Obsidian
Version: 2.0.0
Obsidian is the cloud detection and response solution that delivers unified visibility of users, privileges and activity in SaaS, allowing you to detect and investigate breaches, uncover insider threats, and secure SaaS apps without affecting productivity.
Connect Obsidian with LogicHub
- Navigate to Automations > Integrations.
- Search for Obsidian.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- API Key: The API Key to connect to the Obsidian.
- After you've entered all the details, click Connect.
Actions for Obsidian
Get Events
Retrieves the list of events/activities based on filter criteria.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Start Time | Column name from the parent table to lookup value for start time (Default is Batch start time). Example: 2020-07-03T12:42:00Z | Optional |
| End Time | Column name from the parent table to lookup value for end time (Default is Batch end time). Example: 2020-07-10T20:42:31Z | Optional |
| Jinja Template for Query | Jinja-templated query containing the query. Example: {{column1}} {{column2}} | Optional |
| Jinja Template for Services | Jinja-templated query containing comma-separated service ids (Default is all services, Service id of Google is GOOGLE). Example: {{column1}}, {{column2}} | Optional |
| Jinja Template for Event Type | Jinja-templated query containing the obsidian event type (Default is all event types). Example: {{column1}}, {{column2}} | Optional |
| Status | Select a value for status to lookup (Default is all status). | Optional |
| Jinja Template for Service Event Type | Jinja-templated query containing the service event type (Default is all service event types). Example: {{column1}}, {{column2}} | Optional |
| Jinja Template for Tenant ID | Jinja-templated query containing the tenant id (Default is all tenant id). Example: {{column1}}, {{column2}} | Optional |
| Limit | Limit of rows to be returned (default is 500). | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of events/activities.
Get Alerts
Retrieves the list of alerts based on filter criteria.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Start Time | Column name from the parent table to lookup value for start time (Default is Batch start time). Example: 2020-07-03T12:42:00Z) | Optional |
| End Time | Column name from the parent table to lookup value for end time (Default is Batch end time). Example: 2020-07-10T20:42:31Z | Optional |
| Min Alert ID | Column name from the parent table to lookup value for minimum alert id (Default is all records). Records with the greater or equal value of id will be present in the result. | Optional |
| Max Alert ID | Column name from the parent table to lookup value for maximum alert id(Default is all records). Records with the lesser or equal value of id will be present in the result. | Optional |
| Status | Select a value for status to lookup (Default is all status). | Optional |
| Jinja Template for Query | Jinja-templated query containing the query. Example: {{column1}} {{column2}} | Optional |
| Severity | Select a value for severity to lookup (Default is all severity). | Optional |
| Jinja Template for Intelligence Names | Jinja-templated query containing the comma separated intelligence names. Example: {{column1}}, {{column2}} | Optional |
| Jinja Template for Alert IDs | Jinja-templated query containing the comma separated alert ids. Example: {{column1}}, {{column2}} | Optional |
| Jinja Template for Actor IDs | Jinja-templated query containing the comma separated actor ids. Example: {{column1}}, {{column2}} | Optional |
| Jinja Template for Target IDs | Jinja-templated query containing the comma separated target ids. Example: {{column1}}, {{column2}} | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of alerts.
Alert - Update Status
Update alert status.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert ID | Column name from the parent table to lookup value for alert id for the update. | Required |
| Alert Status | Select a value for alert status. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message.
Alert - Add Comment
Update alert status.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert ID | Column name from the parent table to lookup value for the alert ID. | Required |
| Jinja Template for Alert Comments | Jinja-templated query containing the comments. Example: {{column1}} {{column2}}. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message.
Get Alert Details by ID
Get the alert detailed information.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert ID | Column name from the parent table to lookup value for the alert ID. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Alert details.
Get Organization Context
Get the organization context-related information.
Input Field
Choose a connection that you have previously created to complete the connection.
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Organization context details.
Get User Details
Get the user detailed information. Action will pull the last 30 days of activity data for users.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Actor ID | Column name from the parent table to lookup value for actor ID. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: User details.
Release Notes
v2.0.0- Updated architecture to support IO via filesystem
Updated about 1 year ago