Splash

Integration version: 4.0

Use Cases

Perform enrichment of entities.

Configure Splash integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name | Type | Default Value | Is Mandatory | Description
API Root | String | https:/{{ip address}}:8050 | Yes | API root of the Splash instance.
Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Splash server is valid.

Actions

Ping

Description

Test connectivity to Splash with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options
is_success | is_success=False
is_success | is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
if successful: "Successfully connected to the Splash server with the provided connection parameters!"

The action should fail and stop a playbook execution:
if not successful: "Failed to connect to the Splash server! Error is {0}".format(exception.stacktrace)

General

Enrich Entities

Description

Enrich entities using information from Splash. Supported entities: URL, IP Address.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Create Insight | Checkbox | Checked | No | If enabled, action will create an insight containing all of the retrieved information about the entity.
Include PNG Screenshot | Checkbox | Checked | No | If enabled, action will return a PNG screenshot in an insight. Note: "Create Insight" should be enabled for this parameter to work.
Include History | Checkbox | Unchecked | No | If enabled, action will return history information.
Include HAR | Checkbox | Unchecked | No | If enabled, action will return HAR information.

Run On

This action runs on the following entities:

  • URL
  • IP Address

Action Results

Entity Enrichment
Enrichment Field Name | Logic - When to apply
original_url | When available in JSON
final_url | When available in JSON
title | When available in JSON
has_history | When available in JSON
was_redirected | When available in JSON
count_har_entries | When available in JSON
Insights

[Image: Enrich Entities insight example]

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
{
    "url": "https://172.30.203.38/",
    "requestedUrl": "https://172.30.203.38/",
    "geometry": [
        0,
        0,
        1024,
        768
    ],
    "title": "Siemplify",
    "history": [
    ],
    "har": {
    }
}
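
One way the enrichment fields above could be derived from the JSON Result, as an added example that is not the integration's own code. The key-to-field mapping, the redirect rule and the name build_enrichment are assumptions, and the sample input is constructed from the JSON on this page with one history hop and one HAR entry added.

```python
import json

# Constructed sample shaped like the JSON Result on this page, with one
# history hop and one HAR entry added so every field has something to show.
SAMPLE = json.loads("""
{
  "url": "https://172.30.203.38/login",
  "requestedUrl": "https://172.30.203.38/",
  "geometry": [0, 0, 1024, 768],
  "title": "Siemplify",
  "history": [{"request": {"url": "https://172.30.203.38/"},
               "response": {"status": 302}}],
  "har": {"log": {"entries": [{"request": {"url": "https://172.30.203.38/"}}]}}
}
""")


def build_enrichment(result):
    """Map a Splash JSON result to the enrichment fields listed above.

    The key-to-field mapping is an assumption; a field is emitted only when
    the key it depends on is present ("When available in JSON").
    """
    fields = {}
    requested, final = result.get("requestedUrl"), result.get("url")
    if requested is not None:
        fields["original_url"] = requested
    if final is not None:
        fields["final_url"] = final
    if requested is not None and final is not None:
        # Assumed rule: a redirect happened if the rendered URL differs.
        fields["was_redirected"] = requested != final
    if "title" in result:
        fields["title"] = result["title"]
    if "history" in result:
        fields["has_history"] = bool(result["history"])
    if "har" in result:
        # HAR 1.2 keeps requests under log.entries; an empty "har" object
        # (as in the page's sample) counts as zero entries.
        entries = (result["har"] or {}).get("log", {}).get("entries", [])
        fields["count_har_entries"] = len(entries)
    return fields


if __name__ == "__main__":
    print(json.dumps(build_enrichment(SAMPLE), indent=2))
```

A mismatch between original_url and final_url is the field an analyst would usually check first, since the screenshot and title describe the final page rather than the URL in the alert.
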
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
If data is available for one (is_success=true): "Successfully enriched the following entities using information from Splash: {entity.identifier}".

If data is not available for one (is_success=true): "Action wasn't able to enrich the following entities using information from Splash: {entity.identifier}"

If data is not available for all (is_success=false): "None of the provided entities were enriched."

The action should fail and stop a playbook execution:
If a fatal error occurs, such as wrong credentials, no connection to the server, or other: "Error executing action "Enrich Entities". Reason: {0}".format(error.Stacktrace)

General

Case Wall Table

Title: {entity.identifier} Entity