Merge pull request #33 from DomainTools/ID-1986-update-for-1.5.0-release

ID-1986 update for 1.5.0 release
splunk-soar-connectors · Jan 2, 2024 · 992a63b · 992a63b
2 parents 5a223dc + 39cc270
commit 992a63b
Show file tree

Hide file tree

Showing 5 changed files with 440 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 # DomainTools Iris Investigate
 
 Publisher: DomainTools  
-Connector Version: 1.4.2  
+Connector Version: 1.5.0  
 Product Vendor: DomainTools  
 Product Name: DomainTools Iris Investigate  
 Product Version Supported (regex): ".\*"  
@@ -24,8 +24,55 @@ This app supports investigative actions to profile domain names, get risk scores
 [comment]: # "either express or implied. See the License for the specific language governing permissions"
 [comment]: # "and limitations under the License."
 [comment]: # ""
-**Note:** For the playbooks on the domain tools data, visit
-[this](https://github.com/DomainTools/playbooks/tree/master/Splunk%20Phantom) Github repository.
+
+[comment]: # "Monitoring/Scheduling Playbook(s) feature"
+## DomainTools Iris Investigate Monitoring Playbook Feature
+This feature allows the user to schedule playbooks to run on an specified interval and run it on a specific container/event ID you provided on each row. Coupled with our reference playbooks, linked below, this can be a powerful tool to notify you of domain infrastructure changes, or when newly created domains match specific infrastructure you're monitoring. See the individual playbooks for more information. This readme covers how to set up Iris Monitoring for those playbooks.
+
+### Configuration
+This feature depends on the 1 asset configuration fields that are **required** when using this feature.
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Splunk SOAR HTTPS port (default: 8443) | Splunk SOAR HTTP port if your instance uses one other than the default, 8443 | 8443 | Yes |
+
+To configure this, you need to:
+1. Go to **Apps**
+2. Select **DomainTools Iris Investigate**
+3. Select a configured asset or create one if you don't have any.
+4. Go to **Asset Settings**
+5. Look for `Splunk SOAR HTTPS port (default: 8443)` field. By default it contains `8443` value.
+
+
+### Prerequisites
+This feature uses a custom list named `domaintools_scheduled_playbooks`. <br>
+To generate the custom list, you need to:
+1. Go to **Apps**
+2. Select **DomainTools Iris Investigate**
+3, Select a configured asset or create one if you don't have any.
+4. Go to **Actions** dropdown then;
+5. Select '`configure scheduled playbooks`' action, then;
+6. Hit `Test Action`.
+
+If you go back to custom list page. you should have the `domaintools_scheduled_playbooks` generated for you.
+
+**Note:** The values of this list has 6 columns and the header should not be altered. The last 3 columns are intentionally left blank and used by the playbook scheduler.<br>
+**Sample domaintools_scheduled_playbooks table:**
+| **repo/playbook_name** | **event_id** | **interval (mins)** | **last_run (server time)** | **last_run_status** | **remarks** |
+| --- | --- | --- | --- | --- | --- |
+| `local/DomainTools Monitor Domain Risk Score`| `<your_event_id>` | 1440 | | | |
+| `local/DomainTools Monitor Domain Infrastructure`| `<your_event_id>` | 1440 | | | |
+| `local/DomainTools Monitor Search Hash`| `<your_event_id>` | 1440 | | | |
+In this example, we've specified to run three separate monitoring playbooks on daily schedules. Note that each scheduled lookup will consume Iris Investigate queries, depending how many domains or Iris search hashes are being monitored.<br>
+
+### How to use monitoring/scheduling feature in DomainTools Iris Investigate App
+1. Under **Apps** > **DomainTools Iris Investigate** > **Asset Settings** > **Ingest Settings** > **Label**, specify or select a label to apply to objects from this source. <br>
+**Recommended:** Use a custom label rather using a predefined label like `events`.
+2. Specify a polling interval to check if playbooks need to be run. Note that this is separate from the playbook run interval specified in step 4. We **recommend** running **every minute** for the most accurate scheduling.
+3. Under Custom Lists > `domaintools_scheduled_playbooks` input your desired playbook schedule following the example in the Configuration Section<br>
+**Note:** Make sure the label of the **playbook** and **event_id** you inputted shares the label that you selected in *Step 1*. The `domaintools_scheduled_playbooks` custom list should have been created when you updated our installed the DomainTools app, but if you don't see it, you can generate it by following the **Prerequisites** section of this page.
+
+**Note:** For the DomainTools reference playbooks, see
+[this](https://github.com/DomainTools/playbooks/tree/main/Splunk%20SOAR) Github repository.
 
 
 ### Configuration Variables
@@ -44,6 +91,7 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 **custom_ssl_certificate** |  optional  | boolean | Use Custom SSL Certificate
 **ssl** |  optional  | boolean | Use SSL
 **custom_ssl_certificate_path** |  optional  | string | Custom SSL Certificate Path
+**http_port** |  optional  | string | Splunk SOAR HTTPS port (default: 8443)
 
 ### Supported Actions  
 [test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity  
@@ -55,6 +103,8 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 [reverse email](#action-reverse-email) - Find domains with email in Whois, DNS SOA or SSL certificate  
 [lookup domain](#action-lookup-domain) - Get all Iris Investigate data for a domain using the Iris Investigate API endpoint (required)  
 [enrich domain](#action-enrich-domain) - Get all Iris Investigate data for a domain except counts using the high volume Iris Enrich API endpoint (if provisioned)  
+[on poll](#action-on-poll) - Execute scheduled playbooks based on the set interval(mins) in 'domaintools_scheduled_playbooks' custom list. Smaller intervals will result in more accurate schedules  
+[configure scheduled playbooks](#action-configure-scheduled-playbooks) - Run on initial setup to configure the optional monitoring playbooks. This action creates a custom list to manage the playbook scheduling and run status.  
 
 ## action: 'test connectivity'
 Validate the asset configuration for connectivity
@@ -554,4 +604,28 @@ action_result.data.\*.website_title.value | string |  |
 action_result.summary | string |  |  
 action_result.message | string |  |  
 summary.total_objects | numeric |  |   1 
-summary.total_objects_successful | numeric |  |   1 
+summary.total_objects_successful | numeric |  |   1   
+
+## action: 'on poll'
+Execute scheduled playbooks based on the set interval(mins) in 'domaintools_scheduled_playbooks' custom list. Smaller intervals will result in more accurate schedules
+
+Type: **ingest**  
+Read only: **True**
+
+#### Action Parameters
+No parameters are required for this action
+
+#### Action Output
+No Output  
+
+## action: 'configure scheduled playbooks'
+Run on initial setup to configure the optional monitoring playbooks. This action creates a custom list to manage the playbook scheduling and run status.
+
+Type: **generic**  
+Read only: **True**
+
+#### Action Parameters
+No parameters are required for this action
+
+#### Action Output
+No Output
diff --git a/domaintools_iris.json b/domaintools_iris.json
@@ -7,8 +7,8 @@
     "type": "information",
     "license": "Copyright (c) 2019-2023 DomainTools, LLC",
     "main_module": "domaintools_iris_connector.py",
-    "app_version": "1.4.2",
-    "utctime_updated": "2023-07-14T15:44:30.000000Z",
+    "app_version": "1.5.0",
+    "utctime_updated": "2023-10-25T15:44:30.000000Z",
     "product_vendor": "DomainTools",
     "product_name": "DomainTools Iris Investigate",
     "product_version_regex": ".*",
@@ -91,6 +91,12 @@
             "description": "Custom SSL Certificate Path",
             "data_type": "string",
             "order": 10
+        },
+        "http_port": {
+            "description": "Splunk SOAR HTTPS port (default: 8443)",
+            "data_type": "string",
+            "default": "8443",
+            "order": 11
         }
     },
     "actions": [
@@ -2041,6 +2047,26 @@
                 }
             ],
             "versions": "EQ(*)"
+        },
+        {
+            "action": "on poll",
+            "description": "Execute scheduled playbooks based on the set interval(mins) in 'domaintools_scheduled_playbooks' custom list. Smaller intervals will result in more accurate schedules",
+            "type": "ingest",
+            "identifier": "on_poll",
+            "read_only": true,
+            "parameters": {},
+            "output": [],
+            "versions": "EQ(*)"
+        },
+        {
+            "action": "configure scheduled playbooks",
+            "description": "Run on initial setup to configure the optional monitoring playbooks. This action creates a custom list to manage the playbook scheduling and run status.",
+            "type": "generic",
+            "identifier": "configure_scheduled_playbooks",
+            "read_only": true,
+            "parameters": {},
+            "output": [],
+            "versions": "EQ(*)"
         }
     ],
     "pip39_dependencies": {
@@ -2131,5 +2157,6 @@
                 "input_file": "wheels/urllib3-1.26.16-py2.py3-none-any.whl"
             }
         ]
-    }
+    },
+    "executable": "spawn3"
 }