Gem

Use Gem alerts as a trigger for Cortex XSOAR’s custom playbooks, to automate response to specific TTPs.

Cloud Services · Gem

Configuration parameters

  • incidentType — Incident type
  • api_endpoint — API Endpoint (required)
  • credentials — Service Account ID (required)
  • first_fetch — First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
  • proxy — Use system proxy settings
  • insecure — Trust any certificate (not secure)
  • isFetch — Fetch incidents
  • max_fetch — Maximum number of alerts per fetch

Commands (15)

  • gem-add-timeline-event

    Add a timeline event to a threat.

  • gem-get-alert-details

    Get details about a specific alert.

  • gem-get-resource-details

    Get details about a specific resource.

  • gem-get-threat-details

    Get details about a specific threat.

  • gem-list-accessing-entities

    List all entities that accessed an entity in a specific timeframe. The results are sorted by activity volume.

  • gem-list-accessing-ips

    List all source IP addresses that accessed an entity in a specific timeframe. The results are sorted by activity volume.

  • gem-list-events-by-entity

    List all events performed by an entity in a specific timeframe. The results are sorted by activity volume.

  • gem-list-events-on-entity

    List all events performed on an entity in a specific timeframe. The results are sorted by activity volume.

  • gem-list-inventory-resources

    List inventory resources in Gem.

  • gem-list-ips-by-entity

    List all source IP addresses used by an entity in a specific timeframe. The results are sorted by activity volume.

  • gem-list-services-by-entity

    List all services accessed by an entity in a specific timeframe. The results are sorted by activity volume.

  • gem-list-threats

    List all threats detected in Gem.

  • gem-list-using-entities

    List all entities that used an entity in a specific timeframe. The results are sorted by activity volume.

  • gem-run-action

    Run an action on an entity.

  • gem-update-threat-status

    Set a threat's status to open, in progress or resolved.