Bastille Networks

RF monitoring for wireless intrusion detection and policy enforcement. Visit https://www.bastille.net for details.

This integration was integrated and tested with Bastille Networks product version 1.5.0.

Configure BastilleNetworks on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for BastilleNetworks.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| api_url | Server URL | False |
| api_key | API Key | True |
| site | Site | True |
| concentrator | Concentrator | True |
| map | Map | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| tags | Tags | False |
| event_types | Event types | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

bastille-get-device-events


Command to fetch device detection events

Base Command

bastille-get-device-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| protocol | Filter by transmitter protocol name | Optional |
| since | Earliest time to return incidents from | Optional |
| until | Latest time to return incidents from | Optional |
| limit | Limit the number of fetched events | Optional |
| tags | List of tags to filter events by | Optional |
| event_id | Unique identifier of the zone detection event | Optional |
| transmitter_id | Device identifier to query the detections for | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Bastille.DeviceEvent.event_id | String | Unique identifier of the event |
| Bastille.DeviceEvent.event_type | String | Type of the event |
| Bastille.DeviceEvent.time_s | Date | Event detection timestamp |
| Bastille.DeviceEvent.tags | String | Tags attached to the zone event |
| Bastille.DeviceEvent.zone_name | String | Zone name where the incident took place |
| Bastille.DeviceEvent.area.site_id | String | Deployment site identifier |
| Bastille.DeviceEvent.area.concentrator_id | String | Deployment concentrator identifier |
| Bastille.DeviceEvent.area.map_id | String | Deployment map identifier |
| Bastille.DeviceEvent.emitter.protocol | String | Wireless protocol used by the detected transmitter |
| Bastille.DeviceEvent.emitter.transmitter_id | String | Wireless transmitter identifier |
| Bastille.DeviceEvent.emitter.vendor | String | Wireless transmitter vendor |
| Bastille.DeviceEvent.emitter.network.name | String | Name of the network the transmitter is connected to |
| Bastille.DeviceEvent.device_info.manufacturer | String | Manufacturer associated with device in the deployment |
| Bastille.DeviceEvent.device_info.user | String | User associated with device in the deployment |
| Bastille.DeviceEvent.device_info.model | String | Model associated with device in the deployment |
| Bastille.DeviceEvent.device_info.name | String | Name associated with device in the deployment |
| Bastille.DeviceEvent.first_seen.time_s | Number | Event first seen timestamp |
| Bastille.DeviceEvent.first_seen.position | Unknown | Event first seen coordinates |
| Bastille.DeviceEvent.last_seen.time_s | Number | Event last seen timestamp |
| Bastille.DeviceEvent.last_seen.position | Unknown | Event last seen coordinates |

Command Example

!bastille-get-device-events since=2020-05-01T13:00:00T until=2020-05-01T17:00:00T

Context Example

{
"Bastille": {
"DeviceEvent": [
{
"area": {
"concentrator_id": "c1",
"map_id": "m1",
"site_id": "s1"
},
"device_info": {
"manufacturer": "Apple",
"model": "iPhone 7",
"name": "Jane's iPhone 7",
"user": "Jane Doe"
},
"emitter": {
"network": {
"name": "Verizon"
},
"protocol": "LTE",
"transmitter_id": "vzw:1100:249:6f4d",
"vendor": "Unknown"
},
"event_id": "LTE_vzw:1100:249:6f4d_s1_c1_m1_1588338000",
"event_type": "device_event",
"first_seen": {
"position": [
34.61,
13.31
],
"time_s": "2020-05-01T13:00:00+00:00"
},
"last_seen": {
"position": [
32.31,
11.24
],
"time_s": "2020-05-01T13:00:00+00:00"
},
"tags": [],
"time_s": "2020-05-01T13:00:00+00:00"
},
{
"area": {
"concentrator_id": "c1",
"map_id": "m1",
"site_id": "s1"
},
"device_info": {
"manufacturer": "Apple",
"model": "iPhone 7",
"name": "Jane's iPhone 7",
"user": "Jane Doe"
},
"emitter": {
"network": {
"name": "Verizon"
},
"protocol": "LTE",
"transmitter_id": "vzw:1100:249:6f4d",
"vendor": "Unknown"
},
"event_id": "LTE_vzw:1100:249:6f4d_s1_c1_m1_1588338060",
"event_type": "device_event",
"first_seen": {
"position": [
34.61,
13.31
],
"time_s": "2020-05-01T13:01:00+00:00"
},
"last_seen": {
"position": [
32.31,
11.24
],
"time_s": "2020-05-01T13:01:00+00:00"
},
"tags": [],
"time_s": "2020-05-01T13:01:00+00:00"
},
{
"area": {
"concentrator_id": "c1",
"map_id": "m1",
"site_id": "s1"
},
"device_info": {
"manufacturer": "Apple",
"model": "iPhone 7",
"name": "Jane's iPhone 7",
"user": "Jane Doe"
},
"emitter": {
"network": {
"name": "Verizon"
},
"protocol": "LTE",
"transmitter_id": "vzw:1100:249:6f4d",
"vendor": "Unknown"
},
"event_id": "LTE_vzw:1100:249:6f4d_s1_c1_m1_1588338120",
"event_type": "device_event",
"first_seen": {
"position": [
34.61,
13.31
],
"time_s": "2020-05-01T13:02:00+00:00"
},
"last_seen": {
"position": [
32.31,
11.24
],
"time_s": "2020-05-01T13:02:00+00:00"
},
"tags": [],
"time_s": "2020-05-01T13:02:00+00:00"
},
{
"area": {
"concentrator_id": "c1",
"map_id": "m1",
"site_id": "s1"
},
"device_info": {
"manufacturer": "Apple",
"model": "iPhone 7",
"name": "Jane's iPhone 7",
"user": "Jane Doe"
},
"emitter": {
"network": {
"name": "Verizon"
},
"protocol": "LTE",
"transmitter_id": "vzw:1100:249:6f4d",
"vendor": "Unknown"
},
"event_id": "LTE_vzw:1100:249:6f4d_s1_c1_m1_1588338180",
"event_type": "device_event",
"first_seen": {
"position": [
34.61,
13.31
],
"time_s": "2020-05-01T13:03:00+00:00"
},
"last_seen": {
"position": [
32.31,
11.24
],
"time_s": "2020-05-01T13:03:00+00:00"
},
"tags": [],
"time_s": "2020-05-01T13:03:00+00:00"
},
{
"area": {
"concentrator_id": "c1",
"map_id": "m1",
"site_id": "s1"
},
"device_info": {
"manufacturer": "Apple",
"model": "iPhone 7",
"name": "Jane's iPhone 7",
"user": "Jane Doe"
},
"emitter": {
"network": {
"name": "Verizon"
},
"protocol": "LTE",
"transmitter_id": "vzw:1100:249:6f4d",
"vendor": "Unknown"
},
"event_id": "LTE_vzw:1100:249:6f4d_s1_c1_m1_1588338240",
"event_type": "device_event",
"first_seen": {
"position": [
34.61,
13.31
],
"time_s": "2020-05-01T13:04:00+00:00"
},
"last_seen": {
"position": [
32.31,
11.24
],
"time_s": "2020-05-01T13:04:00+00:00"
},
"tags": [],
"time_s": "2020-05-01T13:04:00+00:00"
}
]
}
}

Human Readable Output

Device Events

| area | device_info | emitter | event_id | first_seen | last_seen | tags | time_s |
| --- | --- | --- | --- | --- | --- | --- | --- |
| site_id: s1; concentrator_id: c1; map_id: m1 | manufacturer: Apple; user: Jane Doe; model: iPhone 7; name: Jane's iPhone 7 | protocol: LTE; transmitter_id: vzw:1100:249:6f4d; vendor: Unknown; network: {"name": "Verizon"} | LTE_vzw:1100:249:6f4d_s1_c1_m1_1588338000 | time_s: 2020-05-01T13:00:00+00:00; position: 34.61, 13.31 | position: 32.31, 11.24; time_s: 2020-05-01T13:00:00+00:00 |  | 2020-05-01T13:00:00+00:00 |
| site_id: s1; concentrator_id: c1; map_id: m1 | manufacturer: Apple; user: Jane Doe; model: iPhone 7; name: Jane's iPhone 7 | protocol: LTE; transmitter_id: vzw:1100:249:6f4d; vendor: Unknown; network: {"name": "Verizon"} | LTE_vzw:1100:249:6f4d_s1_c1_m1_1588338060 | time_s: 2020-05-01T13:01:00+00:00; position: 34.61, 13.31 | position: 32.31, 11.24; time_s: 2020-05-01T13:01:00+00:00 |  | 2020-05-01T13:01:00+00:00 |
| site_id: s1; concentrator_id: c1; map_id: m1 | manufacturer: Apple; user: Jane Doe; model: iPhone 7; name: Jane's iPhone 7 | protocol: LTE; transmitter_id: vzw:1100:249:6f4d; vendor: Unknown; network: {"name": "Verizon"} | LTE_vzw:1100:249:6f4d_s1_c1_m1_1588338120 | time_s: 2020-05-01T13:02:00+00:00; position: 34.61, 13.31 | position: 32.31, 11.24; time_s: 2020-05-01T13:02:00+00:00 |  | 2020-05-01T13:02:00+00:00 |
| site_id: s1; concentrator_id: c1; map_id: m1 | manufacturer: Apple; user: Jane Doe; model: iPhone 7; name: Jane's iPhone 7 | protocol: LTE; transmitter_id: vzw:1100:249:6f4d; vendor: Unknown; network: {"name": "Verizon"} | LTE_vzw:1100:249:6f4d_s1_c1_m1_1588338180 | time_s: 2020-05-01T13:03:00+00:00; position: 34.61, 13.31 | position: 32.31, 11.24; time_s: 2020-05-01T13:03:00+00:00 |  | 2020-05-01T13:03:00+00:00 |
| site_id: s1; concentrator_id: c1; map_id: m1 | manufacturer: Apple; user: Jane Doe; model: iPhone 7; name: Jane's iPhone 7 | protocol: LTE; transmitter_id: vzw:1100:249:6f4d; vendor: Unknown; network: {"name": "Verizon"} | LTE_vzw:1100:249:6f4d_s1_c1_m1_1588338240 | time_s: 2020-05-01T13:04:00+00:00; position: 34.61, 13.31 | position: 32.31, 11.24; time_s: 2020-05-01T13:04:00+00:00 |  | 2020-05-01T13:04:00+00:00 |

bastille-get-zone-events


Command to fetch zone detection events

Base Command

bastille-get-zone-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| zone | Filter by zone name | Optional |
| protocol | Filter by transmitter protocol name | Optional |
| since | Earliest time to return incidents from | Optional |
| until | Latest time to return incidents from | Optional |
| limit | Limit the number of fetched events | Optional |
| tags | List of tags to filter events by | Optional |
| event_id | Unique identifier of the zone detection event | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Bastille.ZoneEvent.event_id | String | Unique identifier of the event |
| Bastille.ZoneEvent.event_type | String | Type of the event |
| Bastille.ZoneEvent.time_s | Date | Event detection timestamp |
| Bastille.ZoneEvent.tags | String | Tags attached to the zone event |
| Bastille.ZoneEvent.zone_name | String | Zone name where the incident took place |
| Bastille.ZoneEvent.area.site_id | String | Deployment site identifier |
| Bastille.ZoneEvent.area.concentrator_id | String | Deployment concentrator identifier |
| Bastille.ZoneEvent.area.map_id | String | Deployment map identifier |
| Bastille.ZoneEvent.emitter.protocol | String | Wireless protocol used by the detected transmitter |
| Bastille.ZoneEvent.emitter.transmitter_id | String | Wireless transmitter identifier |
| Bastille.ZoneEvent.emitter.vendor | String | Wireless transmitter vendor |
| Bastille.ZoneEvent.emitter.network.name | String | Name of the network the transmitter is connected to |
| Bastille.ZoneEvent.device_info.manufacturer | String | Manufacturer associated with device in the deployment |
| Bastille.ZoneEvent.device_info.user | String | User associated with device in the deployment |
| Bastille.ZoneEvent.device_info.model | String | Model associated with device in the deployment |
| Bastille.ZoneEvent.device_info.name | String | Name associated with device in the deployment |
| Bastille.ZoneEvent.first_seen.time_s | Number | Event first seen timestamp |
| Bastille.ZoneEvent.first_seen.position | Unknown | Event first seen coordinates |
| Bastille.ZoneEvent.last_seen.time_s | Number | Event last seen timestamp |
| Bastille.ZoneEvent.last_seen.position | Unknown | Event last seen coordinates |

Command Example

!bastille-get-zone-events zone=conference-1

Context Example

{
"Bastille": {
"ZoneEvent": [
{
"area": {
"concentrator_id": "c1",
"map_id": "m1",
"site_id": "s1"
},
"device_info": {
"manufacturer": "Apple",
"model": "iPhone 7",
"name": "Jane's iPhone 7",
"user": "Jane Doe"
},
"emitter": {
"network": {
"name": "Verizon"
},
"protocol": "LTE",
"transmitter_id": "vzw:1100:249:6f4d",
"vendor": "Unknown"
},
"event_id": "conference-1_LTE_vzw:1100:249:6f4d_s1_c1_m1_1585699200",
"event_type": "zone_event",
"first_seen": {
"position": [
34.61,
13.31
],
"time_s": "2020-04-01T00:00:00+00:00"
},
"last_seen": {
"position": [
32.31,
11.24
],
"time_s": "2020-04-01T00:00:00+00:00"
},
"tags": [],
"time_s": "2020-04-01T00:00:00+00:00",
"zone_name": "conference-1"
},
{
"area": {
"concentrator_id": "c1",
"map_id": "m1",
"site_id": "s1"
},
"device_info": {
"manufacturer": "Apple",
"model": "iPhone 7",
"name": "Jane's iPhone 7",
"user": "Jane Doe"
},
"emitter": {
"network": {
"name": "Verizon"
},
"protocol": "LTE",
"transmitter_id": "vzw:1100:249:6f4d",
"vendor": "Unknown"
},
"event_id": "conference-1_LTE_vzw:1100:249:6f4d_s1_c1_m1_1585699260",
"event_type": "zone_event",
"first_seen": {
"position": [
34.61,
13.31
],
"time_s": "2020-04-01T00:01:00+00:00"
},
"last_seen": {
"position": [
32.31,
11.24
],
"time_s": "2020-04-01T00:01:00+00:00"
},
"tags": [],
"time_s": "2020-04-01T00:01:00+00:00",
"zone_name": "conference-1"
},
{
"area": {
"concentrator_id": "c1",
"map_id": "m1",
"site_id": "s1"
},
"device_info": {
"manufacturer": "Apple",
"model": "iPhone 7",
"name": "Jane's iPhone 7",
"user": "Jane Doe"
},
"emitter": {
"network": {
"name": "Verizon"
},
"protocol": "LTE",
"transmitter_id": "vzw:1100:249:6f4d",
"vendor": "Unknown"
},
"event_id": "conference-1_LTE_vzw:1100:249:6f4d_s1_c1_m1_1585699320",
"event_type": "zone_event",
"first_seen": {
"position": [
34.61,
13.31
],
"time_s": "2020-04-01T00:02:00+00:00"
},
"last_seen": {
"position": [
32.31,
11.24
],
"time_s": "2020-04-01T00:02:00+00:00"
},
"tags": [],
"time_s": "2020-04-01T00:02:00+00:00",
"zone_name": "conference-1"
},
{
"area": {
"concentrator_id": "c1",
"map_id": "m1",
"site_id": "s1"
},
"device_info": {
"manufacturer": "Apple",
"model": "iPhone 7",
"name": "Jane's iPhone 7",
"user": "Jane Doe"
},
"emitter": {
"network": {
"name": "Verizon"
},
"protocol": "LTE",
"transmitter_id": "vzw:1100:249:6f4d",
"vendor": "Unknown"
},
"event_id": "conference-1_LTE_vzw:1100:249:6f4d_s1_c1_m1_1585699380",
"event_type": "zone_event",
"first_seen": {
"position": [
34.61,
13.31
],
"time_s": "2020-04-01T00:03:00+00:00"
},
"last_seen": {
"position": [
32.31,
11.24
],
"time_s": "2020-04-01T00:03:00+00:00"
},
"tags": [],
"time_s": "2020-04-01T00:03:00+00:00",
"zone_name": "conference-1"
},
{
"area": {
"concentrator_id": "c1",
"map_id": "m1",
"site_id": "s1"
},
"device_info": {
"manufacturer": "Apple",
"model": "iPhone 7",
"name": "Jane's iPhone 7",
"user": "Jane Doe"
},
"emitter": {
"network": {
"name": "Verizon"
},
"protocol": "LTE",
"transmitter_id": "vzw:1100:249:6f4d",
"vendor": "Unknown"
},
"event_id": "conference-1_LTE_vzw:1100:249:6f4d_s1_c1_m1_1585699440",
"event_type": "zone_event",
"first_seen": {
"position": [
34.61,
13.31
],
"time_s": "2020-04-01T00:04:00+00:00"
},
"last_seen": {
"position": [
32.31,
11.24
],
"time_s": "2020-04-01T00:04:00+00:00"
},
"tags": [],
"time_s": "2020-04-01T00:04:00+00:00",
"zone_name": "conference-1"
}
]
}
}

Human Readable Output

Zone Events

| area | device_info | emitter | event_id | first_seen | last_seen | tags | time_s | zone_name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| site_id: s1; concentrator_id: c1; map_id: m1 | manufacturer: Apple; user: Jane Doe; model: iPhone 7; name: Jane's iPhone 7 | protocol: LTE; transmitter_id: vzw:1100:249:6f4d; vendor: Unknown; network: {"name": "Verizon"} | conference-1_LTE_vzw:1100:249:6f4d_s1_c1_m1_1585699200 | time_s: 2020-04-01T00:00:00+00:00; position: 34.61, 13.31 | position: 32.31, 11.24; time_s: 2020-04-01T00:00:00+00:00 |  | 2020-04-01T00:00:00+00:00 | conference-1 |
| site_id: s1; concentrator_id: c1; map_id: m1 | manufacturer: Apple; user: Jane Doe; model: iPhone 7; name: Jane's iPhone 7 | protocol: LTE; transmitter_id: vzw:1100:249:6f4d; vendor: Unknown; network: {"name": "Verizon"} | conference-1_LTE_vzw:1100:249:6f4d_s1_c1_m1_1585699260 | time_s: 2020-04-01T00:01:00+00:00; position: 34.61, 13.31 | position: 32.31, 11.24; time_s: 2020-04-01T00:01:00+00:00 |  | 2020-04-01T00:01:00+00:00 | conference-1 |
| site_id: s1; concentrator_id: c1; map_id: m1 | manufacturer: Apple; user: Jane Doe; model: iPhone 7; name: Jane's iPhone 7 | protocol: LTE; transmitter_id: vzw:1100:249:6f4d; vendor: Unknown; network: {"name": "Verizon"} | conference-1_LTE_vzw:1100:249:6f4d_s1_c1_m1_1585699320 | time_s: 2020-04-01T00:02:00+00:00; position: 34.61, 13.31 | position: 32.31, 11.24; time_s: 2020-04-01T00:02:00+00:00 |  | 2020-04-01T00:02:00+00:00 | conference-1 |
| site_id: s1; concentrator_id: c1; map_id: m1 | manufacturer: Apple; user: Jane Doe; model: iPhone 7; name: Jane's iPhone 7 | protocol: LTE; transmitter_id: vzw:1100:249:6f4d; vendor: Unknown; network: {"name": "Verizon"} | conference-1_LTE_vzw:1100:249:6f4d_s1_c1_m1_1585699380 | time_s: 2020-04-01T00:03:00+00:00; position: 34.61, 13.31 | position: 32.31, 11.24; time_s: 2020-04-01T00:03:00+00:00 |  | 2020-04-01T00:03:00+00:00 | conference-1 |
| site_id: s1; concentrator_id: c1; map_id: m1 | manufacturer: Apple; user: Jane Doe; model: iPhone 7; name: Jane's iPhone 7 | protocol: LTE; transmitter_id: vzw:1100:249:6f4d; vendor: Unknown; network: {"name": "Verizon"} | conference-1_LTE_vzw:1100:249:6f4d_s1_c1_m1_1585699440 | time_s: 2020-04-01T00:04:00+00:00; position: 34.61, 13.31 | position: 32.31, 11.24; time_s: 2020-04-01T00:04:00+00:00 |  | 2020-04-01T00:04:00+00:00 | conference-1 |
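
Added example (not part of the Bastille or Cortex XSOAR code): the zone event context above contains one entry per detection, so a triage automation usually needs to collapse Bastille.ZoneEvent entries into dwell sessions per zone and transmitter before deciding what to escalate. The "authorized" tag name, the 120-second gap, the 180-second threshold and the second transmitter ID are assumptions made for this sketch.

```python
from datetime import datetime
from itertools import groupby

def dwell_sessions(events, max_gap_s=120, allowed_tags=("authorized",)):
    """Merge per-detection zone events into dwell sessions per (zone, transmitter)."""
    def key(e):
        return (e.get("zone_name", ""), e["emitter"]["transmitter_id"])

    sessions = []
    for (zone, tx), group in groupby(sorted(events, key=key), key=key):
        current = None
        for e in sorted(group, key=lambda e: datetime.fromisoformat(e["time_s"])):
            ts = datetime.fromisoformat(e["time_s"])
            tags = set(e.get("tags") or [])
            if current and (ts - current["end"]).total_seconds() <= max_gap_s:
                # Same visit: extend the open session.
                current["end"] = ts
                current["events"] += 1
                current["tags"] |= tags
            else:
                # First sighting, or a gap longer than max_gap_s: new session.
                current = {"zone": zone, "transmitter_id": tx,
                           "user": (e.get("device_info") or {}).get("user"),
                           "start": ts, "end": ts, "events": 1, "tags": tags}
                sessions.append(current)
    for s in sessions:
        s["duration_s"] = int((s["end"] - s["start"]).total_seconds())
        s["authorized"] = bool(s["tags"] & set(allowed_tags))
    return sessions

def unauthorized_dwell(events, min_duration_s=180, **kwargs):
    """Sessions with no allow-list tag that lasted at least min_duration_s."""
    return [s for s in dwell_sessions(events, **kwargs)
            if not s["authorized"] and s["duration_s"] >= min_duration_s]

def _event(tx, minute, tags=()):
    # Constructed sample shaped like the Bastille.ZoneEvent entries on this page.
    return {"zone_name": "conference-1", "tags": list(tags),
            "time_s": f"2020-04-01T00:{minute:02d}:00+00:00",
            "emitter": {"protocol": "LTE", "transmitter_id": tx},
            "device_info": {"user": "Jane Doe"}}

SAMPLE = ([_event("vzw:1100:249:6f4d", m) for m in range(5)]      # 00:00-00:04
          + [_event("vzw:1100:249:6f4d", 30)]                     # later revisit
          + [_event("vzw:1100:249:0000", m, ["authorized"]) for m in (1, 2)])

if __name__ == "__main__":
    for s in unauthorized_dwell(SAMPLE):
        print(s["zone"], s["transmitter_id"], s["duration_s"], "s")
```

The same function works on Bastille.DeviceEvent entries, which have no zone_name and are therefore grouped by transmitter only.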

bastille-add-device-tag


Command to add tag to an existing device

Base Command

bastille-add-device-tag

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| transmitter_id | Unique identifier of an existing admin devices entry | Required |
| tag | Tag to append to the admin devices entry | Required |

Context Output

There is no context output for this command.

Command Example

!bastille-add-device-tag transmitter_id=78:9f:70:7b:62:82 tag=test-tag

Context Example

{}

Human Readable Output

created

bastille-remove-device-tag


Command to remove tag from an existing device

Base Command

bastille-remove-device-tag

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| transmitter_id | Unique identifier of an existing admin devices entry | Required |
| tag | Tag to be removed from the admin devices entry | Required |

Context Output

There is no context output for this command.

Command Example

!bastille-remove-device-tag transmitter_id=78:9f:70:7b:62:82 tag=test-tag

Context Example

{}

Human Readable Output

updated