Fortinet Document Library

Version:


Table of Contents

Micro Focus Interset

1.0.0
Copy Link

About the connector

Interset is a powerful investigation and hunting interface. It detects threats before data is stolen using security analytics and machine learning to generate prioritized threat leads for SOC efficiency.

This document provides information about the Micro Focus Interset connector, which facilitates automated interactions, with a server using FortiSOAR™ playbooks. Add the Micro Focus Interset connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about the current session or creating a new tag for the specified tenant in Interset.

Version information

Connector Version: 1.0.0

FortiSOAR™ versions Tested on: 5.1.3-30 and 6.0.0-790

Authored By: Fortinet

Certified: Yes

Data Ingestion Support

You can use the "Data Ingestion Wizard" to easily ingest Interset data, i.e., alerts, aggregates, or anomalies, into FortiSOAR™ . To The following playbooks have been added for data ingestion:

  • > Interset > Fetch
  • Interset > Ingest
  • >> Interset > Init Macros

Important: While configuring data ingestion in FortiSOAR™ Version 5.1.1, picklists do not map correctly. For example the Severity picklist. To ensure that picklists map correctly, enter the following (considering the severity picklist) in the picklist field:
{{vars.item.incident_data.attributes.eventSeverityCat | resolveRange(vars.alerts_severity_map)}}
This issue has been resolved in FortiSOAR™ Version 6.0.0.

For more information on the Data Ingestion Wizard, see the "Connectors Guide" in FortiSOAR™ product documentation.

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-micro-focus-interset

Prerequisites to configuring the connector

  • You must have the IP address or FQDN of the Interset server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™ , on the Connectors page, click the Micro Focus Interset connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server Address IP address or FQDN of the Interset server to which you will connect and perform the automated operations.
Username Username to access the interset server to which you will connect and perform the automated operations.
Password Password to access the interset server to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function Description Annotation and Category
Get Session Retrieves information about the current session from Interset. get_session_info
Investigation
Get Raw Events Retrieves raw events, in the CSV or JSON format, from Interset based on the tenant ID and other input parameters you have specified. get_raw_events
Investigation
Get Rules Retrieves JSON representations of all workflows for the specified tenant from Interset based on the tenant ID you have specified. get_workflows
Investigation
Delete Rule Deletes all workflows for the specified tenant from Interset based on the tenant ID you have specified.
Warning: This operation deletes all the existing workflows for the specified tenant. Use with caution.
delete_rule
Investigation
Get Authentication Attempts Provides an overview of the number of successful and failed authentication attempts made against servers based on the tenant ID and other input parameters you have specified. get_authentication_attempts
Investigation
Get Context Retrieves the context and statistics for the specified anomaly, alert, or, aggregate from Interset based on the tenant ID, rollup level, and rollup ID you have specified. get_context
Investigation
Get Entities Retrieves entities from Interset based on the entity type, tenant ID and other input parameters you have specified. The entities are sorted by entityName. get_entities
Investigation
Get Entity Details Retrieves the entity's name, type, bot score, tags and clusters entities from Interset based on the entity hash and tenant ID you have specified get_entity_details
Investigation
Get Associated Entities Retrieves two sets of top entities associated with the specified entity: one sorted by entity risk scores and the other sorted by accesses to or from that entity from interset based on the tenant ID, entity hash and other input parameters you have specified.
Note: An entity is considered to be associated with another if they occur together in the same anomaly at least once within the selected time window.
get_associated_entities
Investigation
Get Entity Risk Graph Retrieves a timeline of an entity's risk scores for a given time range from Interset based on the tenant ID, entity hash and other input parameters you have specified.
Note: The risk returned in each time bucket represents the maximum risk for that entity within that bucket's time range.
get_entity_risk_graph
Investigation
Get Bot Users Retrieves bot users sorted by the descending bot score from Interset based on the tenant ID and sort order you have specified.
Note: Sort order is applied to the bot score.
get_bot_users
Investigation
Get Entity Risk Score Retrieves the current risk score for the specified entity for the specified time range from Interset based on the tenant ID, entity hash and other input parameters you have specified. get_entity_risk_score
Investigation
Get Entity Risk Distribution Provides an overview of how many entities of the specified type are associated with each risk level at the most current time in the dataset based on the tenant ID and other input parameters you have specified. get_entity_risk_distribution
Investigation
Get Top Accessed Entities Retrieves a list of entities, ordered by the number of times they were accessed from Interset based on the tenant ID, entity hash, and other input parameters you have specified. get_top_accessed_entities_by_entitytype
Investigation
Get Top Risky Entities Retrieves a list of the top riskiest entities by type from Interset based on the tenant ID, entity type, and other input parameters you have specified. get_top_risky_entities_by_entitytype
Investigation
Get Anomalies/Alerts/Aggregates Retrieves anomalies, alerts, or aggregates for the specified rollup and tenant from Interset based on the tenant ID, rollup level, rollup ID, and other input parameters you have specified. get_anomalies_alerts_aggregates
Investigation
Search Users Searches for users on Interset based on the tenant ID, specified query, and other input parameters you have specified. search_users
Investigation
Get Working Hours Retrieves an array of expected activity for the specified user or organization for each half hour of the day from Interset based on the tenant ID, time span and other input parameters you have specified.
The minute represents the beginning of the half-hour period, and the expected value represents the level of activity expected for that half-hour period. The expected values form a histogram and are not normalized to a particular scale.
get_working_hours
Investigation
Create Tag Creates a new tag for the specified tenant in Interset based on the tenant ID and tag you have specified. create_tag
Investigation
Get Tags Retrieves all tags for the specified tenant from Interset based on the tenant ID and other input parameters you have specified.
Tags can be configured either by a user through the UI, or by Analytics. The payload specifies the source of the tag.
get_tags
Investigation
Delete Tag Deletes the specified tag from the specified tenant based on the tenant ID and tag name you have specified. delete_tag
Investigation
Get Entities By Tags Retrieves entities that match the specified tags from Interset based on the tenant ID, entity type, and other input parameters you have specified. get_entities_by_tags
Investigation
Add Tag To Elements Adds a tag to a list of elements of the same type in Interset based on the tenant ID, tag name, element type and other input parameters you have specified. add_tag_to_elements
Investigation
Remove Tag From Elements Deletes a tag from a list of elements of the same type from Interset based on the tenant ID, tag name, element type and other input parameters you have specified. remove_tag_from_elements
Investigation
Get Anomaly Weights Retrieves weights for all configured anomalies based on the tenant ID or for specific anomalies based on the tenant ID, DID and anomaly type you have specified. get_anomaly_weights
Investigation
Set Anomaly Weight Sets the weight of an anomaly that is associated with the tenant, DID, and anomaly type you have specified. set_anomaly_weight
Investigation

operation: Get Session

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "extendedApis": {},
     "accessToken": "",
     "persistentSessions": "",
     "userDisplayName": "",
     "analyticsTuningAvailable": "",
     "roles": [
         {
             "hasSensorProxy": "",
             "tenantName": "",
             "features": [],
             "tenantId": "",
             "role": "",
             "userId": ""
         }
     ],
     "userId": ""
}

operation: Get Raw Events

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated raw events you want to retrieve from Interset.
Query (Optional) Kibana-type query using which you want to retrieve raw events from Interset.
For example, (user:("camilla")) AND (project:("csrv/rel3/Auditor"))
Category (Optional) Category, such as VPN, Endpoint, etc, of the raw event whose details you want to retrieve from Interset.
Count (Optional) Maximum number of raw events that this operation should return.
Time Zone (Optional) Timezone in which you want the results to be returned.
For example, +5:00, America/Montreal, EST
Start Time (Optional) Start time from when you want to retrieve raw events from Interset. If no value is provided, then the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve raw events from Interset. If no value is provided, then the end time of the dataset is used.
Response Format (Optional) Format in which you want this operation to return the response. You can choose between are CSV or JSON.

Output

The output contains a non-dictionary value.

operation: Get Rules

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated workflow information you want to retrieve from Interset.

Output

The output contains the following populated JSON schema:
{
     "whereType": {
         "display": "",
         "name": ""
     },
     "modDate": "",
     "behavior": {
         "display": "",
         "icon": "",
         "name": ""
     },
     "risk": {
         "operator": {
             "display": "",
             "name": ""
         },
         "value": "",
         "property": {
             "display": "",
             "type": "",
             "name": ""
         },
         "conjunction": {
             "display": "",
             "name": ""
         }
     },
     "source": {
         "icon": "",
         "display": "",
         "name": ""
     },
     "uuid": "",
     "actions": [
         {
             "content": {
                 "severity": ""
             },
             "property": {
                 "icon": "",
                 "display": "",
                 "name": ""
             }
         }
     ],
     "drl": "",
     "name": "",
     "validConfig": "",
     "conditions": [],
     "user": {
         "property": {
             "display": "",
             "type": "",
             "name": ""
         }
     },
     "active": "",
     "creationDate": "",
     "trigger": {
         "entity": "",
         "properties": [
             {
                 "display": "",
                 "type": "",
                 "name": ""
             }
         ],
         "display": "",
         "name": "",
         "icon": ""
     },
     "debug": ""
}

operation: Delete Rule

Input parameters

Parameter Description
Tenant ID ID of the tenant whose workflows you want to delete from Interset.

Output

The output contains the following populated JSON schema:
{
     "result": [],
     "message": ""
}

operation: Get Authentication Attempts

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated authentication attempts you want to retrieve from Interset.
Query (Optional) Query using which you want to retrieve authentication attempts information from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Start Time (Optional) Start time from when you want to retrieve authentication attempts information from Interset. If no value is provided, then the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve authentication attempts information from Interset. If no value is provided, then the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "succeeded": "",
         "failed": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Context

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated anomaly's context and statistics you want to retrieve from Interset.
Rollup Level Level at which anomalies are combined. Aggregates combine similar alerts within the same time period across entities. Alerts combine similar anomalies within the same time period for a single entity. You can choose between Anomalies, Aggregates, or Alerts.
Rollup ID ID of the aggregate, alert, or anomaly whose context and statistics you want to retrieve from Interset.

Output

The output contains the following populated JSON schema:

Output schema if '' is 'Alerts'
{
     "data": {
         "unit": "",
         "threat": "",
         "contextType": "",
         "values": [
             {
                 "value": "",
                 "description": "",
                 "displayName": "",
                 "key": "",
                 "type": ""
             }
         ],
         "bucketSize": "",
         "unitDescription": "",
         "threatDescription": "",
         "unitType": ""
     },
     "requestTime": "",
     "cached": ""
}

Output schema if 'Rollup Level' is 'Anomalies'
{
     "data": {
         "unit": "",
         "threat": "",
         "contextType": "",
         "values": [
             {
                 "value": [
                     {
                         "expected": "",
                         "minute": ""
                     }
                 ],
                 "description": "",
                 "displayName": "",
                 "key": "",
                 "type": ""
             }
         ],
         "bucketSize": "",
         "unitDescription": "",
         "threatDescription": "",
         "unitType": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Entities

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entities you want to retrieve from Interset.
Entity Type Entity type that you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Count (Optional) Maximum number of entities that this operation should return.
Sort Order (Optional) Sort order that you can apply to the result that is retrieved from Interset.

You can choose either Ascending or Descending.

Scroll ID (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results.
Keep Alive (Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes.

Output

The output contains the following populated JSON schema:
{
     "totalHits": "",
     "data": [
         {
             "entityName": "",
             "entityHash": "",
             "tags": [],
             "entityType": ""
         }
     ],
     "requestTime": "",
     "scrollId": "",
     "cached": ""
}

operation: Get Entity Details

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entity details you want to retrieve from Interset.
Entity Type Type of entity type whose details you want to retrieve from Interset. For example, user, volume, printer, website, etc.
Entity Hash Element hash of the entity whose details you want to retrieve from Interset. For example, 393ff13c9b519ec2

Output

The output contains the following populated JSON schema:
{
     "data": {
         "entityHash": "",
         "clusters": [],
         "entityType": "",
         "entityName": "",
         "botScore": "",
         "tags": []
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Associated Entities

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entities you want to retrieve from Interset.
Entity Type Entity type whose associated entities you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Entity Hash Element hash of the entity whose associated entities you want to retrieve from Interset. For example, 393ff13c9b519ec2
Count (Optional) Maximum number of associated entities that this operation should return.
Risk Sort (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End.
Start Time (Optional) Start time from when you want to get associated entities from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to get associated entities from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "accesses": {
             "project": [
                 {
                     "accesses": "",
                     "entityName": "",
                     "entityHash": "",
                     "risk": "",
                     "entityType": ""
                 }
             ],
             "server": [
                 {
                     "accesses": "",
                     "entityName": "",
                     "entityHash": "",
                     "risk": "",
                     "entityType": ""
                 }
             ]
         },
         "risk": {
             "project": [
                 {
                     "accesses": "",
                     "entityName": "",
                     "entityHash": "",
                     "risk": "",
                     "entityType": ""
                 }
             ],
             "server": [
                 {
                     "accesses": "",
                     "entityName": "",
                     "entityHash": "",
                     "risk": "",
                     "entityType": ""
                 }
             ]
         }
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Entity Risk Graph

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entity's risk graph you want to retrieve from Interset.
Entity Type Entity type whose associated risk graph you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Entity Hash Element hash of the entity whose associated risk graph you want to retrieve from Interset. For example, 393ff13c9b519ec2
Count (Optional) Maximum number of time buckets that this operation should return between start time and end time. Each time bucket contains the entity's maximum risk in that time range.
Interval (Optional) The interval of the time bucket; this parameter supersedes the count parameter. Accepted values are: "day". Buckets are broken down based on the requested time zone.
Time Zone (Optional) Timezone in which you want the results to be returned.
For example, +5:00, America/Montreal, EST
Start Time (Optional) Start time from when you want to get the risk graph of the entity from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to get the risk graph of the entity from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
     "data": [
         {
             "timestamp": "",
             "risk": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

operation: Get Bot Users

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entity's bot users you want to retrieve from Interset.
Count (Optional) Maximum number of bot users that this operation should return. 

Output

The output contains the following populated JSON schema:
{
     "data": [
         {
             "entityName": "",
             "entityHash": "",
             "tags": [
                 {
                     "description": "",
                     "id": "",
                     "source": "",
                     "name": ""
                 }
             ],
             "risk": "",
             "entityType": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

operation: Get Entity Risk Score

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entity's risk score you want to retrieve from Interset.
Entity Type Entity type whose associated risk score you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Entity Hash Element hash of the entity whose associated risk score you want to retrieve from Interset. For example, 393ff13c9b519ec2
Sort (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End.
Format (Optional) Format in which you want this operation to return the response. When this is set to "long", the top alert information for the entity is included in the response.
Markup Select this option, i.e., set it to true, to include handlebar markup in alert text. In this case, anomalies might contain markup tags in double curly braces, {{ and }}.
When this option is cleared, i.e, set as false, the returned anomalies contain only plain English text that can be displayed directly without further processing.  
Time Zone (Optional) Timezone in which you want the results to be returned.
For example, +5:00, America/Montreal, EST
Start Time (Optional) Start time from when you want to retrieve the risk score from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve the risk score from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "riskChange": "",
         "lastActivity": "",
         "risk": "",
         "entityType": "",
         "preDecayedRisk": "",
         "entityName": "",
         "storyCount": "",
         "entityHash": "",
         "tags": [
             {
                 "description": "",
                 "id": "",
                 "source": "",
                 "name": ""
             }
         ],
         "mostSignificantAlert": {
             "alertId": "",
             "datasource": "",
             "risk": "",
             "category": "",
             "templates": {
                 "family": "",
                 "teaser": "",
                 "alert": "",
                 "threat": "",
                 "tooltip": ""
             },
             "bucketSize": "",
             "numChildren": "",
             "contextType": "",
             "kibana": {
                 "indexName": "",
                 "searchQuery": ""
             },
             "anomalyTypes": [],
             "contribution": "",
             "rollupLevel": "",
             "parentId": "",
             "numAnomalies": "",
             "timestamp": "",
             "id": "",
             "contextAnomalyId": "",
             "significance": ""
         },
         "decayedToTimestamp": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Entity Risk Distribution

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entity's risk distribution you want to retrieve from Interset.
Entity Type Entity type whose associated risk distribution you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Query (Optional) Query using which you want to retrieve entity risk distribution information from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Start Time (Optional) Start time from when you want to retrieve risk distribution from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve risk distribution from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "risks": {
             "low": "",
             "high": "",
             "extreme": "",
             "total": "",
             "medium": ""
         },
         "count": "",
         "entityTypes": [],
         "name": "",
         "type": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Top Accessed Entities

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated top accessed entities you want to retrieve from Interset.
Entity Type Entity type whose associated top accessed entities you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Count (Optional) Maximum number of entities that this operation should return. 
Query (Optional) Query using which you want to retrieve top accessed entities information from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Start Time (Optional) Start time from when you want to retrieve top accessed entities from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve top accessed entities from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "data": {},
     "requestTime": "",
     "cached": ""
}

operation: Get Top Risky Entities

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated top riskiest entities you want to retrieve from Interset.
Entity Type Entity type whose associated top riskiest entities you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Sort (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End.
Format (Optional) Format in which you want this operation to return the response. When this is set to "long", the top alert information for the entity is included in the response.
Query (Optional) Query using which you want to retrieve top riskiest entities information from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Markup Select this option, i.e., set it to true, to include handlebar markup in alert text. In this case, anomalies might contain markup tags in double curly braces, {{ and }}.
When this option is cleared, i.e, set as false, the returned anomalies contain only plain English text that can be displayed directly without further processing.  
Time Zone (Optional) Timezone in which you want the results to be returned.
For example, +5:00, America/Montreal, EST
Count (Optional) Maximum number of entities that this operation should return. 
Scroll ID (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results.
Keep Alive (Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes.
Start Time (Optional) Start time from when you want to retrieve top riskiest entities from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve top riskiest entities from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "totalHits": "",
     "data": [
         {
             "riskChange": "",
             "lastActivity": "",
             "risk": "",
             "entityType": "",
             "preDecayedRisk": "",
             "entityName": "",
             "storyCount": "",
             "entityHash": "",
             "tags": [
                 {
                     "description": "",
                     "id": "",
                     "source": "",
                     "name": ""
                 }
             ],
             "mostSignificantAlert": "",
             "decayedToTimestamp": ""
         }
     ],
     "requestTime": "",
     "scrollId": "",
     "cached": ""
}

operation: Get Anomalies/Alerts/Aggregates

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated anomalies, alerts, or aggregates you want to retrieve from Interset.
Rollup Level Level at which anomalies are combined. Aggregates combine similar alerts within the same time period across entities. Alerts combine similar anomalies within the same time period for a single entity. You can choose between Anomalies, Aggregates, or Alerts.
Rollup ID ID of the aggregate, alert, or anomaly that you want to retrieve from Interset.
Count (Optional) Maximum number of anomalies, alerts, or aggregates that this operation should return. 
Sort (Optional) Select the method of sorting the results You can choose from Timestamp or Risk.
Sort Order (Optional) Sort order that you can apply to the result that is retrieved from Interset.

You can choose either Ascending or Descending.

Risk Sort (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End.
Minimum Risk (Optional) Minimum threshold of anomaly/alert risk below which all anomalies/alerts should be excluded from the results.
Maximum Risk (Optional) Maximum threshold of anomaly/alert risk below which all anomalies/alerts should be excluded from the results.
Query (Optional) Query using which you want to retrieve anomalies, alerts, or aggregates from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Markup Select this option, i.e., set it to true, to include handlebar markup in alert text. In this case, anomalies might contain markup tags in double curly braces, {{ and }}.
When this option is cleared, i.e, set as false, the returned anomalies contain only plain English text that can be displayed directly without further processing.  
Scroll ID (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results.
Keep Alive (Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes.
Start Time (Optional) Start time from when you want to retrieve anomalies, alerts, or aggregates from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve anomalies, alerts, or aggregates from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "totalHits": "",
     "scrollId": "",
     "data": [
         {
             "alertId": "",
             "datasource": "",
             "risk": "",
             "category": "",
             "templates": {
                 "family": "",
                 "teaser": "",
                 "alert": "",
                 "threat": "",
                 "tooltip": ""
             },
             "bucketSize": "",
             "numChildren": "",
             "contextType": "",
             "kibana": {
                 "indexName": "",
                 "startTime": "",
                 "searchQuery": "",
                 "endTime": ""
             },
             "anomalyTypes": [],
             "contribution": "",
             "rollupLevel": "",
             "tags": [],
             "sql": {
                 "searchQuery": ""
             },
             "parentId": "",
             "numAnomalies": "",
             "timestamp": "",
             "id": "",
             "generic": {
                 "timeRangeQuery": "",
                 "searchQuery": ""
             },
             "contextAnomalyId": "",
             "significance": ""
         }
     ],
     "requestTime": "",
     "queryTime": "",
     "cached": ""
}

operation: Search Users

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated users you want to retrieve from Interset.
Search for Select the search criteria using which you want to search for users in Interset. You can choose from the following options: Top Exit Produces, Top Failed Login, Top Risky Days, Top Screen Captures, or Top Violation Producers.
Count (Optional) Maximum number of users that this operation should return. 
Query (Optional) Query using which you want to retrieve users from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Start Time (Optional) Start time from when you want to search for users in Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to search for users in Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:

Output schema if '' is 'Top Exit Producers'
{
     "data": {},
  nbsp;   "requestTime": "",
     "cached": ""
}

Output schema if 'Search for' is 'Top Failed Login'
{
     "data": [
         {
             "totalFailed": "",
             "entityName": "",
             "entityHash": "",
             "totalSuccess": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

Output schema if 'Search for' is 'Top Risky Days'
{
     "data": [
         {
             "timestamp": "",
             "risk": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

operation: Get Working Hours

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated working hours you want to retrieve from Interset.
Working Hours For Select the entity type for which you want to retrieve working hours. You can choose between User or Organization.
If you choose 'User', then you must specify the following parameters:
  • Time Span: Timespan for which you want to retrieve working hours from Interset. You can choose between Daily or Weekly.
  • User Hash: Element hash of the user entity whose associated working hours you want to retrieve from Interset. For example, 393ff13c9b519ec2
If you choose 'Organization', then you must specify the following parameter:
  • Time Span: Timespan for which you want to retrieve working hours from Interset. You can choose between Daily or Weekly.

Output

The output contains the following populated JSON schema:
{
     "data": [
         {
             "expected": "",
             "minute": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

operation: Create Tag

Input parameters

Parameter Description
Tenant ID ID of the tenant for which you want to create a tag in Interset.
Tag Name Name for the tag that you want to create in the specified tenant in Interset.
Description (Optional) Description of the tag that you want to create in Interset.

Output

The output contains the following populated JSON schema:
{
     "requestTime": "",
     "data": {
         "created": "",
         "entities": [],
         "source": "",
         "description": "",
         "createdBy": "",
         "modifiedBy": "",
         "id": "",
         "modified": "",
         "name": ""
     },
     "cached": ""
}

operation: Get Tags

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated tags you want to retrieve from Interset.
Source Select how the tag was created. Tags can be created either by a User through the UI or by Analytics.
Query (Optional) Query using which you want to retrieve tags from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Text To Search (Optional) Text that you want to use to match tags by name.

Output

The output contains the following populated JSON schema:
{
     "data": [
         {
             "created": "",
             "entities": [],
             "source": "",
             "description": "",
             "createdBy": "",
             "modifiedBy": "",
             "id": "",
             "modified": "",
             "name": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

operation: Delete Tag

Input parameters

Parameter Description
Tenant ID ID of the tenant from which you want to delete the specified tag in Interset.
Tag Name of tag that you want to delete from the specified tenant in Interset.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "message": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Entities By Tags

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entities you want to retrieve from Interset.
Entities For Select whether you want to retrieve entities from Interset for a single tag or for multiple tags.
If you choose 'Single Tag', then you must specify the following parameters:
  • Tag Name: Name of tag whose associated entities you want to retrieve from Interset.
  • Element type: Type of element with which the tag is associated. You can select from Alerts, Anomalies, or Entities.
If you choose 'Multiple Tags', then you must specify the following parameters:
  • Matches: Indicates whether the returned entities must have any or all of the specified tags. Possible values are "Any" (return entities with any of the specified tags) or "All" (return entities with all the specified tags).
  • Tags: List of tags, In CSV or List format, whose associated entities you want to retrieve from Interset. For example, ['tag1', 'tag2'] or tag1, tag2
Count (Optional) Maximum number of tagged elements that this operation should return. 
Scroll ID (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results.

Output

The output contains the following populated JSON schema:
{
     "data": [
         {
             "entityName": "",
             "entityHash": "",
             "entityType": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

operation: Add Tag To Elements

Input parameters

Parameter Description
Tenant ID ID of the tenant in whose associated elements you want to add the specified tags.
Tag Name Name of tag that you want to add to the specified element type and hash.
Element type Type of element with which you want to associate the tag that you want to add in Interset.
Element Hashes List element hashes in CSV or list format to which you want to add the tag. For example, 393ff13c9b519ec2.
Retries Number of times to retry the update operation if a conflict occurs.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "message": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Remove Tag From Elements

Input parameters

Parameter Description
Tenant ID ID of the tenant from whose associated elements you want to remove the specified tags.
Tag Name Name of tag that you want to remove from the specified element type and hash.
Element type Type of element that is associated with the tag that you want to remove from Interset.
Element Hashes List element hashes in CSV or list format to which you want to add the tag. For example, 393ff13c9b519ec2.
Retries Number of times to retry the update operation if a conflict occurs.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "message": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Anomaly Weights

Input parameters

Parameter Description
Tenant ID ID of the tenant for which you want to retrieve anomaly weights from Interset.
Get Anomaly Weights You can choose to retrieve the weights for all configured anomalies by selecting For ALL Anomalies, or you can choose to retrieve weights for specific configured anomalies by selecting By Anomaly Type.
If you select 'By Anomaly Type', then you have to specify the following parameters:
  • DID: The Data ID, which is a differentiator between data sources of the same type, for example, Perforce and SharePoint repository data. The value of DID is usually 0. A value of -1 refers to all DIDs at once.
  • Anomaly Type: Type of anomaly whose weight you want to retrieve from Interset, for example, 212.

Output

The output contains the following populated JSON schema:
{
     "weight": "",
     "anomalyType": "",
     "importance": "",
     "did": "",
     "defaultWeight": ""
}

operation: Set Anomaly Weight

Input parameters

Parameter Description
Tenant ID ID of the tenant for which you want to set the anomaly weights in Interset.
DID The Data ID, which is a differentiator between data sources of the same type, for example, Perforce and SharePoint repository data. The value of DID is usually 0. A value of -1 refers to all DIDs at once.
Anomaly Type Type of anomaly whose weight you want to set in Interset, for example, 212.
Weight Value of weight that you want to assign to the anomaly type you have specified,

Output

The output contains the following populated JSON schema:
{
     "weight": ""
}

Included playbooks

The Sample - Micro Focus Interset - 1.0.0 playbook collection comes bundled with the Micro Focus Interset connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPsTM after importing the Micro Focus Interset connector.

  • Anomaly: Get Anomaly Weights
  • Anomaly: Set Anomaly Weights
  • Entity: Get Associated Entities
  • Entity: Get Entities
  • Entity: Get Entity Details
  • Entity: Get Entity Risk Distribution
  • Entity: Get Entity Risk Graph
  • Entity: Get Entity Risk Score
  • Entity: Get Top Accessed Entities
  • Entity: Get Top Risky Entities
  • Get Anomalies/Alerts/Aggregates
  • Get Authentication Attempts
  • Get Bot Users
  • Get Context
  • Get Raw Events
  • Get Session
  • Get Working Hours
  • > Interset > Fetch
  • Interset > Ingest
  • >> Interset > Init Macros
  • Interset > Monitor User Risk Score
    This playbook demonstrates a use case in which the playbook monitors the risk score of a user for the specified timeframe and creates an alert if the risk score is higher than the set threshold. If the risk score is lower than the set threshold, then the playbook adds a comment and again monitors the user for the next 24 hrs to check whether the user's risk score is increasing or not, and based on the results, updates the severity of the alert.
  • Interset > Notify User Risk Score
    This playbook demonstrates a use case in which the playbook sends notifications of the risk score of the user using Slack messages and emails.
  • Search Users
  • Tag: Add Tag To Elements
  • Tag: Create Tag
  • Tag: Delete Tag
  • Tag: Get Entities By Tags
  • Tag: Get Tags
  • Tag: Remove Tag From Elements
  • Workflow: Delete Rule
  • Workflow: Get Rules

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

About the connector

Interset is a powerful investigation and hunting interface. It detects threats before data is stolen using security analytics and machine learning to generate prioritized threat leads for SOC efficiency.

This document provides information about the Micro Focus Interset connector, which facilitates automated interactions, with a server using FortiSOAR™ playbooks. Add the Micro Focus Interset connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about the current session or creating a new tag for the specified tenant in Interset.

Version information

Connector Version: 1.0.0

FortiSOAR™ versions Tested on: 5.1.3-30 and 6.0.0-790

Authored By: Fortinet

Certified: Yes

Data Ingestion Support

You can use the "Data Ingestion Wizard" to easily ingest Interset data, i.e., alerts, aggregates, or anomalies, into FortiSOAR™ . To The following playbooks have been added for data ingestion:

Important: While configuring data ingestion in FortiSOAR™ Version 5.1.1, picklists do not map correctly. For example the Severity picklist. To ensure that picklists map correctly, enter the following (considering the severity picklist) in the picklist field:
{{vars.item.incident_data.attributes.eventSeverityCat | resolveRange(vars.alerts_severity_map)}}
This issue has been resolved in FortiSOAR™ Version 6.0.0.

For more information on the Data Ingestion Wizard, see the "Connectors Guide" in FortiSOAR™ product documentation.

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-micro-focus-interset

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™ , on the Connectors page, click the Micro Focus Interset connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server Address IP address or FQDN of the Interset server to which you will connect and perform the automated operations.
Username Username to access the interset server to which you will connect and perform the automated operations.
Password Password to access the interset server to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function Description Annotation and Category
Get Session Retrieves information about the current session from Interset. get_session_info
Investigation
Get Raw Events Retrieves raw events, in the CSV or JSON format, from Interset based on the tenant ID and other input parameters you have specified. get_raw_events
Investigation
Get Rules Retrieves JSON representations of all workflows for the specified tenant from Interset based on the tenant ID you have specified. get_workflows
Investigation
Delete Rule Deletes all workflows for the specified tenant from Interset based on the tenant ID you have specified.
Warning: This operation deletes all the existing workflows for the specified tenant. Use with caution.
delete_rule
Investigation
Get Authentication Attempts Provides an overview of the number of successful and failed authentication attempts made against servers based on the tenant ID and other input parameters you have specified. get_authentication_attempts
Investigation
Get Context Retrieves the context and statistics for the specified anomaly, alert, or, aggregate from Interset based on the tenant ID, rollup level, and rollup ID you have specified. get_context
Investigation
Get Entities Retrieves entities from Interset based on the entity type, tenant ID and other input parameters you have specified. The entities are sorted by entityName. get_entities
Investigation
Get Entity Details Retrieves the entity's name, type, bot score, tags and clusters entities from Interset based on the entity hash and tenant ID you have specified get_entity_details
Investigation
Get Associated Entities Retrieves two sets of top entities associated with the specified entity: one sorted by entity risk scores and the other sorted by accesses to or from that entity from interset based on the tenant ID, entity hash and other input parameters you have specified.
Note: An entity is considered to be associated with another if they occur together in the same anomaly at least once within the selected time window.
get_associated_entities
Investigation
Get Entity Risk Graph Retrieves a timeline of an entity's risk scores for a given time range from Interset based on the tenant ID, entity hash and other input parameters you have specified.
Note: The risk returned in each time bucket represents the maximum risk for that entity within that bucket's time range.
get_entity_risk_graph
Investigation
Get Bot Users Retrieves bot users sorted by the descending bot score from Interset based on the tenant ID and sort order you have specified.
Note: Sort order is applied to the bot score.
get_bot_users
Investigation
Get Entity Risk Score Retrieves the current risk score for the specified entity for the specified time range from Interset based on the tenant ID, entity hash and other input parameters you have specified. get_entity_risk_score
Investigation
Get Entity Risk Distribution Provides an overview of how many entities of the specified type are associated with each risk level at the most current time in the dataset based on the tenant ID and other input parameters you have specified. get_entity_risk_distribution
Investigation
Get Top Accessed Entities Retrieves a list of entities, ordered by the number of times they were accessed from Interset based on the tenant ID, entity hash, and other input parameters you have specified. get_top_accessed_entities_by_entitytype
Investigation
Get Top Risky Entities Retrieves a list of the top riskiest entities by type from Interset based on the tenant ID, entity type, and other input parameters you have specified. get_top_risky_entities_by_entitytype
Investigation
Get Anomalies/Alerts/Aggregates Retrieves anomalies, alerts, or aggregates for the specified rollup and tenant from Interset based on the tenant ID, rollup level, rollup ID, and other input parameters you have specified. get_anomalies_alerts_aggregates
Investigation
Search Users Searches for users on Interset based on the tenant ID, specified query, and other input parameters you have specified. search_users
Investigation
Get Working Hours Retrieves an array of expected activity for the specified user or organization for each half hour of the day from Interset based on the tenant ID, time span and other input parameters you have specified.
The minute represents the beginning of the half-hour period, and the expected value represents the level of activity expected for that half-hour period. The expected values form a histogram and are not normalized to a particular scale.
get_working_hours
Investigation
Create Tag Creates a new tag for the specified tenant in Interset based on the tenant ID and tag you have specified. create_tag
Investigation
Get Tags Retrieves all tags for the specified tenant from Interset based on the tenant ID and other input parameters you have specified.
Tags can be configured either by a user through the UI, or by Analytics. The payload specifies the source of the tag.
get_tags
Investigation
Delete Tag Deletes the specified tag from the specified tenant based on the tenant ID and tag name you have specified. delete_tag
Investigation
Get Entities By Tags Retrieves entities that match the specified tags from Interset based on the tenant ID, entity type, and other input parameters you have specified. get_entities_by_tags
Investigation
Add Tag To Elements Adds a tag to a list of elements of the same type in Interset based on the tenant ID, tag name, element type and other input parameters you have specified. add_tag_to_elements
Investigation
Remove Tag From Elements Deletes a tag from a list of elements of the same type from Interset based on the tenant ID, tag name, element type and other input parameters you have specified. remove_tag_from_elements
Investigation
Get Anomaly Weights Retrieves weights for all configured anomalies based on the tenant ID or for specific anomalies based on the tenant ID, DID and anomaly type you have specified. get_anomaly_weights
Investigation
Set Anomaly Weight Sets the weight of an anomaly that is associated with the tenant, DID, and anomaly type you have specified. set_anomaly_weight
Investigation

operation: Get Session

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "extendedApis": {},
     "accessToken": "",
     "persistentSessions": "",
     "userDisplayName": "",
     "analyticsTuningAvailable": "",
     "roles": [
         {
             "hasSensorProxy": "",
             "tenantName": "",
             "features": [],
             "tenantId": "",
             "role": "",
             "userId": ""
         }
     ],
     "userId": ""
}

operation: Get Raw Events

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated raw events you want to retrieve from Interset.
Query (Optional) Kibana-type query using which you want to retrieve raw events from Interset.
For example, (user:("camilla")) AND (project:("csrv/rel3/Auditor"))
Category (Optional) Category, such as VPN, Endpoint, etc, of the raw event whose details you want to retrieve from Interset.
Count (Optional) Maximum number of raw events that this operation should return.
Time Zone (Optional) Timezone in which you want the results to be returned.
For example, +5:00, America/Montreal, EST
Start Time (Optional) Start time from when you want to retrieve raw events from Interset. If no value is provided, then the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve raw events from Interset. If no value is provided, then the end time of the dataset is used.
Response Format (Optional) Format in which you want this operation to return the response. You can choose between are CSV or JSON.

Output

The output contains a non-dictionary value.

operation: Get Rules

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated workflow information you want to retrieve from Interset.

Output

The output contains the following populated JSON schema:
{
     "whereType": {
         "display": "",
         "name": ""
     },
     "modDate": "",
     "behavior": {
         "display": "",
         "icon": "",
         "name": ""
     },
     "risk": {
         "operator": {
             "display": "",
             "name": ""
         },
         "value": "",
         "property": {
             "display": "",
             "type": "",
             "name": ""
         },
         "conjunction": {
             "display": "",
             "name": ""
         }
     },
     "source": {
         "icon": "",
         "display": "",
         "name": ""
     },
     "uuid": "",
     "actions": [
         {
             "content": {
                 "severity": ""
             },
             "property": {
                 "icon": "",
                 "display": "",
                 "name": ""
             }
         }
     ],
     "drl": "",
     "name": "",
     "validConfig": "",
     "conditions": [],
     "user": {
         "property": {
             "display": "",
             "type": "",
             "name": ""
         }
     },
     "active": "",
     "creationDate": "",
     "trigger": {
         "entity": "",
         "properties": [
             {
                 "display": "",
                 "type": "",
                 "name": ""
             }
         ],
         "display": "",
         "name": "",
         "icon": ""
     },
     "debug": ""
}

operation: Delete Rule

Input parameters

Parameter Description
Tenant ID ID of the tenant whose workflows you want to delete from Interset.

Output

The output contains the following populated JSON schema:
{
     "result": [],
     "message": ""
}

operation: Get Authentication Attempts

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated authentication attempts you want to retrieve from Interset.
Query (Optional) Query using which you want to retrieve authentication attempts information from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Start Time (Optional) Start time from when you want to retrieve authentication attempts information from Interset. If no value is provided, then the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve authentication attempts information from Interset. If no value is provided, then the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "succeeded": "",
         "failed": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Context

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated anomaly's context and statistics you want to retrieve from Interset.
Rollup Level Level at which anomalies are combined. Aggregates combine similar alerts within the same time period across entities. Alerts combine similar anomalies within the same time period for a single entity. You can choose between Anomalies, Aggregates, or Alerts.
Rollup ID ID of the aggregate, alert, or anomaly whose context and statistics you want to retrieve from Interset.

Output

The output contains the following populated JSON schema:

Output schema if '' is 'Alerts'
{
     "data": {
         "unit": "",
         "threat": "",
         "contextType": "",
         "values": [
             {
                 "value": "",
                 "description": "",
                 "displayName": "",
                 "key": "",
                 "type": ""
             }
         ],
         "bucketSize": "",
         "unitDescription": "",
         "threatDescription": "",
         "unitType": ""
     },
     "requestTime": "",
     "cached": ""
}

Output schema if 'Rollup Level' is 'Anomalies'
{
     "data": {
         "unit": "",
         "threat": "",
         "contextType": "",
         "values": [
             {
                 "value": [
                     {
                         "expected": "",
                         "minute": ""
                     }
                 ],
                 "description": "",
                 "displayName": "",
                 "key": "",
                 "type": ""
             }
         ],
         "bucketSize": "",
         "unitDescription": "",
         "threatDescription": "",
         "unitType": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Entities

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entities you want to retrieve from Interset.
Entity Type Entity type that you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Count (Optional) Maximum number of entities that this operation should return.
Sort Order (Optional) Sort order that you can apply to the result that is retrieved from Interset.

You can choose either Ascending or Descending.

Scroll ID (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results.
Keep Alive (Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes.

Output

The output contains the following populated JSON schema:
{
     "totalHits": "",
     "data": [
         {
             "entityName": "",
             "entityHash": "",
             "tags": [],
             "entityType": ""
         }
     ],
     "requestTime": "",
     "scrollId": "",
     "cached": ""
}

operation: Get Entity Details

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entity details you want to retrieve from Interset.
Entity Type Type of entity type whose details you want to retrieve from Interset. For example, user, volume, printer, website, etc.
Entity Hash Element hash of the entity whose details you want to retrieve from Interset. For example, 393ff13c9b519ec2

Output

The output contains the following populated JSON schema:
{
     "data": {
         "entityHash": "",
         "clusters": [],
         "entityType": "",
         "entityName": "",
         "botScore": "",
         "tags": []
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Associated Entities

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entities you want to retrieve from Interset.
Entity Type Entity type whose associated entities you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Entity Hash Element hash of the entity whose associated entities you want to retrieve from Interset. For example, 393ff13c9b519ec2
Count (Optional) Maximum number of associated entities that this operation should return.
Risk Sort (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End.
Start Time (Optional) Start time from when you want to get associated entities from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to get associated entities from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "accesses": {
             "project": [
                 {
                     "accesses": "",
                     "entityName": "",
                     "entityHash": "",
                     "risk": "",
                     "entityType": ""
                 }
             ],
             "server": [
                 {
                     "accesses": "",
                     "entityName": "",
                     "entityHash": "",
                     "risk": "",
                     "entityType": ""
                 }
             ]
         },
         "risk": {
             "project": [
                 {
                     "accesses": "",
                     "entityName": "",
                     "entityHash": "",
                     "risk": "",
                     "entityType": ""
                 }
             ],
             "server": [
                 {
                     "accesses": "",
                     "entityName": "",
                     "entityHash": "",
                     "risk": "",
                     "entityType": ""
                 }
             ]
         }
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Entity Risk Graph

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entity's risk graph you want to retrieve from Interset.
Entity Type Entity type whose associated risk graph you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Entity Hash Element hash of the entity whose associated risk graph you want to retrieve from Interset. For example, 393ff13c9b519ec2
Count (Optional) Maximum number of time buckets that this operation should return between start time and end time. Each time bucket contains the entity's maximum risk in that time range.
Interval (Optional) The interval of the time bucket; this parameter supersedes the count parameter. Accepted values are: "day". Buckets are broken down based on the requested time zone.
Time Zone (Optional) Timezone in which you want the results to be returned.
For example, +5:00, America/Montreal, EST
Start Time (Optional) Start time from when you want to get the risk graph of the entity from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to get the risk graph of the entity from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
     "data": [
         {
             "timestamp": "",
             "risk": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

operation: Get Bot Users

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entity's bot users you want to retrieve from Interset.
Count (Optional) Maximum number of bot users that this operation should return. 

Output

The output contains the following populated JSON schema:
{
     "data": [
         {
             "entityName": "",
             "entityHash": "",
             "tags": [
                 {
                     "description": "",
                     "id": "",
                     "source": "",
                     "name": ""
                 }
             ],
             "risk": "",
             "entityType": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

operation: Get Entity Risk Score

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entity's risk score you want to retrieve from Interset.
Entity Type Entity type whose associated risk score you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Entity Hash Element hash of the entity whose associated risk score you want to retrieve from Interset. For example, 393ff13c9b519ec2
Sort (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End.
Format (Optional) Format in which you want this operation to return the response. When this is set to "long", the top alert information for the entity is included in the response.
Markup Select this option, i.e., set it to true, to include handlebar markup in alert text. In this case, anomalies might contain markup tags in double curly braces, {{ and }}.
When this option is cleared, i.e, set as false, the returned anomalies contain only plain English text that can be displayed directly without further processing.  
Time Zone (Optional) Timezone in which you want the results to be returned.
For example, +5:00, America/Montreal, EST
Start Time (Optional) Start time from when you want to retrieve the risk score from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve the risk score from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "riskChange": "",
         "lastActivity": "",
         "risk": "",
         "entityType": "",
         "preDecayedRisk": "",
         "entityName": "",
         "storyCount": "",
         "entityHash": "",
         "tags": [
             {
                 "description": "",
                 "id": "",
                 "source": "",
                 "name": ""
             }
         ],
         "mostSignificantAlert": {
             "alertId": "",
             "datasource": "",
             "risk": "",
             "category": "",
             "templates": {
                 "family": "",
                 "teaser": "",
                 "alert": "",
                 "threat": "",
                 "tooltip": ""
             },
             "bucketSize": "",
             "numChildren": "",
             "contextType": "",
             "kibana": {
                 "indexName": "",
                 "searchQuery": ""
             },
             "anomalyTypes": [],
             "contribution": "",
             "rollupLevel": "",
             "parentId": "",
             "numAnomalies": "",
             "timestamp": "",
             "id": "",
             "contextAnomalyId": "",
             "significance": ""
         },
         "decayedToTimestamp": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Entity Risk Distribution

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entity's risk distribution you want to retrieve from Interset.
Entity Type Entity type whose associated risk distribution you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Query (Optional) Query using which you want to retrieve entity risk distribution information from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Start Time (Optional) Start time from when you want to retrieve risk distribution from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve risk distribution from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "risks": {
             "low": "",
             "high": "",
             "extreme": "",
             "total": "",
             "medium": ""
         },
         "count": "",
         "entityTypes": [],
         "name": "",
         "type": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Top Accessed Entities

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated top accessed entities you want to retrieve from Interset.
Entity Type Entity type whose associated top accessed entities you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Count (Optional) Maximum number of entities that this operation should return. 
Query (Optional) Query using which you want to retrieve top accessed entities information from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Start Time (Optional) Start time from when you want to retrieve top accessed entities from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve top accessed entities from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "data": {},
     "requestTime": "",
     "cached": ""
}

operation: Get Top Risky Entities

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated top riskiest entities you want to retrieve from Interset.
Entity Type Entity type whose associated top riskiest entities you want to retrieve from Interset.
For example, user, volume, printer, website, etc.
Sort (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End.
Format (Optional) Format in which you want this operation to return the response. When this is set to "long", the top alert information for the entity is included in the response.
Query (Optional) Query using which you want to retrieve top riskiest entities information from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Markup Select this option, i.e., set it to true, to include handlebar markup in alert text. In this case, anomalies might contain markup tags in double curly braces, {{ and }}.
When this option is cleared, i.e, set as false, the returned anomalies contain only plain English text that can be displayed directly without further processing.  
Time Zone (Optional) Timezone in which you want the results to be returned.
For example, +5:00, America/Montreal, EST
Count (Optional) Maximum number of entities that this operation should return. 
Scroll ID (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results.
Keep Alive (Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes.
Start Time (Optional) Start time from when you want to retrieve top riskiest entities from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve top riskiest entities from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "totalHits": "",
     "data": [
         {
             "riskChange": "",
             "lastActivity": "",
             "risk": "",
             "entityType": "",
             "preDecayedRisk": "",
             "entityName": "",
             "storyCount": "",
             "entityHash": "",
             "tags": [
                 {
                     "description": "",
                     "id": "",
                     "source": "",
                     "name": ""
                 }
             ],
             "mostSignificantAlert": "",
             "decayedToTimestamp": ""
         }
     ],
     "requestTime": "",
     "scrollId": "",
     "cached": ""
}

operation: Get Anomalies/Alerts/Aggregates

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated anomalies, alerts, or aggregates you want to retrieve from Interset.
Rollup Level Level at which anomalies are combined. Aggregates combine similar alerts within the same time period across entities. Alerts combine similar anomalies within the same time period for a single entity. You can choose between Anomalies, Aggregates, or Alerts.
Rollup ID ID of the aggregate, alert, or anomaly that you want to retrieve from Interset.
Count (Optional) Maximum number of anomalies, alerts, or aggregates that this operation should return. 
Sort (Optional) Select the method of sorting the results You can choose from Timestamp or Risk.
Sort Order (Optional) Sort order that you can apply to the result that is retrieved from Interset.

You can choose either Ascending or Descending.

Risk Sort (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End.
Minimum Risk (Optional) Minimum threshold of anomaly/alert risk below which all anomalies/alerts should be excluded from the results.
Maximum Risk (Optional) Maximum threshold of anomaly/alert risk below which all anomalies/alerts should be excluded from the results.
Query (Optional) Query using which you want to retrieve anomalies, alerts, or aggregates from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Markup Select this option, i.e., set it to true, to include handlebar markup in alert text. In this case, anomalies might contain markup tags in double curly braces, {{ and }}.
When this option is cleared, i.e, set as false, the returned anomalies contain only plain English text that can be displayed directly without further processing.  
Scroll ID (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results.
Keep Alive (Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes.
Start Time (Optional) Start time from when you want to retrieve anomalies, alerts, or aggregates from Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to retrieve anomalies, alerts, or aggregates from Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:
{
     "totalHits": "",
     "scrollId": "",
     "data": [
         {
             "alertId": "",
             "datasource": "",
             "risk": "",
             "category": "",
             "templates": {
                 "family": "",
                 "teaser": "",
                 "alert": "",
                 "threat": "",
                 "tooltip": ""
             },
             "bucketSize": "",
             "numChildren": "",
             "contextType": "",
             "kibana": {
                 "indexName": "",
                 "startTime": "",
                 "searchQuery": "",
                 "endTime": ""
             },
             "anomalyTypes": [],
             "contribution": "",
             "rollupLevel": "",
             "tags": [],
             "sql": {
                 "searchQuery": ""
             },
             "parentId": "",
             "numAnomalies": "",
             "timestamp": "",
             "id": "",
             "generic": {
                 "timeRangeQuery": "",
                 "searchQuery": ""
             },
             "contextAnomalyId": "",
             "significance": ""
         }
     ],
     "requestTime": "",
     "queryTime": "",
     "cached": ""
}

operation: Search Users

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated users you want to retrieve from Interset.
Search for Select the search criteria using which you want to search for users in Interset. You can choose from the following options: Top Exit Produces, Top Failed Login, Top Risky Days, Top Screen Captures, or Top Violation Producers.
Count (Optional) Maximum number of users that this operation should return. 
Query (Optional) Query using which you want to retrieve users from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Start Time (Optional) Start time from when you want to search for users in Interset. If no value is provided, the start time of the dataset is used.
End Time (Optional) End time till when you want to search for users in Interset. If no value is provided, the end time of the dataset is used.

Output

The output contains the following populated JSON schema:

Output schema if '' is 'Top Exit Producers'
{
     "data": {},
  nbsp;   "requestTime": "",
     "cached": ""
}

Output schema if 'Search for' is 'Top Failed Login'
{
     "data": [
         {
             "totalFailed": "",
             "entityName": "",
             "entityHash": "",
             "totalSuccess": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

Output schema if 'Search for' is 'Top Risky Days'
{
     "data": [
         {
             "timestamp": "",
             "risk": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

operation: Get Working Hours

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated working hours you want to retrieve from Interset.
Working Hours For Select the entity type for which you want to retrieve working hours. You can choose between User or Organization.
If you choose 'User', then you must specify the following parameters:
  • Time Span: Timespan for which you want to retrieve working hours from Interset. You can choose between Daily or Weekly.
  • User Hash: Element hash of the user entity whose associated working hours you want to retrieve from Interset. For example, 393ff13c9b519ec2
If you choose 'Organization', then you must specify the following parameter:
  • Time Span: Timespan for which you want to retrieve working hours from Interset. You can choose between Daily or Weekly.

Output

The output contains the following populated JSON schema:
{
     "data": [
         {
             "expected": "",
             "minute": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

operation: Create Tag

Input parameters

Parameter Description
Tenant ID ID of the tenant for which you want to create a tag in Interset.
Tag Name Name for the tag that you want to create in the specified tenant in Interset.
Description (Optional) Description of the tag that you want to create in Interset.

Output

The output contains the following populated JSON schema:
{
     "requestTime": "",
     "data": {
         "created": "",
         "entities": [],
         "source": "",
         "description": "",
         "createdBy": "",
         "modifiedBy": "",
         "id": "",
         "modified": "",
         "name": ""
     },
     "cached": ""
}

operation: Get Tags

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated tags you want to retrieve from Interset.
Source Select how the tag was created. Tags can be created either by a User through the UI or by Analytics.
Query (Optional) Query using which you want to retrieve tags from Interset. A query can accept the following parameters:
  • userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. 
  • user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. 
  • risk: Allows filtering by risk levels, which are low, medium, high, or extreme. 
  • anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
Text To Search (Optional) Text that you want to use to match tags by name.

Output

The output contains the following populated JSON schema:
{
     "data": [
         {
             "created": "",
             "entities": [],
             "source": "",
             "description": "",
             "createdBy": "",
             "modifiedBy": "",
             "id": "",
             "modified": "",
             "name": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

operation: Delete Tag

Input parameters

Parameter Description
Tenant ID ID of the tenant from which you want to delete the specified tag in Interset.
Tag Name of tag that you want to delete from the specified tenant in Interset.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "message": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Entities By Tags

Input parameters

Parameter Description
Tenant ID ID of the tenant whose associated entities you want to retrieve from Interset.
Entities For Select whether you want to retrieve entities from Interset for a single tag or for multiple tags.
If you choose 'Single Tag', then you must specify the following parameters:
  • Tag Name: Name of tag whose associated entities you want to retrieve from Interset.
  • Element type: Type of element with which the tag is associated. You can select from Alerts, Anomalies, or Entities.
If you choose 'Multiple Tags', then you must specify the following parameters:
  • Matches: Indicates whether the returned entities must have any or all of the specified tags. Possible values are "Any" (return entities with any of the specified tags) or "All" (return entities with all the specified tags).
  • Tags: List of tags, In CSV or List format, whose associated entities you want to retrieve from Interset. For example, ['tag1', 'tag2'] or tag1, tag2
Count (Optional) Maximum number of tagged elements that this operation should return. 
Scroll ID (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results.

Output

The output contains the following populated JSON schema:
{
     "data": [
         {
             "entityName": "",
             "entityHash": "",
             "entityType": ""
         }
     ],
     "requestTime": "",
     "cached": ""
}

operation: Add Tag To Elements

Input parameters

Parameter Description
Tenant ID ID of the tenant in whose associated elements you want to add the specified tags.
Tag Name Name of tag that you want to add to the specified element type and hash.
Element type Type of element with which you want to associate the tag that you want to add in Interset.
Element Hashes List element hashes in CSV or list format to which you want to add the tag. For example, 393ff13c9b519ec2.
Retries Number of times to retry the update operation if a conflict occurs.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "message": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Remove Tag From Elements

Input parameters

Parameter Description
Tenant ID ID of the tenant from whose associated elements you want to remove the specified tags.
Tag Name Name of tag that you want to remove from the specified element type and hash.
Element type Type of element that is associated with the tag that you want to remove from Interset.
Element Hashes List element hashes in CSV or list format to which you want to add the tag. For example, 393ff13c9b519ec2.
Retries Number of times to retry the update operation if a conflict occurs.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "message": ""
     },
     "requestTime": "",
     "cached": ""
}

operation: Get Anomaly Weights

Input parameters

Parameter Description
Tenant ID ID of the tenant for which you want to retrieve anomaly weights from Interset.
Get Anomaly Weights You can choose to retrieve the weights for all configured anomalies by selecting For ALL Anomalies, or you can choose to retrieve weights for specific configured anomalies by selecting By Anomaly Type.
If you select 'By Anomaly Type', then you have to specify the following parameters:
  • DID: The Data ID, which is a differentiator between data sources of the same type, for example, Perforce and SharePoint repository data. The value of DID is usually 0. A value of -1 refers to all DIDs at once.
  • Anomaly Type: Type of anomaly whose weight you want to retrieve from Interset, for example, 212.

Output

The output contains the following populated JSON schema:
{
     "weight": "",
     "anomalyType": "",
     "importance": "",
     "did": "",
     "defaultWeight": ""
}

operation: Set Anomaly Weight

Input parameters

Parameter Description
Tenant ID ID of the tenant for which you want to set the anomaly weights in Interset.
DID The Data ID, which is a differentiator between data sources of the same type, for example, Perforce and SharePoint repository data. The value of DID is usually 0. A value of -1 refers to all DIDs at once.
Anomaly Type Type of anomaly whose weight you want to set in Interset, for example, 212.
Weight Value of weight that you want to assign to the anomaly type you have specified,

Output

The output contains the following populated JSON schema:
{
     "weight": ""
}

Included playbooks

The Sample - Micro Focus Interset - 1.0.0 playbook collection comes bundled with the Micro Focus Interset connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPsTM after importing the Micro Focus Interset connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.