Incident Responder

Configure Incident Responder Settings

Integrate Incident Responder with services in Incident Responder settings.

In the navigation bar, click the menu icon (three white lines on a green background), then select Settings. Depending on your permissions, select Core or Analytics:

  • If you have Core Manage Users and Context Sources permissions, you can only access Core settings.

  • If you have Advanced Analytics All Admin Ops permissions, you can access both Core and Analytics settings. In Analytics settings, you can configure and customize more settings than in Core settings.

Core Settings

In Core settings, view all settings under ALL APPS or click the INCIDENT RESPONDER tab to view Case Manager and Incident Responder settings.

Incident Responder tab in Core settings.

Under SERVICE INTEGRATIONS, select Services to configure a service, edit a service, disable a service, and upload or delete a custom service. See Configure Services.

Analytics Settings

In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then navigate to Automation.

Analytics settings with the Automation section highlighted with a red rectangle. The subsection is Services.

In Services, configure a service, edit a service, disable a service, and upload or delete a custom service. See Configure Services.

Configure Services

Integrate a service with Incident Responder to gather the data needed to run actions and playbooks. This service is usually one your organization already uses.

Before you configure an Incident Responder service, ensure you have the correct product versions, have the permissions and credentials you need, and whitelist relevant URLs and ports if you use a proxy.

To configure a third-party service, you enter information about the service. This information differs for each service.

Configure the Amazon Elastic Compute Cloud (EC2) Service

Configure Amazon EC2 as a service to manage instances, groups, accounts and run other Amazon EC2 actions.

  • Create and save an Amazon Web Services (AWS) access key. You enter the secret access key and access key ID later.

  • Note the Region code of your AWS Regional endpoint. You enter the Region code later.

  • If you use a proxy, ensure that you whitelist the AWS Regional endpoint.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Amazon EC2.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of a person or group responsible for the service.

    • Access Key ID – Enter the ID of the Amazon Web Services (AWS) access key you previously created.

    • Secret Access Key – Enter the AWS secret access key you previously created.

    • Region – Enter the code of your AWS Regional endpoint.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Anomali ThreatStream API Service

Configure Anomali ThreatStream as a service to get entity and artifact reputations, upload entities and artifacts, and run other Anomali ThreatStream API actions.

  • Note the URL you use to access the Anomali ThreatStream API.

  • Note your Anomali ThreatStream API key.

  • If you use a proxy, ensure that you whitelist the URL you use to access the Anomali ThreatStream API.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Anomali ThreatStream.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • apiUser – Enter your Anomali ThreatStream username, typically the email address associated with your Anomali ThreatStream account.

    • apiKey – Enter the Anomali ThreatStream API key you previously noted.

    • apiURL – Enter the URL you use to access the Anomali ThreatStream API; for example, https://api.threatstream.com/api/<api_version>/<resource>/

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Atlassian Jira Service

Configure Atlassian Jira as a service to create and update Jira tickets and run other Atlassian Jira actions.

  • Note the URL of your Atlassian Jira API endpoint.

  • Generate an Atlassian API token.

  • If you use a proxy, ensure that you whitelist your Atlassian Jira API endpoint URL.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Jira.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Server URL – Enter the URL of your Atlassian Jira API endpoint; for example, https://your-domain.atlassian.net/rest/api/3/issue/DEMO-1.

    • Login – Enter the username for your Atlassian Jira account.

    • API token – Enter the Atlassian API token you previously generated.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the BMC Remedy Service

Configure BMC Remedy as a service to create and update tickets and run other BMC Remedy actions.

If you use a proxy, ensure that you whitelist the IP address of your BMC Remedy AR System endpoint.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is BMC Remedy.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • URL – Enter the URL of your BMC Remedy AR System endpoint.

    • Username – Enter the username of your BMC account.

    • Password – Enter the password to your BMC account.

    • Server – Enter the server name of your BMC Remedy AR System endpoint.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Check Point Firewall Service

Configure Check Point Firewall as a service to block IP addresses using actions.

If you use a proxy, ensure that you whitelist your Checkpoint server IP address.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is CheckPoint Firewall.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Server – Enter the IP address of your Checkpoint firewall server.

    • Username – Enter the username for your Checkpoint account.

    • Password – Enter the password to your Checkpoint account.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Cisco AMP for Endpoints Service

Configure Cisco AMP for Endpoints as a service to get device details, search endpoints, and run other Cisco AMP for Endpoints actions.

  • Generate a Cisco AMP for Endpoints API client ID and API key.

  • If you use a proxy, ensure that you whitelist https://api.amp.cisco.com/v1/version

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is CiscoAMP.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Client ID – Enter the Cisco AMP for Endpoints API client ID you previously generated.

    • API Key – Enter the Cisco AMP for Endpoints API key you previously generated.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Cisco Services Engine (ISE) Service

Configure Cisco ISE as a service to get information about devices and use other Cisco ISE actions.

  • You must have Incident Responder i56 or a cloud-delivered deployment.

  • If you use a proxy, ensure that you whitelist the IP address or domain of your Cisco ISE API endpoint.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Cisco ISE.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Endpoint Host – Enter the IP address or domain of your Cisco ISE endpoint.

    • Username – Enter the username of your Cisco ISE account.

    • Password – Enter the password to your Cisco ISE account.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Cisco Threat Grid Service

Configure Cisco SecureX malware analytics, formerly known as Threat Grid, as a service to detonate files using actions.

  • Note the IP address, host name, or URL you use to access the Cisco Secure Malware Analytics API (see the API Access or Searching for a Sample Submission by API sections).

  • Note your Cisco Secure Malware Analytics API key.

  • Note if your privacy setting for samples you submit to Cisco Secure Malware Analytics is Public or Private.

  • Note the default virtual machine environment your organization uses for UI and API samples.

  • If you use a proxy, ensure that you whitelist the IP address or URL you use to access the Cisco Secure Malware Analytics API.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is ThreatGrid.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Host – Enter the IP address, host name, or URL you previously noted for accessing the Cisco Secure Malware Analytics API; for example, https://panacea.threatgrid.com/api/v2/

    • API Key – Enter the Cisco Secure Malware Analytics API key you previously noted.

    • Private Submissions – Select whether your Cisco Secure Malware Analytics API privacy setting makes samples private or public: if your privacy setting is Private, select True; if your privacy setting is Public, select False.

    • Sandbox VM – Enter the default virtual machine environment your organization uses for UI and API samples; for example, win7-x64.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the CrowdStrike Falcon Host API Service

Configure the CrowdStrike Falcon key-based API as a service to get entity and artifact information, search hosts, and run other CrowdStrike Falcon actions.

  • Note your CrowdStrike Falcon API credentials or create new ones.

  • If you use a proxy, ensure that you whitelist https://api.crowdstrike.com

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is CrowdstrikeFalcon.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • API User – Enter the CrowdStrike Falcon username you previously generated.

    • API Password – Enter the CrowdStrike Falcon password you previously generated.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the CyberArk Service

Configure CyberArk as a service to manage users and run other CyberArk actions.

If you use a proxy, ensure that you whitelist the URL you use to access the CyberArk Identity Security platform.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is CyberArk.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Host – Enter the URL you use to access the CyberArk Identity Security platform; for example, https://abc1234.my.adaptive.app/

    • Username – Enter the username for your CyberArk Identity Security platform account.

    • Password – Enter the password to your CyberArk Identity Security platform account.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Cylance Protect Service

Configure Cylance Protect as a service to get entity and asset details, add and remove hashes, and run other Cylance Protect actions.

  • Note your BlackBerry Protect tenant ID.

  • Note your BlackBerry Protect application ID and secret.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is CylanceProtect.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Tenant ID – Enter the BlackBerry Protect tenant ID you previously noted.

    • Application ID – Enter the BlackBerry Protect application ID you previously noted.

    • Application Secret – Enter the BlackBerry Protect application secret you previously noted.

    • Region – Select the region to which your organization's service endpoints belong: North America, US Government, or Other.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Exabeam Advanced Analytics Service

Configure Advanced Analytics as a service to get information like risk scores and triggered rules, manage context tables, accept sessions, and run other Exabeam Advanced Analytics actions.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Exabeam Advanced Analytics.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • API URL – Enter https://exabeam-web-common:8484/.

    • Username – Enter the username of your Exabeam account.

    • Password – Enter the password to your Exabeam account.

    • Version – Enter the Advanced Analytics version number you use; for example, I56.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Exabeam DL Service

Configure Data Lake as a service to search Data Lake logs, manage context tables, run queries, and run other Exabeam DL actions.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Exabeam Data Lake.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Host – Enter the IP address or hostname of your Data Lake instance.

    • Port – Enter the port number you use to connect to Data Lake.

    • Username – Enter the username of your Exabeam account.

    • Password – Enter the password to your Exabeam account.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the FireEye HX Service

Configure FireEye HX as a service to search for and get information about entities and assets, get the containment state of a FireEye host, and run other FireEye HX actions.

  • Note the domain of your FireEye HX endpoint.

  • Note the port number of your FireEye HX endpoint.

  • If you use a proxy, ensure that you whitelist the hostname of your FireEye HX endpoint.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is FireEyeHX.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Host – Enter the domain of your FireEye HX endpoint.

    • Port – Enter the port number of your FireEye HX endpoint.

    • Username – Enter the username for your FireEye account.

    • Password – Enter the password to your FireEye account.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Fortinet Service

Configure Fortinet as a service to block and unblock IP addresses using actions.

  • Create a PyFortiAPI firewall object. You use the ipaddr, username, and password later.

  • If you use a proxy, ensure that you whitelist the IP address or domain of your Fortinet API endpoint.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Fortinet.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Host – Enter the management IP address of the target device. This is the value of the ipaddr parameter you used for the firewall object.

    • Username – Enter the username of the account used to log in to the target device. This is the value of the username parameter you used for the firewall object.

    • Password – Enter the password of the account used to log in to the target device. This is the value of the password parameter you used for the firewall object.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Google Gmail Service

Configure Gmail as a service to manage emails and run other Google Gmail actions.

  • Create a Google Workspace service account with domain-wide delegation of authority. You use the service account public/private key pair JSON file later. When you set OAuth scopes, ensure that you enter https://mail.google.com/.

  • If you use a proxy, ensure that you whitelist https://mail.google.com/

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Gmail.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Account JSON – Enter the Google Workspace service account public/private key pair JSON you downloaded.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.
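Before pasting the key file into the Account JSON field, it helps to confirm that it really is a service-account key with the fields the integration needs, not an OAuth client-ID file, and that the https://mail.google.com/ scope was granted under domain-wide delegation. The check below is an added example, not Exabeam's or Google's code; the field names are taken from the standard Google service-account key layout, and the sample key and scope list are constructed.

```python
import json

# Fields present in every Google service-account key file (standard key layout,
# an assumption of this example rather than something the Incident Responder docs state).
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)
# The OAuth scope the Gmail service needs under domain-wide delegation.
REQUIRED_SCOPE = "https://mail.google.com/"


def validate_service_account_json(raw, delegated_scopes=()):
    """Return a list of problems found in a service-account key JSON string.

    An empty list means the key looks usable for the Account JSON field.
    delegated_scopes is the scope list granted in the Workspace admin console,
    passed in so the check can confirm the Gmail scope is among them.
    """
    problems = []
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    if not isinstance(data, dict):
        return ["top-level JSON value must be an object"]

    # A frequent mistake is downloading an OAuth client-ID file instead of a key;
    # those files carry an "installed" or "web" object and no private key.
    if "installed" in data or "web" in data:
        return ["this is an OAuth client-ID file, not a service-account key"]
    if data.get("type") != "service_account":
        problems.append("type must be 'service_account', got %r" % data.get("type"))

    for field in REQUIRED_FIELDS:
        if not data.get(field):
            problems.append("missing field: " + field)

    key = data.get("private_key", "")
    if key and not key.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 private key")

    email = data.get("client_email", "")
    if email and not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email does not look like a service-account address")

    if REQUIRED_SCOPE not in delegated_scopes:
        problems.append("domain-wide delegation must include " + REQUIRED_SCOPE)
    return problems


# Constructed sample key; the private key body is a placeholder, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "ir-gmail@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Constructed OAuth client-ID file: the wrong artifact for this field.
SAMPLE_CLIENT_ID_JSON = json.dumps({"installed": {"client_id": "x", "client_secret": "y"}})

if __name__ == "__main__":
    for name, raw in (("key file", SAMPLE_KEY_JSON), ("client-ID file", SAMPLE_CLIENT_ID_JSON)):
        print(name, validate_service_account_json(raw, [REQUIRED_SCOPE]) or "ok")
```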

Configure the IntSights Cyber Intelligence Ltd. Service

Configure IntSights as a service to get entity and asset reputations using actions.

  • Obtain your API account ID from the IntSights Subscription page. For more information, contact IntSights Customer Support.

  • Obtain an API key from the IntSights Subscription page. Since this API key is the same key used to connect to the IntSights virtual appliance and cloud platform, you can reuse a key you previously generated. For more information, contact IntSights Customer Support.

  • If you use a proxy, ensure that you whitelist https://api.intsights.com

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Intsights.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Account ID – Enter the IntSights API account ID you obtained from the IntSights Subscription page.

    • API Key – Enter the IntSights API key you obtained from the IntSights Subscription page.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the IRNotificationSMTPService Service

Configure IRNotificationSMTPService as a service to send email notifications using actions.

To configure IRNotificationSMTPService, you must configure Advanced Analytics system activity email notifications. After you configure email notifications, IRNotificationSMTPService automatically appears as a service in Incident Responder Services settings. See Configure Advanced Analytics System Activity Notifications.

Configure the Joe Security Joe Sandbox Service

Configure Joe Sandbox as a service to detonate files and URLs using actions.

  • Generate a Joe Sandbox API key. For more information, contact Joe Security Technical Support. You use this API key later.

  • If you use a proxy, ensure that you whitelist the URL of your Joe Sandbox API endpoint.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (a blue circle with a white plus sign).

    • To view all actions for a service, hover over a service, then click the information icon (a grey i inside a grey circle).

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Joe Security.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • API URL – Enter the URL of your Joe Sandbox API endpoint; for example, https://jbxcloud.joesecurity.org/api

    • API Key – Enter the API key you previously generated.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Microsoft Active Directory (AD) (Latest) Service

Configure Microsoft Azure AD as a service to manage groups, accounts, and credentials, and run other Microsoft Active Directory (AD) (Latest) actions.

If you use a proxy, ensure that you whitelist the IP address of your Microsoft AD endpoint.

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Active Directory Latest.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Host – Enter the IP address or hostname of your Microsoft Azure AD endpoint.

    • Username – Enter the username of your Microsoft account.

    • Password – Enter the password to your Microsoft account.

    • Domain (One per line) – Enter the domains of the domain controllers running Microsoft Azure AD. Enter one domain per line.

    • TCP port – Enter the TCP port number you use to connect to your Microsoft Azure AD endpoint.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Microsoft Exchange Service

Configure Microsoft EWS Exchange as a service to delete and search for emails using actions.

  • Ensure that you properly set up your EWS application.

  • If you use a proxy, whitelist the IP address of your EWS server.

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Microsoft Exchange Email.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Server – Enter the IP address of your Exchange server.

    • Username – Enter the username of your Exchange account.

    • Password – Enter the password to your Exchange account.

    • Version – Select the version of your Exchange server: EXCHANGE 2010 SP2, EXCHANGE 2010 SP1, or EXCHANGE 2010. If you don't know the version of your Exchange server, select AUTONEGOTIATE.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Microsoft Outlook Office 365 Service

Configure Microsoft Outlook Office 365 as a service to delete emails and search for emails using actions.

  • In the Microsoft Exchange admin center (EAC), ensure you have an admin role group with ApplicationImpersonation and View-Only Recipients permissions.

  • Assign the admin role with ApplicationImpersonation and View-Only Recipients permissions to a Microsoft Outlook Office 365 account with an active mailbox. You use the email address and password for this account later.

  • If you use a proxy, ensure that you whitelist https://reports.office365.com/

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Microsoft Exchange Email.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Server – Enter the IP address of your Exchange server.

    • Username – Enter the username of your Exchange account.

    • Password – Enter the password to your Exchange account.

    • Version – Select the version of your Exchange server: EXCHANGE 2010 SP2, EXCHANGE 2010 SP1, or EXCHANGE 2010. If you don't know the version of your Exchange server, select AUTONEGOTIATE.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Netskope Service

Configure Netskope as a service to update file hash lists and URL lists using actions.

  • Note your Netskope API token.

  • If you use a proxy, ensure that you whitelist https://<tenant>.goskope.com/api/v1/

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Netskope.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • API Token – Enter the Netskope API token you previously noted.

    • Tenant Name – Enter the name of your Netskope tenant. Find the tenant name in the URL you use to access Netskope; for example, https://<tenant>.goskope.com.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Okta Service

Configure Okta as a service to manage users and run other Okta actions.

  • Ensure you have your organization's unique API URL, which Okta provided when you set up Exabeam on the Okta Integration Network.

  • Create an Okta API token.

  • If you use a proxy, ensure that you whitelist your organization's unique API URL.

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Okta.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • API URL – Enter your organization's unique Okta API URL.

    • API Token – Enter the API token you previously created.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Palo Alto Networks Wildfire Service

Configure Palo Alto Networks WildFire as a service to detonate files using actions.

  • Note your Palo Alto Networks WildFire API key or generate a new one.

  • If you use a proxy, ensure that you whitelist https://wildfire.paloaltonetworks.com/

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Palo Alto Networks Wildfire.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • API Key – Enter the Palo Alto Networks WildFire API key you previously generated.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Rapid7 insightVM Service

Configure Rapid7 insightVM as a service to manage scans and reports and run other Rapid7 insightVM actions.

If you use a proxy, ensure you whitelist the IP address or host name of your insightVM endpoint.

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is insightVM.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Host – Enter the IP address or host name of your insightVM endpoint.

    • Login – Enter the username of your Rapid7 insightVM account.

    • Password – Enter the password to your Rapid7 insightVM account.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the SentinelOne Service

Configure SentinelOne as a service to manage two-factor authentication, get information about entities and artifacts, and run other SentinelOne actions.

  • Generate a SentinelOne API token, then save it. For more information, contact SentinelOne Customer Support.

  • If you use a proxy, ensure that you whitelist the domain for your SentinelOne API endpoint; for example, https://yourcompany.sentinelone.net/

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is SentinelOne.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Host – Enter the domain of your SentinelOne API endpoint; for example, https://yourcompany.sentinelone.net/

    • API Token – Enter the API token you previously generated.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the SentinelOneV2 Service

Configure SentinelOneV2 as a service to manage two-factor authentication, get information about entities and artifacts, mark threats as resolved, and run other SentinelOneV2 actions.

  • Generate a SentinelOneV2 API token, then save it. For more information, contact SentinelOne Customer Support.

  • If you use a proxy, ensure that you whitelist the domain for your SentinelOneV2 API endpoint; for example https://yourcompany.sentinelone.net/

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is SentinelOneV2.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Host – Enter the domain of your SentinelOneV2 API endpoint; for example, https://yourcompany.sentinelone.net/

    • API Token – Enter the API token you previously generated.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Service Now Service

Configure Service Now as a service to manage incidents and run other Service Now actions.

If you use a proxy, ensure that you whitelist the IP address or domain of your ServiceNow API endpoint.

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is ServiceNow.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Host – Enter the IP address or domain of your ServiceNow API endpoint.

    • Username – Enter the username of your ServiceNow account.

    • Password – Enter the password to your ServiceNow account.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Slack Service

Configure Slack as a service to send messages using actions.

  • Note your Slack API access token.

  • If you use a proxy, ensure that you whitelist https://slack.com/api/

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Slack.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Access Token – Enter your Slack API access token.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the SlashNext Service

Configure SlashNext as a service to get entity and artifact reputations, download scans, and run other SlashNext actions.

  • Note your unique API key SlashNext provided when you set up the SlashNext API. If you have any questions about your API key, contact SlashNext Support at support@slashnext.com.

  • If you use a proxy, ensure that you whitelist https://oti.slashnext.cloud/api/

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is SlashNext.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • API Base URL – Enter the base URL for the SlashNext API, https://oti.slashnext.cloud/api/

    • API Key – Enter your unique API key. If you have any questions about your API key, contact SlashNext Support at support@slashnext.com.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Splunk Service

Configure Splunk as a service to search logs and context tables and run other Splunk actions.

  • Note the hostname of your Splunk API endpoint.

  • If you use a proxy, ensure that you whitelist the hostname of your Splunk API endpoint.

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Splunk.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • Host – Enter the hostname of your Splunk API endpoint.

    • Admin Port – Enter 8089, the splunkd management port.

    • Username – Enter the username for your Splunk account.

    • Password – Enter the password to your Splunk account.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the ThreatConnect API Service

Configure ThreatConnect as a service to get entity and artifact reputations and run other ThreatConnect actions.

  • Create a ThreatConnect API key.

  • Note the access ID of the API user you use to make requests.

  • Note your ThreatConnect base API URL; for example, https://app.threatconnect.com/api or https://sandbox.threatconnect.com/api/

  • Note your organization's name as it appears in ThreatConnect.

  • If you use a proxy, ensure that you whitelist your ThreatConnect base API URL.

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Splunk.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • API ID – Enter the ID of the API user you use to make requests.

    • API Key – Enter the ThreatConnect API key you created.

    • API URL – Enter your ThreatConnect base API URL.

    • API ORG – Enter your organization's name, as it appears in ThreatConnect.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Urlscan.io API Service

Configure urlscan.io as a service to get entity and artifact reputations using actions.

  • Ensure that you have your urlscan.io API key. For more information, contact urlscan.io technical support.

  • Ensure that the scan visibility level of your urlscan.io application is Public or Private. We don't support the Unlisted scan visibility.

  • If you use a proxy, ensure that you whitelist https://urlscan.io/api/

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is URLScan.io.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • API Key – Enter your urlscan.io API key. For more information, contact urlscan.io technical support.

    • Scan Type – Select the scan visibility of your urlscan.io application, Public or Private. If the scan visibility level of your urlscan.io application is Unlisted, change it to Public or Private.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the VirusTotal Service

Configure VirusTotal as a service to get entity and artifact reputations and run other VirusTotal actions.

  • Note your VirusTotal API key.

  • If you use a proxy, ensure that you whitelist https://www.virustotal.com/api/

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is VirusTotal.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • API Key – Enter the VirusTotal API key you previously noted.

    • API Type – Select your VirusTotal API type. If you use VirusTotal Public API, select Public; if you use VirusTotal Premium API, select Private.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Configure the Zscaler Service

Configure Zscaler as a service to manage blacklists and configuration changes and run other Zscaler actions.

  • On the Zscaler API Key Management page, note the base URL for the cloud service API.

  • On the Zscaler API Key Management page, note your cloud service API key string.

  • If you use a proxy, ensure that you whitelist the base URL for the cloud service API.

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service (the plus icon).

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Zscaler.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service.

    • URL – Enter the base URL for the Zscaler cloud service API.

    • Username – Enter the username of your Zscaler account.

    • Password – Enter the password to your Zscaler account.

    • API Key – Enter the Zscaler cloud service API key string.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.

Test a Service

Ensure the service you configured or uploaded is working correctly. You create a new test incident, run the service in the workbench, then view the results.

If you have a cloud-delivered deployment, contact your Technical Account Manager to debug the results.

  1. Ensure that you configured the service you're testing and you can access the command line interface (CLI).

  2. Manually create a test incident. The information you enter doesn't need to be accurate. For more information, see Manually Create an Incident.

  3. Manually run an action supported by the service you're testing, and ensure you enter the input values you wish to check, like IP addresses, domains, and URLs. For more information, see Manually Run an Action.

    If the action runs successfully, it appears in the workbench ACTIONS tab with a green check mark, and you see its output in the workbench.

  4. (Optional) To debug the results, log into the CLI and view the results in /opt/exabeam/data/logs/soar/python-action-engine/pythonActionEngine.log

Edit a Service

Change the details of a service you previously configured.

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select the Configured tab.

  4. Hover over a service, then click Edit Configuration (the pencil icon).

  5. Change the service details.

  6. To validate the configuration, select TEST CONNECTIVITY.

  7. Select SAVE.

Disable a Service

Disable a service you previously configured. Once you disable a service, you can't use it in an action or playbook.

  1. Remove the service from any playbooks. If you disable a service that's used in a playbook, that playbook may run incorrectly.

  2. In the navigation bar, click the menu icon, select Settings, then select Core.

  3. Under SERVICE INTEGRATIONS, select Services.

  4. Select the Configured tab.

  5. Hover over a service, then select Delete Configuration (the trash can icon). If you disable a service and it is still part of a playbook, you are warned that the "playbook contains errors" when you run the playbook.

Upload a Custom Service

If you created your own service, upload the ZIP file to Incident Responder.

You can create and upload two types of custom services: one you develop from scratch, and one that customizes an existing third-party service. If you upload a custom service that customizes an existing third-party service, all related actions and playbooks will start using this custom service.

If you create your own service from scratch, without using Exabeam Action Editor, ensure your ZIP file includes certain components. If you introduce any Python dependencies, you must include any Python modules as Python wheels and a requirements.txt file containing these wheels. Place the requirements.txt file under the python_dep directory.

You can't upload the same custom service more than once. To edit a custom service, delete the service, then upload it again.

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Click Upload service package (a blue circle with a white line and arrow in the center).

  4. Click UPLOAD PACKAGE, then upload a ZIP file no larger than 10MB. If the custom service changes or removes existing actions, playbooks that use these actions may not run as expected.

  5. Click SUBMIT. The service is added to the list with a Custom label.
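Before uploading, it is worth checking the package against the constraints stated above (10MB limit, requirements.txt under python_dep, every listed wheel actually shipped). The following pre-upload check is an added example written for this page; it is not Exabeam code and does not know the full list of components a custom service must contain. It assumes that each requirements.txt line names a wheel file placed next to it in python_dep; the wheel name and contents in the sample package are constructed placeholders. The member-path check is a general archive-handling safeguard, not something the page requires.

```python
import io
import posixpath
import zipfile

MAX_PACKAGE_BYTES = 10 * 1024 * 1024   # the 10MB upload limit stated above
DEP_DIR = "python_dep"                 # where the page says requirements.txt lives
REQUIREMENTS = f"{DEP_DIR}/requirements.txt"


def check_service_package(zip_bytes):
    """Return a list of problems found in a custom service ZIP (empty list = looks OK)."""
    problems = []
    if len(zip_bytes) > MAX_PACKAGE_BYTES:
        problems.append(f"package is {len(zip_bytes)} bytes, over the 10MB limit")
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return problems + ["file is not a valid ZIP archive"]

    names = set(archive.namelist())
    for name in names:
        # Reject absolute or parent-traversing members so extraction cannot escape
        # the package directory (general archive hygiene, not a rule from the page).
        if name.startswith("/") or ".." in name.split("/"):
            problems.append(f"unsafe member path: {name}")

    wheels = {n for n in names if n.endswith(".whl")}
    if REQUIREMENTS in names:
        for raw in archive.read(REQUIREMENTS).decode("utf-8").splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            # Assumption: each entry is the filename of a wheel shipped next to
            # requirements.txt (the page says the wheels themselves must be included).
            if not line.endswith(".whl"):
                problems.append(f"requirements.txt entry is not a wheel: {line}")
                continue
            if posixpath.join(DEP_DIR, line) not in names and line not in names:
                problems.append(f"wheel listed but not in package: {line}")
    elif wheels:
        problems.append(f"wheels present but {REQUIREMENTS} is missing")
    return problems


def build_sample_package(include_wheel=True, extra_member=None):
    """Constructed test package; the wheel name and its bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(REQUIREMENTS, "examplelib-1.0.0-py3-none-any.whl\n")
        if include_wheel:
            archive.writestr(f"{DEP_DIR}/examplelib-1.0.0-py3-none-any.whl",
                             b"placeholder wheel bytes")
        if extra_member:
            archive.writestr(extra_member, b"")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_service_package(build_sample_package()))                      # []
    print(check_service_package(build_sample_package(include_wheel=False)))
```

Run it against your own ZIP by reading the file into bytes and passing them to check_service_package; an empty list means the package passes these checks, though Incident Responder may still reject it for components this script does not know about.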

Delete a Custom Service

Delete a custom service you previously uploaded.

You can create and upload two types of custom services: one that you've developed from scratch, and one that customizes an out-of-the-box service. If you delete a custom service that customizes an out-of-the-box service, all related actions and playbooks will return to using the out-of-the-box service.

You can only delete a custom service. You can't delete an out-of-the-box service, but you can disable ones you configured.

  1. Ensure that you're not using the custom service in any playbooks. If you delete a service that's used in a playbook, that playbook may run incorrectly.

  2. In the navigation bar, click the menu (three white lines on a green background), select Settings, then select Core.

  3. Under SERVICE INTEGRATIONS, select Services.

  4. Hover over the service, then select the trash icon (a grey trash can).

  5. Click DELETE.

Create an Email Template for the Notify by Email Action

Use templates to customize the emails sent when you run the Notify by email Exabeam action.

  1. In the navigation bar, click the menu (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Email Notifications, then select the EMAIL TEMPLATES tab.

  3. Click Add Email Template (a dark blue plus sign).

  4. Configure the template settings:

    • Template Type – Select Notify by Email Action.

    • Template Name – Name the email template. This name is used to identify the template when you manually run the Notify by email action or configure a playbook action node using the Notify by email action.

    • Subject – Enter the subject line for the email notification.

    • In the text box, create the email body using Scalate's Mustache HTML template language.

      Under Variable Fields, view all the template variables you can use in the email body. For the Notify by Email Action template type, you can use any variable under both Notify by Email Action Fields and Case Manager Incident Fields.

      You can create a more elaborate email with CSS formatting; for example:

      <!DOCTYPE html>
      <html lang="en">
          <head>
              <title>Exabeam Incident Responder</title>
                  <style type="text/css">
                      body {
                          background:#F4F6F8;
                          font: 15px arial, sans-serif;
                      }
                      #sides{
                          display: flex;
                      }
                      #sides_left{
                          flex-grow: 1;
                          padding-left: 10px;
                      }
                      #header {
                          -webkit-box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                          -moz-box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                          box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                          background:#6ABA4F;
                          color: #FFFFFF;
                          font: 20px arial, sans-serif;
                          width: 800px;
                          padding: 10px;
                          margin-top: 30px;
                          margin-left: auto;
                          margin-right: auto;
                      }
                      #block {
                          -webkit-box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                          -moz-box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                          box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                          background:#FFFFFF;
                          color: #000000;
                          font: 16px arial, sans-serif;
                          width: 820px;
                          margin-top: 15px;
                          margin-left: auto;
                          margin-right: auto;
                      }
                      #block_header {
                          width: 800px;
                          padding: 10px;
                          background: #E9ECF0;
                          color: #2B2C34;
                          margin-left: auto;
                          margin-right: auto;
                      }
                      #block_body {
                          width: 800px;
                          background: #FFFFFF;
                          color: #2B2C34;
                          padding: 0;
                          padding-top: 20px;
                          padding-bottom: 20px;
                          margin-left: auto;
                          margin-right: auto;
                      }
                  </style>
          </head>
          <body>
              <div id="header">Exabeam Incident Response</div>
              <div id="block">
              <div id="sides">
              <div id="sides_left">
              <div id="block_body">
                  Hi,
                  <p>Thank you for letting us know - our assessment determined that the email with subject <b>{{input_subject}}</b> received on {{input_incident_date}} is an <b>unsolicited SPAM email</b>. You can safely delete this message. If you no longer wish to receive similar type of messages from the sender in the future - you can block the sender or sender's domain by right clicking the email in Outlook -> Junk -> Block Sender.</p>
                  {{#input_description}}
                  <p>{{input_description}}</p>
                  {{/input_description}}
                  {{#signature}}
                  <p>Regards,<br>{{signature}}</p>
                  {{/signature}}
                  {{^signature}}
                  <p>Regards,<br>Exabeam IR</p>
                  {{/signature}}
              </div>
              </div>
              </div>
              </div>
          </body>
      </html>

      You can also create something simpler; for example:

      <html>
          <head>
          </head>
          <body>
              <p>Thank you for letting us know - our assessment determined that the email with subject <b>{{input_subject}}</b> received on {{input_incident_date}} is an <b>unsolicited SPAM email</b>. You can safely delete this message. If you no longer wish to receive similar type of messages from the sender in the future - you can block the sender or sender's domain by right clicking the email in Outlook -> Junk -> Block Sender.</p>
          </body>
      </html>

  5. Click SAVE. Now, you can select this template when you configure a playbook action node using the Notify by email action.
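To see how the section tags in the templates above behave ({{#input_description}} renders only when the field is set, {{#signature}} and {{^signature}} select between a custom and a default sign-off), here is an added example: a minimal Mustache renderer in Python that covers just those tag forms. It is written for this page and is not the Scalate engine that Incident Responder uses; partials, standalone-line trimming and other Mustache features are not implemented, and the NOTIFY_TEMPLATE string and the incident field values are constructed. It also shows the default Mustache rule that {{var}} output is HTML-escaped, which matters here because input_subject is taken from the reported email and so is attacker-supplied text.

```python
import html
import re

# Minimal Mustache subset (constructed for this example; NOT Exabeam's Scalate
# engine). Supports {{var}} (HTML-escaped), {{{var}}} (unescaped),
# {{#name}}...{{/name}} sections and {{^name}}...{{/name}} inverted sections.
TAG = re.compile(
    r"\{\{\{\s*([A-Za-z0-9_.]+)\s*\}\}\}"          # group 1: {{{raw}}}
    r"|\{\{([#^/]?)\s*([A-Za-z0-9_.]+)\s*\}\}"     # groups 2-3: {{var}} {{#s}} {{^s}} {{/s}}
)
KINDS = {"#": "section", "^": "inverted", "/": "end", "": "var"}


def _tokenize(template):
    tokens, pos = [], 0
    for m in TAG.finditer(template):
        if m.start() > pos:
            tokens.append(("text", None, template[pos:m.start()]))
        if m.group(1):
            tokens.append(("raw", m.group(1), None))
        else:
            tokens.append((KINDS[m.group(2)], m.group(3), None))
        pos = m.end()
    tokens.append(("text", None, template[pos:]))
    return tokens


def _parse(tokens, i=0, until=None):
    """Build a tree; sections may nest, so recurse on {{#...}} and {{^...}}."""
    nodes = []
    while i < len(tokens):
        kind, name, text = tokens[i]
        if kind == "end":
            if name != until:
                raise ValueError(f"unexpected closing tag for {name}")
            return nodes, i + 1
        if kind in ("section", "inverted"):
            children, i = _parse(tokens, i + 1, until=name)
            nodes.append((kind, name, children))
            continue
        nodes.append((kind, name, text))
        i += 1
    if until is not None:
        raise ValueError(f"unclosed section {until}")
    return nodes, i


def _truthy(value):
    return value not in (None, False, "", [], {})


def _render(nodes, ctx):
    out = []
    for kind, name, payload in nodes:
        if kind == "text":
            out.append(payload)
        elif kind == "var":
            # Default Mustache behaviour: escape, so an incident field such as the
            # reported email's subject cannot inject markup into the notification.
            out.append(html.escape(str(ctx.get(name, "")), quote=True))
        elif kind == "raw":
            out.append(str(ctx.get(name, "")))
        elif kind == "section":
            value = ctx.get(name)
            if _truthy(value):
                items = value if isinstance(value, list) else [value]
                for item in items:
                    scope = {**ctx, **item} if isinstance(item, dict) else ctx
                    out.append(_render(payload, scope))
        elif kind == "inverted" and not _truthy(ctx.get(name)):
            out.append(_render(payload, ctx))
    return "".join(out)


def render(template, ctx):
    nodes, _ = _parse(_tokenize(template))
    return _render(nodes, ctx)


# Constructed template using the same variables and section tags as the page's examples.
NOTIFY_TEMPLATE = """<p>Subject <b>{{input_subject}}</b> received on {{input_incident_date}}</p>
{{#input_description}}<p>{{input_description}}</p>{{/input_description}}
{{#signature}}<p>Regards,<br>{{signature}}</p>{{/signature}}
{{^signature}}<p>Regards,<br>Exabeam IR</p>{{/signature}}"""


def render_notify_email(ctx):
    return render(NOTIFY_TEMPLATE, ctx)


if __name__ == "__main__":
    # Constructed incident fields; the subject carries markup, as a reported phish might.
    print(render_notify_email({
        "input_subject": "Invoice <script>alert(1)</script>",
        "input_incident_date": "2024-05-01",
        "input_description": "",
    }))
```

With no signature in the context the {{^signature}} block supplies the "Exabeam IR" sign-off, and the empty input_description suppresses its paragraph; the subject's angle brackets arrive in the email as entities rather than live markup. If you ever need unescaped output in a real template, keep it to values you control, never to incident fields.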