Looker
This Integration is part of the Looker Pack.
This integration was integrated and tested with Looker version 6.10.20.
Use Cases
- Ingest query results as incidents.
- Run a custom (inline) query as part of a playbook.
- Automatically create and save a query as a look.
Important Information
Read this section to learn how to obtain the information required to configure the integration.
Generate an API3 key for a Looker user:
- Log in to the Looker web interface with an account that is permitted to manage users.
- At the top of the page, click the “Admin” drop-down and select “Users”.
- Select the user you would like to generate the API3 key for.
- Go to “API3 Keys” and select “Edit Keys”.
- Click “New API3 Key”.
Get a Look ID:
Usages:
- “Look name or ID to fetch incidents from” integration parameter.
- Look ID command arguments.
- Uniquely identify a Look (the name is not unique).
Option A: Looker Web Interface
- Click on a look.
- The number at the end of the URL is the ID of the look.
Option B: Cortex XSOAR commands
- Configure the Looker integration without fetching incidents or filling in the “Look name or ID to fetch incidents from” parameter.
- Run the looker-search-queries or looker-search-looks command.
- The ID will be part of the results (among other look details).
Get model and view names from an explore’s URL:
- Navigate to the explore.
- The URL will be formatted like this: https://<looker server>/explore/<model>/<view>
Get a field’s SQL name (for command arguments):
- Navigate to the explore.
- Click a field.
- In the DATA tab, click SQL.
You will see the field name in the following format: object_name.field_name.
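The three lookups above (look ID, model and view names, field name format) can be validated in code before the values are passed to a command or playbook. The following Python is an added example, not part of the Looker integration's own code; the function names, the `/looks/3` path and the example.looker.com host are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Field names follow the page's "object_name.field_name" format.
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*")


def _https_path_segments(url):
    """Split an https URL into path segments; reject any other scheme."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an https URL, got {url!r}")
    return [seg for seg in parts.path.split("/") if seg]


def look_id_from_url(url):
    """Return the look ID: the number at the end of the look's URL."""
    segments = _https_path_segments(url)
    if not segments or not re.fullmatch(r"[0-9]+", segments[-1]):
        raise ValueError(f"no numeric look ID at the end of {url!r}")
    return int(segments[-1])


def explore_model_and_view(url):
    """Return (model, view) from https://<looker server>/explore/<model>/<view>."""
    segments = _https_path_segments(url)
    if len(segments) != 3 or segments[0] != "explore":
        raise ValueError(f"not an explore URL: {url!r}")
    return segments[1], segments[2]


def inline_query_args(explore_url, fields):
    """Build checked arguments for the looker-run-inline-query command."""
    model, view = explore_model_and_view(explore_url)
    bad = [f for f in fields if not FIELD_RE.fullmatch(f)]
    if bad:
        raise ValueError(f"not in object_name.field_name format: {bad}")
    return {"model": model, "view": view,
            "fields": ", ".join(fields), "result_format": "json"}


# Constructed sample URLs; the host and the /looks/ path are placeholders.
EXPLORE_URL = "https://example.looker.com/explore/thelook/order_items?qid=abc"
LOOK_URL = "https://example.looker.com/looks/3"

if __name__ == "__main__":
    print(look_id_from_url(LOOK_URL))
    print(inline_query_args(EXPLORE_URL, ["order_items.status", "products.brand"]))
```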
Configure Looker on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Looker.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- API URL and port (e.g., https://example.looker.com:19999)
- Trust any certificate (not secure)
- Use system proxy settings
- API3 Client ID
- API3 Client Secret
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. Run a saved look
Runs a saved look and returns the results in the specified format.
Base Command
looker-run-look
Input
Argument Name | Description | Required |
---|---|---|
id | ID of the look. Can be found in the look’s URL, or by running the ‘looker-search-looks’ command. | Optional |
fields | Fields to return. | Optional |
name | Name of the look. | Optional |
limit | Maximum number of looks to return (0 for looker-determined limit). | Optional |
result_format | Format of the result. | Required |
Context Output
Path | Type | Description |
---|---|---|
LookerResults.LookID | Number | Look ID. |
LookerResults.Results | Unknown | Look Results. |
Command Example
looker-run-look name="Look 1" limit="2" result_format="json"
Context Example
"LookerResults": { "LookID": 3, "Results": [ { "OrderItems_Id": 160086, "OrderItems_OrderId": 153797, "OrderItems_Status": "Complete", "OrderItems_CreatedDate": "2019-04-02", "OrderItems_SalePrice": 54, "Products_Brand": "Alternative", "Products_ItemName": "Alternative Women's Alice Drop Shoulder V-Neck", "Users_Name": "Chelsea Mccormick", "Users_Email": "example@gmail.com" }, { "OrderItems_Id": 63757, "OrderItems_OrderId": 58557, "OrderItems_Status": "Cancelled", "OrderItems_CreatedDate": "2019-04-19", "OrderItems_SalePrice": 49.5, "Products_Brand": "Lucky Brand", "Products_ItemName": "Lucky Brand Women's Plus-Size Moroccan Medallion Tee", "Users_Name": "Darrell Nelson", "Users_Email": "example@aol.com" } ] }
Human Readable Output
Results for look Look 1
LookerResults.Results.OrderItems_Id | LookerResults.Results.OrderItems_OrderId | LookerResults.Results.OrderItems_Status | LookerResults.Results.OrderItems_CreatedDate | LookerResults.Results.OrderItems_SalePrice | LookerResults.Results.Products_Brand | LookerResults.Results.Products_ItemName | LookerResults.Results.Users_Name | LookerResults.Results.Users_Email |
---|---|---|---|---|---|---|---|---|
160086 | 153797 | Complete | 2019-04-02 | 54 | Alternative | Alternative Women’s Alice Drop Shoulder V-Neck | Chelsea Mccormick | example.gmail.com |
63757 | 58557 | Cancelled | 2019-04-19 | 49.5 | Lucky Brand | Lucky Brand Women’s Plus-Size Moroccan Medallion Tee | Darrell Nelson | example.gmail.com |
This command has dynamic output keys.
To access them in the context, copy the key’s path from the column header in the results table.
2. Search for saved looks
Retrieves saved looks that match the search criteria.
Base Command
looker-search-looks
Input
Argument Name | Description | Required |
---|---|---|
name | Match look name. | Optional |
space_id | Filter results by a particular space. | Optional |
user_id | Filter by dashboards created by a particular user. | Optional |
limit | Maximum number of looks to return (0 for looker-determined limit). | Optional |
Context Output
Path | Type | Description |
---|---|---|
Looker.Look.ID | Number | Look ID. |
Looker.Look.Name | String | Look name. |
Looker.Look.SpaceID | Number | ID of the space that contains the look. |
Looker.Look.SpaceName | String | Name of the space that contains the look. |
Looker.Look.LastUpdated | Date | The time that the look was last updated. |
Command Example
!looker-search-looks limit="2"
Context Example
"Looker": { "Look": [ { "ID": 3, "LastUpdated": "2019-04-10T16:11:43.249Z", "Name": "Look 1", "SpaceID": 6, "SpaceName": "Space 1" }, { "ID": 4, "LastUpdated": "2019-04-16T11:41:57.482Z", "Name": "Look 2", "SpaceID": 7, "SpaceName": "Space 2" } ] }
Human Readable Output
Look search results
ID | Name | SpaceID | SpaceName | LastUpdated |
---|---|---|---|---|
3 | Look 1 | 6 | Space 1 | 2019-04-10T16:11:43.249Z |
4 | Look 2 | 7 | Space 2 | 2019-04-16T11:41:57.482Z |
3. Run an inline query
Runs a query defined in the command arguments, rather than a saved query in Looker.
Base Command
looker-run-inline-query
Input
Argument Name | Description | Required |
---|---|---|
model | Name of the model. Can be found in the explore’s URL. | Required |
view | Name of the view or explore. Can be found in the explore’s URL. | Required |
fields | List of fields to display. (Field name format: “object_name.field_name”). | Optional |
filters | Filters for the query, passed as a comma-separated list with the format: “field name=filter value;…” (Field name format: “object_name.field_name”). | Optional |
pivots | List of pivots. (Field name format: “object_name.field_name”). | Optional |
sorts | Sorting for the query results. (Field name format: “object_name.field_name”). | Optional |
limit | Maximum number of looks to return (0 for looker-determined limit). | Optional |
result_format | Format of the result. | Required |
Context Output
Path | Type | Description |
---|---|---|
LookerResults.InlineQuery | Unknown | Inline query results. |
Command Example
looker-run-inline-query model="thelook" view="order_items" fields="order_items.status, order_items.order_id, products.brand" filters="products.brand=Ray-Ban, Calvin Klein" limit="2" result_format="json"
Context Example
"LookerResults": { "InlineQuery": [ { "OrderItems_OrderId": 5704, "OrderItems_Status": "Cancelled", "Products_Brand": "Ray-Ban" }, { "OrderItems_OrderId": 1535, "OrderItems_Status": "Cancelled", "Products_Brand": "Ray-Ban" } ] }
Human Readable Output
Inline Query Results
LookerResults.InlineQuery.OrderItems_Status | LookerResults.InlineQuery.OrderItems_OrderId | LookerResults.InlineQuery.Products_Brand |
---|---|---|
Cancelled | 5704 | Ray-Ban |
Cancelled | 1535 | Ray-Ban |
4. Create a look
Creates a look from a query.
Base Command
looker-create-look
Input
Argument Name | Description | Required |
---|---|---|
model | Name of the model. Can be found in the explore’s URL. | Required |
view | Name of the view or Explore. Can be found in the explore’s URL. | Required |
fields | List of fields to display. (Field name format: “object_name.field_name”). | Optional |
filters | Filters for the query, passed as a comma-separated list with the format: “field name=filter value;…” (Field name format: “object_name.field_name”). | Optional |
pivots | List of pivots. (Field name format: “object_name.field_name”). | Optional |
sorts | Sorting for the query results. (Field name format: “object_name.field_name”). | Optional |
look_title | Title of the look. | Required |
look_description | Description of the look. | Optional |
look_space_id | ID of the space that will contain the look. | Required |
Context Output
Path | Type | Description |
---|---|---|
Looker.Look.ID | Number | Look ID. |
Looker.Look.Name | String | Look name. |
Looker.Look.SpaceID | Number | ID of the space that contains the look. |
Looker.Look.SpaceName | String | Name of the space that contains the look. |
Looker.Look.LastUpdated | Date | The time that the look was last updated. |
This command has dynamic output keys.
To access them in the context, copy the key’s path from the column header in the results table.
Command Example
looker-create-look model="thelook" view="order_items" fields="order_items.status, order_items.order_id, products.brand" filters="products.brand=Ray-Ban, Calvin Klein" look_space_id=6 look_title="Look 3" look_description="This is my third saved look"
Context Example
"Looker": { "Look": { "ID": 7, "LastUpdated": "2019-04-10T16:11:43.249Z", "Name": "Look 3", "SpaceID": 6, "SpaceName": "Space 1" } }
Human Readable Output
Look “Look 3” created successfully
ID | Name | SpaceID | SpaceName | LastUpdated |
---|---|---|---|---|
7 | Look 3 | 6 | Space 1 | 2019-04-10T16:11:43.249Z |