Outpost24
Integration version: 3.0
Configure Outpost24 integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://your-appliance.outpost24.com | Yes | API root of the Outpost24 instance. |
| Username | String | N/A | Yes | Username of the Outpost24 account. |
| Password | Password | N/A | Yes | Password of the Outpost24 account. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Outpost24 server is valid. |
Use Cases
- Perform enrichment of entities
- Ingestion of alerts
Actions
Enrich Entities
Description
Enrich entities using information from Outpost24. Supported entities: IP Address, Hostname.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight containing all of the retrieved information about the entity. |
| Return Finding Information | Checkbox | Checked | No | If enabled, the action also retrieves information about findings that were found on the endpoint. |
| Finding Type | DDL | All Possible values:
|
No | Specify the type of findings to return. |
| Finding Risk Level Filter | CSV | Initial, Recommendation, Low, Medium, High, Critical | No | Specify a comma-separated list of risk level findings that are used during filtering. Possible values: Initial, Recommendation, Low, Medium, High, Critical. If nothing is provided, the action fetches findings with all risk levels. |
| Max Findings To Return | Integer | 100 | No | Specify the number of findings to process per entity. If nothing is provided, the action returns 100 findings. |
Run On
The action is runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"id": 24358,
"ip": "10.205.0.35",
"hostname": "lix18.mirmine.net",
"businessCriticality": "MEDIUM",
"exposed": false,
"created": "2021-09-09T12:58:47.085514Z",
"firstSeen": "2021-09-09T12:58:47.085514Z",
"source": [
"NETSEC"
]
"Findings": [list of findings]
}
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| hostname | When available in JSON |
| ip | When available in JSON |
| exposed | When available in JSON |
| businessCriticality | When available in JSON |
| created | When available in JSON |
| firstSeen | When available in JSON |
| source | When available in JSON |
| count_initial_findings | When available in JSON |
| count_recommendation_findings | When available in JSON |
| count_low_findings | When available in JSON |
| count_medium_findings | When available in JSON |
| count_high_findings | When available in JSON |
| count_critical_findings | When available in JSON |
Case Wall
| Result type | Value / Description | Type (Entity \ General) |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from Outpost24 Mobile: {entity.identifier}". If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from Outpost24: {entity.identifier}" If data is not available for any entity (is_success=false): "None of the provided entities were enriched." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace): "Error executing action "Enrich Entities". Reason: invalid risk level filter values provided: {csv of invalid values}. Possible values: Initial, Recommendation, Low, Medium, High, Critical.' |
General |
| Case Wall Table | Table Title: {entity.identifier} Table Columns:
|
Entity |
| Case Wall Table | Table Title: {entity.identifier} Table Columns:
|
Table |
Ping
Description
Test connectivity to the Outpost24 with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities, nor has mandatory input parameters.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Case Wall
| Result type | Value/Description | Type (Entity \ General |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Outpost24 server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Outpost24 server! Error is {0}".format(exception.stacktrace) |
General |
Connectors
Outpost24 - Outscan Findings Connector
Description
Pull information about outscan findings from Outpost24.
Configure Outpost24 - Outscan Findings Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | type | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 300 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | https://your-appliance.outpost24.com | Yes | API root of the Outpost24 instance. |
| Username | String | N/A | Yes | Username of the Outpost24 account. |
| Password | Password | N/A | Yes | Password of the Outpost24 account. |
| Type Filter | CSV | Vulnerability, Information, Port | Yes | Comma-separated list of type filters for the finding. Possible values: Vulnerability, Information, Port. |
| Lowest Risk To Fetch | String | N/A | No | The lowest risk that needs to be used to fetch alerts. Possible values: Initial, Recommendation, Low, Medium, High, Critical. If nothing is specified, the connector ingests alerts with all risk levels. |
| Max Days Backwards | Integer | 1 | No | The number of hours for which findings should be fetched. |
| Max Findings To Fetch | Integer | 100 | No | The number of findings to process per one connector iteration. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, whitelist is used as a blacklist. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Outpost24 server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector rules
Proxy support
The connector supports proxy.