Bluecat Address Manager

Use the BlueCat integration to enrich IP addresses and manage response policies.

Configure BluecatAddressManager on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for BluecatAddressManager.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Incident type
    • Server URL (e.g., https://192.168.0.1)
    • Username
    • Trust any certificate (insecure)
    • Use system proxy
    • Configuration Name
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Enrich an IP address: bluecat-am-query-ip
  2. Get all response policies: bluecat-am-get-response-policies
  3. Search response policies by domain: bluecat-am-search-response-policies-by-domain
  4. Add a domain to a response policy: bluecat-am-response-policy-add-domain
  5. Remove a domain from a response policy: bluecat-am-response-policy-remove-domain
  6. Get an IPv4 block containing an IPv4 address: bluecat-am-get-range-by-ip

1. Enrich an IP address


Enriches an IP address with data about IP networks and blocks to which it belongs, linked IPs, MAC addresses, and so on.

Base Command

bluecat-am-query-ip

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to get data for. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| BlueCat.AddressManager.IP.ID | Number | The Address Manager ID of the IP address. |
| BlueCat.AddressManager.IP.Name | String | Name of the IP address. |
| BlueCat.AddressManager.IP.MacAddress | String | Corresponding MAC address. |
| BlueCat.AddressManager.IP.Parents.ID | String | ID of the parent network or block. |
| BlueCat.AddressManager.IP.Parents.Type | String | Type of the parent network or block. |
| BlueCat.AddressManager.IP.Parents.Name | String | Name of the parent network or block. |
| BlueCat.AddressManager.IP.Parents.CIDR | String | CIDR (Classless Inter-Domain Routing) notation of the parent. |
| BlueCat.AddressManager.IP.Type | String | Type of IP address. |
| IP.Address | String | The IP address. |
| BlueCat.AddressManager.IP.Parents.Prefix | String | Prefix of the parent network or block. |

Command Example
bluecat-am-query-ip ip="10.0.0.10"
Context Example
{
    "IP": {
        "Address": "10.0.0.10"
    }, 
    "BlueCat.AddressManager.IP": {
        "Name": null, 
        "LocationInherited": "true", 
        "State": "STATIC", 
        "Parents": [
            {
                "InheritPingBeforeAssign": "true", 
                "InheritDNSRestrictions": "true", 
                "LocationInherited": "true", 
                "PingBeforeAssign": "disable", 
                "AllowDuplicateHost": "disable", 
                "ID": 100913, 
                "InheritAllowDuplicateHost": "true", 
                "InheritDefaultView": "true", 
                "CIDR": "10.0.0.0/24", 
                "DefaultView": "100907", 
                "Type": "IP4Network", 
                "Gateway": "10.0.0.1", 
                "InheritDefaultDomains": "true", 
                "Name": "East Office"
            }, 
            {
                "InheritPingBeforeAssign": "true", 
                "InheritDNSRestrictions": "true", 
                "LocationInherited": "true", 
                "PingBeforeAssign": "disable", 
                "AllowDuplicateHost": "disable", 
                "InheritAllowDuplicateHost": "true", 
                "InheritDefaultView": "true", 
                "CIDR": "10.0.0.0/21", 
                "DefaultView": "100907", 
                "Type": "IP4Block", 
                "ID": 100912, 
                "InheritDefaultDomains": "true", 
                "Name": "Tampa"
            }, 
            {
                "InheritPingBeforeAssign": "true", 
                "InheritDNSRestrictions": "true", 
                "LocationInherited": "true", 
                "PingBeforeAssign": "disable", 
                "AllowDuplicateHost": "disable", 
                "InheritAllowDuplicateHost": "true", 
                "InheritDefaultView": "true", 
                "CIDR": "10.0.0.0/19", 
                "DefaultView": "100907", 
                "Type": "IP4Block", 
                "ID": 100911, 
                "InheritDefaultDomains": "true", 
                "Name": "Florida"
            }, 
            {
                "InheritPingBeforeAssign": "true", 
                "InheritDNSRestrictions": "true", 
                "LocationInherited": "true", 
                "PingBeforeAssign": "disable", 
                "AllowDuplicateHost": "disable", 
                "InheritAllowDuplicateHost": "true", 
                "InheritDefaultView": "true", 
                "CIDR": "10.0.0.0/16", 
                "DefaultView": "100907", 
                "Type": "IP4Block", 
                "ID": 100910, 
                "InheritDefaultDomains": "true", 
                "Name": "North America"
            }, 
            {
                "InheritPingBeforeAssign": "false", 
                "InheritDNSRestrictions": "true", 
                "LocationInherited": "true", 
                "PingBeforeAssign": "disable", 
                "AllowDuplicateHost": "disable", 
                "InheritAllowDuplicateHost": "false", 
                "InheritDefaultView": "false", 
                "CIDR": "10.0.0.0/8", 
                "DefaultView": "100907", 
                "Type": "IP4Block", 
                "ID": 100909, 
                "InheritDefaultDomains": "true", 
                "Name": "global"
            }
        ], 
        "Address": "10.0.0.10", 
        "Type": "IPv4", 
        "ID": 100923
    }
}
Human Readable Output

10.0.0.10 IP Result:

| ID | Name | Type | Address | State | Location Inherited |
| --- | --- | --- | --- | --- | --- |
| 100923 | | IPv4 | 10.0.0.10 | STATIC | true |

Parents Details:

| ID | Type | Name | CIDR | Allow Duplicate Host | Inherit Allow Duplicate Host | Ping Before Assign | Inherit Ping Before Assign | Location Inherited | Inherit Default Domains | Default View | Inherit Default View | Inherit DNS Restrictions |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 100909 | IP4Block | global | 10.0.0.0/8 | disable | false | disable | false | true | true | 100907 | false | true |
| 100910 | IP4Block | North America | 10.0.0.0/16 | disable | true | disable | true | true | true | 100907 | true | true |
| 100911 | IP4Block | Florida | 10.0.0.0/19 | disable | true | disable | true | true | true | 100907 | true | true |
| 100912 | IP4Block | Tampa | 10.0.0.0/21 | disable | true | disable | true | true | true | 100907 | true | true |
| 100913 | IP4Network | East Office | 10.0.0.0/24 | disable | true | disable | true | true | true | 100907 | true | true |
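The Parents list returned by bluecat-am-query-ip is the chain of containers around the address, from the IP4Network up to the top-level IP4Block. The helper below is an added example, not part of the integration's own code: it takes a context object shaped like BlueCat.AddressManager.IP (a constructed, trimmed copy of the example above), verifies that every parent CIDR really contains the address, orders the chain widest-first as the Parents Details table does, and derives the Prefix field.

```python
import ipaddress

# Constructed sample modelled on the BlueCat.AddressManager.IP context above;
# only the fields the check needs are kept.
SAMPLE_CONTEXT = {
    "Address": "10.0.0.10",
    "ID": 100923,
    "Type": "IPv4",
    "Parents": [
        {"ID": 100913, "Type": "IP4Network", "Name": "East Office", "CIDR": "10.0.0.0/24"},
        {"ID": 100912, "Type": "IP4Block", "Name": "Tampa", "CIDR": "10.0.0.0/21"},
        {"ID": 100911, "Type": "IP4Block", "Name": "Florida", "CIDR": "10.0.0.0/19"},
        {"ID": 100910, "Type": "IP4Block", "Name": "North America", "CIDR": "10.0.0.0/16"},
        {"ID": 100909, "Type": "IP4Block", "Name": "global", "CIDR": "10.0.0.0/8"},
    ],
}


def parent_chain(ip_context):
    """Return the parents ordered from the widest block to the most specific
    network, with a derived Prefix field. Raises ValueError if a parent CIDR
    does not contain the address (a mis-parsed or inconsistent result)."""
    addr = ipaddress.ip_address(ip_context["Address"])
    chain = []
    for parent in ip_context.get("Parents", []):
        # strict=True rejects a CIDR whose host bits are set, e.g. 10.0.0.10/24.
        net = ipaddress.ip_network(parent["CIDR"], strict=True)
        if addr not in net:
            raise ValueError(f"{addr} is not inside parent {parent['ID']} ({net})")
        chain.append((net, parent))
    # Shortest prefix (widest block) first, matching the Parents Details table.
    chain.sort(key=lambda item: item[0].prefixlen)
    return [dict(parent, Prefix=net.prefixlen) for net, parent in chain]


def most_specific_network(ip_context):
    """The innermost container of the address; its Name (here the IP4Network
    'East Office') is the natural value to surface on an incident."""
    return parent_chain(ip_context)[-1]


if __name__ == "__main__":
    for parent in parent_chain(SAMPLE_CONTEXT):
        print(f"{parent['ID']} {parent['Type']:<10} {parent['CIDR']:<14} {parent['Name']}")
```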

2. Get all response policies


Returns all response policies.

Base Command

bluecat-am-get-response-policies

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| start | Start index from which to get the response policies. Default is 0. | Optional |
| count | Maximum number of response policies to return. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| BlueCat.AddressManager.ResponsePolicies.ID | Number | ID of the response policy. |
| BlueCat.AddressManager.ResponsePolicies.Name | String | Name of the response policy. |
| BlueCat.AddressManager.ResponsePolicies.Ttl | Unknown | Time to live (TTL) of the response policy. |
| BlueCat.AddressManager.ResponsePolicies.Type | String | Type of the response policy (BLACKLIST, BLACKHOLE, WHITELIST, or REDIRECT). |
| BlueCat.AddressManager.ResponsePolicies.RedirectTarget | String | Redirect target, for policies of type REDIRECT. |

Command Example
bluecat-am-get-response-policies start="0" count="30"
Context Example
{
    "BlueCat.AddressManager.ResponsePolicies": [
        {
            "RedirectTarget": "foo.com", 
            "ResponsePolicyType": "REDIRECT", 
            "Ttl": "30", 
            "Type": "ResponsePolicy", 
            "ID": 100930, 
            "Name": "Malware Trap"
        }
    ]
}
Human Readable Output

Response Policies:

Malware Trap

| ID | Name | Type | Ttl | ResponsePolicyType | RedirectTarget |
| --- | --- | --- | --- | --- | --- |
| 100930 | Malware Trap | ResponsePolicy | 30 | REDIRECT | foo.com |

3. Search response policies by domain


Searches all response policies in which the given domain is included.

Base Command

bluecat-am-search-response-policies-by-domain

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain name by which to search. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| BlueCat.AddressManager.ResponsePolicies.ID | Number | ID of the response policy. |
| BlueCat.AddressManager.ResponsePolicies.Name | String | Name of the response policy. |
| BlueCat.AddressManager.ResponsePolicies.Ttl | Unknown | Time to live (TTL) of the response policy. |
| BlueCat.AddressManager.ResponsePolicies.Type | String | Type of the response policy (BLACKLIST, BLACKHOLE, WHITELIST, or REDIRECT). |
| BlueCat.AddressManager.ResponsePolicies.RedirectTarget | String | Redirect target, for policies of type REDIRECT. |

Command Example
bluecat-am-search-response-policies-by-domain domain="demisto.com"
Human Readable Output

Could not find any response policy

4. Add a domain to a response policy


Adds a domain to the given response policy.

Base Command

bluecat-am-response-policy-add-domain

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| policy_id | ID of the response policy to edit. | Required |
| domain | Domain to add to the response policy. | Required |

Context Output

There is no context output for this command.

Command Example
bluecat-am-response-policy-add-domain policy_id="100930" domain="demisto.com"
Human Readable Output

Successfully added demisto.com to response policy 100930

5. Remove a domain from a response policy


Removes a domain from the given response policy.

Base Command

bluecat-am-response-policy-remove-domain

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| policy_id | ID of the response policy to edit. | Required |
| domain | Domain to remove from the response policy. | Required |

Context Output

There is no context output for this command.

Command Example
bluecat-am-response-policy-remove-domain policy_id="100930" domain="demisto.com"
Human Readable Output

Successfully removed demisto.com from response policy 100930

6. Get an IPv4 block containing an IPv4 address


Gets the IPv4 block that contains the specified IPv4 address.

Base Command

bluecat-am-get-range-by-ip

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address for which to get the range. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| BlueCat.AddressManager.Range.ID | String | The Address Manager ID of the range. |
| BlueCat.AddressManager.Range.Name | String | Name of the range. |
| BlueCat.AddressManager.Range.Type | String | Type of the range. |
| BlueCat.AddressManager.Range.Parents.ID | String | ID of the parent range. |
| BlueCat.AddressManager.Range.Parents.Type | String | Type of the parent range. |
| BlueCat.AddressManager.Range.Parents.Name | String | Name of the parent range. |
| BlueCat.AddressManager.Range.Parents.CIDR | String | CIDR (Classless Inter-Domain Routing) notation of the parent range. |

Command Example
bluecat-am-get-range-by-ip ip="10.0.0.11"
Human Readable Output

[Screenshot of the command output; not reproduced here.]