Skip to content

mishalp-crest/splunk-soar-digitalshadows

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Digital Shadows

Publisher: Digital Shadows Ltd.
Connector Version: 2.0.1
Product Vendor: Digital Shadows
Product Name: Digital Shadows SearchLight
Product Version Supported (regex): ".*"
Minimum Product Version: 4.9.39220

The Digital Shadows SearchLight App allows users to create flexible and dynamic playbooks that fully harness the capabilities provided by the Digital Shadows SearchLight API

Configuration Variables

The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Digital Shadows SearchLight asset in SOAR.

VARIABLE REQUIRED TYPE DESCRIPTION
ds_api_key required string The account key of the Digital Shadows portal that is used to configure this app
ds_api_secret_key required password A secured key that is linked with the API key used to configure this app
private_incident optional boolean A private incident is an event that could lead to loss of, or disruption to, an organization's operations, services, or functions
global_incident optional boolean A global incident is a type of event that can remotely lead to the loss of an organization's resources
history_days_interval required string Historical days for which data needs to be polled by the application. Example input: 10 (for last 10 days data)
inc_typ_data_leakage optional boolean The severity of Data Leakage incident is based on the observation that sensitive client systems information, with credentials, is publicly available
inc_typ_brand_protection optional boolean Brand Protection is a type of incident in which attackers impersonate domains, social accounts, people, and mobile applications
inc_typ_infrastructure optional boolean Infrastructure incident occurs when an internal network protocol is exposed to the internet
inc_typ_physical_security optional boolean Physical Security incident occurs when the certificate of a domain has security issues
inc_typ_social_media_compliance optional boolean Social Media Compliance incident consists of exploiting secured information such as passwords on social media
inc_typ_cyber_threat optional boolean Cyber Threat incident usually consists of a company's account information to be sold and accessed by unauthorized personnel

Supported Actions

test connectivity - Validate connection to the Digital Shadows API
on poll - Callback action for the 'on_poll' ingest functionality
search all records - Search across all Digital Shadow's entities including incidents, threat profiles, and our closed data stores
get incident - Retrieve a single incident and its details, identified by its unique integer identifier
search incidents - Search incidents based on filters. The On Poll action also uses this endpoint to collect incidents for a given time range/interval
get incident review - Retrieve the history of all review submissions for a given incident, ordered by submission time with the most recent submission first
post incident review - Post a status update to the incident along with a note
search intelligence incidents - Meant to be a simple way to search Intelligence Incidents based on time range and incident types if needed
get intelligence incident - Retrieve a single intelligence incident and its details, identified by its unique integer identifier
get intelligenceincident ioc - Retrieve the indicators of compromise associated with an intelligence incident
search data breaches - Search across all data breaches that are relevant to your organization
get data breach - Retrieve a single data breach and its details, identified by its unique integer identifier. The records associated with the breach must be retrieved using a separate operation
search databreach records - Search data breach records across all data breaches. This operation also includes basic information about the data breach the record occurred within
get databreach records - Retrieve breach records (credentials) for a specific breach
get breachrecord byuser - This action allows you to search breach records based on the domain, review status, or full/partial strings from the username
get breachrecord review - Retrieve the list of review status updates for a given data breach record
post breachrecord review - Update an individual breach record's notes or status using this action

action: 'test connectivity'

Validate connection to the Digital Shadows API

Type: test
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'on poll'

Callback action for the 'on_poll' ingest functionality

Type: ingest
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
start_time optional Start of the polling time range for which the app will fetch all the events after this time. It should be in epoch time (milliseconds). Example - 1611587778000 numeric
end_time optional End of the polling time range for which the app will fetch all the events before this time. It should be in epoch time (milliseconds). Example - 1611587778000 numeric

Action Output

No Output

action: 'search all records'

Search across all Digital Shadow's entities including incidents, threat profiles, and our closed data stores

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
date_range required Date Range. Example input: P30D(for Past 30 Days) string digital shadows date range
query required Search string string

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.date_range string digital shadows date range
action_result.parameter.query string
action_result.data string
action_result.summary.entity_count string
action_result.summary.entity_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'get incident'

Retrieve a single incident and its details, identified by its unique integer identifier

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
incident_id required Digital Shadows Incident ID numeric digital shadows incident id

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.incident_id numeric digital shadows incident id
action_result.data string
action_result.summary.incident_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'search incidents'

Search incidents based on filters. The On Poll action also uses this endpoint to collect incidents for a given time range/interval

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
date_range required Incident Date Range. Example input: P30D(for Past 30 Days) string digital shadows date range
incident_types optional Incident Types string

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.date_range string digital shadows date range
action_result.parameter.incident_types string
action_result.data string
action_result.summary.incident_count string
action_result.summary.incident_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'get incident review'

Retrieve the history of all review submissions for a given incident, ordered by submission time with the most recent submission first

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
incident_id required Digital Shadows Incident ID numeric digital shadows incident id

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.incident_id numeric digital shadows incident id
action_result.data string
action_result.summary.incident_reviews_count numeric
action_result.summary.incident_reviews_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'post incident review'

Post a status update to the incident along with a note

Type: generic
Read only: False

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
incident_id required Incident ID numeric digital shadows incident id
review_note required Incident Review Note string
review_status required Incident Review Status string

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.incident_id numeric digital shadows incident id
action_result.parameter.review_note string
action_result.parameter.review_status string
action_result.data string
action_result.summary.incident_reviews_message boolean
action_result.summary.incident_reviews_status_code string
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'search intelligence incidents'

Meant to be a simple way to search Intelligence Incidents based on time range and incident types if needed

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
date_range required Intelligence Incident Date Range. Example input: P30D(for Past 30 Days) string digital shadows date range
incident_types optional Incident Types string

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.date_range string digital shadows date range
action_result.parameter.incident_types string
action_result.data string
action_result.summary.intelligence_incident_count string
action_result.summary.intelligence_incident_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'get intelligence incident'

Retrieve a single intelligence incident and its details, identified by its unique integer identifier

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
intel_incident_id required Digital Shadows Intelligence Incident ID numeric digital shadows intelligence incident id

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.intel_incident_id numeric digital shadows intelligence incident id
action_result.data string
action_result.summary.intelligence_incident_count string
action_result.summary.intelligence_incident_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'get intelligenceincident ioc'

Retrieve the indicators of compromise associated with an intelligence incident

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
intel_incident_id required Digital Shadows Intelligence Incident IoCs ID numeric digital shadows intelligence incident id
types optional Types string

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.intel_incident_id numeric digital shadows intelligence incident id
action_result.parameter.types string
action_result.data string
action_result.summary.intelligence_incident_ioc_count string
action_result.summary.intelligence_incident_ioc_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'search data breaches'

Search across all data breaches that are relevant to your organization

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
date_range required Data Breach Date Range. Example input: P30D(for Past 30 Days) string digital shadows date range
reposted_credentials optional Data Breach reposted Credentials string
severities optional Severities string
statuses optional Statuses string
user_name optional Username (use '*' for wildcard matching) string

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.date_range string digital shadows date range
action_result.parameter.reposted_credentials string
action_result.parameter.severities string
action_result.parameter.statuses string
action_result.parameter.user_name string
action_result.data string
action_result.summary.data_breach_count string
action_result.summary.data_breach_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'get data breach'

Retrieve a single data breach and its details, identified by its unique integer identifier. The records associated with the breach must be retrieved using a separate operation

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
breach_id required Data Breach ID numeric digital shadows breach id

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.breach_id numeric digital shadows breach id
action_result.data string
action_result.summary.data_breach_count string
action_result.summary.data_breach_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'search databreach records'

Search data breach records across all data breaches. This operation also includes basic information about the data breach the record occurred within

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
date_range required Data Breach record Date Range. Example input: P30D(for Past 30 Days) string digital shadows date range
domain_names optional Data Breach record domain names (comma separated). Example input: 'xyz.com, abc.org' string
review_statuses optional Review Statuses string
distinction optional Distinction string
user_name optional Username (use '*' for wildcard matching) string
password optional Password (use '*' for wildcard matching) string

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.date_range string digital shadows date range
action_result.parameter.distinction string
action_result.parameter.domain_names string
action_result.parameter.password string
action_result.parameter.review_statuses string
action_result.parameter.user_name string
action_result.data string
action_result.summary.data_breach_record_count string
action_result.summary.data_breach_record_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'get databreach records'

Retrieve breach records (credentials) for a specific breach

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
breach_id required Data Breach ID numeric digital shadows breach id

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.breach_id numeric digital shadows breach id
action_result.data string
action_result.summary.data_breach_record_count string
action_result.summary.data_breach_record_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'get breachrecord byuser'

This action allows you to search breach records based on the domain, review status, or full/partial strings from the username

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
user_name required Username (use '*' for wildcard matching) string
domain_names optional Domain Names (comma separated) string
published_date_range optional Published Date Range. Example input: P30D(for Past 30 Days) string
review_statuses optional Review Statuses (comma separated). Example: open, read, closed string

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.domain_names string
action_result.parameter.published_date_range string
action_result.parameter.review_statuses string
action_result.parameter.user_name string
action_result.data string
action_result.summary.data_breach_record_count string
action_result.summary.data_breach_record_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'get breachrecord review'

Retrieve the list of review status updates for a given data breach record

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
breach_record_id required Digital Shadows Breach Record ID numeric

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.breach_record_id numeric
action_result.data string
action_result.summary.breach_record_reviews_count numeric
action_result.summary.breach_record_reviews_found boolean
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'post breachrecord review'

Update an individual breach record's notes or status using this action

Type: generic
Read only: False

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
breach_record_id required Data Breach Record ID numeric
review_note required Update an individual breach record's notes using this action string
review_status required Update an individual breach record's status using this action string

Action Output

DATA PATH TYPE CONTAINS
action_result.parameter.breach_record_id numeric
action_result.parameter.review_note string
action_result.parameter.review_status string
action_result.data string
action_result.summary.breach_record_reviews_message boolean
action_result.summary.breach_record_reviews_status_code string
action_result.status string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

About

Connector for Splunk SOAR, previously Phantom Cyber

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 99.7%
  • HTML 0.3%