Interset is an investigation and hunting interface. It uses security analytics and machine learning to generate prioritized threat leads, so that a SOC can act on them efficiently before data is stolen.
This document provides information about the Micro Focus Interset connector, which facilitates automated interactions with an Interset server using FortiSOAR™ playbooks. Add the Micro Focus Interset connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about the current session or creating a new tag for the specified tenant in Interset.
Connector Version: 1.0.0
FortiSOAR™ versions Tested on: 5.1.3-30 and 6.0.0-790
Authored By: Fortinet
Certified: Yes
You can use the "Data Ingestion Wizard" to easily ingest Interset data, i.e., alerts, aggregates, or anomalies, into FortiSOAR™. The following playbooks have been added for data ingestion:
Important: While configuring data ingestion in FortiSOAR™ Version 5.1.1, picklists do not map correctly, for example, the Severity picklist. To ensure that picklists map correctly, enter the following (considering the Severity picklist) in the picklist field:
{{vars.item.incident_data.attributes.eventSeverityCat | resolveRange(vars.alerts_severity_map)}}
This issue has been resolved in FortiSOAR™ Version 6.0.0.
For more information on the Data Ingestion Wizard, see the "Connectors Guide" in FortiSOAR™ product documentation.
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as the root user to install connectors:
yum install cyops-connector-micro-focus-interset
For the procedure to configure a connector, click here
In FortiSOAR™ , on the Connectors page, click the Micro Focus Interset connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server Address | IP address or FQDN of the Interset server to which you will connect and perform the automated operations. |
Username | Username to access the Interset server to which you will connect and perform the automated operations. |
Password | Password to access the Interset server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. Leave it set to True in production: with verification disabled the connector accepts any certificate, so the username and password above can be captured by anyone able to stand in for the Interset server. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Session | Retrieves information about the current session from Interset. | get_session_info Investigation |
Get Raw Events | Retrieves raw events, in the CSV or JSON format, from Interset based on the tenant ID and other input parameters you have specified. | get_raw_events Investigation |
Get Rules | Retrieves JSON representations of all workflows for the specified tenant from Interset based on the tenant ID you have specified. | get_workflows Investigation |
Delete Rule | Deletes all workflows for the specified tenant from Interset based on the tenant ID you have specified. Warning: This operation deletes all the existing workflows for the specified tenant. Use with caution. | delete_rule Investigation |
Get Authentication Attempts | Provides an overview of the number of successful and failed authentication attempts made against servers based on the tenant ID and other input parameters you have specified. | get_authentication_attempts Investigation |
Get Context | Retrieves the context and statistics for the specified anomaly, alert, or aggregate from Interset based on the tenant ID, rollup level, and rollup ID you have specified. | get_context Investigation |
Get Entities | Retrieves entities from Interset based on the entity type, tenant ID and other input parameters you have specified. The entities are sorted by entityName. | get_entities Investigation |
Get Entity Details | Retrieves the entity's name, type, bot score, tags and clusters from Interset based on the entity hash and tenant ID you have specified. | get_entity_details Investigation |
Get Associated Entities | Retrieves two sets of top entities associated with the specified entity: one sorted by entity risk scores and the other sorted by accesses to or from that entity, from Interset based on the tenant ID, entity hash and other input parameters you have specified. Note: An entity is considered to be associated with another if they occur together in the same anomaly at least once within the selected time window. | get_associated_entities Investigation |
Get Entity Risk Graph | Retrieves a timeline of an entity's risk scores for a given time range from Interset based on the tenant ID, entity hash and other input parameters you have specified. Note: The risk returned in each time bucket represents the maximum risk for that entity within that bucket's time range. | get_entity_risk_graph Investigation |
Get Bot Users | Retrieves bot users sorted by descending bot score from Interset based on the tenant ID and sort order you have specified. Note: Sort order is applied to the bot score. | get_bot_users Investigation |
Get Entity Risk Score | Retrieves the current risk score for the specified entity for the specified time range from Interset based on the tenant ID, entity hash and other input parameters you have specified. | get_entity_risk_score Investigation |
Get Entity Risk Distribution | Provides an overview of how many entities of the specified type are associated with each risk level at the most current time in the dataset based on the tenant ID and other input parameters you have specified. | get_entity_risk_distribution Investigation |
Get Top Accessed Entities | Retrieves a list of entities, ordered by the number of times they were accessed, from Interset based on the tenant ID, entity type, and other input parameters you have specified. | get_top_accessed_entities_by_entitytype Investigation |
Get Top Risky Entities | Retrieves a list of the top riskiest entities by type from Interset based on the tenant ID, entity type, and other input parameters you have specified. | get_top_risky_entities_by_entitytype Investigation |
Get Anomalies/Alerts/Aggregates | Retrieves anomalies, alerts, or aggregates for the specified rollup and tenant from Interset based on the tenant ID, rollup level, rollup ID, and other input parameters you have specified. | get_anomalies_alerts_aggregates Investigation |
Search Users | Searches for users on Interset based on the tenant ID, specified query, and other input parameters you have specified. | search_users Investigation |
Get Working Hours | Retrieves an array of expected activity for the specified user or organization for each half hour of the day from Interset based on the tenant ID, time span and other input parameters you have specified. The minute represents the beginning of the half-hour period, and the expected value represents the level of activity expected for that half-hour period. The expected values form a histogram and are not normalized to a particular scale. | get_working_hours Investigation |
Create Tag | Creates a new tag for the specified tenant in Interset based on the tenant ID and tag you have specified. | create_tag Investigation |
Get Tags | Retrieves all tags for the specified tenant from Interset based on the tenant ID and other input parameters you have specified. Tags can be configured either by a user through the UI, or by Analytics. The payload specifies the source of the tag. | get_tags Investigation |
Delete Tag | Deletes the specified tag from the specified tenant based on the tenant ID and tag name you have specified. | delete_tag Investigation |
Get Entities By Tags | Retrieves entities that match the specified tags from Interset based on the tenant ID, entity type, and other input parameters you have specified. | get_entities_by_tags Investigation |
Add Tag To Elements | Adds a tag to a list of elements of the same type in Interset based on the tenant ID, tag name, element type and other input parameters you have specified. | add_tag_to_elements Investigation |
Remove Tag From Elements | Deletes a tag from a list of elements of the same type from Interset based on the tenant ID, tag name, element type and other input parameters you have specified. | remove_tag_from_elements Investigation |
Get Anomaly Weights | Retrieves weights for all configured anomalies based on the tenant ID or for specific anomalies based on the tenant ID, DID and anomaly type you have specified. | get_anomaly_weights Investigation |
Set Anomaly Weight | Sets the weight of an anomaly that is associated with the tenant, DID, and anomaly type you have specified. | set_anomaly_weight Investigation |
This operation (Get Session) takes no input parameters.
The output contains the following populated JSON schema:
{
"extendedApis": {},
"accessToken": "",
"persistentSessions": "",
"userDisplayName": "",
"analyticsTuningAvailable": "",
"roles": [
{
"hasSensorProxy": "",
"tenantName": "",
"features": [],
"tenantId": "",
"role": "",
"userId": ""
}
],
"userId": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated raw events you want to retrieve from Interset. |
Query | (Optional) Kibana-type query using which you want to retrieve raw events from Interset. For example, ( user:("camilla")) AND (project:("csrv/rel3/Auditor")) |
Category | (Optional) Category, such as VPN or Endpoint, of the raw events whose details you want to retrieve from Interset. |
Count | (Optional) Maximum number of raw events that this operation should return. |
Time Zone | (Optional) Timezone in which you want the results to be returned. For example, +5:00, America/Montreal, EST |
Start Time | (Optional) Start time from when you want to retrieve raw events from Interset. If no value is provided, then the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve raw events from Interset. If no value is provided, then the end time of the dataset is used. |
Response Format | (Optional) Format in which you want this operation to return the response. You can choose either CSV or JSON. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated workflow information you want to retrieve from Interset. |
The output contains the following populated JSON schema:
{
"whereType": {
"display": "",
"name": ""
},
"modDate": "",
"behavior": {
"display": "",
"icon": "",
"name": ""
},
"risk": {
"operator": {
"display": "",
"name": ""
},
"value": "",
"property": {
"display": "",
"type": "",
"name": ""
},
"conjunction": {
"display": "",
"name": ""
}
},
"source": {
"icon": "",
"display": "",
"name": ""
},
"uuid": "",
"actions": [
{
"content": {
"severity": ""
},
"property": {
"icon": "",
"display": "",
"name": ""
}
}
],
"drl": "",
"name": "",
"validConfig": "",
"conditions": [],
"user": {
"property": {
"display": "",
"type": "",
"name": ""
}
},
"active": "",
"creationDate": "",
"trigger": {
"entity": "",
"properties": [
{
"display": "",
"type": "",
"name": ""
}
],
"display": "",
"name": "",
"icon": ""
},
"debug": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose workflows you want to delete from Interset. |
The output contains the following populated JSON schema:
{
"result": [],
"message": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated authentication attempts you want to retrieve from Interset. |
Query | (Optional) Query using which you want to retrieve authentication attempts information from Interset. A query can accept the following parameters: |
Start Time | (Optional) Start time from when you want to retrieve authentication attempts information from Interset. If no value is provided, then the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve authentication attempts information from Interset. If no value is provided, then the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"data": {
"succeeded": "",
"failed": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated anomaly's context and statistics you want to retrieve from Interset. |
Rollup Level | Level at which anomalies are combined. Aggregates combine similar alerts within the same time period across entities. Alerts combine similar anomalies within the same time period for a single entity. You can choose between Anomalies, Aggregates, or Alerts. |
Rollup ID | ID of the aggregate, alert, or anomaly whose context and statistics you want to retrieve from Interset. |
The output contains the following populated JSON schema:
Output schema if 'Rollup Level' is 'Alerts'
{
"data": {
"unit": "",
"threat": "",
"contextType": "",
"values": [
{
"value": "",
"description": "",
"displayName": "",
"key": "",
"type": ""
}
],
"bucketSize": "",
"unitDescription": "",
"threatDescription": "",
"unitType": ""
},
"requestTime": "",
"cached": ""
}
Output schema if 'Rollup Level' is 'Anomalies'
{
"data": {
"unit": "",
"threat": "",
"contextType": "",
"values": [
{
"value": [
{
"expected": "",
"minute": ""
}
],
"description": "",
"displayName": "",
"key": "",
"type": ""
}
],
"bucketSize": "",
"unitDescription": "",
"threatDescription": "",
"unitType": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entities you want to retrieve from Interset. |
Entity Type | Entity type that you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Count | (Optional) Maximum number of entities that this operation should return. |
Sort Order | (Optional) Sort order that you can apply to the result that is retrieved from Interset. You can choose either Ascending or Descending. |
Scroll ID | (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results. |
Keep Alive | (Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes. |
The output contains the following populated JSON schema:
{
"totalHits": "",
"data": [
{
"entityName": "",
"entityHash": "",
"tags": [],
"entityType": ""
}
],
"requestTime": "",
"scrollId": "",
"cached": ""
}
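Scroll ID and Keep Alive implement cursor-style paging: each response carries a scrollId that you pass back to fetch the next page, and the server keeps that cursor only for the Keep Alive window. The following is an added example, not code from the connector or from Micro Focus: the Interset server side is simulated in memory (an assumption about its behaviour, modelling only the fields in the Get Entities output schema above), and the client loop shows how a playbook should page until totalHits is reached and how an expired cursor surfaces. The same pattern applies to Get Top Risky Entities and Get Anomalies/Alerts/Aggregates, which take the same two parameters.

```python
"""Scroll-style paging over an Interset entity listing (added example, offline)."""
import secrets
import time
from typing import Callable, Dict, List, Optional

# Constructed sample: the entities the simulated tenant returns, shaped like the
# `data` items of the Get Entities output schema (not real Interset data).
SAMPLE_ENTITIES: List[Dict] = [
    {"entityName": f"user{i:02d}", "entityHash": f"{i:016x}", "tags": [], "entityType": "user"}
    for i in range(1, 8)
]


class FakeIntersetScroll:
    """ASSUMED server behaviour: a cursor is issued per response and is valid for
    keep_alive milliseconds; presenting an unknown or expired cursor is an error."""

    def __init__(self, entities: List[Dict], clock: Callable[[], float] = time.monotonic):
        # Interset returns entities sorted by entityName; mirror that here.
        self._entities = sorted(entities, key=lambda e: e["entityName"])
        self._clock = clock
        self._cursors: Dict[str, Dict] = {}  # scrollId -> {"offset": int, "expires": float}

    def get_entities(self, tenant_id: str, entity_type: str, count: int,
                     scroll_id: Optional[str] = None, keep_alive_ms: int = 300_000) -> Dict:
        now = self._clock()
        if scroll_id is None:
            offset = 0
        else:
            cursor = self._cursors.pop(scroll_id, None)
            if cursor is None or cursor["expires"] < now:
                raise RuntimeError(f"scroll context expired or unknown: {scroll_id}")
            offset = cursor["offset"]
        matching = [e for e in self._entities if e["entityType"] == entity_type]
        page = matching[offset:offset + count]
        new_id = secrets.token_hex(8)
        self._cursors[new_id] = {"offset": offset + len(page),
                                 "expires": now + keep_alive_ms / 1000.0}
        return {"totalHits": len(matching), "data": page, "requestTime": now,
                "scrollId": new_id, "cached": False}


def fetch_all_entities(client, tenant_id: str, entity_type: str, page_size: int = 3,
                       keep_alive_ms: int = 300_000, max_pages: int = 1000) -> List[Dict]:
    """Follow scrollId page by page until totalHits is reached or a page is empty.

    max_pages bounds the loop so a server that keeps returning data can never
    pin a playbook forever.
    """
    collected: List[Dict] = []
    scroll_id: Optional[str] = None
    for _ in range(max_pages):
        resp = client.get_entities(tenant_id, entity_type, page_size, scroll_id, keep_alive_ms)
        collected.extend(resp["data"])
        scroll_id = resp["scrollId"]
        if not resp["data"] or len(collected) >= resp["totalHits"]:
            break
    return collected


if __name__ == "__main__":
    names = [e["entityName"] for e in fetch_all_entities(FakeIntersetScroll(SAMPLE_ENTITIES), "t1", "user")]
    print(names)
```

Keep Alive only needs to cover the gap between two consecutive page requests, not the whole run; the loop above passes the same value on every call, so the cursor is renewed each time.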
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entity details you want to retrieve from Interset. |
Entity Type | Type of the entity whose details you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Entity Hash | Element hash of the entity whose details you want to retrieve from Interset. For example, 393ff13c9b519ec2 |
The output contains the following populated JSON schema:
{
"data": {
"entityHash": "",
"clusters": [],
"entityType": "",
"entityName": "",
"botScore": "",
"tags": []
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entities you want to retrieve from Interset. |
Entity Type | Entity type whose associated entities you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Entity Hash | Element hash of the entity whose associated entities you want to retrieve from Interset. For example, 393ff13c9b519ec2 |
Count | (Optional) Maximum number of associated entities that this operation should return. |
Risk Sort | (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End. |
Start Time | (Optional) Start time from when you want to get associated entities from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to get associated entities from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"data": {
"accesses": {
"project": [
{
"accesses": "",
"entityName": "",
"entityHash": "",
"risk": "",
"entityType": ""
}
],
"server": [
{
"accesses": "",
"entityName": "",
"entityHash": "",
"risk": "",
"entityType": ""
}
]
},
"risk": {
"project": [
{
"accesses": "",
"entityName": "",
"entityHash": "",
"risk": "",
"entityType": ""
}
],
"server": [
{
"accesses": "",
"entityName": "",
"entityHash": "",
"risk": "",
"entityType": ""
}
]
}
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entity's risk graph you want to retrieve from Interset. |
Entity Type | Entity type whose associated risk graph you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Entity Hash | Element hash of the entity whose associated risk graph you want to retrieve from Interset. For example, 393ff13c9b519ec2 |
Count | (Optional) Maximum number of time buckets that this operation should return between start time and end time. Each time bucket contains the entity's maximum risk in that time range. |
Interval | (Optional) The interval of the time bucket; this parameter supersedes the count parameter. Accepted values are: "day". Buckets are broken down based on the requested time zone. |
Time Zone | (Optional) Timezone in which you want the results to be returned. For example, +5:00, America/Montreal, EST |
Start Time | (Optional) Start time from when you want to get the risk graph of the entity from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to get the risk graph of the entity from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"data": [
{
"timestamp": "",
"risk": ""
}
],
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose bot users you want to retrieve from Interset. |
Count | (Optional) Maximum number of bot users that this operation should return. |
The output contains the following populated JSON schema:
{
"data": [
{
"entityName": "",
"entityHash": "",
"tags": [
{
"description": "",
"id": "",
"source": "",
"name": ""
}
],
"risk": "",
"entityType": ""
}
],
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entity's risk score you want to retrieve from Interset. |
Entity Type | Entity type whose associated risk score you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Entity Hash | Element hash of the entity whose associated risk score you want to retrieve from Interset. For example, 393ff13c9b519ec2 |
Sort | (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End. |
Format | (Optional) Format in which you want this operation to return the response. When this is set to "long", the top alert information for the entity is included in the response. |
Markup | Select this option, i.e., set it to true, to include handlebar markup in the alert text. In this case, anomalies might contain template tags in double curly braces, {{ and }}, which a later step must render before the text is displayed. When this option is cleared, i.e., set to false, the returned anomalies contain only plain English text that can be written directly into a record without further processing. |
Time Zone | (Optional) Timezone in which you want the results to be returned. For example, +5:00, America/Montreal, EST |
Start Time | (Optional) Start time from when you want to retrieve the risk score from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve the risk score from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"data": {
"riskChange": "",
"lastActivity": "",
"risk": "",
"entityType": "",
"preDecayedRisk": "",
"entityName": "",
"storyCount": "",
"entityHash": "",
"tags": [
{
"description": "",
"id": "",
"source": "",
"name": ""
}
],
"mostSignificantAlert": {
"alertId": "",
"datasource": "",
"risk": "",
"category": "",
"templates": {
"family": "",
"teaser": "",
"alert": "",
"threat": "",
"tooltip": ""
},
"bucketSize": "",
"numChildren": "",
"contextType": "",
"kibana": {
"indexName": "",
"searchQuery": ""
},
"anomalyTypes": [],
"contribution": "",
"rollupLevel": "",
"parentId": "",
"numAnomalies": "",
"timestamp": "",
"id": "",
"contextAnomalyId": "",
"significance": ""
},
"decayedToTimestamp": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entity's risk distribution you want to retrieve from Interset. |
Entity Type | Entity type whose associated risk distribution you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Query | (Optional) Query using which you want to retrieve entity risk distribution information from Interset. A query can accept the following parameters: |
Start Time | (Optional) Start time from when you want to retrieve risk distribution from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve risk distribution from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"data": {
"risks": {
"low": "",
"high": "",
"extreme": "",
"total": "",
"medium": ""
},
"count": "",
"entityTypes": [],
"name": "",
"type": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated top accessed entities you want to retrieve from Interset. |
Entity Type | Entity type whose associated top accessed entities you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Count | (Optional) Maximum number of entities that this operation should return. |
Query | (Optional) Query using which you want to retrieve top accessed entities information from Interset. A query can accept the following parameters: |
Start Time | (Optional) Start time from when you want to retrieve top accessed entities from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve top accessed entities from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"data": {},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated top riskiest entities you want to retrieve from Interset. |
Entity Type | Entity type whose associated top riskiest entities you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Sort | (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End. |
Format | (Optional) Format in which you want this operation to return the response. When this is set to "long", the top alert information for the entity is included in the response. |
Query | (Optional) Query using which you want to retrieve top riskiest entities information from Interset. A query can accept the following parameters: |
Markup | Select this option, i.e., set it to true, to include handlebar markup in the alert text. In this case, anomalies might contain template tags in double curly braces, {{ and }}, which a later step must render before the text is displayed. When this option is cleared, i.e., set to false, the returned anomalies contain only plain English text that can be written directly into a record without further processing. |
Time Zone | (Optional) Timezone in which you want the results to be returned. For example, +5:00, America/Montreal, EST |
Count | (Optional) Maximum number of entities that this operation should return. |
Scroll ID | (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results. |
Keep Alive | (Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes. |
Start Time | (Optional) Start time from when you want to retrieve top riskiest entities from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve top riskiest entities from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"totalHits": "",
"data": [
{
"riskChange": "",
"lastActivity": "",
"risk": "",
"entityType": "",
"preDecayedRisk": "",
"entityName": "",
"storyCount": "",
"entityHash": "",
"tags": [
{
"description": "",
"id": "",
"source": "",
"name": ""
}
],
"mostSignificantAlert": "",
"decayedToTimestamp": ""
}
],
"requestTime": "",
"scrollId": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated anomalies, alerts, or aggregates you want to retrieve from Interset. |
Rollup Level | Level at which anomalies are combined. Aggregates combine similar alerts within the same time period across entities. Alerts combine similar anomalies within the same time period for a single entity. You can choose between Anomalies, Aggregates, or Alerts. |
Rollup ID | ID of the aggregate, alert, or anomaly that you want to retrieve from Interset. |
Count | (Optional) Maximum number of anomalies, alerts, or aggregates that this operation should return. |
Sort | (Optional) Select the method of sorting the results You can choose from Timestamp or Risk. |
Sort Order | (Optional) Sort order that you can apply to the result that is retrieved from Interset. You can choose either Ascending or Descending. |
Risk Sort | (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End. |
Minimum Risk | (Optional) Minimum threshold of anomaly/alert risk below which all anomalies/alerts should be excluded from the results. |
Maximum Risk | (Optional) Maximum threshold of anomaly/alert risk above which all anomalies/alerts should be excluded from the results. |
Query | (Optional) Query using which you want to retrieve anomalies, alerts, or aggregates from Interset. A query can accept the following parameters: |
Markup | Select this option, i.e., set it to true, to include handlebar markup in the alert text. In this case, anomalies might contain template tags in double curly braces, {{ and }}, which a later step must render before the text is displayed. When this option is cleared, i.e., set to false, the returned anomalies contain only plain English text that can be written directly into a record without further processing. |
Scroll ID | (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results. |
Keep Alive | (Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes. |
Start Time | (Optional) Start time from when you want to retrieve anomalies, alerts, or aggregates from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve anomalies, alerts, or aggregates from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"totalHits": "",
"scrollId": "",
"data": [
{
"alertId": "",
"datasource": "",
"risk": "",
"category": "",
"templates": {
"family": "",
"teaser": "",
"alert": "",
"threat": "",
"tooltip": ""
},
"bucketSize": "",
"numChildren": "",
"contextType": "",
"kibana": {
"indexName": "",
"startTime": "",
"searchQuery": "",
"endTime": ""
},
"anomalyTypes": [],
"contribution": "",
"rollupLevel": "",
"tags": [],
"sql": {
"searchQuery": ""
},
"parentId": "",
"numAnomalies": "",
"timestamp": "",
"id": "",
"generic": {
"timeRangeQuery": "",
"searchQuery": ""
},
"contextAnomalyId": "",
"significance": ""
}
],
"requestTime": "",
"queryTime": "",
"cached": ""
}
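This response is what the ingestion playbooks consume, and the picklist mapping described at the top of the page (the `resolveRange` step) is the part that goes wrong on 5.1.1. The following added example, not code from the connector or from the FortiSOAR ingestion playbooks, shows the same transformation in plain Python: a constructed response in the shape of the schema above is filtered by a minimum risk, each item's numeric risk is resolved against a band table to a severity label, and the result is flattened into records sorted highest risk first. The 0-100 risk scale, the band thresholds, the epoch-millisecond timestamp and the record field names are all assumptions made for the example.

```python
"""Post-processing of a Get Anomalies/Alerts/Aggregates response (added example)."""
from datetime import datetime, timezone
from typing import Dict, List, Sequence, Tuple

# ASSUMPTION: Interset risk is a 0-100 score. The bands are illustrative, not
# Interset's own; they play the role of the playbook's severity range map.
# Each entry: (inclusive lower bound, exclusive upper bound, picklist label).
RISK_SEVERITY_MAP: List[Tuple[int, int, str]] = [
    (0, 25, "Low"),
    (25, 50, "Medium"),
    (50, 75, "High"),
    (75, 101, "Critical"),
]


def _alert(alert_id: str, risk: int, category: str, text: str, anomalies: int) -> Dict:
    """Build one constructed item in the shape of the `data` entries in the schema."""
    return {
        "alertId": alert_id, "id": alert_id, "parentId": "", "contextAnomalyId": "",
        "datasource": "repository", "risk": risk, "category": category,
        "rollupLevel": "alert", "bucketSize": "day", "numChildren": anomalies,
        "numAnomalies": anomalies, "contextType": "", "contribution": 0, "significance": 0,
        "templates": {"family": "", "teaser": "", "alert": text, "threat": "", "tooltip": ""},
        "kibana": {"indexName": "interset_repo", "startTime": "", "endTime": "",
                   "searchQuery": 'user:"camilla"'},
        "sql": {"searchQuery": ""}, "generic": {"timeRangeQuery": "", "searchQuery": ""},
        "anomalyTypes": [], "tags": [],
        "timestamp": 1577836800000,  # ASSUMPTION: epoch milliseconds (2020-01-01T00:00:00Z)
    }


# Constructed sample response (not real Interset output).
SAMPLE_RESPONSE: Dict = {
    "totalHits": 3, "scrollId": "c2Nyb2xs", "requestTime": 1577923200000,
    "queryTime": 12, "cached": False,
    "data": [
        _alert("alert-1", 82, "exfiltration", "camilla uploaded an unusual volume of data", 4),
        _alert("alert-2", 31, "access", "camilla accessed an unusual project", 1),
        _alert("alert-3", 7, "access", "camilla worked slightly outside her usual hours", 1),
    ],
}


def resolve_range(value: float, ranges: Sequence[Tuple[int, int, str]]) -> str:
    """Map a numeric value onto a band label; fail loudly instead of guessing."""
    for low, high, label in ranges:
        if low <= value < high:
            return label
    raise ValueError(f"value {value!r} is outside every configured band")


def to_fortisoar_alerts(response: Dict, minimum_risk: int = 25) -> List[Dict]:
    """Flatten the response into alert records, highest risk first.

    The record keys are ASSUMED names chosen for this example; map them onto
    the fields your alert module actually defines.
    """
    records: List[Dict] = []
    for item in response["data"]:
        risk = item["risk"]
        if risk < minimum_risk:  # same intent as the operation's Minimum Risk parameter
            continue
        records.append({
            "name": f"Interset {item['rollupLevel']} {item['id']}",
            "source": "Micro Focus Interset",
            "sourceId": item["id"],
            "severity": resolve_range(risk, RISK_SEVERITY_MAP),
            "riskScore": risk,
            "category": item["category"],
            "description": item["templates"]["alert"],
            "kibanaQuery": item["kibana"]["searchQuery"],
            "anomalyCount": item["numAnomalies"],
            "firstSeen": datetime.fromtimestamp(item["timestamp"] / 1000, tz=timezone.utc).isoformat(),
        })
    records.sort(key=lambda r: r["riskScore"], reverse=True)
    return records


if __name__ == "__main__":
    for rec in to_fortisoar_alerts(SAMPLE_RESPONSE):
        print(rec["severity"], rec["riskScore"], rec["name"])
```

Keeping `kibana.searchQuery` on the record is deliberate: it is the pivot an analyst needs to get from the alert back to the raw events (the Get Raw Events operation accepts a Kibana-style query), and it costs nothing to carry.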
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated users you want to retrieve from Interset. |
Search for | Select the search criteria using which you want to search for users in Interset. You can choose from the following options: Top Exit Producers, Top Failed Login, Top Risky Days, Top Screen Captures, or Top Violation Producers. |
Count | (Optional) Maximum number of users that this operation should return. |
Query | (Optional) Query using which you want to retrieve users from Interset. A query can accept the following parameters: |
Start Time | (Optional) Start time from when you want to search for users in Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to search for users in Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
Output schema if 'Search for' is 'Top Exit Producers'
{
"data": {},
"requestTime": "",
"cached": ""
}
Output schema if 'Search for' is 'Top Failed Login'
{
"data": [
{
"totalFailed": "",
"entityName": "",
"entityHash": "",
"totalSuccess": ""
}
],
"requestTime": "",
"cached": ""
}
Output schema if 'Search for' is 'Top Risky Days'
{
"data": [
{
"timestamp": "",
"risk": ""
}
],
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated working hours you want to retrieve from Interset. |
Working Hours For | Select the entity type for which you want to retrieve working hours. You can choose between User or Organization. If you choose 'User', then you must specify the following parameters: |
The output contains the following populated JSON schema:
{
"data": [
{
"expected": "",
"minute": ""
}
],
"requestTime": "",
"cached": ""
}
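Because the expected values are an un-normalized histogram, a playbook cannot compare them against a fixed number; it has to scale them against the busiest slot of the day first. The following added example, not code from the connector or from Micro Focus, validates a constructed Get Working Hours response of the shape shown above, normalizes it to its peak, and classifies an event time as inside or outside the entity's usual hours. The 25% threshold is an assumption to tune per environment, and the event time is assumed to be a naive datetime already expressed in the same time zone the histogram was computed in.

```python
"""Off-hours check built on a Get Working Hours response (added example)."""
from datetime import datetime
from typing import Dict, List


def _sample_histogram() -> List[Dict]:
    """Constructed sample (not real Interset output): 48 half-hour slots, busy
    09:00-17:30, light 07:00-09:00 and 17:30-20:00, idle overnight."""
    slots = []
    for slot in range(48):
        minute = slot * 30
        hour = minute / 60
        if 9 <= hour < 17.5:
            expected = 120
        elif 7 <= hour < 20:
            expected = 20
        else:
            expected = 0
        slots.append({"expected": expected, "minute": minute})
    return slots


SAMPLE_WORKING_HOURS: Dict = {"data": _sample_histogram(), "requestTime": 0, "cached": False}


def validate_histogram(histogram: List[Dict]) -> None:
    """Reject responses that are not exactly one day of half-hour slots."""
    minutes = sorted(s["minute"] for s in histogram)
    if minutes != list(range(0, 24 * 60, 30)):
        raise ValueError("expected 48 half-hour slots covering one day")


def normalise(histogram: List[Dict]) -> Dict[int, float]:
    """Scale expected activity to [0, 1] against the busiest slot of the day."""
    validate_histogram(histogram)
    peak = max(s["expected"] for s in histogram)
    if peak <= 0:  # no activity at all: every slot is off-hours
        return {s["minute"]: 0.0 for s in histogram}
    return {s["minute"]: s["expected"] / peak for s in histogram}


def slot_for(when: datetime) -> int:
    """Minute-of-day at the start of the half-hour slot containing `when`."""
    return when.hour * 60 + (30 if when.minute >= 30 else 0)


def is_off_hours(response: Dict, when: datetime, threshold: float = 0.25) -> bool:
    """True when expected activity in the event's slot is below threshold * peak.

    ASSUMPTION: `when` is a naive datetime in the histogram's own time zone.
    """
    expected = normalise(response["data"])
    return expected.get(slot_for(when), 0.0) < threshold


if __name__ == "__main__":
    for hhmm in ("03:15", "07:30", "10:45", "19:30"):
        when = datetime.strptime(f"2020-01-01 {hhmm}", "%Y-%m-%d %H:%M")
        print(hhmm, "off-hours" if is_off_hours(SAMPLE_WORKING_HOURS, when) else "working hours")
```

For an organization-level histogram the same function answers "is anyone expected to be active now"; for a user-level one it answers "is this user". Running both and alerting only when the user-level check is off-hours but the organization-level one is not is a cheap way to separate a night-shift team from a single account acting out of pattern.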
Parameter | Description |
---|---|
Tenant ID | ID of the tenant for which you want to create a tag in Interset. |
Tag Name | Name for the tag that you want to create in the specified tenant in Interset. |
Description | (Optional) Description of the tag that you want to create in Interset. |
The output contains the following populated JSON schema:
{
"requestTime": "",
"data": {
"created": "",
"entities": [],
"source": "",
"description": "",
"createdBy": "",
"modifiedBy": "",
"id": "",
"modified": "",
"name": ""
},
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated tags you want to retrieve from Interset. |
Source | Select how the tag was created. Tags can be created either by a User through the UI or by Analytics. |
Query | (Optional) Query using which you want to retrieve tags from Interset. A query can accept the following parameters: |
Text To Search | (Optional) Text that you want to use to match tags by name. |
The output contains the following populated JSON schema:
{
"data": [
{
"created": "",
"entities": [],
"source": "",
"description": "",
"createdBy": "",
"modifiedBy": "",
"id": "",
"modified": "",
"name": ""
}
],
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant from which you want to delete the specified tag in Interset. |
Tag | Name of tag that you want to delete from the specified tenant in Interset. |
The output contains the following populated JSON schema:
{
"data": {
"message": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entities you want to retrieve from Interset. |
Entities For | Select whether you want to retrieve entities from Interset for a single tag or for multiple tags. If you choose 'Single Tag', then you must specify the following parameters: |
Count | (Optional) Maximum number of tagged elements that this operation should return. |
Scroll ID | (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results. |
The output contains the following populated JSON schema:
{
"data": [
{
"entityName": "",
"entityHash": "",
"entityType": ""
}
],
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated elements you want to add the specified tag to. |
Tag Name | Name of the tag that you want to add to the specified element type and hashes. |
Element type | Type of element with which you want to associate the tag that you want to add in Interset. |
Element Hashes | List of element hashes, in CSV or list format, to which you want to add the tag. For example, 393ff13c9b519ec2. |
Retries | Number of times to retry the update operation if a conflict occurs. |
The output contains the following populated JSON schema:
{
"data": {
"message": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant from whose associated elements you want to remove the specified tags. |
Tag Name | Name of the tag that you want to remove from the specified element type and hashes. |
Element type | Type of element that is associated with the tag that you want to remove from Interset. |
Element Hashes | List of element hashes, in CSV or list format, from which you want to remove the tag. For example, 393ff13c9b519ec2. |
Retries | Number of times to retry the update operation if a conflict occurs. |
The output contains the following populated JSON schema:
{
"data": {
"message": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant for which you want to retrieve anomaly weights from Interset. |
Get Anomaly Weights | You can choose to retrieve the weights for all configured anomalies by selecting For ALL Anomalies, or you can choose to retrieve weights for specific configured anomalies by selecting By Anomaly Type. If you select 'By Anomaly Type', then you have to specify the following parameters: |
The output contains the following populated JSON schema:
{
"weight": "",
"anomalyType": "",
"importance": "",
"did": "",
"defaultWeight": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant for which you want to set the anomaly weights in Interset. |
DID | The Data ID, which is a differentiator between data sources of the same type, for example, Perforce and SharePoint repository data. The value of DID is usually 0. A value of -1 refers to all DIDs at once. |
Anomaly Type | Type of anomaly whose weight you want to set in Interset, for example, 212. |
Weight | Value of the weight that you want to assign to the anomaly type you have specified. |
The output contains the following populated JSON schema:
{
"weight": ""
}
The Sample - Micro Focus Interset - 1.0.0 playbook collection comes bundled with the Micro Focus Interset connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the Micro Focus Interset connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Interset is a powerful investigation and hunting interface. It detects threats before data is stolen using security analytics and machine learning to generate prioritized threat leads for SOC efficiency.
This document provides information about the Micro Focus Interset connector, which facilitates automated interactions, with a server using FortiSOAR™ playbooks. Add the Micro Focus Interset connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about the current session or creating a new tag for the specified tenant in Interset.
Connector Version: 1.0.0
FortiSOAR™ versions Tested on: 5.1.3-30 and 6.0.0-790
Authored By: Fortinet
Certified: Yes
You can use the "Data Ingestion Wizard" to easily ingest Interset data, i.e., alerts, aggregates, or anomalies, into FortiSOAR™ . To The following playbooks have been added for data ingestion:
Important: While configuring data ingestion in FortiSOAR™ Version 5.1.1, picklists do not map correctly. For example the Severity picklist. To ensure that picklists map correctly, enter the following (considering the severity picklist) in the picklist field:
{{vars.item.incident_data.attributes.eventSeverityCat | resolveRange(vars.alerts_severity_map)}}
This issue has been resolved in FortiSOAR™ Version 6.0.0.
For more information on the Data Ingestion Wizard, see the "Connectors Guide" in FortiSOAR™ product documentation.
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root
user to install connectors:
yum install cyops-connector-micro-focus-interset
For the procedure to configure a connector, click here
In FortiSOAR™ , on the Connectors page, click the Micro Focus Interset connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server Address | IP address or FQDN of the Interset server to which you will connect and perform the automated operations. |
Username | Username to access the interset server to which you will connect and perform the automated operations. |
Password | Password to access the interset server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Session | Retrieves information about the current session from Interset. | get_session_info Investigation |
Get Raw Events | Retrieves raw events, in the CSV or JSON format, from Interset based on the tenant ID and other input parameters you have specified. | get_raw_events Investigation |
Get Rules | Retrieves JSON representations of all workflows for the specified tenant from Interset based on the tenant ID you have specified. | get_workflows Investigation |
Delete Rule | Deletes all workflows for the specified tenant from Interset based on the tenant ID you have specified. Warning: This operation deletes all the existing workflows for the specified tenant. Use with caution. |
delete_rule Investigation |
Get Authentication Attempts | Provides an overview of the number of successful and failed authentication attempts made against servers based on the tenant ID and other input parameters you have specified. | get_authentication_attempts Investigation |
Get Context | Retrieves the context and statistics for the specified anomaly, alert, or, aggregate from Interset based on the tenant ID, rollup level, and rollup ID you have specified. | get_context Investigation |
Get Entities | Retrieves entities from Interset based on the entity type, tenant ID and other input parameters you have specified. The entities are sorted by entityName. | get_entities Investigation |
Get Entity Details | Retrieves the entity's name, type, bot score, tags and clusters entities from Interset based on the entity hash and tenant ID you have specified | get_entity_details Investigation |
Get Associated Entities | Retrieves two sets of top entities associated with the specified entity: one sorted by entity risk scores and the other sorted by accesses to or from that entity from interset based on the tenant ID, entity hash and other input parameters you have specified. Note: An entity is considered to be associated with another if they occur together in the same anomaly at least once within the selected time window. |
get_associated_entities Investigation |
Get Entity Risk Graph | Retrieves a timeline of an entity's risk scores for a given time range from Interset based on the tenant ID, entity hash and other input parameters you have specified. Note: The risk returned in each time bucket represents the maximum risk for that entity within that bucket's time range. |
get_entity_risk_graph Investigation |
Get Bot Users | Retrieves bot users sorted by the descending bot score from Interset based on the tenant ID and sort order you have specified. Note: Sort order is applied to the bot score. |
get_bot_users Investigation |
Get Entity Risk Score | Retrieves the current risk score for the specified entity for the specified time range from Interset based on the tenant ID, entity hash and other input parameters you have specified. | get_entity_risk_score Investigation |
Get Entity Risk Distribution | Provides an overview of how many entities of the specified type are associated with each risk level at the most current time in the dataset based on the tenant ID and other input parameters you have specified. | get_entity_risk_distribution Investigation |
Get Top Accessed Entities | Retrieves a list of entities, ordered by the number of times they were accessed from Interset based on the tenant ID, entity hash, and other input parameters you have specified. | get_top_accessed_entities_by_entitytype Investigation |
Get Top Risky Entities | Retrieves a list of the top riskiest entities by type from Interset based on the tenant ID, entity type, and other input parameters you have specified. | get_top_risky_entities_by_entitytype Investigation |
Get Anomalies/Alerts/Aggregates | Retrieves anomalies, alerts, or aggregates for the specified rollup and tenant from Interset based on the tenant ID, rollup level, rollup ID, and other input parameters you have specified. | get_anomalies_alerts_aggregates Investigation |
Search Users | Searches for users on Interset based on the tenant ID, specified query, and other input parameters you have specified. | search_users Investigation |
Get Working Hours | Retrieves an array of expected activity for the specified user or organization for each half hour of the day from Interset based on the tenant ID, time span and other input parameters you have specified. The minute represents the beginning of the half-hour period, and the expected value represents the level of activity expected for that half-hour period. The expected values form a histogram and are not normalized to a particular scale. |
get_working_hours Investigation |
Create Tag | Creates a new tag for the specified tenant in Interset based on the tenant ID and tag you have specified. | create_tag Investigation |
Get Tags | Retrieves all tags for the specified tenant from Interset based on the tenant ID and other input parameters you have specified. Tags can be configured either by a user through the UI, or by Analytics. The payload specifies the source of the tag. |
get_tags Investigation |
Delete Tag | Deletes the specified tag from the specified tenant based on the tenant ID and tag name you have specified. | delete_tag Investigation |
Get Entities By Tags | Retrieves entities that match the specified tags from Interset based on the tenant ID, entity type, and other input parameters you have specified. | get_entities_by_tags Investigation |
Add Tag To Elements | Adds a tag to a list of elements of the same type in Interset based on the tenant ID, tag name, element type and other input parameters you have specified. | add_tag_to_elements Investigation |
Remove Tag From Elements | Deletes a tag from a list of elements of the same type from Interset based on the tenant ID, tag name, element type and other input parameters you have specified. | remove_tag_from_elements Investigation |
Get Anomaly Weights | Retrieves weights for all configured anomalies based on the tenant ID or for specific anomalies based on the tenant ID, DID and anomaly type you have specified. | get_anomaly_weights Investigation |
Set Anomaly Weight | Sets the weight of an anomaly that is associated with the tenant, DID, and anomaly type you have specified. | set_anomaly_weight Investigation |
None.
The output contains the following populated JSON schema:
{
"extendedApis": {},
"accessToken": "",
"persistentSessions": "",
"userDisplayName": "",
"analyticsTuningAvailable": "",
"roles": [
{
"hasSensorProxy": "",
"tenantName": "",
"features": [],
"tenantId": "",
"role": "",
"userId": ""
}
],
"userId": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated raw events you want to retrieve from Interset. |
Query | (Optional) Kibana-type query using which you want to retrieve raw events from Interset. For example, ( user:("camilla")) AND (project:("csrv/rel3/Auditor")) |
Category | (Optional) Category, such as VPN, Endpoint, etc, of the raw event whose details you want to retrieve from Interset. |
Count | (Optional) Maximum number of raw events that this operation should return. |
Time Zone | (Optional) Timezone in which you want the results to be returned. For example, +5:00, America/Montreal, EST |
Start Time | (Optional) Start time from when you want to retrieve raw events from Interset. If no value is provided, then the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve raw events from Interset. If no value is provided, then the end time of the dataset is used. |
Response Format | (Optional) Format in which you want this operation to return the response. You can choose between are CSV or JSON. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated workflow information you want to retrieve from Interset. |
The output contains the following populated JSON schema:
{
"whereType": {
"display": "",
"name": ""
},
"modDate": "",
"behavior": {
"display": "",
"icon": "",
"name": ""
},
"risk": {
"operator": {
"display": "",
"name": ""
},
"value": "",
"property": {
"display": "",
"type": "",
"name": ""
},
"conjunction": {
"display": "",
"name": ""
}
},
"source": {
"icon": "",
"display": "",
"name": ""
},
"uuid": "",
"actions": [
{
"content": {
"severity": ""
},
"property": {
"icon": "",
"display": "",
"name": ""
}
}
],
"drl": "",
"name": "",
"validConfig": "",
"conditions": [],
"user": {
"property": {
"display": "",
"type": "",
"name": ""
}
},
"active": "",
"creationDate": "",
"trigger": {
"entity": "",
"properties": [
{
"display": "",
"type": "",
"name": ""
}
],
"display": "",
"name": "",
"icon": ""
},
"debug": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose workflows you want to delete from Interset. |
The output contains the following populated JSON schema:
{
"result": [],
"message": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated authentication attempts you want to retrieve from Interset. |
Query | (Optional) Query using which you want to retrieve authentication attempts information from Interset. A query can accept the following parameters:
|
Start Time | (Optional) Start time from when you want to retrieve authentication attempts information from Interset. If no value is provided, then the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve authentication attempts information from Interset. If no value is provided, then the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"data": {
"succeeded": "",
"failed": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated anomaly's context and statistics you want to retrieve from Interset. |
Rollup Level | Level at which anomalies are combined. Aggregates combine similar alerts within the same time period across entities. Alerts combine similar anomalies within the same time period for a single entity. You can choose between Anomalies, Aggregates, or Alerts. |
Rollup ID | ID of the aggregate, alert, or anomaly whose context and statistics you want to retrieve from Interset. |
The output contains the following populated JSON schema:
Output schema if '' is 'Alerts'
{
"data": {
"unit": "",
"threat": "",
"contextType": "",
"values": [
{
"value": "",
"description": "",
"displayName": "",
"key": "",
"type": ""
}
],
"bucketSize": "",
"unitDescription": "",
"threatDescription": "",
"unitType": ""
},
"requestTime": "",
"cached": ""
}
Output schema if 'Rollup Level' is 'Anomalies'
{
"data": {
"unit": "",
"threat": "",
"contextType": "",
"values": [
{
"value": [
{
"expected": "",
"minute": ""
}
],
"description": "",
"displayName": "",
"key": "",
"type": ""
}
],
"bucketSize": "",
"unitDescription": "",
"threatDescription": "",
"unitType": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entities you want to retrieve from Interset. |
Entity Type | Entity type that you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Count | (Optional) Maximum number of entities that this operation should return. |
Sort Order | (Optional) Sort order that you can apply to the result that is retrieved from Interset.
You can choose either Ascending or Descending. |
Scroll ID | (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results. |
Keep Alive | (Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes. |
The output contains the following populated JSON schema:
{
"totalHits": "",
"data": [
{
"entityName": "",
"entityHash": "",
"tags": [],
"entityType": ""
}
],
"requestTime": "",
"scrollId": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entity details you want to retrieve from Interset. |
Entity Type | Type of entity type whose details you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Entity Hash | Element hash of the entity whose details you want to retrieve from Interset. For example, 393ff13c9b519ec2 |
The output contains the following populated JSON schema:
{
"data": {
"entityHash": "",
"clusters": [],
"entityType": "",
"entityName": "",
"botScore": "",
"tags": []
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entities you want to retrieve from Interset. |
Entity Type | Entity type whose associated entities you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Entity Hash | Element hash of the entity whose associated entities you want to retrieve from Interset. For example, 393ff13c9b519ec2 |
Count | (Optional) Maximum number of associated entities that this operation should return. |
Risk Sort | (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End. |
Start Time | (Optional) Start time from when you want to get associated entities from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to get associated entities from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"data": {
"accesses": {
"project": [
{
"accesses": "",
"entityName": "",
"entityHash": "",
"risk": "",
"entityType": ""
}
],
"server": [
{
"accesses": "",
"entityName": "",
"entityHash": "",
"risk": "",
"entityType": ""
}
]
},
"risk": {
"project": [
{
"accesses": "",
"entityName": "",
"entityHash": "",
"risk": "",
"entityType": ""
}
],
"server": [
{
"accesses": "",
"entityName": "",
"entityHash": "",
"risk": "",
"entityType": ""
}
]
}
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entity's risk graph you want to retrieve from Interset. |
Entity Type | Entity type whose associated risk graph you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Entity Hash | Element hash of the entity whose associated risk graph you want to retrieve from Interset. For example, 393ff13c9b519ec2 |
Count | (Optional) Maximum number of time buckets that this operation should return between start time and end time. Each time bucket contains the entity's maximum risk in that time range. |
Interval | (Optional) The interval of the time bucket; this parameter supersedes the count parameter. Accepted values are: "day". Buckets are broken down based on the requested time zone. |
Time Zone | (Optional) Timezone in which you want the results to be returned. For example, +5:00, America/Montreal, EST |
Start Time | (Optional) Start time from when you want to get the risk graph of the entity from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to get the risk graph of the entity from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:{
"data": [
{
"timestamp": "",
"risk": ""
}
],
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entity's bot users you want to retrieve from Interset. |
Count | (Optional) Maximum number of bot users that this operation should return. |
The output contains the following populated JSON schema:
{
"data": [
{
"entityName": "",
"entityHash": "",
"tags": [
{
"description": "",
"id": "",
"source": "",
"name": ""
}
],
"risk": "",
"entityType": ""
}
],
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entity's risk score you want to retrieve from Interset. |
Entity Type | Entity type whose associated risk score you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Entity Hash | Element hash of the entity whose associated risk score you want to retrieve from Interset. For example, 393ff13c9b519ec2 |
Sort | (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End. |
Format | (Optional) Format in which you want this operation to return the response. When this is set to "long", the top alert information for the entity is included in the response. |
Markup | Select this option, i.e., set it to true, to include handlebar markup in alert text. In this case, anomalies might contain markup tags in double curly braces, {{ and }} .When this option is cleared, i.e, set as false, the returned anomalies contain only plain English text that can be displayed directly without further processing. |
Time Zone | (Optional) Timezone in which you want the results to be returned. For example, +5:00, America/Montreal, EST |
Start Time | (Optional) Start time from when you want to retrieve the risk score from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve the risk score from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"data": {
"riskChange": "",
"lastActivity": "",
"risk": "",
"entityType": "",
"preDecayedRisk": "",
"entityName": "",
"storyCount": "",
"entityHash": "",
"tags": [
{
"description": "",
"id": "",
"source": "",
"name": ""
}
],
"mostSignificantAlert": {
"alertId": "",
"datasource": "",
"risk": "",
"category": "",
"templates": {
"family": "",
"teaser": "",
"alert": "",
"threat": "",
"tooltip": ""
},
"bucketSize": "",
"numChildren": "",
"contextType": "",
"kibana": {
"indexName": "",
"searchQuery": ""
},
"anomalyTypes": [],
"contribution": "",
"rollupLevel": "",
"parentId": "",
"numAnomalies": "",
"timestamp": "",
"id": "",
"contextAnomalyId": "",
"significance": ""
},
"decayedToTimestamp": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entity's risk distribution you want to retrieve from Interset. |
Entity Type | Entity type whose associated risk distribution you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Query | (Optional) Query using which you want to retrieve entity risk distribution information from Interset. A query can accept the following parameters:
|
Start Time | (Optional) Start time from when you want to retrieve risk distribution from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve risk distribution from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"data": {
"risks": {
"low": "",
"high": "",
"extreme": "",
"total": "",
"medium": ""
},
"count": "",
"entityTypes": [],
"name": "",
"type": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated top accessed entities you want to retrieve from Interset. |
Entity Type | Entity type whose associated top accessed entities you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Count | (Optional) Maximum number of entities that this operation should return. |
Query | (Optional) Query using which you want to retrieve top accessed entities information from Interset. A query can accept the following parameters:
|
Start Time | (Optional) Start time from when you want to retrieve top accessed entities from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve top accessed entities from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"data": {},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated top riskiest entities you want to retrieve from Interset. |
Entity Type | Entity type whose associated top riskiest entities you want to retrieve from Interset. For example, user, volume, printer, website, etc. |
Sort | (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End. |
Format | (Optional) Format in which you want this operation to return the response. When this is set to "long", the top alert information for the entity is included in the response. |
Query | (Optional) Query using which you want to retrieve top riskiest entities information from Interset. A query can accept the following parameters:
|
Markup | Select this option, i.e., set it to true, to include handlebar markup in alert text. In this case, anomalies might contain markup tags in double curly braces, {{ and }} .When this option is cleared, i.e, set as false, the returned anomalies contain only plain English text that can be displayed directly without further processing. |
Time Zone | (Optional) Timezone in which you want the results to be returned. For example, +5:00, America/Montreal, EST |
Count | (Optional) Maximum number of entities that this operation should return. |
Scroll ID | (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results. |
Keep Alive | (Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes. |
Start Time | (Optional) Start time from when you want to retrieve top riskiest entities from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve top riskiest entities from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"totalHits": "",
"data": [
{
"riskChange": "",
"lastActivity": "",
"risk": "",
"entityType": "",
"preDecayedRisk": "",
"entityName": "",
"storyCount": "",
"entityHash": "",
"tags": [
{
"description": "",
"id": "",
"source": "",
"name": ""
}
],
"mostSignificantAlert": "",
"decayedToTimestamp": ""
}
],
"requestTime": "",
"scrollId": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated anomalies, alerts, or aggregates you want to retrieve from Interset. |
Rollup Level | Level at which anomalies are combined. Aggregates combine similar alerts within the same time period across entities. Alerts combine similar anomalies within the same time period for a single entity. You can choose between Anomalies, Aggregates, or Alerts. |
Rollup ID | ID of the aggregate, alert, or anomaly that you want to retrieve from Interset. |
Count | (Optional) Maximum number of anomalies, alerts, or aggregates that this operation should return. |
Sort | (Optional) Select the method of sorting the results You can choose from Timestamp or Risk. |
Sort Order | (Optional) Sort order that you can apply to the result that is retrieved from Interset.
You can choose either Ascending or Descending. |
Risk Sort | (Optional) Sorts the result that is retrieved from Interset based on the risk level you have specified. You can choose from Current, Maximum, or Window End. |
Minimum Risk | (Optional) Minimum threshold of anomaly/alert risk below which all anomalies/alerts should be excluded from the results. |
Maximum Risk | (Optional) Maximum threshold of anomaly/alert risk below which all anomalies/alerts should be excluded from the results. |
Query | (Optional) Query using which you want to retrieve anomalies, alerts, or aggregates from Interset. A query can accept the following parameters:
|
Markup | Select this option, i.e., set it to true, to include handlebar markup in alert text. In this case, anomalies might contain markup tags in double curly braces, {{ and }} .When this option is cleared, i.e, set as false, the returned anomalies contain only plain English text that can be displayed directly without further processing. |
Scroll ID | (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results. |
Keep Alive | (Optional) Number of milliseconds during which the results of the scroll request are considered valid. Defaults to 5 minutes. |
Start Time | (Optional) Start time from when you want to retrieve anomalies, alerts, or aggregates from Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to retrieve anomalies, alerts, or aggregates from Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
{
"totalHits": "",
"scrollId": "",
"data": [
{
"alertId": "",
"datasource": "",
"risk": "",
"category": "",
"templates": {
"family": "",
"teaser": "",
"alert": "",
"threat": "",
"tooltip": ""
},
"bucketSize": "",
"numChildren": "",
"contextType": "",
"kibana": {
"indexName": "",
"startTime": "",
"searchQuery": "",
"endTime": ""
},
"anomalyTypes": [],
"contribution": "",
"rollupLevel": "",
"tags": [],
"sql": {
"searchQuery": ""
},
"parentId": "",
"numAnomalies": "",
"timestamp": "",
"id": "",
"generic": {
"timeRangeQuery": "",
"searchQuery": ""
},
"contextAnomalyId": "",
"significance": ""
}
],
"requestTime": "",
"queryTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated users you want to retrieve from Interset. |
Search for | Select the search criteria using which you want to search for users in Interset. You can choose from the following options: Top Exit Producers, Top Failed Login, Top Risky Days, Top Screen Captures, or Top Violation Producers. |
Count | (Optional) Maximum number of users that this operation should return. |
Query | (Optional) Query using which you want to retrieve users from Interset. A query can accept the following parameters: |
Start Time | (Optional) Start time from when you want to search for users in Interset. If no value is provided, the start time of the dataset is used. |
End Time | (Optional) End time till when you want to search for users in Interset. If no value is provided, the end time of the dataset is used. |
The output contains the following populated JSON schema:
Output schema if 'Search for' is 'Top Exit Producers'
{
"data": {},
"requestTime": "",
"cached": ""
}
Output schema if 'Search for' is 'Top Failed Login'
{
"data": [
{
"totalFailed": "",
"entityName": "",
"entityHash": "",
"totalSuccess": ""
}
],
"requestTime": "",
"cached": ""
}
Output schema if 'Search for' is 'Top Risky Days'
{
"data": [
{
"timestamp": "",
"risk": ""
}
],
"requestTime": "",
"cached": ""
}
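The 'Top Failed Login' result above gives, per entity, how many logins failed and how many succeeded. The following is an added example of turning that array into a triage list; it is not part of the connector. It keeps only entities with enough attempts to judge and a failure share above a threshold, and orders them by failure count, so a handful of mistyped passwords does not outrank a sustained guessing run. The records in `SAMPLE_TOP_FAILED_LOGIN` are constructed; the thresholds are assumptions to tune per environment.

```python
"""Triage ranking for the Top Failed Login result (added example)."""
from typing import List


def rank_failed_logins(records: List[dict],
                       min_attempts: int = 10,
                       min_failure_ratio: float = 0.5) -> List[dict]:
    """Return entities worth escalating, highest failure count first.

    Values arrive as strings or ints (the schema shows ""), so both are
    accepted. Entities with fewer than min_attempts events are skipped: too
    little data to distinguish a user from an attacker, and it avoids a
    division by zero for entities with no activity at all.
    """
    ranked = []
    for rec in records:
        failed = int(rec.get("totalFailed") or 0)
        success = int(rec.get("totalSuccess") or 0)
        attempts = failed + success
        if attempts < min_attempts:
            continue
        ratio = failed / attempts
        if ratio < min_failure_ratio:
            continue
        ranked.append({
            "entityName": rec["entityName"],
            "entityHash": rec["entityHash"],
            "failed": failed,
            "attempts": attempts,
            "failure_ratio": round(ratio, 3),
        })
    # most failures first; ties broken by the higher failure share
    ranked.sort(key=lambda r: (-r["failed"], -r["failure_ratio"]))
    return ranked


# constructed sample in the shape of the output schema above
SAMPLE_TOP_FAILED_LOGIN = [
    {"entityName": "svc-backup", "entityHash": "0000000000000001",
     "totalFailed": 40, "totalSuccess": 0},     # only failures: stale credential or guessing
    {"entityName": "alice", "entityHash": "0000000000000002",
     "totalFailed": 3, "totalSuccess": 50},     # normal user with a few typos
    {"entityName": "mallory", "entityHash": "0000000000000003",
     "totalFailed": "25", "totalSuccess": "2"}, # string values, as the schema allows
    {"entityName": "bob", "entityHash": "0000000000000004",
     "totalFailed": 0, "totalSuccess": 0},      # no activity: must not divide by zero
]

if __name__ == "__main__":
    for row in rank_failed_logins(SAMPLE_TOP_FAILED_LOGIN):
        print(row)
```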
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated working hours you want to retrieve from Interset. |
Working Hours For | Select the entity type for which you want to retrieve working hours. You can choose between User or Organization. If you choose 'User', then you must specify the following parameters: |
The output contains the following populated JSON schema:
{
"data": [
{
"expected": "",
"minute": ""
}
],
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant for which you want to create a tag in Interset. |
Tag Name | Name for the tag that you want to create in the specified tenant in Interset. |
Description | (Optional) Description of the tag that you want to create in Interset. |
The output contains the following populated JSON schema:
{
"requestTime": "",
"data": {
"created": "",
"entities": [],
"source": "",
"description": "",
"createdBy": "",
"modifiedBy": "",
"id": "",
"modified": "",
"name": ""
},
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated tags you want to retrieve from Interset. |
Source | Select how the tag was created. Tags can be created either by a User through the UI or by Analytics. |
Query | (Optional) Query using which you want to retrieve tags from Interset. A query can accept the following parameters: |
Text To Search | (Optional) Text that you want to use to match tags by name. |
The output contains the following populated JSON schema:
{
"data": [
{
"created": "",
"entities": [],
"source": "",
"description": "",
"createdBy": "",
"modifiedBy": "",
"id": "",
"modified": "",
"name": ""
}
],
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant from which you want to delete the specified tag in Interset. |
Tag | Name of tag that you want to delete from the specified tenant in Interset. |
The output contains the following populated JSON schema:
{
"data": {
"message": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose associated entities you want to retrieve from Interset. |
Entities For | Select whether you want to retrieve entities from Interset for a single tag or for multiple tags. If you choose 'Single Tag', then you must specify the following parameters: |
Count | (Optional) Maximum number of tagged elements that this operation should return. |
Scroll ID | (Optional) ScrollID from a previous request. Use this ScrollID to get subsequent results. |
The output contains the following populated JSON schema:
{
"data": [
{
"entityName": "",
"entityHash": "",
"entityType": ""
}
],
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant in whose associated elements you want to add the specified tags. |
Tag Name | Name of tag that you want to add to the specified element type and hash. |
Element type | Type of element with which you want to associate the tag that you want to add in Interset. |
Element Hashes | Hashes, in CSV or list format, of the elements to which you want to add the tag. For example, 393ff13c9b519ec2. |
Retries | Number of times to retry the update operation if a conflict occurs. |
The output contains the following populated JSON schema:
{
"data": {
"message": ""
},
"requestTime": "",
"cached": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant from whose associated elements you want to remove the specified tags. |
Tag Name | Name of tag that you want to remove from the specified element type and hash. |
Element type | Type of element that is associated with the tag that you want to remove from Interset. |
Element Hashes | Hashes, in CSV or list format, of the elements from which you want to remove the tag. For example, 393ff13c9b519ec2. |
Retries | Number of times to retry the update operation if a conflict occurs. |
The output contains the following populated JSON schema:
{
"data": {
"message": ""
},
"requestTime": "",
"cached": ""
}
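Both the add and the remove operations above take a Retries count for the case where the update conflicts with another write to the same tag. The following is an added example of the read-modify-write loop that such a retry implements; it is not the connector's code. It assumes (hypothetically, since the page only says the operation is retried "if a conflict occurs") that the tag store rejects a write whose version no longer matches the stored version, as optimistic-concurrency APIs do. `TagStore`, `ContendedStore` and the element hashes are constructed for the example; `parse_hashes` accepts the CSV or list form the Element Hashes parameter allows.

```python
"""Retrying a tag add/remove after a write conflict (added example)."""
from typing import FrozenSet, Iterable, List, Tuple, Union


class ConflictError(Exception):
    """Raised when a write is based on a stale version of the tag."""


class TagStore:
    """Constructed store: tag name -> (version, frozenset of 'type:hash')."""

    def __init__(self):
        self._tags = {}

    def create(self, name: str) -> None:
        self._tags[name] = (0, frozenset())

    def read(self, name: str) -> Tuple[int, FrozenSet[str]]:
        return self._tags[name]

    def write(self, name: str, expected_version: int, entities: Iterable[str]) -> int:
        version, _ = self._tags[name]
        if version != expected_version:  # someone else wrote in between
            raise ConflictError(f"{name}: stored v{version}, write based on v{expected_version}")
        self._tags[name] = (version + 1, frozenset(entities))
        return version + 1


class ContendedStore(TagStore):
    """Store where another writer slips in just before the first n writes,
    so those writes conflict. Simulates the contention that Retries handles."""

    def __init__(self, interfering_writes: int):
        super().__init__()
        self._interfere = interfering_writes

    def write(self, name, expected_version, entities):
        if self._interfere > 0:
            self._interfere -= 1
            version, current = self._tags[name]
            self._tags[name] = (version + 1, current | {"user:other"})
        return super().write(name, expected_version, entities)


def parse_hashes(value: Union[str, List[str]]) -> List[str]:
    """Accept either the CSV string or the list form of Element Hashes."""
    if isinstance(value, str):
        value = value.split(",")
    return [h.strip() for h in value if h.strip()]


def update_tag_entities(store: TagStore, tag: str, element_type: str,
                        hashes: List[str], add: bool, retries: int) -> int:
    """Add (add=True) or remove the given elements on `tag`.

    Reads the current version, computes the new entity set from what it
    read, and writes it back against that version. On a conflict it
    re-reads and tries again, at most `retries` more times, so a concurrent
    change is merged rather than overwritten. Returns the attempts used.
    """
    keys = {f"{element_type}:{h}" for h in hashes}
    attempts = 0
    while True:
        attempts += 1
        version, current = store.read(tag)
        wanted = current | keys if add else current - keys
        try:
            store.write(tag, version, wanted)
            return attempts
        except ConflictError:
            if attempts > retries:
                raise  # out of retries: surface the conflict to the playbook


if __name__ == "__main__":
    store = ContendedStore(interfering_writes=2)
    store.create("vip-users")
    used = update_tag_entities(store, "vip-users", "user",
                               parse_hashes("393ff13c9b519ec2, 0badc0ffee000001"),
                               add=True, retries=3)
    print(used, sorted(store.read("vip-users")[1]))
```

Re-reading before every attempt is the point of the loop: retrying the original write unchanged would keep failing, and writing without a version check would silently drop the other writer's change.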
Parameter | Description |
---|---|
Tenant ID | ID of the tenant for which you want to retrieve anomaly weights from Interset. |
Get Anomaly Weights | You can choose to retrieve the weights for all configured anomalies by selecting For ALL Anomalies, or you can choose to retrieve weights for specific configured anomalies by selecting By Anomaly Type. If you select 'By Anomaly Type', then you have to specify the following parameters: |
The output contains the following populated JSON schema:
{
"weight": "",
"anomalyType": "",
"importance": "",
"did": "",
"defaultWeight": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant for which you want to set the anomaly weights in Interset. |
DID | The Data ID, which is a differentiator between data sources of the same type, for example, Perforce and SharePoint repository data. The value of DID is usually 0. A value of -1 refers to all DIDs at once. |
Anomaly Type | Type of anomaly whose weight you want to set in Interset, for example, 212. |
Weight | Value of the weight that you want to assign to the anomaly type you have specified. |
The output contains the following populated JSON schema:
{
"weight": ""
}
The Sample - Micro Focus Interset - 1.0.0 playbook collection comes bundled with the Micro Focus Interset connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ (formerly CyOPs™) after importing the Micro Focus Interset connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.