Stairwell
App Vendor: Stairwell
App Category: Data Enrichment & Threat Intelligence
Connector Version: 1.3.0
API Version: 1.0.0
About App
Stairwell helps security teams outsmart any attacker, put intelligence into action, and take back the cybersecurity high ground with the inception platform.
The Stairwell app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add Tag to Object | This action adds a tag to an object. |
Get File Reputation | This action retrieves the reputation information for a file hash. |
Get Inception Variants | This action retrieves the inception variants for a file hash. |
Submit File for Detonation | This action submits a file for detonation. |
Get Notifications | This action retrieves notifications. |
Generic Action | This is a generic action to perform any additional use case that you want on Stairwell. |
Update YARA Rule | This action updates a YARA rule in Stairwell. |
Upload YARA Rule | This action uploads a new YARA rule in Stairwell. |
Configuration Parameters
The following configuration parameters are required for the Stairwell app to communicate with the Stairwell enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Key | Enter the API key to connect to the Stairwell application. Example: "unbbwpdqy9mk123rrmkprnfabc7dm3kjh9rjd9w9437lm3a" | Password | Required | |
Timeout | Enter the timeout value for the actions. | Integer | Optional | Allowed value: 15 - 120. Default value: 15 |
SSL Verification | Enter the SSL verification status. | Boolean | Optional | Allowed values: true, false. Default value: true |
Action: Add Tag to Object
This action adds a tag to an object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tag | Enter a tag that you need to add to the object. Example: "dlpstatus-notdetected" | Text | Required | |
Environment ID | Enter the environment ID of the object. Example: "67l9bw-p6qxl9-sa8hp9-79nrlbrj" | Text | Required | |
Object Type | Enter the object type. Example: "sha1" | Text | Required | |
Object ID | Enter the object ID. Example: "c3af5fc4fiee141fe11ab14a22b03ff955a0ddac8da7c6c49f38d22960cf2756" | Text | Required |
Example Request
[ { "tag": "playbook_tag_2022-09-26 18:17:38.664766", "object_id": "2fc2cde68c0e9362299f4bb08963eeca1d0772b4", "object_type": "sha1", "environment_id": "67L9BW-P6QXL9-SA8HP9-79NRLBRJ" } ]
Action: Get File Reputation
This action retrieves the reputation information for a file hash.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Hash | Enter the file hash to retrieve the file reputation (md5, sha-1, or sha-256 hash) Example: "63c07fee52774afc380f0b005345fcc0" | Text | Required |
Example Request
[ { "file_hash": "63c07fee52774afc380f0b005345fcc0" } ]
Action: Get Inception Variants
This action retrieves the inception variants for a file hash.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Hash | Enter the hash value to retrieve the inception variants for a file hash. Note: Currently, only SHA256 is supported. Example: "63c07fee52774afc380f0b005345fcc0" | Text | Required | |
Example Request
[ { "file_hash": "63c07fee52774afc380f0b005345fcc0" } ]
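A pre-flight check for the three hash-taking actions above, as an added example that is not part of the connector documentation: it classifies a digest by length, rejects non-SHA256 input for Get Inception Variants, and checks that the object type given to Add Tag to Object matches the object ID. The function names are hypothetical, and the object type names "md5" and "sha256" are assumed by analogy with the documented "sha1".

```python
import re

# Hex digest lengths for the hash types named on this page.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGEST = re.compile(r"[0-9a-f]+")


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, else raise ValueError."""
    digest = value.strip().lower()
    if not HEX_DIGEST.fullmatch(digest):
        raise ValueError(f"not a hex digest: {value!r}")
    if len(digest) not in HASH_LENGTHS:
        raise ValueError(f"unexpected digest length {len(digest)}")
    return HASH_LENGTHS[len(digest)]


def reputation_request(file_hash):
    """Get File Reputation input: md5, sha-1 and sha-256 are accepted."""
    classify_hash(file_hash)
    return [{"file_hash": file_hash.strip().lower()}]


def variants_request(file_hash):
    """Get Inception Variants input: only SHA256 is supported."""
    kind = classify_hash(file_hash)
    if kind != "sha256":
        raise ValueError(f"Get Inception Variants needs sha256, got {kind}")
    return [{"file_hash": file_hash.strip().lower()}]


def add_tag_request(tag, environment_id, object_type, object_id):
    """Add Tag to Object input; assumes the object is identified by a file hash."""
    kind = classify_hash(object_id)
    if kind != object_type:
        raise ValueError(f"object_type {object_type!r} but object_id is {kind}")
    return [{"tag": tag, "object_id": object_id.strip().lower(),
             "object_type": object_type, "environment_id": environment_id}]


if __name__ == "__main__":
    # Hash value taken from the Example Request above.
    print(reputation_request("63c07fee52774afc380f0b005345fcc0"))
```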
Action: Submit File for Detonation
This action submits a file for detonation.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Name | Enter the path and name of the file to upload for detonation. Example: "tmp/b477f311-f569-4d8c-987c-b439be4384ac/test_fie" | Text | Required | |
Inception Asset ID | Enter the inception asset ID. Example: "AT3UZX-YBKZEE-7BBFSU-KTFMJ87A" | Text | Required | You can retrieve the inception asset ID using the action Get Inception Variants. |
Example Request
[ { "filename": "tmp/b477f311-f569-4d8c-987c-b439be4384ac/test_fie", "inception_asset_id": "AT3UZX-YBKZEE-7BBFSU-KTFMJ87A" } ]
Action: Get Notifications
This action retrieves notifications.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in key-value format to retrieve notifications. Example: {'newest_time':'2023-01-19T13:25:00Z'} | Key Value | Optional | Allowed keys: |
Example Request
[ { "query_param":{ "newest_time":"2023-01-19T13:25:00Z" } } ]
Action: Generic Action
This is a generic action to perform any additional use case that you want on Stairwell.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter the complete URL to make the call to. | Text | Required | |
HTTP Method | Enter the HTTP endpoint method in capitals. Example: GET | Text | Required | Allowed values: |
Request Body | Enter the request body in JSON format. | Any | Optional | |
Query Parameters | Enter the query parameters to pass alongside the request. | Any | Optional | |
Action: Update YARA Rule
This action updates a YARA rule in Stairwell.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Environment ID | Enter the environment ID to load the YARA rule. Example: "2DAYC7-8IDAXU-IDAAAC-IDAF29MW" | Text | Required | |
Rule | Enter the YARA rule with special characters escaped. Example: "rule ExampleRule\n{\n strings:\n $my_text_string = \"text here\"\n $my_hex_string = { E2 34 A1 C8 23 FB }\n\n condition:\n $my_text_string or $my_hex_string\n}" | Text | Required | |
Example Request
[ { "rule": "rule ExampleRule\\n{\\n strings:\\n $my_text_string = \"text here\"\\n $my_hex_string = { E2 34 A1 C8 23 FB }\\n\\n condition:\\n $my_text_string or $my_hex_string\\n}", "environment_id": "2DAYC7-8IDAXU-IDAAAC-IDAF29MW" } ]
Action: Upload YARA Rule
This action uploads a new YARA rule in Stairwell.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Environment ID | Enter the environment ID to load the YARA rule. Example: "2DAYC7-8IDAXU-IDAAAC-IDAF29MW" | Text | Required | |
Rule | Enter the YARA rule with special characters escaped. Example: "rule ExampleRule\n{\n strings:\n $my_text_string = \"text here\"\n $my_hex_string = { E2 34 A1 C8 23 FB }\n\n condition:\n $my_text_string or $my_hex_string\n}" | Text | Required | |
Example Request
[ { "rule": "rule ExampleRule\\n{\\n strings:\\n $my_text_string = \"text here\"\\n $my_hex_string = { E2 34 A1 C8 23 FB }\\n\\n condition:\\n $my_text_string or $my_hex_string\\n}", "environment_id": "2DAYC7-8IDAXU-IDAAAC-IDAF29MW" } ]
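The escaped Rule value shown in the parameter tables for Update YARA Rule and Upload YARA Rule is what JSON string escaping of the rule text produces, so it can be generated and checked rather than typed by hand. The following is an added example, not part of the connector documentation; it assumes the Rule field uses JSON string escaping as in that table example, and `RULE_WITH_BACKSLASHES` and the function names are constructed for illustration.

```python
import json

# Escaped Rule value exactly as shown in the parameter table above.
PAGE_FIELD = (r'rule ExampleRule\n{\n strings:\n $my_text_string = \"text here\"\n'
              r' $my_hex_string = { E2 34 A1 C8 23 FB }\n\n condition:\n'
              r' $my_text_string or $my_hex_string\n}')

# Constructed rule whose text string uses YARA's own backslash escapes.
RULE_WITH_BACKSLASHES = r'''rule ExamplePathRule
{
 strings:
 $path = "C:\\Temp\\sample.exe" nocase

 condition:
 $path
}'''


def escape_rule(rule_text):
    """Escape rule text for the Rule field (assumed: JSON string escaping)."""
    return json.dumps(rule_text, ensure_ascii=False)[1:-1]


def unescape_rule(field_value):
    """Recover the rule text that an escaped Rule value stands for."""
    return json.loads('"' + field_value + '"')


def naive_escape(rule_text):
    """Hand escaping of newlines and quotes only; backslashes are missed."""
    return rule_text.replace("\n", "\\n").replace('"', '\\"')


def survives(escaper, rule_text):
    """True if the rule text comes back unchanged after escape + unescape."""
    try:
        return unescape_rule(escaper(rule_text)) == rule_text
    except ValueError:  # the escaper produced an invalid escape sequence
        return False


if __name__ == "__main__":
    page_rule = unescape_rule(PAGE_FIELD)
    print(page_rule)
    print("page example round-trips:", escape_rule(page_rule) == PAGE_FIELD)
    print("naive escaping keeps backslashes:",
          survives(naive_escape, RULE_WITH_BACKSLASHES))
```

Escaping only newlines and quotes works for the page's ExampleRule but halves every backslash in a rule that contains YARA escapes, so the rule that arrives is not the rule that was written.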