Siemplify

Release Notes

| Version | Date | Notes |
| --- | --- | --- |
| 1.0.0 | 02/2022 | Initial Release |


Overview

Siemplify App for IBM QRadar SOAR (SOAR)

screenshot: main

Bi-directional synchronization of Siemplify cases with SOAR incidents. The other Siemplify case components that are synchronized are:

  • SOAR comments to Siemplify case insights

  • SOAR attachments

  • SOAR case tasks

  • Siemplify closed cases will update IBM SOAR incidents

Key Features

  • Sync SOAR incidents (including notes, artifacts, and attachments) with Siemplify cases

  • Sync Siemplify case close events with SOAR incidents

  • Sync Siemplify case changes with existing SOAR incidents

  • Flexible templates that can be modified for your environment

  • Get entities added to the Block or Custom list

  • Add entities to the Block or Custom list

  • Add Playbooks to a Case


Requirements

This app supports the IBM QRadar SOAR Platform and the IBM Cloud Pak for Security.

SOAR platform

The SOAR platform supports two app deployment mechanisms, App Host and integration server.

If deploying to a SOAR platform with an App Host, the requirements are:

  • SOAR platform >= 41.2.51.

  • The app is in a container-based format (available from the AppExchange as a zip file).

If deploying to a SOAR platform with an integration server, the requirements are:

  • SOAR platform >= 41.2.51.

  • The app is in the older integration format (available from the AppExchange as a zip file which contains a tar.gz file).

  • Integration server is running resilient-circuits>=43.0.0.

  • If using an API key account, make sure the account provides the following minimum permissions:

    | Name | Permissions |
    | --- | --- |
    | Org Data | Read |
    | Function | Read |
    | Incident | Read all, edit fields, edit status |
    | Incident | Create |

The following SOAR platform guides provide additional information:

  • App Host Deployment Guide: provides installation, configuration, and troubleshooting information, including proxy server settings.

  • Integration Server Guide: provides installation, configuration, and troubleshooting information, including proxy server settings.

  • System Administrator Guide: provides the procedure to install, configure and deploy apps.

The above guides are available on the IBM Knowledge Center at ibm.biz/soar-docs. On this web page, select your SOAR platform version. On the follow-on page, you can find the App Host Deployment Guide or Integration Server Guide by expanding SOAR Apps in the Table of Contents pane. The System Administrator Guide is available by expanding System Administrator.

Cloud Pak for Security

If you are deploying to IBM Cloud Pak for Security, the requirements are:

  • IBM Cloud Pak for Security >= 1.4.

  • Cloud Pak is configured with an App Host.

  • The app is in a container-based format (available from the AppExchange as a zip file).

The following Cloud Pak guides provide additional information:

  • App Host Deployment Guide: provides installation, configuration, and troubleshooting information, including proxy server settings. From the Table of Contents, select Case Management and Orchestration & Automation > Orchestration and Automation Apps.

  • System Administrator Guide: provides information to install, configure, and deploy apps. From the IBM Cloud Pak for Security Knowledge Center table of contents, select Case Management and Orchestration & Automation > System administrator.

These guides are available on the IBM Knowledge Center at ibm.biz/cp4s-docs. From this web page, select your IBM Cloud Pak for Security version. From the version-specific Knowledge Center page, select Case Management and Orchestration & Automation.

Proxy Server

The app does support a proxy server.

Python Environment

Python 3.6 is supported. The app depends on the following packages, each of which may pull in additional dependencies of its own:

  • jinja2

  • pytz

  • resilient-circuits>=43.0.0

  • simplejson

Endpoint Developed With Siemplify

This app has been tested using:

| Product Name | Product Version | API URL | API Version |
| --- | --- | --- | --- |
| Siemplify | 5.6.x | https://<siemplify_host>/api/external/v1 | v1 |

Configuration

  • Generate a Siemplify API key for use with IBM SOAR. This value is used for the app.config api_key setting.


Installation

Install

  • To install or uninstall an App or Integration on the Resilient platform, see the documentation at ibm.biz/soar-docs.

  • To install or uninstall an App on IBM Cloud Pak for Security, see the documentation at ibm.biz/cp4s-docs and follow the instructions above to navigate to Orchestration and Automation.

App Configuration

The following table provides the settings you need to configure the app. These settings are made in the app.config file. See the documentation discussed in the Requirements section for the procedure.

| Config | Required | Example | Description |
| --- | --- | --- | --- |
| base_url | Yes | https://<siemplify host> | Base URL for your Siemplify server |
| api_key | Yes | abc-123-def | API key generated from Siemplify |
| cafile | Yes | `false` or `/path/to/siemplify.cert` | Path to the CA certificate used to verify the Siemplify server's TLS certificate, or `false` to skip verification |
| polling_interval | No | 120 | Seconds to wait between polling intervals. 0 disables the poller, which also disables the ability to close an IBM SOAR incident when the Siemplify case closes. |
| polling_lookback | No | 120 | Minutes to look back for closed cases the first time the poller runs |
| poller_timezone | No | Etc/GMT | Timezone adjustment for Siemplify timestamp comparison |
| default_environment | No | Default Environment | Siemplify environment to use when creating cases and entities if none is specifically referenced |
| siemplify_create_case_template | No | /path/to/siemplify_create_case.jinja | Use when overriding the default template |
| soar_close_case_template | No | /path/to/soar_close_case.jinja | Use when overriding the default template |
| soar_update_case_template | No | /path/to/soar_update_case_case.jinja | Use when overriding the default template |
| artifact_type_lookup | No | /path/to/artifact_type_lookup.json | Use to specify an override JSON file with a mapping between SOAR artifact types and Siemplify entities |
| playbook_mappings | No | '<SOAR Incident Type>': 'playbook1,playbook2','Malware':'playbook3','DEFAULT':'playbook4' | Lookup key/value pairs that map a SOAR incident type to Siemplify playbook(s) |
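As an added illustration of the playbook_mappings format shown above (example code written for this page, not part of the fn-siemplify app), the following parses the quoted key/value string into a lookup and resolves a SOAR incident's types to the playbooks to add, falling back to the DEFAULT entry. The regex-based parsing, the sample mapping and the playbook names are assumptions; the app's own parser may differ.

```python
import re

# Constructed sample value in the documented app.config format (not a real deployment's setting).
SAMPLE_PLAYBOOK_MAPPINGS = (
    "'Phishing': 'Phishing Triage,Mailbox Sweep',"
    "'Malware':'SentinelOne Threat Remediation',"
    "'DEFAULT':'IBM SOAR - default playbook'"
)

# One single-quoted key, a colon, one single-quoted value (assumed syntax, from the README example).
_PAIR_RE = re.compile(r"'([^']*)'\s*:\s*'([^']*)'")


def parse_playbook_mappings(setting):
    """Parse the playbook_mappings string into {incident_type: [playbook, ...]}.

    Values are comma-separated playbook names; blank names are dropped.
    """
    mappings = {}
    for key, value in _PAIR_RE.findall(setting or ""):
        playbooks = [p.strip() for p in value.split(",") if p.strip()]
        if playbooks:
            mappings[key.strip()] = playbooks
    return mappings


def playbooks_for_incident(incident_types, mappings):
    """Return the ordered, de-duplicated playbooks for a SOAR incident's types.

    A SOAR incident can carry several incident types; when none of them is
    mapped, the DEFAULT entry (if configured) is used.
    """
    selected = []
    for inc_type in incident_types:
        for playbook in mappings.get(inc_type, []):
            if playbook not in selected:
                selected.append(playbook)
    if not selected:
        selected = list(mappings.get("DEFAULT", []))
    return selected


if __name__ == "__main__":
    lookup = parse_playbook_mappings(SAMPLE_PLAYBOOK_MAPPINGS)
    for types in (["Malware"], ["Phishing", "Malware"], ["Denial of Service"]):
        print(types, "->", playbooks_for_incident(types, lookup))
```

A DEFAULT entry is worth configuring: without it an incident whose type is not mapped gets no playbook at all, and the omission is silent.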

Custom Layouts

  • Import the Data Tables and Custom Fields in a tab like the screenshot below:

    screenshot: custom_layouts


Function - Siemplify Sync Task

Sync a SOAR Task to Siemplify

Inputs:

| Name | Type | Required | Example | Tooltip |
| --- | --- | --- | --- | --- |
| siemplify_case_id | number | No | 42 | Siemplify case id stored with the SOAR incident |
| siemplify_soar_task_id | number | No | 1003 | SOAR incident task id |
| siemplify_task_assignee | text | No | @Administrator | Name of the Siemplify assignee for the task |

Outputs:

results = {
  'version': 2.0,
  'success': True,
  'reason': None,
  'content': {
    'status': 0,
    'priority': 0,
    'name': 'IBM SOAR: Investigate Malware',
    'owner': '@Administrator',
    'completor': None,
    'completionComment': None,
    'completionDateTimeUnixTimeInMs': None,
    'dueDateUnixTimeInMs': None,
    'creatorUserId': 'Siemplify automation',
    'id': 19,
    'type': 2,
    'caseId': 60,
    'isFavorite': False,
    'modificationTimeUnixTimeInMs': 1641570964725,
    'creationTimeUnixTimeInMs': 1641570964725,
    'alertIdentifier': None
  },
  'raw': None,
  'inputs': {
    'siemplify_task_assignee': '@Administrator',
    'siemplify_soar_task_id': 802,
    'siemplify_case_id': 60
  },
  'metrics': {
    'version': '1.0',
    'package': 'fn-siemplify',
    'package_version': '1.0.0',
    'host': 'localhost',
    'execution_time_ms': 551,
    'timestamp': '2022-01-07 10:56:04'
  }
}

Example Pre-Process Script:

inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_soar_task_id = task.id
inputs.siemplify_task_assignee = "@Administrator"

Example Post-Process Script:

if results.success:
  task.addNote("Siemplify Sync Task: {}".format(task.name))
else:
  task.addNote("Siemplify Sync Task: {} failed: {}".format(task.name, results.reason))


Function - Siemplify Sync Attachment

Create a Siemplify Attachment from a SOAR Case Attachment

Inputs:

| Name | Type | Required | Example | Tooltip |
| --- | --- | --- | --- | --- |
| siemplify_alert_id | text | Yes | 123 | Siemplify alert id saved in the SOAR incident |
| siemplify_attachment_id | number | Yes | - | SOAR incident attachment id |
| siemplify_case_id | number | Yes | 46 | Siemplify case id saved in the SOAR incident |
| siemplify_incident_id | number | Yes | 2009 | SOAR incident id |

Outputs:

results = {
  'version': 2.0,
  'success': True,
  'reason': None,
  'content': {
    'evidenceName': 'app-rc_data_feed_plugin_odbcfeed-1',
    'description': 'created by IBM SOAR',
    'evidenceThumbnailBase64': '',
    'evidenceId': 12,
    'fileType': '.0.5.zip',
    'creatorUserId': 'Siemplify automation',
    'id': 12,
    'type': 4,
    'caseId': 60,
    'isFavorite': False,
    'modificationTimeUnixTimeInMs': 1641571089125,
    'creationTimeUnixTimeInMs': 1641571089125,
    'alertIdentifier': None
  },
  'raw': None,
  'inputs': {
    'siemplify_incident_id': 2145,
    'siemplify_alert_id': 'IBM SOAR Alert 2145_f48baf55-3618-4cf4-b2b5-d3b974d71785',
    'siemplify_case_id': 60,
    'siemplify_attachment_id': 15
  },
  'metrics': {
    'version': '1.0',
    'package': 'fn-siemplify',
    'package_version': '1.0.0',
    'host': 'localhost',
    'execution_time_ms': 781,
    'timestamp': '2022-01-07 10:58:09'
  }
}

Example Pre-Process Script:

inputs.siemplify_alert_id = incident.properties.siemplify_alert_id
inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_incident_id = incident.id
inputs.siemplify_attachment_id = attachment.id

Example Post-Process Script:

if results.success:
  incident.addNote("Siemplify Sync Attachment: {} created".format(attachment.name))
else:
  incident.addNote("Siemplify Sync Attachment: {} failed. Reason: {}".format(attachment.name, results.reason))


Function - Siemplify Sync Case

Sync a SOAR Case to Siemplify

Inputs:

| Name | Type | Required | Example | Tooltip |
| --- | --- | --- | --- | --- |
| siemplify_alert_id | text | Yes | IBM SOAR Alert 2148_abc-1234 | Siemplify alert id saved in the SOAR incident |
| siemplify_assigned_user | text | No | @Administrator | Set assigned user. Default is none. |
| siemplify_case_id | number | Yes | 46 | Siemplify case id saved in the SOAR incident |
| siemplify_environment | text | No | Default Environment | Set environment. See the app.config setting for the default |
| siemplify_incident_id | number | Yes | 2009 | SOAR incident id |
| siemplify_sync_artifacts | boolean | No | `true` or `false` | - |
| siemplify_sync_attachments | boolean | No | `true` or `false` | - |
| siemplify_sync_comments | boolean | No | `true` or `false` | - |

Outputs:

results = {
  'version': 2.0,
  'success': True,
  'reason': None,
  'content': {
    'wallData': [
      {
        'comment': 'Case creation reason: IBM SOAR Incident 2145',
        'creatorUserId': 'Siemplify automation',
        'id': 63,
        'type': 7,
        'caseId': 63,
        'isFavorite': False,
        'modificationTimeUnixTimeInMs': 1641571162242,
        'creationTimeUnixTimeInMs': 1641571162242,
        'alertIdentifier': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b'
      },
      {
        'comment': 'Playbook SentinelOne Threat Remediation attached to case.',
        'creatorUserId': 'Siemplify automation',
        'id': 36,
        'type': 5,
        'caseId': 63,
        'isFavorite': False,
        'modificationTimeUnixTimeInMs': 1641571162382,
        'creationTimeUnixTimeInMs': 1641571162382,
        'alertIdentifier': None
      }
    ],
    'alerts': [
      {
        'ticketId': '',
        'identifier': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b',
        'hasWorkflows': True,
        'workflowsStatus': 1,
        'sourceSystemName': '',
        'securityEventCards': [
          {
            'caseId': 63,
            'eventId': None,
            'alertIdentifier': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b',
            'eventName': None,
            'product': None,
            'sources': [

            ],
            'destinations': [

            ],
            'artificats': [

            ],
            'port': None,
            'outcome': None,
            'time': '2022-01-05T17:52:10Z',
            'deviceEventClassId': None,
            'fields': [

            ]
          }
        ],
        'entityCards': [

        ],
        'productFamilies': [
          'Default'
        ],
        'fields': [
          {
            'isHighlight': True,
            'groupName': 'HIGHLIGHTED FIELDS',
            'items': [
              {
                'originalName': 'AlertName',
                'name': 'Alert Name',
                'value': 'IBM SOAR Alert 2145'
              },
              {
                'originalName': 'EndTime',
                'name': 'End Time',
                'value': '1641405130000'
              },
              {
                'originalName': 'StartTime',
                'name': 'Start Time',
                'value': '1641405130000'
              }
            ]
          },
          {
            'isHighlight': False,
            'groupName': 'Time',
            'items': [
              {
                'originalName': 'DetectionTime',
                'name': 'Detection Time',
                'value': '1641405130000'
              },
              {
                'originalName': 'EndTime',
                'name': 'End Time',
                'value': '1641405130000'
              },
              {
                'originalName': 'StartTime',
                'name': 'Start Time',
                'value': '1641405130000'
              }
            ]
          },
          {
            'isHighlight': False,
            'groupName': 'Case',
            'items': [
              {
                'originalName': 'AlertName',
                'name': 'Alert Name',
                'value': 'IBM SOAR Alert 2145'
              },
              {
                'originalName': 'RuleGenerator',
                'name': 'Rule Generator',
                'value': 'Manual Case'
              }
            ]
          },
          {
            'isHighlight': False,
            'groupName': 'Default',
            'items': [
              {
                'originalName': 'AlertGroupIdentifier',
                'name': 'AlertGroupIdentifier',
                'value': 'Manual Case_af8ee1c9-97de-4e45-a1a7-cb9926a8096d'
              },
              {
                'originalName': 'IsManualAlert',
                'name': 'IsManualAlert',
                'value': 'True'
              }
            ]
          },
          {
            'isHighlight': False,
            'groupName': 'Threat',
            'items': [
              {
                'originalName': 'Priority',
                'name': 'Priority',
                'value': 'Unchanged'
              }
            ]
          }
        ],
        'name': 'IBM SOAR Alert 2145',
        'product': None,
        'startTimeUnixTimeInMs': 1641405130000,
        'apiSlaExpiration': {
          'slaExpirationTime': None,
          'criticalExpirationTime': None,
          'expirationStatus': 2
        },
        'isManualAlert': True,
        'priority': 0,
        'id': 0,
        'creationTimeUnixTimeInMs': 0,
        'modificationTimeUnixTimeInMs': 0,
        'additionalProperties': {
          'identifier': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b',
          'detectionTime': '1641405130000',
          'alertName': 'IBM SOAR Alert 2145',
          'ruleGenerator': 'Manual Case',
          'alertGroupIdentifier': 'Manual Case_af8ee1c9-97de-4e45-a1a7-cb9926a8096d',
          'isManualAlert': 'True',
          'priority': 'Unchanged',
          'endTime': '1641405130000',
          'startTime': '1641405130000'
        }
      }
    ],
    'caseRecommendations': {
      'similarCases': [
        {
          'id': 60,
          'title': 'IBM SOAR - default playbook',
          'caseRecommendationOutcomeStatus': 0,
          'priority': '50',
          'creationTime': '2022-01-05T17:52:28.652Z',
          'scorePercent': 100,
          'isClosed': False,
          'closedRootCause': None,
          'closedComment': None
        }
      ],
      'relevantAnalysts': [
        'Admin'
      ],
      'relevantTags': [

      ]
    },
    'tags': [
      {
        'caseId': 63,
        'tag': 'IBMSOAR',
        'priority': 0
      },
      {
        'caseId': 63,
        'tag': 'Manual Case',
        'priority': 0
      }
    ],
    'insights': [

    ],
    'productFamilies': [

    ],
    'summary': {
      'fields': [

      ]
    },
    'entityCards': [

    ],
    'entities': [

    ],
    'description': None,
    'canOpenIncident': False,
    'hasIncident': False,
    'title': 'IBM SOAR - default playbook',
    'isTouched': False,
    'hasSuspiciousEntity': False,
    'isMerged': False,
    'isImportant': True,
    'isIncident': False,
    'hasWorkflow': True,
    'environment': 'Default Environment',
    'priority': 50,
    'stage': 'Triage',
    'assignedUserName': '@Administrator',
    'apiSlaExpiration': {
      'slaExpirationTime': None,
      'criticalExpirationTime': None,
      'expirationStatus': 2
    },
    'apiStageSlaExpiration': {
      'slaExpirationTime': None,
      'criticalExpirationTime': None,
      'expirationStatus': 2
    },
    'status': 1,
    'isTestCase': False,
    'caseSource': 'User',
    'isOverflowCase': False,
    'id': 63,
    'creationTimeUnixTimeInMs': 1641571162101,
    'modificationTimeUnixTimeInMs': 1641571162183,
    'additionalProperties': {

    },
    'siemplify_case_url': 'https://9.55.194.8/#/main/cases/classic-view/63'
  },
  'raw': None,
  'inputs': {
    'siemplify_incident_id': 2145,
    'siemplify_sync_attachments': True,
    'siemplify_assigned_user': '@Administrator',
    'siemplify_environment': 'Default Environment',
    'siemplify_alert_id': 'IBM SOAR Alert 2145_f48baf55-3618-4cf4-b2b5-d3b974d71785',
    'siemplify_sync_comments': True,
    'siemplify_sync_artifacts': True,
    'siemplify_case_id': 60
  },
  'metrics': {
    'version': '1.0',
    'package': 'fn-siemplify',
    'package_version': '1.0.0',
    'host': 'localhost',
    'execution_time_ms': 2809,
    'timestamp': '2022-01-07 10:59:24'
  }
}

Example Pre-Process Script:

inputs.siemplify_incident_id = incident.id
inputs.siemplify_assigned_user = None
inputs.siemplify_environment = None
inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_alert_id = incident.properties.siemplify_alert_id

Example Post-Process Script:

PRIORITY_LOOKUP = {-1: "Informational", 40: "Low", 50:"Medium", 60:"Medium", 80:"High", 100:"Critical", "DEFAULT": "Medium"}

if results.success:
  case = results.content
  if not incident.properties.siemplify_case_id:
    incident.addNote("Siemplify Sync Case {} created".format(case.get('id')))
    incident.properties.siemplify_case_id = case.get('id')
    incident.properties.siemplify_case_link = helper.createRichText("<a target='blank' href='{}'>{}</a>".format(case.get('siemplify_case_url'), case.get('title')))

    if case.get('alerts'):
      incident.properties.siemplify_alert_id = case['alerts'][0]['identifier']
  else:
    incident.addNote("Siemplify Sync Case {} synchronized".format(case.get('id')))

  # always update these fields
  incident.properties.siemplify_assignee = case.get('assignedUserName')
  incident.properties.siemplify_environment = case.get('environment')
  incident.properties.siemplify_is_important = case.get('isImportant')
  incident.properties.siemplify_priority = PRIORITY_LOOKUP.get(case.get("priority", "DEFAULT"), str(case.get("priority")))
  incident.properties.siemplify_stage = case.get('stage')
  incident.properties.siemplify_tags = ", ".join( [tag.get('tag') for tag in case.get('tags', [])] )

else:
  incident.addNote("Siemplify Sync Case failed: {}".format(str(results.content)))
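The post-process script above interpolates the Siemplify case URL and title straight into an HTML anchor for the siemplify_case_link rich-text field, and maps the numeric Siemplify priority with PRIORITY_LOOKUP. The following added example (written for this page, not code from the fn-siemplify app) derives the same property values from a case dict offline, escaping the URL and title and rejecting anything that is not an absolute http(s) URL, so that markup in a case title cannot end up rendered inside the SOAR incident. The sample case is constructed from the fields in the Outputs block, with a placeholder host; `helper.createRichText` is not used because it only exists inside SOAR.

```python
import html
from urllib.parse import urlsplit

# Same lookup as the page's post-process script; an unknown priority falls back to its string value.
PRIORITY_LOOKUP = {-1: "Informational", 40: "Low", 50: "Medium", 60: "Medium", 80: "High", 100: "Critical"}

# Constructed sample trimmed from the Sync Case output above (host is a placeholder, not a real server).
SAMPLE_CASE = {
    "id": 63,
    "title": "IBM SOAR - default playbook",
    "siemplify_case_url": "https://siemplify.example/#/main/cases/classic-view/63",
    "alerts": [{"identifier": "IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b"}],
    "assignedUserName": "@Administrator",
    "environment": "Default Environment",
    "isImportant": True,
    "priority": 50,
    "stage": "Triage",
    "tags": [{"tag": "IBMSOAR"}, {"tag": "Manual Case"}],
}


def siemplify_case_link_html(case_url, case_title):
    """Build the anchor stored in siemplify_case_link, with URL and title HTML-escaped.

    Returns None when the URL is not an absolute http(s) URL, so a malformed or
    unexpected value from the case record never becomes a clickable link.
    target='_blank' (standard) is used in place of the script's target='blank'.
    """
    parts = urlsplit(case_url or "")
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return "<a target='_blank' href='{}'>{}</a>".format(
        html.escape(case_url, quote=True), html.escape(case_title or "", quote=True)
    )


def case_properties(case):
    """Derive the SOAR incident property values the post-process script sets from a Siemplify case dict."""
    priority = case.get("priority")
    return {
        "siemplify_case_id": case.get("id"),
        "siemplify_alert_id": case["alerts"][0]["identifier"] if case.get("alerts") else None,
        "siemplify_case_link": siemplify_case_link_html(case.get("siemplify_case_url"), case.get("title")),
        "siemplify_assignee": case.get("assignedUserName"),
        "siemplify_environment": case.get("environment"),
        "siemplify_is_important": case.get("isImportant"),
        "siemplify_priority": PRIORITY_LOOKUP.get(priority, str(priority)),
        "siemplify_stage": case.get("stage"),
        "siemplify_tags": ", ".join(t.get("tag", "") for t in case.get("tags", [])),
    }


if __name__ == "__main__":
    for name, value in case_properties(SAMPLE_CASE).items():
        print("{}: {}".format(name, value))
```

In the SOAR script itself, the escaped anchor string would still be wrapped with `helper.createRichText(...)` before assignment; the escaping is what changes, not the field type.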


Function - Siemplify Sync Artifact

Sync a SOAR Incident artifact to a Siemplify CASE alert and entity

Inputs:

| Name | Type | Required | Example | Tooltip |
| --- | --- | --- | --- | --- |
| siemplify_alert_id | text | No | IBM SOAR Alert 2148_abc-1234 | Siemplify alert id saved in the SOAR incident |
| siemplify_artifact_id | number | Yes | 1000 | - |
| siemplify_artifact_type | text | Yes | IP Address | - |
| siemplify_artifact_value | text | Yes | 1.2.3.4 | - |
| siemplify_case_id | number | No | 46 | Siemplify case id saved in the SOAR incident |
| siemplify_environment | text | No | Default Environment | Set environment. See the app.config setting for the default |

Outputs:

results = {
  'version': 2.0,
  'success': True,
  'reason': None,
  'content': {

  },
  'raw': None,
  'inputs': {
    'siemplify_artifact_type': 'IP Address',
    'siemplify_alert_id': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b',
    'siemplify_environment': None,
    'siemplify_artifact_id': 200,
    'siemplify_artifact_value': '121.24.56.9',
    'siemplify_case_id': 63
  },
  'metrics': {
    'version': '1.0',
    'package': 'fn-siemplify',
    'package_version': '1.0.0',
    'host': 'localhost',
    'execution_time_ms': 597,
    'timestamp': '2022-01-07 11:02:05'
  }
}

Example Pre-Process Script:

inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_alert_id = incident.properties.siemplify_alert_id
inputs.siemplify_artifact_type = artifact.type
inputs.siemplify_artifact_value = artifact.value
inputs.siemplify_environment = None
inputs.siemplify_artifact_id = artifact.id

Example Post-Process Script:

if results.success:
  incident.addNote("Siemplify Sync Artifact: {} ({}) created".format(artifact.value, artifact.type))
else:
  incident.addNote("Siemplify Sync Artifact: {} ({}) failed".format(artifact.value, artifact.type))


Function - Siemplify Sync Comment

Create a Siemplify Case comment

Inputs:

| Name | Type | Required | Example | Tooltip |
| --- | --- | --- | --- | --- |
| siemplify_alert_id | text | No | IBM SOAR Alert 2148_abc-1234 | Siemplify alert id saved in the SOAR incident |
| siemplify_case_id | number | No | 46 | Siemplify case id saved in the SOAR incident |
| siemplify_comment | text | No | comment text | - |

Outputs:

results = {
  'version': 2.0,
  'success': True,
  'reason': None,
  'content': {

  },
  'raw': None,
  'inputs': {
    'siemplify_alert_id': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b',
    'siemplify_comment': '<div class="rte"><div>Issue appears to be malicious</div></div>',
    'siemplify_case_id': 63
  },
  'metrics': {
    'version': '1.0',
    'package': 'fn-siemplify',
    'package_version': '1.0.0',
    'host': 'localhost',
    'execution_time_ms': 365,
    'timestamp': '2022-01-07 11:06:17'
  }
}

Example Pre-Process Script:

inputs.siemplify_alert_id = incident.properties.siemplify_alert_id
inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_comment = note.text.content

Example Post-Process Script:

if results.success:
  note.text = "<b>Siemplify Sync complete</b><br>"+note.text.content
else:
  incident.addNote(helper.createRichText("Siemplify Sync for note failed. Reason: {}".format(results.reason)))


Function - Siemplify Close Case

Close a Siemplify Case

Inputs:

| Name | Type | Required | Example | Tooltip |
| --- | --- | --- | --- | --- |
| siemplify_alert_id | text | Yes | IBM SOAR Alert 2148_abc-1234 | Siemplify alert id saved in the SOAR incident |
| siemplify_case_id | number | Yes | 46 | Siemplify case id saved in the SOAR incident |
| siemplify_comment | text | No | - | Added as the Siemplify close comment |
| siemplify_reason | text | Yes | Resolved | Added as the Siemplify close reason |
| siemplify_root_cause | text | Yes | Not an Issue | Added as the Siemplify root cause |

Outputs:

results = {
  'version': 2.0,
  'success': True,
  'reason': None,
  'content': {
    'close_case': True
  },
  'raw': None,
  'inputs': {
    'siemplify_root_cause': '<div class="rte"><div>Threat mitigated</div></div>',
    'siemplify_alert_id': 'IBM SOAR Alert 2145_38352c92-bf66-4a50-87e2-5875accd7d7b',
    'siemplify_reason': 'Inconclusive',
    'siemplify_case_id': 63
  },
  'metrics': {
    'version': '1.0',
    'package': 'fn-siemplify',
    'package_version': '1.0.0',
    'host': 'localhost',
    'execution_time_ms': 488,
    'timestamp': '2022-01-07 11:07:58'
  }
}

Example Pre-Process Script:

# change as necessary. Valid Siemplify values are: Malicious, Non Malicious, Maintenance, Inconclusive
LOOKUP_STATUS = {
    "7": "Inconclusive", # Unresolved
    "8": "Inconclusive", # Duplicate
    "9": "Non Malicious", # Not an Issue
    "10": "Malicious" # Resolved
}

inputs.siemplify_alert_id = incident.properties.siemplify_alert_id
inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_root_cause = incident.resolution_summary.content
inputs.siemplify_reason = LOOKUP_STATUS.get(str(incident.resolution_id), 'Inconclusive')

Example Post-Process Script:

if results.success:
  note = "Siemplify Sync case {} closed".format(incident.properties.siemplify_case_id)
else:
  note = "Siemplify Sync case {} failed to close: {}".format(incident.properties.siemplify_case_id, results.reason)
incident.addNote(helper.createPlainText(note))
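The function above closes a Siemplify case from SOAR; the opposite direction, closing the SOAR incident when the Siemplify case closes, is handled by the app's poller and governed by the polling_interval and polling_lookback settings in the App Configuration table. The following added example (written for this page, not the app's poller code) models that loop offline: the first cycle looks back polling_lookback minutes, later cycles continue from the high-water mark of the previous cycle so each closed case is processed once, and polling_interval 0 disables polling entirely. The case records are constructed from the fields in the Sync Case output; the poller_timezone adjustment is not modelled, and timestamps are treated as UTC epoch milliseconds.

```python
from datetime import datetime, timezone

# Constructed sample of the Siemplify case fields the poller would compare
# (id, isClosed, modificationTimeUnixTimeInMs); not captured from a real server.
SAMPLE_CASES = [
    {"id": 60, "isClosed": True, "modificationTimeUnixTimeInMs": 1641571300000},
    {"id": 63, "isClosed": False, "modificationTimeUnixTimeInMs": 1641571162183},
    {"id": 64, "isClosed": True, "modificationTimeUnixTimeInMs": 1641578400000},
    {"id": 65, "isClosed": True, "modificationTimeUnixTimeInMs": 1641561000000},
]


def poller_enabled(polling_interval):
    """polling_interval of 0 disables the poller (and so the close-on-Siemplify-close path)."""
    return int(polling_interval) > 0


def lookback_start_ms(now_ms, lookback_minutes):
    """First poll only: consider cases modified no earlier than now - polling_lookback minutes."""
    return now_ms - int(lookback_minutes) * 60 * 1000


def closed_cases_since(cases, since_ms):
    """Return (closed cases modified strictly after since_ms, new high-water mark).

    The high-water mark is the latest modification time seen (or since_ms when
    nothing matched) and becomes the lower bound of the next poll.
    """
    hits = sorted(
        (c for c in cases if c.get("isClosed") and c["modificationTimeUnixTimeInMs"] > since_ms),
        key=lambda c: c["modificationTimeUnixTimeInMs"],
    )
    high_water = max([since_ms] + [c["modificationTimeUnixTimeInMs"] for c in hits])
    return hits, high_water


def ms_to_iso(ms):
    """Render a Siemplify epoch-millisecond timestamp as an ISO 8601 UTC string for notes."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def run_poller(cases, polling_interval, polling_lookback, now_ms, last_poll_ms=None):
    """One poller cycle: returns (ids of closed cases to sync to SOAR, high-water mark).

    last_poll_ms is None on the first cycle, so the lookback window applies;
    afterwards the previous high-water mark is used instead.
    """
    if not poller_enabled(polling_interval):
        return [], last_poll_ms
    since = lookback_start_ms(now_ms, polling_lookback) if last_poll_ms is None else last_poll_ms
    hits, high_water = closed_cases_since(cases, since)
    return [c["id"] for c in hits], high_water


if __name__ == "__main__":
    now = 1641578400000  # constructed "current time": 2022-01-07T18:00:00Z
    ids, mark = run_poller(SAMPLE_CASES, 120, 120, now)
    print("first cycle closes SOAR incidents for cases", ids, "high-water", ms_to_iso(mark))
    ids, mark = run_poller(SAMPLE_CASES, 120, 120, now, last_poll_ms=mark)
    print("second cycle:", ids)
```

The strict comparison against the high-water mark is what keeps the sync idempotent: a case whose modification time equals the mark was already handled in the cycle that set it.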


Function - Siemplify Add Playbook

Add a Playbook to a Siemplify Case, optionally running it automatically

Inputs:

| Name | Type | Required | Example | Tooltip |
| --- | --- | --- | --- | --- |
| siemplify_alert_id | text | Yes | IBM SOAR Alert 2148_abc-1234 | Siemplify alert id saved in the SOAR incident |
| siemplify_case_id | number | Yes | 46 | Siemplify case id saved in the SOAR incident |
| siemplify_playbook_name | text | Yes | - | Name of the playbook to add |
| siemplify_run_playbook_automatically | bool | Yes | `True` or `False` | - |

Outputs:

results = {
  'version': 2.0,
  'success': True,
  'reason': None,
  'content': {
    'success': True
  },
  'raw': None,
  'inputs': {
    'siemplify_run_playbook_automatically': True,
    'siemplify_alert_id': 'IBM SOAR Alert 3834_64215769-ecb2-4fd7-bfb9-e6ca81c7a869',
    'siemplify_playbook_name': 'SentinelOne Threat Remediation',
    'siemplify_case_id': 171
  },
  'metrics': {
    'version': '1.0',
    'package': 'fn-siemplify',
    'package_version': '1.0.0',
    'host': 'localhost',
    'execution_time_ms': 312,
    'timestamp': '2022-03-31 17:31:39'
  }
}

Example Pre-Process Script:

inputs.siemplify_alert_id = incident.properties.siemplify_alert_id
inputs.siemplify_case_id = incident.properties.siemplify_case_id
inputs.siemplify_playbook_name = rule.properties.siemplify_playbook_name
inputs.siemplify_run_playbook_automatically = rule.properties.siemplify_run_playbook_automatically

Example Post-Process Script:

if results.success:
  incident.addNote("Siemplify Add Playbook: '{}' created".format(rule.properties.siemplify_playbook_name))
else:
  incident.addNote("Siemplify Add Playbook: '{}' failed: {}".format(rule.properties.siemplify_playbook_name, results.reason))


Function - Siemplify: Add/Update Entity to Blocklist

Add an artifact to the Siemplify Blacklist

Inputs:

| Name | Type | Required | Example | Tooltip |
| --- | --- | --- | --- | --- |
| siemplify_artifact_type | text | No | - | - |
| siemplify_artifact_value | text | No | - | - |
| siemplify_environment | text | No | Default Environment | Set environment. See the app.config setting for the default |

Outputs:

results = {
  'version': 2.0,
  'success': True,
  'reason': None,
  'content': {
    'entityIdentifier': 'malicious.exe',
    'entityType': 'FILENAME',
    'scope': 2,
    'environments': [
      'Default Environment'
    ]
  },
  'raw': None,
  'inputs': {
    'siemplify_artifact_type': 'File Name',
    'siemplify_environment': None,
    'siemplify_artifact_value': 'malicious.exe'
  },
  'metrics': {
    'version': '1.0',
    'package': 'fn-siemplify',
    'package_version': '1.0.0',
    'host': 'localhost',
    'execution_time_ms': 582,
    'timestamp': '2022-01-07 11:26:32'
  }
}

Example Pre-Process Script:

inputs.siemplify_artifact_type = artifact.type
inputs.siemplify_artifact_value = artifact.value
inputs.siemplify_environment = rule.properties.siemplify_environments

Example Post-Process Script:

from java.util import Date

current_dt = Date().getTime()

if results.success:
  entity = results.content
  row = incident.addRow('siemplify_list_entries')
  row['report_date'] = current_dt
  row['list_name'] = 'Block List'
  row['entity'] = entity['entityIdentifier']
  row['entity_type'] = entity['entityType']
  row['environments'] = ", ".join(entity['environments'])
  incident.addNote("Siemplify Add/Update Blocklist successful for: {} ({})".format(artifact.value, artifact.type))
else:
  incident.addNote("Siemplify Add/Update Blocklist Entity failed: {}".format(results.reason))


Function - Siemplify Add/Update Entity to Custom List

Add an artifact to the Siemplify custom list

Inputs:

| Name | Type | Required | Example | Tooltip |
| --- | --- | --- | --- | --- |
| siemplify_artifact_type | text | No | - | - |
| siemplify_artifact_value | text | No | - | - |
| siemplify_category | text | No | - | If left empty, the artifact type is used |
| siemplify_environment | text | No | Default Environment | Set environment. See the app.config setting for the default |

Outputs:

results = {
  'version': 2.0,
  'success': True,
  'reason': None,
  'content': {
    'entityIdentifier': 'malicious.exe',
    'category': 'Malicious Category',
    'environments': [
      'Default Environment'
    ]
  },
  'raw': None,
  'inputs': {
    'siemplify_artifact_type': 'File Name',
    'siemplify_environment': None,
    'siemplify_category': 'Malicious Category',
    'siemplify_artifact_value': 'malicious.exe'
  },
  'metrics': {
    'version': '1.0',
    'package': 'fn-siemplify',
    'package_version': '1.0.0',
    'host': 'localhost',
    'execution_time_ms': 293,
    'timestamp': '2022-01-07 11:25:35'
  }
}

Example Pre-Process Script:

inputs.siemplify_artifact_type = artifact.type
inputs.siemplify_artifact_value = artifact.value
inputs.siemplify_category = rule.properties.siemplify_list_category
inputs.siemplify_environment = rule.properties.siemplify_environments

Example Post-Process Script:

from java.util import Date

current_dt = Date().getTime()

if results.success:
  entity = results.content
  row = incident.addRow('siemplify_list_entries')
  row['report_date'] = current_dt
  row['list_name'] = 'Custom List'
  row['entity'] = entity['entityIdentifier']
  row['entity_type'] = entity['category']
  row['environments'] = ", ".join(entity['environments'])
  incident.addNote("Siemplify Add/Update Custom List successful for: {} ({})".format(artifact.value, artifact.type))
else:
  incident.addNote("Siemplify Add/Update Custom List Entity failed: {}".format(results.reason))


Function - Siemplify Get Custom List Entities

Get entities from Siemplify’s custom list

screenshot: fn-siemplify-get-custom-list-entities

Inputs:

| Name | Type | Required | Example | Tooltip |
| --- | --- | --- | --- | --- |
| siemplify_limit | number | No | - | Limit the results returned |
| siemplify_search | text | No | - | Filter results based on a search entry |

Outputs:

results = {
  'version': 2.0,
  'success': True,
  'reason': None,
  'content': [
    {
      'entityIdentifier': 'soar_list',
      'category': 'soar_category',
      'forDBMigration': False,
      'environments': [
        'Default Environment'
      ],
      'id': 1,
      'creationTimeUnixTimeInMs': 1638827701814,
      'modificationTimeUnixTimeInMs': 1638827701814
    },
    {
      'entityIdentifier': 'soar2_list',
      'category': 'soar_category',
      'forDBMigration': False,
      'environments': [
        'Default Environment'
      ],
      'id': 2,
      'creationTimeUnixTimeInMs': 1641490099338,
      'modificationTimeUnixTimeInMs': 1641490099338
    }
  ],
  'raw': None,
  'inputs': {
    'siemplify_search': None,
    'siemplify_limit': 100
  },
  'metrics': {
    'version': '1.0',
    'package': 'fn-siemplify',
    'package_version': '1.0.0',
    'host': 'localhost',
    'execution_time_ms': 325,
    'timestamp': '2022-01-07 11:21:31'
  }
}

Example Pre-Process Script:

inputs.siemplify_limit = rule.properties.siemplify_limit_result if rule.properties.siemplify_limit_result else 100
inputs.siemplify_search = rule.properties.siemplify_search_term

Example Post-Process Script:

from java.util import Date

current_dt = Date().getTime()

if results.success:
  # The function may return the list directly or wrapped in "objectsList"
  if isinstance(results.content, list):
    entity_list = results.content
  else:
    entity_list = results.content.get("objectsList", [])

  for entity in entity_list:
    row = incident.addRow('siemplify_list_entries')
    row['report_date'] = current_dt
    row['list_name'] = 'Custom List'
    row['entity'] = entity['entityIdentifier']
    row['entity_type'] = entity['category']
    row['environments'] = ", ".join(entity['environments'])
else:
  incident.addNote("Siemplify Get Custom List Entities failed: {}".format(results.reason))


Function - Siemplify: Get Blocklist Entities

Get entities from Siemplify’s Blacklist

screenshot: fn-siemplify-get-blocklist-entities

Inputs:

Name             | Type   | Required | Example | Tooltip
-----------------|--------|----------|---------|---------------------------------------
siemplify_limit  | number | No       | -       | Limit the results returned
siemplify_search | text   | No       | -       | Filter results based on a search entry

Outputs:

results = {
  'version': 2.0,
  'success': True,
  'reason': None,
  'content': [
    {
      'id': 1,
      'entityIdentifier': 'https://abc.com',
      'entityType': 'DestinationURL',
      'elementType': 0,
      'scope': 2,
      'environments': [
        'Default Environment'
      ]
    },
    {
      'id': 2,
      'entityIdentifier': '1.2.3.4',
      'entityType': 'IPSET',
      'elementType': 0,
      'scope': 2,
      'environments': [
        'Default Environment'
      ]
    }
  ],
  'raw': None,
  'inputs': {
    'siemplify_search': None,
    'siemplify_limit': 100
  },
  'metrics': {
    'version': '1.0',
    'package': 'fn-siemplify',
    'package_version': '1.0.0',
    'host': 'localhost',
    'execution_time_ms': 240,
    'timestamp': '2022-01-07 11:23:21'
  }
}

Example Pre-Process Script:

inputs.siemplify_limit = rule.properties.siemplify_limit_result if rule.properties.siemplify_limit_result else 100
inputs.siemplify_search = rule.properties.siemplify_search_term

Example Post-Process Script:

from java.util import Date

current_dt = Date().getTime()

if results.success:
  # The function may return the list directly or wrapped in "objectsList"
  if isinstance(results.content, list):
    entity_list = results.content
  else:
    entity_list = results.content.get("objectsList", [])

  for entity in entity_list:
    row = incident.addRow('siemplify_list_entries')
    row['report_date'] = current_dt
    row['list_name'] = 'Block List'
    row['entity'] = entity['entityIdentifier']
    row['entity_type'] = entity['entityType']
    row['environments'] = ", ".join(entity['environments'])
else:
  incident.addNote("Siemplify Get Blocklist Entities failed: {}".format(results.reason))
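The two post-process scripts above differ only in the entity-type key ('category' for the custom list, 'entityType' for the blocklist) and in the shape of results.content. The following plain-Python function is an added example, not part of the app's scripts: it handles both list kinds, and additionally sanity-checks IPSET and DestinationURL values received from Siemplify before they are written into the data table. The function names and the sample data are constructed for this example.

```python
import ipaddress
from urllib.parse import urlparse

# The entity-type key differs between the two list functions (see the outputs above).
TYPE_KEYS = {"Custom List": "category", "Block List": "entityType"}

# Constructed sample modelled on the blocklist output above, plus one malformed entry.
SAMPLE_BLOCKLIST = {"success": True, "reason": None, "content": [
    {"id": 1, "entityIdentifier": "https://abc.com", "entityType": "DestinationURL",
     "environments": ["Default Environment"]},
    {"id": 2, "entityIdentifier": "1.2.3.4", "entityType": "IPSET", "environments": ["Default Environment"]},
    {"id": 3, "entityIdentifier": "1.2.3.999", "entityType": "IPSET", "environments": []}]}

def entity_list(content):
    """results.content is either the list itself or a dict wrapping it in 'objectsList'."""
    if isinstance(content, list):
        return content
    return (content.get("objectsList") or []) if isinstance(content, dict) else []

def looks_valid(entity_type, value):
    """Sanity-check values received from Siemplify before they land in the data table;
    only IPSET and DestinationURL get a structural check, other types just need a value."""
    if not value:
        return False
    if entity_type == "IPSET":
        try:
            ipaddress.ip_network(value, strict=False)  # single IPs and CIDR ranges
            return True
        except ValueError:
            return False
    if entity_type == "DestinationURL":
        parts = urlparse(value)
        return bool(parts.scheme and parts.netloc)
    return True

def list_entries_rows(results, list_name, report_date):
    """Return (rows, note): rows mirror the siemplify_list_entries data table columns,
    note is the text the post-process script would add to the incident (or None)."""
    if not results.get("success"):
        return [], "Siemplify Get {} Entities failed: {}".format(list_name, results.get("reason"))
    rows, skipped = [], []
    for entity in entity_list(results.get("content")):
        value, entity_type = entity.get("entityIdentifier"), entity.get(TYPE_KEYS[list_name])
        if not looks_valid(entity_type, value):
            skipped.append("{!r} ({})".format(value, entity_type))
            continue
        rows.append({"report_date": report_date, "list_name": list_name, "entity": value,
                     "entity_type": entity_type, "environments": ", ".join(entity.get("environments", []))})
    note = "Skipped malformed {} entries: {}".format(list_name, "; ".join(skipped)) if skipped else None
    return rows, note
```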


Function - Siemplify: Remove List Entry

Remove a Blocklist or Custom List entry

screenshot: fn-siemplify-get-blocklist-entities

Inputs:

Name                   | Type   | Required | Example                           | Tooltip
-----------------------|--------|----------|-----------------------------------|----------------------------------
siemplify_entity_id    | number | Yes      | 2                                 | ID within the list
siemplify_entity_list  | text   | Yes      | Block List                        | Name of blocklist or custom list
siemplify_entity_type  | text   | Yes      | IPSET                             | Type of the entity
siemplify_entity_value | text   | Yes      | 192.168.1.19                      | Value of the entity
siemplify_environments | text   | Yes      | Default Environment, Environment2 | Environments

Outputs:

results = {
  'version': 2.0,
  'success': True,
  'reason': None,
  'content': '',
  'raw': None,
  'inputs': {
    'siemplify_entity_id': 9,
    'siemplify_entity_list': "Block List",
    'siemplify_entity_type': "IPSET",
    'siemplify_entity_value': "192.168.1.19",
    'siemplify_environments': "Default Environment, Environment2"
  },
  'metrics': {
    'version': '1.0',
    'package': 'fn-siemplify',
    'package_version': '1.0.0',
    'host': 'localhost',
    'execution_time_ms': 240,
    'timestamp': '2022-01-07 11:23:21'
  }
}

Example Pre-Process Script:

inputs.siemplify_entity_id = row['entity_id']
inputs.siemplify_entity_list  = row['list_name']
inputs.siemplify_entity_value = row['entity']
inputs.siemplify_entity_type = row['entity_type']
inputs.siemplify_environments = row['environments']

Example Post-Process Script:

if results.success:
  incident.addNote("Siemplify Remove {} Entity '{}' successful".format(row['list_name'], row['entity']))
  row['entity'] = "{} (deleted)".format(row['entity'])
else:
  incident.addNote("Siemplify Remove {} Entity '{}' failed: {}".format(row['list_name'], row['entity'], results.reason))


Data Table - Siemplify List Entries

screenshot: dt-siemplify-list-entries

API Name: siemplify_list_entries

Columns:

Column Name          | API Access Name | Type           | Tooltip
---------------------|-----------------|----------------|--------
Report Date          | report_date     | datetimepicker | -
List Name            | list_name       | text           | -
Entity               | entity          | text           | -
Entity Type/Category | entity_type     | text           | -
Environments         | environments    | text           | -


Custom Fields

Label                  | API Access Name        | Type     | Prefix     | Placeholder | Tooltip
-----------------------|------------------------|----------|------------|-------------|--------------------------------------------
Siemplify Assignee     | siemplify_assignee     | text     | properties | -           | Siemplify case assignee
Siemplify Is Important | siemplify_is_important | boolean  | properties | -           | Siemplify IsImportant
Siemplify Case Id      | siemplify_case_id      | number   | properties | -           | Siemplify case id used for synchronization
Siemplify Stage        | siemplify_stage        | text     | properties | -           | Siemplify case stage
Siemplify Priority     | siemplify_priority     | number   | properties | -           | Siemplify case priority
Siemplify Alert Id     | siemplify_alert_id     | text     | properties | -           | Siemplify alert id used for synchronization
Siemplify Case Link    | siemplify_case_link    | textarea | properties | -           | URL link back to Case


Rules

Rule Name                                   | Object     | Workflow Triggered
--------------------------------------------|------------|-----------------------------------------
Siemplify Auto Sync Case                    | incident   | siemplify_sync_case
Siemplify Auto Sync Attachment              | attachment | siemplify_sync_attachment
Siemplify Auto Sync Comment                 | note       | siemplify_sync_comment
Siemplify Sync Artifact                     | artifact   | siemplify_sync_artifact
Siemplify Auto Close Case                   | incident   | siemplify_close_case
Siemplify Sync Comment                      | note       | siemplify_sync_comment
Siemplify Sync Task                         | task       | siemplify_sync_task
Siemplify Auto Sync Artifact                | artifact   | siemplify_sync_artifact
Siemplify Sync Case                         | incident   | siemplify_m_sync_case
Siemplify: Get Blocklist Entities           | incident   | siemplify_get_blocklist_entities
Siemplify: Get Custom List Entities         | incident   | siemplify_get_customlist_entities
Siemplify: Add/Update Entity to Blocklist   | artifact   | siemplify_addupdate_entity_to_blocklist
Siemplify: Add/Update entity to Custom List | artifact   | siemplify_addupdate_entity_to_customlist


Troubleshooting & Support

Refer to the documentation listed in the Requirements section for troubleshooting information.

For Support

This is an IBM Supported App. Please search the Community at ibm.biz/soarcommunity for assistance or open a case at ibm.com/mysupport.

Templates

These templates can be copied and modified to override the existing templates used for several synchronization operations.

Siemplify Create Case Template

Used in the siemplify_create_case_template app.config parameter.

{
  "title": "IBM SOAR - {{ name|e }}",
  "assignedUser": {% if siemplify_assigned_user %} "{{ siemplify_assigned_user }}" {% else %} null {% endif %},
  "reason": "IBM SOAR Incident {{ id }}",
  "priority": "{{ priority | string | resilient_substitute('{"25": "Low", "50":"Medium", "80":"High", "100":"Critical", "DEFAULT": "Medium"}') }}",
  "environment": "{{ siemplify_environment if siemplify_environment else 'Default Environment'}}",
  "isImportant": {{ confirmed | tojson }},
  "alertName": "IBM SOAR Alert {{ id }}",
  "occurenceTime": "{{ discovered_date | resilient_display_datetimeformat(milliseconds=True) }}",
  "slaExpirationDateTime": null,
  "playbooks": {{ siemplify_playbooks | tojson }},
  "tags": {{ siemplify_tags | tojson }}
}
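Before a modified copy of this template goes into app.config, it is worth rendering it once and parsing the output, since a template that emits invalid JSON only fails when the case is created. The following Python is an added example, not the app's code: it renders the Create Case template above with Jinja2 and parses the result. Assumptions: jinja2 is installed, and resilient_substitute and resilient_display_datetimeformat are stand-ins whose behaviour is inferred from how the template uses them (a JSON lookup with a DEFAULT key; epoch milliseconds to UTC text), not taken from resilient-lib.

```python
import json
from datetime import datetime, timezone
from jinja2 import Environment

# Stand-ins for the resilient-lib filters the template uses (assumption: behaviour
# inferred from the template itself, not from the library's implementation).
def resilient_substitute(value, mapping_json):
    mapping = json.loads(mapping_json)
    return mapping.get(str(value), mapping.get("DEFAULT"))

def resilient_display_datetimeformat(value, milliseconds=False):
    seconds = value / 1000.0 if milliseconds else value
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

# The Siemplify Create Case Template from this page, verbatim.
CREATE_CASE_TEMPLATE = """{
  "title": "IBM SOAR - {{ name|e }}",
  "assignedUser": {% if siemplify_assigned_user %} "{{ siemplify_assigned_user }}" {% else %} null {% endif %},
  "reason": "IBM SOAR Incident {{ id }}",
  "priority": "{{ priority | string | resilient_substitute('{"25": "Low", "50":"Medium", "80":"High", "100":"Critical", "DEFAULT": "Medium"}') }}",
  "environment": "{{ siemplify_environment if siemplify_environment else 'Default Environment'}}",
  "isImportant": {{ confirmed | tojson }},
  "alertName": "IBM SOAR Alert {{ id }}",
  "occurenceTime": "{{ discovered_date | resilient_display_datetimeformat(milliseconds=True) }}",
  "slaExpirationDateTime": null,
  "playbooks": {{ siemplify_playbooks | tojson }},
  "tags": {{ siemplify_tags | tojson }}
}"""

def render_create_case(incident, template=CREATE_CASE_TEMPLATE):
    """Render the template for one incident and parse it, so a template that produces
    invalid JSON fails here instead of at the Siemplify API."""
    env = Environment()
    env.filters["resilient_substitute"] = resilient_substitute
    env.filters["resilient_display_datetimeformat"] = resilient_display_datetimeformat
    return json.loads(env.from_string(template).render(**incident))

# Constructed incident; the name carries double quotes to show what |e does to them.
SAMPLE_INCIDENT = {"name": 'Phish "urgent"', "id": 2341, "priority": 80, "confirmed": True,
                   "discovered_date": 1641554491000, "siemplify_assigned_user": None,
                   "siemplify_environment": None, "siemplify_playbooks": [], "siemplify_tags": ["soar"]}
```

The same harness can be pointed at the update and close templates; values interpolated there without |e or tojson (for example description in the update template) reach the output unescaped, so a value containing a double quote leaves the result unparseable.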

SOAR Close Case Template

Used in the soar_close_case_template app.config parameter.

{
  {# JINJA template for closing the SOAR incident when its linked Siemplify case is closed. #}
  "plan_status": "C",
  "resolution_id": "Resolved",
  "resolution_summary": "Closed from Siemplify. Root Cause: {{ rootCause }}. Reason: {{ closeReason }}."
  {# additional fields may be needed. Add as necessary #}
  {# "properties": { } #}
}

SOAR Update Case Template

Used in the soar_update_case_template app.config parameter.

{
  {% if description %}
    "description": "{{ description }}",
  {% endif %}
  "properties": {
    {% if tags %}
      "siemplify_tags": "{{ tags|map(attribute='tag')|list|join(', ') }}",
    {% endif %}
    "siemplify_assignee": "{{ assignedUserName }}",
    "siemplify_stage": "{{ stage }}",
    "siemplify_is_important": {{ isImportant|tojson }},
    "siemplify_priority": "{{ priority | string | resilient_substitute('{"25": "Low", "50":"Medium", "80":"High", "100":"Critical", "DEFAULT": "Medium"}') }}"
  }
}

Artifact Type Lookup

Used in the artifact_type_lookup app.config parameter.

{
    "DEFAULT": "GENERICENTITY",
    "Port": "ADDRESS",
    "MAC Address": "MacAddress",
    "Process Name": "PROCESS",
    "Service": "PROCESS",
    "File Name": "FILENAME",
    "File Path": "FILENAME",
    "Malware MD5 Hash": "FILEHASH",
    "Malware SHA-1 Hash": "FILEHASH",
    "Malware SHA-256 Hash": "FILEHASH",
    "Malware Sample Fuzzy Hash": "FILEHASH",
    "URI PATH": "DestinationURL",
    "URL": "DestinationURL",
    "URL Referer": "DestinationURL",
    "Email Subject": "EMAILSUBJECT",
    "Threat CVE ID": "CVEID",
    "String": "GENERICENTITY",
    "DNS Name": "DESTINATIONDOMAIN",
    "IP Address": "IPSET",
    "User Agent": "USERUNIQNAME",
    "User Account": "USERUNIQNAME",
    "Registry Key": "GENERICENTITY",
    "Password" : "GENERICENTITY",
    "Observed Data": "GENERICENTITY",
    "Network CIDR Range": "IPSET",
    "Mutex": "THREATSIGNATURE",
    "Malware Family/Variant": "GENERICENTITY",
    "HTTP Response Header": "GENERICENTITY",
    "HTTP Request Header": "GENERICENTITY",
    "Email Sender Name": "USERUNIQNAME",
    "Email Sender": "USERUNIQNAME",
    "Email Recipient": "USERUNIQNAME",
    "Email Body": "GENERICENTITY",
    "Email Attachment Name": "FILENAME",
    "Email Attachment": null,
    "Log File": null,
    "Malware Sample": null,
    "Other File": null,
    "RFC 822 Email Message File": null,
    "X509 Certificate File": null
}