Singularity Data Lake
App Vendor: Singularity Data Lake
App Category: Data Enrichment and Threat Intelligence
Connector Version: 2.0.0
API Version: v1
About App
The Singularity Data Lake Connector allows security teams to perform queries on log data.
The Singularity Data Lake app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Perform Power Query | This action performs a power query by piping one or more search expressions together into a set of commands to transform, manipulate, group, and summarize your data. |
Perform Query | This action performs a query on Singularity Data Lake based on the provided search expressions/query filters to get matching log records. |
Configuration Parameters
The following configuration parameters are required for the Singularity Data Lake app to communicate with the Singularity Data Lake enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access Singularity Data Lake. | Text | Required | |
Bearer Token | Enter the bearer token to access Singularity Data Lake. | Password | Required | |
Verify | Choose whether to verify the SSL certificate while making requests. It is recommended to set this option to yes. If set to no, the connection may be established incorrectly and may break. | Boolean | Optional | |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with the Singularity Data Lake app. | Integer | Optional | |
Action: Perform Query
This action performs a query on Singularity Data Lake based on the provided search expressions/query filters to get matching log records.
Action Input Parameters
Parameters | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Filter | A search expression to get matching events. Example: "status >= 400 status < 500". Defaults to "". | Text | Optional | Note: For JSON requests, single quotes are invalid, and you must escape double quotes in strings as \". |
Start Time | Enter the start time of the query. | Text | Optional | Default value: 24 hrs. If the start time is not set and the end time is set, then the query starts 24 hours before the end time. |
End Time | Enter the end time of the query. | Text | Optional | Default value: 24 hrs. If the end time is not set but the start time is set, then the query covers the 24 hours after the start time. |
Max Count | Enter the maximum number of events to retrieve. | Integer | Optional | Default value: 100. Allowed range: 1-5000 |
Page Mode | Retrieves the oldest or newest Max Count events. When the number of matching events exceeds Max Count, set to head to retrieve the older Max Count events, and tail to retrieve the newer Max Count events. | Text | Optional | Default value: head if the start time is set; tail if the start time is not set |
Columns | Enter a comma-delimited list of fields to retrieve for each log message. | Text | Optional | Default value: "" (all fields) |
Priority | Set the execution priority of the query. Set "low" when a delay of approximately a second is acceptable. | Text | Optional | Allowed values: Default value: low |
Team Emails | Enter an array of account emails to query. | List | Optional | Default value: [] (empty list) |
Example Request
[ { "query_filter": "endpoint.name = 'as-seclab-dev' event.category = 'file'" } ]
Action: Perform Power Query
This action performs a power query by piping one or more search expressions together into a set of commands to transform, manipulate, group, and summarize your data.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the power query search expression. Example: "status >= 100 status <= 599 | group count() by status" | Text | Required | Note: For JSON requests, single quotes are invalid, and you must escape double quotes in strings as \". |
Start Time | Enter the start time of the query. Example: "10/27 1 PM" | Text | Optional | Default value: 24 hrs. If the start time is not set and the end time is set, then the query starts 24 hours before the end time. |
End Time | Enter the end time of the query. Example: "10/27 4 PM" | Text | Optional | Default value: 24 hrs. If the end time is not set but the start time is set, then the query covers the 24 hours after the start time. |
Priority | Set the execution priority of the query. Set "low" when a delay of approximately a second is acceptable. | Text | Optional | Default value: |
Team Emails | Pass an array of account emails to query. | List | Optional | Default value: [] (empty list) |
Example Request
[ { "query": "status >= 100 status <=599 | group count() by status" } ]
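As an added example (not the app's own code), the Python below builds and validates the request body for either action using the constraints in the tables above, and shows how JSON serialization produces the \" escapes the notes call for. The snake_case input keys other than query_filter, query and max_count are assumptions derived from the parameter names.

```python
import json

# Input keys per action. Only "query_filter", "query" and "max_count" appear
# verbatim in the documentation; the other keys are assumed snake_case names.
ACTION_KEYS = {
    "perform_query": {"query_filter", "start_time", "end_time", "max_count",
                      "page_mode", "columns", "priority", "team_emails"},
    "perform_power_query": {"query", "start_time", "end_time", "priority",
                            "team_emails"},
}


def build_request(action, **params):
    """Return the JSON request text for one action call (hypothetical helper).

    Enforces the documented constraints: Max Count within 1-5000, Page Mode
    head/tail, Team Emails as a list, Query required for the power query.
    json.dumps emits the \" escapes required for double quotes in expressions.
    """
    allowed = ACTION_KEYS[action]
    unknown = set(params) - allowed
    if unknown:
        raise ValueError(f"unknown parameters for {action}: {sorted(unknown)}")
    if action == "perform_query":
        params.setdefault("query_filter", "")  # documented default: ""
    elif not params.get("query"):
        raise ValueError("query is required for perform_power_query")
    max_count = params.get("max_count", 100)
    if not isinstance(max_count, int) or not 1 <= max_count <= 5000:
        raise ValueError("max_count must be an integer in the range 1-5000")
    if params.get("page_mode") not in (None, "head", "tail"):
        raise ValueError("page_mode must be 'head' or 'tail'")
    if not isinstance(params.get("team_emails", []), list):
        raise ValueError("team_emails must be a list of account emails")
    # The body is a one-element list, matching the example requests above.
    return json.dumps([params])


def effective_page_mode(params):
    """Page Mode default from the table: head if start_time is set, else tail."""
    return params.get("page_mode") or ("head" if params.get("start_time") else "tail")


if __name__ == "__main__":
    # Constructed sample: the documented Perform Query example plus a filter
    # that contains double quotes, to show the escaping.
    print(build_request("perform_query",
                        query_filter="endpoint.name = 'as-seclab-dev' event.category = 'file'"))
    print(build_request("perform_query", query_filter='message = "denied"', max_count=50))
```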