Gem
This Integration is part of the Gem Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.12.0 and later.
Use Gem alerts as a trigger for Cortex XSOAR’s custom playbooks, to automate response to specific TTPs.
Configure Gem on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for Gem.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Incident type False API Endpoint The API endpoint to use for connection (US or EU) True Service Account ID The Service Account ID to use for connection True Service Account Secret The Service Account Secret to use for connection True First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) False Use system proxy settings False Trust any certificate (not secure) False Fetch incidents False Maximum number of alerts per fetch False Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
gem-list-threats#
List all threats detected in Gem.
Base Command#
gem-list-threats
Input#
| Argument Name | Description | Required |
|---|---|---|
| limit | The number of alert to fetch. Default is 50. | Optional |
| time_start | The start time of the threats to return in ISO format. Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
| time_end | The end time of the threats to return in ISO format. Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
| ordering | The ordering of the items. Possible values are: -timeframe_start, timeframe_state, -mitre_technique, mitre_technique, -severity, severity, -assignee, assignee, -is_resolved, is_resolved. Default is -timeframe_start. | Optional |
| status | The status of the threats to return. Possible values are: open, resolved, in_progress. | Optional |
| ttp_id | The TTP ID of the threats to return. | Optional |
| title | The title of the threats to return. | Optional |
| severity | The severity of the threats to return. Possible values are: low, medium, high. | Optional |
| cloud_provider | The provider of the threats to return. Possible values are: aws, azure, gcp, okta, huawei. | Optional |
| entity_type | The entity type of the threats to return. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Gem.ThreatsList.accounts.account_status | String | Indicates the current status of the account (e.g., active, suspended). |
| Gem.ThreatsList.accounts.cloud_provider | String | Specifies the cloud service provider for the account (e.g., AWS, Azure). |
| Gem.ThreatsList.accounts.display_name | String | The display name associated with the account. |
| Gem.ThreatsList.accounts.hierarchy_path.id | String | Unique identifier within the account hierarchy path. |
| Gem.ThreatsList.accounts.hierarchy_path.name | String | Name designation within the account hierarchy path. |
| Gem.ThreatsList.accounts.id | Number | The unique numerical identifier for the account. |
| Gem.ThreatsList.accounts.identifier | String | An alternative identifier for the account. |
| Gem.ThreatsList.accounts.organization_name | String | The name of the organization to which the account belongs. |
| Gem.ThreatsList.alert_source | String | The source of the alert. |
| Gem.ThreatsList.alerts.accounts.account_status | String | Indicates the account status related to a specific alert. |
| Gem.ThreatsList.alerts.accounts.cloud_provider | String | Cloud provider associated with the alert's account. |
| Gem.ThreatsList.alerts.accounts.display_name | String | Display name of the account related to the alert. |
| Gem.ThreatsList.alerts.accounts.id | Number | Numerical identifier for the account associated with the alert. |
| Gem.ThreatsList.alerts.accounts.identifier | String | Identifier for the account related to the alert. |
| Gem.ThreatsList.alerts.accounts.organization_name | String | Organization name associated with the alert's account. |
| Gem.ThreatsList.alerts.alert_source | String | The source of individual alerts. |
| Gem.ThreatsList.alerts.datetime | Date | The date and time when the alert was generated. |
| Gem.ThreatsList.alerts.description | String | Description of the alert. |
| Gem.ThreatsList.alerts.entities.activity_by_provider | Unknown | Details about activity by the cloud provider in relation to the alert. |
| Gem.ThreatsList.alerts.entities.cloud_provider | String | Cloud provider related to the alert entities. |
| Gem.ThreatsList.alerts.entities.id | String | Unique identifier for the entities related to the alert. |
| Gem.ThreatsList.alerts.entities.is_main_entity | Boolean | Indicates if the entity is the primary subject of the alert. |
| Gem.ThreatsList.alerts.entities.is_secondary_entity | Boolean | Indicates if the entity is a secondary subject of the alert. |
| Gem.ThreatsList.alerts.entities.resource_id | Unknown | Identifier for the resources involved in the alert. |
| Gem.ThreatsList.alerts.entities.type | String | Type of entities involved in the alert. |
| Gem.ThreatsList.alerts.id | String | Unique identifier for the alert. |
| Gem.ThreatsList.alerts.main_alert_id | String | Identifier for the primary alert, if applicable. |
| Gem.ThreatsList.alerts.mitre_techniques.id | String | Identifier for the MITRE ATT&CK technique associated with the alert. |
| Gem.ThreatsList.alerts.mitre_techniques.technique_name | String | Name of the MITRE ATT&CK technique related to the alert. |
| Gem.ThreatsList.alerts.organization_id | String | Identifier for the organization associated with the alert. |
| Gem.ThreatsList.alerts.severity | Number | Numerical representation of the alert's severity. |
| Gem.ThreatsList.alerts.severity_text | String | Textual description of the alert's severity. |
| Gem.ThreatsList.alerts.status | String | Current status of the alert (e.g., open, resolved. in_progress). |
| Gem.ThreatsList.alerts.title | String | Title or summary of the alert. |
| Gem.ThreatsList.alerts.ttp_id | String | Identifier for the tactics, techniques, and procedures (TTP) related to the alert. |
| Gem.ThreatsList.assignees | Unknown | Information about who is assigned to address the threats. |
| Gem.ThreatsList.category | String | Classification or category of the threat. |
| Gem.ThreatsList.datetime | Date | The date and time when the threat was identified or logged. |
| Gem.ThreatsList.description | String | Detailed description of the threat. |
| Gem.ThreatsList.entities.activity_by_provider | Unknown | Details about the activity conducted by the cloud provider in relation to the threat. |
| Gem.ThreatsList.entities.cloud_provider | String | Cloud service provider associated with the entities in the threat. |
| Gem.ThreatsList.entities.id | String | Unique identifier for the entities involved in the threat. |
| Gem.ThreatsList.entities.is_main_entity | Boolean | Indicates if the entity is the primary focus of the threat. |
| Gem.ThreatsList.entities.is_secondary_entity | Boolean | Indicates if the entity plays a secondary role in the context of the threat. |
| Gem.ThreatsList.entities.resource_id | Unknown | Identifier for the resources targeted or involved in the threat. |
| Gem.ThreatsList.entities.type | String | Type or nature of the entities involved in the threat. |
| Gem.ThreatsList.id | String | Unique identifier for the threat list item. |
| Gem.ThreatsList.main_alert_id | String | Main alert identifier related to the threat. |
| Gem.ThreatsList.mitre_techniques.id | String | Identifier for MITRE ATT&CK techniques associated with the threat. |
| Gem.ThreatsList.mitre_techniques.technique_name | String | Name of the MITRE ATT&CK technique associated with the threat. |
| Gem.ThreatsList.organization_id | String | Identifier of the organization associated with the threat. |
| Gem.ThreatsList.severity_text | String | Textual description of the overall severity of the threat. |
| Gem.ThreatsList.status | String | Current status of the threat (e.g., active, resolved). |
| Gem.ThreatsList.title | String | Title or main description of the threat. |
| Gem.ThreatsList.ttp_id | String | Identifier for the tactics, techniques, and procedures (TTP) associated with the threat. |
gem-get-threat-details#
Get details about a specific threat.
Base Command#
gem-get-threat-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| threat_id | The ID of the threat to get details for. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Gem.Threat.accounts.account_status | String | Indicates the current status of the account (e.g., active, suspended). |
| Gem.Threat.accounts.cloud_provider | String | Specifies the cloud service provider for the account (e.g., AWS, Azure). |
| Gem.Threat.accounts.display_name | String | The display name associated with the account. |
| Gem.Threat.accounts.hierarchy_path.id | String | Unique identifier within the account hierarchy path. |
| Gem.Threat.accounts.hierarchy_path.name | String | Name designation within the account hierarchy path. |
| Gem.Threat.accounts.id | Number | The unique numerical identifier for the account. |
| Gem.Threat.accounts.identifier | String | An alternative identifier for the account. |
| Gem.Threat.accounts.organization_name | String | The name of the organization to which the account belongs. |
| Gem.Threat.alert_source | String | The source of the alert. |
| Gem.Threat.alerts.accounts.account_status | String | Indicates the account status related to a specific alert. |
| Gem.Threat.alerts.accounts.cloud_provider | String | Cloud provider associated with the alert's account. |
| Gem.Threat.alerts.accounts.display_name | String | Display name of the account related to the alert. |
| Gem.Threat.alerts.accounts.id | Number | Numerical identifier for the account associated with the alert. |
| Gem.Threat.alerts.accounts.identifier | String | Identifier for the account related to the alert. |
| Gem.Threat.alerts.accounts.organization_name | String | Organization name associated with the alert's account. |
| Gem.Threat.alerts.alert_source | String | The source of individual alerts. |
| Gem.Threat.alerts.datetime | Date | The date and time when the alert was generated. |
| Gem.Threat.alerts.description | String | Description of the alert. |
| Gem.Threat.alerts.entities.activity_by_provider | Unknown | Details about activity by the cloud provider in relation to the alert. |
| Gem.Threat.alerts.entities.cloud_provider | String | Cloud provider related to the alert entities. |
| Gem.Threat.alerts.entities.id | String | Unique identifier for the entities related to the alert. |
| Gem.Threat.alerts.entities.is_main_entity | Boolean | Indicates if the entity is the primary subject of the alert. |
| Gem.Threat.alerts.entities.is_secondary_entity | Boolean | Indicates if the entity is a secondary subject of the alert. |
| Gem.Threat.alerts.entities.resource_id | Unknown | Identifier for the resources involved in the alert. |
| Gem.Threat.alerts.entities.type | String | Type of entities involved in the alert. |
| Gem.Threat.alerts.id | String | Unique identifier for the alert. |
| Gem.Threat.alerts.main_alert_id | String | Identifier for the primary alert, if applicable. |
| Gem.Threat.alerts.mitre_techniques.id | String | Identifier for the MITRE ATT&CK technique associated with the alert. |
| Gem.Threat.alerts.mitre_techniques.technique_name | String | Name of the MITRE ATT&CK technique related to the alert. |
| Gem.Threat.alerts.organization_id | String | Identifier for the organization associated with the alert. |
| Gem.Threat.alerts.severity | Number | Numerical representation of the alert's severity. |
| Gem.Threat.alerts.severity_text | String | Textual description of the alert's severity. |
| Gem.Threat.alerts.status | String | Current status of the alert (e.g., open, resolved. in_progress). |
| Gem.Threat.alerts.title | String | Title or summary of the alert. |
| Gem.Threat.alerts.ttp_id | String | Identifier for the tactics, techniques, and procedures (TTP) related to the alert. |
| Gem.Threat.assignees | Unknown | Information about who is assigned to address the threats. |
| Gem.Threat.category | String | Classification or category of the threat. |
| Gem.Threat.datetime | Date | The date and time when the threat was identified or logged. |
| Gem.Threat.description | String | Detailed description of the threat. |
| Gem.Threat.entities.activity_by_provider | Unknown | Details about the activity conducted by the cloud provider in relation to the threat. |
| Gem.Threat.entities.cloud_provider | String | Cloud service provider associated with the entities in the threat. |
| Gem.Threat.entities.id | String | Unique identifier for the entities involved in the threat. |
| Gem.Threat.entities.is_main_entity | Boolean | Indicates if the entity is the primary focus of the threat. |
| Gem.Threat.entities.is_secondary_entity | Boolean | Indicates if the entity plays a secondary role in the context of the threat. |
| Gem.Threat.entities.resource_id | Unknown | Identifier for the resources targeted or involved in the threat. |
| Gem.Threat.entities.type | String | Type or nature of the entities involved in the threat. |
| Gem.Threat.id | String | Unique identifier for the threat list item. |
| Gem.Threat.main_alert_id | String | Main alert identifier related to the threat. |
| Gem.Threat.mitre_techniques.id | String | Identifier for MITRE ATT&CK techniques associated with the threat. |
| Gem.Threat.mitre_techniques.technique_name | String | Name of the MITRE ATT&CK technique associated with the threat. |
| Gem.Threat.organization_id | String | Identifier of the organization associated with the threat. |
| Gem.Threat.severity_text | String | Textual description of the overall severity of the threat. |
| Gem.Threat.status | String | Current status of the threat (e.g., active, resolved). |
| Gem.Threat.title | String | Title or main description of the threat. |
| Gem.Threat.ttp_id | String | Identifier for the tactics, techniques, and procedures (TTP) associated with the threat. |
gem-get-alert-details#
Get details about a specific alert.
Base Command#
gem-get-alert-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert_id | The ID of the alert to get details for. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Gem.Alert.alert_context.account_db_id | String | Database identifier for the account associated with the alert. |
| Gem.Alert.alert_context.alert_id | String | Unique identifier for the alert. |
| Gem.Alert.alert_context.alert_source | String | The source from which the alert originated. |
| Gem.Alert.alert_context.alert_source_id | String | Identifier for the specific source of the alert. |
| Gem.Alert.alert_context.alert_source_url | String | URL associated with the alert source. |
| Gem.Alert.alert_context.cloud_provider | String | The cloud service provider associated with the alert. |
| Gem.Alert.alert_context.created_at | Date | The timestamp when the alert was created. |
| Gem.Alert.alert_context.description | String | Detailed description of the alert. |
| Gem.Alert.alert_context.description_template | String | Template used for generating the alert description. |
| Gem.Alert.alert_context.general_cloud_provider | String | General classification of the cloud provider related to the alert. |
| Gem.Alert.alert_context.mitre_techniques.id | String | Identifier for the MITRE ATT&CK technique associated with the alert. |
| Gem.Alert.alert_context.mitre_techniques.technique_name | String | Name of the MITRE ATT&CK technique related to the alert. |
| Gem.Alert.alert_context.resolved | Boolean | Indicates whether the alert has been resolved. |
| Gem.Alert.alert_context.severity | Number | Numerical representation of the alert's severity. |
| Gem.Alert.alert_context.status | String | Current status of the alert (e.g., open, resolved, in_progress). |
| Gem.Alert.alert_context.timeframe_end | Date | End date and time of the timeframe relevant to the alert. |
| Gem.Alert.alert_context.timeframe_start | Date | Start date and time of the timeframe relevant to the alert. |
| Gem.Alert.alert_context.title | String | Title or main description of the alert. |
| Gem.Alert.alert_context.ttp_id | String | Identifier for the tactics, techniques, and procedures (TTP) related to the alert. |
| Gem.Alert.triage_configuration.analysis | String | Analysis or summary of the triage configuration for the alert. |
| Gem.Alert.triage_configuration.entities.activity_by_provider | String | Activity details by the cloud provider related to the triage entities. |
| Gem.Alert.triage_configuration.entities.cloud_provider | String | Cloud provider associated with the triage entities. |
| Gem.Alert.triage_configuration.entities.id | String | Unique identifier for the entities involved in the triage. |
| Gem.Alert.triage_configuration.entities.is_main_entity | Boolean | Indicates if the entity is the primary focus in the triage. |
| Gem.Alert.triage_configuration.entities.is_secondary_entity | Boolean | Indicates if the entity plays a secondary role in the triage. |
| Gem.Alert.triage_configuration.entities.resource_id | String | Resource identifier associated with the triage entities. |
| Gem.Alert.triage_configuration.entities.type | String | Type or nature of the entities involved in the triage. |
| Gem.Alert.triage_configuration.event_groups.description | String | Description of the event groups involved in the triage. |
| Gem.Alert.triage_configuration.event_groups.end_time | Date | End time for the event groups in the triage. |
| Gem.Alert.triage_configuration.event_groups.error_code | String | Error code associated with the event groups in the triage. |
| Gem.Alert.triage_configuration.event_groups.event_name | String | Name of the specific event within the event group related to the triage. |
| Gem.Alert.triage_configuration.event_groups.event_type | String | Type or category of the event within the event group. |
| Gem.Alert.triage_configuration.event_groups.events | String | Details of the events that are part of the event group in the triage. |
| Gem.Alert.triage_configuration.event_groups.start_time | Date | Start time for the event groups involved in the triage. |
| Gem.Alert.triage_configuration.event_groups.time_indicator_text | String | Textual indicator of the time relevant to the event groups in the triage. |
| Gem.Alert.triage_configuration.event_groups.timeline_item_type | String | Type of timeline item represented by the event groups in the triage. |
| Gem.Alert.triage_configuration.event_groups.title | String | Title or main description of the event groups in the triage. |
| Gem.Alert.triage_configuration.event_groups.type | String | Overall type or classification of the event groups in the triage. |
| Gem.Alert.triage_configuration.resolve_params.include_data_events | Boolean | Indicates whether data events should be included in the resolution process. |
| Gem.Alert.triage_configuration.resolve_params.timeframe_lookup_window_hours | Number | Number of hours in the lookup window for timeframe analysis in the resolution process. |
| Gem.Alert.triage_configuration.state | String | Current state or status of the triage configuration for the alert. |
gem-list-inventory-resources#
List inventory resources in Gem.
Base Command#
gem-list-inventory-resources
Input#
| Argument Name | Description | Required |
|---|---|---|
| limit | The number of items to return. Default is 50. | Optional |
| include_deleted | Include deleted resources in the response. | Optional |
| region | The region of the resources to return. | Optional |
| resource_type | The type of the resources to return. | Optional |
| search | The search query to use. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Gem.InventoryItems.account.account_status | String | Current status of the account associated with the inventory item (e.g., active, suspended). |
| Gem.InventoryItems.account.cloud_provider | String | Name of the cloud service provider for the account associated with the inventory item. |
| Gem.InventoryItems.account.display_name | String | Display name of the account associated with the inventory item. |
| Gem.InventoryItems.account.hierarchy_path | String | Hierarchical path in the account structure associated with the inventory item. |
| Gem.InventoryItems.account.id | Number | Unique numerical identifier for the account associated with the inventory item. |
| Gem.InventoryItems.account.identifier | String | Alternative identifier for the account associated with the inventory item. |
| Gem.InventoryItems.account.organization_name | String | Name of the organization to which the account associated with the inventory item belongs. |
| Gem.InventoryItems.account.tenant | String | Tenant information for the account associated with the inventory item in a multi-tenant environment. |
| Gem.InventoryItems.categories | String | Categories or types assigned to the inventory item. |
| Gem.InventoryItems.created_at | Date | Timestamp indicating when the inventory item was created. |
| Gem.InventoryItems.deleted | Boolean | Indicates whether the inventory item has been marked as deleted. |
| Gem.InventoryItems.external_url | String | URL linking to external information or resources related to the inventory item. |
| Gem.InventoryItems.identifiers.name | String | Name associated with the identifier of the inventory item. |
| Gem.InventoryItems.identifiers.value | String | Value of the identifier assigned to the inventory item. |
| Gem.InventoryItems.region | String | Geographic region associated with the inventory item. |
| Gem.InventoryItems.resource_id | String | Unique identifier for the resource that the inventory item represents. |
| Gem.InventoryItems.resource_type | String | Type of resource that the inventory item represents (e.g., VM, database). |
| Gem.InventoryItems.tags | String | Tags or labels assigned to the inventory item for categorization or identification. |
gem-get-resource-details#
Get details about a specific resource.
Base Command#
gem-get-resource-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| resource_id | The ID of the resource to get details for. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Gem.InventoryItem.account.account_status | String | Current status of the account associated with the inventory item (e.g., active, suspended). |
| Gem.InventoryItem.account.cloud_provider | String | Name of the cloud service provider for the account associated with the inventory item. |
| Gem.InventoryItem.account.display_name | String | Display name of the account associated with the inventory item. |
| Gem.InventoryItem.account.hierarchy_path | String | Hierarchical path in the account structure associated with the inventory item. |
| Gem.InventoryItem.account.id | Number | Unique numerical identifier for the account associated with the inventory item. |
| Gem.InventoryItem.account.identifier | String | Alternative identifier for the account associated with the inventory item. |
| Gem.InventoryItem.account.organization_name | String | Name of the organization to which the account associated with the inventory item belongs. |
| Gem.InventoryItem.account.tenant | String | Tenant information for the account associated with the inventory item in a multi-tenant environment. |
| Gem.InventoryItem.categories | String | Categories or types assigned to the inventory item. |
| Gem.InventoryItem.created_at | Date | Timestamp indicating when the inventory item was created. |
| Gem.InventoryItem.deleted | Boolean | Indicates whether the inventory item has been marked as deleted. |
| Gem.InventoryItem.external_url | String | URL linking to external information or resources related to the inventory item. |
| Gem.InventoryItem.identifiers.name | String | Name associated with the identifier of the inventory item. |
| Gem.InventoryItem.identifiers.value | String | Value of the identifier assigned to the inventory item. |
| Gem.InventoryItem.region | String | Geographic region associated with the inventory item. |
| Gem.InventoryItem.resource_id | String | Unique identifier for the resource that the inventory item represents. |
| Gem.InventoryItem.resource_type | String | Type of resource that the inventory item represents (e.g., VM, database). |
gem-list-ips-by-entity#
List all source IP addresses used by an entity in a specific timeframe. The results are sorted by activity volume.
Base Command#
gem-list-ips-by-entity
Input#
| Argument Name | Description | Required |
|---|---|---|
| entity_id | Gem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg. | Required |
| entity_type | Type of the entity. See documentation for the full options list. | Required |
| read_only | Show read-only events. | Optional |
| start_time | Timeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
| end_time | Timeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Gem.IP.AS_NAME | String | Name of the Autonomous System (AS) associated with the IP address. |
| Gem.IP.AS_NUMBER | String | Number of the Autonomous System (AS) associated with the IP address. |
| Gem.IP.CITY | String | City where the IP address is located. |
| Gem.IP.COUNTRY_CODE | String | Country code corresponding to the location of the IP address. |
| Gem.IP.COUNTRY_NAME | String | Name of the country where the IP address is located. |
| Gem.IP.COUNT_SOURCEIP | String | Count of occurrences or references to the source IP address. |
| Gem.IP.IP_TYPE | String | Type of the IP address (e.g., IPv4, IPv6). |
| Gem.IP.IS_PRIVATE | String | Indicates whether the IP address is private (e.g., within a local network). |
| Gem.IP.LATITUDE | String | Latitude coordinate of the IP address's location. |
| Gem.IP.LONGITUDE | String | Longitude coordinate of the IP address's location. |
| Gem.IP.PROVIDER | String | Internet service provider associated with the IP address. |
| Gem.IP.SOURCEIPADDRESS | String | The actual IP address being referenced or analyzed. |
gem-list-services-by-entity#
List all services accessed by an entity in a specific timeframe. The results are sorted by activity volume.
Base Command#
gem-list-services-by-entity
Input#
| Argument Name | Description | Required |
|---|---|---|
| entity_id | Gem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg. | Required |
| entity_type | Type of the entity. See documentation for the full options list. | Required |
| read_only | Show read-only events. | Optional |
| start_time | Timeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
| end_time | Timeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Gem.Entity.By.Services.COUNT_SERVICE | String | Number of times the specified service appears or is utilized within the context. |
| Gem.Entity.By.Services.SERVICE | String | Name or type of the service being referenced or analyzed. |
gem-list-events-by-entity#
List all events performed by an entity in a specific timeframe. The results are sorted by activity volume.
Base Command#
gem-list-events-by-entity
Input#
| Argument Name | Description | Required |
|---|---|---|
| entity_id | Gem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg. | Required |
| entity_type | Type of the entity. See documentation for the full options list. | Required |
| read_only | Show read-only events. | Optional |
| start_time | Timeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
| end_time | Timeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Gem.Entity.By.Events.EVENTNAME | String | Name of the event being referenced or analyzed. |
| Gem.Entity.By.Events.EVENTNAME_COUNT | String | Count of occurrences or references to the specified event name. |
gem-list-accessing-entities#
List all entities that accessed an entity in a specific timeframe. The results are sorted by activity volume.
Base Command#
gem-list-accessing-entities
Input#
| Argument Name | Description | Required |
|---|---|---|
| entity_id | Gem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg. | Required |
| entity_type | Type of the entity. See documentation for the full options list. | Required |
| read_only | Show read-only events. | Optional |
| start_time | Timeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
| end_time | Timeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Gem.Entity.Accessing.USER_COUNT | String | Number of users accessing or interacting with the entity. |
| Gem.Entity.Accessing.USER_ID | String | Identifier(s) of the user(s) accessing or interacting with the entity. |
gem-list-using-entities#
List all entities that used an entity in a specific timeframe. The results are sorted by activity volume.
Base Command#
gem-list-using-entities
Input#
| Argument Name | Description | Required |
|---|---|---|
| entity_id | Gem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg. | Required |
| entity_type | Type of the entity. See documentation for the full options list. | Required |
| read_only | Show read-only events. | Optional |
| start_time | Timeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
| end_time | Timeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Gem.Entity.Using.ENTITY_COUNT | String | Count of the number of times the entity is used or referenced. |
| Gem.Entity.Using.ENTITY_ID | String | Unique identifier for the entity being used or referenced. |
gem-list-events-on-entity#
List all events performed on an entity in a specific timeframe. The results are sorted by activity volume.
Base Command#
gem-list-events-on-entity
Input#
| Argument Name | Description | Required |
|---|---|---|
| entity_id | Gem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg. | Required |
| entity_type | Type of the entity. See documentation for the full options list. | Required |
| read_only | Show read-only events. | Optional |
| start_time | Timeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
| end_time | Timeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Gem.Entity.On.Events.EVENTNAME | String | Name of the event associated with the entity. |
| Gem.Entity.On.Events.EVENTNAME_COUNT | String | Count of occurrences or instances of the specified event name related to the entity. |
gem-list-accessing-ips#
List all source IP addresses that accessed an entity in a specific timeframe. The results are sorted by activity volume.
Base Command#
gem-list-accessing-ips
Input#
| Argument Name | Description | Required |
|---|---|---|
| entity_id | Gem ID of the entity. This will usually be the ARN or CSP ID. This property is also available for every resource in the Inventory screen. Example: arn:aws:ec2:us-east-1:112233445566:instance/i-1234567890abcdefg. | Required |
| entity_type | Type of the entity. See documentation for the full options list. | Required |
| read_only | Show read-only events. | Optional |
| start_time | Timeframe start (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
| end_time | Timeframe end (ISO format). Examples: 2023-01-01, 2023-01-01T01:01:01Z, 2023-01-01T01:01:01+00:00. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Gem.Entity.Accessing.IPs.AS_NAME | String | Name of the Autonomous System (AS) associated with the IP address accessing the entity. |
| Gem.Entity.Accessing.IPs.AS_NUMBER | String | Number of the Autonomous System (AS) associated with the IP address accessing the entity. |
| Gem.Entity.Accessing.IPs.CITY | String | City where the IP address accessing the entity is located. |
| Gem.Entity.Accessing.IPs.COUNTRY_CODE | String | Country code corresponding to the location of the IP address accessing the entity. |
| Gem.Entity.Accessing.IPs.COUNTRY_NAME | String | Name of the country where the IP address accessing the entity is located. |
| Gem.Entity.Accessing.IPs.COUNT_SOURCEIP | String | Count of occurrences or references to the source IP address accessing the entity. |
| Gem.Entity.Accessing.IPs.IP_TYPE | String | Type of the IP address (e.g., IPv4, IPv6) accessing the entity. |
| Gem.Entity.Accessing.IPs.IS_PRIVATE | String | Indicates whether the IP address accessing the entity is private (e.g., within a local network). |
| Gem.Entity.Accessing.IPs.LATITUDE | String | Latitude coordinate of the IP address's location accessing the entity. |
| Gem.Entity.Accessing.IPs.LONGITUDE | String | Longitude coordinate of the IP address's location accessing the entity. |
| Gem.Entity.Accessing.IPs.PROVIDER | String | Internet service provider associated with the IP address accessing the entity. |
| Gem.Entity.Accessing.IPs.SOURCEIPADDRESS | String | The actual IP address being referenced or analyzed that is accessing the entity. |
gem-update-threat-status#
Set a threat's status to open, in progress or resolved.
Base Command#
gem-update-threat-status
Input#
| Argument Name | Description | Required |
|---|---|---|
| threat_id | The ID of the threat to update. | Required |
| status | The new status of the threat (open, in_progress, resolved). Possible values are: open, in_progress, resolved. | Required |
| verdict | The verdict of the threat. Possible values are: malicious, security_test, planned_action, not_malicious, inconclusive. | Optional |
| reason | The reason for resolving the threat. | Optional |
Context Output#
There is no context output for this command.
gem-run-action#
Run an action on an entity.
Base Command#
gem-run-action
Input#
| Argument Name | Description | Required |
|---|---|---|
| action | The action to run. | Required |
| entity_id | The ID of the entity to run the action on. | Required |
| entity_type | The type of the entity to run the action on. | Required |
| alert_id | The ID of the alert to run the action on. | Required |
| resource_id | The ID of the resource to run the action on. | Required |
Context Output#
There is no context output for this command.
gem-add-timeline-event#
Add a timeline event to a threat.
Base Command#
gem-add-timeline-event
Input#
| Argument Name | Description | Required |
|---|---|---|
| threat_id | The ID of the threat to add the timeline event to. | Required |
| comment | The comment to add to the timeline event. | Required |
Context Output#
There is no context output for this command.