- Action Editor
- Customize an Out-of-the-Box Service Using Action Editor
- Create a Custom Service Using Action Editor
- Edit a Custom Service in Action Editor
- Delete a Custom Service in Action Editor
- Edit a Custom Service Configuration Document
- Create a Custom Action Using Action Editor
- Edit a Custom Action in Action Editor
- Delete a Custom Action in Action Editor
Edit a Custom Service Configuration Document
To build the logic behind a custom service and how a custom action communicates with it, edit the __init__.py, connector.py, and requirements.txt files.
Each custom service has three configuration documents: __init__.py, connector.py, and requirements.txt. These documents determine how all actions for a service communicate with it and are required for Incident Responder to process and upload the service.
When you first create a custom service, the documents are empty. You can populate a document in two ways: directly in the service itself, and when you create or edit a custom action.
Edit a Configuration Document in the Service
Select a custom service.
Under Documents, select a document:
__init__.py,connector.py, orrequirements.txt.Make changes to the document.
Click SAVE.
Edit connector.py
Build the logic the action uses to communicate — send and receive all requests — to the service.
The connector must:
Define a class named after the service.
Define the
__init__method for this class so it assigns values to the service's configuration fields.For example, if you created service configuration fields for username and password, the __init__ method takes
usernameandpasswordas parameters and assigns them to objects:def __init__(self, username: str=None, password: str=None) -> None: self.username = username self.password = passwordDefine the
test_connectionmethod so if the configuration fields are valid, it returnsTrue; if the configuration fields are invalid, it returnsFalseor an exception.For example, if you created configuration fields for username and password:
def authorize(self) -> bool: if not self._username or not self._password: return True res = self._session.post("auth/login", json={"username": self._username, "password": self._password}) if not res.ok: raise ExabeamConnectorException("Invalid credentials") def test_connection(self) -> bool: return self.authorize()
Add any other logic necessary for actions to communicate to the service.
Edit __init__.py
Import all actions classes, the connector, and the test connection method, so it's contained in one location.
Each time you create a new action for a service, you must update
__init__.pyso it imports the action class:from .modulename import actionclass
For example:
from .get_reputation import GetFileReputation, GetIPReputation, GetURLReputation
You must import all action classes. If you don't import it, you can't use it in Incident Responder .
The connector contains methods for all actions and makes all API calls. Import the
connectorclass under the alias,Connector:from .connector import yourservice as Connector
To call
test_connection, a method in theconnectorclass used to test the service, import theTestServiceConnectionclass under an alias. The alias should be TestService followed by the service name, without spaces:from soar.library.common.test_connection import TestServiceConnection as TestServiceYourService
For example:
from soar.library.common.test_connection import TestServiceConnection as TestServiceCode42
If your service does not support connection testing, import the
TestServiceConnectionNotSupportedclass instead ofTestServiceConnectionfrom the same package, under the same alias:from soar.library.common.test_connection import TestServiceConnectionNotSupported as TestServiceCode42
Add Dependencies to requirements.txt
In requirements.txt, list all external dependencies and libraries you must install to use connector.py and __init__.py.