TIPCommon.base

TIPCommon.base.nativemethod

TIPCommon.base.nativemethod(method: Callable[[...], Any]) → Callable[[...], Any]

Decorator that marks a method as native.

Parameters

method (function) The method to be marked as native.

Returns

The decorated method.

Return type

function

TIPCommon.base.is_native

TIPCommon.base.is_native(method: Callable[[...], Any]) → bool

Returns True if the method is marked as native, False otherwise.

Parameters

method (function) The method to check.

Returns

True if the method is marked as native, False otherwise.

Return type

bool

class TIPCommon.base.connector.Connector

class TIPCommon.base.connector.Connector(script_name, is_test_run)

Bases: ABC

A unified generic infrastructure implementation for Google Security Operations SOAR connector development.

The Connector base class provides template abstract methods to override in the inherited connector classes, generic properties, and general flows as methods executed when calling the connector start method.

Parameters

script_name str

The name of the script using this connector.

is_test_run bool

Indicates whether the current run is a test run or not.

Attributes

siemplify The Siemplify connector execution object.

Type: SiemplifyConnectorExecution

script_name The name of the script using this connector.

Type: str

connector_start_time The time at which the connector started.

Type: int

logger The logger for this connector.

Type: str

is_test_run Indicates whether the current run is a test run or not.

Type: bool

params The parameters container for this connector.

Type: Container

context The context data container for this connector.

Type: Container

vars The runtime variables container used by the connector.

Type: Container

env_common The environment common handle object.

Type: EnvironmentHandle

error_msg The error message the connector will display in case of a generic failure.

Type: str

Abstract methods

validate_params(self) Validate the parameters for this connector.
read_context_data(self) Read the context data for this connector.
write_context_data(self, processed_alerts) Write the context data for this connector.
init_managers(self) Initialize the managers for this connector.
store_alert_in_cache(self, alert) Store the alert in the cache.
get_alerts(self) Get the alerts from the manager.
create_alert_info(self, alert) Create an alert info object.

Additional methods

Additional methods are called during the connector execution. They affect the alert processing phase but are not mandatory to override.

get_last_success_time(self, max_backwards_param_name, metric, padding_period_param_name, padding_period_metric, time_format, print_value, microtime) Calculates the connector's last successful timestamp.
max_alerts_processed(self, processed_alerts) Returns True if the Maximum alerts to process limit was reached during the connector execution.
pass_filters(self, alert) Boolean method to check if the alert passes through the connector filters.
filter_alerts(self, alerts) Filters alerts from the manager and returns the list of filtered alerts.
process_alert(self, alert) Additional alert processing, such as events enrichment.
finalize(self) A method to handle all post-processing logic before completing the current iteration of the connector.

Example

import sys

import TIPCommon
from TIPCommon.base import Connector
from TIPCommon.data_models import BaseAlert
from SiemplifyConnectorsDataModel import AlertInfo


class FakeAlert(BaseAlert):
    def __init__(self, raw_data):
        super().__init__(raw_data, raw_data.get('Id'))
        # Keep the timestamps on the object so create_alert_info can read them
        self.start_time = raw_data.get('StartTime')
        self.end_time = raw_data.get('EndTime')


class FakeConnector(Connector):
    def validate_params(self):
        self.params.user_email = self.param_validator.validate_email(
            'User Email',
            self.params.user_email
        )

    def read_context_data(self):
        self.context.ids = TIPCommon.read_ids(self.siemplify)

    def init_managers(self):
        # FakeManager stands for the integration's own API client class
        self.manager = FakeManager(self.params.user_email)

    def get_alerts(self):
        raw_alerts = self.manager.get_alerts()
        parsed_alerts = []
        for alert in raw_alerts:
            parsed_alerts.append(FakeAlert(alert))
        return parsed_alerts

    def store_alert_in_cache(self, alert):
        self.context.ids.append(alert.alert_id)

    def create_alert_info(self, alert):
        alert_info = AlertInfo()
        alert_info.ticket_id = alert.alert_id
        alert_info.display_id = alert.alert_id
        alert_info.name = "Fake Alert"
        alert_info.device_vendor = "Fake Device Vendor"
        alert_info.device_product = "Fake Device Product"
        alert_info.start_time = alert.start_time
        alert_info.end_time = alert.end_time
        alert_info.environment = self.env_common.get_environment(
            TIPCommon.dict_to_flat(alert.to_json())
        )
        return alert_info

    def write_context_data(self):
        TIPCommon.write_ids(self.siemplify, self.context.ids)

    def get_last_success_time(self):
        return super().get_last_success_time(
            max_backwards_param_name="max_days_backwards",
            metric="days",
            padding_period_param_name="padding_period",
            padding_period_metric="hours"
        )


if __name__ == '__main__':
    script_name = "MyFakeConnector"
    is_test = TIPCommon.is_test_run(sys.argv)
    connector = FakeConnector(script_name, is_test)
    connector.start()

abstract create_alert_info

abstract create_alert_info(alert: BaseAlert) → AlertInfo

Creates an alert info object.

Parameters

alert The alert to create the alert info object for.

Raises

ConnectorSetupError, if there is an error creating the alert info object.

extract_params

extract_params() → None

Extracts connector parameters from UI and stores them in the params container.

filter_alerts

filter_alerts(alerts: list[BaseAlert]) → list[BaseAlert]

Filters alerts from manager and returns the list of filtered alerts.

Parameters

alerts A list of alerts.

Returns

A list of filtered alerts.

finalize

finalize() → None

The method is used to handle all post-processing logic before completing the connector's current iteration.

Examples

class MyConnector(Connector):
    # method override
    def finalize(self) -> None:
        self.manager.logout()

abstract get_alerts

abstract get_alerts() → list[BaseAlert]

Get alerts from the manager and return a list of alerts.

Raises

ConnectorSetupError, if there is an error getting the alerts.

get_last_success_time

get_last_success_time(max_backwards_param_name=None, metric='hours', padding_period_param_name=None, padding_period_metric='hours', time_format=2, print_value=True, microtime=False, date_time_format=None)

Calculates the connector last successful timestamp using max TIME backwards and padding period connector parameters, where TIME is the time metric.

Parameters

max_backwards_param_name Optional

str

Name of the connector parameter that holds the alert fetching offset (how far back in time to fetch). If None is provided, the timestamp is calculated with an offset of 0.

Default value is None.

metric str

Time unit of the max backwards value, as used by the TIPCommon get_last_success_time method (for example hours or days).

Default value is hours.

padding_period_param_name Optional

str

Name of the connector parameter that holds the padding period applied to the calculated timestamp.

Default value is None.

padding_period_metric str

Time unit of the padding period, similar to the metric parameter.

Default value is hours.

time_format int

Defines which time format to return for the last success time.

Default value is DATETIME_FORMAT (the value 2 in the signature above).

print_value Optional

bool

Defines whether to log the value or not.

True by default.

microtime Optional

bool

If the time format is Unix, converts the stored timestamp from milliseconds to seconds.

False by default.

date_time_format Optional

str

When provided, the last success time is returned as a datetime string formatted with this pattern.

If time_format is not DATETIME_FORMAT, this parameter is ignored.

Example

# method override
def get_last_success_time(self):
    return super().get_last_success_time(
        max_backwards_param_name="max_days_backwards",
        metric="days",
        padding_period_param_name="padding_period",
        padding_period_metric="hours"
    )

Returns

Last success time in DATETIME or Unix format.

Return type

(any, int)

abstract init_managers

abstract init_managers() → None

Creates manager instance objects.

Example

class MyConnector(Connector):
    # method override
    def init_managers(self):
        # Keep the manager on the connector itself; params holds the UI parameters
        self.manager = MyManager(...)

Raises

ConnectorSetupError, if there is an error creating the manager instance objects.

load_env_common

load_env_common() → EnvironmentHandle

Downloads the environment handle object from the EnvironmentCommon module depending on the Siemplify platform deployment.

Raises

ConnectorSetupError, if the function couldn't create the environment handle object.

Returns

An environment handle object.

Return type

EnvironmentHandle

max_alerts_processed

max_alerts_processed(processed_alerts) → bool

Returns True if the Maximum alerts to process limit was reached during the connector execution.

Parameters

processed_alerts A list of processed alerts.

Returns

True if the Maximum alerts to process limit has been reached, False otherwise.

pass_filters

pass_filters(alert) → bool

Boolean method to check if the alert passes through the connector filters.

Parameters

alert The alert to check.

Returns

True if the alert passes the filters, False otherwise.

process_alert

process_alert(alert: BaseAlert) → BaseAlert

Extensive alert processing, such as events enrichment.

Parameters

alert The alert to process.

Returns

The processed alert.

process_alerts

process_alerts(filtered_alerts: list[BaseAlert], timeout_threshold: float = 0.9) → tuple[list[AlertInfo], list[BaseAlert]]

Main alert processing loop.

The steps for each alert object are as follows:

  1. Check if the connector is approaching timeout.
  2. Check the max alert count for a test run.
  3. Check the max alert count for a commercial run (override).
  4. Check if the alert passes through filters.
  5. Process the alert (override).
  6. Store the alert in cache, for example, id.json (override).
  7. Create the AlertInfo object.
  8. Check if the alert is overflowed.
  9. Append the alert to processed alerts.

Parameters

filtered_alerts list[BaseAlert]

List of filtered BaseAlert objects.

timeout_threshold Optional

float

Fraction of the connector's allowed run time after which the loop stops and returns the alerts processed so far.

Default value is 0.9.

To use a different timeout threshold, override this method as follows:

class MyConnector(Connector):
    # method override
    def process_alerts(self, filtered_alerts, timeout_threshold=0.8):
        return super().process_alerts(filtered_alerts, timeout_threshold)

Returns

A tuple containing a list of AlertInfo objects and a list of BaseAlert objects.
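The nine steps above, written out as an added example that is not TIPCommon code: a self-contained loop over constructed alerts, with a file-backed id list standing in for ids.json and plain dicts standing in for AlertInfo. The timeout check, the max-alerts cut-off, the filter rule and the bounded cache size are all assumptions made for the example; what it shows is the order of the steps and why the id check in the filter step is the idempotency guard that makes an overlapping fetch window safe.

```python
"""Added example, not TIPCommon code: the process_alerts loop from the step
list above, over constructed alerts, with a file-backed id cache standing in
for ids.json. Names, limits and the filter rule are assumptions."""
import json
import os
import tempfile
from dataclasses import dataclass

TIMEOUT_THRESHOLD = 0.9  # same default as Connector.process_alerts


@dataclass
class Alert:
    alert_id: str
    name: str
    start_time: int  # unix time in ms


def approaching_timeout(start_ms, timeout_ms, now_ms, threshold=TIMEOUT_THRESHOLD):
    """Step 1: stop once `threshold` of the allowed run time has elapsed, so the
    cache and timestamp are still written before the platform kills the script."""
    return (now_ms - start_ms) >= threshold * timeout_ms


def new_cache_path():
    """A fresh ids.json location in a temporary directory (for the demo)."""
    return os.path.join(tempfile.mkdtemp(), "ids.json")


def read_ids(path):
    """read_context_data stand-in: load previously ingested alert ids."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def write_ids(path, ids, keep_last=1000):
    """write_context_data stand-in: persist the ids, bounded (assumption) so the
    cache cannot grow without limit across iterations."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(ids[-keep_last:], fh)


def create_alert_info(alert):
    """Step 7: the minimal AlertInfo fields, as a plain dict."""
    return {
        "ticket_id": alert.alert_id,
        "display_id": alert.alert_id,
        "name": alert.name,
        "start_time": alert.start_time,
        "end_time": alert.start_time,
    }


def process_alerts(alerts, seen_ids, *, max_alerts, allowed_names,
                   start_ms, timeout_ms, now_ms):
    """Steps 1-9 in the documented order. Returns (alert_infos, attempted):
    the AlertInfo objects built this iteration and every alert the loop looked
    at, which is what set_last_success_time is fed."""
    alert_infos, attempted = [], []
    seen = set(seen_ids)
    for alert in alerts:
        if approaching_timeout(start_ms, timeout_ms, now_ms):   # step 1
            break
        if len(alert_infos) >= max_alerts:                      # steps 2-3
            break
        attempted.append(alert)
        # Step 4: filters. The id check is the idempotency guard: an alert the
        # API returns again (overlapping window, padding period) is not
        # ingested twice.
        if alert.alert_id in seen or alert.name not in allowed_names:
            continue
        # Step 5 (process_alert) would enrich the alert here.
        seen.add(alert.alert_id)                                # step 6
        seen_ids.append(alert.alert_id)
        alert_infos.append(create_alert_info(alert))            # steps 7-9
    return alert_infos, attempted


def run_iteration(feed, cache_path, **kwargs):
    """One connector iteration: read context, process, write context."""
    ids = read_ids(cache_path)
    infos, attempted = process_alerts(feed, ids, **kwargs)
    write_ids(cache_path, ids)
    return infos, attempted


# Constructed feed: a1 was ingested in an earlier iteration, a2 fails the filter.
SAMPLE_FEED = [
    Alert("a1", "Malware", 1_000),
    Alert("a2", "Phishing", 2_000),
    Alert("a3", "Malware", 3_000),
    Alert("a4", "Malware", 4_000),
    Alert("a5", "Malware", 5_000),
]

if __name__ == "__main__":
    path = new_cache_path()
    write_ids(path, ["a1"])
    infos, attempted = run_iteration(
        SAMPLE_FEED, path, max_alerts=2, allowed_names={"Malware"},
        start_ms=0, timeout_ms=100_000, now_ms=10_000)
    print([i["ticket_id"] for i in infos], [a.alert_id for a in attempted])
    print(read_ids(path))
```

Running the iteration twice against the same cache is the check worth keeping: the second pass must only ingest alerts the first one did not reach, even though the feed is identical.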

read_context_data

read_context_data() → None

Load context data from platform data storage (DB/LFS), such as alert IDs.

Example

from TIPCommon import read_ids

class MyConnector(Connector):
    # method override
    def read_context_data(self):
        self.context.ids = read_ids(self.siemplify)

Raises

ConnectorSetupError, if there is an error loading the context data.

set_last_success_time

set_last_success_time(alerts: list[BaseAlert], timestamp_key: str = None, incrementation_value=0, log_timestamp=True, convert_timestamp_to_micro_time=False, convert_a_string_timestamp_to_unix=False)

This method gets the timestamp of the most recent alert in alerts using timestamp_key, where alerts is the list of all alerts the connector has tried or completed processing, and stores this timestamp in the LFS/DB.

Parameters

alerts list[BaseAlert]

List of all alerts the connector has tried or completed processing.

timestamp_key Optional

str

The timestamp attribute name for each alert.

Default value is None.

incrementation_value Optional

int

The value, in milliseconds, by which to increment the last timestamp.

Default value is 0.

log_timestamp Optional

bool

Defines whether to log the timestamp or not.

True by default.

convert_timestamp_to_micro_time Optional

bool

Multiplies the timestamp by 1000 if True.

False by default.

convert_a_string_timestamp_to_unix Optional

bool

If the timestamp in the raw data is in the form of a string, the parameter converts the timestamp to Unix before saving it.

False by default.

Example

class MyAlert(BaseAlert):
    def __init__(self, raw_data, alert_id):
        super().__init__(raw_data, alert_id)
        self.timestamp = raw_data.get('DetectionTime')

class MyConnector(Connector):
    # method override
    def set_last_success_time(self, alerts):
        super().set_last_success_time(
            alerts=alerts,
            timestamp_key='timestamp'
        )
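The arithmetic behind get_last_success_time and set_last_success_time, as an added example that is not TIPCommon code. The concrete rules it applies (floor the stored timestamp at max backwards from now, then subtract the padding period; the new watermark never moves backwards) are assumptions stated in the code, not TIPCommon's documented behaviour; what the example makes visible is what each documented parameter changes (metric, padding period, microtime, timestamp_key, incrementation_value, convert_a_string_timestamp_to_unix, convert_timestamp_to_micro_time) and why the increment and the padding pull in opposite directions.

```python
"""Added example, not TIPCommon code: fetch-window and watermark arithmetic
for a connector, on constructed alerts. The rounding rules are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone

UNIT_MS = {"seconds": 1_000, "minutes": 60_000, "hours": 3_600_000, "days": 86_400_000}


@dataclass
class Alert:
    alert_id: str
    timestamp: "int | str"  # unix ms, or an ISO-8601 string from the API


def get_last_success_time(stored_ms, now_ms, *, max_backwards=0, metric="hours",
                          padding_period=0, padding_period_metric="hours",
                          microtime=False):
    """Start of the next fetch window in unix time.

    Assumed rule: never look further back than `max_backwards` units before now
    (bounds the first run and a long outage), then move the start earlier by
    the padding period so alerts that arrived late are still fetched. The
    duplicates this causes are the id cache's job, not this function's."""
    floor_ms = now_ms - max_backwards * UNIT_MS[metric]
    start_ms = max(stored_ms or 0, floor_ms)
    start_ms -= padding_period * UNIT_MS[padding_period_metric]
    # microtime: documented as converting milliseconds to seconds
    return start_ms // 1000 if microtime else start_ms


def to_unix_ms(value):
    """convert_a_string_timestamp_to_unix: accept ISO-8601 strings (with a
    trailing Z) as well as integer milliseconds; naive strings are taken as UTC."""
    if isinstance(value, str):
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return int(dt.timestamp() * 1000)
    return int(value)


def set_last_success_time(alerts, stored_ms, *, timestamp_key="timestamp",
                          incrementation_value=0,
                          convert_a_string_timestamp_to_unix=False,
                          convert_timestamp_to_micro_time=False):
    """New watermark from the newest alert the connector attempted.

    `incrementation_value` (ms) nudges the watermark past the newest alert so
    an API whose time filter is inclusive does not return it on every run.
    The watermark is never moved backwards (assumption)."""
    if not alerts:
        return stored_ms
    values = []
    for alert in alerts:
        ts = getattr(alert, timestamp_key)
        if convert_a_string_timestamp_to_unix:
            ts = to_unix_ms(ts)
        values.append(int(ts))
    newest = max(values) + incrementation_value
    if convert_timestamp_to_micro_time:
        newest *= 1000
    return max(stored_ms or 0, newest)


if __name__ == "__main__":
    DAY, HOUR = UNIT_MS["days"], UNIT_MS["hours"]
    now = 10 * DAY
    print(get_last_success_time(None, now, max_backwards=3, metric="days",
                                padding_period=2, padding_period_metric="hours"))
    # Constructed alerts: one carries a string timestamp as many APIs return it
    alerts = [Alert("a", 1_000), Alert("b", "2024-01-01T00:00:10Z"), Alert("c", 3_000)]
    print(set_last_success_time(alerts, 500, incrementation_value=1,
                                convert_a_string_timestamp_to_unix=True))
```

The two knobs to reason about together: the increment stops the newest alert from being re-fetched on the next run, the padding deliberately re-fetches a window of older alerts, and neither protects against duplicate cases on its own; the id cache written by store_alert_in_cache does.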

store_alert_in_cache

store_alert_in_cache(alert: BaseAlert)

Save alert ID to ids.json or equivalent.

Parameters

alert The alert with the ID to store.

Example

class MyConnector(Connector):
    # method override
    def store_alert_in_cache(self, alert):
        # self.context.alert_ids here is of type list
        self.context.alert_ids.append(alert.alert_id)

Raises

ConnectorSetupError, if there is an error storing the alert.

abstract validate_params

abstract validate_params() → None

Validate connector parameters.

Example

class MyConnector(Connector):
    # method override
    def validate_params(self):
        self.params.user_email = self.param_validator.validate_email(
            param_name='User Email',
            email=self.params.user_email
        )

Raises

ConnectorSetupError, if any parameter is invalid.

write_context_data

write_context_data() → None

Save updated context data to the platform data storage (DB/LFS).

Example

from TIPCommon import write_ids

class MyConnector(Connector):
    # method override
    def write_context_data(self):
        write_ids(self.siemplify, self.context.ids)

Raises

ConnectorSetupError, if there is an error saving the context data.

class TIPCommon.base.action.base_action.Action

class TIPCommon.base.action.base_action.Action(script_name: str)

Bases: ABC

A unified generic infrastructure implementation for the Google Security Operations SOAR action development.

The Action base class provides template abstract methods to override in the inherited action classes, generic properties, and general flows as methods that are executed when calling the action's run method.

Parameters

script_name str

The name of the script that is using this action.

Attributes

soar_action The SiemplifyAction SDK object.

Type: SiemplifyAction

script_name The name of the script that is using this action.

Type: str

action_start_time The action start time.

Type: int

logger The logger object used for logging in actions.

Type: SiemplifyLogger

params The parameters container for this action.

Type: Container

global_context Dictionary to store the context if needed.

Type: dict

entity_types Entity types supported by the action.

Type: list[EntityTypesEnum]

entities_to_update The entities to update when the action ends.

Type: list[Entity]

json_results The action JSON results.

Type: JSON

attachments Case result attachments to add.

Type: list[Attachment]

contents Case result contents to add.

Type: list[Content]

data_tables Case result data tables to add.

Type: list[DataTable]

html_reports Case result HTML reports to add.

Type: list

links Case result links to add.

Type: list[Link]

entity_insights Case entity insights to add.

Type: list[EntityInsight]

case_insights Case insights to add.

Type: list[CaseInsight]

execution_state The action's final execution state.

Type: ExecutionState

result_value The action final result value.

Type: bool

output_message The action's output message in case of success.

Type: str

error_output_message The action's output message in case of failure.

Type: str

Main methods

run() Runs the action execution.
_get_adjusted_json_results() Adjusts the JSON result to a particular structure.

Abstract methods

_validate_params() Validates the parameters for this action.
_init_managers() Initializes and returns a manager object.
_perform_action() Performs the action's main logic.

Additional methods

These methods are called during the action execution and affect its flow (entity handling, finalization, timeouts) but are not mandatory to override.

  • _get_entity_types()
  • _finalize_action_on_success()
  • _finalize_action_on_failure()
  • _on_entity_failure()
  • _handle_timeout()

SDK wrapper methods

  • _add_attachment_to_current_case()
  • _get_current_case_attachments()
  • _add_comment_to_case()
  • _get_current_case_comments()
  • _assign_case_to_user()
  • _add_tag_to_case()
  • _attach_playbook_to_current_alert()
  • _get_similar_cases_to_current_case()
  • _get_alerts_ticket_ids_from_cases_closed_since_timestamp()
  • _change_current_case_stage()
  • _change_current_case_priority()
  • _close_current_case()
  • _close_alert()
  • _escalate_case()
  • _mark_case_as_important()
  • _raise_incident()
  • _add_entity_to_case()
  • _update_alerts_additional_data()
  • _get_current_integration_configuration()
  • _any_alert_entities_in_custom_list()
  • _add_alert_entities_to_custom_list()
  • _remove_alert_entities_from_custom_list()

Example

from __future__ import annotations

from TIPCommon.base.action.base_action import Action
from TIPCommon.base.utils import validate_manager, validate_entity
from TIPCommon.validation import ParameterValidator

SOME_ACTION_SCRIPT_NAME = 'Some Integration - Some Action'

# AManagerObject, Entity and SomeCustomException stand for the integration's
# own manager class, the SDK entity type and the manager's exception type.


class SomeAction(Action):
    def __init__(self, script_name: str) -> None:
        super().__init__(script_name)

    def _validate_params(self) -> None:
        validator = ParameterValidator(self.soar_action)
        ...  # validation logic using validator

    def _init_managers(self) -> AManagerObject:
        return AManagerObject(
            param1=self.params.param_1,
            param2=self.params.param_2,
        )

    def _perform_action(
            self,
            manager: AManagerObject,
            entity: Entity,
    ) -> None:
        self.logger.info('Validating manager is not None')
        validate_manager(manager)

        self.logger.info('Validating entity is not None')
        validate_entity(entity)

        try:
            self.logger.info('Querying manager')
            data = manager.do_something(
                param=self.params.query,
                entity=entity.original_identifier,
            )

            ...  # Some logic to process the data

        except SomeCustomException:
            # Set the failure message, then let the base class handle the exception
            self.error_output_message = (
                "Action wasn't able to successfully do its thing."
            )
            raise


def main() -> None:
    SomeAction(SOME_ACTION_SCRIPT_NAME).run()


if __name__ == '__main__':
    main()

property action_start_time

property action_start_time: int

Returns an int representing the action starting time in Unix.

property attachments

property attachments: list[Attachment]

All the attachments in the list will be sent to the case result by default.

Returns a list of Attachment objects representing the attachments for this case.

property case_insights

property case_insights: list[CaseInsight]

All the case insights in the list will be sent to the case result by default.

Returns a list of CaseInsight objects representing the insights for this case.

property contents

property contents: list[Content]

All the contents in the list will be sent to the case result by default.

Returns a list of Content objects representing the contents for this case.

property data_tables

property data_tables: list[DataTable]

All the data tables in the list will be sent to the case result by default.

Returns a list of DataTable objects representing the data tables for this case.

property entities_to_update

property entities_to_update: list[DomainEntityInfo]

All the entities in the list will be sent to be updated in the platform.

Returns a list of Entity objects representing the entities that should be updated in the case.

property entity_insights

property entity_insights: list[EntityInsight]

All the entity insights in the list will be sent to the case result by default.

Returns a list of EntityInsight objects representing the insights for this case.

property entity_types

property entity_types: list[EntityTypesEnum]

If the action works with entities, it only processes entities whose type is in the entity_types list. Otherwise, the action skips the entity.

Returns a list of EntityTypesEnum objects representing entity types the action can process.

property error_output_message

property error_output_message: str

The action output message in case of a failed run.

An output message that should appear in case of a failure during the action runtime. Default value is "Action {script_name} failed", with the action's script name substituted.

property execution_state

property execution_state: ExecutionState

The action's execution state—a status indicator represented by an integer to pass back to the platform.

Possible statuses are as follows:

  • ExecutionState.COMPLETED = 0
  • ExecutionState.IN_PROGRESS = 1
  • ExecutionState.FAILED = 2
  • ExecutionState.TIMED_OUT = 3

Returns the ExecutionState object representing the current execution state.

property html_reports

property html_reports: list[HTMLReport]

All the HTML reports in the list will be sent to the case result by default.

Returns a list of HTMLReport objects representing the HTML reports for this case.

property json_results

property json_results: Dict[str, Any] | List[Dict[str, Any]]

Returns the action's JSON result to be sent to the case wall.

property links

property links: list[Link]

All the links in the list will be sent to the case result by default.

Returns a list of Link objects representing the links for this case.

property logger

property logger: NewLineLogger

Returns the NewLineLogger object for actions.

property output_message

property output_message: str

The action's output message in case of a successful run.

A short descriptive message to pass back as the output message of the action.

property params

property params: [Container]

Returns the action's parameters descriptor—a Container object with the action parameters (in snake_case) as its attributes.

property result_value

property result_value: bool

The action's result value to be passed back to the platform.

Possible values:

  • True: Action Succeeded
  • False: Action Failed

run

run(**kwargs)

Runs the action execution: validates parameters, initializes managers, performs the action and reports the result back to the platform.

property script_name

property script_name: str

Returns the script name of the action as a str.

property soar_action

property soar_action: SiemplifyAction

Returns the SDK SiemplifyAction object.

class TIPCommon.base.action.base_enrich_action.EnrichAction

class TIPCommon.base.action.base_enrich_action.EnrichAction(script_name: str)

Bases: Action

Class that represents the entity enrichment action.

This class inherits from the TIPCommon.base.action.base_action.Action class.

Parameters

script_name str

The name of the script using this action.

Attributes

enrichment_data

This attribute holds the enrichment data for the current entity in each of the entity iterations. At the end of each iteration, the entity's additional_properties attribute is updated with self.enrichment_data, meaning that this value should be set every time with the new value.

Type: dict

entity_results Entity results that should appear in the JSON results under this specific object.

Type: Any

Abstract methods

_get_entity_types() Gets the type of entities the action runs on.
_perform_enrich_action() Perform the main enrichment logic on an entity.

Private methods

_perform_action()

This method combines the other abstract methods with more OOTB enrichment logic and passes it to the parent class to use in the run() method.

class TIPCommon.base.action.data_models.ActionParamType

class TIPCommon.base.action.data_models.ActionParamType(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

BOOLEAN= 1

CASE_PRIORITIES= 7

CLOSE_CASE_REASONS= 5

CLOSE_ROOT_CAUSE= 6

CODE= 20

CONTENT= 11

DDL= 15

EMAIL_CONTENT= 10

ENTITY_TYPE= 13

MULTI_VALUES= 14

NULL= -1

PASSWORD= 12

PLAYBOOK_NAME= 2

STAGE= 4

STRING= 0

USER= 3

class TIPCommon.base.action.data_models.Attachment

class TIPCommon.base.action.data_models.Attachment(filename: str, file_contents: bytes, title: str = 'Script Result Attachment', additional_data: dict | None = None)

Bases: object

An action script-result attachment.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

title The title of the attachment.

Type: str | None

filename The filename of the attachment.

Type: str

file_contents The content of the attachment file.

Type: bytes

additional_data Additional data.

Type: dict | None

class TIPCommon.base.action.data_models.CaseAttachment

class TIPCommon.base.action.data_models.CaseAttachment(attachment_id: int, attachment_type: str, description: str, is_favorite: bool)

Bases: object

A case attachment.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

attachment_id int

The attachment ID.

attachment_type str

The type of the attachment.

description str

The description of the attachment.

is_favorite bool

Indicates whether the attachment is marked as favorite.

class TIPCommon.base.action.data_models.CaseComment

class TIPCommon.base.action.data_models.CaseComment(comment: str, creator_user_id: str, comment_id: int, comment_type: int, case_id: int, is_favorite: bool, modification_time_unix_time_in_ms: int, creation_time_unix_time_in_ms: int, alert_identifier: str, creator_full_name: str | None = None, is_deleted: bool | None = None, last_editor: str | None = None, last_editor_full_name: str | None = None, modification_time_unix_time_in_ms_for_client: int | None = None, comment_for_client: str | None = None)

Bases: object

A case comment.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

comment str

The comment.

comment_for_client str | None

The comment for the client.

modification_time_unix_time_in_ms_for_client int

The modification time for the comment_for_client.

last_editor str

The ID of the last editor, such as 77bdb7a4-8484-481d-9482-2449e33f9518.

last_editor_full_name str

The full name of the last editor user, such as admin admin.

is_deleted bool

Indicates whether the comment is already deleted.

creator_user_id str

The creator user ID, such as 77bdb7a4-8484-481d-9482-2449e33f9518.

creator_full_name str

The creator's full name, such as System.

comment_id int

The ID of the comment.

comment_type int

The type of the comment.

case_id int

The ID of the case.

is_favorite bool

Indicates whether the comment is marked as favorite.

modification_time_unix_time_in_ms int

The comment's last modification time in Unix, such as 1686040471269.

creation_time_unix_time_in_ms int

The comment's creation time in Unix, such as 1686040471269.

alert_identifier str

The alert's identifier, such as SUSPICIOUS PHISHING EMAIL_83765943-9437-4771-96F6-BD0FB291384E.

class TIPCommon.base.action.data_models.CaseInsight

class TIPCommon.base.action.data_models.CaseInsight(triggered_by: str, title: str, content: str, severity: InsightSeverity, insight_type: InsightType, entity_identifier: str = '', additional_data: Any | None = None, additional_data_type: Any | None = None, additional_data_title: str | None = None)

Bases: object

A case insight.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

title str

The title of the insight.

triggered_by str

Integration name.

content str

The insight message.

severity InsightSeverity

Insight severity. Possible values are:

  • info
  • warning
  • error

insight_type InsightType

Insight type. Possible values are:

  • general
  • entity

entity_identifier str | None

The entity's identifier.

additional_data Any | None

Additional data.

additional_data_type Any | None

The type of additional data.

additional_data_title str | None

The title of additional data.

class TIPCommon.base.action.data_models.CasePriority

class TIPCommon.base.action.data_models.CasePriority(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

CRITICAL= 100

HIGH= 80

INFORMATIONAL= 0

LOW= 40

MEDIUM= 60

class TIPCommon.base.action.data_models.CaseStage

class TIPCommon.base.action.data_models.CaseStage(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

ASSESSMENT= 'Assessment'

IMPROVEMENT= 'Improvement'

INCIDENT= 'Incident'

INVESTIGATION= 'Investigation'

RESEARCH= 'Research'

TRIAGE= 'Triage'

class TIPCommon.base.action.data_models.CloseCaseOrAlertInconclusiveRootCauses

class TIPCommon.base.action.data_models.CloseCaseOrAlertInconclusiveRootCauses(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

NO_CLEAR_CONCLUSION= 'No clear conclusion'

class TIPCommon.base.action.data_models.CloseCaseOrAlertMaintenanceRootCauses

class TIPCommon.base.action.data_models.CloseCaseOrAlertMaintenanceRootCauses(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

LAB_TEST= 'Lab test'

OTHER= 'Other'

RULE_UNDER_CONSTRUCTION= 'Rule under construction'

class TIPCommon.base.action.data_models.CloseCaseOrAlertMaliciousRootCauses

class TIPCommon.base.action.data_models.CloseCaseOrAlertMaliciousRootCauses(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

EXTERNAL_ATTACK= 'External attack'

INFRASTRUCTURE_ISSUE= 'Infrastructure issue'

IRRELEVANT_TCP_UDP_PORT= 'Irrelevant TCP/UDP port'

MISCONFIGURED_SYSTEM= 'Misconfigured system'

OTHER= 'Other'

SIMILAR_CASE_IS_ALREADY_UNDER_INVESTIGATION= 'Similar case is already under investigation'

SYSTEM_APPLICATION_MALFUNCTION= 'System/application malfunction'

SYSTEM_CLOCKED_THE_ATTACK= 'System blocked the attack'

UNFORESEEN_EFFECTS_OF_CHANGE= 'Unforeseen effects of change'

UNKNOWN= 'Unknown'

class TIPCommon.base.action.data_models.CloseCaseOrAlertNotMaliciousRootCauses

class TIPCommon.base.action.data_models.CloseCaseOrAlertNotMaliciousRootCauses(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

EMPLOYEE_ERROR= 'Employee error'

HUMAN_ERROR= 'Human error'

LAB_TEST= 'Lab test'

LEGIT_ACTION= 'Legit action'

MISCONFIGURED_SYSTEM= 'Misconfigured system'

NONE= 'None'

NORMAL_BEHAVIOR= 'Normal behavior'

OTHER= 'Other'

PENETRATION_TEST= 'Penetration test'

RULE_UNDER_CONSTRUCTION= 'Rule under construction'

SIMILAR_CASE_IS_ALREADY_UNDER_INVESTIGATION= 'Similar case is already under investigation'

UNKNOWN= 'Unknown'

USER_MISTAKE= 'User mistake'

class TIPCommon.base.action.data_models.CloseCaseOrAlertReasons

class TIPCommon.base.action.data_models.CloseCaseOrAlertReasons(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

INCONCLUSIVE= 3

MAINTENANCE= 2

MALICIOUS= 0

NOT_MALICIOUS= 1

class TIPCommon.base.action.data_models.Content

class TIPCommon.base.action.data_models.Content(content: str, title: str = 'Script Result Content')

Bases: object

An action script-result content.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

title str | None

The title of the content.

content str

The content to add to the script results.

class TIPCommon.base.action.data_models.DataTable

class TIPCommon.base.action.data_models.DataTable(data_table: list[str], title: str = 'Script Result Data Table')

Bases: object

An action script-result data table.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

title str | None

The title of the table.

data_table list[str]

A list of CSV rows that construct the table.

class TIPCommon.base.action.data_models.EntityInsight

class TIPCommon.base.action.data_models.EntityInsight(entity: DomainEntityInfo, message: str, triggered_by: str | None = None, original_requesting_user: str | None = None)

Bases: object

An entity insight.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

entity Entity

The entity object.

message str

The insight's message.

triggered_by str | None

The integration's name.

original_requesting_user str | None

The original user.

class TIPCommon.base.action.data_models.EntityTypesEnum

class TIPCommon.base.action.data_models.EntityTypesEnum(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

ADDRESS = 'ADDRESS'

ALERT = 'ALERT'

APPLICATION = 'APPLICATION'

CHILD_HASH = 'CHILDHASH'

CHILD_PROCESS = 'CHILDPROCESS'

CLUSTER = 'CLUSTER'

CONTAINER = 'CONTAINER'

CREDIT_CARD = 'CREDITCARD'

CVE = 'CVE'

CVE_ID = 'CVEID'

DATABASE = 'DATABASE'

DEPLOYMENT = 'DEPLOYMENT'

DESTINATION_DOMAIN = 'DESTINATIONDOMAIN'

DOMAIN = 'DOMAIN'

EMAIL_MESSAGE = 'EMAILSUBJECT'

EVENT = 'EVENT'

FILE_HASH = 'FILEHASH'

FILE_NAME = 'FILENAME'

GENERIC = 'GENERICENTITY'

HOST_NAME = 'HOSTNAME'

IP_SET = 'IPSET'

MAC_ADDRESS = 'MacAddress'

PARENT_HASH = 'PARENTHASH'

PARENT_PROCESS = 'PARENTPROCESS'

PHONE_NUMBER = 'PHONENUMBER'

POD = 'POD'

PROCESS = 'PROCESS'

SERVICE = 'SERVICE'

SOURCE_DOMAIN = 'SOURCEDOMAIN'

THREAT_ACTOR = 'THREATACTOR'

THREAT_CAMPAIGN = 'THREATCAMPAIGN'

THREAT_SIGNATURE = 'THREATSIGNATURE'

URL = 'DestinationURL'

USB = 'USB'

USER = 'USERUNIQNAME'

class TIPCommon.base.action.data_models.ExecutionState

class TIPCommon.base.action.data_models.ExecutionState(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

COMPLETED = 0

FAILED = 2

IN_PROGRESS = 1

TIMED_OUT = 3

class TIPCommon.base.action.data_models.FullDetailsConfigurationParameter

class TIPCommon.base.action.data_models.FullDetailsConfigurationParameter(input_dict: dict[str, Any])

Bases: object

A general script parameter object.

Attributes

full_dict dict[str, Any]

Original dictionary received from API.

id int | None

ID of the parameter.

integration_identifier str

The integration identifier, such as VirusTotalV3.

creation_time int

Time when the parameter was created.

modification_time int

Time when the parameter was last modified.

is_mandatory bool

Indicates whether the parameter is mandatory or not.

description str | None

Parameter description.

name str

Parameter name.

display_name str

Parameter displayed name.

value Any

The default value of the parameter.

type IntegrationParamType

The type of the parameter.

optional_values list

Drop-down list (DDL) of optional values, used when the parameter type is DDL.

class TIPCommon.base.action.data_models.HTMLReport

class TIPCommon.base.action.data_models.HTMLReport(report_name: str, report_contents: str, title: str = 'Script Result HTML Report')

Bases: object

An action script-result HTML report.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

title str | None

The title of the report.

report_name str

The name of the report.

report_content str

The HTML content of the report.

class TIPCommon.base.action.data_models.IntegrationParamType

class TIPCommon.base.action.data_models.IntegrationParamType(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

BOOLEAN = 0

EMAIL = 8

INTEGER = 1

IP = 4

NULL = -1

PASSWORD = 3

STRING = 2

class TIPCommon.base.action.data_models.Link

class TIPCommon.base.action.data_models.Link(link: str, title: str = 'Script Result Link')

Bases: object

An action script-result link.

This class is immutable: after assigning values and creating the object, new values cannot be assigned to the attributes. The class supports hashing (stored in a set or as a dict key) and the == operator.

Attributes

title str | None

The title of the link.

link str

The link.
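The immutability and hashing guarantee stated above for Content, DataTable, EntityInsight, HTMLReport and Link, shown as an added example that is not TIPCommon's own code: frozen dataclass stand-ins for Link and Content (assumed to match the library's field-based equality) and a helper that relies on their hashability to drop duplicate script results before they are attached to an action.

```python
from dataclasses import FrozenInstanceError, dataclass


@dataclass(frozen=True)
class Link:
    # Stand-in for TIPCommon's Link (assumption: equality and hash over both fields).
    # frozen=True rejects attribute assignment and generates __eq__ and __hash__.
    link: str
    title: str = "Script Result Link"


@dataclass(frozen=True)
class Content:
    # Stand-in for TIPCommon's Content with the same frozen semantics.
    content: str
    title: str = "Script Result Content"


def dedupe_results(results):
    """Return the results with exact duplicates removed, first occurrence kept.

    Membership in `seen` needs hashable objects, which is why immutability
    matters here: a result that could change after insertion would corrupt
    the set's invariants.
    """
    seen = set()
    unique = []
    for result in results:
        if result not in seen:
            seen.add(result)
            unique.append(result)
    return unique


def is_immutable(obj) -> bool:
    """True if the object rejects attribute assignment after construction."""
    try:
        obj.title = "changed"
    except FrozenInstanceError:
        return True
    return False


# Constructed sample: enriching two entities from the same source yields the
# same report link twice and the same content twice.
SAMPLE = [
    Link("https://example.invalid/report/1", "Report"),
    Link("https://example.invalid/report/1", "Report"),
    Link("https://example.invalid/report/2", "Report"),
    Content("indicator seen 3 times"),
    Content("indicator seen 3 times"),
]
```

Running dedupe_results(SAMPLE) keeps three of the five results; is_immutable(SAMPLE[0]) confirms the frozen behaviour the page describes.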

class TIPCommon.base.action.data_models.ScriptParameter

class TIPCommon.base.action.data_models.ScriptParameter(input_dict: dict[str, Any])

Bases: object

A general script parameter object.

Attributes

full_dict dict[str, Any]

Original dictionary received from API.

id int | None

ID of the parameter.

creation_time int

Time when the parameter was created.

modification_time int

Time when the parameter was last modified.

custom_action_id int | None

The action ID.

is_mandatory bool

Indicates whether the parameter is mandatory or not.

default_value Any

The default value of the parameter.

This parameter is prioritized over the value parameter in playbooks.

description str | None

Parameter description.

name str | None

Parameter name.

value Any

The value of the parameter. This value is prioritized over the default_value parameter in manual actions.

type ActionParamType

The type of the parameter.

optional_values list

Drop-down list (DDL) of optional values, used when the parameter type is DDL.
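The parameter objects above (FullDetailsConfigurationParameter with its IntegrationParamType codes, and ScriptParameter with its value/default_value precedence) are built from an API dictionary. As an added example that is not TIPCommon's code, the following parser applies the type codes listed on this page to validate each value, enforces is_mandatory, resolves the stated precedence between value and default_value, and masks PASSWORD-typed values when rendering for logs. The dictionary keys (name, type, is_mandatory, value, default_value), the ParsedParameter class and the sample configuration are assumptions made for this example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Any


class IntegrationParamType(Enum):
    # Numeric codes exactly as listed on this page.
    NULL = -1
    BOOLEAN = 0
    INTEGER = 1
    STRING = 2
    PASSWORD = 3
    IP = 4
    EMAIL = 8


class ParameterError(ValueError):
    """A parameter dict that fails validation (missing mandatory value, bad type)."""


@dataclass(frozen=True)
class ParsedParameter:
    # Hypothetical result object for this example, not a TIPCommon class.
    name: str
    param_type: IntegrationParamType
    is_mandatory: bool
    value: Any  # effective value after precedence resolution and coercion

    def safe_repr(self) -> str:
        """Log-safe rendering: PASSWORD-typed values are masked, never echoed."""
        shown = "***" if self.param_type is IntegrationParamType.PASSWORD else repr(self.value)
        return f"{self.name}={shown}"


def resolve_raw_value(input_dict: dict[str, Any], is_manual_run: bool) -> Any:
    """Precedence as the page states for ScriptParameter: in manual actions
    'value' wins over 'default_value', in playbooks the reverse; a missing or
    None preferred side falls back to the other one."""
    order = ("value", "default_value") if is_manual_run else ("default_value", "value")
    for key in order:
        if input_dict.get(key) is not None:
            return input_dict[key]
    return None


def coerce(raw: Any, ptype: IntegrationParamType, name: str) -> Any:
    """Convert the raw API value to the type its code declares, rejecting junk."""
    if ptype is IntegrationParamType.BOOLEAN:
        if isinstance(raw, bool):
            return raw
        text = str(raw).strip().lower()
        if text in ("true", "1", "yes"):
            return True
        if text in ("false", "0", "no"):
            return False
        raise ParameterError(f"{name}: not a boolean: {raw!r}")
    if ptype is IntegrationParamType.INTEGER:
        try:
            return int(raw)
        except (TypeError, ValueError):
            raise ParameterError(f"{name}: not an integer: {raw!r}") from None
    if ptype is IntegrationParamType.IP:
        try:
            return str(ipaddress.ip_address(str(raw).strip()))
        except ValueError:
            raise ParameterError(f"{name}: not an IP address: {raw!r}") from None
    return raw  # STRING, PASSWORD, EMAIL and NULL are passed through unchanged


def parse_parameter(input_dict: dict[str, Any], is_manual_run: bool = False) -> ParsedParameter:
    """Build a ParsedParameter from one API dict (assumed keys: name, type,
    is_mandatory, value, default_value)."""
    name = input_dict.get("name")
    if not name:
        raise ParameterError("parameter without a name")
    try:
        ptype = IntegrationParamType(int(input_dict.get("type", -1)))
    except ValueError:
        raise ParameterError(f"{name}: unknown type code {input_dict.get('type')!r}") from None
    is_mandatory = bool(input_dict.get("is_mandatory", False))
    raw = resolve_raw_value(input_dict, is_manual_run)
    if raw is None or raw == "":
        if is_mandatory:
            raise ParameterError(f"{name}: mandatory parameter has no value")
        return ParsedParameter(name, ptype, is_mandatory, None)
    return ParsedParameter(name, ptype, is_mandatory, coerce(raw, ptype, name))


def parse_all(dicts, is_manual_run: bool = False):
    """Parse every dict, collecting errors instead of stopping at the first."""
    ok, errors = [], []
    for d in dicts:
        try:
            ok.append(parse_parameter(d, is_manual_run))
        except ParameterError as exc:
            errors.append(str(exc))
    return ok, errors


# Constructed sample configuration; none of these are a real integration's values.
SAMPLE_CONFIG = [
    {"name": "API Root", "type": 2, "is_mandatory": True, "value": "https://example.invalid"},
    {"name": "API Key", "type": 3, "is_mandatory": True, "value": "constructed-secret"},
    {"name": "Verify SSL", "type": 0, "is_mandatory": False, "value": "true"},
    {"name": "Timeout", "type": 1, "is_mandatory": False, "default_value": "30"},
    {"name": "Proxy IP", "type": 4, "is_mandatory": False, "value": "10.0.0.300"},
]
```

parse_all(SAMPLE_CONFIG) returns four parsed parameters and one error for the malformed proxy address; joining p.safe_repr() over the parsed list gives a line that can go to the logger without leaking the API key.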

class TIPCommon.base.job.base_job.Job

class TIPCommon.base.job.base_job.Job(script_name)

Bases: ABC

A class that represents a Job script in Google Security Operations SOAR.

Attributes

soar_job The SDK SiemplifyJob object.
script_name Name of the job script.
job_start_time Unix time that indicates when the job started.
logger A logger from the soar_job object.
params A descriptor that contains the parameters of the job.
error_msg The error message to display in a case of a script failure.

property error_msg: str

property job_start_time: int

property logger: NewLineLogger

property params: Container

property script_name: str

property soar_job: SiemplifyJob

start(**kwargs)

class TIPCommon.base.job.data_models.JobParameter

class TIPCommon.base.job.data_models.JobParameter(input_dict: Dict[str, Any])

Bases: object

A general script parameter object.

Attributes

full_dict dict[str, Any]

Original dictionary received from API.

id int | None

ID of the parameter.

is_mandatory bool

Indicates whether the parameter is mandatory or not.

name str | None

Parameter name.

value Any

The default value of the parameter. This value is prioritized over the default_value parameter in manual actions.

type ActionParamType

The type of the parameter.