Custom Action - Get package SAS URI API

Hi all,

I'm building this custom action - https://learn.microsoft.com/en-us/defender-endpoint/api/get-package-sas-uri 

I need some guidance on handling the rate limit, since it is 2 calls per minute:

"Rate limitations for this API are 2 calls per minute and 120 calls per hour."

What will be the best approach to handle this?

And I have one question: if we get 10 alerts at the same time and the attached playbook has this action, will this action fail for the remaining 8 alerts while 2 alerts have a successful playbook run?

 
1 ACCEPTED SOLUTION

Hey @vanitharaj1208,

The best practice would be to implement the action with a retry mechanism. Meaning that if you encounter status code 429, the action will wait until it receives status code 200. That way, over time the action will finish for all 10 alerts.

The retry mechanism will need to be done in an async way. We have a lot of actions that work like that; you can look into the action "Wait For Custom Fields" in Siemplify for inspiration.
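
The retry-on-429 flow from the accepted solution, shown as an added example (not code from this thread, from Siemplify, or from TIPCommon). `FakeSasUriApi`, `run_iteration`, `simulate`, the state names and the `Retry-After` header are assumptions; the limiter is a constructed stand-in that replays the 10-alert case against a 2-calls-per-minute limit.

```python
import json

IN_PROGRESS, COMPLETED = "in_progress", "completed"  # hypothetical state names

class FakeSasUriApi:
    """Constructed stand-in for the endpoint: 2 accepted calls per rolling 60 s."""
    def __init__(self, limit=2, window=60):
        self.limit, self.window, self.calls = limit, window, []

    def get(self, alert_id, now):
        self.calls = [t for t in self.calls if now - t < self.window]
        if len(self.calls) >= self.limit:
            wait = int(self.window - (now - self.calls[0])) + 1
            return 429, {"Retry-After": str(wait)}, None  # header is an assumption
        self.calls.append(now)
        return 200, {}, f"https://example.invalid/package/{alert_id}"  # placeholder

def run_iteration(api, alert_id, state_json, now, default_wait=30, max_attempts=20):
    """One invocation of the async action: at most one API call, never sleeps."""
    state = json.loads(state_json) if state_json else {"attempts": 0, "not_before": 0}
    if now < state["not_before"]:
        return IN_PROGRESS, json.dumps(state)  # too early: do not spend a call
    code, headers, body = api.get(alert_id, now)
    if code == 200:
        return COMPLETED, body
    if code != 429:
        raise RuntimeError(f"unexpected status {code} for {alert_id}")
    state["attempts"] += 1
    if state["attempts"] >= max_attempts:
        raise TimeoutError(f"{alert_id}: still rate limited after {max_attempts} tries")
    state["not_before"] = now + int(headers.get("Retry-After", default_wait))
    return IN_PROGRESS, json.dumps(state)  # persisted between invocations

def simulate(n_alerts=10, poll_every=15):
    """Replay n alerts arriving together; returns {alert_id: completion time in s}."""
    api, now, finished = FakeSasUriApi(), 0, {}
    pending = {f"alert-{i}": None for i in range(n_alerts)}
    while pending:
        for alert_id in list(pending):
            status, payload = run_iteration(api, alert_id, pending[alert_id], now)
            if status == COMPLETED:
                finished[alert_id] = now
                del pending[alert_id]
            else:
                pending[alert_id] = payload
        now += poll_every
    return finished

if __name__ == "__main__":
    print(simulate())
```

In the simulation two alerts complete immediately and the other eight complete in pairs as the window reopens, so none of the ten fails. With a real client, pass the current clock as `now` and store the returned JSON wherever the platform keeps async action state.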


5 REPLIES

Hi @ylandovskyy, are you sure that we should go with an async action?

It sounds best to me too.

There is a roadmap item for x retries; however, that will be a little more limited in retry count compared to async, which can try for hours/days.

Hi @ylandovskyy,

Can I get some info on the modules which start with TIPCommon, and where can I find the code?

I have implemented it with a retry mechanism in a sync action. It's working, but I'm not sure ... is this the right way?

And in this action, "Wait For Custom Fields", where is the retry mechanism implemented? I didn't find it.


@vanitharaj1208 

In terms of TIP Common, you can find the code base in the "Script Dependencies" section of the integration.

To review the code, you can export the integration itself and review the code locally in the "Dependencies" folder. If you wanted to include TIP common in your own integrations, Google had a post a few weeks ago on how to perform that action: https://www.googlecloudcommunity.com/gc/SecOps-SOAR/Retrieving-latest-version-of-TIPCommon-and-its-d...