Accenture MSS
Leverage the power of Accenture Managed Security Services for continual threat monitoring and customized guidance 24x7.
Connect Accenture MSS with Devo SOAR
Navigate to Automations > Integrations.
Search for Accenture MSS.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
URL: URL to your Accenture MSS instance. Example: https://api.monitoredsecurity.com.
Certificate: Upload Certificate to access your Accenture MSS instance.
Passphrase: Enter Certificate passphrase.
After you've entered all the details, click Connect.
Actions for Accenture MSS
Incident: Get Recent List
Returns a list of security incidents based on given search parameters. If a parameter is left blank or null, the method will return incidents matching all values. This action searches on the created timestamp, updated timestamp, and LatestKeyEvent timestamp of the incidents.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Start Time | Jinja-templated text for star time to fetch incidents created since the specified date in UTC (Default is batch-start-time). | Â |
The format should be | Optional | Â |
End Time | Jinja-templated text for star time to fetch incidents created before the specified date in UTC (Default is batch-end-time). The format should be | Optional |
Severities | Jinja-templated text for comma-delimited list of valid Security Incident severities set by customers. | Optional |
Source Organizations | Jinja-templated text for comma-delimited list of valid Source Organizations. | Optional |
Destination Organizations | Jinja-templated text for comma-delimited list of valid Destination Organizations. | Optional |
Max Incidents | Enter the maximum number of incidents to return. | Optional |
Source IPs | Jinja-templated text for comma-delimited list of valid Source IP Addresses. | Optional |
Categories | Jinja-templated text for comma-delimited list of valid Security Incident Categories to include. | Optional |
Exclude Categories | Jinja-templated text for comma-delimited list of valid Security Incident Categories to exclude. | Optional |
Timeout for each parallel execution in seconds | Time out for per row API requests in seconds (default is no limit on the wait time). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
other keys containing information of Incident
``` {json}{ "Category": "No Category", "Classification": "Scan for Web Servers", "Correlation": "No", "CountryCode": "CC0", "CountryName": "CName0", "CountryOfOrigin": null, "CustomerSeverity": null, "DaysSeenGlobally": "0", "DaysSeenInLast30Days": "0", "DestOrganizationName": "Org0", "FirstSeenGlobally": "2020-12-16T13:05:38.9816284+00:00", "FirstSeenInLast30Days": "2020-12-16T13:05:38.9816284+00:00", "GlobalLookbackDays": "2", "HostNameList": null, "IncidentNumber": "565656", "IsInternalExternal": null, "LatestKeyEvent": "2020-12-16T13:05:38.9816284+00:00", "PrevalenceGlobally": "L", "Severity": "Informational", "SourceIPString": "0.0.0.0", "SourceOrganizationName": "Org1", "TimeCreated": "2020-12-16T13:05:38.9816284+00:00", "UpdateTimestampGMT": "2020-12-16T13:05:38.9816284+00:00", "UserList": null, "error": null, "has_error": false }
## Incident: Workflow Query
Returns incident details with workflow information for a given incident number.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Incident Number | Select column containing the incident number in the SOC. | Required |
| Max Signatures | If this parameter is set, the method only returns up to this number of Signatures for the Incident. It will first display the signatures with KeyEvents set to true then choose randomly from the other non-key events (default is empty). | Optional |
| Timeout for each parallel execution in seconds | Time out for per row API requests in seconds (default is no limit on the wait time). | Optional |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- other keys containing information of Incident with workflow
``` {json}{
"IncidentNumber": "566045",
"TimeCreated": "2020-12-16T13:09:05.1934129+00:00",
"Correlation": "Yes",
"Severity": "Informational",
"Classification": "Activity Summary - Scans for Web Servers",
"Description": "Scans for Web Servers have been detected",
"AnalystAssessment": "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.",
"CountryCode": "US",
"CountryName": "United States of America",
"NumberOfAnalyzedSignatures": "5",
"SourceOrganizationList": {
"Organization": [
{
"OrganizationName": "Org0"
},
{
"OrganizationName": "Org1"
},
{
"OrganizationName": "Org2"
},
{
"OrganizationName": "Org3"
},
{
"OrganizationName": "Org4"
},
{
"OrganizationName": "Org5"
},
{
"OrganizationName": "Org6"
},
{
"OrganizationName": "Org7"
},
{
"OrganizationName": "Org8"
},
{
"OrganizationName": "Org9"
}
]
},
"DestinationOrganizationList": {
"Organization": [
{
"OrganizationName": "Org0"
},
{
"OrganizationName": "Org1"
},
{
"OrganizationName": "Org2"
},
{
"OrganizationName": "Org3"
},
{
"OrganizationName": "Org4"
},
{
"OrganizationName": "Org5"
},
{
"OrganizationName": "Org6"
},
{
"OrganizationName": "Org7"
},
{
"OrganizationName": "Org8"
},
{
"OrganizationName": "Org9"
}
]
},
"RelatedTickets": null,
"SignatureList": {
"Signature": {
"SignatureNumber": "898989",
"SignatureName": "Symantec AV Alert",
"VendorSignature": null,
"FirstSeenInLast30Days": "0001-01-01T00:00:00",
"DaysSeenInLast30Days": "0",
"IsKey": "false",
"FirstSeenGlobally": "0001-01-01T00:00:00",
"DaysSeenGlobally": "0",
"PrevalenceGlobally": null,
"GlobalLookbackDays": "0",
"TimeCreated": "2020-12-16T13:10:05.1934129+00:00",
"Classification": null,
"Category": "Probes",
"SourceIPString": "0.0.0.0",
"HostName": "Host-0.0.0.0",
"NumberBlocked": "0",
"NumberNotBlocked": "0",
"CountryCode": "CC0",
"CountryName": "CName0",
"SourceOrganizationList": null,
"CorrelatedEvent": "No",
"Outcome": null,
"CorrelatedEventList": null,
"SourceIPAddressBinarySQL": null,
"NetworkRanges": null,
"FileDetails": null,
"ReportingDeviceList": null,
"AffectedAssetList": null,
"DestinationOrganizationList": null,
"SourceHostDetailList": null
}
},
"WorkFlowDetail": {
"Status": null,
"Resolution": null,
"Reference": null,
"AssignedOrganization": "Org1",
"AssignedPerson": null
},
"IncidentComments": {
"IncidentComment": {
"CommentedTimeStampGMT": "2012-05-12T00:00:00",
"Comment": "CommentTest",
"CommentedBy": "User1"
}
},
"ActivityLogs": {
"Activity": [
{
"FieldName": "WorkflowComment",
"OldValue": "Activity Summary - Insecure SNMP Community String",
"NewValue": "Activity Summary - Peer-to-Peer Usage",
"ActivityDateGMT": "2012-05-14T00:00:00",
"ActivityBy": "User1"
},
{
"FieldName": "Incident Type",
"OldValue": "-",
"NewValue": "Escalation Comment was added",
"ActivityDateGMT": "2012-07-14T00:00:00",
"ActivityBy": "User2"
}
]
},
"IncidentAttachmentItems": {
"IncidentAttachmentItem": {
"AttachmentNumber": "1234",
"AttachmentName": "Test.sample",
"UploadDateGMT": "2012-07-14T00:00:00",
"UploadBy": "User1",
"Comment": "Test"
}
},
"IsGroupIncidentAvailable": "false",
"RelatedIncidents": {
"IncidentNumber": [
"1235",
"123456",
"123457"
]
},
"error": null,
"has_error": false
}
Update Incident Workflow
Updates an incident workflow in Accenture MSS.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Incident Number | Select column containing the incident number in the SOC. | Required |
Status | Select column containing status to update with. | Required |
Status Resolution | Select column containing Incident Status Resolution to update with. | Required |
Severity | Select column containing Incident Severity to update with. | Required |
Reference Comments | Select column containing reference comments to update with. | Optional |
Assigned to Organization | Select column containing Organization to update assignee with. Exactly one of AssigneeOrganization or AssigneePerson should be non-empty in the parent table. | Optional |
Assigned to Person | Person to update assignee with. Exactly one of AssigneeOrganization or AssigneePerson should be non-empty in the parent table. | Optional |
Comments | Jinja-templated comments to update the incident with. | Optional |
Group Update | Select column containing a value for performing group update true/false. If true, workflow changes are applied to this incident as well as related incidents. Set it to true only if the incident has any related incidents, otherwise, it will throw a DataNotFound exception. | Optional |
Timeout for each parallel execution in seconds | Time out for per row API requests in seconds (Default is no limit on the wait time). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Update operation reported a failure at Accenture MSS/Successfully updated.
``` {json}{ "result": "Successfully updated.", "error": null, "has_error": false }
## Incident: Create Ticket
Creates a ticket for an Incident in Accenture MSS.
> If you encounter a TooManyRequests error, try setting an appropriate value for `Time between consecutive API requests (in millis)` (like 6000).
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :------- |
| Incident Template | [Jinja-templated](doc:jinja-template) XML body of IncidentCreateRequest containing details of the ticket being created. | Required |
| Attachment File ID | Select column containing comma-delimited Devo SOAR File Ids to upload as attachments. Example: `04d717dd33114e57a2e73583ecdcdedc, e552f9a8dbb847d4b969bae566d869b9`. | Optional |
| Timeout for each parallel execution in seconds | Time out for per row API requests in seconds (Default is no limit on the wait time). | Optional |
```xml
<IncidentRequestCreate>
<IncidentNumber>{{incident_number_column}}</IncidentNumber>
<UrgencyName>{{urgency_column}}</UrgencyName>
<Description>LogicHub created Ticket {{incident_number_column}}</Description>
<RequestedByOrgName>{{requested_org_column}}</RequestedByOrgName>
<AssignedToOrgName>{{assigned_org_column}}</AssignedToOrgName>
<ActivityLog>Created by LogicHub</ActivityLog>
</IncidentRequestCreate>
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
other keys containing details on the ticket created
``` {json}{ "TicketID": "SC1234", "FilesAttachedCount": "0", "FilesRejected": null, "error": null, "has_error": false }
## Ticket: Query
Returns details of a given ticket by TicketID or ClientReference.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Ticket ID | Select column containing the ticket number in the SOC. Either this field or Client Reference can be blank. If both fields are specified, the Ticket ID will be used. | Optional |
| Client Reference | Select column containing the customer reference ticket number specified during ticket creation (currently, via the portal). Either this field or Ticket ID can be blank. | Optional |
| Timeout for each parallel execution in seconds | Time out for per row API requests in seconds (default is no limit on the wait time). | Optional |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- other keys containing information of Ticket
``` {json}{
"TicketID": "SC12345",
"TicketCategory": "Alarm / Collection Outages",
"Urgency": "High",
"Description": "Lorem ipsum dolor sit amet",
"RequestedByOrgID": "98765432",
"RequestedByOrgName": "Org0",
"AssignedToOrgID": "98765433",
"AssignedToOrgName": "Org1",
"CreatedDate": "2020-12-16T12:47:06.7034955+00:00",
"LastUpdated": "2020-12-16T13:02:06.7034955+00:00",
"ClosedDate": "2020-12-16T13:17:06.7034955+00:00",
"Deadline": "2020-12-17T12:47:06.7034955+00:00",
"ActivityLog": "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.",
"ClosureCodeString": null,
"RequestedByPersonName": "Doe, James",
"Active": "false",
"Status": "Closed",
"ClientReference": "portal",
"UpdateTimestampGMT": "0001-01-01T00:00:00",
"RelatedTickets": null,
"RelatedDeviceList": {
"Device": [
{
"DeviceName": "Test0",
"SearchCode": "Test0",
"Status": "Production",
"OwnerOrganization": "Org0",
"LastLogReceived": "2020-12-16T13:32:06.7034955+00:00",
"ChangeManager": "true"
},
{
"DeviceName": "Test1",
"SearchCode": "Test1",
"Status": "Production",
"OwnerOrganization": "Org1",
"LastLogReceived": "2020-12-16T13:31:06.7034955+00:00",
"ChangeManager": "false"
},
{
"DeviceName": "Test2",
"SearchCode": "Test2",
"Status": "Production",
"OwnerOrganization": "Org2",
"LastLogReceived": "2020-12-16T13:30:06.7034955+00:00",
"ChangeManager": "true"
},
{
"DeviceName": "Test3",
"SearchCode": "Test3",
"Status": "Production",
"OwnerOrganization": "Org3",
"LastLogReceived": "2020-12-16T13:29:06.7034955+00:00",
"ChangeManager": "false"
},
{
"DeviceName": "Test4",
"SearchCode": "Test4",
"Status": "Production",
"OwnerOrganization": "Org4",
"LastLogReceived": "2020-12-16T13:28:06.7034955+00:00",
"ChangeManager": "true"
},
{
"DeviceName": "Test5",
"SearchCode": "Test5",
"Status": "Production",
"OwnerOrganization": "Org5",
"LastLogReceived": "2020-12-16T13:27:06.7034955+00:00",
"ChangeManager": "false"
},
{
"DeviceName": "Test6",
"SearchCode": "Test6",
"Status": "Production",
"OwnerOrganization": "Org6",
"LastLogReceived": "2020-12-16T13:26:06.7034955+00:00",
"ChangeManager": "true"
},
{
"DeviceName": "Test7",
"SearchCode": "Test7",
"Status": "Production",
"OwnerOrganization": "Org7",
"LastLogReceived": "2020-12-16T13:25:06.7034955+00:00",
"ChangeManager": "false"
},
{
"DeviceName": "Test8",
"SearchCode": "Test8",
"Status": "Production",
"OwnerOrganization": "Org8",
"LastLogReceived": "2020-12-16T13:24:06.7034955+00:00",
"ChangeManager": "true"
},
{
"DeviceName": "Test9",
"SearchCode": "Test9",
"Status": "Production",
"OwnerOrganization": "Org9",
"LastLogReceived": "2020-12-16T13:23:06.7034955+00:00",
"ChangeManager": "false"
}
]
},
"RelatedSecurityIncidents": null,
"LastModifiedDate": "2020-12-16T13:02:06.7034955+00:00",
"error": null,
"has_error": false
}
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem