SiemplifyUtilities

Integration version: 19.0

Configure SiemplifyUtilities integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Actions

Count Entities in Scope

Description

Count the number of entities from a specific scope.

Parameters

Parameter Type Default Value Description
Entity Type 13 N/A The type of the target entities.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
list_count N/A N/A
JSON Result
N/A

Count List

Description

Count the number of items on a list - separated by a configurable delimiter.

Parameters

Parameter Type Default Value Description
Input String String N/A Comma separated string list. For example: value1,value2,value3.
Delimiter String N/A Define a symbol, which is used for separation of values from the input list.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
list_count N/A N/A
JSON Result
N/A

Delete File

Description

Delete a selected file from the file system.

Parameters

Name Type Mandatory Description
File Path String Yes Specifies the absolute file path for the file that needs to be deleted.

Run On

This action does not run on entities.

Action Results

Script Result
Script result name Value
is_success True/False
JSON Result
{
"filepath": ""
"status": "deleted/not found"
}
Case Wall

The action provides the following output messages:

Output message Message description
Successfully deleted file. The action is successful.
File was not found for the provided path. The file does not exist.
No activity was found for the provided service accounts in Google Cloud Policy Intelligence The action could not find data for any of the listed service accounts.
Error executing action "Delete File".

The action returned an error.

Check connection to the server, input parameters, or credentials.

Extract top From JSON

Description

The action gets a JSON as an input, and sorts it by a specific key and returns the TOP 'x' of the relevant branches.

Parameters

Parameter Type Default Value Description
JSON Data String N/A JSON data to process.
Key To Sort By String N/A Nested key separated by dots. Use * as a wildcard. Example: Host.*.wassap_list.Severity.
Field Type String N/A The type of the field to sort by. Valid values: int (numeric field), string (a text field) or date.
Reverse (DESC -> ASC) Checkbox Checked Sort results by DESC or ASC (Z -> A).
Top Rows String N/A Retrieve number of rows from JSON to process.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
result N/A N/A
JSON Result
[
    {
        "HOST": {
            "DETECTION":{
                "QID": "82003",
                "SEVERITY": "1",
                "RESULTS": "Timestamp of host (network byte ordering): 03:40:14 GMT"
            },
            "IP": "1.1.1.1",
            "LAST_SCAN_DATETIME": "2018-08-13T10:24:35Z",
            "OS": "Windows 10"
        },
        "DATETIME": "2018-08-29T14:01:12Z"
    }, {
        "HOST":{
            "DETECTION": {
                "PORT": "443",
                "QID": "11827",
                "PROTOCOL": "tcp",
                "RESULTS": "X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers missing on port 443.",
                "SEVERITY": "2"
            },
            "IP": "1.1.1.1",
            "LAST_SCAN_DATETIME": "2018-08-13T08:31:58Z",
            "OS": "Linux 3.13"
        },
        "DATETIME": "2018-08-29T14:01:12Z"
    }, {
        "HOST": {
            "DETECTION": {
                "PORT": "53",
                "QID": "15033",
                "PROTOCOL": "udp",
                "RESULTS": "--- IPv4 --- ",
                "SEVERITY": "4"
            },
            "IP": "1.1.1.1",
            "LAST_SCAN_DATETIME": "2018-08-13T08:31:58Z",
            "OS": "Linux 3.13"
        },
        "DATETIME": "2018-08-29T14:01:12Z"
    }
]

Filter JSON

Description

Filter JSON dict.

Parameters

Parameter Type Default Value Description
JSON Data String N/A The JSON dictionary data to filter.
Root Key Path String N/A The path to the Root Key. Note: The system uses dot notation for JSON search. For example: json.message.status.
Condition Path String N/A The path to the field to filter by, dot separated.
Condition Operator String N/A The condition operator. Can be one of the following: = / != / > / < / >= / <= / in / not in.
Condition Value String N/A The value of the condition to filter by.
Output Path String N/A The path to the desired results in the filtered dict, dot separated.
Delimiter String N/A The delimiter to join the values inf the output path, default: comma.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
results True/False results:False
JSON Result
{
    "a": {
        "HOST": [
            {
                "DETECTION": {
                    "QID": "82003",
                    "SEVERITY": "1",
                    "RESULTS": "Timestamp of host (network byte ordering): 03:40:14 GMT"
                },
                "IP": "1.1.1.1",
                "LAST_SCAN_DATETIME": "2018-08-13T10:24:35Z",
                "OS": "Windows 10"
            }
        ],
        "DATETIME": "2018-08-29T14:01:12Z"
    }
}

Get Deployment URL

Get deployment URL for Google Security Operations.

Entities

The action doesn't run on entities.

Action inputs

N/A

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True/False
JSON result
{
"url": ""
}
Case wall
Output message Message description
Successfully retrieved deployment URL. Action is successful.
Error executing action "Get Deployment URL". Reason: ERROR_REASON

The action returned an error.

Check connection to the server, input parameters, or credentials.

List Operations

Description

Provide operations on lists.

Parameters

Parameter Type Default Value Description
First List String N/A Comma-separated string list. For example: value1,value2,value3.
Second List String N/A Comma-separated string list. For example: value1,value2,value3.
Delimiter String N/A Define a symbol, which is used for separation of values in both lists.
Operator String N/A Has to be one of the following: intersection, union, subtract or xor.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
result_list N/A N/A
JSON Result
{
    "results": {
        "count": 6,
        "data": [
            "item",
            "item1",
            "item2"
        ]
    }
}​​

Parse EML to JSON

Description

Parse EML to JSON.

Parameters

Parameter Type Default Value Description
EML Content String N/A The base64 encoded content of the EML file.
Blacklisted Headers comma separated string No Headers to exclude from the response.
Use Blacklist As Whitelist Checkbox Unchecked To only include the listed headers.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
parsed_eml N/A N/A
JSON Result
{
    "HTML Body": "<div><br></div>",
    "Attachments": {},
    "Recipients": "john_doe@example.com",
    "CC": "",
    "Links": {
        "urls_1": "https://lh4.googleusercontent.com/rE6-WYjfFuiHbHUV33G31NCtUeBl9YGnw4bvlorqMeNaC60qWagqtohFwCpq2eJxlMYMJPPDAqqXRZW6Oja8GqOjt3jB3aB6tzJP-jdtbCBoj-m3vu49tttHmWpXGJUSI6UuTUYS",
        "urls_2": "https://lh4.googleusercontent.com/Uih5TalWnJjBbG_QaRICp8emX5wIakbCmstEDP3YHT7l45qdjIllcxg_Ddapvrh5DqGKszK3KKM5M0kEoC1YX6TgbWKJKPX0OxD5BeWr3uu6SRAHs7lwP20khjHSlxsIM46egQ-M"
    },
    "BCC": "",
    "To": "john_doe@example.com",
    "Date": "Mon, 13 Aug 2018 13:20:34 +0300",
    "From": "john_doe@example.com",
    "Subject": "TEST6:::Test:::ADVANCE NOTICE: 07.08.2018-Disable Accounts-user\\\r\\\\n Office Il Office"
}

For this action, the functional changes apply to integration version 10 and later: in the JSON result, the with field is split into the id and with fields. For more details, see the following example:

  • Integration version 9 and earlier:

    "with": "smtp id ID"
    
  • Integration version 10 and laterer:

    "id": "ID"
    "with": "SMTP"
    

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
success True/False success:False
JSON Result
N/A

Query Joiner

Description

Form a query string from given parameters.

Parameters

Parameter Type Default Value Description
Values String N/A Comma separated string list. For example: value1,value2,value3.
Query Field String N/A Query target field ex. SrcIP, DestHost, etc.
Query Operator String N/A Query operator(OR, AND, etc.).
Add Quotes Checkbox N/A If enabled, action will add quotes to every item in the "Values" list.
Add Double Quotes Checkbox N/A If enabled, action will add double quotes to every item in the "Values" list.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
query N/A N/A
JSON Result
N/A

Export Entities as OpenIOC File

Description

Export entities as OpenIOC file. Supported entities: Filehash, IP address, URL, Hostname, User.

Parameters

Name Type Mandatory Description
Export Folder Path String Yes Specify the folder that should store the OpenIOC files.

Run On

This action runs on the following entities:

  • Filehash
  • IP Address
  • URL
  • Hostname
  • User

Action Results

JSON Result
{

"absolute_file_path": OpenIOC_{random_guid}.txt

}
Case Wall
Case Success Fail Message
If successful Yes No Successfully created an OpenIOC file based on provided entities.
No entities in the scope No No Action wasn't able to create an OpenIOC file, because there are no entities in the action execution scope.
Fatal error, invalid creds, API root No Yes Error executing action "Export Entities as OpenIOC File". Reason: {error traceback}