Obsidian

Obsidian is the cloud detection and response solution that delivers unified visibility of users, privileges and activity in SaaS, allowing you to detect and investigate breaches, uncover insider threats, and secure SaaS apps without affecting productivity.

Connect Obsidian with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Obsidian.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select whether to verify the connecting server's SSL certificate (default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. API Key: The API key used to connect to Obsidian.

  9. After you've entered all the details, click Connect.

Actions for Obsidian

Get Events

Retrieves the list of events/activities based on filter criteria.

Input Field

Choose a connection that you have previously created, then fill in the following input fields.

  • Start Time (Optional): Column name from the parent table to look up the start time value (default is Batch start time). Example: 2020-07-03T12:42:00Z

  • End Time (Optional): Column name from the parent table to look up the end time value (default is Batch end time). Example: 2020-07-10T20:42:31Z

  • Jinja Template for Query (Optional): Jinja-templated query string. Example: {{column1}} {{column2}}

  • Jinja Template for Services (Optional): Jinja-templated string containing comma-separated service IDs (default is all services; the service ID of Google is GOOGLE). Example: {{column1}}, {{column2}}

  • Jinja Template for Event Type (Optional): Jinja-templated string containing the Obsidian event type (default is all event types). Example: {{column1}}, {{column2}}

  • Status (Optional): Select the status to look up (default is all statuses).

  • Jinja Template for Service Event Type (Optional): Jinja-templated string containing the service event type (default is all service event types). Example: {{column1}}, {{column2}}

  • Jinja Template for Tenant ID (Optional): Jinja-templated string containing the tenant ID (default is all tenant IDs). Example: {{column1}}, {{column2}}

  • Limit (Optional): Maximum number of rows to return (default is 500).

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of events/activities.

Get Alerts

Retrieves the list of alerts based on filter criteria.

Input Field

Choose a connection that you have previously created, then fill in the following input fields.

  • Start Time (Optional): Column name from the parent table to look up the start time value (default is Batch start time). Example: 2020-07-03T12:42:00Z

  • End Time (Optional): Column name from the parent table to look up the end time value (default is Batch end time). Example: 2020-07-10T20:42:31Z

  • Min Alert ID (Optional): Column name from the parent table to look up the minimum alert ID (default is all records). Records whose ID is greater than or equal to this value are included in the result.

  • Max Alert ID (Optional): Column name from the parent table to look up the maximum alert ID (default is all records). Records whose ID is less than or equal to this value are included in the result.

  • Status (Optional): Select the status to look up (default is all statuses).

  • Jinja Template for Query (Optional): Jinja-templated query string. Example: {{column1}} {{column2}}

  • Severity (Optional): Select the severity to look up (default is all severities).

  • Jinja Template for Intelligence Names (Optional): Jinja-templated string containing comma-separated intelligence names. Example: {{column1}}, {{column2}}

  • Jinja Template for Alert IDs (Optional): Jinja-templated string containing comma-separated alert IDs. Example: {{column1}}, {{column2}}

  • Jinja Template for Actor IDs (Optional): Jinja-templated string containing comma-separated actor IDs. Example: {{column1}}, {{column2}}

  • Jinja Template for Target IDs (Optional): Jinja-templated string containing comma-separated target IDs. Example: {{column1}}, {{column2}}

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of alerts.
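The following is an added example, not code from Devo or Obsidian, showing how a downstream playbook step would consume the inputs and outputs described for Get Events and Get Alerts: rendering the {{column}} placeholders from a parent-table row, splitting a comma-separated ID list, checking the has_error/error/result envelope before using result, and advancing the Min Alert ID checkpoint for the next poll. The parent row, the sample output and the minimal placeholder renderer (a stand-in for Devo SOAR's Jinja rendering) are assumptions made for the example.

```python
import re

# Constructed sample data (not from the page): a parent-table row as a
# Devo SOAR step would pass it, and one action output in the documented
# has_error / error / result shape.
PARENT_ROW = {"column1": "1001", "column2": "1002", "last_seen": "1000"}
SAMPLE_OUTPUT = {
    "has_error": False,
    "error": None,
    "result": [{"id": 1001, "status": "open"}, {"id": 1002, "status": "open"}],
}

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, row: dict) -> str:
    """Substitute {{column}} placeholders with values from the parent row.
    Deliberately minimal stand-in for the Jinja rendering Devo SOAR does;
    filters and control blocks are not supported. Unknown columns fail
    loudly instead of silently rendering an empty filter."""
    def substitute(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"template references unknown column {name!r}")
        return str(row[name])
    return PLACEHOLDER.sub(substitute, template)


def split_ids(rendered: str) -> list:
    """Turn a rendered comma-separated list (alert, actor, target or
    service IDs) into clean tokens, dropping empty entries."""
    return [part.strip() for part in rendered.split(",") if part.strip()]


def unwrap(output: dict) -> list:
    """Check the envelope before touching result: has_error True means
    result is not trustworthy, so stop the playbook branch here."""
    if output.get("has_error"):
        raise RuntimeError(f"Obsidian action failed: {output.get('error')}")
    return list(output.get("result") or [])


def next_min_alert_id(alerts: list, current_min: int) -> int:
    """Min Alert ID is inclusive, so a polling playbook must advance past
    the largest ID already processed or it re-fetches the same alerts."""
    seen = [int(alert["id"]) for alert in alerts]
    return max(seen) + 1 if seen else current_min
```

With the sample data, `split_ids(render("{{column1}}, {{column2}}", PARENT_ROW))` yields the two alert IDs and `next_min_alert_id(unwrap(SAMPLE_OUTPUT), 1000)` returns 1003, the value to store as the next run's Min Alert ID.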

Alert - Update Status

Update alert status.

Input Field

Choose a connection that you have previously created, then fill in the following input fields.

  • Alert ID (Required): Column name from the parent table to look up the ID of the alert to update.

  • Alert Status (Required): Select the new alert status.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Success/Failure message.

Alert - Add Comment

Add a comment to an alert.

Input Field

Choose a connection that you have previously created, then fill in the following input fields.

  • Alert ID (Required): Column name from the parent table to look up the alert ID.

  • Jinja Template for Alert Comments (Required): Jinja-templated string containing the comment text. Example: {{column1}} {{column2}}

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Success/Failure message.

Get Alert Details by ID

Get the alert detailed information.

Input Field

Choose a connection that you have previously created, then fill in the following input fields.

  • Alert ID (Required): Column name from the parent table to look up the alert ID.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Alert details.

Get Organization Context

Get the organization context-related information.

Input Field

Choose a connection that you have previously created; this action takes no other inputs.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Organization context details.

Get User Details

Get detailed information about a user. The action pulls the last 30 days of activity data for the user.

Input Field

Choose a connection that you have previously created, then fill in the following input fields.

  • Actor ID (Required): Column name from the parent table to look up the actor ID.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: User details.

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem