Digital Shadows
App Vendor: Digital Shadows
Connector Category: Data Enrichment and Threat Intelligence
App Version in Orchestrate: 2.0.0
API Version: 1.0.0
About App
Digital Shadows is designed to give an organisation control of its digital footprint and protect it against external threats by continuously identifying where assets are exposed, providing the context needed to understand the risk, and suggesting remediation. Using Digital Shadows, security analysts can discover fraudulent domains and take quick, confident action.
The Digital Shadows app allows security teams to connect to the enterprise version of Digital Shadows for better visibility into alerts and triage items. The Digital Shadows app is configured in the Orchestrate application to perform the following actions:
Action | Description |
---|---|
Get Alert | This action retrieves details about a particular alert. |
Get Triage Item | This action retrieves details about a particular triage item. |
Get All Triage Item Events | This action retrieves all the triage item events from Digital Shadows. |
Get All Alert Events | This action retrieves all the alert events from Digital Shadows. |
Get All Alerts | This action retrieves all alerts from Digital Shadows. |
Configuration Parameters
The following configuration parameters are required for the Digital Shadows app to communicate with the Digital Shadows enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Token | Enter the API token to authenticate to Digital Shadows. Example: "RN42S02IT" | Text | Required | |
Searchlight Account ID | Enter the Searchlight account ID to contextualise data with. Example: "test010203" | Text | Required | |
API Secret | Enter the API secret to authenticate to Digital Shadows. Example: "XXXXBCSJNPXZ7899gsh678B5TVOYWMARS" | Password | Required | |
Action: Get Alert
This action retrieves details about a particular alert such as classification, associated risk factors, risk level, and so on.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to get the corresponding alert details. Example: "00005283-869a" | Text | Required | You can retrieve the alert ID using the Get All Alerts action. |
Example Request
[ { "alert_id": "00005283-869a-49d1-aead-ec73cb130877" } ]
Action: Get Triage Item
This action retrieves details about a specific triage item.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Triage ID | Enter the triage item ID to retrieve the corresponding triage details. | Text | Required | You can retrieve the triage item ID using the Get All Triage Item Events action. |
Example Request
[ { "triage_id": "3ca266d3-4eb6-4852-a46a-9f42545fc412" } ]
Action: Get All Triage Item Events
This action retrieves all the triage item events from Digital Shadows.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Classification | Enter a classification to filter the triage item events. Triage item classifications correspond to the various alert and incident types. Example: "exposed-credential-alert" | Text | Optional | Allowed values: |
Limit | Enter the maximum number of responses to return, between 0 and 1000. Example: 500 | Integer | Optional | Default value: 200 |
Event Created Before | Specify the time to return events created before this value. Example: 2020-04-01T08:30:00Z | Text | Optional | |
Event Created After | Specify the time to return events created after this value. Example: 2020-04-01T08:30:00Z | Text | Optional | |
Classification Exclusion | Enter a list of classifications; only events whose classification is not in this list are returned. Example: ["marked-document-alert", "phishing-site-alert"] | List | Optional | Allowed values: |
Event Numbered After | Enter an event number; only events with a number greater than this value are returned. Example: 9 | Integer | Optional | |
Example Request
[ { "limit": 100, "classification": "exposed-credential-alert", "event-num-after": 9, "event-created-before": "2020-04-01T08:30:00Z", "event-created-after": "2020-04-01T08:30:00Z", "classification-exclusion": [ "marked-document-alert", "phishing-site-alert" ] } ]
Action: Get All Alert Events
This action retrieves all alert events from Digital Shadows that match the query parameters, including details such as alert-id and risk-level.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Classification | Enter a classification to filter the alert events. Classifications correspond to the various alert and incident types. Example: "exposed-credential-alert" | Text | Optional | Allowed values: |
Limit | Enter the maximum number of responses to return, between 0 and 1000. Example: 100 | Integer | Optional | |
Event Created Before | Specify the time to return events created before this value. Example: 2020-04-01T08:30:00Z | Text | Optional | |
Event Created After | Specify the time to return events created after this value. Example: 2020-04-01T08:30:00Z | Text | Optional | |
Classification Exclusion | Enter a list of classifications; only events whose classification is not in this list are returned. Example: ["marked-document-alert", "phishing-site-alert"] | List | Optional | Allowed values: |
Event Numbered After | Enter an event number; only events with a number greater than this value are returned. Example: 9 | Integer | Optional | |
Example Request
[ { "limit": 100, "classification": "exposed-credential-alert", "event-num-after": 9, "event-created-before": "2020-04-01T08:30:00Z", "event-created-after": "2020-04-01T08:30:00Z", "classification-exclusion": [ "marked-document-alert", "phishing-site-alert" ] } ]
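The two event actions above (Get All Triage Item Events and Get All Alert Events) take the same parameters, so a playbook can build and sanity-check their request body once. The following is an added example, not the app's own code: the key names, the 0 to 1000 limit and the default of 200 come from the tables above; the function names and the rejection of an inverted time window or a classification that is also on the exclusion list are assumptions about useful pre-checks, not documented API behaviour.

```python
from datetime import datetime, timezone

MAX_LIMIT = 1000      # documented range for "Limit": 0 to 1000
DEFAULT_LIMIT = 200   # documented default for triage item events


def _parse_ts(value):
    """Parse the timestamp form used in the tables, e.g. 2020-04-01T08:30:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_event_request(classification=None, limit=None, created_before=None,
                        created_after=None, classification_exclusion=(),
                        event_num_after=None):
    """Return the one-item request list shown in the Example Request sections.

    Raises ValueError for inputs the documented ranges would reject, and for
    combinations that cannot match anything (assumed checks, see lead-in)."""
    body = {}
    limit = DEFAULT_LIMIT if limit is None else int(limit)
    if not 0 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 0 and {MAX_LIMIT}, got {limit}")
    body["limit"] = limit

    if classification is not None:
        if classification in classification_exclusion:
            # A class that is both required and excluded can only yield nothing.
            raise ValueError(f"classification {classification!r} is also excluded")
        body["classification"] = classification

    if created_before is not None:
        before = _parse_ts(created_before)      # fail fast on a malformed value
        body["event-created-before"] = created_before
    if created_after is not None:
        after = _parse_ts(created_after)
        body["event-created-after"] = created_after
    if created_before is not None and created_after is not None and before < after:
        # An inverted window (upper bound earlier than lower bound) matches nothing.
        raise ValueError("event-created-before is earlier than event-created-after")

    if classification_exclusion:
        body["classification-exclusion"] = list(classification_exclusion)
    if event_num_after is not None:
        body["event-num-after"] = int(event_num_after)
    return [body]
```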
Action: Get All Alerts
This action retrieves all alerts from Digital Shadows.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID List | Enter a list of alert IDs to search for. The list can contain between 1 and 100 IDs. Example: ["ID1", "ID2", "ID3"] | List | Optional | |
Limit | Enter the maximum number of responses to return. Example: 10 | Integer | Optional | |
Offset | Enter the offset from which to start returning results. Example: 2 | Integer | Optional | |
Example Request
[ { "alert_id_list": ["ID1", "ID2", "ID3"], "limit": 3, "offset": 2 } ]