Humio

Integration with Humio. This integration was integrated and tested with version xx of Humio.

Configure Humio on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Humio.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Humio URL | True |
| API-key | User API token | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| queryParameter | Query to use to fetch incidents | False |
| queryRepository | Fetch incidents from repository | False |
| queryStartTime | Fetch incidents from | False |
| queryTimeZoneOffsetMinutes | TimeZoneOffset in Minutes | False |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |

  4. Click Test to validate the URL, token, and connection.

Obtaining an API key

Go to https://your-humio/settings and copy the API token (for example https://cloud.humio.com/settings). The token acts with the full permissions of the user that issued it, so issue it from a dedicated user that has access only to the repositories this integration needs, and store it in the instance's API-key field rather than in a playbook or automation.

Fetch incidents

The queryParameter, queryRepository, queryStartTime and queryTimeZoneOffsetMinutes parameters are used only when the Fetch incidents feature is enabled. Instead of polling, it is recommended to define alerts and notifiers in Humio and push the matching events to XSOAR through a webhook notifier. You can read more about the supported time formats for backfilling here

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

humio-query


Query the data from Humio

Base Command

humio-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| repository | Repository to search | Required |
| queryString | Query string to use | Required |
| start | Relative or absolute (epoch) | Optional |
| end | Relative or absolute (epoch) | Optional |
| isLive | Run as a live query; true, 1, t, y or yes are accepted as true | Optional |
| timeZoneOffsetMinutes | TimeZoneOffset in Minutes (default 0) | Optional |
| arguments | Additional arguments | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Humio.Query | Unknown | Query output |

Command Example

!humio-query repository=sandbox queryString="foo=bar" start=24h end=now isLive=false

Context Example

{
"Humio": {
"Query": [
[
{
"#repo": "sandbox_Szpj6CNb6h7eWK1ZI09D9HFk",
"#type": "kv",
"@id": "hgXrSjcMWB08aJW40hfNUONL_3_2_1588676868",
"@rawstring": "foo=bar bar=foo",
"@session": "c12af55f-069d-43eb-840f-ff08fd11f685",
"@timestamp": 1588676868908,
"@timezone": "Z",
"bar": "foo",
"foo": "bar"
},
{
"#repo": "sandbox_Szpj6CNb6h7eWK1ZI09D9HFk",
"#type": "kv",
"@id": "hgXrSjcMWB08aJW40hfNUONL_3_1_1588676850",
"@rawstring": "foo=bar",
"@session": "c12af55f-069d-43eb-840f-ff08fd11f685",
"@timestamp": 1588676850226,
"@timezone": "Z",
"foo": "bar"
}
]
]
}
}

Human Readable Output

Humio Query Results

| #repo | #type | @id | @rawstring | @session | @timestamp | @timezone | bar | foo |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| sandbox_Szpj6CNb6h7eWK1ZI09D9HFk | kv | hgXrSjcMWB08aJW40hfNUONL_3_2_1588676868 | foo=bar bar=foo | c12af55f-069d-43eb-840f-ff08fd11f685 | 1588676868908 | Z | foo | bar |
| sandbox_Szpj6CNb6h7eWK1ZI09D9HFk | kv | hgXrSjcMWB08aJW40hfNUONL_3_1_1588676850 | foo=bar | c12af55f-069d-43eb-840f-ff08fd11f685 | 1588676850226 | Z | | bar |

humio-query-job


Issue a query job to Humio

Base Command

humio-query-job

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| queryString | Query string to use | Required |
| start | Relative or absolute (epoch) | Optional |
| end | Relative or absolute (epoch) | Optional |
| repository | Repository to use | Required |
| isLive | Run as a live query | Optional |
| timeZoneOffsetMinutes | Timezone offset in Minutes | Optional |
| arguments | Additional Arguments | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Humio.Job | Unknown | Query Job outputs |

Command Example

!humio-query-job queryString="foo=bar" repository=sandbox

Context Example

{
"Humio": {
"Job": {
"id": "1-1feyl7ulm_fmWhWmLhkPkWxZ",
"queryOnView": "<M:foo=bar>"
}
}
}

Human Readable Output

Humio Query Job

| id | queryOnView |
| --- | --- |
| 1-1feyl7ulm_fmWhWmLhkPkWxZ | <M:foo=bar> |

humio-poll


Issue poll command to Humio

Base Command

humio-poll

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| repository | Repository to use | Required |
| id | Id to poll for | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Humio.Result | Unknown | Poll results |
| Humio.Result.cancelled | Unknown | Whether the job was cancelled |
| Humio.Result.events | Unknown | Events returned by the poll |
| Humio.Result.done | Unknown | Whether the job has finished |
| Humio.Result.metaData | Unknown | MetaData from the poll |
| Humio.Result.job_id | String | Humio Job id the results came from |

Command Example

!humio-poll repository=sandbox id=1-mJg87kWn247FiYFpsnwZcx9G

Context Example

{
"Humio": {
"Result": {
"cancelled": false,
"done": true,
"events": [
{
"#repo": "sandbox_Szpj6CNb6h7eWK1ZI09D9HFk",
"#type": "kv",
"@id": "hgXrSjcMWB08aJW40hfNUONL_3_2_1588676868",
"@rawstring": "foo=bar bar=foo",
"@session": "c12af55f-069d-43eb-840f-ff08fd11f685",
"@timestamp": 1588676868908,
"@timezone": "Z",
"bar": "foo",
"foo": "bar"
},
{
"#repo": "sandbox_Szpj6CNb6h7eWK1ZI09D9HFk",
"#type": "kv",
"@id": "hgXrSjcMWB08aJW40hfNUONL_3_1_1588676850",
"@rawstring": "foo=bar",
"@session": "c12af55f-069d-43eb-840f-ff08fd11f685",
"@timestamp": 1588676850226,
"@timezone": "Z",
"foo": "bar"
}
],
"job_id": "1-mJg87kWn247FiYFpsnwZcx9G",
"metaData": {
"eventCount": 2,
"extraData": {
"hasMoreEvents": "false"
},
"filterQuery": {
"end": 1588680722272,
"includeDeletedEvents": false,
"isInteractive": false,
"isLive": false,
"noResultUntilDone": false,
"queryString": "foo=bar",
"showQueryEventDistribution": false,
"start": 1588594322272
},
"isAggregate": false,
"pollAfter": 1000,
"processedBytes": 704,
"processedEvents": 6,
"queryEnd": 1588680722272,
"queryStart": 1588594322272,
"resultBufferSize": 2,
"timeMillis": 280833,
"totalWork": 1,
"warnings": [],
"workDone": 1
}
}
}
}

Human Readable Output

Humio Poll Result

| #repo | #type | @id | @rawstring | @session | @timestamp | @timezone | bar | foo |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| sandbox_Szpj6CNb6h7eWK1ZI09D9HFk | kv | hgXrSjcMWB08aJW40hfNUONL_3_2_1588676868 | foo=bar bar=foo | c12af55f-069d-43eb-840f-ff08fd11f685 | 1588676868908 | Z | foo | bar |
| sandbox_Szpj6CNb6h7eWK1ZI09D9HFk | kv | hgXrSjcMWB08aJW40hfNUONL_3_1_1588676850 | foo=bar | c12af55f-069d-43eb-840f-ff08fd11f685 | 1588676850226 | Z | | bar |

humio-delete-job


Issue a job delete command to Humio

Base Command

humio-delete-job

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | ID of the job to delete | Required |
| repository | Repository to use | Required |

Context Output

There is no context output for this command.

Command Example

!humio-delete-job repository=sandbox id=1-mJg87kWn247FiYFpsnwZcx9G

Context Example

{}

Human Readable Output

Command executed. Status code <Response [204]>
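The three commands above are normally used together: humio-query-job creates the job, humio-poll is repeated until done is true, and humio-delete-job releases the job. The following is an added example, not code from the integration or from Humio, that runs that lifecycle as one function. It assumes (not stated on this page) the Humio REST paths under /api/v1/repositories/{repo}/queryjobs and a Bearer token for HumioClient; FakeHumio is a constructed stand-in that returns responses shaped like the context examples above, so the example runs offline. Note that hasMoreEvents arrives as the string "false" in the poll example, not as a boolean, and that the job is deleted on every exit path, including cancellation.

```python
# Added example (not the Humio integration's code). ASSUMED: the /api/v1
# queryjobs endpoints and "Authorization: Bearer <token>" used by HumioClient.
import json
import time
import urllib.request


class HumioJobError(RuntimeError):
    """Raised when a query job is cancelled or never finishes."""


class HumioClient:
    """Minimal live client for the assumed endpoints; not exercised offline."""

    def __init__(self, base_url, token):
        self.base_url = base_url.rstrip("/")
        self.token = token

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self.token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:  # TLS certificate verified by default
            raw = resp.read()
            return json.loads(raw) if raw else resp.status  # DELETE answers 204 with an empty body

    def create_job(self, repo, body):
        return self._request("POST", "/api/v1/repositories/%s/queryjobs" % repo, body)

    def poll(self, repo, job_id):
        return self._request("GET", "/api/v1/repositories/%s/queryjobs/%s" % (repo, job_id))

    def delete_job(self, repo, job_id):
        return self._request("DELETE", "/api/v1/repositories/%s/queryjobs/%s" % (repo, job_id))


class FakeHumio:
    """Constructed stand-in: the first poll is not done, the second returns the
    two sandbox events from the page. cancel=True simulates a cancelled job."""

    EVENTS = [
        {"#repo": "sandbox_Szpj6CNb6h7eWK1ZI09D9HFk", "@id": "hgXrSjcMWB08aJW40hfNUONL_3_2_1588676868",
         "@rawstring": "foo=bar bar=foo", "@timestamp": 1588676868908, "foo": "bar", "bar": "foo"},
        {"#repo": "sandbox_Szpj6CNb6h7eWK1ZI09D9HFk", "@id": "hgXrSjcMWB08aJW40hfNUONL_3_1_1588676850",
         "@rawstring": "foo=bar", "@timestamp": 1588676850226, "foo": "bar"},
    ]

    def __init__(self, cancel=False):
        self.cancel = cancel
        self.polls = {}     # job id -> number of polls so far
        self.deleted = []   # job ids that were deleted, to verify cleanup

    def create_job(self, repo, body):
        job_id = "1-mJg87kWn247FiYFpsnwZcx9G"
        self.polls[job_id] = 0
        return {"id": job_id, "queryOnView": "<M:%s>" % body["queryString"]}

    def poll(self, repo, job_id):
        if job_id not in self.polls:
            raise HumioJobError("unknown job %s" % job_id)
        self.polls[job_id] += 1
        done = self.polls[job_id] >= 2 and not self.cancel
        return {"cancelled": self.cancel, "done": done,
                "events": list(self.EVENTS) if done else [],
                "metaData": {"pollAfter": 1000, "warnings": [],
                             "extraData": {"hasMoreEvents": "false"}}}

    def delete_job(self, repo, job_id):
        self.deleted.append(job_id)
        self.polls.pop(job_id, None)
        return 204


def run_query_job(client, repo, query_string, start="24h", end="now",
                  tz_offset_minutes=0, max_polls=60, sleep=time.sleep):
    """Create a job, poll until done (honouring metaData.pollAfter), return the
    events and warnings, and delete the job on every exit path."""
    body = {"queryString": query_string, "start": start, "end": end,
            "isLive": False, "timeZoneOffsetMinutes": tz_offset_minutes}
    job_id = client.create_job(repo, body)["id"]
    try:
        for _ in range(max_polls):
            res = client.poll(repo, job_id)
            meta = res.get("metaData", {})
            if res.get("cancelled"):
                raise HumioJobError("job %s was cancelled" % job_id)
            if res.get("done"):
                # hasMoreEvents is the string "false"/"true" in the page's poll example
                more = str(meta.get("extraData", {}).get("hasMoreEvents", "false")).lower() == "true"
                return {"job_id": job_id, "events": res.get("events", []),
                        "truncated": more, "warnings": meta.get("warnings", [])}
            sleep(meta.get("pollAfter", 1000) / 1000.0)
        raise HumioJobError("job %s did not finish after %d polls" % (job_id, max_polls))
    finally:
        client.delete_job(repo, job_id)


if __name__ == "__main__":
    print(run_query_job(FakeHumio(), "sandbox", "foo=bar", sleep=lambda s: None))
```

Swap FakeHumio for HumioClient("https://cloud.humio.com", token) to run against a live server; the delete in the finally block is what a playbook should also do, otherwise abandoned jobs keep their result buffers alive server-side.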

humio-list-alerts


List alerts from Humio

Base Command

humio-list-alerts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| repository | Repository to use | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Humio.Alert.description | String | Description of the alert |
| Humio.Alert.id | String | The alert id |
| Humio.Alert.name | String | The alert name |
| Humio.Alert.notifiers | String | The notifiers the alert will use |
| Humio.Alert.query.end | String | The end time of the query |
| Humio.Alert.query.isLive | Boolean | Whether or not the query is live |
| Humio.Alert.query.queryString | String | The query string being used |
| Humio.Alert.query.start | String | The start time of the query |
| Humio.Alert.silenced | Boolean | Whether or not the alert is silenced |
| Humio.Alert.throttleTimeMillis | Number | The throttle time for alerts, in milliseconds |

Command Example

!humio-list-alerts repository=sandbox

Context Example

{
"Humio": {
"Alert": [
{
"description": "",
"error": "All notifications failed.",
"id": "ArHY37FM9Z8kWxYMRknwmdR5yJwNEUgc",
"labels": [],
"lastAlarm": 1588680716684,
"name": "new_alert_namme2",
"notifiers": [
"AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez"
],
"query": {
"end": "now",
"isLive": true,
"queryString": "alert=true",
"start": "24h"
},
"silenced": false,
"throttleTimeMillis": 300000
},
{
"description": "",
"error": "All notifications failed.",
"id": "zXN-qja2pm5YFKVYDnllAmK4ctQ3wiOs",
"labels": [],
"lastAlarm": 1588680716684,
"name": "new_alert_name3",
"notifiers": [
"AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez"
],
"query": {
"end": "now",
"isLive": true,
"queryString": "alert=true",
"start": "24h"
},
"silenced": false,
"throttleTimeMillis": 300000
},
{
"description": "",
"error": "All notifications failed.",
"id": "dIn3uuIvY4Gz90Bt2Dn2mVtDuB11ZUl2",
"labels": [],
"lastAlarm": 1588680716685,
"name": "SampleAlert",
"notifiers": [
"BTkuj8QArhIFMh_L39FoN0tnyTUEXplc"
],
"query": {
"end": "now",
"isLive": true,
"queryString": "foo=bar",
"start": "24h"
},
"silenced": false,
"throttleTimeMillis": 300000
},
{
"description": "new_alert",
"error": "All notifications failed.",
"id": "kgguoWz0KgxEwge8IQt70L33C1J83U0C",
"labels": [
"label"
],
"lastAlarm": 1588680716684,
"name": "new_alert_name",
"notifiers": [
"AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez"
],
"query": {
"end": "now",
"isLive": true,
"queryString": "alert=true",
"start": "24h"
},
"silenced": false,
"throttleTimeMillis": 500000
},
{
"description": "description 2",
"id": "zNVae7vz-DH7GpeQUPfx1KXMGXGg7bf7",
"labels": [
"label"
],
"lastAlarm": 1588677696684,
"name": "new name",
"notifiers": [
"BTkuj8QArhIFMh_L39FoN0tnyTUEXplc"
],
"query": {
"end": "now",
"isLive": true,
"queryString": "test=true",
"start": "24h"
},
"silenced": false,
"throttleTimeMillis": 500000
},
{
"description": "",
"error": "All notifications failed.",
"id": "sFeYsP2mOJ_-CAqKt9frixFIYzXluiTB",
"labels": [],
"lastAlarm": 1588680716684,
"name": "new_alert_name2",
"notifiers": [
"AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez"
],
"query": {
"end": "now",
"isLive": true,
"queryString": "alert=true",
"start": "24h"
},
"silenced": false,
"throttleTimeMillis": 300000
},
{
"description": "",
"error": "All notifications failed.",
"id": "sn82IuvTc9Vfnl45XqLWoZASIcBezvu1",
"labels": [],
"lastAlarm": 1588680716684,
"name": "new_alert_name4",
"notifiers": [
"AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez"
],
"query": {
"end": "now",
"isLive": true,
"queryString": "alert=true",
"start": "24h"
},
"silenced": false,
"throttleTimeMillis": 300000
},
{
"description": "",
"error": "All notifications failed.",
"id": "ljeBta_tEvrGRRbae7MzLRiZG4NbckBm",
"labels": [],
"lastAlarm": 1588680716684,
"name": "new_alert_name5",
"notifiers": [
"AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez"
],
"query": {
"end": "now",
"isLive": true,
"queryString": "alert=true",
"start": "24h"
},
"silenced": false,
"throttleTimeMillis": 300000
}
]
}
}

Human Readable Output

Humio Alerts

| description | error | id | labels | lastAlarm | name | notifiers | query | silenced | throttleTimeMillis |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | All notifications failed. | ArHY37FM9Z8kWxYMRknwmdR5yJwNEUgc | | 1588680716684 | new_alert_namme2 | AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez | end: now; isLive: true; queryString: alert=true; start: 24h | false | 300000 |
| | All notifications failed. | zXN-qja2pm5YFKVYDnllAmK4ctQ3wiOs | | 1588680716684 | new_alert_name3 | AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez | end: now; isLive: true; queryString: alert=true; start: 24h | false | 300000 |
| | All notifications failed. | dIn3uuIvY4Gz90Bt2Dn2mVtDuB11ZUl2 | | 1588680716685 | SampleAlert | BTkuj8QArhIFMh_L39FoN0tnyTUEXplc | end: now; isLive: true; queryString: foo=bar; start: 24h | false | 300000 |
| new_alert | All notifications failed. | kgguoWz0KgxEwge8IQt70L33C1J83U0C | label | 1588680716684 | new_alert_name | AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez | end: now; isLive: true; queryString: alert=true; start: 24h | false | 500000 |
| description 2 | | zNVae7vz-DH7GpeQUPfx1KXMGXGg7bf7 | label | 1588677696684 | new name | BTkuj8QArhIFMh_L39FoN0tnyTUEXplc | end: now; isLive: true; queryString: test=true; start: 24h | false | 500000 |
| | All notifications failed. | sFeYsP2mOJ_-CAqKt9frixFIYzXluiTB | | 1588680716684 | new_alert_name2 | AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez | end: now; isLive: true; queryString: alert=true; start: 24h | false | 300000 |
| | All notifications failed. | sn82IuvTc9Vfnl45XqLWoZASIcBezvu1 | | 1588680716684 | new_alert_name4 | AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez | end: now; isLive: true; queryString: alert=true; start: 24h | false | 300000 |
| | All notifications failed. | ljeBta_tEvrGRRbae7MzLRiZG4NbckBm | | 1588680716684 | new_alert_name5 | AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez | end: now; isLive: true; queryString: alert=true; start: 24h | false | 300000 |

humio-get-alert-by-id


Get a single alert from Humio by id

Base Command

humio-get-alert-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| repository | Repository to use | Required |
| id | Alert ID | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Humio.Alert.description | String | Description of the alert |
| Humio.Alert.id | String | The alert id |
| Humio.Alert.name | String | The alert name |
| Humio.Alert.notifiers | String | The notifiers the alert will use |
| Humio.Alert.query.end | String | The end time of the query |
| Humio.Alert.query.isLive | Boolean | Whether or not the query is live |
| Humio.Alert.query.queryString | String | The query string being used |
| Humio.Alert.query.start | String | The start time of the query |
| Humio.Alert.silenced | Boolean | Whether or not the alert is silenced |
| Humio.Alert.throttleTimeMillis | Number | The throttle time for alerts, in milliseconds |

Command Example

!humio-get-alert-by-id repository=sandbox id=ArHY37FM9Z8kWxYMRknwmdR5yJwNEUgc

Context Example

{
"Humio": {
"Alert": {
"description": "",
"error": "All notifications failed.",
"id": "ArHY37FM9Z8kWxYMRknwmdR5yJwNEUgc",
"labels": [],
"lastAlarm": 1588680716684,
"name": "new_alert_namme2",
"notifiers": [
"AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez"
],
"query": {
"end": "now",
"isLive": true,
"queryString": "alert=true",
"start": "24h"
},
"silenced": false,
"throttleTimeMillis": 300000
}
}
}

Human Readable Output

Humio Alerts

| error | id | lastAlarm | name | notifiers | query | silenced | throttleTimeMillis |
| --- | --- | --- | --- | --- | --- | --- | --- |
| All notifications failed. | ArHY37FM9Z8kWxYMRknwmdR5yJwNEUgc | 1588680716684 | new_alert_namme2 | AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez | end: now; isLive: true; queryString: alert=true; start: 24h | false | 300000 |

humio-create-alert


Create an alert in Humio

Base Command

humio-create-alert

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| repository | Repository to use | Required |
| name | Name of the alert | Required |
| queryString | Query to use | Required |
| start | Start time, relative or epoch in ms. | Optional |
| description | Description of the alert | Optional |
| throttleTimeMillis | Throttle interval in milliseconds | Optional |
| silenced | Whether the alert is created silenced | Optional |
| notifiers | Comma-separated notifier IDs | Required |
| labels | Comma-separated labels | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Humio.Alert.description | String | Description of the alert |
| Humio.Alert.id | String | The alert id |
| Humio.Alert.name | String | The alert name |
| Humio.Alert.notifiers | String | The notifiers the alert will use |
| Humio.Alert.query.end | String | The end time of the query |
| Humio.Alert.query.isLive | Boolean | Whether or not the query is live |
| Humio.Alert.query.queryString | String | The query string being used |
| Humio.Alert.query.start | String | The start time of the query |
| Humio.Alert.silenced | Boolean | Whether or not the alert is silenced |
| Humio.Alert.throttleTimeMillis | Number | The throttle time for alerts, in milliseconds |

Command Example

!humio-create-alert name=SampleTestAlert notifiers=BTkuj8QArhIFMh_L39FoN0tnyTUEXplc queryString="foo=bar" repository=sandbox

Context Example

{
"Humio": {
"Alert": {
"description": "",
"id": "_LLJeuH_--APkyCVaj3NDdXPlyfAtcsB",
"labels": [],
"name": "SampleTestAlert",
"notifiers": [
"BTkuj8QArhIFMh_L39FoN0tnyTUEXplc"
],
"query": {
"end": "now",
"isLive": true,
"queryString": "foo=bar",
"start": "24h"
},
"silenced": false,
"throttleTimeMillis": 300000
}
}
}

Human Readable Output

Humio Alerts

| id | name | notifiers | query | silenced | throttleTimeMillis |
| --- | --- | --- | --- | --- | --- |
| _LLJeuH_--APkyCVaj3NDdXPlyfAtcsB | SampleTestAlert | BTkuj8QArhIFMh_L39FoN0tnyTUEXplc | end: now; isLive: true; queryString: foo=bar; start: 24h | false | 300000 |

humio-list-notifiers


List all notifiers in Humio

Base Command

humio-list-notifiers

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| repository | Repository to use | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Humio.Notifier | Unknown | List of notifiers |

Command Example

!humio-list-notifiers repository=sandbox

Context Example

{
"Humio": {
"Notifier": [
{
"entity": "WebHookNotifier",
"id": "BTkuj8QArhIFMh_L39FoN0tnyTUEXplc",
"name": "Null Webhook",
"properties": {
"bodyTemplate": "{\n \"repository\": \"{repo_name}\",\n \"timestamp\": \"{alert_triggered_timestamp}\",\n \"alert\": {\n \"name\": \"{alert_name}\",\n \"description\": \"{alert_description}\",\n \"query\": {\n \"queryString\": \"{query_string} \",\n \"end\": \"{query_time_end}\",\n \"start\": \"{query_time_start}\"\n },\n \"notifierID\": \"{alert_notifier_id}\",\n \"id\": \"{alert_id}\",\n \"linkURL\": \"{url}\"\n },\n \"warnings\": \"{warnings}\",\n \"events\": {events},\n \"numberOfEvents\": {event_count}\n}",
"headers": {
"Content-Type": "application/json"
},
"ignoreSSL": false,
"method": "POST",
"url": "http://localhost"
}
},
{
"entity": "WebHookNotifier",
"id": "AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez",
"name": "other",
"properties": {
"bodyTemplate": "BODY",
"headers": {
"Content-Type": "application/json"
},
"ignoreSSL": false,
"method": "POST",
"url": "http://localhost"
}
}
]
}
}

Human Readable Output

Humio Notifiers

| entity | id | name | properties |
| --- | --- | --- | --- |
| WebHookNotifier | BTkuj8QArhIFMh_L39FoN0tnyTUEXplc | Null Webhook | bodyTemplate: {"repository": "{repo_name}", "timestamp": "{alert_triggered_timestamp}", "alert": {"name": "{alert_name}", "description": "{alert_description}", "query": {"queryString": "{query_string} ", "end": "{query_time_end}", "start": "{query_time_start}"}, "notifierID": "{alert_notifier_id}", "id": "{alert_id}", "linkURL": "{url}"}, "warnings": "{warnings}", "events": {events}, "numberOfEvents": {event_count}}; headers: {"Content-Type": "application/json"}; ignoreSSL: false; method: POST; url: http://localhost |
| WebHookNotifier | AQs6CuWm-uyXfYaNzwMyDGTX4S4qyAez | other | bodyTemplate: BODY; headers: {"Content-Type": "application/json"}; ignoreSSL: false; method: POST; url: http://localhost |
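The Fetch incidents section recommends receiving alert data through a webhook notifier rather than polling, and the bodyTemplate of the "Null Webhook" notifier above is the shape such a request will have. Anything that accepts it is an externally reachable endpoint, so the body should be validated and the sender authenticated before an incident is created. The following is an added example, not code from the integration or from Humio, that does that for the template shown. It assumes (not on this page) that a shared secret is configured as an extra notifier header named X-Humio-Webhook-Secret; the sample request at the bottom is constructed from the page's SampleAlert and sandbox events, and its timestamp and linkURL values are made up.

```python
# Added example (not the Humio integration's code): validate and normalise a
# webhook request rendered from the "Null Webhook" bodyTemplate.
# ASSUMED: the secret header name and the constructed SAMPLE_* request below.
import hmac
import json

SHARED_SECRET = b"replace-with-a-long-random-value"  # constructed; load from a secret store
SECRET_HEADER = "X-Humio-Webhook-Secret"              # assumed extra header on the notifier
MAX_BODY_BYTES = 1_000_000

# Field -> expected type, following the bodyTemplate in the context example.
TOP_LEVEL = {"repository": str, "timestamp": str, "alert": dict, "events": list, "numberOfEvents": int}
ALERT = {"name": str, "id": str, "notifierID": str, "query": dict}


class WebhookError(ValueError):
    """Request rejected before any incident is created."""


def verify_secret(headers, secret=SHARED_SECRET):
    # Constant-time compare; a missing header compares against the empty string.
    presented = str(headers.get(SECRET_HEADER, "")).encode()
    if not hmac.compare_digest(presented, secret):
        raise WebhookError("missing or wrong %s header" % SECRET_HEADER)


def _check_fields(obj, spec, where):
    for key, typ in spec.items():
        if not isinstance(obj.get(key), typ):
            raise WebhookError("%s.%s missing or not %s" % (where, key, typ.__name__))


def parse_alert_webhook(raw, headers):
    """Return an XSOAR-style incident dict for a valid request, else raise WebhookError."""
    verify_secret(headers)
    if len(raw) > MAX_BODY_BYTES:
        raise WebhookError("body larger than %d bytes" % MAX_BODY_BYTES)
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise WebhookError("body is not JSON: %s" % exc)
    if not isinstance(body, dict):
        raise WebhookError("body is not a JSON object")
    _check_fields(body, TOP_LEVEL, "body")
    alert = body["alert"]
    _check_fields(alert, ALERT, "alert")
    if not all(isinstance(e, dict) for e in body["events"]):
        raise WebhookError("events must be objects")
    # The template renders "{query_string} " with a trailing space; strip it.
    query = str(alert["query"].get("queryString", "")).strip()
    return {
        "name": "Humio alert: %s" % alert["name"],
        "occurred": body["timestamp"],
        "details": "Query %s in repository %s matched %d event(s)"
                   % (query, body["repository"], body["numberOfEvents"]),
        "rawJSON": json.dumps(body),
        "humio": {"alert_id": alert["id"], "notifier_id": alert["notifierID"],
                  "repository": body["repository"], "query": query,
                  "link": alert.get("linkURL"), "events_included": len(body["events"])},
    }


# Constructed sample request: what the template yields for the page's SampleAlert.
SAMPLE_HEADERS = {"Content-Type": "application/json", SECRET_HEADER: SHARED_SECRET.decode()}
SAMPLE_BODY = json.dumps({
    "repository": "sandbox",
    "timestamp": "2020-05-05T11:31:56Z",  # made up
    "alert": {"name": "SampleAlert", "description": "",
              "query": {"queryString": "foo=bar ", "end": "now", "start": "24h"},
              "notifierID": "BTkuj8QArhIFMh_L39FoN0tnyTUEXplc",
              "id": "dIn3uuIvY4Gz90Bt2Dn2mVtDuB11ZUl2",
              "linkURL": "https://your-humio/sandbox/alerts/dIn3uuIvY4Gz90Bt2Dn2mVtDuB11ZUl2"},  # made up
    "warnings": "",
    "events": [{"@rawstring": "foo=bar bar=foo", "@timestamp": 1588676868908, "foo": "bar", "bar": "foo"},
               {"@rawstring": "foo=bar", "@timestamp": 1588676850226, "foo": "bar"}],
    "numberOfEvents": 2,
}).encode()

if __name__ == "__main__":
    print(parse_alert_webhook(SAMPLE_BODY, SAMPLE_HEADERS))
```

The notifier examples on this page post to http://localhost with ignoreSSL false; in production the url should be https and ignoreSSL should stay false, since a webhook carrying raw events is both sensitive data in transit and an input that an attacker who can reach the endpoint could forge without the secret check above.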

humio-delete-alert


Delete alert in Humio

Base Command

humio-delete-alert

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| repository | Repository to use | Required |
| id | ID of the alert to be deleted | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Humio.Humio-delete-alert | Unknown | Details of the deletion |

Command Example

!humio-delete-alert repository=sandbox id=dIn3uuIvY4Gz90Bt2Dn2mVtDuB11ZUl2

Context Example

{}

Human Readable Output

Command executed. Status code <Response [204]>

humio-get-notifier-by-id


Get notifier from Humio by id

Base Command

humio-get-notifier-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| repository | Repository to use | Required |
| id | ID of the notifier to get | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Humio.Notifier | Unknown | Details of the notifier |

Command Example

!humio-get-notifier-by-id repository=sandbox id=BTkuj8QArhIFMh_L39FoN0tnyTUEXplc

Context Example

{
"Humio": {
"Notifier": {
"entity": "WebHookNotifier",
"id": "BTkuj8QArhIFMh_L39FoN0tnyTUEXplc",
"name": "Null Webhook",
"properties": {
"bodyTemplate": "BODY",
"headers": {
"Content-Type": "application/json"
},
"ignoreSSL": false,
"method": "POST",
"url": "http://localhost"
}
}
}
}

Human Readable Output

Humio Notifiers

| entity | id | name | properties |
| --- | --- | --- | --- |
| WebHookNotifier | BTkuj8QArhIFMh_L39FoN0tnyTUEXplc | Null Webhook | bodyTemplate: {"repository": "{repo_name}", "timestamp": "{alert_triggered_timestamp}", "alert": {"name": "{alert_name}", "description": "{alert_description}", "query": {"queryString": "{query_string} ", "end": "{query_time_end}", "start": "{query_time_start}"}, "notifierID": "{alert_notifier_id}", "id": "{alert_id}", "linkURL": "{url}"}, "warnings": "{warnings}", "events": {events}, "numberOfEvents": {event_count}}; headers: {"Content-Type": "application/json"}; ignoreSSL: false; method: POST; url: http://localhost |