Cortex XSOAR

Use the Signal Sciences next-gen web application firewall to increase security and maintain reliability.

Configure Signal Sciences WAF on Demisto

Navigate to Settings > Integrations > Servers & Services .
Search for Signal Sciences WAF.
Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Email
- Token
- Corporation Name (should match the pattern [0-9a-z_.-]+)
- Fetch incidents
- Incident type
- Fetch Interval (in minutes)
- CSV list of sites to fetch from. If no sites are specified, events from all corporation’s sites will be fetched.
Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Get a site’s whitelist: sigsci-get-whitelist
Get a site’s blacklist: sigsci-get-blacklist
Add an IP address to a whitelist: sigsci-whitelist-add-ip
Add an IP address to a blacklist: sigsci-blacklist-add-ip
Remove an IP address from a whitelist: sigsci-whitelist-remove-ip
Remove an IP address from a blacklist: sigsci-blacklist-remove-ip
Get all site names: sigsci-get-sites
Create a list for a site: sigsci-create-site-list
Get information for a site list: sigsci-get-site-list
Delete a site list: sigsci-delete-site-list
Update a site list: sigsci-update-site-list
Add an alert to a site: sigsci-add-alert
Get information for an alert: sigsci-get-alert
Delete an alert from a site: sigsci-delete-alert
Update attributes for an alert: sigsci-update-alert
Get all alerts for a site: sigsci-get-all-alerts
Get all lists for a site: sigsci-get-all-site-lists
Create a corp list: sigsci-create-corp-list
Get information for a corp list: sigsci-get-corp-list
Delete a corp list: sigsci-delete-corp-list
Update a corp list: sigsci-update-corp-list
Get information for all lists of a corp: sigsci-get-all-corp-lists
Get a list of events: sigsci-fetch-events
Get an event by event ID: sigsci-get-event-by-id
Expire an event: sigsci-expire-event
Get requests for a site: sigsci-get-requests
Get a request by request ID: sigsci-get-request-by-id

1. Get a site’s whitelist

Fetches a site’s whitelist, which resides on the Signal Sciences’ platform.

Base Command

sigsci-get-whitelist

Input

Argument Name	Description	Required
siteName	The site that holds the whitelist you want to get.	Required

Context Output

Path	Type	Description
SigSciences.Corp.Site.Whitelist.ID	string	ID for this particular entry.
SigSciences.Corp.Site.Whitelist.Source	string	IP Address present in the whitelist.
SigSciences.Corp.Site.Whitelist.ExpiryDate	date	Expiration Timestamp.
SigSciences.Corp.Site.Whitelist.Note	string	Note associated with the tag.
SigSciences.Corp.Site.Whitelist.CreatedDate	date	The created date timestamp
SigSciences.Corp.Site.Whitelist.CreatedBy	string	The user who added this source.

Command Example

!sigsci-get-whitelist siteName=demisto

Context Example

{
    "SigSciences.Corp.Site.Whitelist": [
        {
            "ExpiryDate": "", 
            "Note": "docdoc", 
            "Source": "9.7.9.7", 
            "CreatedBy": "user@demisto.com", 
            "CreatedDate": "2019-03-28T09:52:47Z", 
            "ID": "5c9c996fc7213901971d5679"
        }
    ]
}

Human Readable Output

Signal Sciences - Whitelist

Number of IPs in the Whitelist 1

Source	Note	Created Date	Created By
9.7.9.7	docdoc	2019-03-28T09:52:47Z	user@demisto.com

2. Get a site’s blacklist: sigsci-get-blacklist

Fetches a site’s blacklist, which resides on the Signal Sciences’ platform.

Base Command

sigsci-get-blacklist

Input

Argument Name	Description	Required
siteName	The site that holds the blacklist you wish to get	Required

Context Output

Path	Type	Description
SigSciences.Corp.Site.Blacklist.ID	string	The ID for this entry.
SigSciences.Corp.Site.Blacklist.Source	string	The IP address on the blacklist.
SigSciences.Corp.Site.Blacklist.ExpiryDate	date	The expiration timestamp.
SigSciences.Corp.Site.Blacklist.Note	string	The note associated with the tag.
SigSciences.Corp.Site.Blacklist.CreatedDate	date	The created date timestamp.
SigSciences.Corp.Site.Blacklist.CreatedBy	string	The user who added this source.

Command Example

!sigsci-get-blacklist siteName=demisto

Context Example

{
    "SigSciences.Corp.Site.Blacklist": [
        {
            "ExpiryDate": "", 
            "Note": "docdoc", 
            "Source": "5.7.5.7", 
            "CreatedBy": "user@demisto.com", 
            "CreatedDate": "2019-03-28T09:52:49Z", 
            "ID": "5c9c9971719dcc0198a38a5b"
        }
    ]
}

Human Readable Output

Signal Sciences - Blacklist

Number of IPs in the Blacklist 1

Source	Note	Created Date	Created By
5.7.5.7	docdoc	2019-03-28T09:52:49Z	user@demisto.com

3. Add an IP address to a whitelist: sigsci-whitelist-add-ip

Adds an IP address to a site’s whitelist, which resides the Signal Sciences’ platform.

Base Command

sigsci-whitelist-add-ip

Input

Argument Name	Description	Required
siteName	The site that holds the whitelist you want to add an IP address to.	Required
ip	The IP address to add to the site’s whitelist.	Required
note	The note associated with the tag.	Required
expires	The datetime for the IP address to removed from the site’s whitelist (in RFC3339 format). To keep the IP address on the site’s whitelist indefinitely, do not specify this argument.	Optional

Context Output

Path	Type	Description
SigSciences.Corp.Site.Whitelist.Source	string	The IP address on the whitelist.
SigSciences.Corp.Site.Whitelist.Note	string	The note associated with the tag.
SigSciences.Corp.Site.Whitelist.ID	string	The ID for this entry.
SigSciences.Corp.Site.Whitelist.CreatedBy	string	The user who added this source.
SigSciences.Corp.Site.Whitelist.CreatedDate	date	The created date timestamp
SigSciences.Corp.Site.Whitelist.ExpiryDate	date	The expiration timestamp.

Command Example

!sigsci-whitelist-add-ip ip=9.7.9.7 note=docdoc siteName=demisto

Context Example

{
    "SigSciences.Corp.Site.Whitelist": {
        "ExpiryDate": "", 
        "Note": "docdoc", 
        "Source": "9.7.9.7", 
        "CreatedBy": "user@demisto.com", 
        "CreatedDate": "2019-03-28T13:30:34Z", 
        "ID": "5c9ccc7a342a24019743d265"
    }
}

Human Readable Output

Signal Sciences - Adding an IP to Whitelist

The IP 9.7.9.7 has been successfully added to whitelist.

Source	Note	Expiration date
9.7.9.7	docdoc	Not Set

4. Add an IP address to a blacklist: sigsci-blacklist-add-ip

Adds an IP to a site’s blacklist, which resides on the Signal Sciences’ platform.

Base Command

sigsci-blacklist-add-ip

Input

Argument Name	Description	Required
siteName	The site that holds the blacklist you wish to add to	Required
ip	The IP address to add to the site’s blacklist.	Required
note	The note associated with the tag.	Required
expires	The datetime for the IP address to removed from the site’s blacklist (in RFC3339 format). To keep the IP address on the site’s blacklist indefinitely, do not specify this argument.	Optional

Context Output

Path	Type	Description
SigSciences.Corp.Site.Blacklist.Source	string	The IP address on the blacklist.
SigSciences.Corp.Site.Blacklist.Note	string	The note associated with the tag.
SigSciences.Corp.Site.Blacklist.ID	string	The ID for this entry.
SigSciences.Corp.Site.Blacklist.CreatedBy	string	The user who added this source.
SigSciences.Corp.Site.Blacklist.CreatedDate	date	The created date timestamp.
SigSciences.Corp.Site.Blacklist.ExpiryDate	date	The expiration timestamp.

Command Example

!sigsci-blacklist-add-ip ip=5.7.5.7 note=docdoc siteName=demisto

Context Example

{
    "SigSciences.Corp.Site.Blacklist": {
        "ExpiryDate": "", 
        "Note": "docdoc", 
        "Source": "5.7.5.7", 
        "CreatedBy": "user@demisto.com", 
        "CreatedDate": "2019-03-28T13:30:35Z", 
        "ID": "5c9ccc7bf7c34301986b1d82"
    }
}

Human Readable Output

Signal Sciences - Adding an IP to Blacklist

The IP 5.7.5.7 has been successfully added to blacklist.

Source	Note	Expiration date
5.7.5.7	docdoc	Not Set

5. Remove an IP address from a whitelist: sigsci-whitelist-remove-ip

Removes an IP address from a site’s whitelist, which resides on the Signal Sciences’ platform.

Base Command

sigsci-whitelist-remove-ip

Input

Argument Name	Description	Required
siteName	The site that contains the whitelist you want to remove an IP address from.	Required
IP	The IP address entry to remove.	Required

Context Output

There is no context output for this command.

Command Example

!sigsci-whitelist-remove-ip IP=4.7.4.7 siteName=demisto

6. Remove an IP address from a blacklist

Removes an IP from a site’s blacklist, which resides on the Signal Sciences’ platform.

Base Command

sigsci-blacklist-remove-ip

Input

Argument Name	Description	Required
siteName	The site that contains the blacklist you want to remove an IP address from.	Required
IP	The IP address entry to remove.	Required

Context Output

There is no context output for this command.

Command Example

!sigsci-blacklist-remove-ip IP=6.8.6.8 siteName=demisto

7. Get all site names

Returns all site names from the Signal Sciences platform.

Base Command

sigsci-get-sites

Input

There are no input arguments for this command.

Context Output

Path	Type	Description
SigSciences.Site.Name	string	The site name.
SigSciences.Site.CreatedDate	date	The site creation date.

8. Create a list for a site

Creates a new list for a given site on the Signal Sciences platform.

Base Command

sigsci-create-site-list

Input

Argument Name	Description	Required
siteName	The name of the site in Signal Sciences you want to add a list to.	Required
list_name	The name of the list to create on Signal Sciences.	Required
list_type	The type for the list you wish to create on Signal Sciences. Legal types are IP, String, Country or Wildcard	Required
entries_list	A CSV list of values, consistent with the list’s type.	Required
description	Short text that describes the new list.	Optional

Context Output

Path	Type	Description
SigSciences.Corp.Site.List.Name	string	The name of the list.
SigSciences.Corp.Site.List.Type	string	The type of the list.
SigSciences.Corp.Site.List.Entries	unknown	The entry list of the list.
SigSciences.Corp.Site.List.ID	string	The ID of the list.
SigSciences.Corp.Site.List.Description	string	The description of the list.
SigSciences.Corp.Site.List.CreatedBy	string	The creator of the list.
SigSciences.Corp.Site.List.CreatedDate	string	The creation date of the list.
SigSciences.Corp.Site.List.UpdatedDate	string	The last update date of the list.

Command Example

!sigsci-create-site-list entries_list=56.1.1.1 list_name=sitelistdoc list_type=IP siteName=demisto

9. Get information for a site list

Returns all the data about a site list.

Base Command

sigsci-get-site-list

Input

Argument Name	Description	Required
siteName	The name of the site in Signal Sciences that the list you’re searching for belongs to.	Required
list_id	The ID of the list.	Required

Context Output

Path	Type	Description
SigSciences.Corp.Site.List.Name	string	The name of the list.
SigSciences.Corp.Site.List.Type	string	The type of the list.
SigSciences.Corp.Site.List.Entries	unknown	The entry list of the list.
SigSciences.Corp.Site.List.ID	unknown	The ID of the list.
SigSciences.Corp.Site.List.Description	unknown	The description of the list.
SigSciences.Corp.Site.List.CreatedBy	unknown	The creator of the list.
SigSciences.Corp.Site.List.CreatedDate	unknown	The creation date of the list.
SigSciences.Corp.Site.List.UpdatedDate	unknown	The last update date of the list.

Command Example

!sigsci-get-site-list list_id=site.sitelistdoc3 siteName=demisto

Context Example

{
    "SigSciences.Corp.Site.List": {
        "Name": "sitelistdoc3", 
        "CreatedDate": "2019-03-28T09:20:34Z", 
        "UpdatedDate": "2019-03-28T09:53:01Z", 
        "CreatedBy": "user@demisto.com", 
        "Entries": [
            "6.1.7.1", 
            "77.8.77.8"
        ], 
        "Type": "ip", 
        "ID": "site.sitelistdoc3", 
        "Description": ""
    }
}

Human Readable Output

Found data about list with ID: site.sitelistdoc3

Name	ID	Type	Entries	Created By	Created Date	Updated Date
sitelistdoc3	site.sitelistdoc3	ip	6.1.7.1, 77.8.77.8	user@demisto.com	2019-03-28T09:20:34Z	2019-03-28T09:53:01Z

10. Delete a site list

Deletes a site list in Signal Sciences.

Base Command

sigsci-delete-site-list

Input

Argument Name	Description	Required
siteName	The name of the site in Signal Sciences you want to delete a list from.	Required
list_id	The ID of the list in Signal Sciences to delete.	Required

Context Output

There is no context output for this command.

Command Example

!sigsci-delete-site-list list_id=site.sitelistdoc2 siteName=demisto

11. Update a site list

Updates a site list in Signal Sciences.

Base Command

sigsci-update-site-list

Input

Argument Name	Description	Required
siteName	The name of the site in Signal Sciences that the list to update belongs to.	Required
list_id	The ID of the list to update.	Required
method	The method to use, must be “Add” or “Remove”. The method will determine whether the given entries are added to or removed from the list.	Required
entries_list	A CSV list of values, consistent with the list’s type.	Required
description	A description for the updated list.	Optional

Context Output

Path	Type	Description
SigSciences.Corp.Site.List.Name	string	The name of the list in Signal Sciences.
SigSciences.Corp.Site.List.Type	string	The type of the list in Signal Sciences.
SigSciences.Corp.Site.List.Entries	unknown	The entry list of the list in Signal Sciences.
SigSciences.Corp.Site.List.ID	string	The ID of the list in Signal Sciences.
SigSciences.Corp.Site.List.Description	string	The description of the list in Signal Sciences. Maximum is 140 characters.
SigSciences.Corp.Site.List.CreatedBy	string	The creator of the list in Signal Sciences.
SigSciences.Corp.Site.List.CreatedDate	string	The creation date of the list in Signal Sciences.
SigSciences.Corp.Site.List.UpdatedDate	string	The last update date of the list in Signal Sciences.

Command Example

!sigsci-update-site-list entries_list=77.8.77.8 list_id=site.sitelistdoc3 method=Add siteName=demisto

Context Example

{
    "SigSciences.Corp.Site.List": {
        "Name": "sitelistdoc3", 
        "CreatedDate": "2019-03-28T09:20:34Z", 
        "UpdatedDate": "2019-03-28T09:53:01Z", 
        "CreatedBy": "user@demisto.com", 
        "Entries": [
            "6.1.7.1", 
            "77.8.77.8"
        ], 
        "Type": "ip", 
        "ID": "site.sitelistdoc3", 
        "Description": ""
    }
}

Human Readable Output

Signal Sciences - Updating a list

Name	ID	Type	Entries	Created By	Created Date	Updated Date
sitelistdoc3	site.sitelistdoc3	ip	6.1.7.1, 77.8.77.8	user@demisto.com	2019-03-28T09:20:34Z	2019-03-28T09:53:01Z

12. Add an alert to a site

Adds a custom alert to a site in Signal Sciences.

Base Command

sigsci-add-alert

Input

Argument Name	Description	Required
siteName	The name of the site to add an alert to.	Required
long_name	A human readable description of the alert. Must be between 3 and 25 characters.	Required
interval	The number of minutes of past traffic to examine. Must be 1, 10 or 60.	Required
tag_name	The name of the tag whose occurrences the alert is watching. Must match an existing tag.	Required
threshold	The number of occurrences of the tag in the specified interval that are required to trigger the alert.	Required
enabled	A flag to toggle this alert (“True” or “False”).	Required
action	A flag that describes what happens when the alert is triggered. “info” creates an incident in the dashboard. “flagged” creates an incident and blocks traffic for 24 hours.	Required

Context Output

Path	Type	Description
SigSciences.Corp.Site.Alert.ID	string	The unique ID of the alert.
SigSciences.Corp.Site.Alert.SiteID	string	The ID of the site.
SigSciences.Corp.Site.Alert.TagName	string	The name of the tag whose occurrences the alert is watching.
SigSciences.Corp.Site.Alert.LongName	string	A short description of the alert.
SigSciences.Corp.Site.Alert.Interval	number	The number of minutes of past traffic to examine.
SigSciences.Corp.Site.Alert.Threshold	number	The number of occurrences of the tag in the specified interval that are required to trigger the alert.
SigSciences.Corp.Site.Alert.BlockDurationSeconds	number	The number of seconds that this alert is active.
SigSciences.Corp.Site.Alert.SkipNotifications	boolean	A flag to disable external notifications - Slack, webhooks, emails, and so on.
SigSciences.Corp.Site.Alert.Enabled	boolean	A flag to toggle this alert.
SigSciences.Corp.Site.Alert.Action	string	A flag that describes what happens when the alert is triggered.
SigSciences.Corp.Site.Alert.CreatedDate	date	The timestamp of event (RFC3339 format).

Command Example

!sigsci-add-alert action='info' enabled=False interval=60 long_name=tttt siteName=demisto tag_name=USERAGENT threshold=100

13. Get information for an alert

Retrieves data for an alert.

Base Command

sigsci-get-alert

Input

Argument Name	Description	Required
siteName	The name of the site the alert you want to get data for belongs to.	Required
alert_id	The ID of the alert to retrieve.	Required

Context Output

Path	Type	Description
SigSciences.Corp.Site.Alert.ID	string	The unique ID of the alert.
SigSciences.Corp.Site.Alert.SiteID	string	The ID of the site.
SigSciences.Corp.Site.Alert.TagName	string	The name of the tag whose occurrences the alert is watching.
SigSciences.Corp.Site.Alert.LongName	string	A short description of the alert.
SigSciences.Corp.Site.Alert.Interval	number	The number of minutes of past traffic to examine.
SigSciences.Corp.Site.Alert.Threshold	number	The number of occurrences of the tag in the specified interval that are required to trigger the alert.
SigSciences.Corp.Site.Alert.BlockDurationSeconds	number	The number of seconds this alert is active.
SigSciences.Corp.Site.Alert.SkipNotifications	boolean	A flag to disable external notifications - Slack, webhooks, emails, and so on.
SigSciences.Corp.Site.Alert.Enabled	boolean	A flag to toggle this alert.
SigSciences.Corp.Site.Alert.Action	string	A flag that describes what happens when the alert is triggered.
SigSciences.Corp.Site.Alert.CreatedDate	date	The timestamp of the event (RFC3339 format).

Command Example

!sigsci-get-alert alert_id=5b8ba7fd7a54b34f0c0f12cc siteName=demisto

Human Readable Output

14. Delete an alert from a site

Deletes an alert from a given site in Signal Sciences.

Base Command

sigsci-delete-alert

Input

Argument Name	Description	Required
siteName	The name of the site to delete an alert from.	Required
alert_id	The ID of the alert to delete.	Required

Context Output

There is no context output for this command.

Command Example

!sigsci-delete-alert alert_id=5b8ba7fd7a54b34f0c0f12cc siteName=demisto

15. Update attributes for an alert

Updates the attributes of a given alert.

Base Command

sigsci-update-alert

Input

Argument Name	Description	Required
siteName	The site of the alert to update.	Required
alert_id	The ID of the alert to update.	Required
tag_name	The name of the tag whose occurrences the alert is watching.	Required
long_name	A human readable description of the alert. Must be between 3 and 25 characters.	Required
interval	The number of minutes of past traffic to examine.	Required
threshold	The number of occurrences of the tag in the specified interval that are required to trigger the alert.	Required
enabled	A flag to toggle this alert.	Required
action	A flag that describes what happens when the alert is triggered. “info” creates an incident in the dashboard. “flagged” creates an incident and blocks traffic for 24 hours.	Required

Context Output

Path	Type	Description
SigSciences.Corp.Site.Alert.CreatedDate	string	The unique ID of the alert.
SigSciences.Corp.Site.Alert.SiteID	string	The ID of the site.
SigSciences.Corp.Site.Alert.TagName	string	The name of the tag whose occurrences the alert is watching.
SigSciences.Corp.Site.Alert.LongName	string	A short description of the alert.
SigSciences.Corp.Site.Alert.Interval	number	The number of minutes of past traffic to examine.
SigSciences.Corp.Site.Alert.Threshold	number	The number of occurrences of the tag in the specified interval that are required to trigger the alert.
SigSciences.Corp.Site.Alert.BlockDurationSeconds	number	The number of seconds that this alert is active.
SigSciences.Corp.Site.Alert.SkipNotifications	boolean	A flag to disable external notifications - Slack, webhooks, emails, and so on.
SigSciences.Corp.Site.Alert.Enabled	boolean	A flag to toggle this alert.
SigSciences.Corp.Site.Alert.Action	string	A flag that describes what happens when the alert is triggered.
SigSciences.Corp.Site.Alert.CreatedDate	date	The timestamp of event (RFC3339 format).

Command Example

!sigsci-update-alert action=flagged alert_id=5c9c8f35c7213901971d2e5a enabled=False interval=10 long_name=ggggg siteName=demisto tag_name=SQLI threshold=40

Context Example

{
    "SigSciences.Corp.Site.Alert": {
        "LongName": "ggggg", 
        "SkipNotifications": "", 
        "Interval": 10, 
        "Enabled": true, 
        "Threshold": 40, 
        "SiteID": "", 
        "TagName": "SQLI", 
        "CreatedDate": "2019-03-28T09:09:09Z", 
        "Action": "flagged", 
        "ID": "5c9c8f35c7213901971d2e5a", 
        "BlockDurationSeconds": ""
    }
}

Human Readable Output

Updated alert 5c9c8f35c7213901971d2e5a. new values:

ID	Created Date	Tag Name	Action	Long Name	Interval (In Minutes)	Threshold	Enabled
5c9c8f35c7213901971d2e5a	2019-03-28T09:09:09Z	SQLI	flagged	ggggg	10	40	true

16. Get all alerts for a site

Retrieves all alerts for given a site.

Base Command

sigsci-get-all-alerts

Input

Argument Name	Description	Required
siteName	The name of site to get alerts for.	Required

Context Output

Path	Type	Description
SigSciences.Corp.Site.Alert.ID	string	The unique ID of the alert.
SigSciences.Corp.Site.Alert.SiteID	string	The ID of the site.
SigSciences.Corp.Site.Alert.TagName	string	The name of the tag whose occurrences the alert is watching.
SigSciences.Corp.Site.Alert.LongName	string	A short description of the alert.
SigSciences.Corp.Site.Alert.Interval	number	The number of minutes of past traffic to examine.
SigSciences.Corp.Site.Alert.Threshold	number	The number of occurrences of the tag in the specified interval that are required to trigger the alert.
SigSciences.Corp.Site.Alert.BlockDurationSeconds	number	The number of seconds this alert is active.
SigSciences.Corp.Site.Alert.SkipNotification	boolean	A flag to disable external notifications - Slack, webhooks, emails, and so on.
SigSciences.Corp.Site.Alert.Enabled	boolean	A flag to toggle this alert.
SigSciences.Corp.Site.Alert.Action	string	A flag that describes what happens when the alert is triggered.
SigSciences.Corp.Site.Alert.CreatedDate	date	The timestamp of event (RFC3339 format).

Command Example

!sigsci-get-all-alerts siteName=demisto

Context Example

{
    "SigSciences.Corp.Site.Alert": [
        {
            "LongName": "ggggg", 
            "SkipNotifications": "", 
            "Interval": 10, 
            "Enabled": true, 
            "Threshold": 40, 
            "SiteID": "", 
            "TagName": "SQLI", 
            "CreatedDate": "2019-03-28T09:09:09Z", 
            "Action": "flagged", 
            "ID": "5c9c8f35c7213901971d2e5a", 
            "BlockDurationSeconds": ""
        }, 
        {
            "LongName": "The site's Online Agent count is zero", 
            "SkipNotifications": "", 
            "Interval": 5, 
            "Enabled": false, 
            "Threshold": 0, 
            "SiteID": "", 
            "TagName": "agent_count", 
            "CreatedDate": "2018-08-30T21:00:03Z", 
            "Action": "siteMetricInfo", 
            "ID": "5b885ad33be3360a3f80237c", 
            "BlockDurationSeconds": 21600
        }, 
        {
            "LongName": "The average RPS across all agents is less than 10", 
            "SkipNotifications": "", 
            "Interval": 5, 
            "Enabled": false, 
            "Threshold": 3000, 
            "SiteID": "", 
            "TagName": "requests_total", 
            "CreatedDate": "2018-08-30T21:00:03Z", 
            "Action": "siteMetricInfo", 
            "ID": "5b885ad33be3360a3f80237b", 
            "BlockDurationSeconds": 21600
        }
    ]
}

Human Readable Output

Signal Sciences - Alert list

Number of alerts in site: 3

ID	Created Date	Tag Name	Action	Long Name	Interval (In Minutes)	Threshold	Block Duration Seconds	Enabled
5c9c8f35c7213901971d2e5a	2019-03-28T09:09:09Z	SQLI	flagged	ggggg	10	40		true
5b885ad33be3360a3f80237c	2018-08-30T21:00:03Z	agent_count	siteMetricInfo	The site’s Online Agent count is zero	5	0	21600	false
5b885ad33be3360a3f80237b	2018-08-30T21:00:03Z	requests_total	siteMetricInfo	The average RPS across all agents is less than 10	5	3000	21600	false

17. Get all lists for a site

Retrieves all site lists for a given site.

Base Command

sigsci-get-all-site-lists

Input

Argument Name	Description	Required
siteName	The name of the site to retrieve lists for.	Required

Context Output

Path	Type	Description
SigSciences.Corp.Site.List.Name	string	The name of the list in Signal Sciences.
SigSciences.Corp.Site.List.Type	string	The type of the list in Signal Sciences.
SigSciences.Corp.Site.List.Entries	unknown	The entry list of the list in Signal Sciences.
SigSciences.Corp.Site.List.ID	string	The ID of the list in Signal Sciences.
SigSciences.Corp.Site.List.Description	string	The description of the list in Signal Sciences. Maximum is 140 characters.
SigSciences.Corp.Site.List.CreatedBy	string	The creator of the list in Signal Sciences.
SigSciences.Corp.Site.List.CreatedDate	string	The creation date of the list in Signal Sciences.
SigSciences.Corp.Site.List.UpdatedDate	string	The last update date of the list in Signal Sciences.

Command Example

!sigsci-get-all-site-lists siteName=demisto

Context Example

{
    "SigSciences.Corp.Site.List": [
        {
            "Name": "sitelistdoc", 
            "CreatedDate": "2019-03-28T09:52:55Z", 
            "UpdatedDate": "2019-03-28T09:52:55Z", 
            "CreatedBy": "user@demisto.com", 
            "Entries": [
                "56.1.1.1"
            ], 
            "Type": "ip", 
            "ID": "site.sitelistdoc", 
            "Description": ""
        }, 
        {
            "Name": "sitelistdoc3", 
            "CreatedDate": "2019-03-28T09:20:34Z", 
            "UpdatedDate": "2019-03-28T13:30:41Z", 
            "CreatedBy": "user@demisto.com", 
            "Entries": [
                "6.1.7.1", 
                "77.8.77.8"
            ], 
            "Type": "ip", 
            "ID": "site.sitelistdoc3", 
            "Description": ""
        }
    ]
}

Human Readable Output

Signal Sciences - list of site lists

Number of site lists in site: 2

Name	ID	Type	Entries	Created By	Created Date	Updated Date
sitelistdoc	site.sitelistdoc	ip	56.1.1.1	user@demisto.com	2019-03-28T09:52:55Z	2019-03-28T09:52:55Z
sitelistdoc3	site.sitelistdoc3	ip	6.1.7.1, 77.8.77.8	user@demisto.com	2019-03-28T09:20:34Z	2019-03-28T13:30:41Z

18. Create a corp list

Creates a new corp list.

Base Command

sigsci-create-corp-list

Input

Argument Name	Description	Required
list_name	A name for the new list.	Required
list_type	The type for the new list (“IP”, “String”, “Country”, or “Wildcard”).	Required
entries_list	A CSV list of values, consistent with the list’s type.	Required
description	Short text that describes the new list.	Optional

Context Output

Path	Type	Description
SigSciences.Corp.List.Name	string	The name of the list.
SigSciences.Corp.List.Type	string	The type of the list.
SigSciences.Corp.List.Entries	unknown	The entry list of the list.
SigSciences.Corp.List.ID	string	The ID of the list.
SigSciences.Corp.List.Description	string	The description of the list.
SigSciences.Corp.List.CreatedBy	string	The creator of the list.
SigSciences.Corp.List.CreatedDate	string	The creation date of the list.
SigSciences.Corp.List.UpdatedDate	string	The last update date of the list.

Command Example

!sigsci-create-corp-list entries_list=3.5.3.5 list_name=fordoc list_type=IP

19. Get information for a corp list

Retrieves all data about a given corp list.

Base Command

sigsci-get-corp-list

Input

Argument Name	Description	Required
list_id	The ID of the list to get data for.	Required

Context Output

Path	Type	Description
SigSciences.Corp.List.Name	unknown	The name of the list.
SigSciences.Corp.List.Type	unknown	The type of the list.
SigSciences.Corp.List.Entries	unknown	The entry list of the list.
SigSciences.Corp.List.ID	unknown	The ID of the list.
SigSciences.Corp.List.Description	unknown	The description of the list.
SigSciences.Corp.List.CreatedBy	unknown	The creator of the list.
SigSciences.Corp.List.CreatedDate	unknown	The creation date of the list.
SigSciences.Corp.List.UpdatedDate	unknown	The last update date of the list.

Command Example

!sigsci-get-corp-list list_id=corp.fordoc2

Context Example

{
    "SigSciences.Corp.List": {
        "Name": "fordoc2", 
        "CreatedDate": "2019-03-28T09:14:43Z", 
        "UpdatedDate": "2019-03-28T09:53:14Z", 
        "CreatedBy": "user@demisto.com", 
        "Entries": [
            "44.2.44.2", 
            "55.7.55.7"
        ], 
        "Type": "ip", 
        "ID": "corp.fordoc2", 
        "Description": ""
    }
}

Human Readable Output

Found data about list with ID: corp.fordoc2

Name	ID	Type	Entries	Created By	Created Date	Updated Date
fordoc2	corp.fordoc2	ip	44.2.44.2, 55.7.55.7	user@demisto.com	2019-03-28T09:14:43Z	2019-03-28T09:53:14Z

20. Delete a corp list

Deletes a given corp list.

Base Command

sigsci-delete-corp-list

Input

Argument Name	Description	Required
list_id	The ID of the list to delete.	Required

Context Output

There is no context output for this command.

Command Example

!sigsci-delete-corp-list list_id=corp.maya

Human Readable Output

21. Update a corp list

Updates (add or delete) entries for a given corp list.

Base Command

sigsci-update-corp-list

Input

Argument Name	Description	Required
list_id	The ID of the list you wish to update	Required
method	The method to use - must be “Add” or “Remove”. The method will determine whether the entries you provide are added to the list or removed from it	Required
entries_list	A list of values, consistent with the list’s type, separated by commas	Required
description	A description for the updated list.	Optional

Context Output

Path	Type	Description
SigSciences.Corp.List.Name	unknown	The name of the list.
SigSciences.Corp.List.Type	unknown	The type of the list.
SigSciences.Corp.List.Entries	unknown	The entry list of the list.
SigSciences.Corp.List.ID	unknown	The ID of the list.
SigSciences.Corp.List.Description	unknown	The description of the list.
SigSciences.Corp.List.CreatedBy	unknown	The creator of the list.
SigSciences.Corp.List.CreatedDate	unknown	The creation date of the list.
SigSciences.Corp.List.UpdatedDate	unknown	The last update date of the list.

Command Example

!sigsci-update-corp-list entries_list=55.7.55.7 list_id=corp.fordoc2 method=Add

Context Example

{
    "SigSciences.Corp.List": {
        "Name": "fordoc2", 
        "CreatedDate": "2019-03-28T09:14:43Z", 
        "UpdatedDate": "2019-03-28T09:53:14Z", 
        "CreatedBy": "user@demisto.com", 
        "Entries": [
            "44.2.44.2", 
            "55.7.55.7"
        ], 
        "Type": "ip", 
        "ID": "corp.fordoc2", 
        "Description": ""
    }
}

Human Readable Output

Signal Sciences - Updating a list

Name	ID	Type	Entries	Created By	Created Date	Updated Date
fordoc2	corp.fordoc2	ip	44.2.44.2, 55.7.55.7	user@demisto.com	2019-03-28T09:14:43Z	2019-03-28T09:53:14Z

22. Get information for all lists of a corp

Retrieves data about all lists for the given corp.

Base Command

sigsci-get-all-corp-lists

Input

There are no input arguments for this command.

Context Output

Path	Type	Description
SigSciences.Corp.List.Name	unknown	The name of the list.
SigSciences.Corp.List.Type	unknown	The type of the list.
SigSciences.Corp.List.Entries	unknown	The entry list of the list.
SigSciences.Corp.List.ID	unknown	The ID of the list.
SigSciences.Corp.List.Description	unknown	The description of the list.
SigSciences.Corp.List.CreatedBy	unknown	The creator of the list.
SigSciences.Corp.List.CreatedDate	unknown	The creation date of the list.
SigSciences.Corp.List.UpdatedDate	unknown	The last update date of the list.

23. Get a list of events

Fetches events from Signal Sciences.

Base Command

sigsci-fetch-events

Input

Argument Name	Description	Required
siteName	The name of the site to fetch events from.	Required
from_time	The POSIX Unix time to start.	Optional
until_time	The POSIX Unix time to end.	Optional
sort	The sort order (“asc” or “desc”).	Optional
since_id	The ID of the first object in the set.	Optional
max_id	The ID of the last object in the set.	Optional
limit	The maximum number of entries to return.	Optional
page	The page of the results.	Optional
action	The action to filter by (‘flagged’ or ‘info’).	Optional
tag	The tag to filter by. Must be a valid tag name.	Optional
ip	The ID to filter by.	Optional
status	The status to filter by (“active” or “expired”).	Optional

Context Output

Path	Type	Description
SigSciences.Corp.Site.Event.ID	string	The unique ID of the event.
SigSciences.Corp.Site.Event.Timestamp	date	The timestamp of the event (RFC3339 format).
SigSciences.Corp.Site.Event.Source	string	The source information, for example, “IP”.
SigSciences.Corp.Site.Event.RemoteCountryCode	string	The country code.
SigSciences.Corp.Site.Event.RemoteHostname	string	The remote hostname.
SigSciences.Corp.Site.Event.UserAgents	unknown	An array of user agents.
SigSciences.Corp.Site.Event.Action	unknown	If “flagged”, the IP address is flagged and subsequent malicious requests will be blocked. If “info”, the IP address is flagged and subsequent requests will be logged.
SigSciences.Corp.Site.Event.Reasons	unknown	The reason the event was triggered.
SigSciences.Corp.Site.Event.RequestCount	number	The total number of requests.
SigSciences.Corp.Site.Event.TagCount	number	The total number of tags.
SigSciences.Corp.Site.Event.Window	number	The time window (in seconds) when the items were detected.
SigSciences.Corp.Site.Event.DateExpires	string	The date the event expires (RFC3339 format).
SigSciences.Corp.Site.Event.ExpiredBy	string	The email address of the user that expired the event (if the event is expired manually).

24. Get an event by event ID

Retrieves an event by the event ID.

Base Command

sigsci-get-event-by-id

Input

Argument Name	Description	Required
siteName	Name of the site to get the event from	Required
event_id	The ID of the event.	Required

Context Output

Path	Type	Description
SigSciences.Corp.Site.Event.ID	unknown	The unique ID of the event.
SigSciences.Corp.Site.Event.Timestamp	unknown	The timestamp of the event (RFC3339 format).
SigSciences.Corp.Site.Event.Source	unknown	Source information, for example, “IP”.
SigSciences.Corp.Site.Event.RemoteCountryCode	unknown	The country code.
SigSciences.Corp.Site.Event.RemoteHostname	unknown	The remote hostname.
SigSciences.Corp.Site.Event.UserAgents	unknown	An array of user agents.
SigSciences.Corp.Site.Event.Action	unknown	If “flagged”, the IP address is flagged and subsequent malicious requests will be blocked. If “info”, the IP address is flagged and subsequent requests will be logged.
SigSciences.Corp.Site.Event.Reasons	unknown	The reason the event was triggered.
SigSciences.Corp.Site.Event.RequestCount	unknown	The total number of requests.
SigSciences.Corp.Site.Event.TagCount	unknown	The total number of tags.
SigSciences.Corp.Site.Event.Window	unknown	The time window (in seconds) when the items were detected.
SigSciences.Corp.Site.Event.DateExpires	unknown	The date the event expires (RFC3339 format).
SigSciences.Corp.Site.Event.ExpiredBy	unknown	The email address of the user that expired the event (if the event is expired manually).

25. Expire an event

Expires a given event.

Base Command

sigsci-expire-event

Input

Argument Name	Description	Required
siteName	The name of the site to expire an event from.	Required
event_id	The ID of the event to expire.	Required

26. Get requests for a site

Retrieves requests from a given site according to a search query.

Base Command

sigsci-get-requests

Input

Argument Name	Description	Required
siteName	The name of the site to get requests from.	Required
page	The page of the results. Maximum is 1000 requests.	Optional
limit	The number of entries to return.	Optional
q	The search query, in Signal Sciences syntax. If a query is not supplied, no requests will be returned.	Optional

Context Output

Path	Type	Description
SigSciences.Corp.Site.Request.ID	unknown	The unique ID of the request.
SigSciences.Corp.Site.Request.ServerHostName	unknown	The server hostname.
SigSciences.Corp.Site.Request.RemoteIP	unknown	The remote IP address.
SigSciences.Corp.Site.Request.RemoteHostName	unknown	The remote hostname.
SigSciences.Corp.Site.Request.RemoteCountryCode	unknown	The remote country code.
SigSciences.Corp.Site.Request.UserAgent	unknown	The user agent of the request.
SigSciences.Corp.Site.Request.Timestamp	unknown	The timestamp (RFC3339 format).
SigSciences.Corp.Site.Request.Method	unknown	The HTTP method, for example, “PUT”.
SigSciences.Corp.Site.Request.ServerName	unknown	The server name.
SigSciences.Corp.Site.Request.Protocol	unknown	The HTTP protocol, for example, “HTTP/1.1” .
SigSciences.Corp.Site.Request.Path	unknown	The path.
SigSciences.Corp.Site.Request.URI	unknown	The URI.
SigSciences.Corp.Site.Request.ResponseCode	unknown	The HTTP response code.
SigSciences.Corp.Site.Request.ResponseSize	unknown	The HTTP response size.
SigSciences.Corp.Site.Request.ResponseMillis	unknown	The response time in millis.
SigSciences.Corp.Site.Request.AgentResponseCode	unknown	The agent response code.
SigSciences.Corp.Site.Request.Tags	unknown	The array of relevant tags.

27. Get a request by request ID

Retrieves a request by request ID.

Base Command

sigsci-get-request-by-id

Input

Argument Name	Description	Required
siteName	The name of the site to get from.	Required
request_id	The ID of the request to get.	Required

Context Output

Path	Type	Description
SigSciences.Corp.Site.Request.ID	unknown	The unique ID of the request.
SigSciences.Corp.Site.Request.ServerHostName	unknown	Server hostname.
SigSciences.Corp.Site.Request.RemoteIP	unknown	The remote IP address.
SigSciences.Corp.Site.Request.RemoteHostName	unknown	The remote hostname.
SigSciences.Corp.Site.Request.RemoteCountryCode	unknown	The remote country code.
SigSciences.Corp.Site.Request.UserAgent	unknown	The user agent of the request.
SigSciences.Corp.Site.Request.Timestamp	unknown	The timestamp RFC3339 date time serverHostname string.
SigSciences.Corp.Site.Request.Method	unknown	The HTTP method, for example, “PUT”.
SigSciences.Corp.Site.Request.ServerName	unknown	The server name.
SigSciences.Corp.Site.Request.Protocol	unknown	The HTTP protocol, for example “HTTP/1.1”.
SigSciences.Corp.Site.Request.Path	unknown	The path.
SigSciences.Corp.Site.Request.URI	unknown	The URI.
SigSciences.Corp.Site.Request.ResponseCode	unknown	The HTTP response code.
SigSciences.Corp.Site.Request.ResponseSize	unknown	The HTTP response size.
SigSciences.Corp.Site.Request.ResponseMillis	unknown	The response time in milliseconds.
SigSciences.Corp.Site.Request.AgentResponseCode	unknown	The agent response code.
SigSciences.Corp.Site.Request.Tags	unknown	An array of relevant tags.

PAN-OS

Cortex Data Lake

Cortex XSOAR

PAN-OS

Cortex Data Lake

Cortex XSOAR

Configure Signal Sciences WAF on Demisto

Commands

1. Get a site’s whitelist

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

Signal Sciences - Whitelist

2. Get a site’s blacklist: sigsci-get-blacklist

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

Signal Sciences - Blacklist

3. Add an IP address to a whitelist: sigsci-whitelist-add-ip

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

Signal Sciences - Adding an IP to Whitelist

4. Add an IP address to a blacklist: sigsci-blacklist-add-ip

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

Signal Sciences - Adding an IP to Blacklist

5. Remove an IP address from a whitelist: sigsci-whitelist-remove-ip

Base Command

Input

Context Output

Command Example

6. Remove an IP address from a blacklist

Base Command

Input

Context Output

Command Example

7. Get all site names

Base Command

Input

Context Output

8. Create a list for a site

Base Command

Input

Context Output

Command Example

9. Get information for a site list

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

Found data about list with ID: site.sitelistdoc3

10. Delete a site list

Base Command

Input

Context Output

Command Example

11. Update a site list

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

Signal Sciences - Updating a list