Humio
Integration version: 5.0
Configure Humio integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
API Root | String | https://cloud.us.humio.com | Yes | API root of the Humio instance. |
API Token | Password | N/A | Yes | API token of the Humio instance. |
Verify SSL | Checkbox | Checked | Yes | If enabled, verify the SSL certificate for the connection to the Humio server is valid. |
Use Cases
- Perform ingestion of the events from repositories
- Perform searching
Actions
Ping
Description
Test connectivity to Humio with the parameters provided on the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities, nor does it have mandatory input parameters.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful: "Successfully connected to the Humio server with the provided connection parameters!" The action should fail and stop a playbook execution. If not successful: "Failed to connect to the Humio server! Error is {0}".format(exception.stacktrace) | General |
Execute Simple Search
Description
Search events based on parameters in Humio.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Repository Name | String | N/A | Yes | Specify the name of the repository that should be searched. |
Query Filter | String | N/A | No | Specify the query that should be executed during the search. Note: The "head()" and "select()" functions shouldn't be provided. |
Time Frame | DDL | Last Hour | No | Specify a time frame for the results. If "Custom" is selected, you also need to provide the "Start Time" parameter. |
Start Time | String | N/A | No | Specify the start time for the results. This parameter is mandatory, if "Custom" is selected for the "Time Frame" parameter. Format: ISO 8601 |
End Time | String | N/A | No | Specify the end time for the results. Format: ISO 8601. If nothing is provided and "Custom" is selected for the "Time Frame" parameter then this parameter uses current time. |
Fields To Return | CSV | N/A | No | Specify the fields to return. If nothing is provided, the action returns all fields. |
Sort Field | String | N/A | No | Specify which field should be used for sorting. By default the query sorts data by timestamp in ascending order. |
Sort Field Type | DDL | String | No | Specify the type of the field that is used for sorting. This parameter is needed to ensure that the correct results are returned. |
Sort Order | DDL | ASC | No | Specify the order of sorting. |
Max Results To Return | Integer | 50 | No | Specify the number of results to return. |
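The parameter table above describes how the action assembles a Humio search from a user-supplied filter, the fields to return, a sort field and a result limit, and why `head()` and `select()` must not appear in the filter. The following is an added example, not the integration's own code, of one plausible way to assemble and validate such a query; the Humio pipeline syntax (`sort(field, type=..., order=...)`, `select([...])`, `head(limit=N)`) and the use of `*` as the catch-all filter are assumptions.

```python
import re

# The action appends head() and select() itself, so a user filter must not carry them
# (otherwise the user's limit or projection would silently override the action's).
FORBIDDEN_FUNCTIONS = re.compile(r"\b(head|select)\s*\(", re.IGNORECASE)


def build_simple_search_query(query_filter="", fields_to_return="", sort_field="",
                              sort_field_type="string", sort_order="asc",
                              max_results=50):
    """Assemble a Humio pipeline from the Execute Simple Search parameters.

    Parameter names mirror the action's table; defaults mirror its default values.
    """
    if FORBIDDEN_FUNCTIONS.search(query_filter or ""):
        raise ValueError('"Query Filter" must not contain head() or select()')
    if (not isinstance(max_results, int) or isinstance(max_results, bool)
            or max_results < 1):
        raise ValueError('"Max Results To Return" must be a positive integer')
    if sort_order.lower() not in ("asc", "desc"):
        raise ValueError('"Sort Order" must be ASC or DESC')

    # Assumed: an empty filter becomes "*", which matches every event in the repository.
    stages = [(query_filter or "").strip() or "*"]

    # Sort before select so that the sort field is still present in the event.
    if sort_field:
        stages.append(f"sort({sort_field}, type={sort_field_type.lower()}, "
                      f"order={sort_order.lower()})")

    # "Fields To Return" is a CSV; an empty list means "return all fields".
    fields = [f.strip() for f in fields_to_return.split(",") if f.strip()]
    if fields:
        stages.append("select([" + ", ".join(fields) + "])")

    stages.append(f"head(limit={max_results})")
    return " | ".join(stages)
```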
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
```json
[
  {
    "@timestamp": 1636028056292,
    "@rawstring": {
      "actor": {
        "ip": "31.43.227.151",
        "orgRoot": false,
        "organizationId": "z4ApqmrB7XbvsQB5E1muelI4WAKz4buZ",
        "proxyRequest": false,
        "type": "orgUser",
        "user": {
          "id": "MgPXnBAKQ4gCg25hW5jKhYTo",
          "isRoot": false,
          "username": "dana@example.com"
        }
      },
      "method": "google",
      "sensitive": false,
      "timestamp": "2021-11-04T12:14:16.292Z",
      "type": "user.signin"
    },
    "@id": "gZPMhXMMcScGXHwxZ7bRH6Ns_88_264_1636028056"
  },
  {
    "@timestamp": 1636028057934,
    "@rawstring": {
      "actor": {
        "ip": "31.43.227.151",
        "orgRoot": false,
        "organizationId": "z4ApqmrB7XbvsQB5E1muelI4WAKz4buZ",
        "proxyRequest": false,
        "type": "orgUser",
        "user": {
          "id": "MgPXnBAKQ4gCg25hW5jKhYTo",
          "isRoot": false,
          "username": "dana@example.com"
        }
      },
      "sensitive": false,
      "timestamp": "2021-11-04T12:14:17.934Z",
      "type": "notifications.user.create"
    },
    "@id": "lSLLg2gMDW8GwHtpZTGD8GU1_65_108_1636028057"
  }
]
```
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If at least one result is found (is_success=true): "Successfully returned results for the query "{query}" in Humio." If no results are found (is_success=true): "No results were found for the query "{query}" in Humio." The action should fail and stop a playbook execution. If a fatal error, like wrong credentials, no connection to the server, or other, is reported: "Error executing action "Execute Simple Search". Reason: {0}".format(error.Stacktrace) If the 400 status code is reported: "Error executing action "Execute Simple Search". Reason: {0}".format(response) If the 404 status code is reported: "Error executing action "Execute Custom Search". Reason: {0}".format(response) | General |
Case Wall | Name: Results | General |
Execute Custom Search
Description
Search events using custom query in Humio.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Repository Name | String | N/A | Yes | Specify the name of the repository that should be searched. |
Query | String | N/A | Yes | Specify the query that needs to be executed in Humio. Note: The "head()" function shouldn't be a part of this string. |
Max Results To Return | Integer | 50 | No | Specify the number of results to return. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
```json
[
  {
    "@timestamp": 1636028056292,
    "@rawstring": {
      "actor": {
        "ip": "31.43.227.151",
        "orgRoot": false,
        "organizationId": "z4ApqmrB7XbvsQB5E1muelI4WAKz4buZ",
        "proxyRequest": false,
        "type": "orgUser",
        "user": {
          "id": "MgPXnBAKQ4gCg25hW5jKhYTo",
          "isRoot": false,
          "username": "dana@example.com"
        }
      },
      "method": "google",
      "sensitive": false,
      "timestamp": "2021-11-04T12:14:16.292Z",
      "type": "user.signin"
    },
    "@id": "gZPMhXMMcScGXHwxZ7bRH6Ns_88_264_1636028056"
  },
  {
    "@timestamp": 1636028057934,
    "@rawstring": {
      "actor": {
        "ip": "31.43.227.151",
        "orgRoot": false,
        "organizationId": "z4ApqmrB7XbvsQB5E1muelI4WAKz4buZ",
        "proxyRequest": false,
        "type": "orgUser",
        "user": {
          "id": "MgPXnBAKQ4gCg25hW5jKhYTo",
          "isRoot": false,
          "username": "dana@example.com"
        }
      },
      "sensitive": false,
      "timestamp": "2021-11-04T12:14:17.934Z",
      "type": "notifications.user.create"
    },
    "@id": "lSLLg2gMDW8GwHtpZTGD8GU1_65_108_1636028057"
  }
]
```
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If at least one result is found (is_success=true): "Successfully returned results for the query "{query}" in Humio." If no results are found (is_success=true): "No results were found for the query "{query}" in Humio." The action should fail and stop a playbook execution. If a fatal error, like wrong credentials, no connection to the server, or other, is reported: "Error executing action "Execute Custom Search". Reason: {0}".format(error.Stacktrace) If the 400 status code is reported: "Error executing action "Execute Custom Search". Reason: {0}".format(response) If the 404 status code is reported: "Error executing action "Execute Custom Search". Reason: {0}".format(response) | General |
Case Wall | Name: Results | General |
Connectors
Humio - Events Connector
Description
Pull information about events in the repository from Humio.
Configure Humio - Events Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
Event Field Name | String | event_field | Yes | Enter the source field name in order to retrieve the Event Field name. |
Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) | Integer | 360 | Yes | Timeout limit for the Python process running the current script. |
API Root | String | https://cloud.us.humio.com | Yes | API root of the Humio instance. |
API Token | Password | N/A | No | API token of the Humio instance. |
Repository Name | String | N/A | Yes | Name of the repository from which the results will be fetched. |
Query | String | N/A | No | Query for the events. Note: the select() and head() functions should not be added here. |
Alert Field Name | String | N/A | No | Name of the key that should be used for the Alert Name. If nothing or an invalid value is provided, the connector uses "Humio Alert" as the fallback. |
Severity Field Name | CSV | N/A | Yes | A comma-separated list of keys that should be used for mapping the severity. Note: if a key contains string values, they should be mapped with "Severity Mapping JSON". If an invalid key is provided, "Default" from the "Severity Mapping JSON" parameter is used. |
Severity Mapping JSON | JSON | { "fieldName": { "value_1": 100, "value_2": 75, "value_3": -1 }, "Default": 50 } | Yes | JSON object that contains all of the keys with mapped string values. Note: the "Default" key is mandatory. |
Max Hours Backwards | Integer | 1 | No | Number of hours backwards from which to fetch events. |
Max Events To Fetch | Integer | 20 | No | How many events to process per connector iteration. |
Use whitelist as a blacklist | Checkbox | Checked | Yes | If enabled, the whitelist is used as a blacklist. |
Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Humio server is valid. |
Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
Proxy Username | String | N/A | No | The proxy username to authenticate with. |
Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
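The "Alert Field Name", "Severity Field Name" / "Severity Mapping JSON" and "Environment Field Name" / "Environment Regex Pattern" rows above together define how one fetched event becomes a SOAR alert. The following is an added example of that mapping logic, not the connector's own code: the "Humio Alert" fallback and the mandatory "Default" key come from the table, while the default environment label, the "first usable severity key wins" rule and the use of a regex capture group are assumptions.

```python
import re
from typing import Any, Dict, List, Optional

FALLBACK_ALERT_NAME = "Humio Alert"           # fallback named in the parameter table
DEFAULT_ENVIRONMENT = "Default Environment"   # assumed name of the SOAR default environment


def resolve_alert_name(event: Dict[str, Any], alert_field: Optional[str]) -> str:
    """Use the configured key for the alert name, or "Humio Alert" if missing or empty."""
    value = event.get(alert_field) if alert_field else None
    return str(value) if value not in (None, "") else FALLBACK_ALERT_NAME


def resolve_severity(event: Dict[str, Any], severity_fields: List[str],
                     mapping: Dict[str, Any]) -> int:
    """First usable key wins (assumed): numeric values are taken as-is, string values
    are looked up under mapping[key]; anything else falls through to mapping["Default"]."""
    for key in severity_fields:
        value = event.get(key)
        if value is None:
            continue
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            return int(value)
        field_map = mapping.get(key)
        if isinstance(field_map, dict) and str(value) in field_map:
            return int(field_map[str(value)])
    return int(mapping["Default"])  # "Default" is mandatory per the parameter table


def resolve_environment(event: Dict[str, Any], env_field: Optional[str],
                        env_regex: Optional[str]) -> str:
    """Empty regex, missing field or no match means the default environment; ".*" returns
    the value unchanged. A capture group, when present, is the result (assumed)."""
    if not env_field or not env_regex:
        return DEFAULT_ENVIRONMENT
    value = event.get(env_field)
    if value is None:
        return DEFAULT_ENVIRONMENT
    match = re.search(env_regex, str(value))
    if not match:
        return DEFAULT_ENVIRONMENT
    return match.group(1) if match.groups() else match.group(0)


def map_event_to_alert(event, alert_field, severity_fields, mapping, env_field, env_regex):
    """Combine the three resolutions into the fields a SOAR alert would carry."""
    return {
        "name": resolve_alert_name(event, alert_field),
        "severity": resolve_severity(event, severity_fields, mapping),
        "environment": resolve_environment(event, env_field, env_regex),
    }
```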
Connector Rules
Proxy Support
The connector supports proxy.