Document toolboxDocument toolbox

Accenture MSS

Leverage the power of Accenture Managed Security Services for continual threat monitoring and customized guidance 24x7.

Connect Accenture MSS with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Accenture MSS.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. URL: URL to your Accenture MSS instance. Example: https://api.monitoredsecurity.com.

  9. Certificate: Upload Certificate to access your Accenture MSS instance.

  10. Passphrase: Enter Certificate passphrase.

  11. After you've entered all the details, click Connect.

Actions for Accenture MSS

Incident: Get Recent List

Returns a list of security incidents based on given search parameters. If a parameter is left blank or null, the method will return incidents matching all values. This action searches on the created timestamp, updated timestamp, and LatestKeyEvent timestamp of the incidents.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Start Time

Jinja-templated text for star time to fetch incidents created since the specified date in UTC (Default is batch-start-time).

 

The format should be %Y-%m-%dT%H:%M:%S. Example: {{start_time_column}}

Optional

 

End Time

Jinja-templated text for star time to fetch incidents created before the specified date in UTC (Default is batch-end-time). The format should be %Y-%m-%dT%H:%M:%S. Example: {{end_time_column}}

Optional

Severities

Jinja-templated text for comma-delimited list of valid Security Incident severities set by customers.

Optional

Source Organizations

Jinja-templated text for comma-delimited list of valid Source Organizations.

Optional

Destination Organizations

Jinja-templated text for comma-delimited list of valid Destination Organizations.

Optional

Max Incidents

Enter the maximum number of incidents to return.

Optional

Source IPs

Jinja-templated text for comma-delimited list of valid Source IP Addresses.

Optional

Categories

Jinja-templated text for comma-delimited list of valid Security Incident Categories to include.

Optional

Exclude Categories

Jinja-templated text for comma-delimited list of valid Security Incident Categories to exclude.

Optional

Timeout for each parallel execution in seconds

Time out for per row API requests in seconds (default is no limit on the wait time).

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other keys containing information of Incident

``` {json}{ "Category": "No Category", "Classification": "Scan for Web Servers", "Correlation": "No", "CountryCode": "CC0", "CountryName": "CName0", "CountryOfOrigin": null, "CustomerSeverity": null, "DaysSeenGlobally": "0", "DaysSeenInLast30Days": "0", "DestOrganizationName": "Org0", "FirstSeenGlobally": "2020-12-16T13:05:38.9816284+00:00", "FirstSeenInLast30Days": "2020-12-16T13:05:38.9816284+00:00", "GlobalLookbackDays": "2", "HostNameList": null, "IncidentNumber": "565656", "IsInternalExternal": null, "LatestKeyEvent": "2020-12-16T13:05:38.9816284+00:00", "PrevalenceGlobally": "L", "Severity": "Informational", "SourceIPString": "0.0.0.0", "SourceOrganizationName": "Org1", "TimeCreated": "2020-12-16T13:05:38.9816284+00:00", "UpdateTimestampGMT": "2020-12-16T13:05:38.9816284+00:00", "UserList": null, "error": null, "has_error": false }

## Incident: Workflow Query Returns incident details with workflow information for a given incident number. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | :--------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- | | Incident Number | Select column containing the incident number in the SOC. | Required | | Max Signatures | If this parameter is set, the method only returns up to this number of Signatures for the Incident. It will first display the signatures with KeyEvents set to true then choose randomly from the other non-key events (default is empty). | Optional | | Timeout for each parallel execution in seconds | Time out for per row API requests in seconds (default is no limit on the wait time). | Optional | ### Output A JSON object containing multiple rows of result: - has_error: True/False - error: message/null - other keys containing information of Incident with workflow ``` {json}{ "IncidentNumber": "566045", "TimeCreated": "2020-12-16T13:09:05.1934129+00:00", "Correlation": "Yes", "Severity": "Informational", "Classification": "Activity Summary - Scans for Web Servers", "Description": "Scans for Web Servers have been detected", "AnalystAssessment": "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.", "CountryCode": "US", "CountryName": "United States of America", "NumberOfAnalyzedSignatures": "5", "SourceOrganizationList": { "Organization": [ { "OrganizationName": "Org0" }, { "OrganizationName": "Org1" }, { "OrganizationName": "Org2" }, { "OrganizationName": "Org3" }, { "OrganizationName": "Org4" }, { "OrganizationName": "Org5" }, { "OrganizationName": "Org6" }, { "OrganizationName": "Org7" }, { "OrganizationName": "Org8" }, { "OrganizationName": "Org9" } ] }, "DestinationOrganizationList": { "Organization": [ { "OrganizationName": "Org0" }, { "OrganizationName": "Org1" }, { "OrganizationName": "Org2" }, { "OrganizationName": "Org3" }, { "OrganizationName": "Org4" }, { "OrganizationName": "Org5" }, { "OrganizationName": "Org6" }, { "OrganizationName": "Org7" }, { "OrganizationName": "Org8" }, { "OrganizationName": "Org9" } ] }, "RelatedTickets": null, "SignatureList": { "Signature": { "SignatureNumber": "898989", "SignatureName": "Symantec AV Alert", "VendorSignature": null, "FirstSeenInLast30Days": "0001-01-01T00:00:00", "DaysSeenInLast30Days": "0", "IsKey": "false", "FirstSeenGlobally": "0001-01-01T00:00:00", "DaysSeenGlobally": "0", "PrevalenceGlobally": null, "GlobalLookbackDays": "0", "TimeCreated": "2020-12-16T13:10:05.1934129+00:00", "Classification": null, "Category": "Probes", "SourceIPString": "0.0.0.0", "HostName": "Host-0.0.0.0", "NumberBlocked": "0", "NumberNotBlocked": "0", "CountryCode": "CC0", "CountryName": "CName0", "SourceOrganizationList": null, "CorrelatedEvent": "No", "Outcome": null, "CorrelatedEventList": null, "SourceIPAddressBinarySQL": null, "NetworkRanges": null, "FileDetails": null, "ReportingDeviceList": null, "AffectedAssetList": null, "DestinationOrganizationList": null, "SourceHostDetailList": null } }, "WorkFlowDetail": { "Status": null, "Resolution": null, "Reference": null, "AssignedOrganization": "Org1", "AssignedPerson": null }, "IncidentComments": { "IncidentComment": { "CommentedTimeStampGMT": "2012-05-12T00:00:00", "Comment": "CommentTest", "CommentedBy": "User1" } }, "ActivityLogs": { "Activity": [ { "FieldName": "WorkflowComment", "OldValue": "Activity Summary - Insecure SNMP Community String", "NewValue": "Activity Summary - Peer-to-Peer Usage", "ActivityDateGMT": "2012-05-14T00:00:00", "ActivityBy": "User1" }, { "FieldName": "Incident Type", "OldValue": "-", "NewValue": "Escalation Comment was added", "ActivityDateGMT": "2012-07-14T00:00:00", "ActivityBy": "User2" } ] }, "IncidentAttachmentItems": { "IncidentAttachmentItem": { "AttachmentNumber": "1234", "AttachmentName": "Test.sample", "UploadDateGMT": "2012-07-14T00:00:00", "UploadBy": "User1", "Comment": "Test" } }, "IsGroupIncidentAvailable": "false", "RelatedIncidents": { "IncidentNumber": [ "1235", "123456", "123457" ] }, "error": null, "has_error": false }

Update Incident Workflow

Updates an incident workflow in Accenture MSS.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Incident Number

Select column containing the incident number in the SOC.

Required

Status

Select column containing status to update with.

Required

Status Resolution

Select column containing Incident Status Resolution to update with.

Required

Severity

Select column containing Incident Severity to update with.

Required

Reference Comments

Select column containing reference comments to update with.

Optional

Assigned to Organization

Select column containing Organization to update assignee with. Exactly one of AssigneeOrganization or AssigneePerson should be non-empty in the parent table.

Optional

Assigned to Person

Person to update assignee with. Exactly one of AssigneeOrganization or AssigneePerson should be non-empty in the parent table.

Optional

Comments

Jinja-templated comments to update the incident with.

Optional

Group Update

Select column containing a value for performing group update true/false. If true, workflow changes are applied to this incident as well as related incidents. Set it to true only if the incident has any related incidents, otherwise, it will throw a DataNotFound exception.

Optional

Timeout for each parallel execution in seconds

Time out for per row API requests in seconds (Default is no limit on the wait time).

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Update operation reported a failure at Accenture MSS/Successfully updated.

``` {json}{ "result": "Successfully updated.", "error": null, "has_error": false }

## Incident: Create Ticket Creates a ticket for an Incident in Accenture MSS. > If you encounter a TooManyRequests error, try setting an appropriate value for `Time between consecutive API requests (in millis)` (like 6000). ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | :--------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :------- | | Incident Template | [Jinja-templated](doc:jinja-template) XML body of IncidentCreateRequest containing details of the ticket being created. | Required | | Attachment File ID | Select column containing comma-delimited Devo SOAR File Ids to upload as attachments. Example: `04d717dd33114e57a2e73583ecdcdedc, e552f9a8dbb847d4b969bae566d869b9`. | Optional | | Timeout for each parallel execution in seconds | Time out for per row API requests in seconds (Default is no limit on the wait time). | Optional | ```xml <IncidentRequestCreate> <IncidentNumber>{{incident_number_column}}</IncidentNumber> <UrgencyName>{{urgency_column}}</UrgencyName> <Description>LogicHub created Ticket {{incident_number_column}}</Description> <RequestedByOrgName>{{requested_org_column}}</RequestedByOrgName> <AssignedToOrgName>{{assigned_org_column}}</AssignedToOrgName> <ActivityLog>Created by LogicHub</ActivityLog> </IncidentRequestCreate>

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other keys containing details on the ticket created

``` {json}{ "TicketID": "SC1234", "FilesAttachedCount": "0", "FilesRejected": null, "error": null, "has_error": false }

## Ticket: Query Returns details of a given ticket by TicketID or ClientReference. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | :--------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- | | Ticket ID | Select column containing the ticket number in the SOC. Either this field or Client Reference can be blank. If both fields are specified, the Ticket ID will be used. | Optional | | Client Reference | Select column containing the customer reference ticket number specified during ticket creation (currently, via the portal). Either this field or Ticket ID can be blank. | Optional | | Timeout for each parallel execution in seconds | Time out for per row API requests in seconds (default is no limit on the wait time). | Optional | ### Output A JSON object containing multiple rows of result: - has_error: True/False - error: message/null - other keys containing information of Ticket ``` {json}{ "TicketID": "SC12345", "TicketCategory": "Alarm / Collection Outages", "Urgency": "High", "Description": "Lorem ipsum dolor sit amet", "RequestedByOrgID": "98765432", "RequestedByOrgName": "Org0", "AssignedToOrgID": "98765433", "AssignedToOrgName": "Org1", "CreatedDate": "2020-12-16T12:47:06.7034955+00:00", "LastUpdated": "2020-12-16T13:02:06.7034955+00:00", "ClosedDate": "2020-12-16T13:17:06.7034955+00:00", "Deadline": "2020-12-17T12:47:06.7034955+00:00", "ActivityLog": "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.", "ClosureCodeString": null, "RequestedByPersonName": "Doe, James", "Active": "false", "Status": "Closed", "ClientReference": "portal", "UpdateTimestampGMT": "0001-01-01T00:00:00", "RelatedTickets": null, "RelatedDeviceList": { "Device": [ { "DeviceName": "Test0", "SearchCode": "Test0", "Status": "Production", "OwnerOrganization": "Org0", "LastLogReceived": "2020-12-16T13:32:06.7034955+00:00", "ChangeManager": "true" }, { "DeviceName": "Test1", "SearchCode": "Test1", "Status": "Production", "OwnerOrganization": "Org1", "LastLogReceived": "2020-12-16T13:31:06.7034955+00:00", "ChangeManager": "false" }, { "DeviceName": "Test2", "SearchCode": "Test2", "Status": "Production", "OwnerOrganization": "Org2", "LastLogReceived": "2020-12-16T13:30:06.7034955+00:00", "ChangeManager": "true" }, { "DeviceName": "Test3", "SearchCode": "Test3", "Status": "Production", "OwnerOrganization": "Org3", "LastLogReceived": "2020-12-16T13:29:06.7034955+00:00", "ChangeManager": "false" }, { "DeviceName": "Test4", "SearchCode": "Test4", "Status": "Production", "OwnerOrganization": "Org4", "LastLogReceived": "2020-12-16T13:28:06.7034955+00:00", "ChangeManager": "true" }, { "DeviceName": "Test5", "SearchCode": "Test5", "Status": "Production", "OwnerOrganization": "Org5", "LastLogReceived": "2020-12-16T13:27:06.7034955+00:00", "ChangeManager": "false" }, { "DeviceName": "Test6", "SearchCode": "Test6", "Status": "Production", "OwnerOrganization": "Org6", "LastLogReceived": "2020-12-16T13:26:06.7034955+00:00", "ChangeManager": "true" }, { "DeviceName": "Test7", "SearchCode": "Test7", "Status": "Production", "OwnerOrganization": "Org7", "LastLogReceived": "2020-12-16T13:25:06.7034955+00:00", "ChangeManager": "false" }, { "DeviceName": "Test8", "SearchCode": "Test8", "Status": "Production", "OwnerOrganization": "Org8", "LastLogReceived": "2020-12-16T13:24:06.7034955+00:00", "ChangeManager": "true" }, { "DeviceName": "Test9", "SearchCode": "Test9", "Status": "Production", "OwnerOrganization": "Org9", "LastLogReceived": "2020-12-16T13:23:06.7034955+00:00", "ChangeManager": "false" } ] }, "RelatedSecurityIncidents": null, "LastModifiedDate": "2020-12-16T13:02:06.7034955+00:00", "error": null, "has_error": false }

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem