About the connector
Interset is a powerful investigation and hunting interface. It detects threats before data is stolen using security analytics and machine learning to generate prioritized threat leads for SOC efficiency.
This document provides information about the Micro Focus Interset connector, which facilitates automated interactions, with a server using FortiSOAR™ playbooks. Add the Micro Focus Interset connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about the current session or creating a new tag for the specified tenant in Interset.
Version information
Connector Version: 1.0.0
FortiSOAR™ versions Tested on: 5.1.3-30 and 6.0.0-790
Authored By: Fortinet
Certified: Yes
Data Ingestion Support
You can use the "Data Ingestion Wizard" to easily ingest Interset data, i.e., alerts, aggregates, or anomalies, into FortiSOAR™ . To The following playbooks have been added for data ingestion:
- > Interset > Fetch
- Interset > Ingest
- >> Interset > Init Macros
Important: While configuring data ingestion in FortiSOAR™ Version 5.1.1, picklists do not map correctly. For example the Severity picklist. To ensure that picklists map correctly, enter the following (considering the severity picklist) in the picklist field:
{{vars.item.incident_data.attributes.eventSeverityCat | resolveRange(vars.alerts_severity_map)}}
This issue has been resolved in FortiSOAR™ Version 6.0.0.
For more information on the Data Ingestion Wizard, see the "Connectors Guide" in FortiSOAR™ product documentation.
Installing the connector
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-micro-focus-interset
Prerequisites to configuring the connector
- You must have the IP address or FQDN of the Interset server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™ , on the Connectors page, click the Micro Focus Interset connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter |
Description |
| Server Address |
IP address or FQDN of the Interset server to which you will connect and perform the automated operations. |
| Username |
Username to access the interset server to which you will connect and perform the automated operations. |
| Password |
Password to access the interset server to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| Get Session |
Retrieves information about the current session from Interset. |
get_session_info
Investigation |
| Get Raw Events |
Retrieves raw events, in the CSV or JSON format, from Interset based on the tenant ID and other input parameters you have specified. |
get_raw_events
Investigation |
| Get Rules |
Retrieves JSON representations of all workflows for the specified tenant from Interset based on the tenant ID you have specified. |
get_workflows
Investigation |
| Delete Rule |
Deletes all workflows for the specified tenant from Interset based on the tenant ID you have specified.
Warning: This operation deletes all the existing workflows for the specified tenant. Use with caution. |
delete_rule
Investigation |
| Get Authentication Attempts |
Provides an overview of the number of successful and failed authentication attempts made against servers based on the tenant ID and other input parameters you have specified. |
get_authentication_attempts
Investigation |
| Get Context |
Retrieves the context and statistics for the specified anomaly, alert, or, aggregate from Interset based on the tenant ID, rollup level, and rollup ID you have specified. |
get_context
Investigation |
| Get Entities |
Retrieves entities from Interset based on the entity type, tenant ID and other input parameters you have specified. The entities are sorted by entityName. |
get_entities
Investigation |
| Get Entity Details |
Retrieves the entity's name, type, bot score, tags and clusters entities from Interset based on the entity hash and tenant ID you have specified |
get_entity_details
Investigation |
| Get Associated Entities |
Retrieves two sets of top entities associated with the specified entity: one sorted by entity risk scores and the other sorted by accesses to or from that entity from interset based on the tenant ID, entity hash and other input parameters you have specified.
Note: An entity is considered to be associated with another if they occur together in the same anomaly at least once within the selected time window. |
get_associated_entities
Investigation |
| Get Entity Risk Graph |
Retrieves a timeline of an entity's risk scores for a given time range from Interset based on the tenant ID, entity hash and other input parameters you have specified.
Note: The risk returned in each time bucket represents the maximum risk for that entity within that bucket's time range. |
get_entity_risk_graph
Investigation |
| Get Bot Users |
Retrieves bot users sorted by the descending bot score from Interset based on the tenant ID and sort order you have specified.
Note: Sort order is applied to the bot score. |
get_bot_users
Investigation |
| Get Entity Risk Score |
Retrieves the current risk score for the specified entity for the specified time range from Interset based on the tenant ID, entity hash and other input parameters you have specified. |
get_entity_risk_score
Investigation |
| Get Entity Risk Distribution |
Provides an overview of how many entities of the specified type are associated with each risk level at the most current time in the dataset based on the tenant ID and other input parameters you have specified. |
get_entity_risk_distribution
Investigation |
| Get Top Accessed Entities |
Retrieves a list of entities, ordered by the number of times they were accessed from Interset based on the tenant ID, entity hash, and other input parameters you have specified. |
get_top_accessed_entities_by_entitytype
Investigation |
| Get Top Risky Entities |
Retrieves a list of the top riskiest entities by type from Interset based on the tenant ID, entity type, and other input parameters you have specified. |
get_top_risky_entities_by_entitytype
Investigation |
| Get Anomalies/Alerts/Aggregates |
Retrieves anomalies, alerts, or aggregates for the specified rollup and tenant from Interset based on the tenant ID, rollup level, rollup ID, and other input parameters you have specified. |
get_anomalies_alerts_aggregates
Investigation |
| Search Users |
Searches for users on Interset based on the tenant ID, specified query, and other input parameters you have specified. |
search_users
Investigation |
| Get Working Hours |
Retrieves an array of expected activity for the specified user or organization for each half hour of the day from Interset based on the tenant ID, time span and other input parameters you have specified.
The minute represents the beginning of the half-hour period, and the expected value represents the level of activity expected for that half-hour period. The expected values form a histogram and are not normalized to a particular scale. |
get_working_hours
Investigation |
| Create Tag |
Creates a new tag for the specified tenant in Interset based on the tenant ID and tag you have specified. |
create_tag
Investigation |
| Get Tags |
Retrieves all tags for the specified tenant from Interset based on the tenant ID and other input parameters you have specified.
Tags can be configured either by a user through the UI, or by Analytics. The payload specifies the source of the tag. |
get_tags
Investigation |
| Delete Tag |
Deletes the specified tag from the specified tenant based on the tenant ID and tag name you have specified. |
delete_tag
Investigation |
| Get Entities By Tags |
Retrieves entities that match the specified tags from Interset based on the tenant ID, entity type, and other input parameters you have specified. |
get_entities_by_tags
Investigation |
| Add Tag To Elements |
Adds a tag to a list of elements of the same type in Interset based on the tenant ID, tag name, element type and other input parameters you have specified. |
add_tag_to_elements
Investigation |
| Remove Tag From Elements |
Deletes a tag from a list of elements of the same type from Interset based on the tenant ID, tag name, element type and other input parameters you have specified. |
remove_tag_from_elements
Investigation |
| Get Anomaly Weights |
Retrieves weights for all configured anomalies based on the tenant ID or for specific anomalies based on the tenant ID, DID and anomaly type you have specified. |
get_anomaly_weights
Investigation |
| Set Anomaly Weight |
Sets the weight of an anomaly that is associated with the tenant, DID, and anomaly type you have specified. |
set_anomaly_weight
Investigation |
operation: Get Session
Input parameters
None.
Output
The output contains the following populated JSON schema:
{
"extendedApis": {},
"accessToken": "",
"persistentSessions": "",
"userDisplayName": "",
"analyticsTuningAvailable": "",
"roles": [
{
"hasSensorProxy": "",
"tenantName": "",
"features": [],
"tenantId": "",
"role": "",
"userId": ""
}
],
"userId": ""
}
operation: Get Raw Events
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated raw events you want to retrieve from Interset. |
| Query |
(Optional) Kibana-type query using which you want to retrieve raw events from Interset.
For example, (user:("camilla")) AND (project:("csrv/rel3/Auditor")) |
| Category |
(Optional) Category, such as VPN, Endpoint, etc, of the raw event whose details you want to retrieve from Interset. |
| Count |
(Optional) Maximum number of raw events that this operation should return. |
| Time Zone |
(Optional) Timezone in which you want the results to be returned.
For example, +5:00, America/Montreal, EST |
| Start Time |
(Optional) Start time from when you want to retrieve raw events from Interset. If no value is provided, then the start time of the dataset is used. |
| End Time |
(Optional) End time till when you want to retrieve raw events from Interset. If no value is provided, then the end time of the dataset is used. |
| Response Format |
(Optional) Format in which you want this operation to return the response. You can choose between are CSV or JSON. |
Output
The output contains a non-dictionary value.
operation: Get Rules
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated workflow information you want to retrieve from Interset. |
Output
The output contains the following populated JSON schema:
{
"whereType": {
"display": "",
"name": ""
},
"modDate": "",
"behavior": {
"display": "",
"icon": "",
"name": ""
},
"risk": {
"operator": {
"display": "",
"name": ""
},
"value": "",
"property": {
"display": "",
"type": "",
"name": ""
},
"conjunction": {
"display": "",
"name": ""
}
},
"source": {
"icon": "",
"display": "",
"name": ""
},
"uuid": "",
"actions": [
{
"content": {
"severity": ""
},
"property": {
"icon": "",
"display": "",
"name": ""
}
}
],
"drl": "",
"name": "",
"validConfig": "",
"conditions": [],
"user": {
"property": {
"display": "",
"type": "",
"name": ""
}
},
"active": "",
"creationDate": "",
"trigger": {
"entity": "",
"properties": [
{
"display": "",
"type": "",
"name": ""
}
],
"display": "",
"name": "",
"icon": ""
},
"debug": ""
}
operation: Delete Rule
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose workflows you want to delete from Interset. |
Output
The output contains the following populated JSON schema:
{
"result": [],
"message": ""
}
operation: Get Authentication Attempts
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated authentication attempts you want to retrieve from Interset. |
| Query |
(Optional) Query using which you want to retrieve authentication attempts information from Interset. A query can accept the following parameters:
userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. risk: Allows filtering by risk levels, which are low, medium, high, or extreme. anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
|
| Start Time |
(Optional) Start time from when you want to retrieve authentication attempts information from Interset. If no value is provided, then the start time of the dataset is used. |
| End Time |
(Optional) End time till when you want to retrieve authentication attempts information from Interset. If no value is provided, then the end time of the dataset is used. |
Output
The output contains the following populated JSON schema:
{
"data": {
"succeeded": "",
"failed": ""
},
"requestTime": "",
"cached": ""
}
operation: Get Context
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated anomaly's context and statistics you want to retrieve from Interset. |
| Rollup Level |
Level at which anomalies are combined. Aggregates combine similar alerts within the same time period across entities. Alerts combine similar anomalies within the same time period for a single entity. You can choose between Anomalies, Aggregates, or Alerts. |
| Rollup ID |
ID of the aggregate, alert, or anomaly whose context and statistics you want to retrieve from Interset. |
Output
The output contains the following populated JSON schema:
Output schema if '' is 'Alerts'
{
"data": {
"unit": "",
"threat": "",
"contextType": "",
"values": [
{
"value": "",
"description": "",
"displayName": "",
"key": "",
"type": ""
}
],
"bucketSize": "",
"unitDescription": "",
"threatDescription": "",
"unitType": ""
},
"requestTime": "",
"cached": ""
}
Output schema if 'Rollup Level' is 'Anomalies'
{
"data": {
"unit": "",
"threat": "",
"contextType": "",
"values": [
{
"value": [
{
"expected": "",
"minute": ""
}
],
"description": "",
"displayName": "",
"key": "",
"type": ""
}
],
"bucketSize": "",
"unitDescription": "",
"threatDescription": "",
"unitType": ""
},
"requestTime": "",
"cached": ""
}
operation: Get Entities
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated entities you want to retrieve from Interset. |
| Entity Type |
Entity type that you want to retrieve from Interset.
For example, user, volume, printer, website, etc. |
| Count |
(Optional) Maximum number of entities that this operation should return. |
| Sort Order |
(Optional) Sort order that you can apply to the result that is retrieved from Interset.
You can choose either Ascending or Descending.
|
| Scroll ID |
(Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results. |
| Keep Alive |
(Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes. |
Output
The output contains the following populated JSON schema:
{
"totalHits": "",
"data": [
{
"entityName": "",
"entityHash": "",
"tags": [],
"entityType": ""
}
],
"requestTime": "",
"scrollId": "",
"cached": ""
}
operation: Get Entity Details
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated entity details you want to retrieve from Interset. |
| Entity Type |
Type of entity type whose details you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
| Entity Hash |
Element hash of the entity whose details you want to retrieve from Interset. For example, 393ff13c9b519ec2 |
Output
The output contains the following populated JSON schema:
{
"data": {
"entityHash": "",
"clusters": [],
"entityType": "",
"entityName": "",
"botScore": "",
"tags": []
},
"requestTime": "",
"cached": ""
}
operation: Get Associated Entities
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated entities you want to retrieve from Interset. |
| Entity Type |
Entity type whose associated entities you want to retrieve from Interset.
For example, user, volume, printer, website, etc. |
| Entity Hash |
Element hash of the entity whose associated entities you want to retrieve from Interset. For example, 393ff13c9b519ec2 |
| Count |
(Optional) Maximum number of associated entities that this operation should return. |
| Risk Sort |
(Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End. |
| Start Time |
(Optional) Start time from when you want to get associated entities from Interset. If no value is provided, the start time of the dataset is used. |
| End Time |
(Optional) End time till when you want to get associated entities from Interset. If no value is provided, the end time of the dataset is used. |
Output
The output contains the following populated JSON schema:
{
"data": {
"accesses": {
"project": [
{
"accesses": "",
"entityName": "",
"entityHash": "",
"risk": "",
"entityType": ""
}
],
"server": [
{
"accesses": "",
"entityName": "",
"entityHash": "",
"risk": "",
"entityType": ""
}
]
},
"risk": {
"project": [
{
"accesses": "",
"entityName": "",
"entityHash": "",
"risk": "",
"entityType": ""
}
],
"server": [
{
"accesses": "",
"entityName": "",
"entityHash": "",
"risk": "",
"entityType": ""
}
]
}
},
"requestTime": "",
"cached": ""
}
operation: Get Entity Risk Graph
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated entity's risk graph you want to retrieve from Interset. |
| Entity Type |
Entity type whose associated risk graph you want to retrieve from Interset.
For example, user, volume, printer, website, etc. |
| Entity Hash |
Element hash of the entity whose associated risk graph you want to retrieve from Interset. For example, 393ff13c9b519ec2 |
| Count |
(Optional) Maximum number of time buckets that this operation should return between start time and end time. Each time bucket contains the entity's maximum risk in that time range. |
| Interval |
(Optional) The interval of the time bucket; this parameter supersedes the count parameter. Accepted values are: "day". Buckets are broken down based on the requested time zone. |
| Time Zone |
(Optional) Timezone in which you want the results to be returned.
For example, +5:00, America/Montreal, EST |
| Start Time |
(Optional) Start time from when you want to get the risk graph of the entity from Interset. If no value is provided, the start time of the dataset is used. |
| End Time |
(Optional) End time till when you want to get the risk graph of the entity from Interset. If no value is provided, the end time of the dataset is used. |
Output
The output contains the following populated JSON schema:{
"data": [
{
"timestamp": "",
"risk": ""
}
],
"requestTime": "",
"cached": ""
}
operation: Get Bot Users
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated entity's bot users you want to retrieve from Interset. |
| Count |
(Optional) Maximum number of bot users that this operation should return. |
Output
The output contains the following populated JSON schema:
{
"data": [
{
"entityName": "",
"entityHash": "",
"tags": [
{
"description": "",
"id": "",
"source": "",
"name": ""
}
],
"risk": "",
"entityType": ""
}
],
"requestTime": "",
"cached": ""
}
operation: Get Entity Risk Score
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated entity's risk score you want to retrieve from Interset. |
| Entity Type |
Entity type whose associated risk score you want to retrieve from Interset.
For example, user, volume, printer, website, etc. |
| Entity Hash |
Element hash of the entity whose associated risk score you want to retrieve from Interset. For example, 393ff13c9b519ec2 |
| Sort |
(Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End. |
| Format |
(Optional) Format in which you want this operation to return the response. When this is set to "long", the top alert information for the entity is included in the response. |
| Markup |
Select this option, i.e., set it to true, to include handlebar markup in alert text. In this case, anomalies might contain markup tags in double curly braces, {{ and }}.
When this option is cleared, i.e, set as false, the returned anomalies contain only plain English text that can be displayed directly without further processing. |
| Time Zone |
(Optional) Timezone in which you want the results to be returned.
For example, +5:00, America/Montreal, EST |
| Start Time |
(Optional) Start time from when you want to retrieve the risk score from Interset. If no value is provided, the start time of the dataset is used. |
| End Time |
(Optional) End time till when you want to retrieve the risk score from Interset. If no value is provided, the end time of the dataset is used. |
Output
The output contains the following populated JSON schema:
{
"data": {
"riskChange": "",
"lastActivity": "",
"risk": "",
"entityType": "",
"preDecayedRisk": "",
"entityName": "",
"storyCount": "",
"entityHash": "",
"tags": [
{
"description": "",
"id": "",
"source": "",
"name": ""
}
],
"mostSignificantAlert": {
"alertId": "",
"datasource": "",
"risk": "",
"category": "",
"templates": {
"family": "",
"teaser": "",
"alert": "",
"threat": "",
"tooltip": ""
},
"bucketSize": "",
"numChildren": "",
"contextType": "",
"kibana": {
"indexName": "",
"searchQuery": ""
},
"anomalyTypes": [],
"contribution": "",
"rollupLevel": "",
"parentId": "",
"numAnomalies": "",
"timestamp": "",
"id": "",
"contextAnomalyId": "",
"significance": ""
},
"decayedToTimestamp": ""
},
"requestTime": "",
"cached": ""
}
operation: Get Entity Risk Distribution
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated entity's risk distribution you want to retrieve from Interset. |
| Entity Type |
Entity type whose associated risk distribution you want to retrieve from Interset.
For example, user, volume, printer, website, etc. |
| Query |
(Optional) Query using which you want to retrieve entity risk distribution information from Interset. A query can accept the following parameters:
userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. risk: Allows filtering by risk levels, which are low, medium, high, or extreme. anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
|
| Start Time |
(Optional) Start time from when you want to retrieve risk distribution from Interset. If no value is provided, the start time of the dataset is used. |
| End Time |
(Optional) End time till when you want to retrieve risk distribution from Interset. If no value is provided, the end time of the dataset is used. |
Output
The output contains the following populated JSON schema:
{
"data": {
"risks": {
"low": "",
"high": "",
"extreme": "",
"total": "",
"medium": ""
},
"count": "",
"entityTypes": [],
"name": "",
"type": ""
},
"requestTime": "",
"cached": ""
}
operation: Get Top Accessed Entities
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated top accessed entities you want to retrieve from Interset. |
| Entity Type |
Entity type whose associated top accessed entities you want to retrieve from Interset.
For example, user, volume, printer, website, etc. |
| Count |
(Optional) Maximum number of entities that this operation should return. |
| Query |
(Optional) Query using which you want to retrieve top accessed entities information from Interset. A query can accept the following parameters:
userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. risk: Allows filtering by risk levels, which are low, medium, high, or extreme. anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
|
| Start Time |
(Optional) Start time from when you want to retrieve top accessed entities from Interset. If no value is provided, the start time of the dataset is used. |
| End Time |
(Optional) End time till when you want to retrieve top accessed entities from Interset. If no value is provided, the end time of the dataset is used. |
Output
The output contains the following populated JSON schema:
{
"data": {},
"requestTime": "",
"cached": ""
}
operation: Get Top Risky Entities
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated top riskiest entities you want to retrieve from Interset. |
| Entity Type |
Entity type whose associated top riskiest entities you want to retrieve from Interset.
For example, user, volume, printer, website, etc. |
| Sort |
(Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End. |
| Format |
(Optional) Format in which you want this operation to return the response. When this is set to "long", the top alert information for the entity is included in the response. |
| Query |
(Optional) Query using which you want to retrieve top riskiest entities information from Interset. A query can accept the following parameters:
userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. risk: Allows filtering by risk levels, which are low, medium, high, or extreme. anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
|
| Markup |
Select this option, i.e., set it to true, to include handlebar markup in alert text. In this case, anomalies might contain markup tags in double curly braces, {{ and }}.
When this option is cleared, i.e, set as false, the returned anomalies contain only plain English text that can be displayed directly without further processing. |
| Time Zone |
(Optional) Timezone in which you want the results to be returned.
For example, +5:00, America/Montreal, EST |
| Count |
(Optional) Maximum number of entities that this operation should return. |
| Scroll ID |
(Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results. |
| Keep Alive |
(Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes. |
| Start Time |
(Optional) Start time from when you want to retrieve top riskiest entities from Interset. If no value is provided, the start time of the dataset is used. |
| End Time |
(Optional) End time till when you want to retrieve top riskiest entities from Interset. If no value is provided, the end time of the dataset is used. |
Output
The output contains the following populated JSON schema:
{
"totalHits": "",
"data": [
{
"riskChange": "",
"lastActivity": "",
"risk": "",
"entityType": "",
"preDecayedRisk": "",
"entityName": "",
"storyCount": "",
"entityHash": "",
"tags": [
{
"description": "",
"id": "",
"source": "",
"name": ""
}
],
"mostSignificantAlert": "",
"decayedToTimestamp": ""
}
],
"requestTime": "",
"scrollId": "",
"cached": ""
}
operation: Get Anomalies/Alerts/Aggregates
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated anomalies, alerts, or aggregates you want to retrieve from Interset. |
| Rollup Level |
Level at which anomalies are combined. Aggregates combine similar alerts within the same time period across entities. Alerts combine similar anomalies within the same time period for a single entity. You can choose between Anomalies, Aggregates, or Alerts. |
| Rollup ID |
ID of the aggregate, alert, or anomaly that you want to retrieve from Interset. |
| Count |
(Optional) Maximum number of anomalies, alerts, or aggregates that this operation should return. |
| Sort |
(Optional) Select the method of sorting the results You can choose from Timestamp or Risk. |
| Sort Order |
(Optional) Sort order that you can apply to the result that is retrieved from Interset.
You can choose either Ascending or Descending.
|
| Risk Sort |
(Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End. |
| Minimum Risk |
(Optional) Minimum threshold of anomaly/alert risk below which all anomalies/alerts should be excluded from the results. |
| Maximum Risk |
(Optional) Maximum threshold of anomaly/alert risk below which all anomalies/alerts should be excluded from the results. |
| Query |
(Optional) Query using which you want to retrieve anomalies, alerts, or aggregates from Interset. A query can accept the following parameters:
userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. risk: Allows filtering by risk levels, which are low, medium, high, or extreme. anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
|
| Markup |
Select this option, i.e., set it to true, to include handlebar markup in alert text. In this case, anomalies might contain markup tags in double curly braces, {{ and }}.
When this option is cleared, i.e, set as false, the returned anomalies contain only plain English text that can be displayed directly without further processing. |
| Scroll ID |
(Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results. |
| Keep Alive |
(Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes. |
| Start Time |
(Optional) Start time from when you want to retrieve anomalies, alerts, or aggregates from Interset. If no value is provided, the start time of the dataset is used. |
| End Time |
(Optional) End time till when you want to retrieve anomalies, alerts, or aggregates from Interset. If no value is provided, the end time of the dataset is used. |
Output
The output contains the following populated JSON schema:
{
"totalHits": "",
"scrollId": "",
"data": [
{
"alertId": "",
"datasource": "",
"risk": "",
"category": "",
"templates": {
"family": "",
"teaser": "",
"alert": "",
"threat": "",
"tooltip": ""
},
"bucketSize": "",
"numChildren": "",
"contextType": "",
"kibana": {
"indexName": "",
"startTime": "",
"searchQuery": "",
"endTime": ""
},
"anomalyTypes": [],
"contribution": "",
"rollupLevel": "",
"tags": [],
"sql": {
"searchQuery": ""
},
"parentId": "",
"numAnomalies": "",
"timestamp": "",
"id": "",
"generic": {
"timeRangeQuery": "",
"searchQuery": ""
},
"contextAnomalyId": "",
"significance": ""
}
],
"requestTime": "",
"queryTime": "",
"cached": ""
}
operation: Search Users
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated users you want to retrieve from Interset. |
| Search for |
Select the search criteria using which you want to search for users in Interset. You can choose from the following options: Top Exit Produces, Top Failed Login, Top Risky Days, Top Screen Captures, or Top Violation Producers. |
| Count |
(Optional) Maximum number of users that this operation should return. |
| Query |
(Optional) Query using which you want to retrieve users from Interset. A query can accept the following parameters:
userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. risk: Allows filtering by risk levels, which are low, medium, high, or extreme. anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
|
| Start Time |
(Optional) Start time from when you want to search for users in Interset. If no value is provided, the start time of the dataset is used. |
| End Time |
(Optional) End time till when you want to search for users in Interset. If no value is provided, the end time of the dataset is used. |
Output
The output contains the following populated JSON schema:
Output schema if '' is 'Top Exit Producers'
{
"data": {},
nbsp; "requestTime": "",
"cached": ""
}
Output schema if 'Search for' is 'Top Failed Login'
{
"data": [
{
"totalFailed": "",
"entityName": "",
"entityHash": "",
"totalSuccess": ""
}
],
"requestTime": "",
"cached": ""
}
Output schema if 'Search for' is 'Top Risky Days'
{
"data": [
{
"timestamp": "",
"risk": ""
}
],
"requestTime": "",
"cached": ""
}
operation: Get Working Hours
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated working hours you want to retrieve from Interset. |
| Working Hours For |
Select the entity type for which you want to retrieve working hours. You can choose between User or Organization.
If you choose 'User', then you must specify the following parameters:
- Time Span: Timespan for which you want to retrieve working hours from Interset. You can choose between Daily or Weekly.
- User Hash: Element hash of the user entity whose associated working hours you want to retrieve from Interset. For example,
393ff13c9b519ec2
If you choose 'Organization', then you must specify the following parameter:
- Time Span: Timespan for which you want to retrieve working hours from Interset. You can choose between Daily or Weekly.
|
Output
The output contains the following populated JSON schema:
{
"data": [
{
"expected": "",
"minute": ""
}
],
"requestTime": "",
"cached": ""
}
operation: Create Tag
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant for which you want to create a tag in Interset. |
| Tag Name |
Name for the tag that you want to create in the specified tenant in Interset. |
| Description |
(Optional) Description of the tag that you want to create in Interset. |
Output
The output contains the following populated JSON schema:
{
"requestTime": "",
"data": {
"created": "",
"entities": [],
"source": "",
"description": "",
"createdBy": "",
"modifiedBy": "",
"id": "",
"modified": "",
"name": ""
},
"cached": ""
}
operation: Get Tags
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated tags you want to retrieve from Interset. |
| Source |
Select how the tag was created. Tags can be created either by a User through the UI or by Analytics. |
| Query |
(Optional) Query using which you want to retrieve tags from Interset. A query can accept the following parameters:
userid: Allows filtering using the entityHash. Use serverid, projectid, and so on, to filter on other types of scored entities. user: Allows filtering using the entityName. Use server, project, and soon, to filter on other types of scored entities. risk: Allows filtering by risk levels, which are low, medium, high, or extreme. anomalies: Allows filtering by anomaly types. For example, anomalies:201,202.
|
| Text To Search |
(Optional) Text that you want to use to match tags by name. |
Output
The output contains the following populated JSON schema:
{
"data": [
{
"created": "",
"entities": [],
"source": "",
"description": "",
"createdBy": "",
"modifiedBy": "",
"id": "",
"modified": "",
"name": ""
}
],
"requestTime": "",
"cached": ""
}
operation: Delete Tag
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant from which you want to delete the specified tag in Interset. |
| Tag |
Name of tag that you want to delete from the specified tenant in Interset. |
Output
The output contains the following populated JSON schema:
{
"data": {
"message": ""
},
"requestTime": "",
"cached": ""
}
operation: Get Entities By Tags
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant whose associated entities you want to retrieve from Interset. |
| Entities For |
Select whether you want to retrieve entities from Interset for a single tag or for multiple tags.
If you choose 'Single Tag', then you must specify the following parameters:
- Tag Name: Name of tag whose associated entities you want to retrieve from Interset.
- Element type: Type of element with which the tag is associated. You can select from Alerts, Anomalies, or Entities.
If you choose 'Multiple Tags', then you must specify the following parameters:
- Matches: Indicates whether the returned entities must have any or all of the specified tags. Possible values are "Any" (return entities with any of the specified tags) or "All" (return entities with all the specified tags).
- Tags: List of tags, In CSV or List format, whose associated entities you want to retrieve from Interset. For example,
['tag1', 'tag2'] or tag1, tag2
|
| Count |
(Optional) Maximum number of tagged elements that this operation should return. |
| Scroll ID |
(Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results. |
Output
The output contains the following populated JSON schema:
{
"data": [
{
"entityName": "",
"entityHash": "",
"entityType": ""
}
],
"requestTime": "",
"cached": ""
}
operation: Add Tag To Elements
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant in whose associated elements you want to add the specified tags. |
| Tag Name |
Name of tag that you want to add to the specified element type and hash. |
| Element type |
Type of element with which you want to associate the tag that you want to add in Interset. |
| Element Hashes |
List element hashes in CSV or list format to which you want to add the tag. For example, 393ff13c9b519ec2. |
| Retries |
Number of times to retry the update operation if a conflict occurs. |
Output
The output contains the following populated JSON schema:
{
"data": {
"message": ""
},
"requestTime": "",
"cached": ""
}
operation: Remove Tag From Elements
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant from whose associated elements you want to remove the specified tags. |
| Tag Name |
Name of tag that you want to remove from the specified element type and hash. |
| Element type |
Type of element that is associated with the tag that you want to remove from Interset. |
| Element Hashes |
List element hashes in CSV or list format to which you want to add the tag. For example, 393ff13c9b519ec2. |
| Retries |
Number of times to retry the update operation if a conflict occurs. |
Output
The output contains the following populated JSON schema:
{
"data": {
"message": ""
},
"requestTime": "",
"cached": ""
}
operation: Get Anomaly Weights
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant for which you want to retrieve anomaly weights from Interset. |
| Get Anomaly Weights |
You can choose to retrieve the weights for all configured anomalies by selecting For ALL Anomalies, or you can choose to retrieve weights for specific configured anomalies by selecting By Anomaly Type.
If you select 'By Anomaly Type', then you have to specify the following parameters:
- DID: The Data ID, which is a differentiator between data sources of the same type, for example, Perforce and SharePoint repository data. The value of DID is usually 0. A value of -1 refers to all DIDs at once.
- Anomaly Type: Type of anomaly whose weight you want to retrieve from Interset, for example, 212.
|
Output
The output contains the following populated JSON schema:
{
"weight": "",
"anomalyType": "",
"importance": "",
"did": "",
"defaultWeight": ""
}
operation: Set Anomaly Weight
Input parameters
| Parameter |
Description |
| Tenant ID |
ID of the tenant for which you want to set the anomaly weights in Interset. |
| DID |
The Data ID, which is a differentiator between data sources of the same type, for example, Perforce and SharePoint repository data. The value of DID is usually 0. A value of -1 refers to all DIDs at once. |
| Anomaly Type |
Type of anomaly whose weight you want to set in Interset, for example, 212. |
| Weight |
Value of weight that you want to assign to the anomaly type you have specified, |
Output
The output contains the following populated JSON schema:
{
"weight": ""
}
Included playbooks
The Sample - Micro Focus Interset - 1.0.0 playbook collection comes bundled with the Micro Focus Interset connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPsTM after importing the Micro Focus Interset connector.
- Anomaly: Get Anomaly Weights
- Anomaly: Set Anomaly Weights
- Entity: Get Associated Entities
- Entity: Get Entities
- Entity: Get Entity Details
- Entity: Get Entity Risk Distribution
- Entity: Get Entity Risk Graph
- Entity: Get Entity Risk Score
- Entity: Get Top Accessed Entities
- Entity: Get Top Risky Entities
- Get Anomalies/Alerts/Aggregates
- Get Authentication Attempts
- Get Bot Users
- Get Context
- Get Raw Events
- Get Session
- Get Working Hours
- > Interset > Fetch
- Interset > Ingest
- >> Interset > Init Macros
- Interset > Monitor User Risk Score
This playbook demonstrates a use case in which the playbook monitors the risk score of a user for the specified timeframe and creates an alert if the risk score is higher than the set threshold. If the risk score is lower than the set threshold, then the playbook adds a comment and again monitors the user for the next 24 hrs to check whether the user's risk score is increasing or not, and based on the results, updates the severity of the alert.
- Interset > Notify User Risk Score
This playbook demonstrates a use case in which the playbook sends notifications of the risk score of the user using Slack messages and emails.
- Search Users
- Tag: Add Tag To Elements
- Tag: Create Tag
- Tag: Delete Tag
- Tag: Get Entities By Tags
- Tag: Get Tags
- Tag: Remove Tag From Elements
- Workflow: Delete Rule
- Workflow: Get Rules
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
