Signal Sciences WAF

Use the Signal Sciences next-gen web application firewall to increase security and maintain reliability.

Configure Signal Sciences WAF on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Signal Sciences WAF.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Email
    • Token
    • Corporation Name (should match the pattern [0-9a-z_.-]+)
    • Fetch incidents
    • Incident type
    • Fetch Interval (in minutes)
    • CSV list of sites to fetch from. If no sites are specified, events from all corporation’s sites will be fetched.
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get a site’s whitelist: sigsci-get-whitelist
  2. Get a site’s blacklist: sigsci-get-blacklist
  3. Add an IP address to a whitelist: sigsci-whitelist-add-ip
  4. Add an IP address to a blacklist: sigsci-blacklist-add-ip
  5. Remove an IP address from a whitelist: sigsci-whitelist-remove-ip
  6. Remove an IP address from a blacklist: sigsci-blacklist-remove-ip
  7. Get all site names: sigsci-get-sites
  8. Create a list for a site: sigsci-create-site-list
  9. Get information for a site list: sigsci-get-site-list
  10. Delete a site list: sigsci-delete-site-list
  11. Update a site list: sigsci-update-site-list
  12. Add an alert to a site: sigsci-add-alert
  13. Get information for an alert: sigsci-get-alert
  14. Delete an alert from a site: sigsci-delete-alert
  15. Update attributes for an alert: sigsci-update-alert
  16. Get all alerts for a site: sigsci-get-all-alerts
  17. Get all lists for a site: sigsci-get-all-site-lists
  18. Create a corp list: sigsci-create-corp-list
  19. Get information for a corp list: sigsci-get-corp-list
  20. Delete a corp list: sigsci-delete-corp-list
  21. Update a corp list: sigsci-update-corp-list
  22. Get information for all lists of a corp: sigsci-get-all-corp-lists
  23. Get a list of events: sigsci-fetch-events
  24. Get an event by event ID: sigsci-get-event-by-id
  25. Expire an event: sigsci-expire-event
  26. Get requests for a site: sigsci-get-requests
  27. Get a request by request ID: sigsci-get-request-by-id

1. Get a site’s whitelist

Fetches a site’s whitelist, which resides on the Signal Sciences’ platform.

Base Command

sigsci-get-whitelist

Input
Argument Name Description Required
siteName The site that holds the whitelist you want to get. Required

Context Output
Path Type Description
SigSciences.Corp.Site.Whitelist.ID string ID for this particular entry.
SigSciences.Corp.Site.Whitelist.Source string IP Address present in the whitelist.
SigSciences.Corp.Site.Whitelist.ExpiryDate date Expiration Timestamp.
SigSciences.Corp.Site.Whitelist.Note string Note associated with the tag.
SigSciences.Corp.Site.Whitelist.CreatedDate date The created date timestamp
SigSciences.Corp.Site.Whitelist.CreatedBy string The user who added this source.

Command Example 
!sigsci-get-whitelist siteName=demisto
Context Example 
{
    "SigSciences.Corp.Site.Whitelist": [
        {
            "ExpiryDate": "", 
            "Note": "docdoc", 
            "Source": "9.7.9.7", 
            "CreatedBy": "user@demisto.com", 
            "CreatedDate": "2019-03-28T09:52:47Z", 
            "ID": "5c9c996fc7213901971d5679"
        }
    ]
}
Human Readable Output

Signal Sciences - Whitelist

Number of IPs in the Whitelist 1

Source Note Created Date Created By
9.7.9.7 docdoc 2019-03-28T09:52:47Z user@demisto.com

2. Get a site’s blacklist: sigsci-get-blacklist

Fetches a site’s blacklist, which resides on the Signal Sciences’ platform.

Base Command

sigsci-get-blacklist

Input
Argument Name Description Required
siteName The site that holds the blacklist you wish to get Required

Context Output
Path Type Description
SigSciences.Corp.Site.Blacklist.ID string The ID for this entry.
SigSciences.Corp.Site.Blacklist.Source string The IP address on the blacklist.
SigSciences.Corp.Site.Blacklist.ExpiryDate date The expiration timestamp.
SigSciences.Corp.Site.Blacklist.Note string The note associated with the tag.
SigSciences.Corp.Site.Blacklist.CreatedDate date The created date timestamp.
SigSciences.Corp.Site.Blacklist.CreatedBy string The user who added this source.

Command Example 
!sigsci-get-blacklist siteName=demisto
Context Example 
{
    "SigSciences.Corp.Site.Blacklist": [
        {
            "ExpiryDate": "", 
            "Note": "docdoc", 
            "Source": "5.7.5.7", 
            "CreatedBy": "user@demisto.com", 
            "CreatedDate": "2019-03-28T09:52:49Z", 
            "ID": "5c9c9971719dcc0198a38a5b"
        }
    ]
}
Human Readable Output

Signal Sciences - Blacklist

Number of IPs in the Blacklist 1

Source Note Created Date Created By
5.7.5.7 docdoc 2019-03-28T09:52:49Z user@demisto.com

3. Add an IP address to a whitelist: sigsci-whitelist-add-ip

Adds an IP address to a site’s whitelist, which resides the Signal Sciences’ platform.

Base Command

sigsci-whitelist-add-ip

Input
Argument Name Description Required
siteName The site that holds the whitelist you want to add an IP address to. Required
ip The IP address to add to the site’s whitelist. Required
note The note associated with the tag. Required
expires The datetime for the IP address to removed from the site’s whitelist (in RFC3339 format). To keep the IP address on the site’s whitelist indefinitely, do not specify this argument. Optional

Context Output
Path Type Description
SigSciences.Corp.Site.Whitelist.Source string The IP address on the whitelist.
SigSciences.Corp.Site.Whitelist.Note string The note associated with the tag.
SigSciences.Corp.Site.Whitelist.ID string The ID for this entry.
SigSciences.Corp.Site.Whitelist.CreatedBy string The user who added this source.
SigSciences.Corp.Site.Whitelist.CreatedDate date The created date timestamp
SigSciences.Corp.Site.Whitelist.ExpiryDate date The expiration timestamp.

Command Example 
!sigsci-whitelist-add-ip ip=9.7.9.7 note=docdoc siteName=demisto
Context Example 
{
    "SigSciences.Corp.Site.Whitelist": {
        "ExpiryDate": "", 
        "Note": "docdoc", 
        "Source": "9.7.9.7", 
        "CreatedBy": "user@demisto.com", 
        "CreatedDate": "2019-03-28T13:30:34Z", 
        "ID": "5c9ccc7a342a24019743d265"
    }
}
Human Readable Output

Signal Sciences - Adding an IP to Whitelist

The IP 9.7.9.7 has been successfully added to whitelist.

Source Note Expiration date
9.7.9.7 docdoc Not Set

4. Add an IP address to a blacklist: sigsci-blacklist-add-ip

Adds an IP to a site’s blacklist, which resides on the Signal Sciences’ platform.

Base Command

sigsci-blacklist-add-ip

Input
Argument Name Description Required
siteName The site that holds the blacklist you wish to add to Required
ip The IP address to add to the site’s blacklist. Required
note The note associated with the tag. Required
expires The datetime for the IP address to removed from the site’s blacklist (in RFC3339 format). To keep the IP address on the site’s blacklist indefinitely, do not specify this argument. Optional

Context Output
Path Type Description
SigSciences.Corp.Site.Blacklist.Source string The IP address on the blacklist.
SigSciences.Corp.Site.Blacklist.Note string The note associated with the tag.
SigSciences.Corp.Site.Blacklist.ID string The ID for this entry.
SigSciences.Corp.Site.Blacklist.CreatedBy string The user who added this source.
SigSciences.Corp.Site.Blacklist.CreatedDate date The created date timestamp.
SigSciences.Corp.Site.Blacklist.ExpiryDate date The expiration timestamp.

Command Example 
!sigsci-blacklist-add-ip ip=5.7.5.7 note=docdoc siteName=demisto
Context Example 
{
    "SigSciences.Corp.Site.Blacklist": {
        "ExpiryDate": "", 
        "Note": "docdoc", 
        "Source": "5.7.5.7", 
        "CreatedBy": "user@demisto.com", 
        "CreatedDate": "2019-03-28T13:30:35Z", 
        "ID": "5c9ccc7bf7c34301986b1d82"
    }
}
Human Readable Output

Signal Sciences - Adding an IP to Blacklist

The IP 5.7.5.7 has been successfully added to blacklist.

Source Note Expiration date
5.7.5.7 docdoc Not Set

5. Remove an IP address from a whitelist: sigsci-whitelist-remove-ip

Removes an IP address from a site’s whitelist, which resides on the Signal Sciences’ platform.

Base Command

sigsci-whitelist-remove-ip

Input
Argument Name Description Required
siteName The site that contains the whitelist you want to remove an IP address from. Required
IP The IP address entry to remove. Required

Context Output

There is no context output for this command.

Command Example 
!sigsci-whitelist-remove-ip IP=4.7.4.7 siteName=demisto

6. Remove an IP address from a blacklist

Removes an IP from a site’s blacklist, which resides on the Signal Sciences’ platform.

Base Command

sigsci-blacklist-remove-ip

Input
Argument Name Description Required
siteName The site that contains the blacklist you want to remove an IP address from. Required
IP The IP address entry to remove. Required

Context Output

There is no context output for this command.

Command Example 
!sigsci-blacklist-remove-ip IP=6.8.6.8 siteName=demisto

7. Get all site names

Returns all site names from the Signal Sciences platform.

Base Command

sigsci-get-sites

Input

There are no input arguments for this command.

Context Output
Path Type Description
SigSciences.Site.Name string The site name.
SigSciences.Site.CreatedDate date The site creation date.

8. Create a list for a site

Creates a new list for a given site on the Signal Sciences platform.

Base Command

sigsci-create-site-list

Input
Argument Name Description Required
siteName The name of the site in Signal Sciences you want to add a list to. Required
list_name The name of the list to create on Signal Sciences. Required
list_type The type for the list you wish to create on Signal Sciences. Legal types are IP, String, Country or Wildcard Required
entries_list A CSV list of values, consistent with the list’s type. Required
description Short text that describes the new list. Optional

Context Output
Path Type Description
SigSciences.Corp.Site.List.Name string The name of the list.
SigSciences.Corp.Site.List.Type string The type of the list.
SigSciences.Corp.Site.List.Entries unknown The entry list of the list.
SigSciences.Corp.Site.List.ID string The ID of the list.
SigSciences.Corp.Site.List.Description string The description of the list.
SigSciences.Corp.Site.List.CreatedBy string The creator of the list.
SigSciences.Corp.Site.List.CreatedDate string The creation date of the list.
SigSciences.Corp.Site.List.UpdatedDate string The last update date of the list.

Command Example 
!sigsci-create-site-list entries_list=56.1.1.1 list_name=sitelistdoc list_type=IP siteName=demisto

9. Get information for a site list

Returns all the data about a site list.

Base Command

sigsci-get-site-list

Input
Argument Name Description Required
siteName The name of the site in Signal Sciences that the list you’re searching for belongs to. Required
list_id The ID of the list. Required

Context Output
Path Type Description
SigSciences.Corp.Site.List.Name string The name of the list.
SigSciences.Corp.Site.List.Type string The type of the list.
SigSciences.Corp.Site.List.Entries unknown The entry list of the list.
SigSciences.Corp.Site.List.ID unknown The ID of the list.
SigSciences.Corp.Site.List.Description unknown The description of the list.
SigSciences.Corp.Site.List.CreatedBy unknown The creator of the list.
SigSciences.Corp.Site.List.CreatedDate unknown The creation date of the list.
SigSciences.Corp.Site.List.UpdatedDate unknown The last update date of the list.

Command Example 
!sigsci-get-site-list list_id=site.sitelistdoc3 siteName=demisto
Context Example 
{
    "SigSciences.Corp.Site.List": {
        "Name": "sitelistdoc3", 
        "CreatedDate": "2019-03-28T09:20:34Z", 
        "UpdatedDate": "2019-03-28T09:53:01Z", 
        "CreatedBy": "user@demisto.com", 
        "Entries": [
            "6.1.7.1", 
            "77.8.77.8"
        ], 
        "Type": "ip", 
        "ID": "site.sitelistdoc3", 
        "Description": ""
    }
}
Human Readable Output

Found data about list with ID: site.sitelistdoc3

Name ID Type Entries Created By Created Date Updated Date
sitelistdoc3 site.sitelistdoc3 ip 6.1.7.1,
77.8.77.8 		user@demisto.com 2019-03-28T09:20:34Z 2019-03-28T09:53:01Z

10. Delete a site list

Deletes a site list in Signal Sciences.

Base Command

sigsci-delete-site-list

Input
Argument Name Description Required
siteName The name of the site in Signal Sciences you want to delete a list from. Required
list_id The ID of the list in Signal Sciences to delete. Required

Context Output

There is no context output for this command.

Command Example 
!sigsci-delete-site-list list_id=site.sitelistdoc2 siteName=demisto

11. Update a site list

Updates a site list in Signal Sciences.

Base Command

sigsci-update-site-list

Input
Argument Name Description Required
siteName The name of the site in Signal Sciences that the list to update belongs to. Required
list_id The ID of the list to update. Required
method The method to use, must be “Add” or “Remove”. The method will determine whether the given entries are added to or removed from the list. Required
entries_list A CSV list of values, consistent with the list’s type. Required
description A description for the updated list. Optional

Context Output
Path Type Description
SigSciences.Corp.Site.List.Name string The name of the list in Signal Sciences.
SigSciences.Corp.Site.List.Type string The type of the list in Signal Sciences.
SigSciences.Corp.Site.List.Entries unknown The entry list of the list in Signal Sciences.
SigSciences.Corp.Site.List.ID string The ID of the list in Signal Sciences.
SigSciences.Corp.Site.List.Description string The description of the list in Signal Sciences. Maximum is 140 characters.
SigSciences.Corp.Site.List.CreatedBy string The creator of the list in Signal Sciences.
SigSciences.Corp.Site.List.CreatedDate string The creation date of the list in Signal Sciences.
SigSciences.Corp.Site.List.UpdatedDate string The last update date of the list in Signal Sciences.

Command Example 
!sigsci-update-site-list entries_list=77.8.77.8 list_id=site.sitelistdoc3 method=Add siteName=demisto
Context Example 
{
    "SigSciences.Corp.Site.List": {
        "Name": "sitelistdoc3", 
        "CreatedDate": "2019-03-28T09:20:34Z", 
        "UpdatedDate": "2019-03-28T09:53:01Z", 
        "CreatedBy": "user@demisto.com", 
        "Entries": [
            "6.1.7.1", 
            "77.8.77.8"
        ], 
        "Type": "ip", 
        "ID": "site.sitelistdoc3", 
        "Description": ""
    }
}
Human Readable Output

Signal Sciences - Updating a list

Name ID Type Entries Created By Created Date Updated Date
sitelistdoc3 site.sitelistdoc3 ip 6.1.7.1,
77.8.77.8 		user@demisto.com 2019-03-28T09:20:34Z 2019-03-28T09:53:01Z

12. Add an alert to a site

Adds a custom alert to a site in Signal Sciences.

Base Command

sigsci-add-alert

Input
Argument Name Description Required
siteName The name of the site to add an alert to. Required
long_name A human readable description of the alert. Must be between 3 and 25 characters. Required
interval The number of minutes of past traffic to examine. Must be 1, 10 or 60. Required
tag_name The name of the tag whose occurrences the alert is watching. Must match an existing tag. Required
threshold The number of occurrences of the tag in the specified interval that are required to trigger the alert. Required
enabled A flag to toggle this alert (“True” or “False”). Required
action A flag that describes what happens when the alert is triggered. “info” creates an incident in the dashboard. “flagged” creates an incident and blocks traffic for 24 hours. Required

Context Output
Path Type Description
SigSciences.Corp.Site.Alert.ID string The unique ID of the alert.
SigSciences.Corp.Site.Alert.SiteID string The ID of the site.
SigSciences.Corp.Site.Alert.TagName string The name of the tag whose occurrences the alert is watching.
SigSciences.Corp.Site.Alert.LongName string A short description of the alert.
SigSciences.Corp.Site.Alert.Interval number The number of minutes of past traffic to examine.
SigSciences.Corp.Site.Alert.Threshold number The number of occurrences of the tag in the specified interval that are required to trigger the alert.
SigSciences.Corp.Site.Alert.BlockDurationSeconds number The number of seconds that this alert is active.
SigSciences.Corp.Site.Alert.SkipNotifications boolean A flag to disable external notifications - Slack, webhooks, emails, and so on.
SigSciences.Corp.Site.Alert.Enabled boolean A flag to toggle this alert.
SigSciences.Corp.Site.Alert.Action string A flag that describes what happens when the alert is triggered.
SigSciences.Corp.Site.Alert.CreatedDate date The timestamp of event (RFC3339 format).

Command Example 
!sigsci-add-alert action='info' enabled=False interval=60 long_name=tttt siteName=demisto tag_name=USERAGENT threshold=100

13. Get information for an alert

Retrieves data for an alert.

Base Command

sigsci-get-alert

Input
Argument Name Description Required
siteName The name of the site the alert you want to get data for belongs to. Required
alert_id The ID of the alert to retrieve. Required

Context Output
Path Type Description
SigSciences.Corp.Site.Alert.ID string The unique ID of the alert.
SigSciences.Corp.Site.Alert.SiteID string The ID of the site.
SigSciences.Corp.Site.Alert.TagName string The name of the tag whose occurrences the alert is watching.
SigSciences.Corp.Site.Alert.LongName string A short description of the alert.
SigSciences.Corp.Site.Alert.Interval number The number of minutes of past traffic to examine.
SigSciences.Corp.Site.Alert.Threshold number The number of occurrences of the tag in the specified interval that are required to trigger the alert.
SigSciences.Corp.Site.Alert.BlockDurationSeconds number The number of seconds this alert is active.
SigSciences.Corp.Site.Alert.SkipNotifications boolean A flag to disable external notifications - Slack, webhooks, emails, and so on.
SigSciences.Corp.Site.Alert.Enabled boolean A flag to toggle this alert.
SigSciences.Corp.Site.Alert.Action string A flag that describes what happens when the alert is triggered.
SigSciences.Corp.Site.Alert.CreatedDate date The timestamp of the event (RFC3339 format).

Command Example 
!sigsci-get-alert alert_id=5b8ba7fd7a54b34f0c0f12cc siteName=demisto
Human Readable Output

14. Delete an alert from a site

Deletes an alert from a given site in Signal Sciences.

Base Command

sigsci-delete-alert

Input
Argument Name Description Required
siteName The name of the site to delete an alert from. Required
alert_id The ID of the alert to delete. Required

Context Output

There is no context output for this command.

Command Example 
!sigsci-delete-alert alert_id=5b8ba7fd7a54b34f0c0f12cc siteName=demisto

15. Update attributes for an alert

Updates the attributes of a given alert.

Base Command

sigsci-update-alert

Input
Argument Name Description Required
siteName The site of the alert to update. Required
alert_id The ID of the alert to update. Required
tag_name The name of the tag whose occurrences the alert is watching. Required
long_name A human readable description of the alert. Must be between 3 and 25 characters. Required
interval The number of minutes of past traffic to examine. Required
threshold The number of occurrences of the tag in the specified interval that are required to trigger the alert. Required
enabled A flag to toggle this alert. Required
action A flag that describes what happens when the alert is triggered. “info” creates an incident in the dashboard. “flagged” creates an incident and blocks traffic for 24 hours. Required

Context Output
Path Type Description
SigSciences.Corp.Site.Alert.CreatedDate string The unique ID of the alert.
SigSciences.Corp.Site.Alert.SiteID string The ID of the site.
SigSciences.Corp.Site.Alert.TagName string The name of the tag whose occurrences the alert is watching.
SigSciences.Corp.Site.Alert.LongName string A short description of the alert.
SigSciences.Corp.Site.Alert.Interval number The number of minutes of past traffic to examine.
SigSciences.Corp.Site.Alert.Threshold number The number of occurrences of the tag in the specified interval that are required to trigger the alert.
SigSciences.Corp.Site.Alert.BlockDurationSeconds number The number of seconds that this alert is active.
SigSciences.Corp.Site.Alert.SkipNotifications boolean A flag to disable external notifications - Slack, webhooks, emails, and so on.
SigSciences.Corp.Site.Alert.Enabled boolean A flag to toggle this alert.
SigSciences.Corp.Site.Alert.Action string A flag that describes what happens when the alert is triggered.
SigSciences.Corp.Site.Alert.CreatedDate date The timestamp of event (RFC3339 format).

Command Example 
!sigsci-update-alert action=flagged alert_id=5c9c8f35c7213901971d2e5a enabled=False interval=10 long_name=ggggg siteName=demisto tag_name=SQLI threshold=40
Context Example 
{
    "SigSciences.Corp.Site.Alert": {
        "LongName": "ggggg", 
        "SkipNotifications": "", 
        "Interval": 10, 
        "Enabled": true, 
        "Threshold": 40, 
        "SiteID": "", 
        "TagName": "SQLI", 
        "CreatedDate": "2019-03-28T09:09:09Z", 
        "Action": "flagged", 
        "ID": "5c9c8f35c7213901971d2e5a", 
        "BlockDurationSeconds": ""
    }
}
Human Readable Output

Updated alert 5c9c8f35c7213901971d2e5a. new values:

ID Created Date Tag Name Action Long Name Interval (In Minutes) Threshold Enabled
5c9c8f35c7213901971d2e5a 2019-03-28T09:09:09Z SQLI flagged ggggg 10 40 true

16. Get all alerts for a site

Retrieves all alerts for given a site.

Base Command

sigsci-get-all-alerts

Input
Argument Name Description Required
siteName The name of site to get alerts for. Required

Context Output
Path Type Description
SigSciences.Corp.Site.Alert.ID string The unique ID of the alert.
SigSciences.Corp.Site.Alert.SiteID string The ID of the site.
SigSciences.Corp.Site.Alert.TagName string The name of the tag whose occurrences the alert is watching.
SigSciences.Corp.Site.Alert.LongName string A short description of the alert.
SigSciences.Corp.Site.Alert.Interval number The number of minutes of past traffic to examine.
SigSciences.Corp.Site.Alert.Threshold number The number of occurrences of the tag in the specified interval that are required to trigger the alert.
SigSciences.Corp.Site.Alert.BlockDurationSeconds number The number of seconds this alert is active.
SigSciences.Corp.Site.Alert.SkipNotification boolean A flag to disable external notifications - Slack, webhooks, emails, and so on.
SigSciences.Corp.Site.Alert.Enabled boolean A flag to toggle this alert.
SigSciences.Corp.Site.Alert.Action string A flag that describes what happens when the alert is triggered.
SigSciences.Corp.Site.Alert.CreatedDate date The timestamp of event (RFC3339 format).

Command Example 
!sigsci-get-all-alerts siteName=demisto
Context Example 
{
    "SigSciences.Corp.Site.Alert": [
        {
            "LongName": "ggggg", 
            "SkipNotifications": "", 
            "Interval": 10, 
            "Enabled": true, 
            "Threshold": 40, 
            "SiteID": "", 
            "TagName": "SQLI", 
            "CreatedDate": "2019-03-28T09:09:09Z", 
            "Action": "flagged", 
            "ID": "5c9c8f35c7213901971d2e5a", 
            "BlockDurationSeconds": ""
        }, 
        {
            "LongName": "The site's Online Agent count is zero", 
            "SkipNotifications": "", 
            "Interval": 5, 
            "Enabled": false, 
            "Threshold": 0, 
            "SiteID": "", 
            "TagName": "agent_count", 
            "CreatedDate": "2018-08-30T21:00:03Z", 
            "Action": "siteMetricInfo", 
            "ID": "5b885ad33be3360a3f80237c", 
            "BlockDurationSeconds": 21600
        }, 
        {
            "LongName": "The average RPS across all agents is less than 10", 
            "SkipNotifications": "", 
            "Interval": 5, 
            "Enabled": false, 
            "Threshold": 3000, 
            "SiteID": "", 
            "TagName": "requests_total", 
            "CreatedDate": "2018-08-30T21:00:03Z", 
            "Action": "siteMetricInfo", 
            "ID": "5b885ad33be3360a3f80237b", 
            "BlockDurationSeconds": 21600
        }
    ]
}
Human Readable Output

Signal Sciences - Alert list

Number of alerts in site: 3

ID Created Date Tag Name Action Long Name Interval (In Minutes) Threshold Block Duration Seconds Enabled
5c9c8f35c7213901971d2e5a 2019-03-28T09:09:09Z SQLI flagged ggggg 10 40 true
5b885ad33be3360a3f80237c 2018-08-30T21:00:03Z agent_count siteMetricInfo The site’s Online Agent count is zero 5 0 21600 false
5b885ad33be3360a3f80237b 2018-08-30T21:00:03Z requests_total siteMetricInfo The average RPS across all agents is less than 10 5 3000 21600 false

17. Get all lists for a site

Retrieves all site lists for a given site.

Base Command

sigsci-get-all-site-lists

Input
Argument Name Description Required
siteName The name of the site to retrieve lists for. Required

Context Output
Path Type Description
SigSciences.Corp.Site.List.Name string The name of the list in Signal Sciences.
SigSciences.Corp.Site.List.Type string The type of the list in Signal Sciences.
SigSciences.Corp.Site.List.Entries unknown The entry list of the list in Signal Sciences.
SigSciences.Corp.Site.List.ID string The ID of the list in Signal Sciences.
SigSciences.Corp.Site.List.Description string The description of the list in Signal Sciences. Maximum is 140 characters.
SigSciences.Corp.Site.List.CreatedBy string The creator of the list in Signal Sciences.
SigSciences.Corp.Site.List.CreatedDate string The creation date of the list in Signal Sciences.
SigSciences.Corp.Site.List.UpdatedDate string The last update date of the list in Signal Sciences.

Command Example 
!sigsci-get-all-site-lists siteName=demisto
Context Example 
{
    "SigSciences.Corp.Site.List": [
        {
            "Name": "sitelistdoc", 
            "CreatedDate": "2019-03-28T09:52:55Z", 
            "UpdatedDate": "2019-03-28T09:52:55Z", 
            "CreatedBy": "user@demisto.com", 
            "Entries": [
                "56.1.1.1"
            ], 
            "Type": "ip", 
            "ID": "site.sitelistdoc", 
            "Description": ""
        }, 
        {
            "Name": "sitelistdoc3", 
            "CreatedDate": "2019-03-28T09:20:34Z", 
            "UpdatedDate": "2019-03-28T13:30:41Z", 
            "CreatedBy": "user@demisto.com", 
            "Entries": [
                "6.1.7.1", 
                "77.8.77.8"
            ], 
            "Type": "ip", 
            "ID": "site.sitelistdoc3", 
            "Description": ""
        }
    ]
}
Human Readable Output

Signal Sciences - list of site lists

Number of site lists in site: 2

Name ID Type Entries Created By Created Date Updated Date
sitelistdoc site.sitelistdoc ip 56.1.1.1 user@demisto.com 2019-03-28T09:52:55Z 2019-03-28T09:52:55Z
sitelistdoc3 site.sitelistdoc3 ip 6.1.7.1,
77.8.77.8 		user@demisto.com 2019-03-28T09:20:34Z 2019-03-28T13:30:41Z

18. Create a corp list

Creates a new corp list.

Base Command

sigsci-create-corp-list

Input
Argument Name Description Required
list_name A name for the new list. Required
list_type The type for the new list (“IP”, “String”, “Country”, or “Wildcard”). Required
entries_list A CSV list of values, consistent with the list’s type. Required
description Short text that describes the new list. Optional

Context Output
Path Type Description
SigSciences.Corp.List.Name string The name of the list.
SigSciences.Corp.List.Type string The type of the list.
SigSciences.Corp.List.Entries unknown The entry list of the list.
SigSciences.Corp.List.ID string The ID of the list.
SigSciences.Corp.List.Description string The description of the list.
SigSciences.Corp.List.CreatedBy string The creator of the list.
SigSciences.Corp.List.CreatedDate string The creation date of the list.
SigSciences.Corp.List.UpdatedDate string The last update date of the list.

Command Example 
!sigsci-create-corp-list entries_list=3.5.3.5 list_name=fordoc list_type=IP

19. Get information for a corp list

Retrieves all data about a given corp list.

Base Command

sigsci-get-corp-list

Input
Argument Name Description Required
list_id The ID of the list to get data for. Required

Context Output
Path Type Description
SigSciences.Corp.List.Name unknown The name of the list.
SigSciences.Corp.List.Type unknown The type of the list.
SigSciences.Corp.List.Entries unknown The entry list of the list.
SigSciences.Corp.List.ID unknown The ID of the list.
SigSciences.Corp.List.Description unknown The description of the list.
SigSciences.Corp.List.CreatedBy unknown The creator of the list.
SigSciences.Corp.List.CreatedDate unknown The creation date of the list.
SigSciences.Corp.List.UpdatedDate unknown The last update date of the list.

Command Example 
!sigsci-get-corp-list list_id=corp.fordoc2
Context Example 
{
    "SigSciences.Corp.List": {
        "Name": "fordoc2", 
        "CreatedDate": "2019-03-28T09:14:43Z", 
        "UpdatedDate": "2019-03-28T09:53:14Z", 
        "CreatedBy": "user@demisto.com", 
        "Entries": [
            "44.2.44.2", 
            "55.7.55.7"
        ], 
        "Type": "ip", 
        "ID": "corp.fordoc2", 
        "Description": ""
    }
}
Human Readable Output

Found data about list with ID: corp.fordoc2

Name ID Type Entries Created By Created Date Updated Date
fordoc2 corp.fordoc2 ip 44.2.44.2,
55.7.55.7 		user@demisto.com 2019-03-28T09:14:43Z 2019-03-28T09:53:14Z

20. Delete a corp list

Deletes a given corp list.

Base Command

sigsci-delete-corp-list

Input
Argument Name Description Required
list_id The ID of the list to delete. Required

Context Output

There is no context output for this command.

Command Example 
!sigsci-delete-corp-list list_id=corp.maya
Human Readable Output

21. Update a corp list

Updates (add or delete) entries for a given corp list.

Base Command

sigsci-update-corp-list

Input
Argument Name Description Required
list_id The ID of the list you wish to update Required
method The method to use - must be “Add” or “Remove”. The method will determine whether the entries you provide are added to the list or removed from it Required
entries_list A list of values, consistent with the list’s type, separated by commas Required
description A description for the updated list. Optional

Context Output
Path Type Description
SigSciences.Corp.List.Name unknown The name of the list.
SigSciences.Corp.List.Type unknown The type of the list.
SigSciences.Corp.List.Entries unknown The entry list of the list.
SigSciences.Corp.List.ID unknown The ID of the list.
SigSciences.Corp.List.Description unknown The description of the list.
SigSciences.Corp.List.CreatedBy unknown The creator of the list.
SigSciences.Corp.List.CreatedDate unknown The creation date of the list.
SigSciences.Corp.List.UpdatedDate unknown The last update date of the list.

Command Example 
!sigsci-update-corp-list entries_list=55.7.55.7 list_id=corp.fordoc2 method=Add
Context Example 
{
    "SigSciences.Corp.List": {
        "Name": "fordoc2", 
        "CreatedDate": "2019-03-28T09:14:43Z", 
        "UpdatedDate": "2019-03-28T09:53:14Z", 
        "CreatedBy": "user@demisto.com", 
        "Entries": [
            "44.2.44.2", 
            "55.7.55.7"
        ], 
        "Type": "ip", 
        "ID": "corp.fordoc2", 
        "Description": ""
    }
}
Human Readable Output

Signal Sciences - Updating a list

Name ID Type Entries Created By Created Date Updated Date
fordoc2 corp.fordoc2 ip 44.2.44.2,
55.7.55.7 		user@demisto.com 2019-03-28T09:14:43Z 2019-03-28T09:53:14Z

22. Get information for all lists of a corp

Retrieves data about all lists for the given corp.

Base Command

sigsci-get-all-corp-lists

Input

There are no input arguments for this command.

Context Output
Path Type Description
SigSciences.Corp.List.Name unknown The name of the list.
SigSciences.Corp.List.Type unknown The type of the list.
SigSciences.Corp.List.Entries unknown The entry list of the list.
SigSciences.Corp.List.ID unknown The ID of the list.
SigSciences.Corp.List.Description unknown The description of the list.
SigSciences.Corp.List.CreatedBy unknown The creator of the list.
SigSciences.Corp.List.CreatedDate unknown The creation date of the list.
SigSciences.Corp.List.UpdatedDate unknown The last update date of the list.

23. Get a list of events

Fetches events from Signal Sciences.

Base Command

sigsci-fetch-events

Input
Argument Name Description Required
siteName The name of the site to fetch events from. Required
from_time The POSIX Unix time to start. Optional
until_time The POSIX Unix time to end. Optional
sort The sort order (“asc” or “desc”). Optional
since_id The ID of the first object in the set. Optional
max_id The ID of the last object in the set. Optional
limit The maximum number of entries to return. Optional
page The page of the results. Optional
action The action to filter by (‘flagged’ or ‘info’). Optional
tag The tag to filter by. Must be a valid tag name. Optional
ip The ID to filter by. Optional
status The status to filter by (“active” or “expired”). Optional

Context Output
Path Type Description
SigSciences.Corp.Site.Event.ID string The unique ID of the event.
SigSciences.Corp.Site.Event.Timestamp date The timestamp of the event (RFC3339 format).
SigSciences.Corp.Site.Event.Source string The source information, for example, “IP”.
SigSciences.Corp.Site.Event.RemoteCountryCode string The country code.
SigSciences.Corp.Site.Event.RemoteHostname string The remote hostname.
SigSciences.Corp.Site.Event.UserAgents unknown An array of user agents.
SigSciences.Corp.Site.Event.Action unknown If “flagged”, the IP address is flagged and subsequent malicious requests will be blocked. If “info”, the IP address is flagged and subsequent requests will be logged.
SigSciences.Corp.Site.Event.Reasons unknown The reason the event was triggered.
SigSciences.Corp.Site.Event.RequestCount number The total number of requests.
SigSciences.Corp.Site.Event.TagCount number The total number of tags.
SigSciences.Corp.Site.Event.Window number The time window (in seconds) when the items were detected.
SigSciences.Corp.Site.Event.DateExpires string The date the event expires (RFC3339 format).
SigSciences.Corp.Site.Event.ExpiredBy string The email address of the user that expired the event (if the event is expired manually).

24. Get an event by event ID

Retrieves an event by the event ID.

Base Command

sigsci-get-event-by-id

Input
Argument Name Description Required
siteName Name of the site to get the event from Required
event_id The ID of the event. Required

Context Output
Path Type Description
SigSciences.Corp.Site.Event.ID unknown The unique ID of the event.
SigSciences.Corp.Site.Event.Timestamp unknown The timestamp of the event (RFC3339 format).
SigSciences.Corp.Site.Event.Source unknown Source information, for example, “IP”.
SigSciences.Corp.Site.Event.RemoteCountryCode unknown The country code.
SigSciences.Corp.Site.Event.RemoteHostname unknown The remote hostname.
SigSciences.Corp.Site.Event.UserAgents unknown An array of user agents.
SigSciences.Corp.Site.Event.Action unknown If “flagged”, the IP address is flagged and subsequent malicious requests will be blocked. If “info”, the IP address is flagged and subsequent requests will be logged.
SigSciences.Corp.Site.Event.Reasons unknown The reason the event was triggered.
SigSciences.Corp.Site.Event.RequestCount unknown The total number of requests.
SigSciences.Corp.Site.Event.TagCount unknown The total number of tags.
SigSciences.Corp.Site.Event.Window unknown The time window (in seconds) when the items were detected.
SigSciences.Corp.Site.Event.DateExpires unknown The date the event expires (RFC3339 format).
SigSciences.Corp.Site.Event.ExpiredBy unknown The email address of the user that expired the event (if the event is expired manually).

25. Expire an event

Expires a given event.

Base Command

sigsci-expire-event

Input
Argument Name Description Required
siteName The name of the site to expire an event from. Required
event_id The ID of the event to expire. Required

26. Get requests for a site

Retrieves requests from a given site according to a search query.

Base Command

sigsci-get-requests

Input
Argument Name Description Required
siteName The name of the site to get requests from. Required
page The page of the results. Maximum is 1000 requests. Optional
limit The number of entries to return. Optional
q The search query, in Signal Sciences syntax. If a query is not supplied, no requests will be returned. Optional

Context Output
Path Type Description
SigSciences.Corp.Site.Request.ID unknown The unique ID of the request.
SigSciences.Corp.Site.Request.ServerHostName unknown The server hostname.
SigSciences.Corp.Site.Request.RemoteIP unknown The remote IP address.
SigSciences.Corp.Site.Request.RemoteHostName unknown The remote hostname.
SigSciences.Corp.Site.Request.RemoteCountryCode unknown The remote country code.
SigSciences.Corp.Site.Request.UserAgent unknown The user agent of the request.
SigSciences.Corp.Site.Request.Timestamp unknown The timestamp (RFC3339 format).
SigSciences.Corp.Site.Request.Method unknown The HTTP method, for example, “PUT”.
SigSciences.Corp.Site.Request.ServerName unknown The server name.
SigSciences.Corp.Site.Request.Protocol unknown The HTTP protocol, for example, “HTTP/1.1” .
SigSciences.Corp.Site.Request.Path unknown The path.
SigSciences.Corp.Site.Request.URI unknown The URI.
SigSciences.Corp.Site.Request.ResponseCode unknown The HTTP response code.
SigSciences.Corp.Site.Request.ResponseSize unknown The HTTP response size.
SigSciences.Corp.Site.Request.ResponseMillis unknown The response time in millis.
SigSciences.Corp.Site.Request.AgentResponseCode unknown The agent response code.
SigSciences.Corp.Site.Request.Tags unknown The array of relevant tags.

27. Get a request by request ID

Retrieves a request by request ID.

Base Command

sigsci-get-request-by-id

Input
Argument Name Description Required
siteName The name of the site to get from. Required
request_id The ID of the request to get. Required

Context Output
Path Type Description
SigSciences.Corp.Site.Request.ID unknown The unique ID of the request.
SigSciences.Corp.Site.Request.ServerHostName unknown Server hostname.
SigSciences.Corp.Site.Request.RemoteIP unknown The remote IP address.
SigSciences.Corp.Site.Request.RemoteHostName unknown The remote hostname.
SigSciences.Corp.Site.Request.RemoteCountryCode unknown The remote country code.
SigSciences.Corp.Site.Request.UserAgent unknown The user agent of the request.
SigSciences.Corp.Site.Request.Timestamp unknown The timestamp RFC3339 date time serverHostname string.
SigSciences.Corp.Site.Request.Method unknown The HTTP method, for example, “PUT”.
SigSciences.Corp.Site.Request.ServerName unknown The server name.
SigSciences.Corp.Site.Request.Protocol unknown The HTTP protocol, for example “HTTP/1.1”.
SigSciences.Corp.Site.Request.Path unknown The path.
SigSciences.Corp.Site.Request.URI unknown The URI.
SigSciences.Corp.Site.Request.ResponseCode unknown The HTTP response code.
SigSciences.Corp.Site.Request.ResponseSize unknown The HTTP response size.
SigSciences.Corp.Site.Request.ResponseMillis unknown The response time in milliseconds.
SigSciences.Corp.Site.Request.AgentResponseCode unknown The agent response code.
SigSciences.Corp.Site.Request.Tags unknown An array of relevant tags.
Edit this page
Report an Issue