Requirements for publishing integration
Integration Requirements:
- Python 3.7 – we recommend developing all integrations in Python 3.7.
- Integration Description – the integration should include a description of the product you have chosen to integrate with.
- Icons
  - SVG Icon – each integration should be published with an SVG icon that will be used for all of the integration's icons in the platform.
  - PNG Icon – each integration should also include a PNG icon that will be displayed as the picture presented in the Google Security Operations Marketplace.
- Integration Category – we recommend defining the integration category to enable other users to filter the integration in the Google Security Operations Marketplace by its category (You can select one of the categories from the list in the Google Security Operations Marketplace).
- Dependencies – if there is a need to use external libraries, add the dependencies in the integration settings.
- Integration Parameters – each integration should include the parameters required for a successful integration with the product, including a description of the parameter.
- Manager – in order to avoid duplicating code, we recommend adding a manager to the integration. A manager is a Python file that can be referenced from every other script in the integration.
- Ping action – a ping action is a required action that tests whether the connection to the product succeeds. The result value of the action should be true when the connection is successful. This action should be disabled, since it is not an action that is used in a playbook.
- Linux – the integration should support CentOS 7 and above.
Action Requirements:
- Action description – each action should include a description that explains the functionality of the action.
- Action structure – we recommend following the template presented in the IDE when creating a new action.
- Action parameters – each action should include the parameters relevant to the action, including a description explaining the parameter. Make sure you match the type of the parameter according to the requirements of the action.
- Running an action in the context of an alert – we recommend creating actions in the context of an alert. This means applying the logic so that the action runs on a specific scope of entities, for example on URL entities. This can be done by using siemplify.target_entities, which returns a list of all the target entities in the scope we have chosen to run the action on. An example implementation can be found in the article "My first Action".
- JSON Result – for actions that return data, the action should return a JSON result by using the function add_result_json.
- Add JSON Example – we recommend adding a JSON example that can be used in the expression builder when creating a playbook with your integration. This can be done by clicking on the JSON icon in the IDE and importing your JSON example. The JSON example enables the user to use the JSON result values as "placeholders" in a playbook.
- Enrich Entities – if enrichment is relevant to the action, we recommend adding an enrichment step in the action to enrich the entities with the data coming from the product you integrated with. It is highly recommended to add a prefix to the enrichment field keys.
  For example, suppose we want to enrich an entity with the following data:
  entity_enrichment = {"first_name": "First Name", "last_name": "Last Name"}
  First, make sure that the dictionary is not nested and has only one level of hierarchy.
  Then, add the product name as a prefix. For example, in the following code we add the prefix "Zoom" to the new fields that are added by the enrichment action:
  entity_enrichment = add_prefix_to_dict(entity_enrichment, "Zoom")
  Then, update the additional properties of the specific entity by using the method:
  entity.additional_properties.update(entity_enrichment)
  Once the entity's additional properties have been updated, add them to the alert by using this method:
  siemplify.update_entities(enriched_entities)
  You can see the entity's full details by clicking on it.
- Logging – it is very important to add logs, especially in complicated actions. Every exception or error should be logged with the appropriate level, such as info, warn, error and exception.
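The enrichment steps above (flatness check, product prefix, additional_properties update, collection of the entities to hand to update_entities) worked through end to end as an added example; this is not code from the page or from the Google Security Operations SDK. It stands in for the SDK's add_prefix_to_dict helper and the entity object with minimal local definitions so that it runs offline, and assumes the helper joins prefix and key with an underscore.

```python
import json


class Entity:
    """Minimal stand-in for an SDK target entity (assumption, not the SDK class)."""

    def __init__(self, identifier, entity_type):
        self.identifier = identifier
        self.entity_type = entity_type
        self.additional_properties = {}


def add_prefix_to_dict(given_dict, prefix):
    """Local reimplementation of the SDK helper; the underscore separator is assumed."""
    return {"{}_{}".format(prefix, key): value for key, value in given_dict.items()}


def assert_flat(enrichment):
    """Enforce the single-hierarchy rule: no dict or list values in the enrichment."""
    for key, value in enrichment.items():
        if isinstance(value, (dict, list, tuple)):
            raise ValueError("enrichment field '{}' is nested; flatten it first".format(key))


def enrich_target_entities(target_entities, product_lookup, product_prefix):
    """Enrich each entity in scope with flat, prefixed product data.

    product_lookup maps an entity identifier to the raw dict returned by the
    product (constructed sample data here). Returns the entities that were
    actually enriched, ready for siemplify.update_entities(), and the payload
    an action would pass to add_result_json.
    """
    enriched_entities = []
    json_result = {}
    for entity in target_entities:
        raw = product_lookup.get(entity.identifier)
        if not raw:
            continue  # product knows nothing about this entity; leave it untouched
        assert_flat(raw)
        entity_enrichment = add_prefix_to_dict(raw, product_prefix)
        entity.additional_properties.update(entity_enrichment)
        enriched_entities.append(entity)
        json_result[entity.identifier] = raw
    return enriched_entities, json_result


# Constructed sample: two USER entities in the alert scope, only one known to the product.
SAMPLE_ENTITIES = [Entity("jdoe@example.com", "USER"), Entity("nobody@example.com", "USER")]
SAMPLE_LOOKUP = {"jdoe@example.com": {"first_name": "Jane", "last_name": "Doe"}}

if __name__ == "__main__":
    enriched, result = enrich_target_entities(SAMPLE_ENTITIES, SAMPLE_LOOKUP, "Zoom")
    print(json.dumps(result))
    print([e.additional_properties for e in enriched])
```

In a real action, target_entities is siemplify.target_entities and the returned list is what you pass to siemplify.update_entities().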