# GCenter 103
This Integration is part of the Gatewatcher AionIQ Pack.
Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
This integration fetches events generated by the GCenter appliance. This integration was integrated and tested with version 2.5.3.103 of GCenter 103.
This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.
## Configure GCenter 103 in Cortex
| Parameter | Description | Required |
|---|---|---|
| GCenter IP address | The IP of the GCenter from where the events will be fetched. | True |
| GCenter API token | | False |
| GCenter account | | False |
| Password | | False |
| GCenter Version | | False |
| Check the TLS certificate | | False |
| Use system proxy settings | | False |
| Fetch incidents | | False |
| Fetch incidents from type | | False |
| Engine alerts selection | | False |
| First fetch | How far back the first fetch retrieves events stored on the GCenter, e.g. 2 days. | False |
| Fetch limit | The maximum number of events retrieved per fetch. This integration can handle up to 10000; the default of 200 is the optimum for Cortex XSOAR. | False |
| Incident type | | |
## Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### gcenter103-alerts-list
List all alerts.
#### Base Command
`gcenter103-alerts-list`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| date_from | Starting date filter. ISO-8601 date format. | Optional |
| date_to | Ending date filter. ISO-8601 date format. | Optional |
| since | Not compatible with date_from and date_to parameters. Possible values are: 15d, yesterday. | Optional |
| ids | A comma-separated list of alert IDs. | Optional |
| excluded_ids | A comma-separated list of alert IDs to exclude. | Optional |
| acknowledged | Whether to filter on the acknowledgement status. Possible values are: true, false. | Optional |
| gcap_id | Comma-separated list of GCap IDs. First GCap has ID 1. | Optional |
| ip | Comma-separated list of IP addresses of the alerts. | Optional |
| src_ip | Comma-separated list of source IP addresses of the alerts. | Optional |
| dest_ip | Comma-separated list of destination IP addresses of the alerts. | Optional |
| risk_min | Minimal risk value. | Optional |
| risk_max | Maximal risk value. | Optional |
| name | Filter on alert signature. Comma-separated list of signatures. | Optional |
| description | Filter alerts on their description. | Optional |
| tag | Filter on alerts containing tags. Comma-separated list of tag names. | Optional |
| no_tag | Whether to include users with no tags. Possible values are: true, false. | Optional |
| excluded_tags | Filter out alerts containing tags. Comma-separated list of tags. Logical OR between the tags. | Optional |
| sort_by | The filter by which to sort the results. Possible values are: date, -date, risk, -risk, name, -name. | Optional |
| type | The type by which to filter alerts on engines. Possible values are: active_cti, beacon_detect, dga_detect, malcore, malcore_retroanalyzer, malicious_powershell_detect, ransomware_detect, retrohunt, shellcode_detect, sigflow_alert. | Optional |
| mitre_tactic_name | Filter alert by MITRE tactic name. Possible values are: Collection, Collection (ICS), Collection (Mobile), Command and Control, Command and Control (ICS), Command and Control (Mobile), Credential Access, Credential Access (Mobile), Defense Evasion, Defense Evasion (Mobile), Discovery, Discovery (ICS), Discovery (Mobile), Evasion, Execution, Execution (ICS), Execution (Mobile), Exfiltration, Exfiltration (Mobile), Impact, Impact (ICS), Impact (Mobile), Impair Process Control, Inhibit Response Function, Initial Access, Initial Access (ICS), Initial Access (Mobile), Lateral Movement, Lateral Movement (ICS), Lateral Movement (Mobile), Persistence, Persistence (ICS), Persistence (Mobile), Privilege Escalation, Privilege Escalation (ICS), Privilege Escalation (Mobile), Reconnaissance, Resource Development. | Optional |
| hostname | Comma-separated list of hostnames. | Optional |
| src_hostname | Comma-separated list of source hostnames. | Optional |
| dest_hostname | Comma-separated list of destination hostnames. | Optional |
| username | Comma-separated list of usernames. | Optional |
| note | User note content. | Optional |
| state | Filter alerts on their state. Possible values are: closed, mute, open. | Optional |
| search | A search term. | Optional |
| page | A page to select in the results set. | Optional |
| page_size | Number of results per page. | Optional |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Alerts.List.uuid | string | Alert UUIDs. |
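The Input table above documents several constraints a caller has to respect (`since` is incompatible with `date_from`/`date_to`, several filters are comma-separated lists, `type`/`state`/`sort_by` take fixed values). The following added example, which is not part of the Gatewatcher pack or of Cortex XSOAR content, shows how an automation can assemble and check the argument dictionary before handing it to `demisto.executeCommand("gcenter103-alerts-list", args)`; the argument names and allowed values are those of the table, while the helper names and the sample values are this example's own.

```python
"""Argument builder for the gcenter103-alerts-list command.

Added example (not part of the Gatewatcher pack): it assembles and checks the
arguments an XSOAR automation would pass to
demisto.executeCommand("gcenter103-alerts-list", args), enforcing the
constraints the Input table documents before the request leaves the playbook.
"""
from datetime import datetime
from typing import Iterable, Optional

# Enumerations copied from the Input table.
ENGINE_TYPES = {
    "active_cti", "beacon_detect", "dga_detect", "malcore",
    "malcore_retroanalyzer", "malicious_powershell_detect",
    "ransomware_detect", "retrohunt", "shellcode_detect", "sigflow_alert",
}
STATES = {"closed", "mute", "open"}
SORT_KEYS = {"date", "-date", "risk", "-risk", "name", "-name"}
SINCE_VALUES = {"15d", "yesterday"}


def _iso8601(value: str) -> str:
    """Accept only ISO-8601 dates/datetimes; a trailing 'Z' is tolerated."""
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError as exc:
        raise ValueError(f"not an ISO-8601 date: {value!r}") from exc
    return value


def _csv(values: Optional[Iterable[str]]) -> Optional[str]:
    """Join a Python list into the comma-separated string the command expects."""
    if values is None:
        return None
    items = [str(v).strip() for v in values if str(v).strip()]
    return ",".join(items) if items else None


def _choice(name: str, value: Optional[str], allowed: set) -> Optional[str]:
    """Reject a value outside the enumeration the table lists."""
    if value is not None and value not in allowed:
        raise ValueError(f"{name}={value!r} not in {sorted(allowed)}")
    return value


def build_alerts_list_args(since=None, date_from=None, date_to=None,
                           ids=None, src_ip=None, dest_ip=None,
                           risk_min=None, risk_max=None, alert_type=None,
                           state=None, sort_by=None, acknowledged=None,
                           page=None, page_size=None) -> dict:
    """Return the argument dict for gcenter103-alerts-list, or raise ValueError."""
    # 'since' is documented as incompatible with date_from/date_to.
    if since is not None and (date_from is not None or date_to is not None):
        raise ValueError("'since' cannot be combined with date_from/date_to")
    if risk_min is not None and risk_max is not None and int(risk_min) > int(risk_max):
        raise ValueError("risk_min must not exceed risk_max")
    for pname, pval in (("page", page), ("page_size", page_size)):
        if pval is not None and int(pval) < 1:
            raise ValueError(f"{pname} must be a positive integer")

    raw = {
        "since": _choice("since", since, SINCE_VALUES),
        "date_from": _iso8601(date_from) if date_from else None,
        "date_to": _iso8601(date_to) if date_to else None,
        "ids": _csv(ids),
        "src_ip": _csv(src_ip),
        "dest_ip": _csv(dest_ip),
        "risk_min": risk_min,
        "risk_max": risk_max,
        "type": _choice("type", alert_type, ENGINE_TYPES),
        "state": _choice("state", state, STATES),
        "sort_by": _choice("sort_by", sort_by, SORT_KEYS),
        # XSOAR passes booleans as the strings "true"/"false".
        "acknowledged": None if acknowledged is None else str(bool(acknowledged)).lower(),
        "page": page,
        "page_size": page_size,
    }
    # Drop unset arguments and stringify the rest, since command args are strings.
    return {k: str(v) for k, v in raw.items() if v is not None}


if __name__ == "__main__":
    # Constructed sample: open, unacknowledged Sigflow alerts of the last 15 days
    # from two source IPs, highest risk first. In an automation this dict would
    # be passed to demisto.executeCommand("gcenter103-alerts-list", args).
    print(build_alerts_list_args(since="15d", src_ip=["10.0.0.5", " 10.0.0.6 "],
                                 risk_min=50, risk_max=100,
                                 alert_type="sigflow_alert", state="open",
                                 sort_by="-risk", acknowledged=False,
                                 page=1, page_size=200))
```

Failing early in the automation, rather than letting the GCenter reject the request, keeps playbook errors readable and avoids a silent fallback to an unfiltered listing when a mistyped filter is dropped.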
### gcenter103-alerts-get
Get an alert with its UUID (corresponds to event.id field) or the GCenter ID of the alert.
#### Base Command
`gcenter103-alerts-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| uuid | UUID or GCenter ID of the alert. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Alerts.Get.uuid | string | The UUID of the alert fetched. |
### gcenter103-alerts-note-add
Add or update a note to an alert.
#### Base Command
`gcenter103-alerts-note-add`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| note | The note to set on the alert. | Required |
| uuid | The UUID of the alert to set the note on (corresponds to event.id field). | Required |
| overwrite | Whether to overwrite the note. Possible values are: true, false. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Alerts.Note.Add.note | string | The note added to the alert. |
### gcenter103-alerts-note-remove
Delete the note of an alert.
#### Base Command
`gcenter103-alerts-note-remove`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| uuid | The UUID of the alert to delete the note on (corresponds to event.id field). | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Alerts.Note.Remove.uuid | string | The UUID of the alert whose note was removed. |
### gcenter103-alerts-tags-get
Get the tags of an alert.
#### Base Command
`gcenter103-alerts-tags-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| uuid | The UUID of the alert to get tags (corresponds to event.id field). | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Alerts.Tags.Get.tags | string | The tags of the alert. |
| Gatewatcher.Alerts.Tags.Get.uuid | string | The UUID of the alert having these tags. |
### gcenter103-alerts-tags-add
Add or update tags of an alert.
#### Base Command
`gcenter103-alerts-tags-add`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| uuid | The UUID of the alert to add tags (corresponds to event.id field). | Required |
| tags | A comma-separated list of tag names to add to the alert. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Alerts.Tags.Add.tags | string | The tags added to the alert. |
| Gatewatcher.Alerts.Tags.Add.uuid | string | The UUID of the alert where the tags were added. |
### gcenter103-alerts-tags-remove
Remove tags from an alert.
#### Base Command
`gcenter103-alerts-tags-remove`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| uuid | The UUID of the alert from which to remove tags (corresponds to event.id field). | Required |
| tags | A comma-separated list of tag names to remove from the alert. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Alerts.Tags.Remove | string | The tags present in the alert. |
### gcenter103-alerts-status-update
Update the status of an alert.
#### Base Command
`gcenter103-alerts-status-update`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| note_u | A note to add/update. | Optional |
| tag_u | Tags to add/update. | Optional |
| date_from | Starting date filter. ISO-8601 date format. | Optional |
| date_to | Ending date filter. ISO-8601 date format. | Optional |
| since | Not compatible with date_from and date_to parameters. Possible values are: 15d, yesterday. | Optional |
| uuid | UUID of the alert to perform action (corresponds to event.id field). | Required |
| acknowledged | Whether to filter on the acknowledgement status. Possible values are: true, false. | Optional |
| gcap_id | Comma-separated list of GCap IDs. First GCap has ID 1. | Optional |
| ip | Comma-separated list of IP addresses of the alerts. | Optional |
| src_ip | Comma-separated list of source IP addresses of the alerts. | Optional |
| dest_ip | Comma-separated list of destination IP addresses of the alerts. | Optional |
| risk_min | Minimal risk value. | Optional |
| risk_max | Maximal risk value. | Optional |
| name | Filter on alert signature. Comma-separated list of signatures. | Optional |
| description | Filter alerts on their description. | Optional |
| tag | Filter on alerts containing tags. Comma-separated list of tag names. | Optional |
| no_tag | Whether to include users with no tags. Possible values are: true, false. | Optional |
| excluded_tags | Filter out alerts containing tags. Comma-separated list of tags. Logical OR between the tags. | Optional |
| sort_by | The filter by which to sort the results. Possible values are: date, -date, risk, -risk, name, -name. | Optional |
| type | The type by which to filter alerts on engines. Possible values are: active_cti, beacon_detect, dga_detect, malcore, malcore_retroanalyzer, malicious_powershell_detect, ransomware_detect, retrohunt, shellcode_detect, sigflow_alert. | Optional |
| mitre_tactic_name | Filter alert by MITRE tactic name. Possible values are: Collection, Collection (ICS), Collection (Mobile), Command and Control, Command and Control (ICS), Command and Control (Mobile), Credential Access, Credential Access (Mobile), Defense Evasion, Defense Evasion (Mobile), Discovery, Discovery (ICS), Discovery (Mobile), Evasion, Execution, Execution (ICS), Execution (Mobile), Exfiltration, Exfiltration (Mobile), Impact, Impact (ICS), Impact (Mobile), Impair Process Control, Inhibit Response Function, Initial Access, Initial Access (ICS), Initial Access (Mobile), Lateral Movement, Lateral Movement (ICS), Lateral Movement (Mobile), Persistence, Persistence (ICS), Persistence (Mobile), Privilege Escalation, Privilege Escalation (ICS), Privilege Escalation (Mobile), Reconnaissance, Resource Development. | Optional |
| hostname | Comma-separated list of hostnames. | Optional |
| src_hostname | Comma-separated list of source hostnames. | Optional |
| dest_hostname | Comma-separated list of destination hostnames. | Optional |
| username | Comma-separated list of usernames. | Optional |
| note | User note content. | Optional |
| state | Filter alerts on their state. Possible values are: closed, mute, open. | Optional |
| search | A search term. | Optional |
| action | The action to perform on the alerts. Possible values are: acknowledge, open, tag, untag, note, open_related, close_related, mute_signature, unmute_signature. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Alerts.Status.Update | string | The updated status of the alerts. |
### gcenter103-raw-alerts-get
Get a raw alert with its UUID.
#### Base Command
`gcenter103-raw-alerts-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| uuid | UUID of the alert to fetch (corresponds to event.id field). | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Raw.Alerts.Get | string | The alert content. |
### gcenter103-raw-alerts-file-get
Get a file attached to an alert with its UUID.
#### Base Command
`gcenter103-raw-alerts-file-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| uuid | UUID of the alert to fetch (corresponds to event.id field). | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Raw.Alerts.File.Get | string | The zip file. |
### gcenter103-file-scan
Scan a file on a selected engine. You must upload the file to scan before execution.
#### Base Command
`gcenter103-file-scan`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| engine | Engine that will scan the file. Possible values are: malcore, powershell, shellcode. | Required |
| entryID | Entry ID of the file to scan. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.File.Scan | string | Results of the scan. |
### gcenter103-file-scan-result-get
Retrieve a previous scan by its ID.
#### Base Command
`gcenter103-file-scan-result-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| id | ID of a previous file scan. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.File.Scan.Result.Get | string | Result of the file scan. |
### gcenter103-assets-list
List all assets.
#### Base Command
`gcenter103-assets-list`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| date_from | Starting date filter. ISO-8601 date format. | Optional |
| date_to | Ending date filter. ISO-8601 date format. | Optional |
| since | Not compatible with date_from and date_to parameters. Possible values are: 15d, yesterday. | Optional |
| gcap_id | Comma-separated list of GCap IDs. First GCap has ID 1. | Optional |
| ip | Comma-separated list of IP addresses of the alerts. | Optional |
| risk_min | Minimal risk value. | Optional |
| risk_max | Maximal risk value. | Optional |
| name | Comma-separated list of hostnames of the asset. | Optional |
| tag | Filter on assets containing tags. Comma-separated list of tag names. | Optional |
| no_tag | Whether to include users with no tags. Possible values are: true, false. | Optional |
| sort_by | The filter by which to sort the results. Possible values are: risk, -risk, name, -name. | Optional |
| type | Asset type. Possible values are: Smartphone, IoT, Laptop, Videogame, TV, Other, Firewall, Hypervisor, IPBX, Printer, Proxy, Router, Server, Storage, Virtual Machine, WAF, WiFi, unknown. | Optional |
| note | Asset note content. | Optional |
| search | A search term. | Optional |
| page | A page to select in the results set. | Optional |
| page_size | Number of results per page. | Optional |
| fast | The fast mode uses cached data to present faster results. Disabled by default. Possible values are: true, false. | Optional |
| os_firmware | OS/Firmware of the asset. | Optional |
| mac_address | Asset MAC addresses. | Optional |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Assets.List | string | List of assets. |
### gcenter103-assets-alerts-get
Retrieve alerts of a given asset.
#### Base Command
`gcenter103-assets-alerts-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| date_from | Starting date filter. ISO-8601 date format. | Optional |
| date_to | Ending date filter. ISO-8601 date format. | Optional |
| since | Not compatible with date_from and date_to parameters. Possible values are: 15d, yesterday. | Optional |
| ids | A comma-separated list of alert IDs. | Optional |
| excluded_ids | A comma-separated list of alert IDs to exclude. | Optional |
| acknowledged | Whether to filter on the acknowledgement status. Possible values are: true, false. | Optional |
| gcap_id | Comma-separated list of GCap IDs. First GCap has ID 1. | Optional |
| ip | Comma-separated list of IP addresses of the alerts. | Optional |
| src_ip | Comma-separated list of source IP addresses of the alerts. | Optional |
| dest_ip | Comma-separated list of destination IP addresses of the alerts. | Optional |
| risk_min | Minimal risk value. | Optional |
| risk_max | Maximal risk value. | Optional |
| name | Filter on alert signature. Comma-separated list of signatures. | Optional |
| description | Filter alerts on their description. | Optional |
| tag | Filter on alerts containing tags. Comma-separated list of tag names. | Optional |
| no_tag | Whether to include users with no tags. Possible values are: true, false. | Optional |
| excluded_tags | Filter out alerts containing tags. Comma-separated list of tags. Logical OR between the tags. | Optional |
| sort_by | The filter by which to sort the results. Possible values are: date, -date, risk, -risk, name, -name. | Optional |
| type | The type by which to filter alerts on engines. Possible values are: active_cti, beacon_detect, dga_detect, malcore, malcore_retroanalyzer, malicious_powershell_detect, ransomware_detect, retrohunt, shellcode_detect, sigflow_alert. | Optional |
| mitre_tactic_name | Filter alert by MITRE tactic name. Possible values are: Collection, Collection (ICS), Collection (Mobile), Command and Control, Command and Control (ICS), Command and Control (Mobile), Credential Access, Credential Access (Mobile), Defense Evasion, Defense Evasion (Mobile), Discovery, Discovery (ICS), Discovery (Mobile), Evasion, Execution, Execution (ICS), Execution (Mobile), Exfiltration, Exfiltration (Mobile), Impact, Impact (ICS), Impact (Mobile), Impair Process Control, Inhibit Response Function, Initial Access, Initial Access (ICS), Initial Access (Mobile), Lateral Movement, Lateral Movement (ICS), Lateral Movement (Mobile), Persistence, Persistence (ICS), Persistence (Mobile), Privilege Escalation, Privilege Escalation (ICS), Privilege Escalation (Mobile), Reconnaissance, Resource Development. | Optional |
| hostname | Comma-separated list of hostnames. | Optional |
| src_hostname | Comma-separated list of source hostnames. | Optional |
| dest_hostname | Comma-separated list of destination hostnames. | Optional |
| username | Comma-separated list of usernames. | Optional |
| note | User note content. | Optional |
| state | Filter alerts on their state. Possible values are: closed, mute, open. | Optional |
| page | A page number within the results pages. | Optional |
| page_size | Number of results per page. | Optional |
| asset_name | Name of the asset. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Assets.Alerts.Get | string | Get alerts for an asset. |
### gcenter103-assets-get
Retrieve specific asset data.
#### Base Command
`gcenter103-assets-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| date_from | Starting date filter. ISO-8601 date format. | Optional |
| date_to | Ending date filter. ISO-8601 date format. | Optional |
| since | Not compatible with date_from and date_to parameters. Possible values are: 15d, yesterday. | Optional |
| fast | The fast mode uses cached data to present faster results. Disabled by default. Possible values are: true, false. | Optional |
| asset_name | Asset name. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Assets.Get | string | Asset data. |
### gcenter103-assets-note-add
Add or update a note to an asset.
#### Base Command
`gcenter103-assets-note-add`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| asset_name | Asset name. | Required |
| note | Note to update. | Required |
| overwrite | Whether to overwrite the note. Possible values are: true, false. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Assets.Note.Add | string | The note added or updated. |
### gcenter103-assets-note-remove
Remove a note from an asset.
#### Base Command
`gcenter103-assets-note-remove`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| asset_name | Asset name. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Assets.Note.Remove | string | The request response code. |
### gcenter103-assets-tags-get
Get the tags of an asset.
#### Base Command
`gcenter103-assets-tags-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| asset_name | Asset name. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Assets.Tags.Get | string | The tags of the asset. |
### gcenter103-assets-tags-add
Add or update the tags of an asset.
#### Base Command
`gcenter103-assets-tags-add`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| asset_name | Asset name. | Required |
| tags | A comma-separated list of tag names to add to the asset. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Assets.Tags.Add | string | Added or updated tags of the asset. |
### gcenter103-assets-tags-remove
Remove tags of an asset.
#### Base Command
`gcenter103-assets-tags-remove`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| asset_name | Asset name. | Required |
| tags | A comma-separated list of tag names to remove from the asset. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Assets.Tags.Remove | string | Removed tags of the asset. |
### gcenter103-users-list
Retrieves a list of Kerberos users.
#### Base Command
`gcenter103-users-list`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| search | A search term. | Optional |
| page | A page to select in the results set. | Optional |
| page_size | Number of results per page. | Optional |
| date_from | Starting date filter. ISO-8601 date format. | Optional |
| date_to | Ending date filter. ISO-8601 date format. | Optional |
| since | Not compatible with date_from and date_to parameters. Possible values are: 15d, yesterday. | Optional |
| fast | The fast mode uses cached data to present faster results. Disabled by default. Possible values are: true, false. | Optional |
| gcap_id | Comma-separated list of GCap IDs. First GCap has ID 1. | Optional |
| sort_by | The filter by which to sort the results. Possible values are: risk, -risk, name, -name. | Optional |
| risk_min | Minimal risk value. | Optional |
| risk_max | Maximal risk value. | Optional |
| username | Comma-separated list of usernames. | Optional |
| ip | Comma-separated list of IP addresses of the alerts. | Optional |
| hostname | Comma-separated list of hostnames. | Optional |
| tag | Filter on users containing tags. Comma-separated list of tag names. | Optional |
| note | User note content. | Optional |
| no_tag | Whether to include users with no tags. Possible values are: true, false. | Optional |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Users.List | string | The list of Kerberos users. |
### gcenter103-users-alerts-get
Retrieves a list of the alerts of a Kerberos user.
#### Base Command
`gcenter103-users-alerts-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| date_from | Starting date filter. ISO-8601 date format. | Optional |
| date_to | Ending date filter. ISO-8601 date format. | Optional |
| since | Not compatible with date_from and date_to parameters. Possible values are: 15d, yesterday. | Optional |
| ids | A comma-separated list of alert IDs. | Optional |
| excluded_ids | A comma-separated list of alert IDs to exclude. | Optional |
| acknowledged | Whether to filter on the acknowledgement status. Possible values are: true, false. | Optional |
| gcap_id | Comma-separated list of GCap IDs. First GCap has ID 1. | Optional |
| ip | Comma-separated list of IP addresses of the alerts. | Optional |
| src_ip | Comma-separated list of source IP addresses of the alerts. | Optional |
| dest_ip | Comma-separated list of destination IP addresses of the alerts. | Optional |
| risk_min | Minimal risk value. | Optional |
| risk_max | Maximal risk value. | Optional |
| name | Filter on alert signature. Comma-separated list of signatures. | Optional |
| description | Filter alerts on their description. | Optional |
| tag | Filter on users containing tags. Comma-separated list of tag names. | Optional |
| no_tag | Whether to include users with no tags. Possible values are: true, false. | Optional |
| excluded_tags | Filter out alerts containing tags. Comma-separated list of tags. Logical OR between the tags. | Optional |
| sort_by | The filter by which to sort the results. Possible values are: date, -date, risk, -risk, name, -name. | Optional |
| type | The type by which to filter alerts on engines. Possible values are: active_cti, beacon_detect, dga_detect, malcore, malcore_retroanalyzer, malicious_powershell_detect, ransomware_detect, retrohunt, shellcode_detect, sigflow_alert. | Optional |
| mitre_tactic_name | Filter alert by MITRE tactic name. Possible values are: Collection, Collection (ICS), Collection (Mobile), Command and Control, Command and Control (ICS), Command and Control (Mobile), Credential Access, Credential Access (Mobile), Defense Evasion, Defense Evasion (Mobile), Discovery, Discovery (ICS), Discovery (Mobile), Evasion, Execution, Execution (ICS), Execution (Mobile), Exfiltration, Exfiltration (Mobile), Impact, Impact (ICS), Impact (Mobile), Impair Process Control, Inhibit Response Function, Initial Access, Initial Access (ICS), Initial Access (Mobile), Lateral Movement, Lateral Movement (ICS), Lateral Movement (Mobile), Persistence, Persistence (ICS), Persistence (Mobile), Privilege Escalation, Privilege Escalation (ICS), Privilege Escalation (Mobile), Reconnaissance, Resource Development. | Optional |
| hostname | Comma-separated list of hostnames. | Optional |
| src_hostname | Comma-separated list of source hostnames. | Optional |
| dest_hostname | Comma-separated list of destination hostnames. | Optional |
| username | Comma-separated list of usernames. | Optional |
| note | User note content. | Optional |
| state | Filter alerts on their state. Possible values are: closed, mute, open. | Optional |
| page | A page number within the results pages. | Optional |
| page_size | Number of results per page. | Optional |
| kuser_name | Alerts of this Kerberos user name. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Users.Alerts.Get | string | The list of alerts of a Kerberos user. |
### gcenter103-users-get
Retrieves Kerberos user data.
#### Base Command
`gcenter103-users-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| date_from | Starting date filter. ISO-8601 date format. | Optional |
| date_to | Ending date filter. ISO-8601 date format. | Optional |
| since | Not compatible with date_from and date_to parameters. Possible values are: 15d, yesterday. | Optional |
| fast | The fast mode uses cached data to present faster results. Disabled by default. Possible values are: true, false. | Optional |
| kuser_name | Alerts of this Kerberos user name. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Users.Get | string | Get information of a Kerberos user. |
### gcenter103-users-note-add
Add or update the note of a Kerberos user.
#### Base Command
`gcenter103-users-note-add`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| note | Note content to add/update. | Required |
| kuser_name | Kerberos user name. | Required |
| overwrite | Whether to overwrite the note. Possible values are: true, false. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Users.Note.Add | string | Added/updated note. |
### gcenter103-users-note-remove
Remove the note of a Kerberos user.
#### Base Command
`gcenter103-users-note-remove`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| kuser_name | Kerberos user name. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Users.Note.Remove | string | Request response code. |
### gcenter103-users-tags-get
Get the tags of a Kerberos user.
#### Base Command
`gcenter103-users-tags-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| kuser_name | Kerberos user name to get tags of. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Users.Tags.Get | string | The tags associated to the Kerberos user. |
### gcenter103-users-tags-add
Add or update the tags of a Kerberos user.
#### Base Command
`gcenter103-users-tags-add`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| tags | A comma-separated list of tags to add to the Kerberos user. | Required |
| kuser_name | Kerberos user name to add tags to. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Users.Tags.Add | string | Added/updated tags associated to the Kerberos user. |
### gcenter103-users-tags-remove
Remove tags of a Kerberos user.
#### Base Command
`gcenter103-users-tags-remove`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| tags | A comma-separated list of tag names to remove from the Kerberos user. | Required |
| kuser_name | Kerberos user name to remove tags from. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Users.Tags.Remove | string | Tags of the Kerberos user. |
### gcenter103-yara-rules-get
Get YARA settings.
#### Base Command
`gcenter103-yara-rules-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| export | Export state. Possible values are: true, false. | Optional |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Yara.Rules.Get | string | The YARA settings. |
### gcenter103-yara-rules-add
Add YARA rules to Malcore. You must upload the YARA file before execution.
#### Base Command
`gcenter103-yara-rules-add`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| enabled | Set if YARA is enabled or not. Possible values are: true, false. | Required |
| name | Name of the YARA ruleset. | Required |
| entryID | EntryID of the YARA file. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Yara.Rules.Add | string | The updated YARA settings. |
### gcenter103-malcore-fingerprints-get
Get fingerprints of the white or black list of Malcore.
#### Base Command
`gcenter103-malcore-fingerprints-get`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| ordering | The order by which the results should be sorted. Possible values are: created, sha256, user, -created, -sha256, -user. | Optional |
| page | A page to select in the results set. | Optional |
| list_type | The type of list given. Possible values are: white, black. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Malcore.Fingerprints.Get | string | Hash list information. |
### gcenter103-malcore-fingerprints-add
Add fingerprints to the Malcore white or black list.
#### Base Command
`gcenter103-malcore-fingerprints-add`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| sha256 | The SHA256 to add. | Required |
| comment | An attached comment (200 chars max). | Required |
| threat | Name of the threat for reference (100 chars max). | Required |
| list_type | The type of list given. Possible values are: white, black. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Malcore.Fingerprints.Add | string | Hash list information. |
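Because a white or black list entry changes what Malcore treats as trusted or malicious, an automation should validate the fingerprint and its reference fields before calling this command rather than relying on the appliance to reject malformed input. The following added example, not code from the Gatewatcher pack, normalises the arguments against the limits stated in the Input table (a SHA256 digest, a comment of at most 200 characters, a threat name of at most 100 characters, `list_type` white or black) and shows how the digest is derived from file bytes; the helper names and the sample file are this example's own.

```python
"""Pre-flight checks for gcenter103-malcore-fingerprints-add.

Added example (not part of the Gatewatcher pack): it normalises and validates
the arguments before an automation calls
demisto.executeCommand("gcenter103-malcore-fingerprints-add", args).
The limits enforced are the ones the Input table documents.
"""
import hashlib
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
COMMENT_MAX = 200   # "An attached comment (200 chars max)"
THREAT_MAX = 100    # "Name of the threat for reference (100 chars max)"
LIST_TYPES = {"white", "black"}


def fingerprint_of(data: bytes) -> str:
    """SHA-256 hex digest of a file's bytes, the form the Malcore lists use."""
    return hashlib.sha256(data).hexdigest()


def _bounded(name: str, value: str, limit: int) -> str:
    """Collapse whitespace and enforce the documented length limit."""
    text = " ".join(value.split())
    if not text:
        raise ValueError(f"{name} must not be empty")
    if len(text) > limit:
        raise ValueError(f"{name} exceeds {limit} characters ({len(text)})")
    return text


def build_fingerprint_add_args(sha256: str, comment: str, threat: str,
                               list_type: str) -> dict:
    """Return validated arguments for the command, or raise ValueError."""
    digest = sha256.strip().lower()          # accept upper-case digests
    if not SHA256_RE.match(digest):
        raise ValueError("sha256 must be 64 hexadecimal characters")
    kind = list_type.strip().lower()
    if kind not in LIST_TYPES:
        raise ValueError(f"list_type must be one of {sorted(LIST_TYPES)}")
    return {
        "sha256": digest,
        "comment": _bounded("comment", comment, COMMENT_MAX),
        "threat": _bounded("threat", threat, THREAT_MAX),
        "list_type": kind,
    }


if __name__ == "__main__":
    # Constructed sample: blacklist a file whose bytes we hold locally, with a
    # ticket reference in the comment. In an automation the returned dict would
    # be passed to demisto.executeCommand("gcenter103-malcore-fingerprints-add", args).
    sample = b"MZ\x90\x00 constructed sample, not a real binary"
    print(build_fingerprint_add_args(fingerprint_of(sample),
                                     "Ticket INC-0001 (constructed reference)",
                                     "Sample.Dropper", "black"))
```

Keeping the ticket or case reference in `comment` and a consistent threat name in `threat` makes the list auditable later through `gcenter103-malcore-fingerprints-get`, which sorts on exactly those fields plus `created`.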
### gcenter103-malcore-fingerprints-remove
Remove fingerprints from the Malcore white or black list.
#### Base Command
`gcenter103-malcore-fingerprints-remove`
#### Input
| Argument Name | Description | Required |
|---|---|---|
| sha256 | The SHA256 to remove. | Required |
| list_type | The type of list to remove from. Possible values are: white, black. | Required |
#### Context Output
| Path | Type | Description |
|---|---|---|
| Gatewatcher.Malcore.Fingerprints.Remove | string | Hash list information. |