Aella Star Light

Overview


Use the Aella Starlight integration to get detailed information for security events detected by Aella Breach Detection software.

This integration was integrated and tested with Aella Starlight v2.2.1.

Use cases


  • Monitor security events and get event details
    Periodically fetch new security events detected by Aella Starlight. Each security event has a unique event_id, which you can pass to the aella-get-event command to get the detailed information for that event. You can then perform a follow-up action, such as sending a notification to security staff.

Fetched Incidents Data


name: Incident name
label: "Starlight event"
aella_eid: Aella event ID
aella_event: Aella event name
event_severity: Severity of the event
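The fetch-incidents use case above, worked through as an added example that is not the integration's own code: a batch of Starlight events is filtered by the instance's severity threshold and optional event-name setting, de-duplicated on event_id across fetch intervals, and mapped onto the incident fields listed here. The sample events and their field names (event_id, event_name, severity) are constructed assumptions, not the Starlight API.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample events standing in for one fetch from Starlight; the
# field names event_id / event_name / severity are assumptions, not the API.
SAMPLE_EVENTS = [
    {"event_id": "evt-001", "event_name": "Port Scan", "severity": 35},
    {"event_id": "evt-002", "event_name": "Brute Force", "severity": 80},
    {"event_id": "evt-003", "event_name": "Malware Download", "severity": 95},
    {"event_id": "evt-002", "event_name": "Brute Force", "severity": 80},  # repeat
]


def event_to_incident(event: Dict) -> Dict:
    """Map one event onto the incident fields listed under Fetched Incidents Data."""
    return {
        "name": f"Starlight {event['event_name']} ({event['event_id']})",
        "label": "Starlight event",
        "aella_eid": event["event_id"],
        "aella_event": event["event_name"],
        "event_severity": int(event["severity"]),
    }


def fetch_incidents(events: Iterable[Dict], severity_threshold: int = 0,
                    event_filter: Optional[str] = None,
                    seen_ids: Optional[Set[str]] = None) -> Tuple[List[Dict], Set[str]]:
    """Return (new incidents, updated seen_ids).

    severity_threshold and event_filter mirror the instance settings above;
    seen_ids stands in for the last-run state that stops an event already
    fetched in an earlier interval from becoming a second incident.
    """
    if not 0 <= severity_threshold <= 100:
        raise ValueError("severity threshold must be between 0 and 100")
    seen = set(seen_ids or ())
    incidents: List[Dict] = []
    for event in events:
        eid = event["event_id"]
        if eid in seen:
            continue  # already turned into an incident
        if int(event["severity"]) < severity_threshold:
            continue  # below the configured threshold
        if event_filter and event["event_name"] != event_filter:
            continue  # instance configured to look for one specific event
        seen.add(eid)
        incidents.append(event_to_incident(event))
    return incidents, seen
```

Pass the returned seen_ids back into the next call to emulate consecutive fetch intervals; only events not yet seen and above the threshold become new incidents.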

Configure Aella Starlight on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Aella Star Light.
  3. Click Add instance to create and configure a new integration instance.
    You should configure the following settings:
  • Name: a textual name for the integration instance.
  • Server URL (e.g. https://starlight.companyname.com:8889)
  • User name
  • Fetch incidents
  • Incident type
  • Fetching interval in minutes (default is 15, minimum is 15)
  • The specific security event to look for. Default is all events
  • Security event severity threshold, between 0 and 100
  • Trust any certificate (not secure)
  • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get event details: aella-get-event

1. Get event details


Get details for a specific Starlight event.

Base Command

aella-get-event

Input

Argument Name   Description                             Required
event_id        Event ID from the Starlight incident    Required

Context Output

Path                           Type      Description
Aella.Event.event_name         string    Event name
Aella.Event.severity           string    Severity score
Aella.Event.dstip              string    Destination IP
Aella.Event.srcip              string    Source IP
Aella.Event.tenantid           string    Tenant ID
Aella.Event.srcip_reputation   string    Source IP reputation
Aella.Event.dstip_reputation   string    Destination IP reputation
Aella.Event.dstip_geo          unknown   Destination IP geolocation
Aella.Event.srcip_geo          unknown   Source IP geolocation