Overview

Enrichment is a set of actions created to power up playbook capabilities.

Configuration

In the configuration screen, add the Siemplify API key that the integration uses to enrich entities from Explorer. To retrieve an API key, go to Settings -> Advanced -> API Keys.

Parameter | Type | Default Value | Is Mandatory | Description
API Key | String | N/A | No | Specify the Chronicle API key, which is required to enrich entities from Explorer.


Actions

Enrich Entity from Explorer Attributes

Description

Enriches entities with historic enrichment data using the entity explorer.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Field Name | String | N/A | No | Specify the fields from the entity explorer that will be used to enrich the target entity. Supports a comma-delimited string.
Use field Name as Allowlist | Checkbox | Checked | No | If checked, entities are enriched only with the fields listed in the "Field Name" parameter. If unchecked, the list is treated as a blocklist and all other fields are added.

Example

In this scenario, we're enriching all entities with data from the entity explorer. All available fields are listed under "Entity Details" in the entity explorer. The action returns a JSON result containing the key/value pairs from entity details.

Action Results

  • Script Result
Script Result Name | Value options | Example
ScriptResult | JSON Result | Result shown below
  • JSON Result
    {
      "193.0.0.44": {},
      "ATTACHMENT.TXT": {
        "Source": "Added by <InternalSDK API Key>", "size": "64", "extension": "txt",
        "hash_md5": "6529d73ba8183760ad174644e75684fe",
        "hash_sha1": "dd88508cda7bcfc71ffdbc0e26afe97d3fb9a0b6",
        "hash_sha256": "1f209f1560df8cb6e983dff99d7a7d2db8dc3e439226abd38ef34facdffd82ec",
        "hash_sha512": "310d2df6f770dafdf4f84d9851e3fad011d4eb0c5a8af9a5f6d237fb733bca41d41ad6b00efdc2b5c218207f1a1ac99339923d3c389368f0c1d2ba58e8e1893a",
        "mime_type": "ASCII text, with no line terminators", "mime_type_short": "text/plain",
        "ole_data_1_id": "ftype", "ole_data_1_value": "Unknown file type", "ole_data_1_name": "File format", "ole_data_1_description": "", "ole_data_1_risk": "info", "ole_data_1_hide_if_false": "true",
        "ole_data_2_id": "container", "ole_data_2_value": "Unknown Container", "ole_data_2_name": "Container format", "ole_data_2_description": "Container type", "ole_data_2_risk": "info", "ole_data_2_hide_if_false": "true",
        "ole_data_3_id": "encrypted", "ole_data_3_value": "", "ole_data_3_name": "Encrypted", "ole_data_3_description": "The file is not encrypted", "ole_data_3_risk": "none", "ole_data_3_hide_if_false": "",
        "ole_data_4_id": "vba", "ole_data_4_value": "Yes", "ole_data_4_name": "VBA Macros", "ole_data_4_description": "This file contains VBA macros. No suspicious keyword was found. Use olevba and mraptor for more info.", "ole_data_4_risk": "Medium", "ole_data_4_hide_if_false": "",
        "ole_data_5_id": "xlm", "ole_data_5_value": "No", "ole_data_5_name": "XLM Macros", "ole_data_5_description": "This file does not contain Excel 4/XLM macros.", "ole_data_5_risk": "none", "ole_data_5_hide_if_false": "",
        "ole_data_6_id": "ext_rels", "ole_data_6_value": "", "ole_data_6_name": "External Relationships", "ole_data_6_description": "External relationships such as remote templates, remote OLE objects, etc", "ole_data_6_risk": "none", "ole_data_6_hide_if_false": "",
        "ole_data_7_id": "ObjectPool", "ole_data_7_value": "", "ole_data_7_name": "ObjectPool", "ole_data_7_description": "Contains an ObjectPool stream, very likely to contain embedded OLE objects or files. Use oleobj to check it.", "ole_data_7_risk": "none", "ole_data_7_hide_if_false": "true",
        "ole_data_8_id": "flash", "ole_data_8_value": "", "ole_data_8_name": "Flash objects", "ole_data_8_description": "Number of embedded Flash objects (SWF files) detected in OLE streams. Not 100% accurate, there may be false positives.", "ole_data_8_risk": "none", "ole_data_8_hide_if_false": "true",
        "content_header_content-type_1": "text/plain; name=\"attachment.txt\"", "content_header_content-transfer-encoding_1": "base64", "content_header_content-disposition_1": "attachment; filename=\"attachment.txt\"",
        "level": "", "attachment_id": "18"
      }
    }

Whois

Description

Queries WHOIS servers for domain registration information. Supports IP Address, URL, Email and Domain entities. Can create Domain entities linked to the target entity, and applies a domain age threshold below which the entity is marked as suspicious.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Create Entities | Checkbox | Checked | No | Specify whether to create Domain entities and link them to the URL, Email and User Name entities they were derived from.
Domain Age Threshold | Integer | Checked | No | If the domain's age in days is less than this value, the entity is marked as suspicious.

Example

In this scenario, any external hostname entities attached to a case with a domain age of less than 365 days will be marked as suspicious.

Action Results

  • Script Result
Script Result Name | Value options | Example
ScriptResult | True/False | true
  • JSON Result
    {
      "Entity": "badsite.com",
      "EntityResult": {
        "id": ["32621649_DOMAIN_COM-VRSN"],
        "status": [
          "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
          "clientRenewProhibited https://icann.org/epp#clientRenewProhibited",
          "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
          "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited"
        ],
        "creation_date": ["2000-08-09T11:17:46"],
        "expiration_date": ["2023-08-09T11:17:46"],
        "updated_date": ["2022-09-18T23:31:54"],
        "registrar": ["GoDaddy.com, LLC"],
        "whois_server": ["whois.godaddy.com"],
        "nameservers": ["NS49.DOMAINCONTROL.COM", "NS50.DOMAINCONTROL.COM"],
        "emails": ["abuse@godaddy.com"],
        "contacts": {"registrant": null, "tech": null, "admin": null, "billing": null},
        "age_in_days": 8092
      }
    }
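The following Python is an added example, not the integration's own code, showing how the Domain Age Threshold rule and the domain extraction behind Create Entities can be evaluated against the WHOIS result above. The helper names, the treatment of a missing or future creation date as "unknown age", and the reference date 2022-10-05 (the date on which the page's result yields age_in_days 8092) are assumptions.

```python
from datetime import date, datetime
from typing import Any, Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample, trimmed from the WHOIS JSON result shown above for badsite.com.
WHOIS_RESULT: Dict[str, Any] = {
    "Entity": "badsite.com",
    "EntityResult": {
        "creation_date": ["2000-08-09T11:17:46"],
        "expiration_date": ["2023-08-09T11:17:46"],
        "registrar": ["GoDaddy.com, LLC"],
    },
}
# Assumed reference date: the day on which the page's age_in_days of 8092 holds.
REFERENCE_DATE = date(2022, 10, 5)

def extract_domain(identifier: str) -> Optional[str]:
    """Derive the domain to query from a URL, e-mail address or bare domain/IP entity
    (hypothetical helper standing in for the action's Create Entities behaviour)."""
    ident = identifier.strip().lower()
    if "@" in ident:                       # e-mail address: keep the part after the last '@'
        return ident.rsplit("@", 1)[1] or None
    parsed = urlparse(ident if "://" in ident else "//" + ident)
    return parsed.hostname or None         # drops scheme, port, path and userinfo

def first(value: Any) -> Any:
    """WHOIS parsers return either a scalar or a list (as in the result above)."""
    if isinstance(value, list):
        return value[0] if value else None
    return value

def domain_age_in_days(result: Dict[str, Any], today: date) -> Optional[int]:
    """Age from creation_date; None when WHOIS gave no creation date (IP WHOIS, redaction)."""
    created = first(result.get("EntityResult", {}).get("creation_date"))
    if not created:
        return None
    age = (today - datetime.fromisoformat(created).date()).days
    return age if age >= 0 else None       # a creation date in the future is treated as unknown

def evaluate_domain_age(result: Dict[str, Any], threshold_days: int,
                        today: date) -> Tuple[Optional[int], bool]:
    """Domain Age Threshold rule: suspicious only when the age is known and below the threshold."""
    age = domain_age_in_days(result, today)
    return age, (age is not None and age < threshold_days)

if __name__ == "__main__":
    print(evaluate_domain_age(WHOIS_RESULT, 365, REFERENCE_DATE))   # (8092, False)
```

An unknown age deliberately never marks the entity suspicious, so an IP entity or a redacted WHOIS record does not trip the threshold by accident.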

Enrich Entity from List with Field

Description

Enriches a list of supplied entities with a field and a value. This action is often used with the "Entity Selection" action to produce the list of entities.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
List of Entities | String | N/A | Yes | Specify a list of entities of the same type.
Entity Type | String | N/A | Yes | Specify the type of the entities.
Entity Delimiter | String | , | Yes | Specify the delimiter used in the list of entities.
Enrichment Field | String | N/A | Yes | Specify the name of the field that will be added to each entity.
Enrichment Value | String | N/A | Yes | Specify the value of the field that will be added to each entity.

Example

In this scenario, we're selecting IP Address entities using the EntitySelection action and passing the results to the "List of Entities" parameter for enrichment.

Action Results

  • Script Result
Script Result Name | Value options | Example
ScriptResult | Number of entities successfully enriched | 3

Enrich Entity from Event Field

Description

Extracts fields from an event and adds them to the entity fields.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Fields to enrich | String | N/A | Yes | Specify the name of the field(s) in the event that will be used to enrich the entity. Supports a comma-separated list.

Example

In this scenario, fields payload_id and event_description are extracted from a case event and added to entity fields for all entities.

Action Results

  • Script Result
Script Result Name | Value options | Example
ScriptResult | Number of entities successfully enriched | 7

Enrich Entity With Field

Description

Adds enrichment fields to the entity based on a list of key values.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description | Example
Fields to enrich | JSON | N/A | Yes | Specify a list of key/value pairs that will be used to enrich the entity. It must be valid JSON. | [ { "entity_field_name": "Title", "entity_field_value": "SalesManager" }, { "entity_field_name": "City", "entity_field_value": "NewYork" } ]

Example

In this example, we're enriching user entities with two fields: Title and City.

Action Results

  • Script Result
Script Result Name | Value options | Example
ScriptResult | Number of entities successfully enriched | 13

Mark Entity as Suspicious

Description

Marks entities in scope as suspicious.

Parameters

Specify the entity scope you want to mark as suspicious.

Example

In this scenario, we're marking all external IP entities as suspicious. The entity field "is_suspicious" in the entity explorer is updated to "true".

Action Results

  • Script Result
Script Result Name | Value options | Example
ScriptResult | Number of entities marked as suspicious | 3

Enrich FileName Entity With Path

Description

Parses the path, file name and extension from an entity identifier and enriches the entity with the file_path, file_name and file_extensions fields.

Parameters

Specify the file entity scope you want to parse the fields from.

Example

In this scenario, we’re looping through all file name entities and parsing any paths, file names and extensions from the entity identifier.

Action Results

  • Script Result
Script Result Name | Value options | Example
ScriptResult | List of entities enriched | WORD/THEME/THEME1.XML,WORD/DOCUMENT.XML

Enrich Source and Destinations

Description

Adds the source and destination links to IPs and Hostnames in an alert.

Parameters

Specify the entity scope you want to parse the fields from.

Example

In this scenario, we’re looping through all IP and hostname entities and enriching them with source and destination links.

Action Results

  • Script Result
Script Result Name | Value options | Example
N/A | N/A | N/A

Enrich Entity from JSON

Description

Enriches an entity with data from a supplied JSON object, matching the entity identifier at the specified key path.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Enrichment JSON | JSON | N/A | Yes | Specify the JSON with which you would like to enrich an entity.
Identifier KeyPath | String | N/A | Yes | Specify the key path to the entity identifier in the JSON.
Separator | String | . | Yes | Specify the separator/delimiter for the key path.
PrefixForErichment | String | N/A | No | Specify a prefix to use for the enrichment.
Enrichment JSON Path | String | N/A | No | Specify the JSON

Example

In this scenario, the entity identifier is a hash value and the Identifier KeyPath is "sha1", so the entity is enriched with the matching data from the Enrichment JSON field. Note that the entity must already exist in the alert before this action runs.

Action Results

  • Script Result
Script Result Name | Value options | Example
ScriptResult | # of entities enriched | 1
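As an added Python example (not the integration's own code), this is the key-path match and field flattening that the parameters above describe: Identifier KeyPath and Separator locate the identifier inside the Enrichment JSON, and the prefix is prepended to every resulting field. The function names, the case-insensitive identifier comparison, joining nested keys with "_" and the sample JSON are assumptions; the truncated Enrichment JSON Path parameter is not modelled.

```python
import json
from typing import Any, Dict, Optional

# Constructed sample of an "Enrichment JSON" a playbook step might hand to this action,
# keyed by the file's SHA-1 (the hash from the explorer result earlier on the page).
ENRICHMENT_JSON = json.dumps({
    "sha1": "dd88508cda7bcfc71ffdbc0e26afe97d3fb9a0b6",
    "verdict": {"score": 7, "label": "suspicious"},
    "tags": ["macro", "office"],
})

def resolve_keypath(obj: Any, keypath: str, separator: str = ".") -> Any:
    """Walk obj along keypath split on separator; list elements are addressed by index."""
    cur = obj
    for part in keypath.split(separator):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
        if cur is None:                     # path runs off the data: no identifier found
            return None
    return cur

def flatten(obj: Any, prefix: str = "") -> Dict[str, str]:
    """Flatten nested dicts/lists into flat entity fields (keys joined with '_', values as strings)."""
    out: Dict[str, str] = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}_{key}" if prefix else str(key)))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            out.update(flatten(val, f"{prefix}_{idx}" if prefix else str(idx)))
    else:
        out[prefix] = str(obj)
    return out

def enrich_from_json(entity_identifier: str, enrichment_json: str, identifier_keypath: str,
                     separator: str = ".", prefix: str = "") -> Optional[Dict[str, str]]:
    """Return the flattened enrichment fields if the JSON belongs to this entity, else None."""
    try:
        data = json.loads(enrichment_json)
    except json.JSONDecodeError:
        return None                         # malformed input enriches nothing
    found = resolve_keypath(data, identifier_keypath, separator)
    if found is None or str(found).lower() != entity_identifier.strip().lower():
        return None                         # identifier mismatch: leave the entity untouched
    return flatten(data, prefix)
```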