Gurucul-GRA

This is the Gurucul GRA integration, intended as a starting point for learning how to build an integration with Cortex XSOAR. You can check the Design Document of this integration here.

Please make sure you look at the integration source code and comments.

This integration was built to interact with the sample SOAR Gurucul API. To check the API source code, go to GitHub.

Configure Gurucul on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Gurucul.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://soar.monstersofhack.com) | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| max_fetch | Maximum number of incidents per fetch | False |
| apikey | API Key | True |
| threshold_ip | Score threshold for ip reputation command (0-100) | False |
| threshold_domain | Score threshold for domain reputation command (0-100) | False |
| alert_status | Fetch alerts with status (ACTIVE, CLOSED) | False |
| alert_type | Fetch alerts with type | False |
| min_severity | Minimum severity of alerts to fetch | True |
| first_fetch | First fetch time | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

gra-fetch-users


Retrieve List of All Users (Identities)

Base Command

gra-fetch-users

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.Users.firstName | String | First Name. |
| Gra.Users.middleName | String | Middle Name. |
| Gra.Users.lastName | String | Last Name. |
| Gra.Users.employeeId | String | Employee Id. |
| Gra.Users.riskScore | String | Risk Score. |
| Gra.Users.department | String | Department. |
| Gra.Users.email | String | User's email. |
| Gra.Users.phone | String | User's phone no. |
| Gra.Users.location | String | Location. |
| Gra.Users.manager | String | User's manager. |
| Gra.Users.title | String | User's title. |
| Gra.Users.joiningDate | String | Joining Date. |
| Gra.Users.exitDate | String | Exit Date. |

Command Example

!gra-fetch-users page=1 max=25

Context Example

[{
"firstName":"Evan",
"middleName":null,
"lastName":"Todd",
"employeeId":"Galvin.Chavez",
"riskScore":0,
"userRisk":0,
"department":"Legal Department",
"email":"non.magna@gurucul.corp",
"phone":"(598) 457-3271",
"location":"AK",
"manager":"Asher.Byers",
"title":"QA",
"joiningDate":"11/05/2018 05:27:51",
"exitDate":"08/25/2018 14:58:25",
"profilePicturePath":null
}]
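Paging and null handling, as an added example that is not part of the integration's source: the block below walks through results shaped like the gra-fetch-users context output using a constructed stand-in for the command (fake_fetch_page), stops at the first page that comes back short (an assumed termination rule; this page documents only the page and max arguments), tolerates the null fields and the MM/DD/YYYY HH:MM:SS dates seen in the context example, and ranks users by riskScore. SAMPLE_USERS and every function name here are constructed for the example.

```python
"""Page through gra-fetch-users style results and rank them by risk.

Added example; not part of the Gurucul GRA integration. Assumes pages are
1-based and that a page shorter than `max` is the last one.
"""
from datetime import datetime
from typing import Callable, Dict, List, Optional

DATE_FORMAT = "%m/%d/%Y %H:%M:%S"  # format used in the context examples on this page

# Constructed records in the shape of the gra-fetch-users context output.
SAMPLE_USERS: List[Dict] = [
    {"firstName": "Evan", "middleName": None, "lastName": "Todd",
     "employeeId": "Galvin.Chavez", "riskScore": 0, "department": "Legal Department",
     "joiningDate": "11/05/2018 05:27:51", "exitDate": "08/25/2018 14:58:25"},
    {"firstName": "Jonathan", "middleName": None, "lastName": "Osterman01_NN",
     "employeeId": "Jonathan.Osterman01_NN", "riskScore": "88", "department": "IT",
     "joiningDate": "01/01/2017 12:47:00", "exitDate": None},
    {"firstName": "Asher", "middleName": "B", "lastName": "Byers",
     "employeeId": "Asher.Byers", "riskScore": 42, "department": "IT",
     "joiningDate": "bad date", "exitDate": None},
]


def fake_fetch_page(page: int, max_records: int) -> List[Dict]:
    """Stand-in for the gra-fetch-users call: one page of SAMPLE_USERS."""
    start = (page - 1) * max_records
    return SAMPLE_USERS[start:start + max_records]


def fetch_all_users(fetch_page: Callable[[int, int], List[Dict]],
                    max_records: int = 25, page_limit: int = 1000) -> List[Dict]:
    """Collect every page; dedupe on employeeId in case a page is served twice."""
    seen = set()
    users: List[Dict] = []
    for page in range(1, page_limit + 1):
        batch = fetch_page(page, max_records)
        for user in batch:
            key = user.get("employeeId")
            if key in seen:
                continue
            seen.add(key)
            users.append(user)
        if len(batch) < max_records:  # short or empty page: nothing more to read
            break
    return users


def parse_gra_date(value: Optional[str]) -> Optional[datetime]:
    """Parse the MM/DD/YYYY HH:MM:SS format; null or malformed input yields None."""
    if not value:
        return None
    try:
        return datetime.strptime(value, DATE_FORMAT)
    except ValueError:
        return None


def risk_value(user: Dict) -> float:
    """riskScore is documented as String but is numeric in the JSON; accept both."""
    try:
        return float(user.get("riskScore") or 0)
    except (TypeError, ValueError):
        return 0.0


def display_name(user: Dict) -> str:
    """Join the name parts, skipping the nulls the API returns for middleName."""
    parts = [user.get("firstName"), user.get("middleName"), user.get("lastName")]
    return " ".join(p for p in parts if p)


def users_by_risk(users: List[Dict], min_risk: float = 0.0) -> List[Dict]:
    """Users at or above min_risk, highest riskScore first."""
    scored = [u for u in users if risk_value(u) >= min_risk]
    return sorted(scored, key=risk_value, reverse=True)


def has_exited(user: Dict, now: datetime) -> bool:
    """True when exitDate is set and not in the future; a leaver who still
    shows up in the identity feed is worth checking for live accounts."""
    exit_date = parse_gra_date(user.get("exitDate"))
    return exit_date is not None and exit_date <= now


if __name__ == "__main__":
    everyone = fetch_all_users(fake_fetch_page, max_records=2)
    for u in users_by_risk(everyone, min_risk=40):
        print(display_name(u), u["employeeId"], risk_value(u))
```

Run against a real instance by passing a callable that wraps the command; the loop, the date parsing and the ranking do not change.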

gra-fetch-accounts


Retrieve all Accounts Information

Base Command

gra-fetch-accounts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.Accounts.id | Number | Account Id. |
| Gra.Accounts.name | String | Account Name. |
| Gra.Accounts.type | String | Account type. |
| Gra.Accounts.created_on | Date | Created On. |
| Gra.Accounts.department | String | Department. |
| Gra.Accounts.description | String | Description. |
| Gra.Accounts.resource | String | Resource Name. |
| Gra.Accounts.domain | String | Domain. |
| Gra.Accounts.high_risk | String | High Risk. |
| Gra.Accounts.is_orphan | String | Is Orphan. |
| Gra.Accounts.is_reassigned | String | Is Reassigned. |
| Gra.Accounts.risk_score | Number | Risk Score. |
| Gra.Accounts.updated_on | Date | Updated on. |

Command Example

!gra-fetch-accounts page=1 max=25

Context Example

[
{
"id":93,
"name":"Asher.Guthrie",
"type":null,
"created_on":"05/16/2019 06:49:18",
"department":null,
"description":null,
"resource":"Windows Security",
"domain":"in",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}
]

Human Readable Output

Results

gra-fetch-active-resource-accounts


Retrieve List of All Active Accounts for a Given Resource.

Base Command

gra-fetch-active-resource-accounts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_name | Resource Name. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.Active.Resource.Accounts.id | Number | Account Id. |
| Gra.Active.Resource.Accounts.name | String | Account Name. |
| Gra.Active.Resource.Accounts.type | String | Account type. |
| Gra.Active.Resource.Accounts.created_on | Date | Created On. |
| Gra.Active.Resource.Accounts.department | String | Department. |
| Gra.Active.Resource.Accounts.description | String | Description. |
| Gra.Active.Resource.Accounts.resource | String | Resource Name. |
| Gra.Active.Resource.Accounts.domain | String | Domain. |
| Gra.Active.Resource.Accounts.high_risk | String | High Risk. |
| Gra.Active.Resource.Accounts.is_orphan | String | Is Orphan. |
| Gra.Active.Resource.Accounts.is_reassigned | String | Is Reassigned. |
| Gra.Active.Resource.Accounts.risk_score | Number | Risk Score. |
| Gra.Active.Resource.Accounts.updated_on | Date | Updated on. |

Command Example

!gra-fetch-active-resource-accounts resource_name="Linux" page=1 max=25

Context Example

[
{
"id":93,
"name":"Asher.Guthrie",
"type":null,
"created_on":"05/16/2019 06:49:18",
"department":null,
"description":null,
"resource":"Windows Security",
"domain":"in",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}
]

Human Readable Output

gra-fetch-user-accounts


Retrieve List of All Active Accounts and Details for a Given User.

Base Command

gra-fetch-user-accounts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| employee_id | Employee ID. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.User.Accounts.id | Number | User Account Relation Id. |
| Gra.User.Accounts.name | String | Account Name. |
| Gra.User.Accounts.type | String | Account Type. |
| Gra.User.Accounts.created_on | Date | Created On. |
| Gra.User.Accounts.department | String | Department. |
| Gra.User.Accounts.description | String | Description. |
| Gra.User.Accounts.resource | String | Resource Name. |
| Gra.User.Accounts.domain | String | Domain Name. |
| Gra.User.Accounts.high_risk | String | High Risk. |
| Gra.User.Accounts.is_orphan | String | Is Account Orphan. |
| Gra.User.Accounts.is_reassigned | String | Is Account Reassigned. |
| Gra.User.Accounts.risk_score | String | Account Risk Score. |
| Gra.User.Accounts.updated_on | Date | Updated On. |

Command Example

!gra-fetch-user-accounts employee_id="Alec.Holland01_NN" page=1 max=25

Context Example

[{
"id":35,
"name":"Alec.Holland01_NN",
"type":null,
"created_on":"02/09/2018 10:00:00",
"department":null,
"description":null,
"resource":"IPS",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":69,
"updated_on":null
}]

Human Readable Output

gra-fetch-resource-highrisk-accounts


Retrieve High Risk Accounts for a Given Resource

Base Command

gra-fetch-resource-highrisk-accounts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_name | Resource Name. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.Resource.Highrisk.Accounts.id | Number | User Account Relation Id. |
| Gra.Resource.Highrisk.Accounts.name | String | Account Name. |
| Gra.Resource.Highrisk.Accounts.type | String | Account Type. |
| Gra.Resource.Highrisk.Accounts.created_on | Date | Created On. |
| Gra.Resource.Highrisk.Accounts.department | String | Department. |
| Gra.Resource.Highrisk.Accounts.description | String | Description. |
| Gra.Resource.Highrisk.Accounts.resource | String | Resource Name. |
| Gra.Resource.Highrisk.Accounts.domain | String | Domain Name. |
| Gra.Resource.Highrisk.Accounts.high_risk | String | High Risk. |
| Gra.Resource.Highrisk.Accounts.is_orphan | String | Is Account Orphan. |
| Gra.Resource.Highrisk.Accounts.is_reassigned | String | Is Account Reassigned. |
| Gra.Resource.Highrisk.Accounts.risk_score | String | Account Risk Score. |
| Gra.Resource.Highrisk.Accounts.updated_on | Date | Updated On. |

Command Example

!gra-fetch-resource-highrisk-accounts resource_name="Windows Security" page=1 max=25

Context Example

[{
"id":35,
"name":"Alec.Holland01_NN",
"type":null,
"created_on":"02/09/2018 10:00:00",
"department":null,
"description":null,
"resource":"Windows Security",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":69,
"updated_on":null
}]

Human Readable Output

gra-fetch-hpa


Retrieve List of All High Risk Privileged Accounts.

Base Command

gra-fetch-hpa

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.Hpa.id | Number | User Account Relation Id. |
| Gra.Hpa.name | String | Account Name. |
| Gra.Hpa.type | String | Account Type. |
| Gra.Hpa.created_on | Date | Created On. |
| Gra.Hpa.department | String | Department. |
| Gra.Hpa.description | String | Description. |
| Gra.Hpa.resource | String | Resource Name. |
| Gra.Hpa.domain | String | Domain Name. |
| Gra.Hpa.high_risk | String | High Risk. |
| Gra.Hpa.is_orphan | String | Is Account Orphan. |
| Gra.Hpa.is_reassigned | String | Is Account Reassigned. |
| Gra.Hpa.risk_score | String | Account Risk Score. |
| Gra.Hpa.updated_on | Date | Updated On. |

Command Example

!gra-fetch-hpa page=1 max=25

Context Example

{
"id":35,
"name":"Alec.Holland01_NN",
"type":null,
"created_on":"02/09/2018 10:00:00",
"department":null,
"description":null,
"resource":"IPS",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":69,
"updated_on":null
}

Human Readable Output

gra-fetch-resource-hpa


Retrieve all High Privileged Accounts for a Given Resource.

Base Command

gra-fetch-resource-hpa

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_name | Resource Name. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.Resource.Hpa.id | Number | User Account Relation Id. |
| Gra.Resource.Hpa.name | String | Account Name. |
| Gra.Resource.Hpa.type | String | Account Type. |
| Gra.Resource.Hpa.created_on | Date | Created On. |
| Gra.Resource.Hpa.department | String | Department. |
| Gra.Resource.Hpa.description | String | Description. |
| Gra.Resource.Hpa.resource | String | Resource Name. |
| Gra.Resource.Hpa.domain | String | Domain Name. |
| Gra.Resource.Hpa.high_risk | String | High Risk. |
| Gra.Resource.Hpa.is_orphan | String | Is Account Orphan. |
| Gra.Resource.Hpa.is_reassigned | String | Is Account Reassigned. |
| Gra.Resource.Hpa.risk_score | String | Account Risk Score. |
| Gra.Resource.Hpa.updated_on | Date | Updated On. |

Command Example

!gra-fetch-resource-hpa resource_name="Linux" page=1 max=25

Context Example

[{
"id":2,
"name":"Jonathan.Osterman01_NN",
"type":null,
"created_on":"02/09/2017 10:00:00",
"department":null,
"description":null,
"resource":"Linux",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}]

Human Readable Output

gra-fetch-orphan-accounts


Retrieve List of All Orphan / Rogue Accounts.

Base Command

gra-fetch-orphan-accounts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.Orphan.Accounts.id | Number | User Account Relation Id. |
| Gra.Orphan.Accounts.name | String | Account Name. |
| Gra.Orphan.Accounts.type | String | Account Type. |
| Gra.Orphan.Accounts.created_on | Date | Created On. |
| Gra.Orphan.Accounts.department | String | Department. |
| Gra.Orphan.Accounts.description | String | Description. |
| Gra.Orphan.Accounts.resource | String | Resource Name. |
| Gra.Orphan.Accounts.domain | String | Domain Name. |
| Gra.Orphan.Accounts.high_risk | String | High Risk. |
| Gra.Orphan.Accounts.is_orphan | String | Is Account Orphan. |
| Gra.Orphan.Accounts.is_reassigned | String | Is Account Reassigned. |
| Gra.Orphan.Accounts.risk_score | String | Account Risk Score. |
| Gra.Orphan.Accounts.updated_on | Date | Updated On. |

Command Example

!gra-fetch-orphan-accounts page=1 max=25

Context Example

[{
"id":2,
"name":"Jonathan.Osterman01_NN",
"type":null,
"created_on":"02/09/2017 10:00:00",
"department":null,
"description":null,
"resource":"Linux",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}]

Human Readable Output

gra-fetch-resource-orphan-accounts


Retrieve All Orphan / Rogue Accounts for a Given Resource.

Base Command

gra-fetch-resource-orphan-accounts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_name | Resource Name. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.Resource.Orphan.Accounts.id | Number | User Account Relation Id. |
| Gra.Resource.Orphan.Accounts.name | String | Account Name. |
| Gra.Resource.Orphan.Accounts.type | String | Account Type. |
| Gra.Resource.Orphan.Accounts.created_on | Date | Created On. |
| Gra.Resource.Orphan.Accounts.department | String | Department. |
| Gra.Resource.Orphan.Accounts.description | String | Description. |
| Gra.Resource.Orphan.Accounts.resource | String | Resource Name. |
| Gra.Resource.Orphan.Accounts.domain | String | Domain Name. |
| Gra.Resource.Orphan.Accounts.high_risk | String | High Risk. |
| Gra.Resource.Orphan.Accounts.is_orphan | String | Is Account Orphan. |
| Gra.Resource.Orphan.Accounts.is_reassigned | String | Is Account Reassigned. |
| Gra.Resource.Orphan.Accounts.risk_score | String | Account Risk Score. |
| Gra.Resource.Orphan.Accounts.updated_on | Date | Updated On. |

Command Example

!gra-fetch-resource-orphan-accounts resource_name="Windows Security" page=1 max=25

Context Example

[{
"id":2,
"name":"Jonathan.Osterman01_NN",
"type":null,
"created_on":"02/09/2017 10:00:00",
"department":null,
"description":null,
"resource":"Windows Security",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}]
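The account commands above (gra-fetch-hpa, gra-fetch-resource-highrisk-accounts, gra-fetch-orphan-accounts and their per-resource variants) return the same record shape, and one account can appear in several of them. As an added example that is not part of the integration's source, the block below merges such result lists into one entry per (resource, name) with the union of reasons and the highest risk_score seen, which is how an analyst would want them presented before deciding what to look at first. The records in SAMPLE_FINDINGS, the reason labels in COMMAND_REASON and the threshold are constructed for this example; the is_orphan "Yes"/"No" convention and the null fields follow the context examples on this page.

```python
"""Merge account findings from several Gurucul GRA account commands.

Added example; not part of the integration. Record keys follow the
Gra.*.Accounts context paths documented on this page; the data is constructed.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed result lists keyed by the command that produced them.
SAMPLE_FINDINGS: Dict[str, List[Dict]] = {
    "gra-fetch-hpa": [
        {"id": 35, "name": "Alec.Holland01_NN", "resource": "Windows Security",
         "is_orphan": "No", "risk_score": 69},
        {"id": 2, "name": "Jonathan.Osterman01_NN", "resource": "Linux",
         "is_orphan": "No", "risk_score": 0},
    ],
    "gra-fetch-orphan-accounts": [
        {"id": 41, "name": "svc_backup", "resource": "Linux",
         "is_orphan": "Yes", "risk_score": "12"},
        {"id": 2, "name": "Jonathan.Osterman01_NN", "resource": "Linux",
         "is_orphan": "Yes", "risk_score": None},
    ],
    "gra-fetch-resource-highrisk-accounts": [
        {"id": 35, "name": "Alec.Holland01_NN", "resource": "Windows Security",
         "is_orphan": "No", "risk_score": 69},
    ],
}

# Reason label contributed by each command (labels chosen for this example).
COMMAND_REASON = {
    "gra-fetch-hpa": "high-privileged",
    "gra-fetch-resource-hpa": "high-privileged",
    "gra-fetch-orphan-accounts": "orphan",
    "gra-fetch-resource-orphan-accounts": "orphan",
    "gra-fetch-resource-highrisk-accounts": "high-risk",
}


def risk_value(record: Dict) -> float:
    """risk_score is typed String in some outputs and numeric in others;
    coerce either form and treat null or garbage as 0."""
    try:
        return float(record.get("risk_score") or 0)
    except (TypeError, ValueError):
        return 0.0


def flag_set(value) -> bool:
    """GRA boolean-ish fields arrive as "Yes"/"No" strings or null."""
    return str(value or "").strip().lower() in ("yes", "true", "1")


def account_key(record: Dict) -> Tuple[str, str]:
    """Account names repeat across resources, so key on (resource, name)."""
    return (str(record.get("resource") or ""), str(record.get("name") or ""))


def merge_findings(findings: Dict[str, Iterable[Dict]],
                   risk_threshold: float = 50.0) -> List[Dict]:
    """One entry per account: union of reasons, max risk seen, sorted by severity."""
    merged: Dict[Tuple[str, str], Dict] = {}
    for command, records in findings.items():
        reason = COMMAND_REASON.get(command, command)
        for rec in records:
            key = account_key(rec)
            entry = merged.setdefault(key, {
                "name": key[1], "resource": key[0], "risk_score": 0.0, "reasons": set()})
            entry["reasons"].add(reason)
            if flag_set(rec.get("is_orphan")):  # the record itself says orphan
                entry["reasons"].add("orphan")
            entry["risk_score"] = max(entry["risk_score"], risk_value(rec))
    result = []
    for entry in merged.values():
        if entry["risk_score"] >= risk_threshold:
            entry["reasons"].add("risk>=%g" % risk_threshold)
        entry["reasons"] = sorted(entry["reasons"])
        result.append(entry)
    # Most reasons first, then highest risk, then name for a stable order.
    result.sort(key=lambda e: (-len(e["reasons"]), -e["risk_score"], e["name"]))
    return result


if __name__ == "__main__":
    for entry in merge_findings(SAMPLE_FINDINGS):
        print(entry["resource"], entry["name"], entry["risk_score"], entry["reasons"])
```

In an automation the dict values would be the context lists from the respective commands; the merge keys on resource plus name because the id fields are relation ids that differ between commands.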

Human Readable Output

gra-user-activities


Retrieve Activities for a Given User.

Base Command

gra-user-activities

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| employee_id | Employee Id. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.User.Activity.employee_id | String | Employee Id. |
| Gra.User.Activity.account_name | String | Account Name. |
| Gra.User.Activity.resource_name | String | Resource Name. |
| Gra.User.Activity.event_desc | String | Event Description. |
| Gra.User.Activity.event_date | String | Event Date. |
| Gra.User.Activity.risk_score | Number | Risk Score. |

Command Example

!gra-user-activities employee_id="aa17600" page=1 max=25

Context Example

{
"employee_id":"aa17600",
"account_name":null,
"resource_name":"Print",
"event_desc":"Print",
"event_date":"09/02/2019 11:51:14",
"risk_score":0.0
}

Human Readable Output

gra-fetch-users-details


Retrieve Details of a Given User.

Base Command

gra-fetch-users-details

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| employee_id | Employee Id. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.User.firstName | String | First Name. |
| Gra.User.middleName | String | Middle Name. |
| Gra.User.lastName | String | Last Name. |
| Gra.User.employeeId | String | Employee Id. |
| Gra.User.riskScore | String | Risk Score. |
| Gra.User.userRisk | String | User Risk. |
| Gra.User.department | String | Department. |
| Gra.User.email | String | Email. |
| Gra.User.phone | String | Phone. |
| Gra.User.location | String | Location. |
| Gra.User.manager | String | Manager. |
| Gra.User.title | String | Title. |
| Gra.User.joiningDate | String | Joining Date. |
| Gra.User.profilePicturePath | String | Profile Picture Path. |

Command Example

!gra-fetch-users-details employee_id="aa17600"

Context Example

[
{
"firstName":"Jonathan",
"middleName":null,
"lastName":"Osterman01_NN",
"employeeId":"Jonathan.Osterman01_NN",
"riskScore":88,
"userRisk":88,
"department":"IT",
"email":"Jonathan.Osterman@abc.com",
"phone":"(91)-123-4567-890",
"location":"USA",
"manager":"Thor.Odinson01_NN",
"title":"Sr.Developer",
"joiningDate":"01/01/2017 12:47:00",
"exitDate":"12/31/2019 23:47:00",
"profilePicturePath":null
}
]

Human Readable Output

gra-highRisk-users


Retrieve List of All High Risk Users.

Base Command

gra-highRisk-users

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.Highrisk.Users.id | Number | User Id. |
| Gra.Highrisk.Users.name | String | User Name. |
| Gra.Highrisk.Users.type | String | Type. |
| Gra.Highrisk.Users.created_on | Date | Created On. |
| Gra.Highrisk.Users.department | String | Department. |
| Gra.Highrisk.Users.description | String | Description. |
| Gra.Highrisk.Users.resource | String | Resource Name. |
| Gra.Highrisk.Users.domain | String | Domain. |
| Gra.Highrisk.Users.high_risk | String | High Risk. |
| Gra.Highrisk.Users.is_orphan | String | Is Orphan Account. |
| Gra.Highrisk.Users.is_reassigned | String | Is Reassigned. |
| Gra.Highrisk.Users.risk_score | String | Risk Score. |
| Gra.Highrisk.Users.updated_on | Date | Updated On. |

Command Example

!gra-highRisk-users page=1 max=25

Context Example

[
{
"id":188,
"name":"Vitoria Inger",
"type":null,
"created_on":"02/02/2020 10:00:00",
"department":null,
"description":"Mozilla/5.0 (Windows NT) AppleWebKit/534.20 (KHTML, like Gecko) Chrome/11.0.672.2 Safari/534.20",
"resource":"AIX",
"domain":"163.com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":88,
"updated_on":null
}
]

Human Readable Output

gra-cases


Retrieve Cases with a Given Status.

Base Command

gra-cases

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| status | Case Status. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.Cases.entityId | Number | Entity Id. |
| Gra.Cases.entityTypeId | Number | Entity Type Id. |
| Gra.Cases.entity | String | Entity Name. |
| Gra.Cases.caseId | Number | Case Id. |
| Gra.Cases.openDate | Date | Case Open Date. |
| Gra.Cases.ownerId | Number | Owner Id. |
| Gra.Cases.ownerType | String | Owner Type. |
| Gra.Cases.ownerName | String | Owner Name. |
| Gra.Cases.riskDate | Date | Risk Date. |
| Gra.Cases.status | String | Case Status. |

Command Example

!gra-cases status="OPEN" page=1 max=25

Context Example

[
{
"entityId":366,
"entityTypeId":2,
"entity":"Ulises Ellerby",
"caseId":58,
"openDate":"10/13/2020 18:44:06",
"ownerId":1,
"ownerType":"User",
"ownerName":"graadmin",
"riskDate":"10/12/2020 00:00:00",
"status":"Open"
}
]

Human Readable Output

gra-user-anomalies


Retrieve Anomalies for a Given User.

Base Command

gra-user-anomalies

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| employee_id | Employee Id. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Gra.Anomalies.anomaly_name | String | Anomaly Name. |

Command Example

!gra-user-anomalies employee_id="AB1234" page=1 max=25

Context Example

[
{
"anomaly_name":"SOD_role_13oct"
}
]

Human Readable Output