SiemplifyUtilities
Integration version: 19.0
Configure SiemplifyUtilities integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Integration parameters
Actions
Count Entities in Scope
Description
Count the number of entities from a specific scope.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Entity Type | 13 | N/A | The type of the target entities. |
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| list_count | N/A | N/A |
JSON Result
N/A
 
 
Count List
Description
Count the number of items in a list whose items are separated by a configurable delimiter.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Input String | String | N/A | Comma-separated string list. For example: value1,value2,value3. |
| Delimiter | String | N/A | The symbol used to separate the values in the input list. |
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| list_count | N/A | N/A |
JSON Result
N/A
 
Delete File
Description
Delete a selected file from the file system.
Parameters
| Name | Type | Mandatory | Description |
|---|---|---|---|
| File Path | String | Yes | Specifies the absolute file path for the file that needs to be deleted. |
Run On
This action does not run on entities.
Action Results
Script Result
| Script result name | Value | 
|---|---|
| is_success | True/False | 
JSON Result
```json
{
  "filepath": "",
  "status": "deleted/not found"
}
```
 
 
Case Wall
The action provides the following output messages:
| Output message | Message description | 
|---|---|
| Successfully deleted file. | The action is successful. | 
| File was not found for the provided path. | The file does not exist. | 
| No activity was found for the provided service accounts in Google Cloud Policy Intelligence | The action could not find data for any of the listed service accounts. | 
| Error executing action "Delete File". | The action returned an error. Check connection to the server, input parameters, or credentials. | 
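The following is an added example, not the integration's own code, of a file deletion that reports the same `filepath`/`status` shape as the JSON result above. The `allowed_root` parameter is an assumption of mine: the action only takes a File Path, but when file deletion is driven by playbook input, a check that the resolved path stays under a known directory (and does not go through a symlink) is the guard a practitioner would want in front of it.

```python
"""Constructed example of a guarded file deletion with the Delete File action's
result shape ({"filepath": ..., "status": "deleted" / "not found"}). Not the
SiemplifyUtilities integration's code; allowed_root is an addition of mine."""
import tempfile
from pathlib import Path


def delete_file(file_path: str, allowed_root: str) -> dict:
    """Delete file_path if it is an absolute path to a regular file under allowed_root."""
    target = Path(file_path)
    if not target.is_absolute():
        raise ValueError("File Path must be absolute")
    if target.is_symlink():
        # Deleting through a link would remove whatever the link points at.
        raise PermissionError(f"refusing to delete through symlink {file_path}")
    root = Path(allowed_root).resolve()
    resolved = target.resolve()  # collapses '..' and symlinked parent directories
    if root not in resolved.parents:
        raise PermissionError(f"{file_path} is outside {root}")
    if resolved.is_dir():
        raise IsADirectoryError(f"{file_path} is a directory, not a file")
    try:
        resolved.unlink()
    except FileNotFoundError:
        return {"filepath": file_path, "status": "not found"}
    return {"filepath": file_path, "status": "deleted"}


def demo() -> list:
    """Exercise the three outcomes inside a scratch directory; returns the status strings."""
    outcomes = []
    with tempfile.TemporaryDirectory() as scratch:
        victim = Path(scratch) / "report.tmp"
        victim.write_text("constructed sample content")
        outcomes.append(delete_file(str(victim), scratch)["status"])  # deleted
        outcomes.append(delete_file(str(victim), scratch)["status"])  # not found
        try:
            # A path next to, not inside, the allowed directory is refused.
            delete_file(str(Path(scratch).parent / "elsewhere.tmp"), scratch)
        except PermissionError:
            outcomes.append("rejected")
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The symlink and `resolve()` checks are deliberately separate: `resolve()` alone would happily turn a link inside the allowed directory into a real file outside it, so the link itself is refused before the resolved path is compared against the root.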
Extract top From JSON
Description
The action takes a JSON document as input, sorts it by a specific key, and returns the top 'x' of the relevant branches.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| JSON Data | String | N/A | JSON data to process. |
| Key To Sort By | String | N/A | Nested key separated by dots. Use * as a wildcard. Example: Host.*.wassap_list.Severity. |
| Field Type | String | N/A | The type of the field to sort by. Valid values: int (numeric field), string (a text field) or date. |
| Reverse (DESC -> ASC) | Checkbox | Checked | Sort results by DESC or ASC (Z -> A). |
| Top Rows | String | N/A | The number of rows to return from the sorted JSON. |
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| result | N/A | N/A |
JSON Result
```json
[
  {
    "HOST": {
      "DETECTION": {
        "QID": "82003",
        "SEVERITY": "1",
        "RESULTS": "Timestamp of host (network byte ordering): 03:40:14 GMT"
      },
      "IP": "1.1.1.1",
      "LAST_SCAN_DATETIME": "2018-08-13T10:24:35Z",
      "OS": "Windows 10"
    },
    "DATETIME": "2018-08-29T14:01:12Z"
  },
  {
    "HOST": {
      "DETECTION": {
        "PORT": "443",
        "QID": "11827",
        "PROTOCOL": "tcp",
        "RESULTS": "X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers missing on port 443.",
        "SEVERITY": "2"
      },
      "IP": "1.1.1.1",
      "LAST_SCAN_DATETIME": "2018-08-13T08:31:58Z",
      "OS": "Linux 3.13"
    },
    "DATETIME": "2018-08-29T14:01:12Z"
  },
  {
    "HOST": {
      "DETECTION": {
        "PORT": "53",
        "QID": "15033",
        "PROTOCOL": "udp",
        "RESULTS": "--- IPv4 --- ",
        "SEVERITY": "4"
      },
      "IP": "1.1.1.1",
      "LAST_SCAN_DATETIME": "2018-08-13T08:31:58Z",
      "OS": "Linux 3.13"
    },
    "DATETIME": "2018-08-29T14:01:12Z"
  }
]
```
 
 
Filter JSON
Description
Filter a JSON dictionary by a condition on one of its nested fields.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| JSON Data | String | N/A | The JSON dictionary data to filter. |
| Root Key Path | String | N/A | The path to the root key. Note: The system uses dot notation for JSON search. For example: json.message.status. |
| Condition Path | String | N/A | The path to the field to filter by, dot separated. |
| Condition Operator | String | N/A | The condition operator. One of: = / != / > / < / >= / <= / in / not in. |
| Condition Value | String | N/A | The value of the condition to filter by. |
| Output Path | String | N/A | The path to the desired results in the filtered dict, dot separated. |
| Delimiter | String | N/A | The delimiter used to join the values in the output path. Default: comma. |
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| results | True/False | results:False |
JSON Result
```json
{
  "a": {
    "HOST": [
      {
        "DETECTION": {
          "QID": "82003",
          "SEVERITY": "1",
          "RESULTS": "Timestamp of host (network byte ordering): 03:40:14 GMT"
        },
        "IP": "1.1.1.1",
        "LAST_SCAN_DATETIME": "2018-08-13T10:24:35Z",
        "OS": "Windows 10"
      }
    ],
    "DATETIME": "2018-08-29T14:01:12Z"
  }
}
```
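The dotted-path, wildcard and operator semantics that both Extract top From JSON and Filter JSON describe are easiest to pin down in code. The block below is an added example, not the SiemplifyUtilities integration's own implementation: it shares one path resolver between the two actions, treats `*` as matching any dictionary key or list index, looks operators up in a fixed table instead of evaluating them (they arrive as playbook input), and reads `in` / `not in` as membership in a comma-separated list. The sample documents are constructed to match the shape of the JSON results shown on this page.

```python
"""Reference implementations of the Extract top From JSON and Filter JSON actions.
Constructed example, not the SiemplifyUtilities integration's own code: the path
semantics ('*' matches any dict key or list index) and the 'in' / 'not in' handling
(comma-separated membership) are my reading of the parameter descriptions."""
import json
import operator
from datetime import datetime
from typing import Any, Optional


def resolve_path(obj: Any, path: str) -> list:
    """Return every value reachable through a dotted path; '*' is a wildcard."""
    current = [obj]
    for part in path.split("."):
        following = []
        for node in current:
            if part == "*" and isinstance(node, dict):
                following.extend(node.values())
            elif part == "*" and isinstance(node, list):
                following.extend(node)
            elif isinstance(node, dict) and part in node:
                following.append(node[part])
            elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
                following.append(node[int(part)])
        current = following
    return current


def _typed(value: Any, field_type: str) -> Any:
    """Coerce a sort key according to the Field Type parameter (int, string or date)."""
    if field_type == "int":
        return float(value)
    if field_type == "date":
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return str(value)


def extract_top(json_data, key_to_sort_by: str, field_type: str = "int",
                reverse: bool = True, top_rows: Optional[int] = None) -> list:
    """Sort the top-level branches by a nested key and keep the first top_rows of them."""
    data = json.loads(json_data) if isinstance(json_data, str) else json_data
    branches = data if isinstance(data, list) else list(data.values())
    keyed = []
    for branch in branches:
        hits = resolve_path(branch, key_to_sort_by)
        if hits:  # branches that lack the key are dropped instead of sorting as None
            keyed.append((_typed(hits[0], field_type), branch))
    keyed.sort(key=lambda pair: pair[0], reverse=reverse)
    ordered = [branch for _, branch in keyed]
    return ordered[:top_rows] if top_rows else ordered


# Operator strings come from playbook input, so they are looked up in a fixed
# table rather than handed to eval().
COMPARISONS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
               "<": operator.lt, ">=": operator.ge, "<=": operator.le}


def _matches(actual: Any, condition_operator: str, expected: str) -> bool:
    """Apply one Condition Operator; numbers compare numerically, everything else as text."""
    if condition_operator in COMPARISONS:
        try:
            left, right = float(actual), float(expected)
        except (TypeError, ValueError):
            left, right = str(actual), str(expected)
        return COMPARISONS[condition_operator](left, right)
    if condition_operator in ("in", "not in"):
        members = [m.strip() for m in str(expected).split(",")]
        return (str(actual) in members) == (condition_operator == "in")
    raise ValueError(f"unsupported Condition Operator: {condition_operator!r}")


def filter_json(json_data, root_key_path: str, condition_path: str, condition_operator: str,
                condition_value: str, output_path: str, delimiter: str = ",") -> dict:
    """Keep the branches under root_key_path that satisfy the condition and join
    the values found at output_path with the delimiter."""
    data = json.loads(json_data) if isinstance(json_data, str) else json_data
    candidates = []
    for root in resolve_path(data, root_key_path):
        candidates.extend(root if isinstance(root, list) else [root])
    matched = []
    for candidate in candidates:
        hits = resolve_path(candidate, condition_path)
        if hits and _matches(hits[0], condition_operator, condition_value):
            matched.append(candidate)
    values = [str(v) for m in matched for v in resolve_path(m, output_path)]
    # Mirrors the script result 'results: True/False' next to the filtered data.
    return {"results": bool(matched), "filtered": matched, "output": delimiter.join(values)}


# Constructed samples shaped like the JSON results shown on this page.
SAMPLE_HOSTS = [
    {"HOST": {"DETECTION": {"QID": "82003", "SEVERITY": "1"}, "IP": "1.1.1.1", "OS": "Windows 10"},
     "DATETIME": "2018-08-29T14:01:12Z"},
    {"HOST": {"DETECTION": {"PORT": "443", "QID": "11827", "SEVERITY": "2"}, "IP": "1.1.1.1",
              "OS": "Linux 3.13"}, "DATETIME": "2018-08-29T14:01:12Z"},
    {"HOST": {"DETECTION": {"PORT": "53", "QID": "15033", "SEVERITY": "4"}, "IP": "1.1.1.1",
              "OS": "Linux 3.13"}, "DATETIME": "2018-08-29T14:01:12Z"},
]
SAMPLE_DOC = {"a": {"HOST": SAMPLE_HOSTS, "DATETIME": "2018-08-29T14:01:12Z"}}

if __name__ == "__main__":
    print(json.dumps(extract_top(SAMPLE_HOSTS, "HOST.DETECTION.SEVERITY", "int", True, 2), indent=2))
    print(filter_json(SAMPLE_DOC, "a.HOST", "HOST.DETECTION.SEVERITY", ">=", "2", "HOST.DETECTION.QID"))
```

With the sample above, sorting by `HOST.DETECTION.SEVERITY` as `int` in descending order and keeping two rows yields the QID 15033 and QID 11827 branches; filtering the same data with `a.HOST` as the root, `HOST.DETECTION.SEVERITY >= 2` as the condition and `HOST.DETECTION.QID` as the output path produces `11827,15033`.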
 
 
Get Deployment URL
Get deployment URL for Google Security Operations.
Entities
The action doesn't run on entities.
Action inputs
N/A
Action outputs
Script result
| Script result name | Value | 
|---|---|
| is_success | True/False | 
JSON result
```json
{
  "url": ""
}
```
 
 
Case wall
| Output message | Message description |
|---|---|
| Successfully retrieved deployment URL. | Action is successful. |
| Error executing action "Get Deployment URL". Reason: ERROR_REASON | The action returned an error. Check connection to the server, input parameters, or credentials. |
List Operations
Description
Perform set operations (intersection, union, subtract, xor) on two lists.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| First List | String | N/A | Comma-separated string list. For example: value1,value2,value3. |
| Second List | String | N/A | Comma-separated string list. For example: value1,value2,value3. |
| Delimiter | String | N/A | The symbol used to separate the values in both lists. |
| Operator | String | N/A | One of the following: intersection, union, subtract or xor. |
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| result_list | N/A | N/A |
JSON Result
```json
{
  "results": {
    "count": 6,
    "data": [
      "item",
      "item1",
      "item2"
    ]
  }
}
```
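The following added example (not the integration's code) implements the Count List action and the four List Operations operators over delimited strings, returning the `results` / `count` / `data` shape shown above. Items are trimmed, empty items are dropped, and the set operations preserve first-seen order so that playbook output is deterministic; those choices are mine, since the page does not specify them.

```python
"""Reference implementation of the Count List and List Operations actions.
Constructed example, not the SiemplifyUtilities integration's own code."""


def split_list(value: str, delimiter: str = ",") -> list:
    """Split a delimited string into trimmed, non-empty items (duplicates kept)."""
    if not value:
        return []
    return [item.strip() for item in value.split(delimiter) if item.strip()]


def count_list(input_string: str, delimiter: str = ",") -> int:
    """Count List: the script result list_count for a delimited string."""
    return len(split_list(input_string, delimiter))


def list_operation(first_list: str, second_list: str, operator: str, delimiter: str = ",") -> dict:
    """List Operations: intersection, union, subtract or xor of two delimited lists.

    Duplicates are removed (these are set operations) but the order in which an
    item first appears is preserved.
    """
    first = list(dict.fromkeys(split_list(first_list, delimiter)))
    second = list(dict.fromkeys(split_list(second_list, delimiter)))
    in_first, in_second = set(first), set(second)
    operations = {
        "intersection": lambda: [x for x in first if x in in_second],
        "union": lambda: first + [x for x in second if x not in in_first],
        "subtract": lambda: [x for x in first if x not in in_second],
        "xor": lambda: [x for x in first if x not in in_second]
                       + [x for x in second if x not in in_first],
    }
    name = operator.strip().lower()
    if name not in operations:
        raise ValueError(f"Operator must be one of {sorted(operations)}, got {operator!r}")
    data = operations[name]()
    # Same shape as the action's JSON result.
    return {"results": {"count": len(data), "data": data}}


if __name__ == "__main__":
    print(count_list("value1,value2,value3"))
    print(list_operation("1.1.1.1,2.2.2.2,3.3.3.3", "2.2.2.2,4.4.4.4", "subtract"))
```

A typical use in a playbook is `subtract`: the first list holds IPs seen in an alert, the second an allowlist, and the result is what still needs triage.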
  
 
 
Parse EML to JSON
Description
Parse EML to JSON.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| EML Content | String | N/A | The base64-encoded content of the EML file. |
| Blacklisted Headers | comma separated string | No | Headers to exclude from the response. |
| Use Blacklist As Whitelist | Checkbox | Unchecked | If enabled, only the listed headers are included. |
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| parsed_eml | N/A | N/A |
JSON Result
```json
{
  "HTML Body": "<div><br></div>",
  "Attachments": {},
  "Recipients": "john_doe@example.com",
  "CC": "",
  "Links": {
    "urls_1": "https://lh4.googleusercontent.com/rE6-WYjfFuiHbHUV33G31NCtUeBl9YGnw4bvlorqMeNaC60qWagqtohFwCpq2eJxlMYMJPPDAqqXRZW6Oja8GqOjt3jB3aB6tzJP-jdtbCBoj-m3vu49tttHmWpXGJUSI6UuTUYS",
    "urls_2": "https://lh4.googleusercontent.com/Uih5TalWnJjBbG_QaRICp8emX5wIakbCmstEDP3YHT7l45qdjIllcxg_Ddapvrh5DqGKszK3KKM5M0kEoC1YX6TgbWKJKPX0OxD5BeWr3uu6SRAHs7lwP20khjHSlxsIM46egQ-M"
  },
  "BCC": "",
  "To": "john_doe@example.com",
  "Date": "Mon, 13 Aug 2018 13:20:34 +0300",
  "From": "john_doe@example.com",
  "Subject": "TEST6:::Test:::ADVANCE NOTICE: 07.08.2018-Disable Accounts-user\\\r\\\\n Office Il Office"
}
```
 
 
For this action, the following functional change applies to integration version 10 and later: in the JSON result, the `with` field is split into the `id` and `with` fields. For example:
- Integration version 9 and earlier: `"with" : "smtp id ID "`
- Integration version 10 and later: `"id" : " ID " "with" : "SMTP"`
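As an added example, not the integration's own code, the block below parses a base64-encoded EML with the standard library and returns a dictionary with the same field names as the JSON result above (`From`, `To`, `CC`, `BCC`, `Recipients`, `Subject`, `Date`, `HTML Body`, `Attachments`, `Links`), honouring the Blacklisted Headers and Use Blacklist As Whitelist parameters. Two choices are mine: attachments are reported as SHA-256 digests rather than raw bytes, and the sample message is constructed inline so the example runs offline.

```python
"""Constructed example of parsing a base64-encoded EML into the kind of JSON the
Parse EML to JSON action returns. Standard library only; not the integration's code."""
import base64
import hashlib
import re
from email import policy
from email.parser import BytesParser

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message (not a real email); included so the example runs offline.
SAMPLE_EML = b"""From: john_doe@example.com
To: jane_roe@example.com
Cc: sec-ops@example.com
Subject: ADVANCE NOTICE: Disable Accounts
Date: Mon, 13 Aug 2018 13:20:34 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<div>Review <a href="https://example.com/reset?u=1">your account</a></div>
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""
SAMPLE_EML_B64 = base64.b64encode(SAMPLE_EML).decode()


def parse_eml(eml_content_b64: str, blacklisted_headers: str = "",
              use_blacklist_as_whitelist: bool = False) -> dict:
    """Decode the base64 EML and return a JSON-serialisable summary of it."""
    msg = BytesParser(policy=policy.default).parsebytes(base64.b64decode(eml_content_b64))
    listed = {h.strip().lower() for h in blacklisted_headers.split(",") if h.strip()}
    headers = {}
    for name, value in msg.items():
        in_list = name.lower() in listed
        keep = in_list if use_blacklist_as_whitelist else not in_list
        if keep:
            headers[name] = str(value)
    lower = {k.lower(): v for k, v in headers.items()}
    html_body, text_body, attachments = "", "", {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            # A digest keeps the JSON small and is what threat-intel lookups need;
            # the bytes themselves never have to be handled by the playbook.
            attachments[filename] = hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        elif part.get_content_type() == "text/html":
            html_body += part.get_content()
        elif part.get_content_type() == "text/plain":
            text_body += part.get_content()
    links = dict.fromkeys(URL_RE.findall(html_body + "\n" + text_body))  # de-duplicated, ordered
    to, cc, bcc = (lower.get(k, "") for k in ("to", "cc", "bcc"))
    return {
        "Headers": headers,
        "From": lower.get("from", ""),
        "To": to, "CC": cc, "BCC": bcc,
        "Recipients": ",".join(r for r in (to, cc, bcc) if r),
        "Subject": lower.get("subject", ""),
        "Date": lower.get("date", ""),
        "HTML Body": html_body,
        "Text Body": text_body,
        "Attachments": attachments,
        "Links": {f"urls_{i}": url for i, url in enumerate(links, 1)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_eml(SAMPLE_EML_B64), indent=2))
```

Note that header filtering happens before the named fields are filled in, so blacklisting `Cc` also removes that address from `Recipients`, and a whitelist of `From` leaves `To` empty.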
Ping
Description
Test Connectivity.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| success | True/False | success:False |
JSON Result
N/A
 
 
Query Joiner
Description
Form a query string from given parameters.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Values | String | N/A | Comma-separated string list. For example: value1,value2,value3. |
| Query Field | String | N/A | Query target field, for example SrcIP or DestHost. |
| Query Operator | String | N/A | Query operator (OR, AND, etc.). |
| Add Quotes | Checkbox | N/A | If enabled, the action adds single quotes around every item in the "Values" list. |
| Add Double Quotes | Checkbox | N/A | If enabled, the action adds double quotes around every item in the "Values" list. |
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| query | N/A | N/A |
JSON Result
N/A
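The page does not show what the generated query looks like, so the added example below (not the integration's code) assumes the form `<field>=<value> <OPERATOR> <field>=<value>`. The part worth showing is the quoting: when Add Quotes or Add Double Quotes is on, the quote character and the backslash are escaped inside each value, so a value that itself contains a quote cannot close the literal early and change the meaning of the query that is later sent to a SIEM. The field and operator are also checked against plain-identifier patterns for the same reason.

```python
"""Constructed example of the Query Joiner action's behaviour. Not the integration's
code: the output form '<field>=<value> <OP> <field>=<value>' and the escaping rules
are assumptions, since the page does not show the generated query."""
import re

FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")
OPERATOR_RE = re.compile(r"^[A-Za-z]+$")


def _quote(value: str, single: bool, double: bool) -> str:
    """Wrap the value in quotes, escaping backslashes and the quote character inside it."""
    if double:
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if single:
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return value


def join_query(values: str, query_field: str, query_operator: str = "OR",
               add_quotes: bool = False, add_double_quotes: bool = False,
               delimiter: str = ",") -> str:
    """Build '<field>=<v1> <OP> <field>=<v2> ...' from a delimited value list."""
    if not FIELD_RE.match(query_field):
        raise ValueError(f"Query Field is not a plain identifier: {query_field!r}")
    if not OPERATOR_RE.match(query_operator.strip()):
        raise ValueError(f"Query Operator must be a word such as OR or AND: {query_operator!r}")
    items = [v.strip() for v in values.split(delimiter) if v.strip()]
    if not items:
        raise ValueError("Values is empty")
    joiner = f" {query_operator.strip().upper()} "
    return joiner.join(
        f"{query_field}={_quote(v, add_quotes, add_double_quotes)}" for v in items
    )


if __name__ == "__main__":
    print(join_query("1.1.1.1,2.2.2.2", "SrcIP", "OR"))
    print(join_query("host-a,host-b", "DestHost", "and", add_double_quotes=True))
```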
 
 
Export Entities as OpenIOC File
Description
Export entities as OpenIOC file. Supported entities: Filehash, IP address, URL, Hostname, User.
Parameters
| Name | Type | Mandatory | Description |
|---|---|---|---|
| Export Folder Path | String | Yes | Specify the folder that should store the OpenIOC files. |
Run On
This action runs on the following entities:
- Filehash
- IP Address
- URL
- Hostname
- User
Action Results
JSON Result
```json
{
  "absolute_file_path": "OpenIOC_{random_guid}.txt"
}
```
 
 
Case Wall
| Case | Success | Fail | Message |
|---|---|---|---|
| If successful | Yes | No | Successfully created an OpenIOC file based on provided entities. |
| No entities in the scope | No | No | Action wasn't able to create an OpenIOC file, because there are no entities in the action execution scope. |
| Fatal error, invalid creds, API root | No | Yes | Error executing action "Export Entities as OpenIOC File". Reason: {error traceback} |
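The added example below (not the integration's code) writes an OpenIOC document for the five entity types the action supports and returns the `absolute_file_path` result shown above, with the `OpenIOC_<guid>.txt` naming the page describes. Entities are passed in as `(type, value)` pairs using the type names from this page; the mapping of each type to an OpenIOC 1.0 Context/Content term is my choice and should be adjusted to whatever consumes the file. An empty scope raises rather than writing a file, matching the "No entities in the scope" case in the table.

```python
"""Constructed example of writing an OpenIOC file for the entity types the
Export Entities as OpenIOC File action supports. Not the integration's code: the
term mapping (Context search strings and Content types) is my choice."""
import tempfile
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

NS = "http://schemas.mandiant.com/2010/ioc"
ET.register_namespace("", NS)  # serialise with a default xmlns rather than ns0: prefixes


def q(tag: str) -> str:
    """Namespace-qualified tag name for ElementTree."""
    return f"{{{NS}}}{tag}"


# Entity type (as named on this page) -> (Context document, Context search, Content type).
# Assumption: these are the OpenIOC terms I would pick, not the integration's mapping.
IOC_TERMS = {
    "Filehash": ("FileItem", "FileItem/Md5sum", "md5"),
    "IP Address": ("PortItem", "PortItem/remoteIP", "IP"),
    "URL": ("UrlHistoryItem", "UrlHistoryItem/URL", "string"),
    "Hostname": ("DnsEntryItem", "DnsEntryItem/Host", "string"),
    "User": ("UserItem", "UserItem/Username", "string"),
}
HASH_TERMS = {32: ("FileItem/Md5sum", "md5"), 40: ("FileItem/Sha1sum", "sha1"),
              64: ("FileItem/Sha256sum", "sha256")}


def build_openioc(entities, description: str = "Exported from a Google SecOps case") -> ET.Element:
    """Build the <ioc> element with one IndicatorItem per entity, OR-ed together."""
    if not entities:
        raise ValueError("no entities in scope")  # reported as a non-fatal failure by the action
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ioc = ET.Element(q("ioc"), {"id": str(uuid.uuid4()), "last-modified": stamp})
    ET.SubElement(ioc, q("short_description")).text = "Case entities"
    ET.SubElement(ioc, q("description")).text = description
    ET.SubElement(ioc, q("authored_date")).text = stamp
    indicator = ET.SubElement(ET.SubElement(ioc, q("definition")), q("Indicator"),
                              {"operator": "OR", "id": str(uuid.uuid4())})
    for entity_type, value in entities:
        if entity_type not in IOC_TERMS:
            raise ValueError(f"unsupported entity type: {entity_type!r}")
        document, search, content_type = IOC_TERMS[entity_type]
        if entity_type == "Filehash":  # pick the hash term from the digest length
            search, content_type = HASH_TERMS.get(len(value), (search, content_type))
        item = ET.SubElement(indicator, q("IndicatorItem"),
                             {"id": str(uuid.uuid4()), "condition": "is"})
        ET.SubElement(item, q("Context"), {"document": document, "search": search, "type": "mir"})
        ET.SubElement(item, q("Content"), {"type": content_type}).text = value
    return ioc


def indicator_items(ioc: ET.Element) -> list:
    """Return the IndicatorItem elements of an <ioc> element (built or parsed from disk)."""
    return ioc.findall(f"{q('definition')}/{q('Indicator')}/{q('IndicatorItem')}")


def export_openioc(entities, export_folder_path: str) -> dict:
    """Write OpenIOC_<guid>.txt into the folder and return the action's JSON result shape."""
    folder = Path(export_folder_path)
    if not folder.is_dir():
        raise FileNotFoundError(f"Export Folder Path does not exist: {export_folder_path}")
    path = folder / f"OpenIOC_{uuid.uuid4()}.txt"
    path.write_bytes(ET.tostring(build_openioc(entities), encoding="utf-8", xml_declaration=True))
    return {"absolute_file_path": str(path.resolve())}


# Constructed sample entities (documentation address and the MD5 of the empty file).
SAMPLE_ENTITIES = [("IP Address", "198.51.100.7"),
                   ("Filehash", "d41d8cd98f00b204e9800998ecf8427e"),
                   ("Hostname", "host.example.com")]


def demo_export() -> dict:
    """Write the sample to a scratch folder and read it back to confirm the item count."""
    with tempfile.TemporaryDirectory() as scratch:
        result = export_openioc(SAMPLE_ENTITIES, scratch)
        name = Path(result["absolute_file_path"]).name
        items = len(indicator_items(ET.parse(result["absolute_file_path"]).getroot()))
    return {"name_ok": name.startswith("OpenIOC_") and name.endswith(".txt"), "items": items}


if __name__ == "__main__":
    print(demo_export())
```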