Amazon Macie

Integration version: 5.0

Configure Amazon Macie integration in Google Security Operations SOAR

For detailed instructions about how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter name Type Default value Is mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
AWS Access Key ID String N/A Yes AWS Access Key ID to use in integration.
AWS Secret Key Password N/A Yes AWS Secret Key to use in integration.
AWS Default Region String N/A Yes AWS default region to use in integration, for example us-west-1.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to the Amazon Macie service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Use cases

The action is used to test connectivity at the integration configuration page on the Google Security Operations Marketplace tab, and it can be executed as a manual action, not used in playbooks.

Run on

This action doesn't run on entities.

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Amazon Macie service with the provided connection parameters!"

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace)

Genera

List Findings

Description

List Amazon Macie findings based on the specified action input parameters.

Parameters

Parameter name Type Default value Is mandatory Description
Finding Type String N/A No

Finding type to search for, for example SensitiveData:S3Object/Credentials or SensitiveData:S3Object/Multiple.

Parameter accepts multiple values as a comma-separated string.

If nothing is specified, the action returns all types of findings.

Severity String 4 No

Finding severity to search - High, Medium or Low.

Parameter accepts multiple values as a comma-separated string.

If nothing is specified, the action returns all findings regardless of severity.

Include Archived Findings? Checkbox Unchecked No Specify whether to include archived findings in results or not.
Time Frame Integer 4 No Specify a time frame in hours for which to fetch findings.
Record limit Integer 20 No Specify how many records can be returned by the action.
Sort by String N/A No

Specify a parameter for sorting the data.

Example: updatedAt

Sort order DDL ASC No Sort order.

Use cases

List Amazon Macie findings to see what findings are available.

Run on

This action doesn't run on entities.

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
{'ResponseMetadata': {'HTTPHeaders': {'connection': 'keep-alive',
                                      'content-length': '2741',
                                      'content-type': 'application/json',
                                      'date': 'Thu, 22 Oct 2020 11:08:58 GMT',
                                      'x-amz-apigw-id': 'Uz07pGOKoAMFdTQ=',
                                      'x-amzn-remapped-content-length': '2741',
                                      'x-amzn-remapped-date': 'Thu, 22 Oct '
                                                              '2020 11:08:57 '
                                                              'GMT',
                                      'x-amzn-remapped-x-amzn-requestid': 'eaea00d2-11f8-40d8-adce-f6c9f17e9815',
                                      'x-amzn-requestid': '4102349a-a5da-4bfc-ad78-40f48885985f'},
                      'HTTPStatusCode': 200,
                      'RequestId': '4102349a-a5da-4bfc-ad78-40f48885985f',
                      'RetryAttempts': 0},
 'findings': [{'accountId': '582302349248',
               'archived': False,
               'category': 'CLASSIFICATION',
               'classificationDetails': {'detailedResultsLocation': 's3://[export-config-not-set]/AWSLogs/582302349248/Macie/us-east-1/088009521d393eda440a24f3c7ad8fbd/ad20d649-55b0-3137-ac1f-cd7e744377f6/',
                                         'jobArn': 'arn:aws:macie2:us-east-1:582302349248:classification-job/088009521d393eda440a24f3c7ad8fbd',
                                         'jobId': '088009521d393eda440a24f3c7ad8fbd',
                                         'result': {'additionalOccurrences': False,
                                                    'customDataIdentifiers': {'detections': [],
                                                                              'totalCount': 0},
                                                    'mimeType': 'application/zip',
                                                    'sensitiveData': [{'category': 'PERSONAL_INFORMATION',
                                                                       'detections': [{'count': 80,
                                                                                       'type': 'PHONE_NUMBER'},
                                                                                      {'count': 5,
                                                                                       'type': 'ADDRESS'},
                                                                                      {'count': 207,
                                                                                       'type': 'NAME'}],
                                                                       'totalCount': 292},
                                                                      {'category': 'CREDENTIALS',
                                                                       'detections': [{'count': 5,
                                                                                       'type': 'AWS_CREDENTIALS'}],
                                                                       'totalCount': 5}],
                                                    'sizeClassified': 44213802,
                                                    'status': {'code': 'PARTIAL',
                                                               'reason': 'ARCHIVE_CONTAINS_UNPROCESSED_FILES'}}},
               'count': 1,
               'createdAt': datetime.datetime(2020, 10, 22, 3, 12, 9, 364000, tzinfo=tzutc()),
               'description': 'The object contains more than one type of '
                              'sensitive information.',
               'id': 'a6ce788c0e623a3f160d1cc4b81f4802',
               'partition': 'aws',
               'region': 'us-east-1',
               'resourcesAffected': {'s3Bucket': {'arn': 'arn:aws:s3:::testsiemplify',
                                                  'createdAt': datetime.datetime(2020, 9, 14, 10, 31, 56, tzinfo=tzutc()),
                                                  'defaultServerSideEncryption': {'encryptionType': 'NONE'},
                                                  'name': 'testsiemplify',
                                                  'owner': {'displayName': 'lab_aws',
                                                            'id': '935dc3fed0e1d2c5b12242cf9927370824f2438681a2d3c0523f254dbde41aba'},
                                                  'publicAccess': {'effectivePermission': 'PUBLIC',
                                                                   'permissionConfiguration': {'accountLevelPermissions': {'blockPublicAccess': {'blockPublicAcls': False,
                                                                                                                                                 'blockPublicPolicy': False,
                                                                                                                                                 'ignorePublicAcls': False,
                                                                                                                                                 'restrictPublicBuckets': False}},
                                                                                               'bucketLevelPermissions': {'accessControlList': {'allowsPublicReadAccess': False,
                                                                                                                                                'allowsPublicWriteAccess': False},
                                                                                                                          'blockPublicAccess': {'blockPublicAcls': False,
                                                                                                                                                'blockPublicPolicy': False,
                                                                                                                                                'ignorePublicAcls': False,
                                                                                                                                                'restrictPublicBuckets': False},
                                                                                                                          'bucketPolicy': {'allowsPublicReadAccess': True,
                                                                                                                                           'allowsPublicWriteAccess': False}}}},
                                                  'tags': []},
                                     's3Object': {'bucketArn': 'arn:aws:s3:::testsiemplify',
                                                  'eTag': '8dfbe2ba101b3ca0a62f8fde823503b4-5',
                                                  'extension': 'zip',
                                                  'key': 'awscliv2.zip',
                                                  'lastModified': datetime.datetime(2020, 9, 28, 18, 47, 30, tzinfo=tzutc()),
                                                  'path': 'testsiemplify/awscliv2.zip',
                                                  'publicAccess': False,
                                                  'serverSideEncryption': {'encryptionType': 'NONE'},
                                                  'size': 33775890,
                                                  'storageClass': 'STANDARD',
                                                  'tags': [],
                                                  'versionId': ''}},
               'sample': False,
               'schemaVersion': '1.0',
               'severity': {'description': 'High', 'score': 3},
               'title': 'The S3 object contains multiple types of sensitive '
                        'information.',
               'type': 'SensitiveData:S3Object/Multiple',
               'updatedAt': datetime.datetime(2020, 10, 22, 3, 12, 9, 364000, tzinfo=tzutc())}]}
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Amazon Macie findings found"

If is_success=False, for example no findings were found: "No findings were returned."

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace)

General
Table

Table Name: Amazon Macie Findings

Table Columns:

  • Finding ID - "id"
  • Category
  • Title
  • Severity
  • Type
  • Is Archived - archived
  • Created At
  • Updated At

General

Get Findings

Description

Get Amazon Macie findings based on specified Finding ID.

Parameters

Parameter name Type Default value Is mandatory Description
Finding ID String N/A Yes

Finding ID to get details for.

Parameter can take multiple values as a comma-separated string.

Use Cases

Get Findings details while analyzing the alert. Finding in this case will not be "flat" out as if it will be from connector, and finding data might be easier to process.

Run on

This action doesn't run on entities.

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON Result
{
    "Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AddPerm",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::testsiemplify/*"
            }
        ]
    }
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Amazon Macie findings found"

If is_success=False, for example no findings were found: "No findings were returned."

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace)

General
Table

Table Name: Amazon Macie Findings

Table Columns:

  • Finding ID - "id"
  • Category
  • Title
  • Severity
  • Type
  • Is Archived - archived
  • Created At
  • Updated At
  • General

    Create Custom Data Identifier

    Description

    Create Amazon Macie Custom Data Identifier.

    Parameters

    Parameter name Type Default value Is mandatory Description
    Custom Data Identifier Name String N/A Yes Amazon Macie new custom data identifier name.
    Custom Data Identifier Description String N/A No Amazon Macie new custom data identifier description.
    Custom Data Identifier Regular Expression String N/A Yes Amazon Macie new custom data identifier regular expression. Example: I[a@]mAB[a@]dRequest
    Custom Data Identifier Keywords String N/A No Amazon Macie new custom data identifier keywords.
    Custom Data Identifier Ignore Words String N/A No Amazon Macie new custom data identifier ignore words.
    Custom Data Identifier Maximum Match Distance Integer 50 No Amazon Macie new custom data identifier maximum match distance.

    Use cases

    Create Amazon Macie custom data identifier based on the observed data, so later new custom data identifier can be used in classification jobs.

    Run on

    This action doesn't run on entities.

    Action results

    Script result
    Script result name Value options Example
    is_success True or False is_success:False
    JSON Result
    {'ResponseMetadata': {'HTTPHeaders': {'connection': 'keep-alive',
                                          'content-length': '65',
                                          'content-type': 'application/json',
                                          'date': 'Mon, 26 Oct 2020 05:15:07 GMT',
                                          'x-amz-apigw-id': 'VAM2LEqkoAMFU0g=',
                                          'x-amzn-remapped-content-length': '65',
                                          'x-amzn-remapped-date': 'Mon, 26 Oct '
                                                                  '2020 05:15:07 '
                                                                  'GMT',
                                          'x-amzn-remapped-x-amzn-requestid': '61217a30-189e-4573-9f76-257b7065a04d',
                                          'x-amzn-requestid': '509e1c12-ab86-459e-9d6d-790a359686b2'},
                          'HTTPStatusCode': 200,
                          'RequestId': '509e1c12-ab86-459e-9d6d-790a359686b2',
                          'RetryAttempts': 0},
     'customDataIdentifierId': 'ff43487b-5643-4de1-b651-9ecbeb3021ed'}
    
    Case wall
    Result type Description Type
    Output message*

    The action should not fail nor stop a playbook execution:

    If successful: "New Amazon Macie custom data identifier created: {0}".format(new identifier_id from response)

    If is_success=False, for example no findings were found: "Failed to create Amazon Macie Identifier. Error is: {0}".format(error from response)

    The action should fail and stop a playbook execution:

    If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace)

    General

    Delete Custom Data Identifier

    Description

    Delete Amazon Macie Custom Data Identifier.

    Parameters

    Parameter name Type Default value Is mandatory Description
    Custom Data Identifier ID String N/A No Amazon Macie custom data identifier id to delete.

    Use Cases

    Delete Amazon Macie Custom Data Identifier.

    Run on

    This action doesn't run on entities.

    Action results

    Script result
    Script result name Value options Example
    is_success True or False is_success:False
    Case wall
    Result type Description Type
    Output message*

    The action should not fail nor stop a playbook execution:

    If successful: "Amazon Macie custom data identifier {0} deleted".format(custom data identifier id)

    If is_success=False, for example no findings were found: "Failed to delete Amazon Macie Identifier {0}. Error is: {1}".format(custom data identifier id, error from response)

    The action should fail and stop a playbook execution:

    If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace)

    General

    Enable Macie

    Description

    Enable the Amazon Macie service.

    Parameters

    N/A

    Use cases

    Enable Amazon Macie after service window is completed.

    Run on

    This action doesn't run on entities.

    Action results

    Script result
    Script result name Value options Example
    is_success True or False is_success:False
    Case wall
    Result type Description Type
    Output message*

    The action should not fail nor stop a playbook execution:

    If successful: "Successfully enabled Amazon Macie service"

    If is_success=False: "Failed to enable Amazon Macie service. Error is: {0}".format(error from response)

    The action should fail and stop a playbook execution:

    If a critical error, like wrong credentials or lost connectivity is reported:"Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace)

    General

    Disable Macie

    Description

    Disable Amazon Macie service.

    Use Cases

    Disable Amazon Macie for service window - to make some change is AWS buckets and not cause a lot of false positives.

    Run on

    This action doesn't run on entities.

    Action results

    Script result
    Script result name Value options Example
    is_success True or False is_success:False
    Case wall
    Result type Description Type
    Output message*

    The action should not fail nor stop a playbook execution:

    If successful: "Successfully disabled Amazon Macie service"

    If is_success=False: "Failed to disable Amazon Macie service. Error is: {0}".format(error from response)

    The action should fail and stop a playbook execution:

    If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Amazon Macie service! Error is {0}".format(exception.stacktrace)

    General

    Connectors

    Amazon Macie - Findings Connector

    Use Cases

    Ingest Amazon Macie findings.

    Configure Amazon Macie - Findings Connector in Google Security Operations SOAR

    For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

    Connector parameters

    Use the following parameters to configure the connector:

    Parameter name Type Default value Is mandatory Description
    Product Field Name String N/A Yes The field name used to determine the device product.
    Event Field Name String N/A Yes The field name used to determine the event name (sub-type).
    Environment Field Name String N/A No N/A
    Environment Regex Pattern String N/A No N/A
    Script Timeout (Seconds) Integer 180 Yes Timeout limit for the python process running the current script.
    AWS Access Key ID String N/A True AWS Access Key ID to use in integration.
    AWS Secret Key Password N/A True AWS Secret Key to use in integration.
    AWS Default Region String N/A True AWS default region to use in integration, for example us-west-2.
    Finding severity to ingest String N/A No Finding severity to ingest - High, Medium or Low.

    Parameter accepts multiple values as a comma separated string.

    If nothing is specified, the connector ingests all findings regardless of severity.

    Max findings to fetch Integer 50 No Number of findings to process per one connector iteration.
    Fetch Max Hours Backwards Integer 1 No Number of hours from where to fetch findings.
    Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, whitelist is used as a blacklist.
    Proxy Server Address String N/A No The address of the proxy server to use.
    Proxy Username String N/A No The proxy username to authenticate with.
    Proxy Password Password N/A No The proxy password to authenticate with.

    Connector Rules

    Blacklist

    Disabled by default. Can be enabled with use blacklist as a whitelist checkbox.

    Whitelist

    The connector supports Whitelist. Whitelist logic: ingest only findings of specific type.

    Proxy Support

    The connector supports Proxy.