ajburnell/canary

Canary for SOAR

Publisher: Splunk Community
Connector Version: 2.0.0
Product Vendor: ThinkST
Product Name: Canary
Product Version Supported (regex): ".*"
Minimum Product Version: 5.1.0

This app supports ingestion, investigative and containment actions against the Thinkst Canary console API.

Configuration Variables

The configuration variables below are required for this connector to operate. They are specified when configuring a Canary asset in SOAR.

| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| domain | required | string | The console subdomain, i.e. the `domain` part of `https://<domain>.canary.tools` |
| api_key | required | password | API key from the Canary console. It authenticates every request the app makes, so treat it as a credential: keep it in this password-typed asset field rather than in playbook code or logs. |

Supported Actions

test connectivity - Validate the asset configuration for connectivity using supplied configuration
on poll - Ingest unacknowledged incidents from Canary
update incident - Acknowledge existing Canary incident
add ip ignorelist - Add new IP to Canary global Ignore List
remove ip ignorelist - Remove IP from Canary global Ignore List
test ip ignorelist - Test if IP has been globally ignored
list incidents - Get the list of existing Canary Incidents

action: 'test connectivity'

Validate the asset configuration for connectivity using supplied configuration

Type: test
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'on poll'

Ingest unacknowledged incidents from Canary. Incident events carry attacker-supplied data (USERNAME, PASSWORD, USERAGENT, PATH); a PASSWORD value may be a real credential if a legitimate user touched a Canary by mistake, so handle ingested artifacts accordingly.

Type: ingest
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'update incident'

Acknowledge existing Canary incident

Type: generic
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| incident | required | The incident key of an existing incident | string | |
| incident_state | required | Acknowledgement state to set on the incident | string | |

Action Output

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.incident | string | |
| action_result.parameter.incident_state | string | |
| action_result.data | string | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |

action: 'add ip ignorelist'

Add new IP to Canary global Ignore List

Type: contain
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| ip_address | required | IP address to add to the global Ignore List | string | ip |

Action Output

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.data.\* | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
| action_result.summary | string | |
| action_result.parameter.ip_address | string | ip |

action: 'remove ip ignorelist'

Remove IP from Canary global Ignore List

Type: contain
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| ip_address | required | IP address to remove from the global Ignore List | string | ip |

Action Output

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.data.\* | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
| action_result.summary | string | |
| action_result.parameter.ip_address | string | ip |

action: 'test ip ignorelist'

Test if IP has been globally ignored

Type: investigate
Read only: True

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| ip_address | required | IP address to test against the global Ignore List | string | ip |

Action Output

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.data.\* | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
| action_result.summary | string | |
| action_result.parameter.ip_address | string | ip |
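The three Ignore List actions share one operational caveat: 'add ip ignorelist' is global, so an ignored source stops raising alerts on every Canary, not just the one that fired. A playbook should therefore gate the 'contain' action behind 'test ip ignorelist' and an explicit allow-policy rather than feeding an incident's src_host straight into it. The following is an added example of such a gate (our code, not part of the ajburnell/canary app); the scanner ranges are constructed, the decision rules are assumptions, and `currently_ignored` stands in for the per-IP results that 'test ip ignorelist' would return:

```python
"""Gate for the 'add ip ignorelist' action.

Added example, not code from the ajburnell/canary app. KNOWN_SCANNER_NETWORKS
is constructed, the decision rules are assumptions, and `currently_ignored`
stands in for the results of 'test ip ignorelist'.
"""
import ipaddress

# Constructed: address ranges of authorised vulnerability scanners (assumption).
KNOWN_SCANNER_NETWORKS = [ipaddress.ip_network(n) for n in ("10.50.0.0/24", "192.0.2.0/28")]


def check_candidate(candidate, currently_ignored, known_scanners=KNOWN_SCANNER_NETWORKS):
    """Return (ok, reason) for one proposed ip_address parameter."""
    try:
        ip = ipaddress.ip_address(str(candidate).strip())
    except ValueError:
        # A CIDR block or hostname would widen the blind spot; route it to a human.
        return False, "not a single IP address: %r" % (candidate,)
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast or ip.is_link_local:
        return False, "%s is not a routable source" % ip
    if str(ip) in currently_ignored:
        return False, "%s is already on the global Ignore List" % ip
    if not any(ip in net for net in known_scanners):
        return False, "%s is not a known scanner; ignoring it would blind every Canary" % ip
    return True, "%s belongs to a known scanner range" % ip


def plan_ignorelist(candidates, currently_ignored, known_scanners=KNOWN_SCANNER_NETWORKS):
    """Split candidates into normalised IPs safe to add and (candidate, reason) skips."""
    plan = {"add": [], "skip": []}
    for cand in candidates:
        ok, reason = check_candidate(cand, currently_ignored, known_scanners)
        if not ok:
            plan["skip"].append((cand, reason))
            continue
        ip = str(ipaddress.ip_address(str(cand).strip()))  # canonical form, de-duplicated
        if ip not in plan["add"]:
            plan["add"].append(ip)
    return plan
```

Only the entries in `plan["add"]` should reach 'add ip ignorelist'; the skip reasons can go into the container notes so an analyst sees why a proposed suppression was refused.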

action: 'list incidents'

Get the list of existing Canary Incidents

Type: investigate
Read only: True

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| incident_state | required | Acknowledgement state of the incidents to list | string | |

Action Output

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.incident_state | string | |
| action_result.data.\*.devices.\*.description.acknowledged | string | |
| action_result.data.\*.devices.\*.description.created | string | |
| action_result.data.\*.devices.\*.description.created_std | string | |
| action_result.data.\*.devices.\*.description.description | string | |
| action_result.data.\*.devices.\*.description.dst_host | string | ip |
| action_result.data.\*.devices.\*.description.dst_port | string | |
| action_result.data.\*.devices.\*.description.events.\*.HOSTNAME | string | ip, host name |
| action_result.data.\*.devices.\*.description.events.\*.PASSWORD | string | |
| action_result.data.\*.devices.\*.description.events.\*.PATH | string | |
| action_result.data.\*.devices.\*.description.events.\*.SETTINGS | string | |
| action_result.data.\*.devices.\*.description.events.\*.SKIN | string | |
| action_result.data.\*.devices.\*.description.events.\*.USERAGENT | string | |
| action_result.data.\*.devices.\*.description.events.\*.USERNAME | string | user name |
| action_result.data.\*.devices.\*.description.events.\*.timestamp | numeric | |
| action_result.data.\*.devices.\*.description.events.\*.timestamp_std | string | |
| action_result.data.\*.devices.\*.description.events_count | string | |
| action_result.data.\*.devices.\*.description.ip_address | string | |
| action_result.data.\*.devices.\*.description.ippers | string | |
| action_result.data.\*.devices.\*.description.local_time | string | |
| action_result.data.\*.devices.\*.description.logtype | string | |
| action_result.data.\*.devices.\*.description.mac_address | string | |
| action_result.data.\*.devices.\*.description.name | string | |
| action_result.data.\*.devices.\*.description.node_id | string | |
| action_result.data.\*.devices.\*.description.notified | string | |
| action_result.data.\*.devices.\*.description.src_host | string | ip |
| action_result.data.\*.devices.\*.description.src_host_reverse | string | |
| action_result.data.\*.devices.\*.description.src_port | string | |
| action_result.data.\*.devices.\*.id | string | |
| action_result.data.\*.devices.\*.summary | string | |
| action_result.data.\*.devices.\*.updated | string | |
| action_result.data.\*.devices.\*.updated_id | numeric | |
| action_result.data.\*.devices.\*.updated_std | string | |
| action_result.data.\*.feed | string | |
| action_result.data.\*.incidents.\*.description.acknowledged | string | |
| action_result.data.\*.incidents.\*.description.created | string | |
| action_result.data.\*.incidents.\*.description.created_std | string | |
| action_result.data.\*.incidents.\*.description.description | string | |
| action_result.data.\*.incidents.\*.description.dst_host | string | ip |
| action_result.data.\*.incidents.\*.description.dst_port | string | |
| action_result.data.\*.incidents.\*.description.events.\*.HOSTNAME | string | ip, host name |
| action_result.data.\*.incidents.\*.description.events.\*.PASSWORD | string | |
| action_result.data.\*.incidents.\*.description.events.\*.PATH | string | |
| action_result.data.\*.incidents.\*.description.events.\*.SETTINGS | string | |
| action_result.data.\*.incidents.\*.description.events.\*.SKIN | string | |
| action_result.data.\*.incidents.\*.description.events.\*.USERAGENT | string | |
| action_result.data.\*.incidents.\*.description.events.\*.USERNAME | string | user name |
| action_result.data.\*.incidents.\*.description.events.\*.timestamp | numeric | |
| action_result.data.\*.incidents.\*.description.events.\*.timestamp_std | string | |
| action_result.data.\*.incidents.\*.description.events_count | string | |
| action_result.data.\*.incidents.\*.description.ip_address | string | |
| action_result.data.\*.incidents.\*.description.ippers | string | |
| action_result.data.\*.incidents.\*.description.local_time | string | |
| action_result.data.\*.incidents.\*.description.logtype | string | |
| action_result.data.\*.incidents.\*.description.mac_address | string | |
| action_result.data.\*.incidents.\*.description.name | string | |
| action_result.data.\*.incidents.\*.description.node_id | string | |
| action_result.data.\*.incidents.\*.description.notified | string | |
| action_result.data.\*.incidents.\*.description.src_host | string | ip |
| action_result.data.\*.incidents.\*.description.src_host_reverse | string | |
| action_result.data.\*.incidents.\*.description.src_port | string | |
| action_result.data.\*.incidents.\*.id | string | |
| action_result.data.\*.incidents.\*.summary | string | |
| action_result.data.\*.incidents.\*.updated | string | |
| action_result.data.\*.incidents.\*.updated_id | numeric | |
| action_result.data.\*.incidents.\*.updated_std | string | |
| action_result.data.\*.max_updated_id | numeric | |
| action_result.data.\*.result | string | |
| action_result.data.\*.updated | string | |
| action_result.data.\*.updated_std | string | |
| action_result.data.\*.updated_timestamp | numeric | |
| action_result.summary.count | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
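The 'list incidents' output is the same shape that 'on poll' has to work through, and two of its fields matter for doing that safely: `max_updated_id` / `incidents.*.updated_id` give a monotonic high-water mark to checkpoint against so a poll never re-ingests the same incident, and `events.*.PASSWORD` holds attacker-typed secrets that should not be copied verbatim into SOAR artifacts. The block below is an added example of checkpointed ingestion over a response shaped like this table; it is our code, not the app's. The sample response is constructed, and the container/artifact layout, the severity rule and the redaction marker are assumptions about what a playbook would hand to SOAR:

```python
"""Checkpointed handling of 'list incidents' / 'on poll' output.

Added example, not code from the ajburnell/canary app. SAMPLE_RESPONSE is
constructed to follow the documented action_result.data paths; the
container/artifact layout, severity rule and redaction format are assumptions.
"""

# Constructed sample: one response carrying two unacknowledged incidents.
SAMPLE_RESPONSE = {
    "result": "success",
    "max_updated_id": 42,
    "incidents": [
        {
            "id": "incident:sshlogin:sample-001",
            "summary": "SSH Login Attempt",
            "updated_id": 41,
            "description": {
                "acknowledged": "False", "name": "SSH Login Attempt",
                "src_host": "10.0.0.23", "src_port": "51422",
                "dst_host": "10.0.0.5", "dst_port": "22",
                "events": [
                    {"USERNAME": "root", "PASSWORD": "hunter2", "timestamp": 1646128680},
                    {"USERNAME": "admin", "PASSWORD": "admin", "timestamp": 1646128681},
                ],
            },
        },
        {
            "id": "incident:httplogin:sample-002",
            "summary": "HTTP Login Attempt",
            "updated_id": 42,
            "description": {
                "acknowledged": "False", "name": "HTTP Login Attempt",
                "src_host": "10.0.0.23", "src_port": "51470",
                "dst_host": "10.0.0.5", "dst_port": "80",
                "events": [
                    {"USERNAME": "admin", "PASSWORD": "Welcome1", "PATH": "/login",
                     "USERAGENT": "curl/7.79.1", "timestamp": 1646128770},
                ],
            },
        },
    ],
}

# Event fields holding attacker-supplied secrets (may be real credentials).
SENSITIVE_EVENT_KEYS = ("PASSWORD",)


def new_incidents(response, checkpoint):
    """Incidents whose updated_id is above the stored checkpoint, oldest first."""
    fresh = [inc for inc in response.get("incidents", [])
             if int(inc.get("updated_id", 0)) > checkpoint]
    return sorted(fresh, key=lambda inc: int(inc["updated_id"]))


def next_checkpoint(response, checkpoint):
    """Advance the checkpoint from max_updated_id; never move it backwards."""
    value = response.get("max_updated_id")
    if value is None:  # fall back to the highest updated_id in this response
        ids = [int(inc.get("updated_id", 0)) for inc in response.get("incidents", [])]
        value = max(ids, default=checkpoint)
    return max(checkpoint, int(value))


def redact_event(event):
    """Copy of an event with secret fields replaced by a length marker."""
    out = dict(event)
    for key in SENSITIVE_EVENT_KEYS:
        if out.get(key):
            out[key] = "<redacted len=%d>" % len(str(out[key]))
    return out


def to_container(incident):
    """Map one Canary incident to a SOAR-style container, one artifact per event."""
    desc = incident["description"]
    events = [redact_event(ev) for ev in desc.get("events", [])]
    artifacts = [{
        "name": "canary event",
        "cef": {
            "sourceAddress": desc.get("src_host"), "sourcePort": desc.get("src_port"),
            "destinationAddress": desc.get("dst_host"), "destinationPort": desc.get("dst_port"),
            "suser": ev.get("USERNAME"), "requestURL": ev.get("PATH"),
            "requestClientApplication": ev.get("USERAGENT"),
        },
        "data": ev,
    } for ev in events]
    # Assumption: a credential attempt rates "high", any other trigger "medium".
    severity = "high" if any(ev.get("USERNAME") for ev in events) else "medium"
    return {
        "name": "%s from %s" % (desc.get("name", incident.get("summary")), desc.get("src_host")),
        "source_data_identifier": incident["id"],
        "severity": severity,
        "artifacts": artifacts,
    }


def poll(response, checkpoint):
    """One polling cycle: (containers for new incidents, checkpoint to store)."""
    containers = [to_container(inc) for inc in new_incidents(response, checkpoint)]
    return containers, next_checkpoint(response, checkpoint)
```

Persist the returned checkpoint in the asset state between polls; a second poll with the same response and the stored checkpoint yields no containers, which is the property that keeps the ingest idempotent when the console still reports the incidents as unacknowledged.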

Languages

  • Python 100.0%