Amazon Macie
Integration version: 3.0
Configure Amazon Macie integration in Google Security Operations SOAR
For detailed instructions about how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| AWS Access Key ID | String | N/A | Yes | AWS Access Key ID to use in integration. |
| AWS Secret Key | Password | N/A | Yes | AWS Secret Key to use in integration. |
| AWS Default Region | String | N/A | Yes | AWS default region to use in integration, for example us-west-1. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Ping
Description
Test connectivity to the Amazon Macie service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Use cases
The action is used to test connectivity at the integration configuration page on the Google Security Operations Marketplace tab, and it can be executed as a manual action, not used in playbooks.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success:False |
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Amazon Macie service with the provided connection parameters!" The action should fail and stop a playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace) |
Genera |
List Findings
Description
List Amazon Macie findings based on the specified action input parameters.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Finding Type | String | N/A | No | Finding type to search for, for example SensitiveData:S3Object/Credentials or SensitiveData:S3Object/Multiple. Parameter accepts multiple values as a comma-separated string. If nothing is specified, the action returns all types of findings. |
| Severity | String | 4 | No | Finding severity to search - High, Medium or Low. Parameter accepts multiple values as a comma-separated string. If nothing is specified, the action returns all findings regardless of severity. |
| Include Archived Findings? | Checkbox | Unchecked | No | Specify whether to include archived findings in results or not. |
| Time Frame | Integer | 4 | No | Specify a time frame in hours for which to fetch findings. |
| Record limit | Integer | 20 | No | Specify how many records can be returned by the action. |
| Sort by | String | N/A | No | Specify a parameter for sorting the data. Example: updatedAt |
| Sort order | DDL | ASC | No | Sort order. |
Use cases
List Amazon Macie findings to see what findings are available.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success:False |
JSON result
{'ResponseMetadata': {'HTTPHeaders': {'connection': 'keep-alive',
'content-length': '2741',
'content-type': 'application/json',
'date': 'Thu, 22 Oct 2020 11:08:58 GMT',
'x-amz-apigw-id': 'Uz07pGOKoAMFdTQ=',
'x-amzn-remapped-content-length': '2741',
'x-amzn-remapped-date': 'Thu, 22 Oct '
'2020 11:08:57 '
'GMT',
'x-amzn-remapped-x-amzn-requestid': 'eaea00d2-11f8-40d8-adce-f6c9f17e9815',
'x-amzn-requestid': '4102349a-a5da-4bfc-ad78-40f48885985f'},
'HTTPStatusCode': 200,
'RequestId': '4102349a-a5da-4bfc-ad78-40f48885985f',
'RetryAttempts': 0},
'findings': [{'accountId': '582302349248',
'archived': False,
'category': 'CLASSIFICATION',
'classificationDetails': {'detailedResultsLocation': 's3://[export-config-not-set]/AWSLogs/582302349248/Macie/us-east-1/088009521d393eda440a24f3c7ad8fbd/ad20d649-55b0-3137-ac1f-cd7e744377f6/',
'jobArn': 'arn:aws:macie2:us-east-1:582302349248:classification-job/088009521d393eda440a24f3c7ad8fbd',
'jobId': '088009521d393eda440a24f3c7ad8fbd',
'result': {'additionalOccurrences': False,
'customDataIdentifiers': {'detections': [],
'totalCount': 0},
'mimeType': 'application/zip',
'sensitiveData': [{'category': 'PERSONAL_INFORMATION',
'detections': [{'count': 80,
'type': 'PHONE_NUMBER'},
{'count': 5,
'type': 'ADDRESS'},
{'count': 207,
'type': 'NAME'}],
'totalCount': 292},
{'category': 'CREDENTIALS',
'detections': [{'count': 5,
'type': 'AWS_CREDENTIALS'}],
'totalCount': 5}],
'sizeClassified': 44213802,
'status': {'code': 'PARTIAL',
'reason': 'ARCHIVE_CONTAINS_UNPROCESSED_FILES'}}},
'count': 1,
'createdAt': datetime.datetime(2020, 10, 22, 3, 12, 9, 364000, tzinfo=tzutc()),
'description': 'The object contains more than one type of '
'sensitive information.',
'id': 'a6ce788c0e623a3f160d1cc4b81f4802',
'partition': 'aws',
'region': 'us-east-1',
'resourcesAffected': {'s3Bucket': {'arn': 'arn:aws:s3:::testsiemplify',
'createdAt': datetime.datetime(2020, 9, 14, 10, 31, 56, tzinfo=tzutc()),
'defaultServerSideEncryption': {'encryptionType': 'NONE'},
'name': 'testsiemplify',
'owner': {'displayName': 'lab_aws',
'id': '935dc3fed0e1d2c5b12242cf9927370824f2438681a2d3c0523f254dbde41aba'},
'publicAccess': {'effectivePermission': 'PUBLIC',
'permissionConfiguration': {'accountLevelPermissions': {'blockPublicAccess': {'blockPublicAcls': False,
'blockPublicPolicy': False,
'ignorePublicAcls': False,
'restrictPublicBuckets': False}},
'bucketLevelPermissions': {'accessControlList': {'allowsPublicReadAccess': False,
'allowsPublicWriteAccess': False},
'blockPublicAccess': {'blockPublicAcls': False,
'blockPublicPolicy': False,
'ignorePublicAcls': False,
'restrictPublicBuckets': False},
'bucketPolicy': {'allowsPublicReadAccess': True,
'allowsPublicWriteAccess': False}}}},
'tags': []},
's3Object': {'bucketArn': 'arn:aws:s3:::testsiemplify',
'eTag': '8dfbe2ba101b3ca0a62f8fde823503b4-5',
'extension': 'zip',
'key': 'awscliv2.zip',
'lastModified': datetime.datetime(2020, 9, 28, 18, 47, 30, tzinfo=tzutc()),
'path': 'testsiemplify/awscliv2.zip',
'publicAccess': False,
'serverSideEncryption': {'encryptionType': 'NONE'},
'size': 33775890,
'storageClass': 'STANDARD',
'tags': [],
'versionId': ''}},
'sample': False,
'schemaVersion': '1.0',
'severity': {'description': 'High', 'score': 3},
'title': 'The S3 object contains multiple types of sensitive '
'information.',
'type': 'SensitiveData:S3Object/Multiple',
'updatedAt': datetime.datetime(2020, 10, 22, 3, 12, 9, 364000, tzinfo=tzutc())}]}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Amazon Macie findings found" If is_success=False, for example no findings were found: "No findings were returned." The action should fail and stop a playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace) |
General |
| Table | Table Name: Amazon Macie Findings Table Columns:
|
General |
Get Findings
Description
Get Amazon Macie findings based on specified Finding ID.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Finding ID | String | N/A | Yes | Finding ID to get details for. Parameter can take multiple values as a comma-separated string. |
Use Cases
Get Findings details while analyzing the alert. Finding in this case will not be "flat" out as if it will be from connector, and finding data might be easier to process.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success:False |
JSON Result
{
"Policy": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPerm",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::testsiemplify/*"
}
]
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Amazon Macie findings found" If is_success=False, for example no findings were found: "No findings were returned." The action should fail and stop a playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace) |
General |
| Table | Table Name: Amazon Macie Findings Table Columns: |
General |
Create Custom Data Identifier
Description
Create Amazon Macie Custom Data Identifier.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Custom Data Identifier Name | String | N/A | Yes | Amazon Macie new custom data identifier name. |
| Custom Data Identifier Description | String | N/A | No | Amazon Macie new custom data identifier description. |
| Custom Data Identifier Regular Expression | String | N/A | Yes | Amazon Macie new custom data identifier regular expression. Example: I[a@]mAB[a@]dRequest |
| Custom Data Identifier Keywords | String | N/A | No | Amazon Macie new custom data identifier keywords. |
| Custom Data Identifier Ignore Words | String | N/A | No | Amazon Macie new custom data identifier ignore words. |
| Custom Data Identifier Maximum Match Distance | Integer | 50 | No | Amazon Macie new custom data identifier maximum match distance. |
Use cases
Create Amazon Macie custom data identifier based on the observed data, so later new custom data identifier can be used in classification jobs.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success:False |
JSON Result
{'ResponseMetadata': {'HTTPHeaders': {'connection': 'keep-alive',
'content-length': '65',
'content-type': 'application/json',
'date': 'Mon, 26 Oct 2020 05:15:07 GMT',
'x-amz-apigw-id': 'VAM2LEqkoAMFU0g=',
'x-amzn-remapped-content-length': '65',
'x-amzn-remapped-date': 'Mon, 26 Oct '
'2020 05:15:07 '
'GMT',
'x-amzn-remapped-x-amzn-requestid': '61217a30-189e-4573-9f76-257b7065a04d',
'x-amzn-requestid': '509e1c12-ab86-459e-9d6d-790a359686b2'},
'HTTPStatusCode': 200,
'RequestId': '509e1c12-ab86-459e-9d6d-790a359686b2',
'RetryAttempts': 0},
'customDataIdentifierId': 'ff43487b-5643-4de1-b651-9ecbeb3021ed'}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "New Amazon Macie custom data identifier created: {0}".format(new identifier_id from response) If is_success=False, for example no findings were found: "Failed to create Amazon Macie Identifier. Error is: {0}".format(error from response) The action should fail and stop a playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace) |
General |
Delete Custom Data Identifier
Description
Delete Amazon Macie Custom Data Identifier.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Custom Data Identifier ID | String | N/A | No | Amazon Macie custom data identifier id to delete. |
Use Cases
Delete Amazon Macie Custom Data Identifier.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success:False |
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Amazon Macie custom data identifier {0} deleted".format(custom data identifier id) If is_success=False, for example no findings were found: "Failed to delete Amazon Macie Identifier {0}. Error is: {1}".format(custom data identifier id, error from response) The action should fail and stop a playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace) |
General |
Enable Macie
Description
Enable the Amazon Macie service.
Parameters
N/A
Use cases
Enable Amazon Macie after service window is completed.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success:False |
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully enabled Amazon Macie service" If is_success=False: "Failed to enable Amazon Macie service. Error is: {0}".format(error from response) The action should fail and stop a playbook execution: If a critical error, like wrong credentials or lost connectivity is reported:"Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace) |
General |
Disable Macie
Description
Disable Amazon Macie service.
Use Cases
Disable Amazon Macie for service window - to make some change is AWS buckets and not cause a lot of false positives.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success:False |
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully disabled Amazon Macie service" If is_success=False: "Failed to disable Amazon Macie service. Error is: {0}".format(error from response) The action should fail and stop a playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace) |
General |
Connectors
Amazon Macie - Findings Connector
Use Cases
Ingest Amazon Macie findings.
Configure Amazon Macie - Findings Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | N/A | Yes | The field name used to determine the device product. |
| Event Field Name | String | N/A | Yes | The field name used to determine the event name (sub-type). |
| Environment Field Name | String | N/A | No | N/A |
| Environment Regex Pattern | String | N/A | No | N/A |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| AWS Access Key ID | String | N/A | True | AWS Access Key ID to use in integration. |
| AWS Secret Key | Password | N/A | True | AWS Secret Key to use in integration. |
| AWS Default Region | String | N/A | True | AWS default region to use in integration, for example us-west-2. |
| Finding severity to ingest | String | N/A | No | Finding severity to ingest - High, Medium or Low.
Parameter accepts multiple values as a comma separated string. If nothing is specified, the connector ingests all findings regardless of severity. |
| Max findings to fetch | Integer | 50 | No | Number of findings to process per one connector iteration. |
| Fetch Max Hours Backwards | Integer | 1 | No | Number of hours from where to fetch findings. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, whitelist is used as a blacklist. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector Rules
Blacklist
Disabled by default. Can be enabled with use blacklist as a whitelist checkbox.
Whitelist
The connector supports Whitelist. Whitelist logic: ingest only findings of specific type.
Proxy Support
The connector supports Proxy.