Gurucul-GRA

Gurucul Risk Analytics (GRA) is a data science backed, cloud native platform that predicts, detects and prevents breaches. It ingests and analyzes massive amounts of data from the network, IT systems, cloud platforms, EDR, applications, IoT, HR and much more to give you a comprehensive, contextual view of user and entity behaviors. This integration retrieves the high risk entities identified by GRA (GRA creates a case for each such entity); each fetched entity becomes a corresponding incident in Cortex XSOAR. As part of this integration, workflows can be configured in Cortex XSOAR based on the different commands provided by GRA; these define the actions to be taken on a particular high risk entity based on its Risk Score.

Configure Gurucul on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Gurucul.
  3. Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://soar.monstersofhack.com) | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| max_fetch | Maximum number of incidents per fetch | False |
| apikey | API Key | True |
| threshold_ip | Score threshold for ip reputation command (0-100) | False |
| threshold_domain | Score threshold for domain reputation command (0-100) | False |
| alert_status | Fetch alerts with status (ACTIVE, CLOSED) | False |
| alert_type | Fetch alerts with type | False |
| min_severity | Minimum severity of alerts to fetch | True |
| first_fetch | First fetch time | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

gra-fetch-users#


Retrieve List of All Users (Identities)

Base Command#

gra-fetch-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.Users.firstName | String | First Name. |
| Gra.Users.middleName | String | Middle Name. |
| Gra.Users.lastName | String | Last Name. |
| Gra.Users.employeeId | String | Employee Id. |
| Gra.Users.riskScore | String | Risk Score. |
| Gra.Users.department | String | Department. |
| Gra.Users.email | String | User's email. |
| Gra.Users.phone | String | User's phone no. |
| Gra.Users.location | String | Location. |
| Gra.Users.manager | String | User's manager. |
| Gra.Users.title | String | User's title. |
| Gra.Users.joiningDate | String | Joining Date. |
| Gra.Users.exitDate | String | Exit Date. |

Command Example#

!gra-fetch-users page=1 max=25

Context Example#

[{
"firstName":"Evan",
"middleName":null,
"lastName":"Todd",
"employeeId":"Galvin.Chavez",
"riskScore":0,
"userRisk":0,
"department":"Legal Department",
"email":"non.magna@gurucul.corp",
"phone":"(598) 457-3271",
"location":"AK",
"manager":"Asher.Byers",
"title":"QA",
"joiningDate":"11/05/2018 05:27:51",
"exitDate":"08/25/2018 14:58:25",
"profilePicturePath":null
}]

gra-fetch-accounts#


Retrieve All Accounts Information.

Base Command#

gra-fetch-accounts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.Accounts.id | Number | Account Id. |
| Gra.Accounts.name | String | Account Name. |
| Gra.Accounts.type | String | Account type. |
| Gra.Accounts.created_on | Date | Created On. |
| Gra.Accounts.department | String | Department. |
| Gra.Accounts.description | String | Description. |
| Gra.Accounts.resource | String | Resource Name. |
| Gra.Accounts.domain | String | Domain. |
| Gra.Accounts.high_risk | String | High Risk. |
| Gra.Accounts.is_orphan | String | Is Orphan. |
| Gra.Accounts.is_reassigned | String | Is Reassigned. |
| Gra.Accounts.risk_score | Number | Risk Score. |
| Gra.Accounts.updated_on | Date | Updated On. |

Command Example#

!gra-fetch-accounts page=1 max=25

Context Example#

[
{
"id":93,
"name":"Asher.Guthrie",
"type":null,
"created_on":"05/16/2019 06:49:18",
"department":null,
"description":null,
"resource":"Windows Security",
"domain":"in",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}
]

Human Readable Output#


gra-fetch-active-resource-accounts#


Retrieve List of All Active Accounts for a Given Resource.

Base Command#

gra-fetch-active-resource-accounts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_name | Resource Name. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.Active.Resource.Accounts.id | Number | Account Id. |
| Gra.Active.Resource.Accounts.name | String | Account Name. |
| Gra.Active.Resource.Accounts.type | String | Account type. |
| Gra.Active.Resource.Accounts.created_on | Date | Created On. |
| Gra.Active.Resource.Accounts.department | String | Department. |
| Gra.Active.Resource.Accounts.description | String | Description. |
| Gra.Active.Resource.Accounts.resource | String | Resource Name. |
| Gra.Active.Resource.Accounts.domain | String | Domain. |
| Gra.Active.Resource.Accounts.high_risk | String | High Risk. |
| Gra.Active.Resource.Accounts.is_orphan | String | Is Orphan. |
| Gra.Active.Resource.Accounts.is_reassigned | String | Is Reassigned. |
| Gra.Active.Resource.Accounts.risk_score | Number | Risk Score. |
| Gra.Active.Resource.Accounts.updated_on | Date | Updated On. |

Command Example#

!gra-fetch-active-resource-accounts resource_name="Linux" page=1 max=25

Context Example#

[
{
"id":93,
"name":"Asher.Guthrie",
"type":null,
"created_on":"05/16/2019 06:49:18",
"department":null,
"description":null,
"resource":"Windows Security",
"domain":"in",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}
]

Human Readable Output#

gra-fetch-user-accounts#


Retrieve List of All Active Accounts and Details for a Given User.

Base Command#

gra-fetch-user-accounts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| employee_id | Employee ID. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.User.Accounts.id | Number | User Account Relation Id. |
| Gra.User.Accounts.name | String | Account Name. |
| Gra.User.Accounts.type | String | Account Type. |
| Gra.User.Accounts.created_on | Date | Created On. |
| Gra.User.Accounts.department | String | Department. |
| Gra.User.Accounts.description | String | Description. |
| Gra.User.Accounts.resource | String | Resource Name. |
| Gra.User.Accounts.domain | String | Domain Name. |
| Gra.User.Accounts.high_risk | String | High Risk. |
| Gra.User.Accounts.is_orphan | String | Is Account Orphan. |
| Gra.User.Accounts.is_reassigned | String | Is Account Reassigned. |
| Gra.User.Accounts.risk_score | String | Account Risk Score. |
| Gra.User.Accounts.updated_on | Date | Updated On. |

Command Example#

!gra-fetch-user-accounts employee_id="Alec.Holland01_NN" page=1 max=25

Context Example#

[{
"id":35,
"name":"Alec.Holland01_NN",
"type":null,
"created_on":"02/09/2018 10:00:00",
"department":null,
"description":null,
"resource":"IPS",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":69,
"updated_on":null
}]

Human Readable Output#

gra-fetch-resource-highrisk-accounts#


Retrieve High Risk Accounts for a Given Resource

Base Command#

gra-fetch-resource-highrisk-accounts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_name | Resource Name. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.Resource.Highrisk.Accounts.id | Number | User Account Relation Id. |
| Gra.Resource.Highrisk.Accounts.name | String | Account Name. |
| Gra.Resource.Highrisk.Accounts.type | String | Account Type. |
| Gra.Resource.Highrisk.Accounts.created_on | Date | Created On. |
| Gra.Resource.Highrisk.Accounts.department | String | Department. |
| Gra.Resource.Highrisk.Accounts.description | String | Description. |
| Gra.Resource.Highrisk.Accounts.resource | String | Resource Name. |
| Gra.Resource.Highrisk.Accounts.domain | String | Domain Name. |
| Gra.Resource.Highrisk.Accounts.high_risk | String | High Risk. |
| Gra.Resource.Highrisk.Accounts.is_orphan | String | Is Account Orphan. |
| Gra.Resource.Highrisk.Accounts.is_reassigned | String | Is Account Reassigned. |
| Gra.Resource.Highrisk.Accounts.risk_score | String | Account Risk Score. |
| Gra.Resource.Highrisk.Accounts.updated_on | Date | Updated On. |

Command Example#

!gra-fetch-resource-highrisk-accounts resource_name="Windows Security" page=1 max=25

Context Example#

[{
"id":35,
"name":"Alec.Holland01_NN",
"type":null,
"created_on":"02/09/2018 10:00:00",
"department":null,
"description":null,
"resource":"Windows Security",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":69,
"updated_on":null
}]

Human Readable Output#

gra-fetch-hpa#


Retrieve List of All High Risk Privileged Accounts.

Base Command#

gra-fetch-hpa

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.Hpa.id | Number | User Account Relation Id. |
| Gra.Hpa.name | String | Account Name. |
| Gra.Hpa.type | String | Account Type. |
| Gra.Hpa.created_on | Date | Created On. |
| Gra.Hpa.department | String | Department. |
| Gra.Hpa.description | String | Description. |
| Gra.Hpa.resource | String | Resource Name. |
| Gra.Hpa.domain | String | Domain Name. |
| Gra.Hpa.high_risk | String | High Risk. |
| Gra.Hpa.is_orphan | String | Is Account Orphan. |
| Gra.Hpa.is_reassigned | String | Is Account Reassigned. |
| Gra.Hpa.risk_score | String | Account Risk Score. |
| Gra.Hpa.updated_on | Date | Updated On. |

Command Example#

!gra-fetch-hpa page=1 max=25

Context Example#

{
"id":35,
"name":"Alec.Holland01_NN",
"type":null,
"created_on":"02/09/2018 10:00:00",
"department":null,
"description":null,
"resource":"IPS",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":69,
"updated_on":null
}

Human Readable Output#


gra-fetch-resource-hpa#


Retrieve all High Privileged Accounts for a Given Resource.

Base Command#

gra-fetch-resource-hpa

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_name | Resource Name. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.Resource.Hpa.id | Number | User Account Relation Id. |
| Gra.Resource.Hpa.name | String | Account Name. |
| Gra.Resource.Hpa.type | String | Account Type. |
| Gra.Resource.Hpa.created_on | Date | Created On. |
| Gra.Resource.Hpa.department | String | Department. |
| Gra.Resource.Hpa.description | String | Description. |
| Gra.Resource.Hpa.resource | String | Resource Name. |
| Gra.Resource.Hpa.domain | String | Domain Name. |
| Gra.Resource.Hpa.high_risk | String | High Risk. |
| Gra.Resource.Hpa.is_orphan | String | Is Account Orphan. |
| Gra.Resource.Hpa.is_reassigned | String | Is Account Reassigned. |
| Gra.Resource.Hpa.risk_score | String | Account Risk Score. |
| Gra.Resource.Hpa.updated_on | Date | Updated On. |

Command Example#

!gra-fetch-resource-hpa resource_name="Linux" page=1 max=25

Context Example#

[{
"id":2,
"name":"Jonathan.Osterman01_NN",
"type":null,
"created_on":"02/09/2017 10:00:00",
"department":null,
"description":null,
"resource":"Linux",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}]

Human Readable Output#

gra-fetch-orphan-accounts#


Retrieve List of All Orphan / Rogue Accounts.

Base Command#

gra-fetch-orphan-accounts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.Orphan.Accounts.id | Number | User Account Relation Id. |
| Gra.Orphan.Accounts.name | String | Account Name. |
| Gra.Orphan.Accounts.type | String | Account Type. |
| Gra.Orphan.Accounts.created_on | Date | Created On. |
| Gra.Orphan.Accounts.department | String | Department. |
| Gra.Orphan.Accounts.description | String | Description. |
| Gra.Orphan.Accounts.resource | String | Resource Name. |
| Gra.Orphan.Accounts.domain | String | Domain Name. |
| Gra.Orphan.Accounts.high_risk | String | High Risk. |
| Gra.Orphan.Accounts.is_orphan | String | Is Account Orphan. |
| Gra.Orphan.Accounts.is_reassigned | String | Is Account Reassigned. |
| Gra.Orphan.Accounts.risk_score | String | Account Risk Score. |
| Gra.Orphan.Accounts.updated_on | Date | Updated On. |

Command Example#

!gra-fetch-orphan-accounts page=1 max=25

Context Example#

[{
"id":2,
"name":"Jonathan.Osterman01_NN",
"type":null,
"created_on":"02/09/2017 10:00:00",
"department":null,
"description":null,
"resource":"Linux",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}]

Human Readable Output#

gra-fetch-resource-orphan-accounts#


Retrieve All Orphan / Rogue Accounts for a Given Resource.

Base Command#

gra-fetch-resource-orphan-accounts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_name | Resource Name. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.Resource.Orphan.Accounts.id | Number | User Account Relation Id. |
| Gra.Resource.Orphan.Accounts.name | String | Account Name. |
| Gra.Resource.Orphan.Accounts.type | String | Account Type. |
| Gra.Resource.Orphan.Accounts.created_on | Date | Created On. |
| Gra.Resource.Orphan.Accounts.department | String | Department. |
| Gra.Resource.Orphan.Accounts.description | String | Description. |
| Gra.Resource.Orphan.Accounts.resource | String | Resource Name. |
| Gra.Resource.Orphan.Accounts.domain | String | Domain Name. |
| Gra.Resource.Orphan.Accounts.high_risk | String | High Risk. |
| Gra.Resource.Orphan.Accounts.is_orphan | String | Is Account Orphan. |
| Gra.Resource.Orphan.Accounts.is_reassigned | String | Is Account Reassigned. |
| Gra.Resource.Orphan.Accounts.risk_score | String | Account Risk Score. |
| Gra.Resource.Orphan.Accounts.updated_on | Date | Updated On. |

Command Example#

!gra-fetch-resource-orphan-accounts resource_name="Windows Security" page=1 max=25

Context Example#

[{
"id":2,
"name":"Jonathan.Osterman01_NN",
"type":null,
"created_on":"02/09/2017 10:00:00",
"department":null,
"description":null,
"resource":"Windows Security",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}]

Human Readable Output#


gra-user-activities#


Retrieve List of All Activities for a Given User.

Base Command#

gra-user-activities

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| employee_id | Employee Id. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.User.Activity.employee_id | String | Employee Id. |
| Gra.User.Activity.account_name | String | Account Name. |
| Gra.User.Activity.resource_name | String | Resource Name. |
| Gra.User.Activity.event_desc | String | Event Description. |
| Gra.User.Activity.event_date | String | Event Date. |
| Gra.User.Activity.risk_score | Number | Risk Score. |

Command Example#

!gra-user-activities employee_id="aa17600" page=1 max=25

Context Example#

{
"employee_id":"aa17600",
"account_name":null,
"resource_name":"Print",
"event_desc":"Print",
"event_date":"09/02/2019 11:51:14",
"risk_score":0.0
}

Human Readable Output#

gra-fetch-users-details#


get details of the user.

Base Command#

gra-fetch-users-details

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| employee_id | Employee Id. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.User.firstName | String | First Name. |
| Gra.User.middleName | String | Middle Name. |
| Gra.User.lastName | String | Last Name. |
| Gra.User.employeeId | String | Employee Id. |
| Gra.User.riskScore | String | Risk Score. |
| Gra.User.userRisk | String | User Risk. |
| Gra.User.department | String | Department. |
| Gra.User.email | String | Email. |
| Gra.User.phone | String | Phone. |
| Gra.User.location | String | Location. |
| Gra.User.manager | String | Manager. |
| Gra.User.title | String | Title. |
| Gra.User.joiningDate | String | Joining Date. |
| Gra.User.profilePicturePath | String | Profile Picture Path. |

Command Example#

!gra-fetch-users-details employee_id="Jonathan.Osterman01_NN"

Context Example#

[
{
"firstName":"Jonathan",
"middleName":null,
"lastName":"Osterman01_NN",
"employeeId":"Jonathan.Osterman01_NN",
"riskScore":88,
"userRisk":88,
"department":"IT",
"email":"Jonathan.Osterman@abc.com",
"phone":"(91)-123-4567-890",
"location":"USA",
"manager":"Thor.Odinson01_NN",
"title":"Sr.Developer",
"joiningDate":"01/01/2017 12:47:00",
"exitDate":"12/31/2019 23:47:00",
"profilePicturePath":null
}
]

Human Readable Output#

gra-highRisk-users#


Retrieve List of All High Risk Users.

Base Command#

gra-highRisk-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.Highrisk.Users.id | Number | User Id. |
| Gra.Highrisk.Users.name | String | User Name. |
| Gra.Highrisk.Users.type | String | Type. |
| Gra.Highrisk.Users.created_on | Date | Created On. |
| Gra.Highrisk.Users.department | String | Department. |
| Gra.Highrisk.Users.description | String | Description. |
| Gra.Highrisk.Users.resource | String | Resource Name. |
| Gra.Highrisk.Users.domain | String | Domain. |
| Gra.Highrisk.Users.high_risk | String | High Risk. |
| Gra.Highrisk.Users.is_orphan | String | Is Orphan Account. |
| Gra.Highrisk.Users.is_reassigned | String | Is Reassigned. |
| Gra.Highrisk.Users.risk_score | String | Risk Score. |
| Gra.Highrisk.Users.updated_on | Date | Updated On. |

Command Example#

!gra-highRisk-users page=1 max=25

Context Example#

[
{
"id":188,
"name":"Vitoria Inger",
"type":null,
"created_on":"02/02/2020 10:00:00",
"department":null,
"description":"Mozilla/5.0 (Windows NT) AppleWebKit/534.20 (KHTML, like Gecko) Chrome/11.0.672.2 Safari/534.20",
"resource":"AIX",
"domain":"163.com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":88,
"updated_on":null
}
]

Human Readable Output#
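The commands above all page through their results with `page` and `max`, and the introduction says playbooks act on an entity according to its Risk Score. The following added example (not code from the Gurucul GRA pack) shows both pieces together: a generic page walker that stops on a short or empty page, a risk-score to XSOAR-severity mapping, and a per-entity action plan. The records, the `sample_page_fetch` backend and the severity cut-offs are constructed for this example; only the field names come from the `gra-highRisk-users` context output.

```python
# Added example (not the Gurucul GRA pack's own code): walk the paged output
# of a command such as gra-highRisk-users with page/max, map GRA risk scores
# to XSOAR severities, and decide a playbook action per entity.
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed sample records, modelled on the gra-highRisk-users context
# example on this page; only the fields this example uses are included.
SAMPLE_HIGHRISK_USERS: List[Dict] = [
    {"id": 188, "name": "Vitoria Inger", "resource": "AIX", "risk_score": 88, "is_orphan": "No"},
    {"id": 189, "name": "sample.user2", "resource": "Linux", "risk_score": 55, "is_orphan": "Yes"},
    {"id": 190, "name": "sample.user3", "resource": "Windows Security", "risk_score": 20, "is_orphan": "No"},
    {"id": 191, "name": "sample.user4", "resource": "IPS", "risk_score": 95, "is_orphan": "No"},
    {"id": 192, "name": "sample.user5", "resource": "AIX", "risk_score": 0, "is_orphan": "No"},
]


def sample_page_fetch(page: int, max_records: int) -> List[Dict]:
    """Hypothetical stand-in for running `!gra-highRisk-users page=<page> max=<max>`
    against a local list; GRA pages are assumed to be 1-based."""
    start = (page - 1) * max_records
    return SAMPLE_HIGHRISK_USERS[start:start + max_records]


def iterate_pages(fetch: Callable[[int, int], List[Dict]],
                  max_records: int = 25, page_limit: int = 1000) -> Iterator[Dict]:
    """Yield records from page 1 onwards until a short or empty page comes back.
    page_limit caps the loop so a misbehaving endpoint cannot make a fetch run
    spin forever."""
    for page in range(1, page_limit + 1):
        batch = fetch(page, max_records)
        yield from batch
        if len(batch) < max_records:
            return


def risk_to_severity(risk_score: float) -> int:
    """Map a 0-100 GRA risk score to an XSOAR severity level
    (1 Low, 2 Medium, 3 High, 4 Critical). The cut-offs are assumptions chosen
    for this example, not thresholds defined by GRA."""
    if risk_score >= 90:
        return 4
    if risk_score >= 70:
        return 3
    if risk_score >= 40:
        return 2
    return 1


def plan_actions(records: List[Dict], open_case_at: int = 3) -> List[Tuple[str, int, str]]:
    """Return (name, severity, action) per entity: High/Critical entities get a
    case opened, orphan accounts below that bar go to an ownership review, and
    everything else is only monitored."""
    plan = []
    for rec in records:
        severity = risk_to_severity(float(rec.get("risk_score") or 0))
        if severity >= open_case_at:
            action = "open_case"
        elif str(rec.get("is_orphan", "")).lower() == "yes":
            action = "review_ownership"
        else:
            action = "monitor"
        plan.append((rec["name"], severity, action))
    return plan


if __name__ == "__main__":
    # max_records=2 forces three page fetches over the five sample records.
    records = list(iterate_pages(sample_page_fetch, max_records=2))
    for name, severity, action in plan_actions(records):
        print(f"{name:<16} severity={severity} action={action}")
```

In a real automation `sample_page_fetch` would be replaced by a call that runs the command and reads the `Gra.Highrisk.Users` context; the stop condition (a page shorter than `max`) and the page cap are what keep a fetch bounded when the platform returns more than expected.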

gra-cases#


Retrieve Cases with a Given Status.

Base Command#

gra-cases

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| status | Case Status. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.Cases.entityId | Number | Entity Id. |
| Gra.Cases.entityTypeId | Number | Entity Type Id. |
| Gra.Cases.entity | String | Entity Name. |
| Gra.Cases.caseId | Number | Case Id. |
| Gra.Cases.openDate | Date | Case Open Date. |
| Gra.Cases.ownerId | Number | Owner Id. |
| Gra.Cases.ownerType | String | Owner Type. |
| Gra.Cases.ownerName | String | Owner Name. |
| Gra.Cases.riskDate | Date | Risk Date. |
| Gra.Cases.status | String | Case Status. |

Command Example#

!gra-cases status="OPEN" page=1 max=25

Context Example#

[
{
"entityId":366,
"entityTypeId":2,
"entity":"Ulises Ellerby",
"caseId":58,
"openDate":"10/13/2020 18:44:06",
"ownerId":1,
"ownerType":"User",
"ownerName":"graadmin",
"riskDate":"10/12/2020 00:00:00",
"status":"Open"
}
]

Human Readable Output#
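The introduction says each high risk entity's GRA case becomes a Cortex XSOAR incident, and the instance has `max_fetch` and `first_fetch` parameters. The added example below (not code from the Gurucul GRA pack) shows how `gra-cases` records can be turned into fetch-incidents output: it parses the `MM/DD/YYYY HH:MM:SS` timestamps seen in the context examples, takes the oldest eligible cases first up to `max_fetch`, and carries last-run state so a case is never created twice, including when several cases share the newest `openDate`. The sample cases, the UTC assumption for GRA timestamps and the last-run layout (`last_open_date`, `seen_case_ids`) are constructed for this example.

```python
# Added example (not the Gurucul GRA pack's own code): turn gra-cases records
# into XSOAR incidents for a fetch-incidents run, parsing GRA's MM/DD/YYYY
# timestamps, honouring max_fetch and keeping last-run state so that a case
# is never fetched twice.
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Date layout as it appears in the context examples on this page (MM/DD/YYYY).
GRA_DATE_FORMAT = "%m/%d/%Y %H:%M:%S"

# Constructed value standing in for the instance's first_fetch parameter.
FIRST_FETCH = datetime(2020, 10, 12, tzinfo=timezone.utc)

# Constructed sample records, modelled on the gra-cases context example above.
SAMPLE_CASES: List[Dict] = [
    {"entityId": 366, "entityTypeId": 2, "entity": "Ulises Ellerby", "caseId": 58,
     "openDate": "10/13/2020 18:44:06", "ownerId": 1, "ownerType": "User",
     "ownerName": "graadmin", "riskDate": "10/12/2020 00:00:00", "status": "Open"},
    {"entityId": 367, "entityTypeId": 2, "entity": "Sample Entity", "caseId": 59,
     "openDate": "10/13/2020 19:02:10", "ownerId": 1, "ownerType": "User",
     "ownerName": "graadmin", "riskDate": "10/13/2020 00:00:00", "status": "Open"},
    {"entityId": 300, "entityTypeId": 2, "entity": "Old Entity", "caseId": 57,
     "openDate": "10/11/2020 08:00:00", "ownerId": 1, "ownerType": "User",
     "ownerName": "graadmin", "riskDate": "10/10/2020 00:00:00", "status": "Open"},
]


def parse_gra_date(value: str) -> datetime:
    """Parse a GRA timestamp; the server's clock is assumed to be UTC."""
    return datetime.strptime(value, GRA_DATE_FORMAT).replace(tzinfo=timezone.utc)


def case_to_incident(case: Dict) -> Dict:
    """Build the incident dict XSOAR's fetch-incidents expects (name, occurred,
    rawJSON); openDate becomes the ISO 8601 'occurred' time."""
    return {
        "name": f"GRA case {case['caseId']}: {case['entity']}",
        "occurred": parse_gra_date(case["openDate"]).isoformat(),
        "rawJSON": json.dumps(case),
    }


def fetch_incidents(cases: List[Dict], last_run: Dict, first_fetch: datetime,
                    max_fetch: int = 50) -> Tuple[List[Dict], Dict]:
    """Select cases opened at or after the last-run time, oldest first, capped at
    max_fetch. Case ids that share the newest openDate are stored in
    seen_case_ids so the next run (which starts at that same time) skips them
    while still picking up later cases with an identical timestamp."""
    since = (datetime.fromisoformat(last_run["last_open_date"])
             if last_run.get("last_open_date") else first_fetch)
    seen = set(last_run.get("seen_case_ids", []))

    candidates = sorted(
        (c for c in cases
         if parse_gra_date(c["openDate"]) >= since and c["caseId"] not in seen),
        key=lambda c: (parse_gra_date(c["openDate"]), c["caseId"]),
    )[:max_fetch]

    if not candidates:
        return [], last_run

    newest = parse_gra_date(candidates[-1]["openDate"])
    seen_now = {c["caseId"] for c in candidates
                if parse_gra_date(c["openDate"]) == newest}
    if newest == since:
        seen_now |= seen  # same boundary time: keep the earlier ids too
    new_last_run = {"last_open_date": newest.isoformat(),
                    "seen_case_ids": sorted(seen_now)}
    return [case_to_incident(c) for c in candidates], new_last_run


if __name__ == "__main__":
    incidents, state = fetch_incidents(SAMPLE_CASES, {}, FIRST_FETCH)
    print(len(incidents), "incident(s); next run state:", state)
```

The `status` argument of `gra-cases` would normally be `"OPEN"` for this kind of polling; the last-run logic above is what matters when `max_fetch` truncates a batch, because the next run resumes from the newest case actually returned rather than from the wall clock.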

gra-user-anomalies#


Retrieve Anomalies for a Given User.

Base Command#

gra-user-anomalies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| employee_id | Employee Id. | Required |
| page | Page no. | Optional |
| max | Per page record count | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gra.User.Anomalies.anomaly_name | String | Anomaly Name. |

Command Example#

!gra-user-anomalies employee_id="AB1234" page=1 max=25

Context Example#

[
{
"anomaly_name":"SOD_role_13oct"
}
]

Human Readable Output#