Cisco Orbital
Integration version: 5.0
Use Cases
Perform active actions - execute SQL queries to get more information about the endpoint.
Configure Cisco Orbital Integration to work with Google Security Operations SOAR
Product Permission
In order to authenticate, you need to generate a token and use this token in API requests.
How to generate Client ID and Client Secret
To generate Client ID and Client Secret, you need to perform the following steps:
- Log in to Cisco Orbital.
- Navigate to the account settings and click Create API Credentials.
- Fill out the fields.
- Copy Client ID and Client Secret.
Configure Cisco Orbital integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
Description | String | N/A | No | Description of the Instance. |
Client ID | String | N/A | Yes | Client ID of the Cisco Orbital account. |
Client Secret | Password | N/A | Yes | Client Secret of the Cisco Orbital account. |
Verify SSL | Checkbox | Checked | No | If enabled, verifies that the SSL certificate for the connection to the Cisco Orbital server is valid. |
Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Ping
Description
Test connectivity to Cisco Orbital with the parameters provided on the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
The action doesn't run on entities and has no mandatory input parameters.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Cisco Orbital server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Cisco Orbital server! Error is {0}".format(exception.stacktrace) | General |
Execute Query
Description
Execute queries on endpoints based on IP and Hostname entities in Cisco Orbital.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Query | String | N/A | Yes | Specify the query that needs to be executed. |
Name | String | N/A | No | Specify the name for the query job. If nothing is specified, the action uses a name in the following format: PRODUCT_NAME-GUID |
Custom Context Fields | String | N/A | No | Specify additional custom context fields that should be added to the job. Format: key_1:value_1,key_2:value_2. |
Max Results To Return | Integer | 100 | No | Specify how many results should be returned. |
Hide Case Wall Table | Checkbox | N/A | No | If enabled, the action will not prepare a case wall table. |
Timeout | Integer | 1 | No | Specify how many minutes to wait for results before finishing action execution. Maximum: 5 minutes. Default: 1 minute. |
Run On
This action runs on the following entities:
- IP Address
- Host
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"results": [
{
"node": "eXHZw6pLMxepKQtf9B8VTQ",
"osQuery": [
{
"sql": "SELECT name,pid FROM processes;"
}
],
"osQueryResult": [
{
"types": [
"",
""
],
"columns": [
"name",
"pid"
],
"values": [
"[System Process]",
"0",
"System",
"4",
"Registry",
"88",
"smss.exe",
"516",
"csrss.exe",
"596",
"wininit.exe",
"672",
"csrss.exe",
"680",
"winlogon.exe",
"724",
"services.exe",
"796",
"lsass.exe",
"804",
"svchost.exe",
"916",
"fontdrvhost.exe",
"936",
"svchost.exe",
"944",
"svchost.exe",
"1020",
"svchost.exe",
"296",
"fontdrvhost.exe",
"560",
"dwm.exe",
"1048",
"svchost.exe",
"1136",
"svchost.exe",
"1144",
"svchost.exe",
"1192",
"svchost.exe",
"1256",
"svchost.exe",
"1280",
"svchost.exe",
"1372",
"svchost.exe",
"1392",
"svchost.exe",
"1488",
"svchost.exe",
"1504",
"svchost.exe",
"1552",
"svchost.exe",
"1604",
"svchost.exe",
"1716",
"svchost.exe",
"1724",
"svchost.exe",
"1804",
"svchost.exe",
"1812",
"svchost.exe",
"1964"
],
"error": "",
"secs": 0.06800670176744461,
"label": "",
"name": ""
}
],
"error": {
"en": ""
},
"hostinfo": {
"osinfo": {
"os": "windows",
"osname": "Windows 10 Enterprise Evaluation",
"release": "6.3",
"version": "10.0.18363",
"arch": "amd64"
},
"hostname": "TIP-HW-HOST-034",
"interfaces": {
"Ethernet0": {
"name": "Ethernet0",
"mac": "00:50:56:a2:05:8b",
"ipv4": "172.30.202.128/24",
"ipv6": "fe80::983:e8ed:c392:3e3e/64",
"active": true
}
},
"external": {
"name": "",
"mac": "",
"ipv4": "185.180.102.139",
"active": true
},
"updated": "2020-10-12T12:03:30.1329732Z",
"version": "v1.7.6"
},
"rowcount": 149,
"context": {
"description": "front desk",
"lol": "kek",
"value": "anything\"}"
}
},
{
"node": "oHNPQUeWwK1ql3R2J13GSw",
"osQuery": [
{
"sql": "SELECT name,pid FROM processes;"
}
],
"osQueryResult": [
{
"types": [
"",
""
],
"columns": [
"name",
"pid"
],
"values": [
"[System Process]",
"0",
"System",
"4",
"Registry",
"88",
"smss.exe",
"360",
"csrss.exe",
"440",
"wininit.exe",
"520",
"csrss.exe",
"536",
"winlogon.exe",
"616",
"services.exe",
"656",
"lsass.exe",
"664",
"svchost.exe",
"772",
"fontdrvhost.exe",
"784",
"fontdrvhost.exe",
"792",
"svchost.exe",
"864",
"svchost.exe",
"6852",
"SystemSettings.exe",
"7864",
"YourPhone.exe",
"5160",
"RuntimeBroker.exe",
"516",
"dllhost.exe",
"1496"
],
"error": "",
"secs": 0.025061199441552162,
"label": "",
"name": ""
}
],
"error": {
"en": ""
},
"hostinfo": {
"osinfo": {
"os": "windows",
"osname": "Windows 10 Enterprise Evaluation",
"release": "6.3",
"version": "10.0.18363",
"arch": "amd64"
},
"hostname": "TIP-HW-HOST-033",
"fqdn": {
"127.0.0.1": "www.virustotal.com"
},
"interfaces": {
"Ethernet0": {
"name": "Ethernet0",
"mac": "00:50:56:a2:66:8a",
"ipv4": "172.30.202.127/24",
"ipv6": "fe80::84:5a0f:7973:63/64",
"active": true
}
},
"external": {
"name": "",
"mac": "",
"ipv4": "185.180.102.139",
"active": true
},
"updated": "2020-10-07T00:11:31.0951018Z",
"version": "v1.7.6"
},
"rowcount": 132,
"context": {
"description": "front desk",
"lol": "kek",
"value": "anything\"}"
}
}
],
"error": {
"en": ""
},
"next": ""
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If SQL query is executed without errors on one of the entities (is_success=true): "Successfully executed query and retrieved results from Cisco Orbital on the following entities:\n".format(entity.identifier) If SQL query is not executed on some entities (is_success=true): "Action wasn't able to successfully execute query and retrieve results from Cisco Orbital on the following entities:\n".format(entity.identifier) If the 400 status code is reported in the first response (is_success=false): "Action wasn't able to execute queries in Cisco Orbital. Reason: {0}".format(comma-separated list of errors) If all of the results have an error: "Action wasn't able to execute queries on all provided entities in Cisco Orbital. Reason: errors in the query." Async Message: "Submitted Query. Waiting for results until timeout." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "List Buckets". Reason: {0}".format(error.Stacktrace) If the "Timeout" parameter is not in the 1-5 range: "Timeout value should be in range from 1 to 5." | General |
Case Wall Table | For each result that doesn't have an error: If entity type is hostname: Table Name: "Results for {0}".format(entity.identifier) If other entity types: Table Name: "Results for {0} ({1})".format(entity.identifier, hostinfo/hostname) All of the columns from the response will be used as table columns. | General |
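As an added example (not the integration's own code), the following Python shows how the Execute Query inputs and output described above fit together on the client side: parsing the Custom Context Fields string, checking the Timeout range, reshaping the flat osQueryResult `values` list into rows keyed by `columns`, and naming one case wall table per error-free result according to the entity type. The response is constructed to match the JSON Result shape shown above; the entity type strings, function names and the row-major layout of `values` are assumptions drawn from that sample, not documented API behaviour.

```python
import json

# Constructed sample response; mirrors the JSON Result above with the
# "values" list shortened to three rows (names and PIDs taken from it).
SAMPLE_RESPONSE = json.loads("""
{
  "results": [
    {
      "node": "eXHZw6pLMxepKQtf9B8VTQ",
      "osQuery": [{"sql": "SELECT name,pid FROM processes;"}],
      "osQueryResult": [
        {
          "columns": ["name", "pid"],
          "values": ["[System Process]", "0", "System", "4", "smss.exe", "516"],
          "error": ""
        }
      ],
      "error": {"en": ""},
      "hostinfo": {
        "hostname": "TIP-HW-HOST-034",
        "interfaces": {"Ethernet0": {"ipv4": "172.30.202.128/24", "active": true}}
      },
      "rowcount": 3
    }
  ],
  "error": {"en": ""},
  "next": ""
}
""")

TIMEOUT_ERROR = "Timeout value should be in range from 1 to 5."


def parse_context_fields(raw):
    """Parse the 'key_1:value_1,key_2:value_2' parameter into a dict.

    Splits on the first ':' only, so values may themselves contain colons.
    An empty or whitespace-only string yields no fields.
    """
    fields = {}
    if not raw or not raw.strip():
        return fields
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"Custom context field '{item}' is not in key:value format")
        key, value = item.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def check_timeout(minutes):
    """Return None if the Timeout parameter is within 1-5, else the page's error text."""
    if 1 <= minutes <= 5:
        return None
    return TIMEOUT_ERROR


def rows_from_osquery_result(result):
    """Reshape the flat, row-major 'values' list into one dict per row.

    The stride is the number of columns; a length mismatch means the
    payload is truncated or malformed, so it is rejected rather than guessed.
    """
    columns = result["columns"]
    values = result["values"]
    width = len(columns)
    if width == 0 or len(values) % width != 0:
        raise ValueError("values length is not a multiple of the column count")
    return [dict(zip(columns, values[i:i + width])) for i in range(0, len(values), width)]


def table_name(entity_identifier, entity_type, hostname):
    """Apply the case wall naming rule: hostname entities omit the host suffix."""
    # Entity type constants here are assumptions, not taken from the page.
    if entity_type == "HOSTNAME":
        return "Results for {0}".format(entity_identifier)
    return "Results for {0} ({1})".format(entity_identifier, hostname)


def build_case_wall_tables(response, entity_identifier, entity_type, max_results=100):
    """Build {table_name: rows} for each result without an error, capped at max_results."""
    tables = {}
    for node in response.get("results", []):
        if node.get("error", {}).get("en"):
            continue  # per-node error: no table for this result
        hostname = node.get("hostinfo", {}).get("hostname", "")
        rows = []
        for osq in node.get("osQueryResult", []):
            if osq.get("error"):
                continue  # per-query error: skip that query's rows
            rows.extend(rows_from_osquery_result(osq))
        tables[table_name(entity_identifier, entity_type, hostname)] = rows[:max_results]
    return tables


if __name__ == "__main__":
    print(parse_context_fields("description:front desk,lol:kek"))
    print(build_case_wall_tables(SAMPLE_RESPONSE, "172.30.202.128", "ADDRESS", max_results=2))
```

The reshaping step is the part worth keeping in mind when consuming this action's JSON Result in a playbook: `values` is not a list of rows but a single flat list, so the column count is what tells you where each row begins.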