SiemplifyUtilities

Integration version: 19.0

Configure SiemplifyUtilities integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Actions

Count Entities in Scope

Description

Count the number of entities from a specific scope.

Parameters

Parameter	Type	Default Value	Description
Entity Type	13	N/A	The type of the target entities.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
list_count	N/A	N/A

JSON Result

N/A

Count List

Description

Count the number of items on a list - separated by a configurable delimiter.

Parameters

Parameter	Type	Default Value	Description
Input String	String	N/A	Comma separated string list. For example: value1,value2,value3.
Delimiter	String	N/A	Define a symbol, which is used for separation of values from the input list.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
list_count	N/A	N/A

JSON Result

N/A

Delete File

Description

Delete a selected file from the file system.

Parameters

Name	Type	Mandatory	Description
File Path	String	Yes	Specifies the absolute file path for the file that needs to be deleted.

Run On

This action does not run on entities.

Action Results

Script Result

Script result name	Value
is_success	True/False

JSON Result

{
"filepath": ""
"status": "deleted/not found"
}

Case Wall

The action provides the following output messages:

Output message	Message description
Successfully deleted file.	The action is successful.
File was not found for the provided path.	The file does not exist.
No activity was found for the provided service accounts in Google Cloud Policy Intelligence	The action could not find data for any of the listed service accounts.
Error executing action "Delete File".	The action returned an error. Check connection to the server, input parameters, or credentials.

Extract top From JSON

Description

The action gets a JSON as an input, and sorts it by a specific key and returns the TOP 'x' of the relevant branches.

Parameters

Parameter	Type	Default Value	Description
JSON Data	String	N/A	JSON data to process.
Key To Sort By	String	N/A	Nested key separated by dots. Use * as a wildcard. Example: Host.*.wassap_list.Severity.
Field Type	String	N/A	The type of the field to sort by. Valid values: int (numeric field), string (a text field) or date.
Reverse (DESC -> ASC)	Checkbox	Checked	Sort results by DESC or ASC (Z -> A).
Top Rows	String	N/A	Retrieve number of rows from JSON to process.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
result	N/A	N/A

JSON Result

[
    {
        "HOST": {
            "DETECTION":{
                "QID": "82003",
                "SEVERITY": "1",
                "RESULTS": "Timestamp of host (network byte ordering): 03:40:14 GMT"
            },
            "IP": "1.1.1.1",
            "LAST_SCAN_DATETIME": "2018-08-13T10:24:35Z",
            "OS": "Windows 10"
        },
        "DATETIME": "2018-08-29T14:01:12Z"
    }, {
        "HOST":{
            "DETECTION": {
                "PORT": "443",
                "QID": "11827",
                "PROTOCOL": "tcp",
                "RESULTS": "X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers missing on port 443.",
                "SEVERITY": "2"
            },
            "IP": "1.1.1.1",
            "LAST_SCAN_DATETIME": "2018-08-13T08:31:58Z",
            "OS": "Linux 3.13"
        },
        "DATETIME": "2018-08-29T14:01:12Z"
    }, {
        "HOST": {
            "DETECTION": {
                "PORT": "53",
                "QID": "15033",
                "PROTOCOL": "udp",
                "RESULTS": "--- IPv4 --- ",
                "SEVERITY": "4"
            },
            "IP": "1.1.1.1",
            "LAST_SCAN_DATETIME": "2018-08-13T08:31:58Z",
            "OS": "Linux 3.13"
        },
        "DATETIME": "2018-08-29T14:01:12Z"
    }
]

Filter JSON

Description

Filter JSON dict.

Parameters

Parameter	Type	Default Value	Description
JSON Data	String	N/A	The JSON dictionary data to filter.
Root Key Path	String	N/A	The path to the Root Key. Note: The system uses dot notation for JSON search. For example: json.message.status.
Condition Path	String	N/A	The path to the field to filter by, dot separated.
Condition Operator	String	N/A	The condition operator. Can be one of the following: = / != / > / < / >= / <= / in / not in.
Condition Value	String	N/A	The value of the condition to filter by.
Output Path	String	N/A	The path to the desired results in the filtered dict, dot separated.
Delimiter	String	N/A	The delimiter to join the values inf the output path, default: comma.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
results	True/False	results:False

JSON Result

{
    "a": {
        "HOST": [
            {
                "DETECTION": {
                    "QID": "82003",
                    "SEVERITY": "1",
                    "RESULTS": "Timestamp of host (network byte ordering): 03:40:14 GMT"
                },
                "IP": "1.1.1.1",
                "LAST_SCAN_DATETIME": "2018-08-13T10:24:35Z",
                "OS": "Windows 10"
            }
        ],
        "DATETIME": "2018-08-29T14:01:12Z"
    }
}

Get Deployment URL

Get deployment URL for Google Security Operations.

Entities

The action doesn't run on entities.

Action inputs

N/A

Action outputs

Action output type
Case wall attachment	N/A
Case wall link	N/A
Case wall table	N/A
Enrichment table	N/A
Entity insight	N/A
Insight	N/A
JSON result	Available
OOTB widget	N/A
Script result	Available

Script result

Script result name	Value
is_success	True/False

JSON result

{
"url": ""
}

Case wall

Output message Message description

Successfully retrieved deployment URL. Action is successful.

Output message	Message description
Successfully retrieved deployment URL.	Action is successful.
Error executing action "Get Deployment URL". Reason: `ERROR_REASON`	The action returned an error. Check connection to the server, input parameters, or credentials.

Error executing action "Get Deployment URL". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

List Operations

Description

Provide operations on lists.

Parameters

Parameter	Type	Default Value	Description
First List	String	N/A	Comma-separated string list. For example: value1,value2,value3.
Second List	String	N/A	Comma-separated string list. For example: value1,value2,value3.
Delimiter	String	N/A	Define a symbol, which is used for separation of values in both lists.
Operator	String	N/A	Has to be one of the following: intersection, union, subtract or xor.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
result_list	N/A	N/A

JSON Result

{
    "results": {
        "count": 6,
        "data": [
            "item",
            "item1",
            "item2"
        ]
    }
}

Parse EML to JSON

Description

Parse EML to JSON.

Parameters

Parameter	Type	Default Value	Description
EML Content	String	N/A	The base64 encoded content of the EML file.
Blacklisted Headers	comma separated string	No	Headers to exclude from the response.
Use Blacklist As Whitelist	Checkbox	Unchecked	To only include the listed headers.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
parsed_eml	N/A	N/A

JSON Result

{
    "HTML Body": "<div><br></div>",
    "Attachments": {},
    "Recipients": "john_doe@example.com",
    "CC": "",
    "Links": {
        "urls_1": "https://lh4.googleusercontent.com/rE6-WYjfFuiHbHUV33G31NCtUeBl9YGnw4bvlorqMeNaC60qWagqtohFwCpq2eJxlMYMJPPDAqqXRZW6Oja8GqOjt3jB3aB6tzJP-jdtbCBoj-m3vu49tttHmWpXGJUSI6UuTUYS",
        "urls_2": "https://lh4.googleusercontent.com/Uih5TalWnJjBbG_QaRICp8emX5wIakbCmstEDP3YHT7l45qdjIllcxg_Ddapvrh5DqGKszK3KKM5M0kEoC1YX6TgbWKJKPX0OxD5BeWr3uu6SRAHs7lwP20khjHSlxsIM46egQ-M"
    },
    "BCC": "",
    "To": "john_doe@example.com",
    "Date": "Mon, 13 Aug 2018 13:20:34 +0300",
    "From": "john_doe@example.com",
    "Subject": "TEST6:::Test:::ADVANCE NOTICE: 07.08.2018-Disable Accounts-user\\\r\\\\n Office Il Office"
}

For this action, the functional changes apply to integration version 10 and later: in the JSON result, the with field is split into the id and with fields. For more details, see the following example:

Integration version 9 and earlier:
```
"with": "smtp id ID"
```
Integration version 10 and laterer:
```
"id": "ID"
"with": "SMTP"
```

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
success	True/False	success:False

JSON Result

N/A

Query Joiner

Description

Form a query string from given parameters.

Parameters

Parameter	Type	Default Value	Description
Values	String	N/A	Comma separated string list. For example: value1,value2,value3.
Query Field	String	N/A	Query target field ex. SrcIP, DestHost, etc.
Query Operator	String	N/A	Query operator(OR, AND, etc.).
Add Quotes	Checkbox	N/A	If enabled, action will add quotes to every item in the "Values" list.
Add Double Quotes	Checkbox	N/A	If enabled, action will add double quotes to every item in the "Values" list.

Run On

This action runs on all entities.

Action Results

Script Result

Script Result Name	Value Options	Example
query	N/A	N/A

JSON Result

N/A

Export Entities as OpenIOC File

Description

Export entities as OpenIOC file. Supported entities: Filehash, IP address, URL, Hostname, User.

Parameters

Name	Type	Mandatory	Description
Export Folder Path	String	Yes	Specify the folder that should store the OpenIOC files.

Run On

This action runs on the following entities:

Filehash
IP Address
URL
Hostname
User

Action Results

JSON Result

{

"absolute_file_path": OpenIOC_{random_guid}.txt

}

Case Wall

Case	Success	Fail	Message
If successful	Yes	No	Successfully created an OpenIOC file based on provided entities.
No entities in the scope	No	No	Action wasn't able to create an OpenIOC file, because there are no entities in the action execution scope.
Fatal error, invalid creds, API root	No	Yes	Error executing action "Export Entities as OpenIOC File". Reason: {error traceback}