iboss

Integration version: 9.0

Use Cases

  1. Perform enrichment actions - get data from iboss to enrich data in Google Security Operations SOAR alerts.
  2. Perform active actions - block an IP or URL in iboss from Google Security Operations SOAR.

Product Permission

In order to authenticate, actions perform two requests. The first request is to get a token and the second request is to get a special XSRF token.

Configure iboss integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
Cloud API Root String https://cloud.iboss.com/ Yes Specify the iboss cloud API Root.
Account API Root String https://accounts.iboss.com/ Yes Specify the iboss Account API Root.
Username String N/A Yes Specify the username of the iboss account.
Password Password N/A Yes Specify the password of the iboss account.
Verify SSL Checkbox Unchecked No If enabled, verify the SSL certificate for the connection to the iboss public cloud server is valid.
Run Remotely Checkbox Checked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to the iboss with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Run On

This action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
if successful:
print "Successfully connected to the iboss server with the provided connection parameters!"

The action should fail and stop a playbook execution:
if not successful:

print "Failed to connect to the iboss server! Error is {0}".format(exception.stacktrace)

General

Add URL to Policy Block List

Description

Add URL to iboss Block List.

How to find Category ID

  1. Navigate to Web Security -> Policy Layers.
  2. Open Developer Tools Console (Ctrl + Shift + I in Google Chrome).
  3. Navigate there to Network tab.
  4. Try to edit the needed block list.

In the console, you will see requests that are being made. Search among those requests for customCategoryId=xxxx parameter.

Parameters
Parameter Display Name Type Default Value Is Mandatory Description
Category ID Integer 1001 Yes Specify to which policy category you want to add the URL.
Priority Integer 50 Yes Specify priority of the URL that needs to be blocked.
Direction DDL

Destination

Possible values:

Destination

Source

Destination and Source

Yes Specify what is the direction of the URL.
Start Port Integer N/A No Specify the start port related to the URL that needs to be blocked. Note: if only "Start Port" or "End Port" is specified, the value will be added to both action parameters.
End Port Integer N/A No Specify the end port related to the URL that needs to be blocked. Note: if only "Start Port" or "End Port" is specified, the value will be added to both action parameters.
Note String N/A No Add a note related to the URL that needs to be blocked.
Is Regular Expression Checkbox Unchecked No If enabled, the URL will be considered as a regular expression.
Strip Scheme Checkbox Unchecked No If enabled, action will strip the scheme related to the URL.

Run On

This action runs on the following entities:

  • URL
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one of the provided URLs were blocked(is_success = true):
print "Successfully blocked the following URLs in the iboss category with ID {0}: \n {1}".format(category_id, entity.identifier list)

If fail to block specific URLs(is_success = true):
print "Action was not able to block the following URLs in the iboss category with ID {0}\n: {1}".format(category_id, [entity.identifier])

If fail to enrich for all entities (is_success = false):

print: "No URLs were blocked in the iboss category with ID {0}.".format(category_id)

If Policy is not a Block list: (is_success = false):

print "Category with ID {category_id} is not associated with a Block list."

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other:

print "Error executing action "Add URL to Policy Block List". Reason: {0}''.format(error.Stacktrace)

General

Add IP to Policy Block List

Description

Add IP to iboss Block List.

How to find Category ID

  1. Navigate to Web Security -> Policy Layers.
  2. Open Developer Tools Console (Ctrl + Shift + I in Google Chrome).
  3. Navigate there to Network tab.
  4. Try to edit the needed block list.

In the console, you will see requests that are being made. Search among those requests for customCategoryId=xxxx parameter.

Parameters
Parameter Display Name Type Default Value Is Mandatory Description
Category ID Integer 1001 Yes Specify to which policy category you want to add the URL.
Priority Integer 50 Yes Specify priority of the URL that needs to be blocked.
Direction DDL

Destination

Possible values:

Destination

Source

Destination and Source

Yes Specify what is the direction of the URL.
Start Port Integer N/A No Specify the start port related to the URL that needs to be blocked. Note: if only "Start Port" or "End Port" is specified, the value will be added to both action parameters.
End Port Integer N/A No Specify the end port related to the URL that needs to be blocked. Note: if only "Start Port" or "End Port" is specified, the value will be added to both action parameters.
Note String N/A No Add a note related to the URL that needs to be blocked.
Is Regular Expression Checkbox False No If enabled, URL will be considered as a regular expression.

Run On

This action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one of the provided URLs were blocked(is_success = true):
print "Successfully blocked the following URLs in the iboss category with ID {0}: \n {1}".format(category_id, entity.identifier list)

If fail to block specific URLs(is_success = true):
print "Action was not able to block the following URLs in the iboss category with ID {0}\n: {1}".format(category_id, [entity.identifier])

If fail to enrich for all entities (is_success = false):

print: "No URLs were blocked in the iboss category with ID {0}.".format(category_id)

If Policy is not a Block list: (is_success = false):

print "Category with ID {category_id} is not associated with a Block list."

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other:

print "Error executing action "Add URL to Policy Block List". Reason: {0}''.format(error.Stacktrace)

General

Add IP to Policy Block List

Description

Add IP to iboss Block List.

How to find Category ID

  1. Navigate to Web Security -> Policy Layers.
  2. Open Developer Tools Console (Ctrl + Shift + I in Google Chrome).
  3. Navigate there to Network tab.
  4. Try to edit the needed block list.

In the console, you will see requests that are being made. Search among those requests for customCategoryId=xxxx parameter.

Parameters
Parameter Display Name Type Default Value Is Mandatory Description
Category ID Integer 1001 Yes Specify to which policy category you want to add the IP.
Priority Integer 50 Yes Specify priority of the IP that needs to be blocked.
Direction DDL

Destination

Possible values:

Destination

Source

Destination and Source

Yes Specify what is the direction of the IP.
Start Port Integer N/A No Specify the start port related to the IP that needs to be blocked. Note: if only "Start Port" or "End Port" is specified, the value will be added to both action parameters.
End Port Integer N/A No Specify the end port related to the IP that needs to be blocked. Note: if only "Start Port" or "End Port" is specified, the value will be added to both action parameters.
Note String N/A No Add a note related to the IP that needs to be blocked.
Is Regular Expression Checkbox Unchecked No If enabled, IP will be considered as a regular expression.

Run On

This action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one of the provided IPs were blocked(is_success = true):
print "Successfully blocked the following IPs in the iboss category with ID {0}: \n {1}".format(category_id, entity.identifier list)

If fail to block specific IPs(is_success = true):
print "Action was not able to block the following IPs in the iboss category with ID {0}\n: {1}".format(category_id, [entity.identifier])

If fail to enrich for all entities (is_success = false):

print: "No IPs were blocked in the iboss category with ID {0}.".format(category_id)

If Policy is not a Block list: (is_success = false):

print "Category with ID {category_id} is not associated with a Block list."

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other:

print "Error executing action "Add IP to Policy Block List". Reason: {0}''.format(error.Stacktrace)

General

List Policy Block List Entries

Description

Return iboss Block List entries in a specific group.

How to find Category ID

  1. Navigate to Web Security -> Policy Layers.
  2. Open Developer Tools Console (Ctrl + Shift + I in Google Chrome).
  3. Navigate there to Network tab.
  4. Try to edit the needed block list.

In the console, you will see requests that are being made. Search among those requests for customCategoryId=xxxx parameter.

Parameters
Parameter Display Name Type Default Value Is Mandatory Description
Category ID Integer 1001 Yes Specify in which policy category do you want to list Block List entries.
Max Entries to Return Integer 50 Yes Specify how many entries to return.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "entries": [
       {
          "direction": 0,
          "endPort": 0,
          "isRegex": 0,
          "note": "",
          "priority": 0,
          "startPort": 0,
          "type": 0,
          "url": "asaa.com",
          "weight": 501
       }
    ],
    "message": ""
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful returned and is available data(is_success = true):
print "Successfully listed entries from the iboss Block List in a category with ID '{0}'".format(category_id)

If returned and no data (is_success = false):

print: "No Block List entries were found in the iboss category with ID {0}.".format(category_id)

If Policy is not a Block list: (is_success = false)

Print "Category with ID {category_id} is not associated with a Block list."

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other:

print "Error executing action "List Policy Block List Entries". Reason: {0}''.format(error.Stacktrace)

General
CSV Case Wall

Name: "Block List Entries. Category {0}".format(Category)

Columns:

  • Name (mapped as url)
  • Priority (mapped as priority)
  • Weight (mapped as weight)
  • Direction (mapped as direction. Check action behaviour)
  • Start Port (mapped as startPort)
  • End Port (mapped as endPort)
  • Note (mapped as note)
  • Regex (mapped as isRegex. 1 = True, 0 = False)

Remove URL from Policy Block List

Description

Remove URL from iboss Block List.

How to find Category ID

  1. Navigate to Web Security -> Policy Layers.
  2. Open Developer Tools Console (Ctrl + Shift + I in Google Chrome).
  3. Navigate there to Network tab.
  4. Try to edit the needed block list.

In the console, you will see requests that are being made. Search among those requests for customCategoryId=xxxx parameter.

Parameters
Parameter Display Name Type Default Value Is Mandatory Description
Category ID Integer 1001 Yes Specify from which policy category do you want to remove the URL.
Start Port Integer N/A No Specify the start port related to the URL that needs to be deleted. This parameter is mandatory if the desired URL has a defined start port. This is an iboss limitation.
End Port Integer N/A No Specify end port related to the URL that needs to be deleted. This parameter is mandatory if the desired URL has a defined end port. This is an iboss limitation.
Strip Scheme Checkbox Un-checked No If enabled, action will strip the scheme related to the URL.

Run On

This action runs on the following entities:

  • URL
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one of the provided URLs were removed (is_success = true):
print "Successfully removed the following URLs from the iboss category with ID {0}: \n {1}".format(category_id, entity.identifier list)

If fail to remove specific URLs(is_success = true):

print "Action was not able to remove the following URLs from the category with ID {0}\n: {1}".format(category_id, [entity.identifier])

If fail to enrich for all entities (is_success = false):

Print: "No URLs were removed from the iboss category with ID {0}.".format(category_id)

If Policy is not a Block list: (is_success = false):

Print "Category with ID {category_id} is not associated with a Block list."

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other:

print "Error executing action "Remove URL from Policy Block List". Reason: {0}''.format(error.Stacktrace)

General

Remove IP from Policy Block List

Description

Remove IP from iboss Block List.

How to find Category ID

  1. Navigate to Web Security -> Policy Layers.
  2. Open Developer Tools Console (Ctrl + Shift + I in Google Chrome).
  3. Navigate there to Network tab.
  4. Try to edit the needed block list.

In the console, you will see requests that are being made. Search among those requests for customCategoryId=xxxx parameter.

Parameters
Parameter Display Name Type Default Value Is Mandatory Description
Category ID Integer 1001 Yes Specify from which policy category do you want to remove IP.
Start Port Integer N/A No Specify start port related to the IP that needs to be deleted. This parameter is mandatory if the desired URL has a defined start port. This is an iboss limitation.
End Port Integer N/A No Specify end port related to the IP that needs to be deleted. This parameter is mandatory if the desired IP has a defined end port. This is an iboss limitation.

Run On

This action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one of the provided URLs was removed (is_success = true):
print "Successfully removed the following IPs from the iboss category with ID {0}: \n {1}".format(category_id, entity.identifier list)

If fail to remove specific URLs(is_success = true):

print "Action was not able to remove the following IPs from the iboss category with ID {0}\n: {1}".format(category_id, [entity.identifier])

If fail to enrich for all entities (is_success = false):

print: "No IPs were removed from the iboss category with ID {0}.".format(category_id)

If Policy is not a Block list: (is_success = false)

Print "Category with ID {category_id} is not associated with a Block list."

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to the server, other:

print "Error executing action "Remove IP from Policy Block List". Reason: {0}''.format(error.Stacktrace)

General

URL Lookup

Description

Perform URL Lookup.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Group ID Integer N/A No Specify for which group to perform a URL Lookup. If nothing is specified, the "Default" group will be used.

Run On

This action runs on the following entities:

  • URL
  • Hostname

Action Results

Entity Enrichment
Enrichment Field Name Source (JSON Key) Logic - When to apply
IBOSS_group_{group_id}_categories categories When available in JSON
IBOSS_group_{group_id}_action action When available in JSON
IBOSS_group_{group_id}_message message When available in JSON
Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "action": "Not Blocked",
    "categories": "Pornography/Nudity",
    "message": "Url Known."
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided URLs was looked up (is_success = true):
print "Successfully retrieved information about the following URLs: \n {0}".format( entity.identifier list)

If fail to lookup specific URLs(is_success = true):

Print: "Action was not able to retrieve information about the following URLs\n: {0}".format([entity.identifier])

If fail to lookup for all entities (is_success = false):

Print "No information was retrieved about URLs."

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to the server, other:

print "Error executing action "URL Lookup". Reason: {0}''.format(error.Stacktrace)

General

URL Recategorization

Description

Submit URL for recategorization.

Run On

This action runs on the URL entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one of the provided URLs was submitted(is_success = true):
print "Successfully submitted the following URLs for recategorization: \n {0}".format( entity.identifier list)

If fail to remove specific URLs(is_success = true):

print "Action was not able to submit the following URLs for recategorization\n: {0}".format([entity.identifier])

If fail to enrich for all entities (is_success = false):

print: "No URLs were submitted for recategorization."

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other:

print "Error executing action "URL Recategorization". Reason: {0}''.format(error.Stacktrace)

General