# Siemplify

## Release Notes

| Version | Date | Notes |
| ------- | ---- | ----- |
| 1.0.0 | 02/2022 | Initial Release |
## Overview

Siemplify App for IBM QRadar SOAR (SOAR)

Bi-directional synchronization of Siemplify cases with SOAR incidents. Other Siemplify case components synchronized are:

* SOAR comments to Siemplify case insights
* SOAR attachments
* SOAR case tasks
* Siemplify closed cases will update IBM SOAR incidents

## Key Features

* Sync SOAR incidents (including notes, artifacts, and attachments) with Siemplify cases
* Sync Siemplify case close events with SOAR incidents
* Sync Siemplify case changes with existing SOAR incidents
* Flexible templates that can be modified for your environment
* Get entities from the Block or Custom list
* Add entities to the Block or Custom list
* Add Playbooks to a Case
## Requirements

This app supports the IBM QRadar SOAR Platform and the IBM Cloud Pak for Security.

### SOAR platform

The SOAR platform supports two app deployment mechanisms, App Host and integration server.

If deploying to a SOAR platform with an App Host, the requirements are:

* SOAR platform >= 41.2.51.
* The app is in a container-based format (available from the AppExchange as a zip file).

If deploying to a SOAR platform with an integration server, the requirements are:

* SOAR platform >= 41.2.51.
* The app is in the older integration format (available from the AppExchange as a zip file which contains a tar.gz file).
* Integration server is running resilient-circuits>=43.0.0.
* If using an API key account, make sure the account provides the following minimum permissions:

| Name | Permissions |
| ---- | ----------- |
| Org Data | Read |
| Function | Read |
| Incident | Read all, edit fields, edit status |
| Incident | Create |

The following SOAR platform guides provide additional information:

* App Host Deployment Guide: provides installation, configuration, and troubleshooting information, including proxy server settings.
* Integration Server Guide: provides installation, configuration, and troubleshooting information, including proxy server settings.
* System Administrator Guide: provides the procedure to install, configure and deploy apps.

The above guides are available on the IBM Knowledge Center at ibm.biz/soar-docs. On this web page, select your SOAR platform version. On the follow-on page, you can find the App Host Deployment Guide or Integration Server Guide by expanding SOAR Apps in the Table of Contents pane. The System Administrator Guide is available by expanding System Administrator.
### Cloud Pak for Security

If you are deploying to IBM Cloud Pak for Security, the requirements are:

* IBM Cloud Pak for Security >= 1.4.
* Cloud Pak is configured with an App Host.
* The app is in a container-based format (available from the AppExchange as a zip file).

The following Cloud Pak guides provide additional information:

* App Host Deployment Guide: provides installation, configuration, and troubleshooting information, including proxy server settings. From the Table of Contents, select Case Management and Orchestration & Automation > Orchestration and Automation Apps.
* System Administrator Guide: provides information to install, configure, and deploy apps. From the IBM Cloud Pak for Security Knowledge Center table of contents, select Case Management and Orchestration & Automation > System administrator.

These guides are available on the IBM Knowledge Center at ibm.biz/cp4s-docs. From this web page, select your IBM Cloud Pak for Security version. From the version-specific Knowledge Center page, select Case Management and Orchestration & Automation.

### Proxy Server

The app does support a proxy server.

### Python Environment

Python 3.6 is supported. Additional package dependencies may exist for each of these packages:

* jinja2
* pytz
* resilient-circuits>=43.0.0
* simplejson
## Endpoint Developed With Siemplify

This app has been tested using:

| Product Name | Product Version | API URL | API Version |
| ------------ | --------------- | ------- | ----------- |
| Siemplify | 5.6.x | https://<siemplify_host>/api/external/v1 | v1 |

## Configuration

Generate a Siemplify API key for use with IBM SOAR. This value will be used with the app.config `api_key` setting.
## Installation

### Install

To install or uninstall an App or Integration on the Resilient platform, see the documentation at ibm.biz/soar-docs.

To install or uninstall an App on IBM Cloud Pak for Security, see the documentation at ibm.biz/cp4s-docs and follow the instructions above to navigate to Orchestration and Automation.

### App Configuration

The following table provides the settings you need to configure the app. These settings are made in the app.config file. See the documentation discussed in the Requirements section for the procedure.

| Config | Required | Example | Description |
| ------ | -------- | ------- | ----------- |
| `base_url` | Yes | | Base URL for your Siemplify server |
| `api_key` | Yes | | API key generated from Siemplify |
| `cafile` | Yes | `false` \| `/path/to/siemplify.cert` | Path to the Siemplify server certificate file, or `false` to disable certificate verification |
| `polling_interval` | No | | Seconds to wait between polling intervals. 0 disables the poller, which also disables the ability to close an IBM SOAR incident when the Siemplify case closes. |
| `polling_lookback` | No | | Minutes to look back for closed cases the first time the poller runs |
| `poller_timezone` | No | | Timezone adjustment for Siemplify timestamp comparison |
| `default_environment` | No | | Siemplify environment to use when creating cases and entities if none is specifically referenced |
| `siemplify_create_case_template` | No | | Use when overriding the default template |
| `soar_close_case_template` | No | | Use when overriding the default template |
| `soar_update_case_template` | No | | Use when overriding the default template |
| `artifact_type_lookup` | No | | Use to specify an override JSON file with a mapping between SOAR artifact types and Siemplify entities |
| `playbook_mappings` | No | | Lookup key/value pairs to map a SOAR incident type to Siemplify playbook(s) |
## Custom Layouts

Import the Data Tables and Custom Fields in a tab like the screenshot below:
## Function - Siemplify Sync Task

Sync a SOAR Task to Siemplify

Inputs:

| Name | Type | Required | Example | Tooltip |
| ---- | ---- | -------- | ------- | ------- |
| `siemplify_case_id` | | No | | Siemplify case Id stored with the SOAR incident |
| `siemplify_soar_task_id` | | No | | SOAR incident task id |
| `siemplify_task_assignee` | | No | | Name of Siemplify assignee for the task |

Outputs:

```python
results = {
    'version': 2.0,
    'success': True,
    'reason': None,
    'content': {
        'status': 0,
        'priority': 0,
        'name': 'IBM SOAR: Investigate Malware',
        'owner': '@Administrator',
        'completor': None,
        'completionComment': None,
        'completionDateTimeUnixTimeInMs': None,
        'dueDateUnixTimeInMs': None,
        'creatorUserId': 'Siemplify automation',
        'id': 19,
        'type': 2,
        'caseId': 60,
        'isFavorite': False,
        'modificationTimeUnixTimeInMs': 1641570964725,
        'creationTimeUnixTimeInMs': 1641570964725,
        'alertIdentifier': None
    },
    'raw': None,
    'inputs': {
        'siemplify_task_assignee': '@Administrator',
        'siemplify_soar_task_id': 802,
        'siemplify_case_id': 60
    },
    'metrics': {
        'version': '1.0',
        'package': 'fn-siemplify',
        'package_version': '1.0.0',
        'host': 'localhost',
        'execution_time_ms': 551,
        'timestamp': '2022-01-07 10:56:04'
    }
}
```

Example Pre-Process Script:

```python
inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_soar_task_id = task.id
inputs.siemplify_task_assignee = "@Administrator"
```

Example Post-Process Script:

```python
if results.success:
    task.addNote("Siemplify Sync Task: {}".format(task.name))
else:
    task.addNote("Siemplify Sync Task: {} failed: {}".format(task.name, results.reason))
```
## Function - Siemplify Sync Attachment

Create a Siemplify Attachment from a SOAR Case Attachment

Inputs:

| Name | Type | Required | Example | Tooltip |
| ---- | ---- | -------- | ------- | ------- |
| `siemplify_alert_id` | | Yes | | Siemplify alert id saved in the SOAR incident |
| `siemplify_attachment_id` | | Yes | | SOAR incident attachment id |
| `siemplify_case_id` | | Yes | | Siemplify case id saved in the SOAR incident |
| `siemplify_incident_id` | | Yes | | SOAR incident id |

Outputs:

```python
results = {
    'version': 2.0,
    'success': True,
    'reason': None,
    'content': {
        'evidenceName': 'app-rc_data_feed_plugin_odbcfeed-1',
        'description': 'created by IBM SOAR',
        'evidenceThumbnailBase64': '',
        'evidenceId': 12,
        'fileType': '.0.5.zip',
        'creatorUserId': 'Siemplify automation',
        'id': 12,
        'type': 4,
        'caseId': 60,
        'isFavorite': False,
        'modificationTimeUnixTimeInMs': 1641571089125,
        'creationTimeUnixTimeInMs': 1641571089125,
        'alertIdentifier': None
    },
    'raw': None,
    'inputs': {
        'siemplify_incident_id': 2145,
        'siemplify_alert_id': 'IBM SOAR Alert 2145_f48baf55-3618-4cf4-b2b5-d3b974d71785',
        'siemplify_case_id': 60,
        'siemplify_attachment_id': 15
    },
    'metrics': {
        'version': '1.0',
        'package': 'fn-siemplify',
        'package_version': '1.0.0',
        'host': 'localhost',
        'execution_time_ms': 781,
        'timestamp': '2022-01-07 10:58:09'
    }
}
```

Example Pre-Process Script:

```python
inputs.siemplify_alert_id = incident.properties.siemplify_alert_id
inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_incident_id = incident.id
inputs.siemplify_attachment_id = attachment.id
```

Example Post-Process Script:

```python
if results.success:
    incident.addNote("Siemplify Sync Attachment: {} created".format(attachment.name))
else:
    incident.addNote("Siemplify Sync Attachment: {} failed. Reason: {}".format(attachment.name, results.reason))
```
## Function - Siemplify Sync Case

Sync a SOAR Case to Siemplify

Inputs:

| Name | Type | Required | Example | Tooltip |
| ---- | ---- | -------- | ------- | ------- |
| `siemplify_alert_id` | | Yes | | Siemplify alert id saved in the SOAR incident |
| `siemplify_assigned_user` | | No | | Set Assigned User. Default is none. |
| `siemplify_case_id` | | Yes | | Siemplify case id saved in the SOAR incident |
| `siemplify_environment` | | No | | Set environment. See app.config setting for default |
| `siemplify_incident_id` | | Yes | | SOAR incident Id |
| `siemplify_sync_artifacts` | | No | `true` \| `false` | |
| `siemplify_sync_attachments` | | No | `true` \| `false` | |
| `siemplify_sync_comments` | | No | `true` \| `false` | |

Outputs:

```python
results = {
    'version': 2.0,
    'success': True,
    'reason': None,
    'content': {
        'wallData': [
            {
                'comment': 'Case creation reason: IBM SOAR Incident 2145',
                'creatorUserId': 'Siemplify automation',
                'id': 63,
                'type': 7,
                'caseId': 63,
                'isFavorite': False,
                'modificationTimeUnixTimeInMs': 1641571162242,
                'creationTimeUnixTimeInMs': 1641571162242,
                'alertIdentifier': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b'
            },
            {
                'comment': 'Playbook SentinelOne Threat Remediation attached to case.',
                'creatorUserId': 'Siemplify automation',
                'id': 36,
                'type': 5,
                'caseId': 63,
                'isFavorite': False,
                'modificationTimeUnixTimeInMs': 1641571162382,
                'creationTimeUnixTimeInMs': 1641571162382,
                'alertIdentifier': None
            }
        ],
        'alerts': [
            {
                'ticketId': '',
                'identifier': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b',
                'hasWorkflows': True,
                'workflowsStatus': 1,
                'sourceSystemName': '',
                'securityEventCards': [
                    {
                        'caseId': 63,
                        'eventId': None,
                        'alertIdentifier': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b',
                        'eventName': None,
                        'product': None,
                        'sources': [],
                        'destinations': [],
                        'artificats': [],
                        'port': None,
                        'outcome': None,
                        'time': '2022-01-05T17:52:10Z',
                        'deviceEventClassId': None,
                        'fields': []
                    }
                ],
                'entityCards': [],
                'productFamilies': [
                    'Default'
                ],
                'fields': [
                    {
                        'isHighlight': True,
                        'groupName': 'HIGHLIGHTED FIELDS',
                        'items': [
                            {
                                'originalName': 'AlertName',
                                'name': 'Alert Name',
                                'value': 'IBM SOAR Alert 2145'
                            },
                            {
                                'originalName': 'EndTime',
                                'name': 'End Time',
                                'value': '1641405130000'
                            },
                            {
                                'originalName': 'StartTime',
                                'name': 'Start Time',
                                'value': '1641405130000'
                            }
                        ]
                    },
                    {
                        'isHighlight': False,
                        'groupName': 'Time',
                        'items': [
                            {
                                'originalName': 'DetectionTime',
                                'name': 'Detection Time',
                                'value': '1641405130000'
                            },
                            {
                                'originalName': 'EndTime',
                                'name': 'End Time',
                                'value': '1641405130000'
                            },
                            {
                                'originalName': 'StartTime',
                                'name': 'Start Time',
                                'value': '1641405130000'
                            }
                        ]
                    },
                    {
                        'isHighlight': False,
                        'groupName': 'Case',
                        'items': [
                            {
                                'originalName': 'AlertName',
                                'name': 'Alert Name',
                                'value': 'IBM SOAR Alert 2145'
                            },
                            {
                                'originalName': 'RuleGenerator',
                                'name': 'Rule Generator',
                                'value': 'Manual Case'
                            }
                        ]
                    },
                    {
                        'isHighlight': False,
                        'groupName': 'Default',
                        'items': [
                            {
                                'originalName': 'AlertGroupIdentifier',
                                'name': 'AlertGroupIdentifier',
                                'value': 'Manual Case_af8ee1c9-97de-4e45-a1a7-cb9926a8096d'
                            },
                            {
                                'originalName': 'IsManualAlert',
                                'name': 'IsManualAlert',
                                'value': 'True'
                            }
                        ]
                    },
                    {
                        'isHighlight': False,
                        'groupName': 'Threat',
                        'items': [
                            {
                                'originalName': 'Priority',
                                'name': 'Priority',
                                'value': 'Unchanged'
                            }
                        ]
                    }
                ],
                'name': 'IBM SOAR Alert 2145',
                'product': None,
                'startTimeUnixTimeInMs': 1641405130000,
                'apiSlaExpiration': {
                    'slaExpirationTime': None,
                    'criticalExpirationTime': None,
                    'expirationStatus': 2
                },
                'isManualAlert': True,
                'priority': 0,
                'id': 0,
                'creationTimeUnixTimeInMs': 0,
                'modificationTimeUnixTimeInMs': 0,
                'additionalProperties': {
                    'identifier': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b',
                    'detectionTime': '1641405130000',
                    'alertName': 'IBM SOAR Alert 2145',
                    'ruleGenerator': 'Manual Case',
                    'alertGroupIdentifier': 'Manual Case_af8ee1c9-97de-4e45-a1a7-cb9926a8096d',
                    'isManualAlert': 'True',
                    'priority': 'Unchanged',
                    'endTime': '1641405130000',
                    'startTime': '1641405130000'
                }
            }
        ],
        'caseRecommendations': {
            'similarCases': [
                {
                    'id': 60,
                    'title': 'IBM SOAR - default playbook',
                    'caseRecommendationOutcomeStatus': 0,
                    'priority': '50',
                    'creationTime': '2022-01-05T17:52:28.652Z',
                    'scorePercent': 100,
                    'isClosed': False,
                    'closedRootCause': None,
                    'closedComment': None
                }
            ],
            'relevantAnalysts': [
                'Admin'
            ],
            'relevantTags': []
        },
        'tags': [
            {
                'caseId': 63,
                'tag': 'IBMSOAR',
                'priority': 0
            },
            {
                'caseId': 63,
                'tag': 'Manual Case',
                'priority': 0
            }
        ],
        'insights': [],
        'productFamilies': [],
        'summary': {
            'fields': []
        },
        'entityCards': [],
        'entities': [],
        'description': None,
        'canOpenIncident': False,
        'hasIncident': False,
        'title': 'IBM SOAR - default playbook',
        'isTouched': False,
        'hasSuspiciousEntity': False,
        'isMerged': False,
        'isImportant': True,
        'isIncident': False,
        'hasWorkflow': True,
        'environment': 'Default Environment',
        'priority': 50,
        'stage': 'Triage',
        'assignedUserName': '@Administrator',
        'apiSlaExpiration': {
            'slaExpirationTime': None,
            'criticalExpirationTime': None,
            'expirationStatus': 2
        },
        'apiStageSlaExpiration': {
            'slaExpirationTime': None,
            'criticalExpirationTime': None,
            'expirationStatus': 2
        },
        'status': 1,
        'isTestCase': False,
        'caseSource': 'User',
        'isOverflowCase': False,
        'id': 63,
        'creationTimeUnixTimeInMs': 1641571162101,
        'modificationTimeUnixTimeInMs': 1641571162183,
        'additionalProperties': {},
        'siemplify_case_url': 'https://9.55.194.8/#/main/cases/classic-view/63'
    },
    'raw': None,
    'inputs': {
        'siemplify_incident_id': 2145,
        'siemplify_sync_attachments': True,
        'siemplify_assigned_user': '@Administrator',
        'siemplify_environment': 'Default Environment',
        'siemplify_alert_id': 'IBM SOAR Alert 2145_f48baf55-3618-4cf4-b2b5-d3b974d71785',
        'siemplify_sync_comments': True,
        'siemplify_sync_artifacts': True,
        'siemplify_case_id': 60
    },
    'metrics': {
        'version': '1.0',
        'package': 'fn-siemplify',
        'package_version': '1.0.0',
        'host': 'localhost',
        'execution_time_ms': 2809,
        'timestamp': '2022-01-07 10:59:24'
    }
}
```

Example Pre-Process Script:

```python
inputs.siemplify_incident_id = incident.id
inputs.siemplify_assigned_user = None
inputs.siemplify_environment = None
inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_alert_id = incident.properties.siemplify_alert_id
```

Example Post-Process Script:

```python
PRIORITY_LOOKUP = {-1: "Informational", 40: "Low", 50: "Medium", 60: "Medium", 80: "High", 100: "Critical", "DEFAULT": "Medium"}
if results.success:
    case = results.content
    if not incident.properties.siemplify_case_id:
        # first sync: record the new Siemplify case and alert identifiers on the incident
        incident.addNote("Siemplify Sync Case {} created".format(case.get('id')))
        incident.properties.siemplify_case_id = case.get('id')
        incident.properties.siemplify_case_link = helper.createRichText("<a target='blank' href='{}'>{}</a>".format(case.get('siemplify_case_url'), case.get('title')))
        if case.get('alerts'):
            incident.properties.siemplify_alert_id = case['alerts'][0]['identifier']
    else:
        incident.addNote("Siemplify Sync Case {} synchronized".format(case.get('id')))
    # always update these fields
    incident.properties.siemplify_assignee = case.get('assignedUserName')
    incident.properties.siemplify_environment = case.get('environment')
    incident.properties.siemplify_is_important = case.get('isImportant')
    incident.properties.siemplify_priority = PRIORITY_LOOKUP.get(case.get("priority", "DEFAULT"), str(case.get("priority")))
    incident.properties.siemplify_stage = case.get('stage')
    incident.properties.siemplify_tags = ", ".join([tag.get('tag') for tag in case.get('tags', [])])
else:
    incident.addNote("Siemplify Sync Case failed: {}".format(str(results.content)))
```
## Function - Siemplify Sync Artifact

Sync a SOAR Incident artifact to a Siemplify case alert and entity

Inputs:

| Name | Type | Required | Example | Tooltip |
| ---- | ---- | -------- | ------- | ------- |
| `siemplify_alert_id` | | No | | Siemplify alert id saved in the SOAR incident |
| `siemplify_artifact_id` | | Yes | | - |
| `siemplify_artifact_type` | | Yes | | - |
| `siemplify_artifact_value` | | Yes | | - |
| `siemplify_case_id` | | No | | Siemplify case id saved in the SOAR incident |
| `siemplify_environment` | | No | | Set environment. See app.config setting for default |

Outputs:

```python
results = {
    'version': 2.0,
    'success': True,
    'reason': None,
    'content': {},
    'raw': None,
    'inputs': {
        'siemplify_artifact_type': 'IP Address',
        'siemplify_alert_id': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b',
        'siemplify_environment': None,
        'siemplify_artifact_id': 200,
        'siemplify_artifact_value': '121.24.56.9',
        'siemplify_case_id': 63
    },
    'metrics': {
        'version': '1.0',
        'package': 'fn-siemplify',
        'package_version': '1.0.0',
        'host': 'localhost',
        'execution_time_ms': 597,
        'timestamp': '2022-01-07 11:02:05'
    }
}
```

Example Pre-Process Script:

```python
inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_alert_id = incident.properties.siemplify_alert_id
inputs.siemplify_artifact_type = artifact.type
inputs.siemplify_artifact_value = artifact.value
inputs.siemplify_environment = None
inputs.siemplify_artifact_id = artifact.id
```

Example Post-Process Script:

```python
if results.success:
    incident.addNote("Siemplify Sync Artifact: {} ({}) created".format(artifact.value, artifact.type))
else:
    incident.addNote("Siemplify Sync Artifact: {} ({}) failed".format(artifact.value, artifact.type))
```
## Function - Siemplify Sync Comment

Create a Siemplify Case comment

Inputs:

| Name | Type | Required | Example | Tooltip |
| ---- | ---- | -------- | ------- | ------- |
| `siemplify_alert_id` | | No | | Siemplify alert id saved in the SOAR incident |
| `siemplify_case_id` | | No | | Siemplify case id saved in the SOAR incident |
| `siemplify_comment` | | No | | - |

Outputs:

```python
results = {
    'version': 2.0,
    'success': True,
    'reason': None,
    'content': {},
    'raw': None,
    'inputs': {
        'siemplify_alert_id': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b',
        'siemplify_comment': '<div class="rte"><div>Issue appears to be malicious</div></div>',
        'siemplify_case_id': 63
    },
    'metrics': {
        'version': '1.0',
        'package': 'fn-siemplify',
        'package_version': '1.0.0',
        'host': 'localhost',
        'execution_time_ms': 365,
        'timestamp': '2022-01-07 11:06:17'
    }
}
```

Example Pre-Process Script:

```python
inputs.siemplify_alert_id = incident.properties.siemplify_alert_id
inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_comment = note.text.content
```

Example Post-Process Script:

```python
if results.success:
    note.text = "<b>Siemplify Sync complete</b><br>" + note.text.content
else:
    incident.addNote(helper.createRichText("Siemplify Sync for note failed. Reason: {}".format(results.reason)))
```
## Function - Siemplify Close Case

Close a Siemplify Case

Inputs:

| Name | Type | Required | Example | Tooltip |
| ---- | ---- | -------- | ------- | ------- |
| `siemplify_alert_id` | | Yes | | Siemplify alert id saved in the SOAR incident |
| `siemplify_case_id` | | Yes | | Siemplify case id saved in the SOAR incident |
| | | No | | Added as the Siemplify close comment |
| `siemplify_reason` | | Yes | | Added as the Siemplify close reason |
| `siemplify_root_cause` | | Yes | | Added as the Siemplify root cause |

Outputs:

```python
results = {
    'version': 2.0,
    'success': True,
    'reason': None,
    'content': {
        'close_case': True
    },
    'raw': None,
    'inputs': {
        'siemplify_root_cause': '<div class="rte"><div>Threat mitigated</div></div>',
        'siemplify_alert_id': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b',
        'siemplify_reason': 'Inconclusive',
        'siemplify_case_id': 63
    },
    'metrics': {
        'version': '1.0',
        'package': 'fn-siemplify',
        'package_version': '1.0.0',
        'host': 'localhost',
        'execution_time_ms': 488,
        'timestamp': '2022-01-07 11:07:58'
    }
}
```

Example Pre-Process Script:

```python
# change as necessary. Valid Siemplify values are: Malicious, Non Malicious, Maintenance, Inconclusive
LOOKUP_STATUS = {
    "7": "Inconclusive",    # Unresolved
    "8": "Inconclusive",    # Duplicate
    "9": "Non Malicious",   # Not an Issue
    "10": "Malicious"       # Resolved
}
inputs.siemplify_alert_id = incident.properties.siemplify_alert_id
inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_root_cause = incident.resolution_summary.content
inputs.siemplify_reason = LOOKUP_STATUS.get(str(incident.resolution_id), 'Inconclusive')
```

Example Post-Process Script:

```python
if results.success:
    note = "Siemplify Sync case {} closed".format(incident.properties.siemplify_case_id)
else:
    note = "Siemplify Sync case {} failed to close: {}".format(incident.properties.siemplify_case_id, results.reason)
incident.addNote(helper.createPlainText(note))
```
## Function - Siemplify Add Playbook

Add a Playbook to a Siemplify Case, optionally running it automatically

Inputs:

| Name | Type | Required | Example | Tooltip |
| ---- | ---- | -------- | ------- | ------- |
| `siemplify_alert_id` | | Yes | | Siemplify alert id saved in the SOAR incident |
| `siemplify_case_id` | | Yes | | Siemplify case id saved in the SOAR incident |
| `siemplify_playbook_name` | | Yes | | Name of Playbook to add |
| `siemplify_run_playbook_automatically` | | Yes | `True` \| `False` | |

Outputs:

```python
results = {
    'version': 2.0,
    'success': True,
    'reason': None,
    'content': {
        'success': True
    },
    'raw': None,
    'inputs': {
        'siemplify_run_playbook_automatically': True,
        'siemplify_alert_id': 'IBM SOAR Alert 3834_64215769-ecb2-4fd7-bfb9-e6ca81c7a869',
        'siemplify_playbook_name': 'SentinelOne Threat Remediation',
        'siemplify_case_id': 171
    },
    'metrics': {
        'version': '1.0',
        'package': 'fn-siemplify',
        'package_version': '1.0.0',
        'host': 'localhost',
        'execution_time_ms': 312,
        'timestamp': '2022-03-31 17:31:39'
    }
}
```

Example Pre-Process Script:

```python
inputs.siemplify_alert_id = incident.properties.siemplify_alert_id
inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_playbook_name = rule.properties.siemplify_playbook_name
inputs.siemplify_run_playbook_automatically = rule.properties.siemplify_run_playbook_automatically
```

Example Post-Process Script:

```python
if results.success:
    incident.addNote("Siemplify Add Playbook: '{}' created".format(rule.properties.siemplify_playbook_name))
else:
    incident.addNote("Siemplify Add Playbook: '{}' failed: {}".format(rule.properties.siemplify_playbook_name, results.reason))
```
## Function - Siemplify: Add/Update Entity to Blocklist

Add an artifact to the Siemplify Blacklist

Inputs:

| Name | Type | Required | Example | Tooltip |
| ---- | ---- | -------- | ------- | ------- |
| `siemplify_artifact_type` | | No | | - |
| `siemplify_artifact_value` | | No | | - |
| `siemplify_environment` | | No | | Set environment. See app.config setting for default |

Outputs:

```python
results = {
    'version': 2.0,
    'success': True,
    'reason': None,
    'content': {
        'entityIdentifier': 'malicious.exe',
        'entityType': 'FILENAME',
        'scope': 2,
        'environments': [
            'Default Environment'
        ]
    },
    'raw': None,
    'inputs': {
        'siemplify_artifact_type': 'File Name',
        'siemplify_environment': None,
        'siemplify_artifact_value': 'malicious.exe'
    },
    'metrics': {
        'version': '1.0',
        'package': 'fn-siemplify',
        'package_version': '1.0.0',
        'host': 'localhost',
        'execution_time_ms': 582,
        'timestamp': '2022-01-07 11:26:32'
    }
}
```

Example Pre-Process Script:

```python
inputs.siemplify_artifact_type = artifact.type
inputs.siemplify_artifact_value = artifact.value
inputs.siemplify_environment = rule.properties.siemplify_environments
```

Example Post-Process Script:

```python
from java.util import Date
current_dt = Date().getTime()
if results.success:
    entity = results.content
    # record the new blocklist entry in the Siemplify List Entries data table
    row = incident.addRow('siemplify_list_entries')
    row['report_date'] = current_dt
    row['list_name'] = 'Block List'
    row['entity'] = entity['entityIdentifier']
    row['entity_type'] = entity['entityType']
    row['environments'] = ", ".join(entity['environments'])
    incident.addNote("Siemplify Add/Update Blocklist successful for: {} ({})".format(artifact.value, artifact.type))
else:
    incident.addNote("Siemplify Add/Update Blocklist Entity failed: {}".format(results.reason))
```
## Function - Siemplify Add/Update Entity to Custom List

Add an artifact to the Siemplify custom list

Inputs:

| Name | Type | Required | Example | Tooltip |
| ---- | ---- | -------- | ------- | ------- |
| `siemplify_artifact_type` | | No | | - |
| `siemplify_artifact_value` | | No | | - |
| `siemplify_category` | | No | | If left empty, the artifact type is used |
| `siemplify_environment` | | No | | Set environment. See app.config setting for default |

Outputs:

```python
results = {
    'version': 2.0,
    'success': True,
    'reason': None,
    'content': {
        'entityIdentifier': 'malicious.exe',
        'category': 'Malicious Category',
        'environments': [
            'Default Environment'
        ]
    },
    'raw': None,
    'inputs': {
        'siemplify_artifact_type': 'File Name',
        'siemplify_environment': None,
        'siemplify_category': 'Malicious Category',
        'siemplify_artifact_value': 'malicious.exe'
    },
    'metrics': {
        'version': '1.0',
        'package': 'fn-siemplify',
        'package_version': '1.0.0',
        'host': 'localhost',
        'execution_time_ms': 293,
        'timestamp': '2022-01-07 11:25:35'
    }
}
```

Example Pre-Process Script:

```python
inputs.siemplify_artifact_type = artifact.type
inputs.siemplify_artifact_value = artifact.value
inputs.siemplify_category = rule.properties.siemplify_list_category
inputs.siemplify_environment = rule.properties.siemplify_environments
```

Example Post-Process Script:

```python
from java.util import Date
current_dt = Date().getTime()
if results.success:
    entity = results.content
    # record the new custom list entry in the Siemplify List Entries data table
    row = incident.addRow('siemplify_list_entries')
    row['report_date'] = current_dt
    row['list_name'] = 'Custom List'
    row['entity'] = entity['entityIdentifier']
    row['entity_type'] = entity['category']
    row['environments'] = ", ".join(entity['environments'])
    incident.addNote("Siemplify Add/Update Custom List successful for: {} ({})".format(artifact.value, artifact.type))
else:
    incident.addNote("Siemplify Add/Update Custom List Entity failed: {}".format(results.reason))
```
## Function - Siemplify Get Custom List Entities

Get entities from Siemplify's custom list

Inputs:

| Name | Type | Required | Example | Tooltip |
| ---- | ---- | -------- | ------- | ------- |
| `siemplify_limit` | | No | | Limit the results returned |
| `siemplify_search` | | No | | Filter results based on a search entry |

Outputs:

```python
results = {
    'version': 2.0,
    'success': True,
    'reason': None,
    'content': [
        {
            'entityIdentifier': 'soar_list',
            'category': 'soar_category',
            'forDBMigration': False,
            'environments': [
                'Default Environment'
            ],
            'id': 1,
            'creationTimeUnixTimeInMs': 1638827701814,
            'modificationTimeUnixTimeInMs': 1638827701814
        },
        {
            'entityIdentifier': 'soar2_list',
            'category': 'soar_category',
            'forDBMigration': False,
            'environments': [
                'Default Environment'
            ],
            'id': 2,
            'creationTimeUnixTimeInMs': 1641490099338,
            'modificationTimeUnixTimeInMs': 1641490099338
        }
    ],
    'raw': None,
    'inputs': {
        'siemplify_search': None,
        'siemplify_limit': 100
    },
    'metrics': {
        'version': '1.0',
        'package': 'fn-siemplify',
        'package_version': '1.0.0',
        'host': 'localhost',
        'execution_time_ms': 325,
        'timestamp': '2022-01-07 11:21:31'
    }
}
```

Example Pre-Process Script:

```python
inputs.siemplify_limit = rule.properties.siemplify_limit_result if rule.properties.siemplify_limit_result else 100
inputs.siemplify_search = rule.properties.siemplify_search_term
```

Example Post-Process Script:

```python
from java.util import Date
current_dt = Date().getTime()
if results.success:
    # content is either a plain list or an object wrapping the list in "objectsList"
    if isinstance(results.content, list):
        entity_list = results.content
    else:
        entity_list = results.content.get("objectsList", [])
    for entity in entity_list:
        row = incident.addRow('siemplify_list_entries')
        row['report_date'] = current_dt
        row['list_name'] = 'Custom List'
        row['entity'] = entity['entityIdentifier']
        row['entity_type'] = entity['category']
        row['environments'] = ", ".join(entity['environments'])
else:
    incident.addNote("Siemplify Get Custom List Entities failed: {}".format(results.reason))
```
## Function - Siemplify: Get Blocklist Entities

Get entities from Siemplify's Blacklist

Inputs:

| Name | Type | Required | Example | Tooltip |
| ---- | ---- | -------- | ------- | ------- |
| `siemplify_limit` | | No | | Limit the results returned |
| `siemplify_search` | | No | | Filter results based on a search entry |

Outputs:

```python
results = {
    'version': 2.0,
    'success': True,
    'reason': None,
    'content': [
        {
            'id': 1,
            'entityIdentifier': 'https://abc.com',
            'entityType': 'DestinationURL',
            'elementType': 0,
            'scope': 2,
            'environments': [
                'Default Environment'
            ]
        },
        {
            'id': 2,
            'entityIdentifier': '1.2.3.4',
            'entityType': 'IPSET',
            'elementType': 0,
            'scope': 2,
            'environments': [
                'Default Environment'
            ]
        }
    ],
    'raw': None,
    'inputs': {
        'siemplify_search': None,
        'siemplify_limit': 100
    },
    'metrics': {
        'version': '1.0',
        'package': 'fn-siemplify',
        'package_version': '1.0.0',
        'host': 'localhost',
        'execution_time_ms': 240,
        'timestamp': '2022-01-07 11:23:21'
    }
}
```

Example Pre-Process Script:

```python
inputs.siemplify_limit = rule.properties.siemplify_limit_result if rule.properties.siemplify_limit_result else 100
inputs.siemplify_search = rule.properties.siemplify_search_term
```

Example Post-Process Script:

```python
from java.util import Date
current_dt = Date().getTime()
if results.success:
    # content is either a plain list or an object wrapping the list in "objectsList"
    if isinstance(results.content, list):
        entity_list = results.content
    else:
        entity_list = results.content.get("objectsList", [])
    for entity in entity_list:
        row = incident.addRow('siemplify_list_entries')
        row['report_date'] = current_dt
        row['list_name'] = 'Block List'
        row['entity'] = entity['entityIdentifier']
        row['entity_type'] = entity['entityType']
        row['environments'] = ", ".join(entity['environments'])
else:
    incident.addNote("Siemplify Get Blocklist Entities failed: {}".format(results.reason))
```
## Function - Siemplify: Remove List Entry

Remove a Blocklist or Custom List entry

Inputs:

| Name | Type | Required | Example | Tooltip |
| ---- | ---- | -------- | ------- | ------- |
| `siemplify_entity_id` | | Yes | | ID within the list |
| `siemplify_entity_list` | | Yes | | Name of blocklist or custom list |
| `siemplify_entity_type` | | Yes | | Type of the entity |
| `siemplify_entity_value` | | Yes | | Value of the entity |
| `siemplify_environments` | | Yes | | Environments |

Outputs:

```python
results = {
    'version': 2.0,
    'success': True,
    'reason': None,
    'content': '',
    'raw': None,
    'inputs': {
        'siemplify_entity_id': 9,
        'siemplify_entity_list': "Block List",
        'siemplify_entity_type': "IPSEC",
        'siemplify_entity_value': "192.168.1.19",
        'siemplify_environments': "Default Environment, Environment2"
    },
    'metrics': {
        'version': '1.0',
        'package': 'fn-siemplify',
        'package_version': '1.0.0',
        'host': 'localhost',
        'execution_time_ms': 240,
        'timestamp': '2022-01-07 11:23:21'
    }
}
```

Example Pre-Process Script:

```python
inputs.siemplify_entity_id = row['entity_id']
inputs.siemplify_entity_list = row['list_name']
inputs.siemplify_entity_value = row['entity']
inputs.siemplify_entity_type = row['entity_type']
inputs.siemplify_environments = row['environments']
```

Example Post-Process Script:

```python
if results.success:
    incident.addNote("Siemplify Remove {} Entity '{}' successful".format(row['list_name'], row['entity']))
    row['entity'] = "{} (deleted)".format(row['entity'])
else:
    incident.addNote("Siemplify Remove {} Entity '{}' failed: {}".format(row['list_name'], row['entity'], results.reason))
```
## Data Table - Siemplify List Entries

### API Name:

siemplify_list_entries

### Columns:

| Column Name | API Access Name | Type | Tooltip |
| ----------- | --------------- | ---- | ------- |
| Report Date | `report_date` | | - |
| List Name | `list_name` | | - |
| Entity | `entity` | | - |
| Entity Type/Category | `entity_type` | | - |
| Environments | `environments` | | - |
## Custom Fields

| Label | API Access Name | Type | Prefix | Placeholder | Tooltip |
| ----- | --------------- | ---- | ------ | ----------- | ------- |
| Siemplify Assignee | `siemplify_assignee` | | | - | Siemplify case assignee |
| Siemplify Is Important | `siemplify_is_important` | | | - | Siemplify IsImportant |
| Siemplify Case Id | `siemplify_case_id` | | | - | Siemplify case id used for synchronization |
| Siemplify Stage | `siemplify_stage` | | | - | Siemplify case stage |
| Siemplify Priority | `siemplify_priority` | | | - | Siemplify case priority |
| Siemplify Alert Id | `siemplify_alert_id` | | | - | Siemplify alert id used for synchronization |
| Siemplify Case Link | `siemplify_case_link` | | | - | URL link back to Case |
## Rules

| Rule Name | Object | Workflow Triggered |
| --------- | ------ | ------------------ |
| Siemplify Auto Sync Case | incident | |
| Siemplify Auto Sync Attachment | attachment | |
| Siemplify Auto Sync Comment | note | |
| Siemplify Sync Artifact | artifact | |
| Siemplify Auto Close Case | incident | |
| Siemplify Sync Comment | note | |
| Siemplify Sync Task | task | |
| Siemplify Auto Sync Artifact | artifact | |
| Siemplify Sync Case | incident | |
| Siemplify: Get Blocklist Entities | incident | `siemplify_get_blocklist_entities` |
| Siemplify: Get Custom List Entities | incident | `siemplify_get_customlist_entities` |
| Siemplify: Add/Update Entity to Blocklist | artifact | `siemplify_addupdate_entity_to_blocklist` |
| Siemplify: Add/Update entity to Custom List | artifact | `siemplify_addupdate_entity_to_customlist` |
## Troubleshooting & Support

Refer to the documentation listed in the Requirements section for troubleshooting information.

### For Support

This is an IBM Supported App. Please search the Community at ibm.biz/soarcommunity for assistance or open a case at ibm.com/mysupport.
## Templates

These templates can be copied and modified to override the existing templates used for several synchronization operations.

### Siemplify Create Case Template

Used in the `siemplify_create_case_template` app.config parameter.

```jinja
{
  "title": "IBM SOAR - {{ name|e }}",
  "assignedUser": {% if siemplify_assigned_user %} "{{ siemplify_assigned_user }}" {% else %} null {% endif %},
  "reason": "IBM SOAR Incident {{ id }}",
  "priority": "{{ priority | string | resilient_substitute('{"25": "Low", "50":"Medium", "80":"High", "100":"Critical", "DEFAULT": "Medium"}') }}",
  "environment": "{{ siemplify_environment if siemplify_environment else 'Default Environment'}}",
  "isImportant": {{ confirmed | tojson }},
  "alertName": "IBM SOAR Alert {{ id }}",
  "occurenceTime": "{{ discovered_date | resilient_display_datetimeformat(milliseconds=True) }}",
  "slaExpirationDateTime": null,
  "playbooks": {{ siemplify_playbooks | tojson }},
  "tags": {{ siemplify_tags | tojson }}
}
```
### SOAR Close Case Template

Used in the `soar_close_case_template` app.config parameter.

```jinja
{
  {# JINJA template for closing a SOAR incident when its Siemplify case closes. #}
  "plan_status": "C",
  "resolution_id": "Resolved",
  "resolution_summary": "Closed from Siemplify. Root Cause: {{ rootCause }}. Reason: {{ closeReason }}."
  {# additional fields may be needed. Add as necessary #}
  {# "properties": { } #}
}
```
### SOAR Update Case Template

Used in the `soar_update_case_template` app.config parameter.

```jinja
{
  {% if description %}
  "description": "{{ description }}",
  {% endif %}
  "properties": {
    {% if tags %}
    "siemplify_tags": "{{ tags|map(attribute='tag')|list|join(', ') }}",
    {% endif %}
    "siemplify_assignee": "{{ assignedUserName }}",
    "siemplify_stage": "{{ stage }}",
    "siemplify_is_important": {{ isImportant|tojson }},
    "siemplify_priority": "{{ priority | string | resilient_substitute('{"25": "Low", "50":"Medium", "80":"High", "100":"Critical", "DEFAULT": "Medium"}') }}"
  }
}
```
### Artifact Type Lookup

Used in the `artifact_type_lookup` app.config parameter.

```json
{
  "DEFAULT": "GENERICENTITY",
  "Port": "ADDRESS",
  "MAC Address": "MacAddress",
  "Process Name": "PROCESS",
  "Service": "PROCESS",
  "File Name": "FILENAME",
  "File Path": "FILENAME",
  "Malware MD5 Hash": "FILEHASH",
  "Malware SHA-1 Hash": "FILEHASH",
  "Malware SHA-256 Hash": "FILEHASH",
  "Malware Sample Fuzzy Hash": "FILEHASH",
  "URI PATH": "DestinationURL",
  "URL": "DestinationURL",
  "URL Referer": "DestinationURL",
  "Email Subject": "EMAILSUBJECT",
  "Threat CVE ID": "CVEID",
  "String": "GENERICENTITY",
  "DNS Name": "DESTINATIONDOMAIN",
  "IP Address": "IPSET",
  "User Agent": "USERUNIQNAME",
  "User Account": "USERUNIQNAME",
  "Registry Key": "GENERICENTITY",
  "Password": "GENERICENTITY",
  "Observed Data": "GENERICENTITY",
  "Network CIDR Range": "IPSET",
  "Mutex": "THREATSIGNATURE",
  "Malware Family/Variant": "GENERICENTITY",
  "HTTP Response Header": "GENERICENTITY",
  "HTTP Request Header": "GENERICENTITY",
  "Email Sender Name": "USERUNIQNAME",
  "Email Sender": "USERUNIQNAME",
  "Email Recipient": "USERUNIQNAME",
  "Email Body": "GENERICENTITY",
  "Email Attachment Name": "FILENAME",
  "Email Attachment": null,
  "Log File": null,
  "Malware Sample": null,
  "Other File": null,
  "RFC 822 Email Message File": null,
  "X509 Certificate File": null
}
```
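The following Python is an added example, not code from the fn-siemplify app, showing how a lookup of this shape is applied to SOAR artifacts before they reach the Sync Artifact function and how an `artifact_type_lookup` override file can be sanity-checked before deployment. It assumes that an override file is merged over the defaults, that a `null` entry means the artifact is not sent to Siemplify as an entity, and that unknown SOAR types fall back to `DEFAULT`; only a subset of the table above is embedded, and the sample artifacts are constructed.

```python
import json

# Siemplify entity types that appear in the lookup shipped with the app; used only
# to catch typos in override files before the app sends a bad entity type.
KNOWN_ENTITY_TYPES = {
    "GENERICENTITY", "ADDRESS", "MacAddress", "PROCESS", "FILENAME", "FILEHASH",
    "DestinationURL", "EMAILSUBJECT", "CVEID", "DESTINATIONDOMAIN", "IPSET",
    "USERUNIQNAME", "THREATSIGNATURE",
}

# Constructed subset of the default Artifact Type Lookup above.
DEFAULT_LOOKUP = {
    "DEFAULT": "GENERICENTITY",
    "IP Address": "IPSET",
    "Network CIDR Range": "IPSET",
    "DNS Name": "DESTINATIONDOMAIN",
    "URL": "DestinationURL",
    "File Name": "FILENAME",
    "Malware SHA-256 Hash": "FILEHASH",
    "User Account": "USERUNIQNAME",
    "Email Attachment": None,   # file-type artifacts are not entities
    "Log File": None,
}


def load_lookup(override_json=None):
    """Return the effective lookup: the defaults with the entries of an override
    file (the text of the JSON file named by artifact_type_lookup) merged on top.
    Merge semantics are an assumption of this example."""
    lookup = dict(DEFAULT_LOOKUP)
    if override_json:
        override = json.loads(override_json)
        if not isinstance(override, dict):
            raise ValueError("artifact_type_lookup must be a JSON object")
        lookup.update(override)
    return lookup


def validate_lookup(lookup):
    """Return a list of problems: a missing DEFAULT entry, or values that are
    neither null nor a known Siemplify entity type."""
    problems = []
    if "DEFAULT" not in lookup:
        problems.append("missing DEFAULT entry")
    for soar_type, entity_type in lookup.items():
        if entity_type is not None and entity_type not in KNOWN_ENTITY_TYPES:
            problems.append("{}: unknown entity type {!r}".format(soar_type, entity_type))
    return problems


def map_artifact_type(soar_type, lookup):
    """Map a SOAR artifact type to a Siemplify entity type. None means 'do not
    create an entity'; SOAR types absent from the lookup use the DEFAULT entry."""
    if soar_type in lookup:
        return lookup[soar_type]
    return lookup.get("DEFAULT")


def build_entities(artifacts, lookup):
    """Turn SOAR artifacts (dicts with id, type, value) into the inputs the Sync
    Artifact function takes, plus the resolved entity type.
    Returns (entities, skipped_artifact_ids)."""
    entities, skipped = [], []
    for art in artifacts:
        entity_type = map_artifact_type(art["type"], lookup)
        if entity_type is None:
            skipped.append(art["id"])
            continue
        entities.append({
            "siemplify_artifact_id": art["id"],
            "siemplify_artifact_type": art["type"],
            "siemplify_artifact_value": art["value"],
            "entityType": entity_type,
        })
    return entities, skipped


# Constructed sample artifacts, mirroring the Sync Artifact inputs shown above.
SAMPLE_ARTIFACTS = [
    {"id": 200, "type": "IP Address", "value": "121.24.56.9"},
    {"id": 201, "type": "Registry Key", "value": "HKLM\\Software\\Example"},
    {"id": 202, "type": "Log File", "value": "auth.log"},
]

if __name__ == "__main__":
    lookup = load_lookup('{"Registry Key": "GENERICENTITY", "Port": "ADDRESS"}')
    print(validate_lookup(lookup))
    print(build_entities(SAMPLE_ARTIFACTS, lookup))
```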