Skip to main content

Gem

This Integration is part of the Gem Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.12.0 and later.

Use Gem alerts as a trigger for Cortex XSOAR’s custom playbooks, to automate response to specific TTPs.

Configure Gem on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Gem.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Incident typeFalse
    API EndpointThe API endpoint to use for connection (US or EU)True
    Service Account IDThe Service Account ID to use for connectionTrue
    Service Account SecretThe Service Account Secret to use for connectionTrue
    First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)False
    Use system proxy settingsFalse
    Fetch incidentsFalse
    Maximum number of alerts per fetchFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

gem-list-threats#


List all threats detected in Gem.

Base Command#

gem-list-threats

Input#

Argument NameDescriptionRequired
limitThe number of alert to fetch. Default is 50.Optional
time_startThe start time of the threats to return in ISO format. Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required
time_endThe end time of the threats to return in ISO format. Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required
orderingThe ordering of the items. Possible values are: -timeframe_start, timeframe_state, -mitre_technique, mitre_technique, -severity, severity, -assignee, assignee, -is_resolved, is_resolved. Default is -timeframe_start.Optional
statusThe status of the threats to return. Possible values are: open, resolved, in_progress.Optional
ttp_idThe TTP ID of the threats to return.Optional
titleThe title of the threats to return.Optional
severityThe severity of the threats to return. Possible values are: low, medium, high.Optional
cloud_providerThe provider of the threats to return. Possible values are: aws, azure, gcp, okta, huawei.Optional
entity_typeThe entity type of the threats to return.Optional

Context Output#

PathTypeDescription
Gem.ThreatsList.accounts.account_statusStringIndicates the current status of the account (e.g., active, suspended).
Gem.ThreatsList.accounts.cloud_providerStringSpecifies the cloud service provider for the account (e.g., AWS, Azure).
Gem.ThreatsList.accounts.display_nameStringThe display name associated with the account.
Gem.ThreatsList.accounts.hierarchy_path.idStringUnique identifier within the account hierarchy path.
Gem.ThreatsList.accounts.hierarchy_path.nameStringName designation within the account hierarchy path.
Gem.ThreatsList.accounts.idNumberThe unique numerical identifier for the account.
Gem.ThreatsList.accounts.identifierStringAn alternative identifier for the account.
Gem.ThreatsList.accounts.organization_nameStringThe name of the organization to which the account belongs.
Gem.ThreatsList.alert_sourceStringThe source of the alert.
Gem.ThreatsList.alerts.accounts.account_statusStringIndicates the account status related to a specific alert.
Gem.ThreatsList.alerts.accounts.cloud_providerStringCloud provider associated with the alert's account.
Gem.ThreatsList.alerts.accounts.display_nameStringDisplay name of the account related to the alert.
Gem.ThreatsList.alerts.accounts.idNumberNumerical identifier for the account associated with the alert.
Gem.ThreatsList.alerts.accounts.identifierStringIdentifier for the account related to the alert.
Gem.ThreatsList.alerts.accounts.organization_nameStringOrganization name associated with the alert's account.
Gem.ThreatsList.alerts.alert_sourceStringThe source of individual alerts.
Gem.ThreatsList.alerts.datetimeDateThe date and time when the alert was generated.
Gem.ThreatsList.alerts.descriptionStringDescription of the alert.
Gem.ThreatsList.alerts.entities.activity_by_providerUnknownDetails about activity by the cloud provider in relation to the alert.
Gem.ThreatsList.alerts.entities.cloud_providerStringCloud provider related to the alert entities.
Gem.ThreatsList.alerts.entities.idStringUnique identifier for the entities related to the alert.
Gem.ThreatsList.alerts.entities.is_main_entityBooleanIndicates if the entity is the primary subject of the alert.
Gem.ThreatsList.alerts.entities.is_secondary_entityBooleanIndicates if the entity is a secondary subject of the alert.
Gem.ThreatsList.alerts.entities.resource_idUnknownIdentifier for the resources involved in the alert.
Gem.ThreatsList.alerts.entities.typeStringType of entities involved in the alert.
Gem.ThreatsList.alerts.idStringUnique identifier for the alert.
Gem.ThreatsList.alerts.main_alert_idStringIdentifier for the primary alert, if applicable.
Gem.ThreatsList.alerts.mitre_techniques.idStringIdentifier for the MITRE ATT&CK technique associated with the alert.
Gem.ThreatsList.alerts.mitre_techniques.technique_nameStringName of the MITRE ATT&CK technique related to the alert.
Gem.ThreatsList.alerts.organization_idStringIdentifier for the organization associated with the alert.
Gem.ThreatsList.alerts.severityNumberNumerical representation of the alert's severity.
Gem.ThreatsList.alerts.severity_textStringTextual description of the alert's severity.
Gem.ThreatsList.alerts.statusStringCurrent status of the alert (e.g., open, resolved. in_progress).
Gem.ThreatsList.alerts.titleStringTitle or summary of the alert.
Gem.ThreatsList.alerts.ttp_idStringIdentifier for the tactics, techniques, and procedures (TTP) related to the alert.
Gem.ThreatsList.assigneesUnknownInformation about who is assigned to address the threats.
Gem.ThreatsList.categoryStringClassification or category of the threat.
Gem.ThreatsList.datetimeDateThe date and time when the threat was identified or logged.
Gem.ThreatsList.descriptionStringDetailed description of the threat.
Gem.ThreatsList.entities.activity_by_providerUnknownDetails about the activity conducted by the cloud provider in relation to the threat.
Gem.ThreatsList.entities.cloud_providerStringCloud service provider associated with the entities in the threat.
Gem.ThreatsList.entities.idStringUnique identifier for the entities involved in the threat.
Gem.ThreatsList.entities.is_main_entityBooleanIndicates if the entity is the primary focus of the threat.
Gem.ThreatsList.entities.is_secondary_entityBooleanIndicates if the entity plays a secondary role in the context of the threat.
Gem.ThreatsList.entities.resource_idUnknownIdentifier for the resources targeted or involved in the threat.
Gem.ThreatsList.entities.typeStringType or nature of the entities involved in the threat.
Gem.ThreatsList.idStringUnique identifier for the threat list item.
Gem.ThreatsList.main_alert_idStringMain alert identifier related to the threat.
Gem.ThreatsList.mitre_techniques.idStringIdentifier for MITRE ATT&CK techniques associated with the threat.
Gem.ThreatsList.mitre_techniques.technique_nameStringName of the MITRE ATT&CK technique associated with the threat.
Gem.ThreatsList.organization_idStringIdentifier of the organization associated with the threat.
Gem.ThreatsList.severity_textStringTextual description of the overall severity of the threat.
Gem.ThreatsList.statusStringCurrent status of the threat (e.g., active, resolved).
Gem.ThreatsList.titleStringTitle or main description of the threat.
Gem.ThreatsList.ttp_idStringIdentifier for the tactics, techniques, and procedures (TTP) associated with the threat.

gem-get-threat-details#


Get details about a specific threat.

Base Command#

gem-get-threat-details

Input#

Argument NameDescriptionRequired
threat_idThe ID of the threat to get details for.Required

Context Output#

PathTypeDescription
Gem.Threat.accounts.account_statusStringIndicates the current status of the account (e.g., active, suspended).
Gem.Threat.accounts.cloud_providerStringSpecifies the cloud service provider for the account (e.g., AWS, Azure).
Gem.Threat.accounts.display_nameStringThe display name associated with the account.
Gem.Threat.accounts.hierarchy_path.idStringUnique identifier within the account hierarchy path.
Gem.Threat.accounts.hierarchy_path.nameStringName designation within the account hierarchy path.
Gem.Threat.accounts.idNumberThe unique numerical identifier for the account.
Gem.Threat.accounts.identifierStringAn alternative identifier for the account.
Gem.Threat.accounts.organization_nameStringThe name of the organization to which the account belongs.
Gem.Threat.alert_sourceStringThe source of the alert.
Gem.Threat.alerts.accounts.account_statusStringIndicates the account status related to a specific alert.
Gem.Threat.alerts.accounts.cloud_providerStringCloud provider associated with the alert's account.
Gem.Threat.alerts.accounts.display_nameStringDisplay name of the account related to the alert.
Gem.Threat.alerts.accounts.idNumberNumerical identifier for the account associated with the alert.
Gem.Threat.alerts.accounts.identifierStringIdentifier for the account related to the alert.
Gem.Threat.alerts.accounts.organization_nameStringOrganization name associated with the alert's account.
Gem.Threat.alerts.alert_sourceStringThe source of individual alerts.
Gem.Threat.alerts.datetimeDateThe date and time when the alert was generated.
Gem.Threat.alerts.descriptionStringDescription of the alert.
Gem.Threat.alerts.entities.activity_by_providerUnknownDetails about activity by the cloud provider in relation to the alert.
Gem.Threat.alerts.entities.cloud_providerStringCloud provider related to the alert entities.
Gem.Threat.alerts.entities.idStringUnique identifier for the entities related to the alert.
Gem.Threat.alerts.entities.is_main_entityBooleanIndicates if the entity is the primary subject of the alert.
Gem.Threat.alerts.entities.is_secondary_entityBooleanIndicates if the entity is a secondary subject of the alert.
Gem.Threat.alerts.entities.resource_idUnknownIdentifier for the resources involved in the alert.
Gem.Threat.alerts.entities.typeStringType of entities involved in the alert.
Gem.Threat.alerts.idStringUnique identifier for the alert.
Gem.Threat.alerts.main_alert_idStringIdentifier for the primary alert, if applicable.
Gem.Threat.alerts.mitre_techniques.idStringIdentifier for the MITRE ATT&CK technique associated with the alert.
Gem.Threat.alerts.mitre_techniques.technique_nameStringName of the MITRE ATT&CK technique related to the alert.
Gem.Threat.alerts.organization_idStringIdentifier for the organization associated with the alert.
Gem.Threat.alerts.severityNumberNumerical representation of the alert's severity.
Gem.Threat.alerts.severity_textStringTextual description of the alert's severity.
Gem.Threat.alerts.statusStringCurrent status of the alert (e.g., open, resolved. in_progress).
Gem.Threat.alerts.titleStringTitle or summary of the alert.
Gem.Threat.alerts.ttp_idStringIdentifier for the tactics, techniques, and procedures (TTP) related to the alert.
Gem.Threat.assigneesUnknownInformation about who is assigned to address the threats.
Gem.Threat.categoryStringClassification or category of the threat.
Gem.Threat.datetimeDateThe date and time when the threat was identified or logged.
Gem.Threat.descriptionStringDetailed description of the threat.
Gem.Threat.entities.activity_by_providerUnknownDetails about the activity conducted by the cloud provider in relation to the threat.
Gem.Threat.entities.cloud_providerStringCloud service provider associated with the entities in the threat.
Gem.Threat.entities.idStringUnique identifier for the entities involved in the threat.
Gem.Threat.entities.is_main_entityBooleanIndicates if the entity is the primary focus of the threat.
Gem.Threat.entities.is_secondary_entityBooleanIndicates if the entity plays a secondary role in the context of the threat.
Gem.Threat.entities.resource_idUnknownIdentifier for the resources targeted or involved in the threat.
Gem.Threat.entities.typeStringType or nature of the entities involved in the threat.
Gem.Threat.idStringUnique identifier for the threat list item.
Gem.Threat.main_alert_idStringMain alert identifier related to the threat.
Gem.Threat.mitre_techniques.idStringIdentifier for MITRE ATT&CK techniques associated with the threat.
Gem.Threat.mitre_techniques.technique_nameStringName of the MITRE ATT&CK technique associated with the threat.
Gem.Threat.organization_idStringIdentifier of the organization associated with the threat.
Gem.Threat.severity_textStringTextual description of the overall severity of the threat.
Gem.Threat.statusStringCurrent status of the threat (e.g., active, resolved).
Gem.Threat.titleStringTitle or main description of the threat.
Gem.Threat.ttp_idStringIdentifier for the tactics, techniques, and procedures (TTP) associated with the threat.

gem-get-alert-details#


Get details about a specific alert.

Base Command#

gem-get-alert-details

Input#

Argument NameDescriptionRequired
alert_idThe ID of the alert to get details for.Required

Context Output#

PathTypeDescription
Gem.Alert.alert_context.account_db_idStringDatabase identifier for the account associated with the alert.
Gem.Alert.alert_context.alert_idStringUnique identifier for the alert.
Gem.Alert.alert_context.alert_sourceStringThe source from which the alert originated.
Gem.Alert.alert_context.alert_source_idStringIdentifier for the specific source of the alert.
Gem.Alert.alert_context.alert_source_urlStringURL associated with the alert source.
Gem.Alert.alert_context.cloud_providerStringThe cloud service provider associated with the alert.
Gem.Alert.alert_context.created_atDateThe timestamp when the alert was created.
Gem.Alert.alert_context.descriptionStringDetailed description of the alert.
Gem.Alert.alert_context.description_templateStringTemplate used for generating the alert description.
Gem.Alert.alert_context.general_cloud_providerStringGeneral classification of the cloud provider related to the alert.
Gem.Alert.alert_context.mitre_techniques.idStringIdentifier for the MITRE ATT&CK technique associated with the alert.
Gem.Alert.alert_context.mitre_techniques.technique_nameStringName of the MITRE ATT&CK technique related to the alert.
Gem.Alert.alert_context.resolvedBooleanIndicates whether the alert has been resolved.
Gem.Alert.alert_context.severityNumberNumerical representation of the alert's severity.
Gem.Alert.alert_context.statusStringCurrent status of the alert (e.g., open, resolved, in_progress).
Gem.Alert.alert_context.timeframe_endDateEnd date and time of the timeframe relevant to the alert.
Gem.Alert.alert_context.timeframe_startDateStart date and time of the timeframe relevant to the alert.
Gem.Alert.alert_context.titleStringTitle or main description of the alert.
Gem.Alert.alert_context.ttp_idStringIdentifier for the tactics, techniques, and procedures (TTP) related to the alert.
Gem.Alert.triage_configuration.analysisStringAnalysis or summary of the triage configuration for the alert.
Gem.Alert.triage_configuration.entities.activity_by_providerStringActivity details by the cloud provider related to the triage entities.
Gem.Alert.triage_configuration.entities.cloud_providerStringCloud provider associated with the triage entities.
Gem.Alert.triage_configuration.entities.idStringUnique identifier for the entities involved in the triage.
Gem.Alert.triage_configuration.entities.is_main_entityBooleanIndicates if the entity is the primary focus in the triage.
Gem.Alert.triage_configuration.entities.is_secondary_entityBooleanIndicates if the entity plays a secondary role in the triage.
Gem.Alert.triage_configuration.entities.resource_idStringResource identifier associated with the triage entities.
Gem.Alert.triage_configuration.entities.typeStringType or nature of the entities involved in the triage.
Gem.Alert.triage_configuration.event_groups.descriptionStringDescription of the event groups involved in the triage.
Gem.Alert.triage_configuration.event_groups.end_timeDateEnd time for the event groups in the triage.
Gem.Alert.triage_configuration.event_groups.error_codeStringError code associated with the event groups in the triage.
Gem.Alert.triage_configuration.event_groups.event_nameStringName of the specific event within the event group related to the triage.
Gem.Alert.triage_configuration.event_groups.event_typeStringType or category of the event within the event group.
Gem.Alert.triage_configuration.event_groups.eventsStringDetails of the events that are part of the event group in the triage.
Gem.Alert.triage_configuration.event_groups.start_timeDateStart time for the event groups involved in the triage.
Gem.Alert.triage_configuration.event_groups.time_indicator_textStringTextual indicator of the time relevant to the event groups in the triage.
Gem.Alert.triage_configuration.event_groups.timeline_item_typeStringType of timeline item represented by the event groups in the triage.
Gem.Alert.triage_configuration.event_groups.titleStringTitle or main description of the event groups in the triage.
Gem.Alert.triage_configuration.event_groups.typeStringOverall type or classification of the event groups in the triage.
Gem.Alert.triage_configuration.resolve_params.include_data_eventsBooleanIndicates whether data events should be included in the resolution process.
Gem.Alert.triage_configuration.resolve_params.timeframe_lookup_window_hoursNumberNumber of hours in the lookup window for timeframe analysis in the resolution process.
Gem.Alert.triage_configuration.stateStringCurrent state or status of the triage configuration for the alert.

gem-list-inventory-resources#


List inventory resources in Gem.

Base Command#

gem-list-inventory-resources

Input#

Argument NameDescriptionRequired
limitThe number of items to return. Default is 50.Optional
include_deletedInclude deleted resources in the response.Optional
regionThe region of the resources to return.Optional
resource_typeThe type of the resources to return.Optional
searchThe search query to use.Optional

Context Output#

PathTypeDescription
Gem.InventoryItems.account.account_statusStringCurrent status of the account associated with the inventory item (e.g., active, suspended).
Gem.InventoryItems.account.cloud_providerStringName of the cloud service provider for the account associated with the inventory item.
Gem.InventoryItems.account.display_nameStringDisplay name of the account associated with the inventory item.
Gem.InventoryItems.account.hierarchy_pathStringHierarchical path in the account structure associated with the inventory item.
Gem.InventoryItems.account.idNumberUnique numerical identifier for the account associated with the inventory item.
Gem.InventoryItems.account.identifierStringAlternative identifier for the account associated with the inventory item.
Gem.InventoryItems.account.organization_nameStringName of the organization to which the account associated with the inventory item belongs.
Gem.InventoryItems.account.tenantStringTenant information for the account associated with the inventory item in a multi-tenant environment.
Gem.InventoryItems.categoriesStringCategories or types assigned to the inventory item.
Gem.InventoryItems.created_atDateTimestamp indicating when the inventory item was created.
Gem.InventoryItems.deletedBooleanIndicates whether the inventory item has been marked as deleted.
Gem.InventoryItems.external_urlStringURL linking to external information or resources related to the inventory item.
Gem.InventoryItems.identifiers.nameStringName associated with the identifier of the inventory item.
Gem.InventoryItems.identifiers.valueStringValue of the identifier assigned to the inventory item.
Gem.InventoryItems.regionStringGeographic region associated with the inventory item.
Gem.InventoryItems.resource_idStringUnique identifier for the resource that the inventory item represents.
Gem.InventoryItems.resource_typeStringType of resource that the inventory item represents (e.g., VM, database).
Gem.InventoryItems.tagsStringTags or labels assigned to the inventory item for categorization or identification.

gem-get-resource-details#


Get details about a specific resource.

Base Command#

gem-get-resource-details

Input#

Argument NameDescriptionRequired
resource_idThe ID of the resource to get details for.Required

Context Output#

PathTypeDescription
Gem.InventoryItem.account.account_statusStringCurrent status of the account associated with the inventory item (e.g., active, suspended).
Gem.InventoryItem.account.cloud_providerStringName of the cloud service provider for the account associated with the inventory item.
Gem.InventoryItem.account.display_nameStringDisplay name of the account associated with the inventory item.
Gem.InventoryItem.account.hierarchy_pathStringHierarchical path in the account structure associated with the inventory item.
Gem.InventoryItem.account.idNumberUnique numerical identifier for the account associated with the inventory item.
Gem.InventoryItem.account.identifierStringAlternative identifier for the account associated with the inventory item.
Gem.InventoryItem.account.organization_nameStringName of the organization to which the account associated with the inventory item belongs.
Gem.InventoryItem.account.tenantStringTenant information for the account associated with the inventory item in a multi-tenant environment.
Gem.InventoryItem.categoriesStringCategories or types assigned to the inventory item.
Gem.InventoryItem.created_atDateTimestamp indicating when the inventory item was created.
Gem.InventoryItem.deletedBooleanIndicates whether the inventory item has been marked as deleted.
Gem.InventoryItem.external_urlStringURL linking to external information or resources related to the inventory item.
Gem.InventoryItem.identifiers.nameStringName associated with the identifier of the inventory item.
Gem.InventoryItem.identifiers.valueStringValue of the identifier assigned to the inventory item.
Gem.InventoryItem.regionStringGeographic region associated with the inventory item.
Gem.InventoryItem.resource_idStringUnique identifier for the resource that the inventory item represents.
Gem.InventoryItem.resource_typeStringType of resource that the inventory item represents (e.g., VM, database).

gem-list-ips-by-entity#


List all source IP addresses used by an entity in a specific timeframe. The results are sorted by activity volume.

Base Command#

gem-list-ips-by-entity

Input#

Argument NameDescriptionRequired
entity_idGem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg.Required
entity_typeType of the entity. See documentation for the full options list.Required
read_onlyShow read-only events.Optional
start_timeTimeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required
end_timeTimeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required

Context Output#

PathTypeDescription
Gem.IP.AS_NAMEStringName of the Autonomous System (AS) associated with the IP address.
Gem.IP.AS_NUMBERStringNumber of the Autonomous System (AS) associated with the IP address.
Gem.IP.CITYStringCity where the IP address is located.
Gem.IP.COUNTRY_CODEStringCountry code corresponding to the location of the IP address.
Gem.IP.COUNTRY_NAMEStringName of the country where the IP address is located.
Gem.IP.COUNT_SOURCEIPStringCount of occurrences or references to the source IP address.
Gem.IP.IP_TYPEStringType of the IP address (e.g., IPv4, IPv6).
Gem.IP.IS_PRIVATEStringIndicates whether the IP address is private (e.g., within a local network).
Gem.IP.LATITUDEStringLatitude coordinate of the IP address's location.
Gem.IP.LONGITUDEStringLongitude coordinate of the IP address's location.
Gem.IP.PROVIDERStringInternet service provider associated with the IP address.
Gem.IP.SOURCEIPADDRESSStringThe actual IP address being referenced or analyzed.

gem-list-services-by-entity#


List all services accessed by an entity in a specific timeframe. The results are sorted by activity volume.

Base Command#

gem-list-services-by-entity

Input#

Argument NameDescriptionRequired
entity_idGem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg.Required
entity_typeType of the entity. See documentation for the full options list.Required
read_onlyShow read-only events.Optional
start_timeTimeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required
end_timeTimeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required

Context Output#

PathTypeDescription
Gem.Entity.By.Services.COUNT_SERVICEStringNumber of times the specified service appears or is utilized within the context.
Gem.Entity.By.Services.SERVICEStringName or type of the service being referenced or analyzed.

gem-list-events-by-entity#


List all events performed by an entity in a specific timeframe. The results are sorted by activity volume.

Base Command#

gem-list-events-by-entity

Input#

Argument NameDescriptionRequired
entity_idGem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg.Required
entity_typeType of the entity. See documentation for the full options list.Required
read_onlyShow read-only events.Optional
start_timeTimeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required
end_timeTimeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required

Context Output#

PathTypeDescription
Gem.Entity.By.Events.EVENTNAMEStringName of the event being referenced or analyzed.
Gem.Entity.By.Events.EVENTNAME_COUNTStringCount of occurrences or references to the specified event name.

gem-list-accessing-entities#


List all entities that accessed an entity in a specific timeframe. The results are sorted by activity volume.

Base Command#

gem-list-accessing-entities

Input#

Argument NameDescriptionRequired
entity_idGem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg.Required
entity_typeType of the entity. See documentation for the full options list.Required
read_onlyShow read-only events.Optional
start_timeTimeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required
end_timeTimeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required

Context Output#

PathTypeDescription
Gem.Entity.Accessing.USER_COUNTStringNumber of users accessing or interacting with the entity.
Gem.Entity.Accessing.USER_IDStringIdentifier(s) of the user(s) accessing or interacting with the entity.

gem-list-using-entities#


List all entities that used an entity in a specific timeframe. The results are sorted by activity volume.

Base Command#

gem-list-using-entities

Input#

Argument NameDescriptionRequired
entity_idGem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg.Required
entity_typeType of the entity. See documentation for the full options list.Required
read_onlyShow read-only events.Optional
start_timeTimeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required
end_timeTimeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required

Context Output#

PathTypeDescription
Gem.Entity.Using.ENTITY_COUNTStringCount of the number of times the entity is used or referenced.
Gem.Entity.Using.ENTITY_IDStringUnique identifier for the entity being used or referenced.

gem-list-events-on-entity#


List all events performed on an entity in a specific timeframe. The results are sorted by activity volume.

Base Command#

gem-list-events-on-entity

Input#

Argument NameDescriptionRequired
entity_idGem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg.Required
entity_typeType of the entity. See documentation for the full options list.Required
read_onlyShow read-only events.Optional
start_timeTimeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required
end_timeTimeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required

Context Output#

PathTypeDescription
Gem.Entity.On.Events.EVENTNAMEStringName of the event associated with the entity.
Gem.Entity.On.Events.EVENTNAME_COUNTStringCount of occurrences or instances of the specified event name related to the entity.

gem-list-accessing-ips#


List all source IP addresses that accessed an entity in a specific timeframe. The results are sorted by activity volume.

Base Command#

gem-list-accessing-ips

Input#

Argument NameDescriptionRequired
entity_idGem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg.Required
entity_typeType of the entity. See documentation for the full options list.Required
read_onlyShow read-only events.Optional
start_timeTimeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required
end_timeTimeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00.Required

Context Output#

PathTypeDescription
Gem.Entity.Accessing.IPs.AS_NAMEStringName of the Autonomous System (AS) associated with the IP address accessing the entity.
Gem.Entity.Accessing.IPs.AS_NUMBERStringNumber of the Autonomous System (AS) associated with the IP address accessing the entity.
Gem.Entity.Accessing.IPs.CITYStringCity where the IP address accessing the entity is located.
Gem.Entity.Accessing.IPs.COUNTRY_CODEStringCountry code corresponding to the location of the IP address accessing the entity.
Gem.Entity.Accessing.IPs.COUNTRY_NAMEStringName of the country where the IP address accessing the entity is located.
Gem.Entity.Accessing.IPs.COUNT_SOURCEIPStringCount of occurrences or references to the source IP address accessing the entity.
Gem.Entity.Accessing.IPs.IP_TYPEStringType of the IP address (e.g., IPv4, IPv6) accessing the entity.
Gem.Entity.Accessing.IPs.IS_PRIVATEStringIndicates whether the IP address accessing the entity is private (e.g., within a local network).
Gem.Entity.Accessing.IPs.LATITUDEStringLatitude coordinate of the IP address's location accessing the entity.
Gem.Entity.Accessing.IPs.LONGITUDEStringLongitude coordinate of the IP address's location accessing the entity.
Gem.Entity.Accessing.IPs.PROVIDERStringInternet service provider associated with the IP address accessing the entity.
Gem.Entity.Accessing.IPs.SOURCEIPADDRESSStringThe actual IP address being referenced or analyzed that is accessing the entity.

gem-update-threat-status#


Set a threat's status to open, in progress or resolved.

Base Command#

gem-update-threat-status

Input#

Argument NameDescriptionRequired
threat_idThe ID of the threat to update.Required
statusThe new status of the threat (open, in_progress, resolved). Possible values are: open, in_progress, resolved.Required
verdictThe verdict of the threat. Possible values are: malicious, security_test, planned_action, not_malicious, inconclusive.Optional
reasonThe reason for resolving the threat.Optional

Context Output#

There is no context output for this command.

gem-run-action#


Run an action on an entity.

Base Command#

gem-run-action

Input#

Argument NameDescriptionRequired
actionThe action to run.Required
entity_idThe ID of the entity to run the action on.Required
entity_typeThe type of the entity to run the action on.Required
alert_idThe ID of the alert to run the action on.Required
resource_idThe ID of the resource to run the action on.Required

Context Output#

There is no context output for this command.

gem-add-timeline-event#


Add a timeline event to a threat.

Base Command#

gem-add-timeline-event

Input#

Argument NameDescriptionRequired
threat_idThe ID of the threat to add the timeline event to.Required
commentThe comment to add to the timeline event.Required

Context Output#

There is no context output for this command.