Signal Sciences WAF
Use the Signal Sciences next-gen web application firewall to increase security and maintain reliability.
Configure Signal Sciences WAF on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for Signal Sciences WAF.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Token
- Corporation Name (should match the pattern [0-9a-z_.-]+)
- Fetch incidents
- Incident type
- Fetch Interval (in minutes)
- CSV list of sites to fetch from. If no sites are specified, events from all of the corporation’s sites are fetched.
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get a site’s whitelist: sigsci-get-whitelist
- Get a site’s blacklist: sigsci-get-blacklist
- Add an IP address to a whitelist: sigsci-whitelist-add-ip
- Add an IP address to a blacklist: sigsci-blacklist-add-ip
- Remove an IP address from a whitelist: sigsci-whitelist-remove-ip
- Remove an IP address from a blacklist: sigsci-blacklist-remove-ip
- Get all site names: sigsci-get-sites
- Create a list for a site: sigsci-create-site-list
- Get information for a site list: sigsci-get-site-list
- Delete a site list: sigsci-delete-site-list
- Update a site list: sigsci-update-site-list
- Add an alert to a site: sigsci-add-alert
- Get information for an alert: sigsci-get-alert
- Delete an alert from a site: sigsci-delete-alert
- Update attributes for an alert: sigsci-update-alert
- Get all alerts for a site: sigsci-get-all-alerts
- Get all lists for a site: sigsci-get-all-site-lists
- Create a corp list: sigsci-create-corp-list
- Get information for a corp list: sigsci-get-corp-list
- Delete a corp list: sigsci-delete-corp-list
- Update a corp list: sigsci-update-corp-list
- Get information for all lists of a corp: sigsci-get-all-corp-lists
- Get a list of events: sigsci-fetch-events
- Get an event by event ID: sigsci-get-event-by-id
- Expire an event: sigsci-expire-event
- Get requests for a site: sigsci-get-requests
- Get a request by request ID: sigsci-get-request-by-id
1. Get a site’s whitelist
Fetches a site’s whitelist, which resides on the Signal Sciences platform.
Base Command
sigsci-get-whitelist
Input
Argument Name | Description | Required |
---|---|---|
siteName | The site that holds the whitelist you want to get. | Required |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.Whitelist.ID | string | ID for this particular entry. |
SigSciences.Corp.Site.Whitelist.Source | string | IP Address present in the whitelist. |
SigSciences.Corp.Site.Whitelist.ExpiryDate | date | Expiration Timestamp. |
SigSciences.Corp.Site.Whitelist.Note | string | Note associated with the tag. |
SigSciences.Corp.Site.Whitelist.CreatedDate | date | The created date timestamp. |
SigSciences.Corp.Site.Whitelist.CreatedBy | string | The user who added this source. |
Command Example
!sigsci-get-whitelist siteName=demisto
Context Example
{ "SigSciences.Corp.Site.Whitelist": [ { "ExpiryDate": "", "Note": "docdoc", "Source": "9.7.9.7", "CreatedBy": "user@demisto.com", "CreatedDate": "2019-03-28T09:52:47Z", "ID": "5c9c996fc7213901971d5679" } ] }
Human Readable Output
Signal Sciences - Whitelist
Number of IPs in the Whitelist 1
Source | Note | Created Date | Created By |
---|---|---|---|
9.7.9.7 | docdoc | 2019-03-28T09:52:47Z | user@demisto.com |
2. Get a site’s blacklist: sigsci-get-blacklist
Fetches a site’s blacklist, which resides on the Signal Sciences platform.
Base Command
sigsci-get-blacklist
Input
Argument Name | Description | Required |
---|---|---|
siteName | The site that holds the blacklist you want to get. | Required |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.Blacklist.ID | string | The ID for this entry. |
SigSciences.Corp.Site.Blacklist.Source | string | The IP address on the blacklist. |
SigSciences.Corp.Site.Blacklist.ExpiryDate | date | The expiration timestamp. |
SigSciences.Corp.Site.Blacklist.Note | string | The note associated with the tag. |
SigSciences.Corp.Site.Blacklist.CreatedDate | date | The created date timestamp. |
SigSciences.Corp.Site.Blacklist.CreatedBy | string | The user who added this source. |
Command Example
!sigsci-get-blacklist siteName=demisto
Context Example
{ "SigSciences.Corp.Site.Blacklist": [ { "ExpiryDate": "", "Note": "docdoc", "Source": "5.7.5.7", "CreatedBy": "user@demisto.com", "CreatedDate": "2019-03-28T09:52:49Z", "ID": "5c9c9971719dcc0198a38a5b" } ] }
Human Readable Output
Signal Sciences - Blacklist
Number of IPs in the Blacklist 1
Source | Note | Created Date | Created By |
---|---|---|---|
5.7.5.7 | docdoc | 2019-03-28T09:52:49Z | user@demisto.com |
3. Add an IP address to a whitelist: sigsci-whitelist-add-ip
Adds an IP address to a site’s whitelist, which resides on the Signal Sciences platform.
Base Command
sigsci-whitelist-add-ip
Input
Argument Name | Description | Required |
---|---|---|
siteName | The site that holds the whitelist you want to add an IP address to. | Required |
ip | The IP address to add to the site’s whitelist. | Required |
note | The note associated with the tag. | Required |
expires | The datetime at which the IP address is removed from the site’s whitelist (in RFC3339 format). To keep the IP address on the site’s whitelist indefinitely, do not specify this argument. | Optional |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.Whitelist.Source | string | The IP address on the whitelist. |
SigSciences.Corp.Site.Whitelist.Note | string | The note associated with the tag. |
SigSciences.Corp.Site.Whitelist.ID | string | The ID for this entry. |
SigSciences.Corp.Site.Whitelist.CreatedBy | string | The user who added this source. |
SigSciences.Corp.Site.Whitelist.CreatedDate | date | The created date timestamp. |
SigSciences.Corp.Site.Whitelist.ExpiryDate | date | The expiration timestamp. |
Command Example
!sigsci-whitelist-add-ip ip=9.7.9.7 note=docdoc siteName=demisto
Context Example
{ "SigSciences.Corp.Site.Whitelist": { "ExpiryDate": "", "Note": "docdoc", "Source": "9.7.9.7", "CreatedBy": "user@demisto.com", "CreatedDate": "2019-03-28T13:30:34Z", "ID": "5c9ccc7a342a24019743d265" } }
Human Readable Output
Signal Sciences - Adding an IP to Whitelist
The IP 9.7.9.7 has been successfully added to whitelist.
Source | Note | Expiration date |
---|---|---|
9.7.9.7 | docdoc | Not Set |
4. Add an IP address to a blacklist: sigsci-blacklist-add-ip
Adds an IP address to a site’s blacklist, which resides on the Signal Sciences platform.
Base Command
sigsci-blacklist-add-ip
Input
Argument Name | Description | Required |
---|---|---|
siteName | The site that holds the blacklist you want to add an IP address to. | Required |
ip | The IP address to add to the site’s blacklist. | Required |
note | The note associated with the tag. | Required |
expires | The datetime at which the IP address is removed from the site’s blacklist (in RFC3339 format). To keep the IP address on the site’s blacklist indefinitely, do not specify this argument. | Optional |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.Blacklist.Source | string | The IP address on the blacklist. |
SigSciences.Corp.Site.Blacklist.Note | string | The note associated with the tag. |
SigSciences.Corp.Site.Blacklist.ID | string | The ID for this entry. |
SigSciences.Corp.Site.Blacklist.CreatedBy | string | The user who added this source. |
SigSciences.Corp.Site.Blacklist.CreatedDate | date | The created date timestamp. |
SigSciences.Corp.Site.Blacklist.ExpiryDate | date | The expiration timestamp. |
Command Example
!sigsci-blacklist-add-ip ip=5.7.5.7 note=docdoc siteName=demisto
Context Example
{ "SigSciences.Corp.Site.Blacklist": { "ExpiryDate": "", "Note": "docdoc", "Source": "5.7.5.7", "CreatedBy": "user@demisto.com", "CreatedDate": "2019-03-28T13:30:35Z", "ID": "5c9ccc7bf7c34301986b1d82" } }
Human Readable Output
Signal Sciences - Adding an IP to Blacklist
The IP 5.7.5.7 has been successfully added to blacklist.
Source | Note | Expiration date |
---|---|---|
5.7.5.7 | docdoc | Not Set |
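The two list commands above (sigsci-get-blacklist in section 2 and sigsci-blacklist-add-ip in section 4) are the pair a playbook uses for temporary blocks. The following added example, which is not code from the integration, builds the command arguments with a validated IP and an RFC3339 expiry, and audits sigsci-get-blacklist context for entries that never expire or have already lapsed; the second sample entry and its ID are constructed, the first is the page's own.

```python
"""Temporary blacklist entries and blacklist hygiene for the Signal Sciences integration.

Added example, not code from the integration. It builds the argument string for
sigsci-blacklist-add-ip with an RFC3339 expiry and audits the context returned by
sigsci-get-blacklist for entries that never expire or have already lapsed.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Timestamp shape used by the page's context examples (UTC, second precision).
RFC3339_UTC = "%Y-%m-%dT%H:%M:%SZ"


def parse_rfc3339(value):
    """Parse the UTC RFC3339 form used in the context examples into an aware datetime."""
    return datetime.strptime(value, RFC3339_UTC).replace(tzinfo=timezone.utc)


def _as_datetime(now):
    """Accept None (current time), an RFC3339 string, or an aware datetime."""
    if now is None:
        return datetime.now(timezone.utc)
    return parse_rfc3339(now) if isinstance(now, str) else now


def rfc3339_expiry(hours, now=None):
    """Return an RFC3339 timestamp `hours` after `now`, suitable for the expires argument."""
    if hours <= 0:
        raise ValueError("expiry must lie in the future")
    return (_as_datetime(now) + timedelta(hours=hours)).strftime(RFC3339_UTC)


def blacklist_add_command(site_name, ip, note, expires=None):
    """Build the !sigsci-blacklist-add-ip line, rejecting malformed arguments up front.

    The command takes a single IP; ipaddress.ip_address() rejects CIDR ranges and junk,
    so a bad value fails here instead of as an API error mid-playbook.
    """
    addr = ipaddress.ip_address(ip.strip())
    if not note.strip():
        raise ValueError("note is required by the command")
    # Quote the note only when it contains whitespace (Demisto CLI argument syntax).
    note_arg = 'note="%s"' % note if " " in note else "note=%s" % note
    args = ["ip=%s" % addr, note_arg, "siteName=%s" % site_name]
    if expires is not None:
        parse_rfc3339(expires)  # enforce the RFC3339 format the argument requires
        args.append("expires=%s" % expires)
    return "!sigsci-blacklist-add-ip " + " ".join(args)


def audit_blacklist(entries, now=None):
    """Classify sigsci-get-blacklist entries into (permanent, expired) lists of Source IPs.

    Permanent entries have an empty ExpiryDate; expired ones have an ExpiryDate in the
    past and are candidates for sigsci-blacklist-remove-ip.
    """
    now = _as_datetime(now)
    permanent, expired = [], []
    for entry in entries:
        expiry = entry.get("ExpiryDate") or ""
        if not expiry:
            permanent.append(entry["Source"])
        elif parse_rfc3339(expiry) <= now:
            expired.append(entry["Source"])
    return permanent, expired


# Constructed sample in the shape of the page's sigsci-get-blacklist context example:
# the first record is the page's own, the second is an invented 24-hour block.
SAMPLE_BLACKLIST = [
    {"ExpiryDate": "", "Note": "docdoc", "Source": "5.7.5.7",
     "CreatedBy": "user@demisto.com", "CreatedDate": "2019-03-28T09:52:49Z",
     "ID": "5c9c9971719dcc0198a38a5b"},
    {"ExpiryDate": "2019-03-29T09:52:49Z", "Note": "scanner, 24h block",
     "Source": "203.0.113.9", "CreatedBy": "user@demisto.com",
     "CreatedDate": "2019-03-28T09:52:49Z", "ID": "constructed-entry-id"},
]

if __name__ == "__main__":
    print(blacklist_add_command("demisto", "203.0.113.9", "scanner", rfc3339_expiry(24)))
    print(audit_blacklist(SAMPLE_BLACKLIST))
```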
5. Remove an IP address from a whitelist: sigsci-whitelist-remove-ip
Removes an IP address from a site’s whitelist, which resides on the Signal Sciences platform.
Base Command
sigsci-whitelist-remove-ip
Input
Argument Name | Description | Required |
---|---|---|
siteName | The site that contains the whitelist you want to remove an IP address from. | Required |
IP | The IP address entry to remove. | Required |
Context Output
There is no context output for this command.
Command Example
!sigsci-whitelist-remove-ip IP=4.7.4.7 siteName=demisto
6. Remove an IP address from a blacklist
Removes an IP address from a site’s blacklist, which resides on the Signal Sciences platform.
Base Command
sigsci-blacklist-remove-ip
Input
Argument Name | Description | Required |
---|---|---|
siteName | The site that contains the blacklist you want to remove an IP address from. | Required |
IP | The IP address entry to remove. | Required |
Context Output
There is no context output for this command.
Command Example
!sigsci-blacklist-remove-ip IP=6.8.6.8 siteName=demisto
7. Get all site names
Returns all site names from the Signal Sciences platform.
Base Command
sigsci-get-sites
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Site.Name | string | The site name. |
SigSciences.Site.CreatedDate | date | The site creation date. |
8. Create a list for a site
Creates a new list for a given site on the Signal Sciences platform.
Base Command
sigsci-create-site-list
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site in Signal Sciences you want to add a list to. | Required |
list_name | The name of the list to create on Signal Sciences. | Required |
list_type | The type of the list to create on Signal Sciences. Valid types are IP, String, Country, or Wildcard. | Required |
entries_list | A CSV list of values, consistent with the list’s type. | Required |
description | Short text that describes the new list. | Optional |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.List.Name | string | The name of the list. |
SigSciences.Corp.Site.List.Type | string | The type of the list. |
SigSciences.Corp.Site.List.Entries | unknown | The entry list of the list. |
SigSciences.Corp.Site.List.ID | string | The ID of the list. |
SigSciences.Corp.Site.List.Description | string | The description of the list. |
SigSciences.Corp.Site.List.CreatedBy | string | The creator of the list. |
SigSciences.Corp.Site.List.CreatedDate | string | The creation date of the list. |
SigSciences.Corp.Site.List.UpdatedDate | string | The last update date of the list. |
Command Example
!sigsci-create-site-list entries_list=56.1.1.1 list_name=sitelistdoc list_type=IP siteName=demisto
9. Get information for a site list
Returns all the data about a site list.
Base Command
sigsci-get-site-list
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site in Signal Sciences that the list you’re searching for belongs to. | Required |
list_id | The ID of the list. | Required |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.List.Name | string | The name of the list. |
SigSciences.Corp.Site.List.Type | string | The type of the list. |
SigSciences.Corp.Site.List.Entries | unknown | The entry list of the list. |
SigSciences.Corp.Site.List.ID | unknown | The ID of the list. |
SigSciences.Corp.Site.List.Description | unknown | The description of the list. |
SigSciences.Corp.Site.List.CreatedBy | unknown | The creator of the list. |
SigSciences.Corp.Site.List.CreatedDate | unknown | The creation date of the list. |
SigSciences.Corp.Site.List.UpdatedDate | unknown | The last update date of the list. |
Command Example
!sigsci-get-site-list list_id=site.sitelistdoc3 siteName=demisto
Context Example
{ "SigSciences.Corp.Site.List": { "Name": "sitelistdoc3", "CreatedDate": "2019-03-28T09:20:34Z", "UpdatedDate": "2019-03-28T09:53:01Z", "CreatedBy": "user@demisto.com", "Entries": [ "6.1.7.1", "77.8.77.8" ], "Type": "ip", "ID": "site.sitelistdoc3", "Description": "" } }
Human Readable Output
Found data about list with ID: site.sitelistdoc3
Name | ID | Type | Entries | Created By | Created Date | Updated Date |
---|---|---|---|---|---|---|
sitelistdoc3 | site.sitelistdoc3 | ip | 6.1.7.1, 77.8.77.8 | user@demisto.com | 2019-03-28T09:20:34Z | 2019-03-28T09:53:01Z |
10. Delete a site list
Deletes a site list in Signal Sciences.
Base Command
sigsci-delete-site-list
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site in Signal Sciences you want to delete a list from. | Required |
list_id | The ID of the list in Signal Sciences to delete. | Required |
Context Output
There is no context output for this command.
Command Example
!sigsci-delete-site-list list_id=site.sitelistdoc2 siteName=demisto
11. Update a site list
Updates a site list in Signal Sciences.
Base Command
sigsci-update-site-list
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site in Signal Sciences that the list to update belongs to. | Required |
list_id | The ID of the list to update. | Required |
method | The method to use, must be “Add” or “Remove”. The method will determine whether the given entries are added to or removed from the list. | Required |
entries_list | A CSV list of values, consistent with the list’s type. | Required |
description | A description for the updated list. | Optional |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.List.Name | string | The name of the list in Signal Sciences. |
SigSciences.Corp.Site.List.Type | string | The type of the list in Signal Sciences. |
SigSciences.Corp.Site.List.Entries | unknown | The entry list of the list in Signal Sciences. |
SigSciences.Corp.Site.List.ID | string | The ID of the list in Signal Sciences. |
SigSciences.Corp.Site.List.Description | string | The description of the list in Signal Sciences. Maximum is 140 characters. |
SigSciences.Corp.Site.List.CreatedBy | string | The creator of the list in Signal Sciences. |
SigSciences.Corp.Site.List.CreatedDate | string | The creation date of the list in Signal Sciences. |
SigSciences.Corp.Site.List.UpdatedDate | string | The last update date of the list in Signal Sciences. |
Command Example
!sigsci-update-site-list entries_list=77.8.77.8 list_id=site.sitelistdoc3 method=Add siteName=demisto
Context Example
{ "SigSciences.Corp.Site.List": { "Name": "sitelistdoc3", "CreatedDate": "2019-03-28T09:20:34Z", "UpdatedDate": "2019-03-28T09:53:01Z", "CreatedBy": "user@demisto.com", "Entries": [ "6.1.7.1", "77.8.77.8" ], "Type": "ip", "ID": "site.sitelistdoc3", "Description": "" } }
Human Readable Output
Signal Sciences - Updating a list
Name | ID | Type | Entries | Created By | Created Date | Updated Date |
---|---|---|---|---|---|---|
sitelistdoc3 | site.sitelistdoc3 | ip | 6.1.7.1, 77.8.77.8 | user@demisto.com | 2019-03-28T09:20:34Z | 2019-03-28T09:53:01Z |
12. Add an alert to a site
Adds a custom alert to a site in Signal Sciences.
Base Command
sigsci-add-alert
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site to add an alert to. | Required |
long_name | A human readable description of the alert. Must be between 3 and 25 characters. | Required |
interval | The number of minutes of past traffic to examine. Must be 1, 10 or 60. | Required |
tag_name | The name of the tag whose occurrences the alert is watching. Must match an existing tag. | Required |
threshold | The number of occurrences of the tag in the specified interval that are required to trigger the alert. | Required |
enabled | A flag to toggle this alert (“True” or “False”). | Required |
action | A flag that describes what happens when the alert is triggered. “info” creates an incident in the dashboard. “flagged” creates an incident and blocks traffic for 24 hours. | Required |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.Alert.ID | string | The unique ID of the alert. |
SigSciences.Corp.Site.Alert.SiteID | string | The ID of the site. |
SigSciences.Corp.Site.Alert.TagName | string | The name of the tag whose occurrences the alert is watching. |
SigSciences.Corp.Site.Alert.LongName | string | A short description of the alert. |
SigSciences.Corp.Site.Alert.Interval | number | The number of minutes of past traffic to examine. |
SigSciences.Corp.Site.Alert.Threshold | number | The number of occurrences of the tag in the specified interval that are required to trigger the alert. |
SigSciences.Corp.Site.Alert.BlockDurationSeconds | number | The number of seconds that this alert is active. |
SigSciences.Corp.Site.Alert.SkipNotifications | boolean | A flag to disable external notifications - Slack, webhooks, emails, and so on. |
SigSciences.Corp.Site.Alert.Enabled | boolean | A flag to toggle this alert. |
SigSciences.Corp.Site.Alert.Action | string | A flag that describes what happens when the alert is triggered. |
SigSciences.Corp.Site.Alert.CreatedDate | date | The timestamp of the event (RFC3339 format). |
Command Example
!sigsci-add-alert action='info' enabled=False interval=60 long_name=tttt siteName=demisto tag_name=USERAGENT threshold=100
13. Get information for an alert
Retrieves data for an alert.
Base Command
sigsci-get-alert
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site the alert you want to get data for belongs to. | Required |
alert_id | The ID of the alert to retrieve. | Required |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.Alert.ID | string | The unique ID of the alert. |
SigSciences.Corp.Site.Alert.SiteID | string | The ID of the site. |
SigSciences.Corp.Site.Alert.TagName | string | The name of the tag whose occurrences the alert is watching. |
SigSciences.Corp.Site.Alert.LongName | string | A short description of the alert. |
SigSciences.Corp.Site.Alert.Interval | number | The number of minutes of past traffic to examine. |
SigSciences.Corp.Site.Alert.Threshold | number | The number of occurrences of the tag in the specified interval that are required to trigger the alert. |
SigSciences.Corp.Site.Alert.BlockDurationSeconds | number | The number of seconds this alert is active. |
SigSciences.Corp.Site.Alert.SkipNotifications | boolean | A flag to disable external notifications - Slack, webhooks, emails, and so on. |
SigSciences.Corp.Site.Alert.Enabled | boolean | A flag to toggle this alert. |
SigSciences.Corp.Site.Alert.Action | string | A flag that describes what happens when the alert is triggered. |
SigSciences.Corp.Site.Alert.CreatedDate | date | The timestamp of the event (RFC3339 format). |
Command Example
!sigsci-get-alert alert_id=5b8ba7fd7a54b34f0c0f12cc siteName=demisto
14. Delete an alert from a site
Deletes an alert from a given site in Signal Sciences.
Base Command
sigsci-delete-alert
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site to delete an alert from. | Required |
alert_id | The ID of the alert to delete. | Required |
Context Output
There is no context output for this command.
Command Example
!sigsci-delete-alert alert_id=5b8ba7fd7a54b34f0c0f12cc siteName=demisto
15. Update attributes for an alert
Updates the attributes of a given alert.
Base Command
sigsci-update-alert
Input
Argument Name | Description | Required |
---|---|---|
siteName | The site of the alert to update. | Required |
alert_id | The ID of the alert to update. | Required |
tag_name | The name of the tag whose occurrences the alert is watching. | Required |
long_name | A human readable description of the alert. Must be between 3 and 25 characters. | Required |
interval | The number of minutes of past traffic to examine. | Required |
threshold | The number of occurrences of the tag in the specified interval that are required to trigger the alert. | Required |
enabled | A flag to toggle this alert. | Required |
action | A flag that describes what happens when the alert is triggered. “info” creates an incident in the dashboard. “flagged” creates an incident and blocks traffic for 24 hours. | Required |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.Alert.ID | string | The unique ID of the alert. |
SigSciences.Corp.Site.Alert.SiteID | string | The ID of the site. |
SigSciences.Corp.Site.Alert.TagName | string | The name of the tag whose occurrences the alert is watching. |
SigSciences.Corp.Site.Alert.LongName | string | A short description of the alert. |
SigSciences.Corp.Site.Alert.Interval | number | The number of minutes of past traffic to examine. |
SigSciences.Corp.Site.Alert.Threshold | number | The number of occurrences of the tag in the specified interval that are required to trigger the alert. |
SigSciences.Corp.Site.Alert.BlockDurationSeconds | number | The number of seconds that this alert is active. |
SigSciences.Corp.Site.Alert.SkipNotifications | boolean | A flag to disable external notifications - Slack, webhooks, emails, and so on. |
SigSciences.Corp.Site.Alert.Enabled | boolean | A flag to toggle this alert. |
SigSciences.Corp.Site.Alert.Action | string | A flag that describes what happens when the alert is triggered. |
SigSciences.Corp.Site.Alert.CreatedDate | date | The timestamp of the event (RFC3339 format). |
Command Example
!sigsci-update-alert action=flagged alert_id=5c9c8f35c7213901971d2e5a enabled=False interval=10 long_name=ggggg siteName=demisto tag_name=SQLI threshold=40
Context Example
{ "SigSciences.Corp.Site.Alert": { "LongName": "ggggg", "SkipNotifications": "", "Interval": 10, "Enabled": true, "Threshold": 40, "SiteID": "", "TagName": "SQLI", "CreatedDate": "2019-03-28T09:09:09Z", "Action": "flagged", "ID": "5c9c8f35c7213901971d2e5a", "BlockDurationSeconds": "" } }
Human Readable Output
Updated alert 5c9c8f35c7213901971d2e5a. new values:
ID | Created Date | Tag Name | Action | Long Name | Interval (In Minutes) | Threshold | Enabled |
---|---|---|---|---|---|---|---|
5c9c8f35c7213901971d2e5a | 2019-03-28T09:09:09Z | SQLI | flagged | ggggg | 10 | 40 | true |
16. Get all alerts for a site
Retrieves all alerts for a given site.
Base Command
sigsci-get-all-alerts
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site to get alerts for. | Required |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.Alert.ID | string | The unique ID of the alert. |
SigSciences.Corp.Site.Alert.SiteID | string | The ID of the site. |
SigSciences.Corp.Site.Alert.TagName | string | The name of the tag whose occurrences the alert is watching. |
SigSciences.Corp.Site.Alert.LongName | string | A short description of the alert. |
SigSciences.Corp.Site.Alert.Interval | number | The number of minutes of past traffic to examine. |
SigSciences.Corp.Site.Alert.Threshold | number | The number of occurrences of the tag in the specified interval that are required to trigger the alert. |
SigSciences.Corp.Site.Alert.BlockDurationSeconds | number | The number of seconds this alert is active. |
SigSciences.Corp.Site.Alert.SkipNotifications | boolean | A flag to disable external notifications - Slack, webhooks, emails, and so on. |
SigSciences.Corp.Site.Alert.Enabled | boolean | A flag to toggle this alert. |
SigSciences.Corp.Site.Alert.Action | string | A flag that describes what happens when the alert is triggered. |
SigSciences.Corp.Site.Alert.CreatedDate | date | The timestamp of the event (RFC3339 format). |
Command Example
!sigsci-get-all-alerts siteName=demisto
Context Example
{ "SigSciences.Corp.Site.Alert": [ { "LongName": "ggggg", "SkipNotifications": "", "Interval": 10, "Enabled": true, "Threshold": 40, "SiteID": "", "TagName": "SQLI", "CreatedDate": "2019-03-28T09:09:09Z", "Action": "flagged", "ID": "5c9c8f35c7213901971d2e5a", "BlockDurationSeconds": "" }, { "LongName": "The site's Online Agent count is zero", "SkipNotifications": "", "Interval": 5, "Enabled": false, "Threshold": 0, "SiteID": "", "TagName": "agent_count", "CreatedDate": "2018-08-30T21:00:03Z", "Action": "siteMetricInfo", "ID": "5b885ad33be3360a3f80237c", "BlockDurationSeconds": 21600 }, { "LongName": "The average RPS across all agents is less than 10", "SkipNotifications": "", "Interval": 5, "Enabled": false, "Threshold": 3000, "SiteID": "", "TagName": "requests_total", "CreatedDate": "2018-08-30T21:00:03Z", "Action": "siteMetricInfo", "ID": "5b885ad33be3360a3f80237b", "BlockDurationSeconds": 21600 } ] }
Human Readable Output
Signal Sciences - Alert list
Number of alerts in site: 3
ID | Created Date | Tag Name | Action | Long Name | Interval (In Minutes) | Threshold | Block Duration Seconds | Enabled |
---|---|---|---|---|---|---|---|---|
5c9c8f35c7213901971d2e5a | 2019-03-28T09:09:09Z | SQLI | flagged | ggggg | 10 | 40 | | true |
5b885ad33be3360a3f80237c | 2018-08-30T21:00:03Z | agent_count | siteMetricInfo | The site’s Online Agent count is zero | 5 | 0 | 21600 | false |
5b885ad33be3360a3f80237b | 2018-08-30T21:00:03Z | requests_total | siteMetricInfo | The average RPS across all agents is less than 10 | 5 | 3000 | 21600 | false |
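Sections 12 and 16 together define what a custom alert may look like and how to read the alerts a site already has. The following added example, not code from the integration, checks sigsci-add-alert arguments against the constraints the reference states before the command is issued, and picks out of sigsci-get-all-alerts context the enabled "flagged" alerts, since those are the ones that block traffic when they fire. The sample alert records are copied from the page's context example; the threshold rule (non-negative integer) is an assumption.

```python
"""Guard rails for sigsci-add-alert and an audit of sigsci-get-all-alerts output.

Added example, not code from the integration. The constraints are the ones the command
reference states: long_name 3-25 characters, interval 1, 10 or 60 minutes, enabled "True"
or "False", action "info" or "flagged" ("flagged" also blocks traffic for 24 hours).
"""
VALID_INTERVALS = (1, 10, 60)
VALID_ACTIONS = ("info", "flagged")
VALID_ENABLED = ("True", "False")


def validate_alert_args(site_name, long_name, interval, tag_name, threshold, enabled, action):
    """Return a list of violations; an empty list means the arguments satisfy the rules."""
    errors = []
    if not site_name:
        errors.append("siteName is required")
    if not 3 <= len(long_name) <= 25:
        errors.append("long_name must be 3-25 characters")
    if interval not in VALID_INTERVALS:
        errors.append("interval must be 1, 10 or 60")
    if not tag_name:
        errors.append("tag_name must name an existing tag")
    # Assumption: a non-negative integer; the reference only says it is a count.
    if isinstance(threshold, bool) or not isinstance(threshold, int) or threshold < 0:
        errors.append("threshold must be a non-negative integer")
    if enabled not in VALID_ENABLED:
        errors.append('enabled must be "True" or "False"')
    if action not in VALID_ACTIONS:
        errors.append('action must be "info" or "flagged"')
    return errors


def add_alert_command(site_name, long_name, interval, tag_name, threshold, enabled, action):
    """Build the !sigsci-add-alert line; refuse to build it when validation fails."""
    errors = validate_alert_args(site_name, long_name, interval, tag_name,
                                 threshold, enabled, action)
    if errors:
        raise ValueError("; ".join(errors))
    return ("!sigsci-add-alert action=%s enabled=%s interval=%d long_name=%s "
            "siteName=%s tag_name=%s threshold=%d"
            % (action, enabled, interval, long_name, site_name, tag_name, threshold))


def blocking_alerts(alerts):
    """IDs of enabled alerts whose action is "flagged", i.e. the ones that block traffic.

    `alerts` is the list under SigSciences.Corp.Site.Alert from sigsci-get-all-alerts.
    """
    return [a["ID"] for a in alerts
            if a.get("Enabled") is True and a.get("Action") == "flagged"]


# Alert records copied from the page's sigsci-get-all-alerts context example.
SAMPLE_ALERTS = [
    {"LongName": "ggggg", "SkipNotifications": "", "Interval": 10, "Enabled": True,
     "Threshold": 40, "SiteID": "", "TagName": "SQLI", "CreatedDate": "2019-03-28T09:09:09Z",
     "Action": "flagged", "ID": "5c9c8f35c7213901971d2e5a", "BlockDurationSeconds": ""},
    {"LongName": "The site's Online Agent count is zero", "SkipNotifications": "",
     "Interval": 5, "Enabled": False, "Threshold": 0, "SiteID": "", "TagName": "agent_count",
     "CreatedDate": "2018-08-30T21:00:03Z", "Action": "siteMetricInfo",
     "ID": "5b885ad33be3360a3f80237c", "BlockDurationSeconds": 21600},
    {"LongName": "The average RPS across all agents is less than 10", "SkipNotifications": "",
     "Interval": 5, "Enabled": False, "Threshold": 3000, "SiteID": "",
     "TagName": "requests_total", "CreatedDate": "2018-08-30T21:00:03Z",
     "Action": "siteMetricInfo", "ID": "5b885ad33be3360a3f80237b",
     "BlockDurationSeconds": 21600},
]

if __name__ == "__main__":
    print(add_alert_command("demisto", "tttt", 60, "USERAGENT", 100, "False", "info"))
    print(blocking_alerts(SAMPLE_ALERTS))
```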
17. Get all lists for a site
Retrieves all site lists for a given site.
Base Command
sigsci-get-all-site-lists
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site to retrieve lists for. | Required |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.List.Name | string | The name of the list in Signal Sciences. |
SigSciences.Corp.Site.List.Type | string | The type of the list in Signal Sciences. |
SigSciences.Corp.Site.List.Entries | unknown | The entry list of the list in Signal Sciences. |
SigSciences.Corp.Site.List.ID | string | The ID of the list in Signal Sciences. |
SigSciences.Corp.Site.List.Description | string | The description of the list in Signal Sciences. Maximum is 140 characters. |
SigSciences.Corp.Site.List.CreatedBy | string | The creator of the list in Signal Sciences. |
SigSciences.Corp.Site.List.CreatedDate | string | The creation date of the list in Signal Sciences. |
SigSciences.Corp.Site.List.UpdatedDate | string | The last update date of the list in Signal Sciences. |
Command Example
!sigsci-get-all-site-lists siteName=demisto
Context Example
{ "SigSciences.Corp.Site.List": [ { "Name": "sitelistdoc", "CreatedDate": "2019-03-28T09:52:55Z", "UpdatedDate": "2019-03-28T09:52:55Z", "CreatedBy": "user@demisto.com", "Entries": [ "56.1.1.1" ], "Type": "ip", "ID": "site.sitelistdoc", "Description": "" }, { "Name": "sitelistdoc3", "CreatedDate": "2019-03-28T09:20:34Z", "UpdatedDate": "2019-03-28T13:30:41Z", "CreatedBy": "user@demisto.com", "Entries": [ "6.1.7.1", "77.8.77.8" ], "Type": "ip", "ID": "site.sitelistdoc3", "Description": "" } ] }
Human Readable Output
Signal Sciences - list of site lists
Number of site lists in site: 2
Name | ID | Type | Entries | Created By | Created Date | Updated Date |
---|---|---|---|---|---|---|
sitelistdoc | site.sitelistdoc | ip | 56.1.1.1 | user@demisto.com | 2019-03-28T09:52:55Z | 2019-03-28T09:52:55Z |
sitelistdoc3 | site.sitelistdoc3 | ip | 6.1.7.1, 77.8.77.8 | user@demisto.com | 2019-03-28T09:20:34Z | 2019-03-28T13:30:41Z |
18. Create a corp list
Creates a new corp list.
Base Command
sigsci-create-corp-list
Input
Argument Name | Description | Required |
---|---|---|
list_name | A name for the new list. | Required |
list_type | The type for the new list (“IP”, “String”, “Country”, or “Wildcard”). | Required |
entries_list | A CSV list of values, consistent with the list’s type. | Required |
description | Short text that describes the new list. | Optional |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.List.Name | string | The name of the list. |
SigSciences.Corp.List.Type | string | The type of the list. |
SigSciences.Corp.List.Entries | unknown | The entry list of the list. |
SigSciences.Corp.List.ID | string | The ID of the list. |
SigSciences.Corp.List.Description | string | The description of the list. |
SigSciences.Corp.List.CreatedBy | string | The creator of the list. |
SigSciences.Corp.List.CreatedDate | string | The creation date of the list. |
SigSciences.Corp.List.UpdatedDate | string | The last update date of the list. |
Command Example
!sigsci-create-corp-list entries_list=3.5.3.5 list_name=fordoc list_type=IP
19. Get information for a corp list
Retrieves all data about a given corp list.
Base Command
sigsci-get-corp-list
Input
Argument Name | Description | Required |
---|---|---|
list_id | The ID of the list to get data for. | Required |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.List.Name | unknown | The name of the list. |
SigSciences.Corp.List.Type | unknown | The type of the list. |
SigSciences.Corp.List.Entries | unknown | The entry list of the list. |
SigSciences.Corp.List.ID | unknown | The ID of the list. |
SigSciences.Corp.List.Description | unknown | The description of the list. |
SigSciences.Corp.List.CreatedBy | unknown | The creator of the list. |
SigSciences.Corp.List.CreatedDate | unknown | The creation date of the list. |
SigSciences.Corp.List.UpdatedDate | unknown | The last update date of the list. |
Command Example
!sigsci-get-corp-list list_id=corp.fordoc2
Context Example
{ "SigSciences.Corp.List": { "Name": "fordoc2", "CreatedDate": "2019-03-28T09:14:43Z", "UpdatedDate": "2019-03-28T09:53:14Z", "CreatedBy": "user@demisto.com", "Entries": [ "44.2.44.2", "55.7.55.7" ], "Type": "ip", "ID": "corp.fordoc2", "Description": "" } }
Human Readable Output
Found data about list with ID: corp.fordoc2
Name | ID | Type | Entries | Created By | Created Date | Updated Date |
---|---|---|---|---|---|---|
fordoc2 | corp.fordoc2 | ip | 44.2.44.2, 55.7.55.7 | user@demisto.com | 2019-03-28T09:14:43Z | 2019-03-28T09:53:14Z |
20. Delete a corp list
Deletes a given corp list.
Base Command
sigsci-delete-corp-list
Input
Argument Name | Description | Required |
---|---|---|
list_id | The ID of the list to delete. | Required |
Context Output
There is no context output for this command.
Command Example
!sigsci-delete-corp-list list_id=corp.maya
21. Update a corp list
Updates (adds or removes) entries for a given corp list.
Base Command
sigsci-update-corp-list
Input
Argument Name | Description | Required |
---|---|---|
list_id | The ID of the list to update. | Required |
method | The method to use, must be “Add” or “Remove”. The method determines whether the given entries are added to or removed from the list. | Required |
entries_list | A CSV list of values, consistent with the list’s type. | Required |
description | A description for the updated list. | Optional |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.List.Name | unknown | The name of the list. |
SigSciences.Corp.List.Type | unknown | The type of the list. |
SigSciences.Corp.List.Entries | unknown | The entry list of the list. |
SigSciences.Corp.List.ID | unknown | The ID of the list. |
SigSciences.Corp.List.Description | unknown | The description of the list. |
SigSciences.Corp.List.CreatedBy | unknown | The creator of the list. |
SigSciences.Corp.List.CreatedDate | unknown | The creation date of the list. |
SigSciences.Corp.List.UpdatedDate | unknown | The last update date of the list. |
Command Example
!sigsci-update-corp-list entries_list=55.7.55.7 list_id=corp.fordoc2 method=Add
Context Example
{ "SigSciences.Corp.List": { "Name": "fordoc2", "CreatedDate": "2019-03-28T09:14:43Z", "UpdatedDate": "2019-03-28T09:53:14Z", "CreatedBy": "user@demisto.com", "Entries": [ "44.2.44.2", "55.7.55.7" ], "Type": "ip", "ID": "corp.fordoc2", "Description": "" } }
Human Readable Output
Signal Sciences - Updating a list
Name | ID | Type | Entries | Created By | Created Date | Updated Date |
---|---|---|---|---|---|---|
fordoc2 | corp.fordoc2 | ip | 44.2.44.2, 55.7.55.7 | user@demisto.com | 2019-03-28T09:14:43Z | 2019-03-28T09:53:14Z |
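As an added example (not code from the Signal Sciences integration or this documentation), the following Python helper checks the entries_list argument against the list's type before sigsci-update-corp-list is issued, builds the command line in the form shown above, and computes the entries the list is expected to hold afterward. The existing list is a constructed sample taken from the context example above; the validation of non-"ip" list types is an assumption, since the page documents only the "ip" type.

```python
import ipaddress

# Constructed sample: corp list "corp.fordoc2" (type "ip") before the Add shown on the page.
EXISTING_LIST = {"ID": "corp.fordoc2", "Type": "ip", "Entries": ["44.2.44.2"]}


def validate_entries(list_type, entries_list):
    """Split the comma-separated entries_list and check each value against the list type.
    Only "ip" lists are validated here (IPs or CIDR ranges); other types pass through,
    which is an assumption, not documented behaviour."""
    entries = [e.strip() for e in entries_list.split(",") if e.strip()]
    if not entries:
        raise ValueError("entries_list must contain at least one value")
    if list_type == "ip":
        for entry in entries:
            ipaddress.ip_network(entry, strict=False)  # raises ValueError on a bad entry
    return entries


def build_command(list_id, method, entries):
    """Render the Demisto command line for the update, matching the documented example."""
    if method not in ("Add", "Remove"):
        raise ValueError('method must be "Add" or "Remove"')
    return (f"!sigsci-update-corp-list entries_list={','.join(entries)} "
            f"list_id={list_id} method={method}")


def apply_update(corp_list, method, entries_list):
    """Return the entries the list should hold after the update, following the page's
    semantics: Add appends new values, Remove deletes matching ones. The API is not called."""
    entries = validate_entries(corp_list["Type"], entries_list)
    current = list(corp_list["Entries"])
    if method == "Add":
        current.extend(e for e in entries if e not in current)
    elif method == "Remove":
        current = [c for c in current if c not in entries]
    else:
        raise ValueError('method must be "Add" or "Remove"')
    return current
```

Running the validation locally keeps a typo from landing in a corp-wide blocklist or allowlist, where a malformed or overly broad entry has immediate effect on every site.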
22. Get information for all lists of a corp
Retrieves data about all lists for the given corp.
Base Command
sigsci-get-all-corp-lists
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.List.Name | unknown | The name of the list. |
SigSciences.Corp.List.Type | unknown | The type of the list. |
SigSciences.Corp.List.Entries | unknown | The entry list of the list. |
SigSciences.Corp.List.ID | unknown | The ID of the list. |
SigSciences.Corp.List.Description | unknown | The description of the list. |
SigSciences.Corp.List.CreatedBy | unknown | The creator of the list. |
SigSciences.Corp.List.CreatedDate | unknown | The creation date of the list. |
SigSciences.Corp.List.UpdatedDate | unknown | The last update date of the list. |
23. Get a list of events
Fetches events from Signal Sciences.
Base Command
sigsci-fetch-events
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site to fetch events from. | Required |
from_time | The POSIX (Unix epoch) time to start from. | Optional |
until_time | The POSIX (Unix epoch) time to end at. | Optional |
sort | The sort order (“asc” or “desc”). | Optional |
since_id | The ID of the first object in the set. | Optional |
max_id | The ID of the last object in the set. | Optional |
limit | The maximum number of entries to return. | Optional |
page | The page of the results. | Optional |
action | The action to filter by (‘flagged’ or ‘info’). | Optional |
tag | The tag to filter by. Must be a valid tag name. | Optional |
ip | The IP address to filter by. | Optional |
status | The status to filter by (“active” or “expired”). | Optional |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.Event.ID | string | The unique ID of the event. |
SigSciences.Corp.Site.Event.Timestamp | date | The timestamp of the event (RFC3339 format). |
SigSciences.Corp.Site.Event.Source | string | The source information, for example, “IP”. |
SigSciences.Corp.Site.Event.RemoteCountryCode | string | The country code. |
SigSciences.Corp.Site.Event.RemoteHostname | string | The remote hostname. |
SigSciences.Corp.Site.Event.UserAgents | unknown | An array of user agents. |
SigSciences.Corp.Site.Event.Action | unknown | If “flagged”, the IP address is flagged and subsequent malicious requests will be blocked. If “info”, the IP address is flagged and subsequent requests will be logged. |
SigSciences.Corp.Site.Event.Reasons | unknown | The reason the event was triggered. |
SigSciences.Corp.Site.Event.RequestCount | number | The total number of requests. |
SigSciences.Corp.Site.Event.TagCount | number | The total number of tags. |
SigSciences.Corp.Site.Event.Window | number | The time window (in seconds) when the items were detected. |
SigSciences.Corp.Site.Event.DateExpires | string | The date the event expires (RFC3339 format). |
SigSciences.Corp.Site.Event.ExpiredBy | string | The email address of the user that expired the event (if the event is expired manually). |
24. Get an event by event ID
Retrieves an event by the event ID.
Base Command
sigsci-get-event-by-id
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site to get the event from. | Required |
event_id | The ID of the event. | Required |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.Event.ID | unknown | The unique ID of the event. |
SigSciences.Corp.Site.Event.Timestamp | unknown | The timestamp of the event (RFC3339 format). |
SigSciences.Corp.Site.Event.Source | unknown | The source information, for example, “IP”. |
SigSciences.Corp.Site.Event.RemoteCountryCode | unknown | The country code. |
SigSciences.Corp.Site.Event.RemoteHostname | unknown | The remote hostname. |
SigSciences.Corp.Site.Event.UserAgents | unknown | An array of user agents. |
SigSciences.Corp.Site.Event.Action | unknown | If “flagged”, the IP address is flagged and subsequent malicious requests will be blocked. If “info”, the IP address is flagged and subsequent requests will be logged. |
SigSciences.Corp.Site.Event.Reasons | unknown | The reason the event was triggered. |
SigSciences.Corp.Site.Event.RequestCount | unknown | The total number of requests. |
SigSciences.Corp.Site.Event.TagCount | unknown | The total number of tags. |
SigSciences.Corp.Site.Event.Window | unknown | The time window (in seconds) when the items were detected. |
SigSciences.Corp.Site.Event.DateExpires | unknown | The date the event expires (RFC3339 format). |
SigSciences.Corp.Site.Event.ExpiredBy | unknown | The email address of the user that expired the event (if the event is expired manually). |
25. Expire an event
Expires a given event.
Base Command
sigsci-expire-event
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site to expire an event from. | Required |
event_id | The ID of the event to expire. | Required |
26. Get requests for a site
Retrieves requests from a given site according to a search query.
Base Command
sigsci-get-requests
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site to get requests from. | Required |
page | The page of the results. Maximum is 1000 requests. | Optional |
limit | The number of entries to return. | Optional |
q | The search query, in Signal Sciences syntax. If a query is not supplied, no requests will be returned. | Optional |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.Request.ID | unknown | The unique ID of the request. |
SigSciences.Corp.Site.Request.ServerHostName | unknown | The server hostname. |
SigSciences.Corp.Site.Request.RemoteIP | unknown | The remote IP address. |
SigSciences.Corp.Site.Request.RemoteHostName | unknown | The remote hostname. |
SigSciences.Corp.Site.Request.RemoteCountryCode | unknown | The remote country code. |
SigSciences.Corp.Site.Request.UserAgent | unknown | The user agent of the request. |
SigSciences.Corp.Site.Request.Timestamp | unknown | The timestamp (RFC3339 format). |
SigSciences.Corp.Site.Request.Method | unknown | The HTTP method, for example, “PUT”. |
SigSciences.Corp.Site.Request.ServerName | unknown | The server name. |
SigSciences.Corp.Site.Request.Protocol | unknown | The HTTP protocol, for example, “HTTP/1.1” . |
SigSciences.Corp.Site.Request.Path | unknown | The path. |
SigSciences.Corp.Site.Request.URI | unknown | The URI. |
SigSciences.Corp.Site.Request.ResponseCode | unknown | The HTTP response code. |
SigSciences.Corp.Site.Request.ResponseSize | unknown | The HTTP response size. |
SigSciences.Corp.Site.Request.ResponseMillis | unknown | The response time in milliseconds. |
SigSciences.Corp.Site.Request.AgentResponseCode | unknown | The agent response code. |
SigSciences.Corp.Site.Request.Tags | unknown | The array of relevant tags. |
27. Get a request by request ID
Retrieves a request by request ID.
Base Command
sigsci-get-request-by-id
Input
Argument Name | Description | Required |
---|---|---|
siteName | The name of the site to get from. | Required |
request_id | The ID of the request to get. | Required |
Context Output
Path | Type | Description |
---|---|---|
SigSciences.Corp.Site.Request.ID | unknown | The unique ID of the request. |
SigSciences.Corp.Site.Request.ServerHostName | unknown | The server hostname. |
SigSciences.Corp.Site.Request.RemoteIP | unknown | The remote IP address. |
SigSciences.Corp.Site.Request.RemoteHostName | unknown | The remote hostname. |
SigSciences.Corp.Site.Request.RemoteCountryCode | unknown | The remote country code. |
SigSciences.Corp.Site.Request.UserAgent | unknown | The user agent of the request. |
SigSciences.Corp.Site.Request.Timestamp | unknown | The timestamp (RFC3339 format). |
SigSciences.Corp.Site.Request.Method | unknown | The HTTP method, for example, “PUT”. |
SigSciences.Corp.Site.Request.ServerName | unknown | The server name. |
SigSciences.Corp.Site.Request.Protocol | unknown | The HTTP protocol, for example “HTTP/1.1”. |
SigSciences.Corp.Site.Request.Path | unknown | The path. |
SigSciences.Corp.Site.Request.URI | unknown | The URI. |
SigSciences.Corp.Site.Request.ResponseCode | unknown | The HTTP response code. |
SigSciences.Corp.Site.Request.ResponseSize | unknown | The HTTP response size. |
SigSciences.Corp.Site.Request.ResponseMillis | unknown | The response time in milliseconds. |
SigSciences.Corp.Site.Request.AgentResponseCode | unknown | The agent response code. |
SigSciences.Corp.Site.Request.Tags | unknown | An array of relevant tags. |