Skip to main content

Gurucul-GRA

This Integration is part of the Gurucul Risk Analytics Pack.#

Gurucul Risk Analytics (GRA) is a data science backed cloud native platform that predicts, detects and prevents breaches. It ingests and analyzes massive amounts of data from the network, IT systems, cloud platforms, EDR, applications, IoT, HR and much more to give you a comprehensive contextual view of user and entity behaviors This Integration facilitates retrieval of High Risk Entities identified by GRA by creating a case for each entity within GRA. These high risk entities are fetched in Cortex XSOAR and a corresponding incident is created for each entity in Cortex XSOAR. As a part of this integration, workflows can be configured at Cortex XSOAR based on different commands provided by GRA. These will define the actions to be taken on a particular high risk entity based on the Risk Score.

Please make sure you look at the integration source code and comments.

Configure Gurucul on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Gurucul.
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
urlServer URL (e.g. https://soar.monstersofhack.com)True
isFetchFetch incidentsFalse
incidentTypeIncident typeFalse
max_fetchMaximum number of incidents per fetchFalse
fetch_incident_casesFetch Incident CasesFalse
apikeyAPI KeyTrue
threshold_ipScore threshold for ip reputation command (0-100)False
threshold_domainScore threshold for domain reputation command (0-100)False
alert_statusFetch alerts with status (ACTIVE, CLOSED)False
alert_typeFetch alerts with typeFalse
min_severityMinimum severity of alerts to fetchTrue
first_fetchFirst fetch timeFalse
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
  1. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

gra-fetch-users#


Retrieve List of All Users (Identities)

Base Command#

gra-fetch-users

Input#

Argument NameDescriptionRequired
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.Users.firstNameStringFirst Name.
Gra.Users.middleNameStringMiddle Name.
Gra.Users.lastNameStringLast Name.
Gra.Users.employeeIdStringEmployee Name.
Gra.Users.riskScoreStringRisk Name.
Gra.Users.departmentStringDepartment.
Gra.Users.emailStringUsers email.
Gra.Users.phoneStringUsers Phone no.
Gra.Users.locationStringLocation.
Gra.Users.managerStringUsers Manager.
Gra.Users.titleStringUsers title.
Gra.Users.joiningDateStringJoining Date.
Gra.Users.exitDateStringExit Date.
Gra.Users.userRiskStringUser Risk.

Command Example#

!gra-fetch-users page=1 max=25

Context Example#

[{
"firstName":"Evan",
"middleName":null,
"lastName":"Todd",
"employeeId":"Galvin.Chavez",
"riskScore":0,
"userRisk":0,
"department":"Legal Department",
"email":"non.magna@gurucul.corp",
"phone":"(598) 457-3271",
"location":"AK",
"manager":"Asher.Byers",
"title":"QA",
"joiningDate":"11/05/2018 05:27:51",
"exitDate":"08/25/2018 14:58:25",
"profilePicturePath":null
}]

Base Command#

gra-fetch-accounts


Retrieve all Accounts Information

Input#

Argument NameDescriptionRequired
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.Accounts.idNumberAccount Id.
Gra.Accounts.nameStringAccount Name.
Gra.Accounts.typeStringAccount type.
Gra.Accounts.created_onDateCreated On.
Gra.Accounts.departmentStringDepartment.
Gra.Accounts.descriptionStringDescription.
Gra.Accounts.resourceStringResource Name.
Gra.Accounts.domainStringDomain.
Gra.Accounts.high_riskStringHigh Risk.
Gra.Accounts.is_orphanStringIs Orphan.
Gra.Accounts.is_reassignedStringIs Reassigned.
Gra.Accounts.risk_scoreNumberRisk Score.
Gra.Accounts.updated_onDateUpdated on.

Command Example#

!gra-fetch-accounts page=1 max=25

Context Example#

[
{
"id":93,
"name":"Asher.Guthrie",
"type":null,
"created_on":"05/16/2019 06:49:18",
"department":null,
"description":null,
"resource":"Windows Security",
"domain":"in",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}
]

Human Readable Output#

Results#

gra-fetch-active-resource-accounts#


Retrieve List of All Active Accounts for a Given Resource.

Base Command#

!gra-fetch-active-resource-accounts

Input#

Argument NameDescriptionRequired
resource_nameResource Name.Required
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.Active.Resource.Accounts.idNumberAccount Id.
Gra.Active.Resource.Accounts.nameStringAccount Name.
Gra.Active.Resource.Accounts.typeStringAccount type.
Gra.Active.Resource.Accounts.created_onDateCreated On.
Gra.Active.Resource.Accounts.departmentStringDepartment.
Gra.Active.Resource.Accounts.descriptionStringDescription.
Gra.Active.Resource.Accounts.resourceStringResource Name.
Gra.Active.Resource.Accounts.domainStringDomain.
Gra.Active.Resource.Accounts.high_riskStringHigh Risk.
Gra.Active.Resource.Accounts.is_orphanStringIs Orphan.
Gra.Active.Resource.Accounts.is_reassignedStringIs Reassigned.
Gra.Active.Resource.Accounts.risk_scoreNumberRisk Score.
Gra.Active.Resource.Accounts.updated_onDateUpdated on.

Command Example#

!gra-fetch-active-resource-accounts resource_name="Linux" page=1 max=25

Context Example#

[
{
"id":93,
"name":"Asher.Guthrie",
"type":null,
"created_on":"05/16/2019 06:49:18",
"department":null,
"description":null,
"resource":"Windows Security",
"domain":"in",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}
]

Human Readable Output#

gra-fetch-user-accounts#


Retrieve List of All Active Accounts and Details for a Given User.

Base Command#

gra-fetch-user-accounts

Input#

Argument NameDescriptionRequired
employee_idEmployee ID.Required
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.User.Accounts.idNumberUser Account Relation Id .
Gra.User.Accounts.nameStringAccount Name.
Gra.User.Accounts.typeStringAccount Type.
Gra.User.Accounts.created_onDateCreated On.
Gra.User.Accounts.departmentStringDepartment.
Gra.User.Accounts.descriptionStringDescription.
Gra.User.Accounts.resourceStringResource Name.
Gra.User.Accounts.domainStringDomain Name.
Gra.User.Accounts.high_riskStringHigh Risk.
Gra.User.Accounts.is_orphanStringIs Account Orphan.
Gra.User.Accounts.is_reassignedStringIs account Reassigned.
Gra.User.Accounts.risk_scoreStringAccount Risk Score.
Gra.User.Accounts.updated_onDateUpdated On.

Command Example#

!gra-fetch-user-accounts employee_id="Alec.Holland01_NN" page=1 max=25

Context Example#

[{
"id":35,
"name":"Alec.Holland01_NN",
"type":null,
"created_on":"02/09/2018 10:00:00",
"department":null,
"description":null,
"resource":"IPS",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":69,
"updated_on":null
}]

Human Readable Output#

gra-fetch-resource-highrisk-accounts#


Retrieve High Risk Accounts for a Given Resource

Base Command#

gra-fetch-resource-highrisk-accounts

Input#

Argument NameDescriptionRequired
resource_nameResource Name.Required
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.Resource.Highrisk.Accounts.idNumberUser Account Relation Id .
Gra.Resource.Highrisk.Accounts.nameStringAccount Name.
Gra.Resource.Highrisk.Accounts.typeStringAccount Type.
Gra.Resource.Highrisk.Accounts.created_onDateCreated On.
Gra.Resource.Highrisk.Accounts.departmentStringDepartment.
Gra.Resource.Highrisk.Accounts.descriptionStringDescription.
Gra.Resource.Highrisk.Accounts.resourceStringResource Name.
Gra.Resource.Highrisk.Accounts.domainStringDomain Name.
Gra.Resource.Highrisk.Accounts.high_riskStringHigh Risk.
Gra.Resource.Highrisk.Accounts.is_orphanStringIs Account Orphan.
Gra.Resource.Highrisk.Accounts.is_reassignedStringIs account Reassigned.
Gra.Resource.Highrisk.Accounts.risk_scoreStringAccount Risk Score.
Gra.Resource.Highrisk.Accounts.updated_onDateUpdated On.

Command Example#

!gra-fetch-resource-highrisk-accounts resource_name="Windows Security" page=1 max=25

Context Example#

[{
"id":35,
"name":"Alec.Holland01_NN",
"type":null,
"created_on":"02/09/2018 10:00:00",
"department":null,
"description":null,
"resource":"Windows Security",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":69,
"updated_on":null
}]

Human Readable Output#

gra-fetch-hpa#


Retrieve List of All High Risk Privileged Accounts.

Base Command#

!gra-fetch-hpa

Input#

Argument NameDescriptionRequired
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.Hpa.idNumberUser Account Relation Id .
Gra.Hpa.nameStringAccount Name.
Gra.Hpa.typeStringAccount Type.
Gra.Hpa.created_onDateCreated On.
Gra.Hpa.departmentStringDepartment.
Gra.Hpa.descriptionStringDescription.
Gra.Hpa.resourceStringResource Name.
Gra.Hpa.domainStringDomain Name.
Gra.Hpa.high_riskStringHigh Risk.
Gra.Hpa.is_orphanStringIs Account Orphan.
Gra.Hpa.is_reassignedStringIs account Reassigned.
Gra.Hpa.risk_scoreStringAccount Risk Score.
Gra.Hpa.updated_onDateUpdated On.

Command Example#

!gra-fetch-hpa page=1 max=25

Context Example#

{
"id":35,
"name":"Alec.Holland01_NN",
"type":null,
"created_on":"02/09/2018 10:00:00",
"department":null,
"description":null,
"resource":"IPS",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":69,
"updated_on":null
}

Human Readable Output#

#

gra-fetch-resource-hpa#


Retrieve all High Privileged Accounts for a Given Resource.

Base Command#

gra-fetch-resource-hpa

Input#

Argument NameDescriptionRequired
resource_nameResource Name.Required
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.Resource.Hpa.idNumberUser Account Relation Id .
Gra.Resource.Hpa.nameStringAccount Name.
Gra.Resource.Hpa.typeStringAccount Type.
Gra.Resource.Hpa.created_onDateCreated On.
Gra.Resource.Hpa.departmentStringDepartment.
Gra.Resource.Hpa.descriptionStringDescription.
Gra.Resource.Hpa.resourceStringResource Name.
Gra.Resource.Hpa.domainStringDomain Name.
Gra.Resource.Hpa.high_riskStringHigh Risk.
Gra.Resource.Hpa.is_orphanStringIs Account Orphan.
Gra.Resource.Hpa.is_reassignedStringIs account Reassigned.
Gra.Resource.Hpa.risk_scoreStringAccount Risk Score.
Gra.Resource.Hpa.updated_onDateUpdated On.

Command Example#

!gra-fetch-resource-hpa resource_name="Linux" page=1 max=25

Context Example#

[{
"id":2,
"name":"user1",
"type":null,
"created_on":"02/09/2017 10:00:00",
"department":null,
"description":null,
"resource":"Linux",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}]

Human Readable Output#

gra-fetch-orphan-accounts#


Retrieve List of All Orphan / Rogue Accounts.

Base Command#

gra-fetch-orphan-accounts

Input#

Argument NameDescriptionRequired
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.Orphan.Accounts.idNumberUser Account Relation Id .
Gra.Orphan.Accounts.nameStringAccount Name.
Gra.Orphan.Accounts.typeStringAccount Type.
Gra.Orphan.Accounts.created_onDateCreated On.
Gra.Orphan.Accounts.departmentStringDepartment.
Gra.Orphan.Accounts.descriptionStringDescription.
Gra.Orphan.Accounts.resourceStringResource Name.
Gra.Orphan.Accounts.domainStringDomain Name.
Gra.Orphan.Accounts.high_riskStringHigh Risk.
Gra.Orphan.Accounts.is_orphanStringIs Account Orphan.
Gra.Orphan.Accounts.is_reassignedStringIs account Reassigned.
Gra.Orphan.Accounts.risk_scoreStringAccount Risk Score.
Gra.Orphan.Accounts.updated_onDateUpdated On.

Command Example#

!gra-fetch-orphan-accounts page=1 max=25

Context Example#

[{
"id":2,
"name":"user1",
"type":null,
"created_on":"02/09/2017 10:00:00",
"department":null,
"description":null,
"resource":"Linux",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}]

Human Readable Output#

gra-fetch-resource-orphan-accounts#


Retrieve All Orphan / Rogue Accounts for a Given Resource.

Base Command#

gra-fetch-resource-orphan-accounts

Input#

Argument NameDescriptionRequired
resource_nameResource Name.Required
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.Resource.Orphan.Accounts.idNumberUser Account Relation Id .
Gra.Resource.Orphan.Accounts.nameStringAccount Name.
Gra.Resource.Orphan.Accounts.typeStringAccount Type.
Gra.Resource.Orphan.Accounts.created_onDateCreated On.
Gra.Resource.Orphan.Accounts.departmentStringDepartment.
Gra.Resource.Orphan.Accounts.descriptionStringDescription.
Gra.Resource.Orphan.Accounts.resourceStringResource Name.
Gra.Resource.Orphan.Accounts.domainStringDomain Name.
Gra.Resource.Orphan.Accounts.high_riskStringHigh Risk.
Gra.Resource.Orphan.Accounts.is_orphanStringIs Account Orphan.
Gra.Resource.Orphan.Accounts.is_reassignedStringIs account Reassigned.
Gra.Resource.Orphan.Accounts.risk_scoreStringAccount Risk Score.
Gra.Resource.Orphan.Accounts.updated_onDateUpdated On.

Command Example#

!gra-fetch-resource-orphan-accounts resource_name="Windows Security" page=1 max=25

Context Example#

[{
"id":2,
"name":"user1",
"type":null,
"created_on":"02/09/2017 10:00:00",
"department":null,
"description":null,
"resource":"Windows Security",
"domain":"com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":0,
"updated_on":null
}]

Human Readable Output#

#

gra-fetch-orphan-accounts#


Retrieve List of All Orphan / Rogue Accounts.

Base Command#

gra-user-activities

Input#

Argument NameDescriptionRequired
employee_idEmployee Id.Required
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.User.Activity.employee_idStringEmployee Id .
Gra.User.Activity.account_nameStringAccount Name .
Gra.User.Activity.resource_nameStringResource Name .
Gra.User.Activity.event_descStringEvent Description .
Gra.User.Activity.event_dateStringEvent Date .
Gra.User.Activity.risk_scoreNumberRisk Score .

Command Example#

!gra-user-activities employee_id="aa17600" page=1 max=25

Context Example#

{
"employee_id":"aa17600",
"account_name":null,
"resource_name":"Print",
"event_desc":"Print",
"event_date":"09/02/2019 11:51:14",
"risk_score":0.0
}

Human Readable Output#

gra-fetch-users-details#


get details of the user.

Base Command#

gra-fetch-users-details

Input#

Argument NameDescriptionRequired
employee_idEmployee Id.Required

Context Output#

PathTypeDescription
Gra.User.firstNameStringFirst Name.
Gra.User.middleNameStringMiddle Name.
Gra.User.lastNameStringLast Name.
Gra.User.employeeIdStringEmployee Id.
Gra.User.riskScoreStringRisk Score.
Gra.User.userRiskStringUser Risk.
Gra.User.departmentStringDepartment.
Gra.User.emailStringEmail.
Gra.User.phoneStringPhone.
Gra.User.locationStringLocation .
Gra.User.managerStringManager.
Gra.User.titleStringTitle.
Gra.User.joiningDateStringJoining Date.
Gra.User.profilePicturePathStringProfile Picture Path.
Gra.User.exitDateDateExit Date.

Command Example#

!gra-user-activities employee_id="aa17600" page=1 max=25

Context Example#

[
{
"firstName":"Jonathan",
"middleName":null,
"lastName":"Osterman01_NN",
"employeeId":"user1",
"riskScore":88,
"userRisk":88,
"department":"IT",
"email":"Jonathan.Osterman@abc.com",
"phone":"(91)-123-4567-890",
"location":"USA",
"manager":"Thor.Odinson01_NN",
"title":"Sr.Developer",
"joiningDate":"01/01/2017 12:47:00",
"exitDate":"12/31/2019 23:47:00",
"profilePicturePath":null
}
]

Human Readable Output#

gra-fetch-users-details#


get details of the user.

Base Command#

gra-highRisk-users

Input#

Argument NameDescriptionRequired
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.Highrisk.Users.idNumberUser Id .
Gra.Highrisk.Users.nameStringUser Name.
Gra.Highrisk.Users.typeStringType.
Gra.Highrisk.Users.created_onDateCreated On .
Gra.Highrisk.Users.departmentStringDepartment.
Gra.Highrisk.Users.descriptionStringDescription.
Gra.Highrisk.Users.resourceStringResource Name.
Gra.Highrisk.Users.domainStringDomain.
Gra.Highrisk.Users.high_riskStringHigh Risk.
Gra.Highrisk.Users.is_orphanStringIs Orphan Account .
Gra.Highrisk.Users.is_reassignedStringIs Reassigned .
Gra.Highrisk.Users.updated_onDateUpdated On .
Gra.Highrisk.Users.exitDateDateExit Date .
Gra.Highrisk.Users.created_onDateCreated On .
Gra.Highrisk.Users.joiningDateDateJoining Date .
Gra.Highrisk.Users.managerStringManager .
Gra.Highrisk.Users.employeeIdStringEmployee Id .
Gra.Highrisk.Users.firstNameStringFirst Name .
Gra.Highrisk.Users.middleNameStringMiddle Name .
Gra.Highrisk.Users.lastNameStringLast Name .
Gra.Highrisk.Users.locationStringLocation .
Gra.Highrisk.Users.titleStringTitle .
Gra.Highrisk.Users.userRiskNumberUser Risk .
Gra.Highrisk.Users.riskScoreNumberRisk Score .
Gra.Highrisk.Users.descriptionStringDescription .
Gra.Highrisk.Users.is_orphanStringIs Orphan .
Gra.Highrisk.Users.phoneStringPhone .
Gra.Highrisk.Users.emailStringEmail .

Command Example#

!gra-highRisk-users page=1 max=25

Context Example#

[
{
"id":188,
"name":"Vitoria Inger",
"type":null,
"created_on":"02/02/2020 10:00:00",
"department":null,
"description":"Mozilla/5.0 (Windows NT) AppleWebKit/534.20 (KHTML, like Gecko) Chrome/11.0.672.2 Safari/534.20",
"resource":"AIX",
"domain":"163.com",
"high_risk":null,
"is_orphan":"No",
"is_reassigned":null,
"risk_score":88,
"updated_on":null
}
]

Human Readable Output#

gra-cases#


get details of the user.

Base Command#

gra-cases

Input#

Argument NameDescriptionRequired
statusCase Status.Required
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.Cases.entityIdNumberEntity Id .
Gra.Cases.entityTypeIdNumberEntity Type Id.
Gra.Cases.entityStringEntity Name.
Gra.Cases.caseIdNumberCase Id .
Gra.Cases.openDateDateCase Open Date.
Gra.Cases.ownerIdNumberOwner Id.
Gra.Cases.ownerTypeStringOwner Type.
Gra.Cases.ownerNameStringOwner Name.
Gra.Cases.riskDateDateRisk Risk.
Gra.Cases.statusStringCase Status .
Gra.Cases.anomaliesStringAnomalies .

Command Example#

!gra-cases status="OPEN" page=1 max=25

Context Example#

[
{
"entityId":366,
"entityTypeId":2,
"entity":"Ulises Ellerby",
"caseId":58,
"openDate":"10/13/2020 18:44:06",
"ownerId":1,
"ownerType":"User",
"ownerName":"graadmin",
"riskDate":"10/12/2020 00:00:00",
"status":"Open"
}
]

Human Readable Output#

gra-user-anomalies#


get details of the user.

Base Command#

gra-user-anomalies

Input#

Argument NameDescriptionRequired
employee_idEmployee Id.Required
pagePage no.Optional
maxPer page record countOptional

Context Output#

PathTypeDescription
Gra.User.Anomalies.anomaly_nameStringAnomaly Name .

Command Example#

!gra-user-anomalies employeeId="AB1234" page=1 max=25

Context Example#

[
{
"anomaly_name":"SOD_role_13oct"
}
]

Human Readable Output#

gra-case-action#


Closing a case and updating the anomaly status as Closed / Risk Managed / Model Reviewed.

Base Command#

gra-case-action

Input#

Argument NameDescriptionRequired
actionActionRequired
caseIdCase IDRequired
subOptionSub OptionRequired
caseCommentCase CommentRequired
riskAcceptDateRisk Accept Date (applicable only in case of closing a case as Risk Managed)Optional

Context Output#

PathTypeDescription
Gra.Case.Action.MessageStringMessage

Command Example#

!gra-case-action action=modelReviewCase caseId=5 subOption="Tuning Required" caseComment="This is Completed"

Context Example#

[
{
"Message": "1 Anomalies in this case closed successfully."
}
]

Human Readable Output#

gra-case-action-anomaly#


Closing an anomaly or anomalies within a case and updating the anomaly status as Closed / Risk Managed / Model Reviewed.

Base Command#

gra-case-action-anomaly

Input#

Argument NameDescriptionRequired
actionActionRequired
caseIdCase IDRequired
anomalyNamesAnomaly NamesRequired
subOptionSub OptionRequired
caseCommentCase CommentRequired
riskAcceptDateRisk Accept Date (applicable only in case of closing a case as Risk Managed)Optional

Context Output#

PathTypeDescription
Gra.Case.Action.Anomaly.MessageStringMessage
Gra.Case.Action.Anomaly.anomalyNameStringAnomaly Name

Command Example#

!gra-case-action-anomaly action=modelReviewCaseAnomaly caseId=5 anomalyNames=anomalyName1 subOption="Tuning Required" caseComment="This is Completed"

Context Example#

[
{
"Message": {
"anomalyName1": "Anomaly risk accepted successfully."
}
}
]

Human Readable Output#

gra-investigate-anomaly-summary#


Retrieve detailed anomaly summary of specified anomaly name.

Base Command#

gra-investigate-anomaly-summary

Input#

Argument NameDescriptionRequired
modelNameModel NameRequired
fromDateFrom Date ( yyyy-MM-dd )Optional
toDateTo Date ( yyyy-MM-dd )Optional

Context Output#

PathTypeDescription
Gra.Investigate.Anomaly.Summary.analyticalFeaturesStringAnalytical Features
Gra.Investigate.Anomaly.Summary.entityCountStringEntity Count
Gra.Investigate.Anomaly.Summary.resourceCountStringResource Count
Gra.Investigate.Anomaly.Summary.recordsStringRecords
Gra.Investigate.Anomaly.Summary.anomalyBaselineStringAnomaly Baseline
Gra.Investigate.Anomaly.Summary.anomalyLastCatchStringAnomaly Last Catch
Gra.Investigate.Anomaly.Summary.executionDaysStringExecution Days
Gra.Investigate.Anomaly.Summary.chainDetailsStringChain Details
Gra.Investigate.Anomaly.Summary.resourceNameStringresourceName
Gra.Investigate.Anomaly.Summary.typeStringtype
Gra.Investigate.Anomaly.Summary.valueStringvalue
Gra.Investigate.Anomaly.Summary.anomalousActivityNumberanomalousActivity
Gra.Investigate.Anomaly.Summary.anomalyNameStringanomalyName
Gra.Investigate.Anomaly.Summary.classifierStringclassifier
Gra.Investigate.Anomaly.Summary.anomalyFirstCatchStringanomalyFirstCatch
Gra.Investigate.Anomaly.Summary.anomalyDescriptionStringanomalyDescription
Gra.Investigate.Anomaly.Summary.similarTemplateAnomaliesStringSimilar Template Anomalies
Gra.Investigate.Anomaly.Summary.entitiesFlaggedNumberEntities Flagged

Command Example#

!gra-investigate-anomaly-summary modelName=ModelName

Context Example#

{
"analyticalFeatures": {
"eventdesc": 8
},
"entityCount": "466",
"resourceCount": "4",
"records": {
"anomalyBaseline": "Baseline period is not configured.",
"anomalyLastCatch": "2020-12-06 10:00:59",
"executionDays": "null",
"chainDetails": [
{
"resourceName": "resourceName",
"type": "model",
"value": "modelName"
}
],
"anomalousActivity": 0,
"anomalyName": "modelName",
"classifier": "Categories -> Categories Name, Categories -> Default, Resources -> resourceName",
"anomalyFirstCatch": "2020-11-08 12:15:00",
"anomalyDescription": "This template can be used to create models using the saved search query."
},
"similarTemplateAnomalies": {
"anomaly1": 442,
"anomaly2": 4,
"anomaly3": 4,
"anomaly4": 21,
"anomaly5": 8,
"anomaly6": 1
},
"entitiesFlagged": 0
}

Human Readable Output#