TIPCommon.base

TIPCommon.base.action.action_parser.parse_case_attachment

TIPCommon.base.action.action_parser.parse_case_attachment(attachment: MutableMapping[str, Any]) → CaseAttachment

Parses a JSON attachment and returns a CaseAttachment object.

Parameters

attachment
A response JSON object representing the attachment.

Returns

The parsed CaseAttachment object.

Return type

CaseAttachment

TIPCommon.base.action.action_parser.parse_case_comment

TIPCommon.base.action.action_parser.parse_case_comment(comment: MutableMapping[str, Any]) → CaseComment

Parses a JSON comment and returns a CaseComment object.

Parameters

comment
A response JSON object representing the comment.

Returns

The parsed CaseComment object.

Return type

CaseComment

class TIPCommon.base.action.base_action.Action

class TIPCommon.base.action.base_action.Action(name: str)

Bases: ABC, Generic[ApiClient]

A unified generic infrastructure implementation for the Google SecOps action development.

The Action base class provides template abstract methods to override in the inherited action classes, generic properties, and general flows as methods that are executed when calling the action's run method.

Parameters

name
str

The action's script name.

Attributes

_soar_action
The SiemplifyAction SDK object.

Type: SiemplifyAction

_api_client
The API client of the integration.

Type: Apiable

_name
The name of the script using this action.

Type: str

_action_start_time
The action start time.

Type: int

_logger
The logger object used for logging in actions.

Type: SiemplifyLogger

_params
The parameter container for this action.

Type: Container

global_context
A dictionary to store the context, if needed.

Type: dict

_entity_types
The entity types supported by the action.

Type: list[ EntityTypesEnum ]

_entities_to_update
The entities to update when the action ends.

Type: list[Entity]

json_results
The action's JSON results.

Type: JSON

_attachments
The case result attachments to add.

Type: list[ Attachment ]

_contents
The case result contents to add.

Type: list[ Content ]

_data_tables
The case result data tables to add.

Type: list[ DataTable ]

_html_reports
The case result HTML reports to add.

Type: list[ HTMLReport ]

The case result links to add.

Type: list[ Link ]

_entity_insights
The case entity insights to add.

Type: list[ EntityInsight ]

_case_insights
The case insights to add.

Type: list[ CaseInsight ]

_execution_state
The action's final execution state.

Type: ExecutionState

_result_value
The action final result value.

Type: bool

_output_message
The action's output message when it succeeds.

Type: str

_error_output_message
The action's output message when it fails.

Type: str

Methods

- run() Runs the action execution.
- _get_adjusted_json_results() Adjusts the JSON result to a particular structure.

Abstract methods

_validate_params()
Validates the parameters for this action.
_init_managers()
Initializes and returns a manager object.
_perform_action()
Performs the action's main logic.

Additional methods

These are methods that are called during the action execution and affect the alerts processing phase but are not mandatory to override.

  • _get_entity_types()
  • _finalize_action_on_success()
  • _finalize_action_on_failure()
  • _on_entity_failure()
  • _handle_timeout()
  • _extract_action_parameters()
  • _finalize()

SDK wrapper methods

  • _add_attachment_to_current_case()
  • _get_current_case_attachments()
  • _add_comment_to_case()
  • _get_current_case_comments()
  • _assign_case_to_user()
  • _add_tag_to_case()
  • _attach_playbook_to_current_alert()
  • _get_similar_cases_to_current_case()
  • _get_alerts_ticket_ids_from_cases_closed_since_timestamp()
  • _change_current_case_stage()
  • _change_current_case_priority()
  • _close_current_case()
  • _close_alert()
  • _escalate_case()
  • _mark_case_as_important()
  • _raise_incident()
  • _add_entity_to_case()
  • _update_alerts_additional_data()
  • _get_current_integration_configuration()
  • _any_alert_entities_in_custom_list()
  • _add_alert_entities_to_custom_list()
  • _remove_alert_entities_from_custom_list()

Example

```python
from TIPCommon.base.action.base_action import Action
from TIPCommon.validation import ParameterValidator

SOME_ACTION_SCRIPT_NAME = 'Some Integration - Some Action'


class SomeAction(Action):
    # Entity and SomeCustomException are placeholders for the SDK entity type
    # and an integration-specific exception; import them from your own code.
    # _init_managers(), which is also abstract, is omitted here for brevity.

    def _validate_params(self) -> None:
        validator = ParameterValidator(self.soar_action)
        ...  # validation logic

    def _perform_action(self, entity: Entity) -> None:
        try:
            self.logger.info('Querying Api client')
            data = self.api_client.do_something(
                param=self.params.query,
                entity=entity.original_identifier
            )
            ...  # Some logic to process the data

        except SomeCustomException:
            # Set the message shown on failure, then re-raise unchanged.
            self.error_output_message = (
                "Action wasn't able to successfully do its thing."
            )
            raise


def main() -> None:
    SomeAction(SOME_ACTION_SCRIPT_NAME).run()


if __name__ == '__main__':
    main()
```
 

property action_start_time

property action_start_time: int

Returns an int representing the action starting time in Unix.

property api_client

property api_client: ApiClient | Collection[ApiClient] | Type[Tuple[ApiClient, ...]] | None

Returns an Apiable object.

property attachments

property attachments: list[ Attachment ]

All the attachments in the list are sent to the case result by default.

Returns a list of Attachment objects representing the insights for this case.

property case_insights

property case_insights: list[ CaseInsight ]

All the case insights in the list are sent to the case result by default.

Returns a list of CaseInsight objects representing the insights for this case.

property contents

property contents: list[ Content ]

All list contents are sent to the case result by default.

Returns a list of Content objects representing the insights for this case.

property data_tables

property data_tables: list[ DataTable ]

By default, all data tables in the list are sent to the case result.

Returns a list of DataTable objects representing the insights for this case.

property entities_to_update

property entities_to_update: list[DomainEntityInfo]

All entities in the list are sent to the platform for updating.

Returns a list of Entity objects representing the entities that should be updated in the case.

property entity_insights

property entity_insights: list[ EntityInsight ]

All entity insights in the list are sent to the case result by default.

Returns a list of EntityInsight objects representing the insights for this case.

property entity_types

property entity_types: list[ EntityTypesEnum ]

If the action works with entities, it only processes entities whose type is in the entity_types list. Otherwise, the action skips the entity.

Returns a list of EntityTypesEnum objects representing entity types the action can process.

property error_output_message

property error_output_message: str

The action output message in case of a failed run.

An output message that should appear in case of a failure during the action runtime. The default value is Action SCRIPT_NAME failed.

property execution_state

property execution_state: ExecutionState

The action's execution state—a status indicator represented by an integer to pass back to the platform.

Possible statuses are as follows:

  • ExecutionState.COMPLETED = 0
  • ExecutionState.IN_PROGRESS = 1
  • ExecutionState.FAILED = 2
  • ExecutionState.TIMED_OUT = 3

Returns the ExecutionState object representing the current execution state.

property html_reports

property html_reports: list[ HTMLReport ]

All the HTML reports in the list will be sent to the case result by default.

Returns a list of HTMLReport objects representing the insights for this case.

property is_first_run

property is_first_run: bool

Indicates whether this is the first run.

Returns:

True if this is the first run, False otherwise.

property json_results

property json_results: Dict[str, Any] | List[Dict[str, Any]]

Returns the action's JSON result to be sent to the case wall.

property links: list[ Link ]

All the links in the list will be sent to the case result by default.

Returns a list of Link objects representing the insights for this case.

property logger

property logger: NewLineLogger

Returns the NewLineLogger object for actions.

property name

property name: str

property output_message

property output_message: str

The action's output message in case of a successful run.

The output message that summarizes the result of the action.

property params

property params: [ Container ]

Returns a Container object that describes the action's parameters, with each parameter exposed as a snake_case attribute.

property result_value

property result_value: bool

The action's result value to be passed back to the platform.

Possible values:

  • True : Action Succeeded
  • False : Action Failed

property soar_action

property soar_action: SiemplifyAction

Returns the SDK SiemplifyAction object.

class TIPCommon.base.action.base_enrich_action.EnrichAction

class TIPCommon.base.action.base_enrich_action.EnrichAction(name: str)

Bases: Action

A class that represents an entity enrichment action.

This class inherits from the TIPCommon.base.action.base_action.Action class.

Parameters

name
str

The name of the action.

Attributes

enrichment_data

This attribute holds the enrichment data for the current entity in each of the entity iterations. At the end of each iteration, the entity's additional_properties attribute is updated with self.enrichment_data, meaning that this value is set every time with the new value.

Type: dict

entity_results
Entity results included in the JSON output for this object.

Type: Any

global_context

A dictionary to store the context if needed.

Type: dict

Abstract methods

_get_entity_types()
Gets the type of entities the action runs on.
_perform_enrich_action()
Perform the main enrichment logic on an entity.

Private methods

_perform_action()

This method combines the other abstract methods with more OOTB enrichment logic and passes it to the parent class to use in the start() method.

class TIPCommon.base.action.data_models.ActionParamType

class TIPCommon.base.action.data_models.ActionParamType(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Constants

  • BOOLEAN = 1

  • CASE_PRIORITIES = 7

  • CLOSE_CASE_REASONS = 5

  • CLOSE_ROOT_CAUSE = 6

  • CODE = 20

  • CONTENT = 11

  • DDL = 15

  • EMAIL_CONTENT = 10

  • ENTITY_TYPE = 13

  • MULTI_VALUES = 14

  • NULL = -1

  • PASSWORD = 12

  • PLAYBOOK_NAME = 2

  • STAGE = 4

  • STRING = 0

  • USER = 3

class TIPCommon.base.action.data_models.Attachment

class TIPCommon.base.action.data_models.Attachment(filename: str, file_contents: bytes, title: str = 'Script Result Attachment', additional_data: dict | None = None)

Bases: object

An action script-result attachment.

This class is immutable: once created, its attributes cannot be modified. It supports hashing (for example, use in sets or as dictionary keys) and equality comparison using the == operator.

Attributes

title
The title of the attachment.

Type: str | None

filename
The filename of the attachment.

Type: str

file_contents
The content of the attachment file.

Type: bytes

additional_data
Additional data.

Type: dict | None

class TIPCommon.base.action.data_models.CaseAttachment

class TIPCommon.base.action.data_models.CaseAttachment(attachment_id: int, attachment_type: str, description: str, is_favorite: bool)

Bases: object

A case attachment.

This class is immutable; after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

attachment_id
int

The attachment ID.

attachment_type
str

The type of the attachment.

description
str

The description of the attachment.

is_favorite
bool

Indicates whether the attachment is marked as favorite.

class TIPCommon.base.action.data_models.CaseComment

class TIPCommon.base.action.data_models.CaseComment(comment: str, creator_user_id: str, comment_id: int, comment_type: int, case_id: int, is_favorite: bool, modification_time_unix_time_in_ms: int, creation_time_unix_time_in_ms: int, alert_identifier: str, creator_full_name: str | None = None, is_deleted: bool | None = None, last_editor: str | None = None, last_editor_full_name: str | None = None, modification_time_unix_time_in_ms_for_client: int | None = None, comment_for_client: str | None = None)

Bases: object

A case comment.

This class is immutable; after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

comment
str

The comment.

comment_for_client
str | None

The comment for the client.

modification_time_unix_time_in_ms_for_client
int

The modification time for the comment_for_client.

last_editor
str

The ID of the last editor, such as 77bdb7a4-8484-481d-9482-2449e33f9518.

last_editor_full_name
str

The full name of the last editor user, such as admin admin.

is_deleted
bool

Indicates whether the comment is already deleted.

creator_user_id
str

The creator user ID, such as 77bdb7a4-8484-481d-9482-2449e33f9518.

creator_full_name
str

The creator's full name, such as System.

comment_id
int

The ID of the comment.

comment_type
int

The type of the comment.

case_id
int

The ID of the case.

is_favorite
bool

Indicates whether the comment is marked as favorite.

modification_time_unix_time_in_ms
int

The comment's last modification time in Unix, such as 1686040471269.

creation_time_unix_time_in_ms
int

The comment's creation time in Unix, such as 1686040471269.

alert_identifier
str

The alert's identifier, such as SUSPICIOUS PHISHING EMAIL_83765943-9437-4771-96F6-BD0FB291384E.

class TIPCommon.base.action.data_models.CaseInsight

class TIPCommon.base.action.data_models.CaseInsight(triggered_by: str, title: str, content: str, severity: InsightSeverity, insight_type: InsightType, entity_identifier: str = '', additional_data: Any | None = None, additional_data_type: Any | None = None, additional_data_title: str | None = None)

Bases: object

A case insight.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

title
str

The title of the insight.

triggered_by
str

Integration name.

content
str

The insight message.

severity
InsightSeverity

Insight severity. Possible values are:

  • info
  • warning
  • error
insight_type
InsightType

Insight type. Possible values are:

  • general
  • entity
entity_identifier
str | None

The entity's identifier.

additional_data
Any | None

Additional data.

additional_data_type
Any | None

The type of additional data.

additional_data_title
str | None

The title of additional data.

class TIPCommon.base.action.data_models.CasePriority

class TIPCommon.base.action.data_models.CasePriority(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Constants

  • CRITICAL = 100

  • HIGH = 80

  • INFORMATIONAL = 0

  • LOW = 40

  • MEDIUM = 60

class TIPCommon.base.action.data_models.CaseStage

class TIPCommon.base.action.data_models.CaseStage(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Constants

  • ASSESSMENT = 'Assessment'

  • IMPROVEMENT = 'Improvement'

  • INCIDENT = 'Incident'

  • INVESTIGATION = 'Investigation'

  • RESEARCH = 'Research'

  • TRIAGE = 'Triage'

class TIPCommon.base.action.data_models.CloseCaseOrAlertInconclusiveRootCauses

class TIPCommon.base.action.data_models.CloseCaseOrAlertInconclusiveRootCauses(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Constants

  • NO_CLEAR_CONCLUSION = 'No clear conclusion'

class TIPCommon.base.action.data_models.CloseCaseOrAlertMaintenanceRootCauses

class TIPCommon.base.action.data_models.CloseCaseOrAlertMaintenanceRootCauses(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Constants

  • LAB_TEST = 'Lab test'

  • OTHER = 'Other'

  • RULE_UNDER_CONSTRUCTION = 'Rule under construction'

class TIPCommon.base.action.data_models.CloseCaseOrAlertMaliciousRootCauses

class TIPCommon.base.action.data_models.CloseCaseOrAlertMaliciousRootCauses(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Constants

  • EXTERNAL_ATTACK = 'External attack'

  • INFRASTRUCTURE_ISSUE = 'Infrastructure issue'

  • IRRELEVANT_TCP_UDP_PORT = 'Irrelevant TCP/UDP port'

  • MISCONFIGURED_SYSTEM = 'Misconfigured system'

  • OTHER = 'Other'

  • SIMILAR_CASE_IS_ALREADY_UNDER_INVESTIGATION = 'Similar case is already under investigation'

  • SYSTEM_APPLICATION_MALFUNCTION = 'System/application malfunction'

  • SYSTEM_CLOCKED_THE_ATTACK = 'System blocked the attack'

  • UNFORESEEN_EFFECTS_OF_CHANGE = 'Unforeseen effects of change'

  • UNKNOWN = 'Unknown'

class TIPCommon.base.action.data_models.CloseCaseOrAlertNotMaliciousRootCauses

class TIPCommon.base.action.data_models.CloseCaseOrAlertNotMaliciousRootCauses(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Constants

  • EMPLOYEE_ERROR = 'Employee error'

  • HUMAN_ERROR = 'Human error'

  • LAB_TEST = 'Lab test'

  • LEGIT_ACTION = 'Legit action'

  • MISCONFIGURED_SYSTEM = 'Misconfigured system'

  • NONE = 'None'

  • NORMAL_BEHAVIOR = 'Normal behavior'

  • OTHER = 'Other'

  • PENETRATION_TEST = 'Penetration test'

  • RULE_UNDER_CONSTRUCTION = 'Rule under construction'

  • SIMILAR_CASE_IS_ALREADY_UNDER_INVESTIGATION = 'Similar case is already under investigation'

  • UNKNOWN = 'Unknown'

  • USER_MISTAKE = 'User mistake'

class TIPCommon.base.action.data_models.CloseCaseOrAlertReasons

class TIPCommon.base.action.data_models.CloseCaseOrAlertReasons(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Constants

  • INCONCLUSIVE = 3

  • MAINTENANCE = 2

  • MALICIOUS = 0

  • NOT_MALICIOUS = 1

class TIPCommon.base.action.data_models.Content

class TIPCommon.base.action.data_models.Content(content: str, title: str = 'Script Result Content')

Bases: object

An action script-result content.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

title
str | None

The title of the content.

content
str

The content to add to the script results.

class TIPCommon.base.action.data_models.DataTable

class TIPCommon.base.action.data_models.DataTable(data_table: list[str], title: str = 'Script Result Data Table')

Bases: object

An action script-result data table.

This class is immutable; after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

title
str | None

The title of the table.

data_table
list[str]

A list of CSV rows that construct the table.

class TIPCommon.base.action.data_models.EntityInsight

class TIPCommon.base.action.data_models.EntityInsight(entity: DomainEntityInfo, message: str, triggered_by: str | None = None, original_requesting_user: str | None = None)

Bases: object

An entity insight.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

entity
Entity

The entity object.

message
str

The insight's message.

triggered_by
str | None

The integration's name.

original_requesting_user
str | None

The original user.

class TIPCommon.base.action.data_models.EntityTypesEnum

class TIPCommon.base.action.data_models.EntityTypesEnum(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Constants

  • ADDRESS = 'ADDRESS'

  • ALERT = 'ALERT'

  • APPLICATION = 'APPLICATION'

  • CHILD_HASH = 'CHILDHASH'

  • CHILD_PROCESS = 'CHILDPROCESS'

  • CLUSTER = 'CLUSTER'

  • CONTAINER = 'CONTAINER'

  • CREDIT_CARD = 'CREDITCARD'

  • CVE = 'CVE'

  • CVE_ID = 'CVEID'

  • DATABASE = 'DATABASE'

  • DEPLOYMENT = 'DEPLOYMENT'

  • DESTINATION_DOMAIN = 'DESTINATIONDOMAIN'

  • DOMAIN = 'DOMAIN'

  • EMAIL_MESSAGE = 'EMAILSUBJECT'

  • EVENT = 'EVENT'

  • FILE_HASH = 'FILEHASH'

  • FILE_NAME = 'FILENAME'

  • GENERIC = 'GENERICENTITY'

  • HOST_NAME = 'HOSTNAME'

  • IP_SET = 'IPSET'

  • MAC_ADDRESS = 'MacAddress'

  • PARENT_HASH = 'PARENTHASH'

  • PARENT_PROCESS = 'PARENTPROCESS'

  • PHONE_NUMBER = 'PHONENUMBER'

  • POD = 'POD'

  • PROCESS = 'PROCESS'

  • SERVICE = 'SERVICE'

  • SOURCE_DOMAIN = 'SOURCEDOMAIN'

  • THREAT_ACTOR = 'THREATACTOR'

  • THREAT_CAMPAIGN = 'THREATCAMPAIGN'

  • THREAT_SIGNATURE = 'THREATSIGNATURE'

  • URL = 'DestinationURL'

  • USB = 'USB'

  • USER = 'USERUNIQNAME'

class TIPCommon.base.action.data_models.ExecutionState

class TIPCommon.base.action.data_models.ExecutionState(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Constants

  • COMPLETED = 0

  • FAILED = 2

  • IN_PROGRESS = 1

  • TIMED_OUT = 3

class TIPCommon.base.action.data_models.FullDetailsConfigurationParameter

class TIPCommon.base.action.data_models.FullDetailsConfigurationParameter(input_dict: dict[str, Any])

Bases: object

A general script parameter object.

Attributes

full_dict
dict[str, Any]

The original dictionary received from API.

id
int | None

The ID of the parameter.

integration_identifier
str

The integration identifier, such as VirusTotalV3.

creation_time
int

The time when the parameter was created.

modification_time
int

The time when the parameter was last modified.

is_mandatory
bool

Define whether the parameter is mandatory or not.

description
str | None

The parameter description.

name
str

The parameter name.

display_name
str

The parameter's displayed name.

value
Any

The default value of the parameter.

type
IntegrationParamType

The type of the parameter.

optional_values
list

A DDL of optional values for the type DDL.

class TIPCommon.base.action.data_models.HTMLReport

class TIPCommon.base.action.data_models.HTMLReport(report_name: str, report_contents: str, title: str = 'Script Result HTML Report')

Bases: object

An action script-result HTML report.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

title
str | None

The title of the HTML report.

report_name
str

The name of the report.

report_contents
str

The HTML content of the report.

class TIPCommon.base.action.data_models.IntegrationParamType

class TIPCommon.base.action.data_models.IntegrationParamType(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Constants

  • BOOLEAN = 0

  • EMAIL = 8

  • INTEGER = 1

  • IP = 4

  • NULL = -1

  • PASSWORD = 3

  • STRING = 2

class TIPCommon.base.action.data_models.Link(link: str, title: str = 'Script Result Link')

Bases: object

An action script-result link.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

title
str | None

The title of the link.

link
str

The link.

class TIPCommon.base.action.data_models.ScriptParameter

class TIPCommon.base.action.data_models.ScriptParameter(input_dict: dict[str, Any])

Bases: object

A general script parameter object.

Attributes

full_dict
dict[str, Any]

Original dictionary received from API.

id
int | None

ID of the parameter.

creation_time
int

Time when the parameter was created.

modification_time
int

Time when the parameter was last modified.

custom_action_id
int | None

The action ID.

is_mandatory
bool

Indicates whether the parameter is mandatory or not.

default_value
Any

The default value of the parameter.

This parameter is prioritized over the value parameter in playbooks.

description
str | None

Parameter description.

name
str | None

Parameter name.

value
Any

The value of the parameter.

This value is prioritized over the default_value parameter in manual actions.

type
ActionParamType

The type of the parameter.

optional_values
list

DDL of optional values for the type DDL.

class TIPCommon.base.interfaces.apiable.Apiable

class TIPCommon.base.interfaces.apiable.Apiable(authenticated_session: AuthenticatedSession, configuration: ApiParams)

Bases: ABC, Generic[ApiParams]

An interface for classes that manage API calls to external services.

class TIPCommon.base.interfaces.authable.Authable

class TIPCommon.base.interfaces.authable.Authable

Bases: ABC, Generic[AuthParams]

An interface for classes that manage authentication with external services.

Abstract methods

authenticate_session(params: AuthParams) → None
Authenticates the self.session attribute of the class using params.

This method authenticates you to the service that the session interacts with, following the creation of an object using that session.

Attributes

params
object, dataclass, TypedDict, namedtuple, or anything holding all authentication parameters.

Authentication parameters.

class TIPCommon.base.interfaces.logger.Logger

class TIPCommon.base.interfaces.logger.Logger

Bases: ABC

A logger interface designed for marketplace scripts, verifying compatibility when the passed logger is replaced or mocked.

Abstract methods

debug(msg: str, *args, **kwargs) → None
Logs a debug message.
error(error_msg: str, *args, **kwargs) → None
Logs an error message.
exception(ex: Exception, *args, **kwargs) → None
Logs an exception message.
info(msg: str, *args, **kwargs) → None
Logs an information message.
warn(warning_msg: str, *args, **kwargs) → None
Logs a warning message.

class TIPCommon.base.interfaces.session.Session

class TIPCommon.base.interfaces.session.Session

Bases: ABC, Generic[_R]

This class manages API sessions using a session object. It supports various session types and mocks with libraries like requests or httpx.

Attributes

headers
dict
verify
bool

Abstract methods

delete(url: str, *args, **kwargs) → _R
Deletes a resource from the server.
get(url: str, *args, **kwargs) → _R
Gets a resource from the server.
patch(url: str, *args, **kwargs) → _R
Patches a resource on the server.
post(url: str, *args, **kwargs) → _R
Posts a resource to the server.
put(url: str, *args, **kwargs) → _R
Puts (updates or creates) a resource on the server.
request(method: str, *args, **kwargs) → _R
Makes a request to the server.

class TIPCommon.base.job.base_job.Job

class TIPCommon.base.job.base_job.Job(name: str)

Bases: ABC, Generic[ApiClient]

A class that represents a job script in Google Security Operations SOAR.

Methods

  • start(**kwargs) → None

property api_client

property api_client: ApiClient | Collection[ApiClient] | Type[Tuple[ApiClient, ...]] | None

Provides the API client or clients for interacting with external services.

property error_msg

property error_msg: str

Stores any error message encountered during the job's execution.

property job_start_time

property job_start_time: int

Represents the timestamp when the job started.

property logger

property logger: ScriptLogger

Provides logging functionality for the job script.

property name

property name: str

Holds the name of the job script.

property params

property params: Container

Contains the configuration parameters provided to the job.

property soar_job

property soar_job: SiemplifyJob

Represents the underlying Google Security Operations SOAR job instance.

class TIPCommon.base.job.base_job_refresh_token.RefreshTokenRenewalJob

class TIPCommon.base.job.base_job_refresh_token.RefreshTokenRenewalJob(name: str, integration_identifier: str)

Bases: Job, Generic[ApiClient]

This section describes lifecycle methods that influence job processing. Subclasses are not required to override them.

property api_client

property api_client: ApiClient | Collection[ApiClient] | Type[Tuple[ApiClient, ...]] | None

Holds the API client or clients used for external service interactions.

class TIPCommon.base.job.base_job_refresh_token.SuccessFailureTuple

class TIPCommon.base.job.base_job_refresh_token.SuccessFailureTuple(success_list, failure_list)

Bases: tuple

Attributes

success_list
Alias for field number 0.
failure_list
Alias for field number 1.

TIPCommon.base.job.base_job_refresh_token.validate_param_csv_to_multi_value

TIPCommon.base.job.base_job_refresh_token.validate_param_csv_to_multi_value(param_name: str, param_csv_value: str | None, delimiter: str = ',') → list[str]

Validates and parses a comma-separated parameter value into a list of unique elements. This function handles single values, quoted strings and mixed formats.

Parameters

param_name
The parameter key.
param_csv_value
The parameter value provided in the job parameter. If None, an empty list is returned.

Raises

ValueError – When the double quotes count is invalid, some values are invalid, or some values have mismatched double quotes.

Returns

A list of unique values provided in the job parameter. If no valid values are found, an empty list is returned.

Return type

list[str]
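The contract described above (None yields an empty list, values are de-duplicated, malformed quoting raises ValueError), as an added standalone sketch. It is not TIPCommon's implementation: the name parse_csv_param, the sample inputs and the exact quoting rules are assumptions made for illustration.

```python
from __future__ import annotations

# Constructed sample inputs (not taken from any real job configuration).
SAMPLES = [
    'VirusTotalV3',            # single value
    'alpha, beta, alpha',      # duplicates collapse, order is kept
    '"one, two", three',       # quoted value may contain the delimiter
    ' , ,',                    # only empty fields -> empty list
    'alpha, "beta',            # odd number of double quotes
    'al"ph"a',                 # quotes in the middle of a value
    '"a" "b"',                 # two quoted runs inside one field
]


def parse_csv_param(param_name: str, param_csv_value: str | None,
                    delimiter: str = ",") -> list[str]:
    """Hypothetical parser following the documented contract.

    Error messages name the parameter and the field position only, never the
    raw value, because job parameters can carry sensitive data that would
    otherwise end up in logs.
    """
    if param_csv_value is None:
        return []
    if len(delimiter) != 1 or delimiter == '"':
        raise ValueError(f"{param_name}: delimiter must be one non-quote character")
    if param_csv_value.count('"') % 2:
        raise ValueError(f"{param_name}: invalid double quotes count")

    # Split on the delimiter, ignoring delimiters that sit inside quotes.
    fields: list[str] = []
    buf: list[str] = []
    in_quotes = False
    for ch in param_csv_value:
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == delimiter and not in_quotes:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    fields.append("".join(buf))

    values: list[str] = []
    seen: set[str] = set()
    for position, raw in enumerate(fields, start=1):
        item = raw.strip()
        if not item:
            continue  # skip empty fields such as "a,,b"
        if '"' in item:
            # A quoted field must be wrapped by exactly one pair of quotes.
            wrapped = len(item) >= 2 and item[0] == '"' and item[-1] == '"'
            if not wrapped or item.count('"') != 2:
                raise ValueError(
                    f"{param_name}: mismatched double quotes in field {position}"
                )
            item = item[1:-1].strip()
            if not item:
                continue
        if item not in seen:  # unique values, first occurrence wins
            seen.add(item)
            values.append(item)
    return values


def run_samples() -> dict[str, list[str] | str]:
    """Parse every constructed sample; rejected inputs map to 'ValueError'."""
    results: dict[str, list[str] | str] = {}
    for sample in SAMPLES:
        try:
            results[sample] = parse_csv_param("Integrations", sample)
        except ValueError:
            results[sample] = "ValueError"
    return results


if __name__ == "__main__":
    for sample, outcome in run_samples().items():
        print(f"{sample!r:28} -> {outcome}")
```

Rejecting ambiguous quoting outright, rather than guessing at the intended split, keeps a mistyped job parameter from silently selecting the wrong set of values.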

class TIPCommon.base.job.data_models.JobParameter

class TIPCommon.base.job.data_models.JobParameter(input_dict: MutableMapping[str, Any])

Bases: object

A general script parameter object.

Attributes

full_dict
dict[str, Any]

The original dict received from the API.

id
int | None

The ID of the parameter.

is_mandatory
bool

Define whether the parameter is mandatory or not.

Note: This attribute is prioritized over value in playbooks.

name
str | None

The name of the parameter.

type
ActionParamType

The type of the parameter.

value
Any

The default value of the parameter.

Note: This attribute is prioritized over default_value in manual actions.

class TIPCommon.base.data_models.ActionJsonOutput

class TIPCommon.base.data_models.ActionJsonOutput(title: 'str' = 'JsonResult', content: 'str' = '', type: 'str | None' = None, is_for_entity: 'bool' = False, json_result: 'JSON | None' = None)

Bases: object

Represents the structured JSON output for an action.

class TIPCommon.base.data_models.ActionOutput

class TIPCommon.base.data_models.ActionOutput(output_message: 'str', result_value: 'str | bool', execution_state: 'ExecutionState', json_output: 'ActionJsonOutput | None', debug_output: 'str' = '')

Bases: object

Represents the complete output structure for an action.

class TIPCommon.base.data_models.ConnectorJsonOutput

class TIPCommon.base.data_models.ConnectorJsonOutput(alerts: 'list[AlertInfo | CaseInfo]', overflow_alerts: 'list[OverflowAlertDetails]' = <factory>, log_items: 'list' = <factory>, log_rows: 'list[str]' = <factory>, variables: 'dict' = <factory>)

Bases: object

Represents the structured JSON output for a connector.

class TIPCommon.base.data_models.ConnectorOutput

class TIPCommon.base.data_models.ConnectorOutput(json_output: 'ConnectorJsonOutput | None', debug_output: 'str' = '')

Bases: object

Represents the complete output structure for a connector.

TIPCommon.base.data_models.alert_info_from_json

TIPCommon.base.data_models.alert_info_from_json(json_: MutableMapping[str, Any]) → AlertInfo

Creates an AlertInfo object from a JSON of attributes.

Returns

The created AlertInfo object.

Return type

AlertInfo
