Siemplify

Integration version: 80.0

Configure Siemplify integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
Monitors Mail Recipients String example@example.com, example1@example.com Yes Monitors Mail Recipients
Elastic Server Address String localhost Yes Elastic Server Address
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Add to Custom List

Description

Add an Entity Identifier to a categorized Custom List, in order to perform future comparisons in other actions.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Category String N/A Yes A custom list of categories to be used.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult True/False ScriptResult:False
JSON Result
N/A

Add Entity Insight

Description

Add an insight configurable message to each targeted entity.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Message String N/A Yes Message content to be added.

The Message parameter supports HTML elements, for example:

<h1>H1 Heading</h1>
<h2>H2 Heading</h2>

<p>Paragraph</p>
<b>Bold text</b>
<br>
<a href="google.com">Link</a>

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
null N/A N/A
JSON Result
N/A

Add General Insight

Description

Add a general insight configurable message to the case.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Title String N/A Yes The title of the insight.
Message String N/A Yes The message that is placed on the insight.
Triggered By String N/A No A description for the cause of this insight.

The Message parameter supports HTML elements, for example:

<h1>H1 Heading</h1>
<h2>H2 Heading</h2>

<p>Paragraph</p>
<b>Bold text</b>
<br>
<a href="google.com">Link</a>

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
null N/A N/A
JSON Result
N/A

Add Tags To Similar Cases

Description

First use SDK to get similar cases. Take the IDs and use them in the loop over which you will iterate, when running add tag method. Action should support comma-separated values.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Rule Generator Checkbox Checked No

Search for similar cases by the same Rule Generator.

Note: All these search criteria are joined using logical 'AND' condition and are used in the same search.

Port Checkbox Checked No

Search for similar cases by the same Port number.

Note: All these search criteria are joined using logical 'AND' condition and are used in the same search.

Category Outcome Checkbox Checked No

Search for similar cases by the same Category Outcome.

Note: All these search criteria are joined using logical 'AND' condition and are used in the same search.

Entity Identifier Checkbox Checked No

Search for similar cases containing the same Entity Identifier.

Note: All these search criteria are joined using logical 'AND' condition and are used in the same search.

Days Back String N/A Yes Defines the number of days back the search should look for similar cases.
Tags String N/A Yes Specify a comma-separated list of tags that you want to add to similar cases.

Assign Case

Description

Assign case to specific user or usergroup.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Assigned User String N/A Yes User or Usergroup to whom a case should be assigned.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
null N/A N/A
JSON Result
N/A

Attach Playbook to Alert

Description

Attach a specific playbook to an alert.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Playbook Name String N/A Yes Playbook which should be attached to an alert.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
null N/A N/A

Case Comment

Description

Add a comment to the case the current alert has been grouped to.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Comment String N/A Yes Comment to be added to the case.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
SuccessStatus True/False SuccessStatus:False
JSON Result
N/A

Case Tag

Description

Add given tag to the case the current alert is grouped to.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Tag String N/A Yes Tag to be added to the case.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
null N/A N/A
JSON Result
N/A

Change Case Stage

Description

Change case stage to handling.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Stage DDL N/A Yes Stage to which the case should be moved to.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
null N/A N/A
JSON Result
N/A

Change Priority

Description

Automatically change case priority to the given input.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Priority DDL N/A Yes Priority which should be set for the case.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
null N/A N/A
JSON Result
N/A

Close Alert

Description

Closes the current alert.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Reason DDL N/A Yes Alert closure reason.
Root Cause DDL N/A Yes Root cause of the alert closure.
Comment String N/A Yes Comment content.
Assign to User DDL N/A No User that the closed case is assigned to.
Tags String N/A No Comma-separated tags values.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
StatusResult True/False StatusResult:False
JSON Result
N/A

Close Case

Description

Closes the case the current alert has been grouped to.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Reason DDL N/A Yes Closure reason.
Root Cause DDL N/A Yes Root cause of the case closure.
Comment String N/A Yes Comment content.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
StatusResult True/False StatusResult:False
JSON Result
N/A

Create Entity

Description

Creates an entity and adds it to the requested alert.

The "Create Entity" action update released within version 57 of the integration, provides different functionalities in various Google Security Operations SOAR Platform versions:

  • For version 5.6.2+: The user can choose delimiter in the mapping process, and the DB configuration is ignored.
  • For versions between 5.6.0, inclusive and up to 5.6.2, exclusive: There are two different places where delimiting takes place:

    • The action
    • Google Security Operations SOAR DB

    If you want to use a different delimiter in the entity creation process, make sure to align it between the two places. For example, if you have a custom Delimiter that is '&' , you can:

    • Make sure to change it to '&' in both places.
    • In the DB, change it to '&' and keep empty in the action, to avoid "Double Delimiting".
  • For versions up to 5.6.0: This change doesn't affect delimiting.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Entities Identifies String N/A Yes

Entity identifier or comma-separated list of identifiers.

Example: value1,value2,value3

Entity Type List N/A Yes

Google Security Operations SOAR entity type.

Example: HOSTNAME / USERNAME

Delimiter String ' , ' No

Provide a delimiter character, with which the action splits the input it gets into a number of entities instead of a single one.

If no value is provided, the action does not perform any splitting on the input, and it's handled as a single entity.

Is Internal Checkbox Unchecked No Mark if entities are part of an internal network.
Is Suspicious Checkbox Unchecked No Mark if entities are suspicious.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
StatusResult True/False StatusResult:False
JSON Result
N/A

Create or Update Entity Properties

Description

Create or change properties for entities in the entity scope.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Entity Field String N/A Yes Field that has to be created or updated.
Field Value String N/A Yes Value that has to be set to the field.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Get Similar Cases

Description

Search for similar cases and return their IDs.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Rule Generator Checkbox Checked No

Search for similar cases by the same Rule Generator.

Note: All these search criteria are joined using logical 'AND' condition and are used in the same search.

Port Checkbox Checked No

Search for similar cases by the same Port number.

Note: All these search criteria are joined using logical 'AND' condition and are used in the same search.

Category Outcome Checkbox Checked No

Search for similar cases by the same Category Outcome.

Note: All these search criteria are joined using logical 'AND' condition and are used in the same search.

Entity Identifier Checkbox Checked No

Search for similar cases containing the same Entity Identifier.

Note: All these search criteria are joined using logical 'AND' condition and are used in the same search.

Days Back String N/A Yes Defines the number of days back the search should look for similar cases.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
SimilarCasesIds N/A N/A
JSON Result
N/A

Instruction

Description

Set an instruction for the analyst.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Instruction String N/A Yes Instruction content.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
null N/A N/A
JSON Result
N/A

Is in Custom List

Description

Check whether an Entity Identifier is part of a predefined dynamic categorized Custom List.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Category String N/A Yes Custom list category.

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A

Mark as Important

Description

Mark case as important.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
null N/A N/A
JSON Result
N/A

Open Web Url

Description

Generate a browser link.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Title String N/A Yes Title for URL.
URL String N/A Yes Target URL.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
null N/A N/A
JSON Result
N/A

Permitted Alert Time

Description

Check case time according to a given time condition.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Permitted Start Time String N/A Yes

Start of the timeframe, when alerts are allowed.

Example: 9:55:24

Permitted End Time String N/A Yes

End of the timeframe, when alerts are allowed.

Example: 17:23:21

Monday Checkbox Unchecked No N/A
Tuesday Checkbox Checked No N/A
Wednesday Checkbox Checked No N/A
Thursday Checkbox Unchecked No N/A
Friday Checkbox Unchecked No N/A
Saturday Checkbox Unchecked No N/A
Sunday Checkbox Unchecked No N/A
Input Timezone String UTC Yes

Timezone name.

Example: UTC.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
permitted N/A N/A
JSON Result
N/A

Ping

Description

Test Connectivity.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
null N/A N/A
JSON Result
N/A

Raise Incident

Description

Raise case incident. Used to mark critical true positive cases.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
null N/A N/A
JSON Result
N/A

Remove From Custom List

Description

Remove an Entity Identifier from a categorized Custom List, in order to perform future comparisons in other actions.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Category String N/A Yes Custom list category to be used.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A

Run Remote

Description

Run remote action through publisher.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Publisher Name String N/A Yes Publisher instance name to be used.
Remote Integration Name String N/A Yes Remote integration name to be used.
Remote Action Name String N/A Yes Remote action name to be used.
Remote Context Data String N/A Yes Remote action context data
Remote Action Script String N/A Yes Remote action script content to be executed.
Agent ID String N/A Yes Action's target agent ID.
Installed Integrations Shared Folder String N/A Yes Installed Integrations Shared Folder.
Verify SSL Checkbox Unchecked No Enables or disables SSL Verification between the Google Security Operations SOAR machine and the remote Publisher.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
success True/False success:False
JSON Result
N/A

Test Siemplify Proxy

Description

Test connection to a given endpoint using proxy settings configured in Google Security Operations SOAR.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Endpoint URL String N/A Yes The endpoint to try to connect to.
HTTP Method String GET Yes The HTTP method to use when connecting to the endpoint.
Body String GET No The body of the HTTP request.
Verify SSL Checkbox Checked No Enables\Disables SSL Verification between Google Security Operations SOAR machine and the remote Publisher

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
success True/False success:False
JSON Result
N/A

Remove Tag

Description

Remove tags from a case.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Tag String N/A Yes Specify the tag that needs to be removed. Comma-separated values.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
success True/False success:False
JSON Result
N/A
Case Wall
Result Type Value / Description Type
Output message*

If the tag was successfully removed: (is_success=true): "Successfully removed the following tags from case {case_id}: /n {tags}"

If an error is reported (is_success=false): "Error executing action {action name}" (error message should include the reason)

If a case is closed: It is not possible to remove the tag.

General

Set Case SLA

Description

Set the SLA for a case. This action has the highest priority and it will override the existing SLA defined for the specific case.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
SLA Period Integer 5 Yes The period of time after which the SLA is in breach.
SLA Time Unit DDL Minutes

Possible values:

    Minutes
  • Hours
  • Days
Yes Specify the unit for SLA Time.
SLA Time To Critical Period Integer 4 Yes

The period of time after which the SLA enters the critical period.

Value of this parameter needs to be less than value of the SLA Period parameter.

SLA Time To Critical Unit DDL Minutes

Possible values:

    Minutes
  • Hours
  • Days
Yes Specify the unit for SLA Time To Critical.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
success True/False success:False
JSON Result
N/A

Set Alert SLA

Description

Set the SLA for an alert. This action has the highest priority and it will override the existing SLA defined for the specific alert.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
SLA Period Integer 5 Yes The period of time after which the SLA is in breach.
SLA Time Unit DDL Minutes

Possible values:

    Minutes
  • Hours
  • Days
Yes Specify the unit for SLA Time.
SLA Time To Critical Period Integer 4 Yes

The period of time after which the SLA enters the critical period.

Value of this parameter needs to be less than value of the SLA Period parameter.

SLA Time To Critical Unit DDL Minutes

Possible values:

    Minutes
  • Hours
  • Days
Yes Specify the unit for SLA Time To Critical.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
success True/False success:False
JSON Result
N/A

Update Case Description

Description

Update a case description.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Description String N/A Yes Specify a description that should be set for the case.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
StatusResult True/False StatusResult:False
Case Wall
Result Type Value / Description Type
Output message*

If successful: (is_success=true): "Successfully updated case description."

If a fatal error, like invalid credentials, API root, other is reported (is_success=false): "Error executing action "Update Case Description". Reason: {error traceback}"

General

Get Scope Context Value

Description

Action gets a value stored under a specified key in the Google Security Operations SOAR database. Available scopes to get context values for: Alert, Case, Global.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Context Scope DDL

Select One

Possible Values:

  • Not specified
  • Alert
  • Case Global
Yes Specify the Google Security Operations SOAR context scope to return context keys for.
Key Name String N/A Yes Specify the key name to get context value for.
Create Case Wall Table Checkbox Checked No If enabled, the case wall table is created as part of action results.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result

Action should return JSON result of the stored context value.

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available and scope IS global or connector AND context key is specified (is_success=true): "Successfully found context value for the provided context key {context_key} with scope {context_scope}.".

If data is not available (is_success=false): "No context values were found for the provided context scope {context_scope}."

If data is not available and context key is specified (is_success=false): "Context value was not found for the provided context key {context_key} with scope {context_scope}."

If data is available (is_success = true), the "Create Case Wall Table" parameter is set to true, and the size of context value is more than 5000 characters: "Action will not return the Case Wall table as the context value(s) are too big.".

The action should fail and stop a playbook execution:

If the "Context Type" parameter is set to default of "Not Specified": "Error executing action "Get Context Value". Reason: Value for "Context Type" parameter is not specified."

If a fatal error, like wrong credentials, no connection to the server, other:

"Error executing action "Get Context Value". Reason: {0}''.format(error.Stacktrace)"

General
Table

Table Name: Context Values for scope {scope} Table Columns:

  • Key
  • Value
General

Set Scope Context Value

Description

Action sets a value for a key specified that is stored in the Google Security Operations SOAR database. Available scopes to get context values for: Alert, Case, Global.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Context Scope DDL

Select One

Possible Values:

  • Not specified
  • Alert
  • Case
  • Global
Yes Specify the Google Security Operations SOAR context scope to return context keys for.
Key Name String N/A Yes Specify the key name to set context value for.
Key Value String N/A Yes Specify the value to store under the specified key.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result

Action should return JSON result of the context key(s) that were set.

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available (is_success=true): "Successfully set context value for the context key {context_key} with scope {context_scope}.".

The action should fail and stop a playbook execution:

If the "Context Type" parameter is set to default of "Not Specified": "Error executing action "Set Context Value". Reason: Value for "Context Type" parameter is not specified."

If a fatal error, like wrong credentials, no connection to the server, other:

"Error executing action "Set Context Value". Reason: {0}''.format(error.Stacktrace)

General

Get Connector Context Value

Description

Action gets a value stored under a specified key in the Google Security Operations SOAR database for a connector context.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Connector Identifier String N/A Yes

Specify connector identifier to list context keys for.

Parameter works together with the "Connector Identifier Filter Logic" parameter.

Key Name String N/A No Optionally specify the key name to get context value for.
Create Case Wall Table Checkbox Checked No If enabled, the case wall table is created as part of action results.

Use Cases

Fetch value stored in DB.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result

Action should return JSON result of the stored context value.

Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available and the context key is specified (is_success=true): "Successfully found context value for the provided context key {context_key} for connector identifier {connector identifier}.".

If data is not available and the context key is specified (is_success=false): "Context value was not found for the provided context key {context_key} and connector identifier {connector_identifier}."

If data is available (is_success=true) and the "Create Case Wall Table" parameter is set to true, and the size of context value is more than 5000 characters: "Action will not return the Case Wall table as the context value(s) are too big.".

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported:

"Error executing action "Get Context Value". Reason: {0}''.format(error.Stacktrace)

General
Table

Table Name: Available Connector Context Values Table Columns:

  • Connector identifier
  • Key
  • Value
General

Jobs

Actions Monitor

Description

Notifies of all the actions, that have individually failed at least 3 times, in the last 3 hours.

Cases Collector

Description

Collects cases and connector logs from Publisher.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Publisher ID String N/A Yes N/A
Verify SSL Checkbox Unchecked Yes N/A

Connectors Monitor

Description

Notifies about any error in the (connectors) alert ingestion process.

Delete Case Files History

Description

Deletes case files that are older than X days from Done and Error folders of the ETL.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Days String 10 Yes N/A

ETL Monito

Description

Notifies about any error in the ETL alert ingestion process.

Jobs Monitor

Description‌

Notifies about all the jobs that had failed in the last 3 hours.

Logs Collector

Description‌

Notifies about all the jobs that had failed in the last 3 hours.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Publisher ID String N/A Yes N/A
Verify SSL Checkbox Unchecked No N/A

Machine Resource Utilization

Description‌

Notifies if the machine resource utilization is close to full usage, according to the following rules:

  • CPU - over 90%
  • MEM - over 85%
  • Drive - over 80%

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
CPU Limit Integer 90 Yes N/A
Memory Limit integer 85 Yes N/A
Drives Limit Integer 80 Yes N/A
Disks String N/A No N/A

Measurement Monitor

Description‌‌

Sends an email report of various system measurement to configured admins.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Additional Email Recipients String Insights@siemplify.co No This job sends an email to the recipients defined in this parameter and in the Google Security Operations SOAR Integration Configuration.
Metrics Output Folder String N/A No Output folder location. For each job run a CSV output containing the metrics is saved here.
Max CSV Files Count Retention Integer 100 No The maximum number of the CSV output files to save under Metrics Output Folder.