Actions

Types of Actions

An Action helps you execute specific tasks depending on your needs. There are 5 main types of actions in the playbooks:

Interact with the platform: getters and setters
Extract data: data collection enrichers
Connect and use third-party applications
Set up notifications
Use helpers to build your own actions

The Actions Library lists all available actions in playbooks with their detailed configuration.

Sekoia.io Actions

Getters

Name	Description
Get Event Field Common Values	Retrieve the most common values of an ECS field based on the time window
List Assets	Retrieve detailed information about assets based on a filter
Search Alerts	Retrieve detailed information about alerts (such as the urgency, name of the rule, etc… except events) based on a filter.
Get Alert	Retrieve detailed alert information such as the urgency, name of the rule, pattern, etc… except events.
Get Events	Retrieve events based on a search. This action is equivalent to a search on the event page and takes into consideration 3 parameters: a query with filters (`source.ip=xx.xxx.xx`), and earliest time/latest time: two dates to determine the date range of the search.

Note

Get Events can be used to retrieve events from an alert. Events associated to an alert contain the key alert_short_ids with the value of the ID of the alert.

Setters

Name	Description
Create an asset	Create an asset
Delete an asset	Delete an asset
Add attribute to asset	Add attribute to asset
Add key to asset	Add key to asset
Edit alert	Edit an alert details such as the urgency or the alert category
Comment alert	Add a comment to the alert
Update alert status	Change the status of an alert
Push Events to Intake	Push one or more events to an Intake
Attach Alerts to Case	Attach one or more alerts to a case.

How to update an alert status

To update an alert status, you need to copy the status_uuid corresponding to the needed action.

Action	Description	status_uuid
Pending	This alert needs to be addressed	`2efc4930-1442-4abb-acf2-58ba219a4fd0`
Acknowledge	Alert will be evaluated (true or false positive?)	`8f206505-af6d-433e-93f4-775d46dc7d0f`
Ongoing	Alert might be a true positive and action must be taken	`1f2f88d5-ff5b-48bf-bbbc-00c2fff82d9f`
Reject	It is a false positive or the alert will be not addressed	`4f68da89-38e0-4703-a6ab-652f02bdf24e`
Close	It was a true positive and the alert has been addressed	`1738b1c1-767d-489e-bada-19176621a007`

Notifications

To get notified, you can rely on these tools:

Mandrill: Send Message
Mattermost: Post message / Post Sekoia.io alert
Pagerduty: Trigger Alert
The Hive: Create an alert in the Hive
...

Data collection

If you have an account in one of the listed tools below, you can easily extract data from there and import it to Sekoia.io. This is made possible with an API key.

Helpers

Name	Description
fileutils	Extract data from XML or JSON files
http	Request HTTP resources (download file, request URL)
STIX	Add source, add tags, create relationships, cryptolaemus to STIX, CVE to STIX, filter bundle, JSON objects to observables, VirusTotal LiveHunt to observables, MISP to STIX, observables to contextualized indicators, observables to indicators, remove orphan objects, STIX to MISP, string to observables

These helpers need their associated trigger to function properly:

Name	Description
MISP	Gather, store, share and correlate threat intelligence. Convert from MISP to STIX, publish MISP event
MWDB	Convert a MWDB config to a bundle of observables
Triage	Triage raw results to observables

Third-party applications

More actions are available in the Actions Library. To learn how to set up an action, please refer to its documentation.

Note

The dynamic content is written in JINJA. For more information on this language, please follow this documentation.