Siemplify Tools Community Integration
ShakedTal
Community Team
Hi Community, with the new capability released in the latest community edition which enables our community members to share Integrations with each other by publishing them to our official Integration Marketplace, we are working on a new community Integration called Siemplify Tools which is a set of utility actions for data manipulation to enhance playbook capabilities. We invite you to checkout the list of actions we developed below and offer additional actions that can be part of the Siemplify Tools Integration 🤗
Add Attachment - adds an attachment to the case wall (similar to attach evidence).
Get Attachment - the action gets an attachment from the case wall (the result is presented as a Base64).
Add Or Update Alert Additional Data - the action adds or updates fields on the Alert additional data (the result will be all accumulated data that was added to the alert).
Check Entities Fields In Text - this action allows to search for a specific field from each entity in the scope (or multiple fields using REGEX) and compare it with one or more values.
Create Advanced Entity Insights - the action was created to replace the use of the add insight action and create a unique insight per entity based on the json result of previous actions in the playbook.
Decode Base64 - the action decodes base64 input.
Enrich Entity From Event Field - the action extracts fields from the event and adds them to the Entity fields.
Enrich Entity With Field - the action adds enrichment fields to the Entity based on a list of key values.
Extract URL Domain - this action enriches all entities with a new field "siemplifytools_extracted_domain" containing the extracted domain out of the entity identifier. In addition to entities, a user can specify a list of URLs as a parameter and process them, without enriching naturally.
Get Original Alert Json - the action gets the original alert Json (raw data) and presents it as a Json result.
Is String In Custom List - the action checks if a specific string exists in a Custom list.
Math Functions - a set of Python built-in functions.
You are welcome to share your ideas in a comment below💥💭
Comments
Hello,
I think we absolutely need to be able to do this in the event fields too.
Check Entities Fields In Text
Extract URL Domain
-- -- -- -- -- -- -- -- -- -- -- ---- -- -- -- -- -- -- -- -- -- -- --
Will it update the visualization under the "Explore" ? (e.g Adding SHA256 to an Entity Field.)
I am asking this because this part of the ontology feature very is limited.
Enrich Entity From Event Field
-- -- -- -- -- -- -- -- -- -- -- ---- -- -- -- -- -- -- -- -- -- -- --
Aren't we already extracting these domains when configuring the visual families?
I think it would be best to be able to extract Domain URL from any metadata and add them as an Entity (e.g URL in the body of an e-mail)
Extract URL Domain
-- -- -- -- -- -- -- -- -- -- -- ---- -- -- -- -- -- -- -- -- -- -- --
Out of curiosity, why is it presented in base 64?
The action gets an attachment from the case wall (the result is presented as a Base64)
------------------------------------------------------------
Isn't this already available with the JSON Expression Builder?
Create Advanced Entity Insights
Hi @Antoine Lafond, thank you for your feedback. Please see my notes in bold -
I think we absolutely need to be able to do this in the event fields too - can you please elaborate on a use case for the "check entities fields in text"?
Check Entities Fields In Text
Extract URL Domain
-- -- -- -- -- -- -- -- -- -- -- ---- -- -- -- -- -- -- -- -- -- -- --
Will it update the visualization under the "Explore" ? (e.g Adding SHA256 to an Entity Field.) - Yes it will.
I am asking this because this part of the ontology feature very is limited.
Enrich Entity From Event Field
-- -- -- -- -- -- -- -- -- -- -- ---- -- -- -- -- -- -- -- -- -- -- --
Aren't we already extracting these domains when configuring the visual families? - This extends the capabilities we currently have in the Visual Families.
I think it would be best to be able to extract Domain URL from any metadata and add them as an Entity (e.g URL in the body of an e-mail)
Extract URL Domain
-- -- -- -- -- -- -- -- -- -- -- ---- -- -- -- -- -- -- -- -- -- -- --
Out of curiosity, why is it presented in base 64? - This is due to the fact that we need to forward string between actions and not binary data.
The action gets an attachment from the case wall (the result is presented as a Base64)
------------------------------------------------------------
Isn't this already available with the JSON Expression Builder? - Today this isn't a solution available in the Json Expression Builder.
Create Advanced Entity Insights
If you have any recommendations or thoughts on new actions that will be part of the Siemplify Tools Integration we would love to hear them😊
@ShakedTal Please see my notes in bold too:
I think we absolutely need to be able to do this in the event fields too.
-- "Can you please elaborate on a use case for the "check entities fields in text"?"
-- Not everything are Entities, here is a quick example:
Aren't we already extracting these domains when configuring the visual families?
-- This extends the capabilities we currently have in the Visual Families.
-- I may be misinterpreting this but from my personal experience, I have been extracting URL, process names, filenames and more using the "transform" parameter using REGEX when configuring the mapping.
I think it would be great to merge the "Extract URL Domain" with ""Check Entities fields in text" by making this one single action that allows us to select how we want to manipulate and extract strings.
For example:
The action name could be "Text Manipulation" would have a drop down menu with the following things:
Out of curiosity, why is it presented in base 64?
-- This is due to the fact that we need to forward string between actions and not binary data.
Well, I suppose there is a more detailed explanation to this since this all has to do with your Serialization/De-serialization process.
Perhaps, would it be possible to be able to know with type of file the attachment is?
Isn't this already available with the JSON Expression Builder?
-- Today this isn't a solution available in the Json Expression Builder.
-- I may be misinterpreting this too but how are the "Advanced Insight" any different than this?
Hi @Antoine Lafond
1) We plan to solve the issue where it is not possible to create custom entities (or simply multiple entities of the same type) on the mapping level. Regardless, I see its value (and its is actually fairly easy to modify). I'll see if we can incorporate this addition to the first SiemplifyTools version. Thanks for the feedback
2) Based on my short research regarding domain extraction of URLs, it is not enough to use only REGEX. If you have a REGEX solution please do contact me via Slack and lets discuss. As for merging the "check entities..." action with the "extract URL domain" action, this is already complex enough in my opinion and I feel adding more functionality to it (and hence more complexity) will be its downfall. Maybe we should also discuss this one a bit further.
3) GetAttachment action returns file type as well (along side a 'blob' data in base64).
4) This is a little complex. The example you give is of a single entity with a single JSON result. On the generic level, you might have multiple entities (multiple users in this example) and then you start to see issues with the insight action. To deal with it, I am currently working on a set of actions that should, hopefully, give us enough flexibility to deal with a wider range of entity insight (and support multiple entities, not just one)
If you have any further questions and suggestions, please do not hesitate to let me know. This "tools" integration is created to make your life easier and I intend to incorporate as much feedback and flexibility as possible.
Yair
Hi @Yair Stern @ShakedTal ,
Just wanted to thank you both for taking the time to answer to these questions.
@Antoine Lafond thank you for your feedback.