ObserveIT
Integration version: 2.0
Use Cases
Ingest ObserveIT alerts and use them to create Google Security Operations SOAR alerts. Next, in Google Security Operations SOAR, alerts can be used to perform orchestrations with playbooks or manual analysis.
Generate Client ID and Client Secret
- Go to https://
: /v2/apps/portal/home.html?#creds. - Press on the "+ Create App" button
Fill out the "Application Name" parameter.
Press on the "Save".
You will find a new ObserveIT application. Press on it and you will see this window.
Copy "Client Id" and "Client Secret".
Use these values in the integration configuration.
Configure ObserveIT integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://<address>:<port> | Yes | ObserveIT API Root. |
| Client ID | String | N/A | Yes | Client ID of the ObserveIT app. |
| Client Secret | Password | N/A | Yes | Client Secret of the ObserveIT app. |
| Use SSL | Checkbox | Checked | Yes | Option to enable SSL/TLS connection |
Actions
Ping
Description
Test connectivity to ObserveIT with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Playbook Use Cases Examples
The action is used to test connectivity at the integration configuration page on the Google Security Operations Marketplace tab, and it can be executed as a manual action, not used in playbooks.
Run On
The action doesn't run on entities, nor has mandatory input parameters.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Connectors
ObserveIT - Alerts Connector
Description
Pull alerts from ObserveIT.
Configure ObserveIT - Alerts Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | eventType | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | https://x.x.x.x:x | Yes | API root of ObserveIT server. |
| Client ID | String | N/A | Yes | Client ID of the ObserveIT app. |
| Client Secret | Password | Yes | Client Secret of the ObserveIT app. | |
| Lowest Severity To Fetch | String | Medium | Yes | Lowest severity that will be used to fetch Alerts. Possible values: Medium High Critical |
| Fetch Max Hours Backwards | Integer | 1 | No | Amount of hours from where to fetch alerts. |
| Max Alerts To Fetch | Integer | 25 | No | How many alerts to process per one connector iteration. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, whitelist will be used as a blacklist. |
| Use SSL | Checkbox | Checked | Yes | Option to enable SSL/TLS connection |
| Proxy Server Address | String | No | The address of the proxy server to use. | |
| Proxy Username | String | No | The proxy username to authenticate with. | |
| Proxy Password | Password | No | The proxy password to authenticate with. |
Connector Rules
Proxy Support
The connector supports proxy.