Icebrg

ICEBRG is a network security product. This integration lets Demisto query ICEBRG for the events and reports it produces.

The following data is fetched:

  • Reports that contain more than one asset.
  • Events are not fetched.
  • Reports are filtered by published date.
  • Fetching runs every 10 minutes.

To set up ICEBRG to work with Demisto:

To obtain an API token (on ICEBRG):

  1. Go to ‘Settings > Profile Settings > Tokens’.
  2. Click ‘Create new token’.
  3. Enter a description.
  4. Click ‘Create’.
  5. Record this token; you will use it in the next steps.

To set up the integration on Demisto:

  1. Go to ‘Settings > Integrations > Servers & Services’.
  2. Locate ‘ICEBRG’ by searching for it using the search box at the top of the page.
  3. Click ‘Add instance’ to create and configure a new integration. Configure the following settings:
    Name: A textual name for the integration instance.
    Server URL for the search API: The URL of the ICEBRG appliance.
    API username: ICEBRG API token.
    Server URL for the reports API: The server used for the reports API.
    Password: ICEBRG API password.
    ICEBRG token: The token obtained in the steps above.
    Fetch incidents: Select whether to automatically create Demisto incidents from ICEBRG reports.
    Demisto engine: If relevant, select the engine that acts as a proxy to the server. Engines are used when you need to access remote network segments and there are network devices such as proxies, firewalls, etc. that prevent the Demisto server from accessing the remote networks.
    For more information on Demisto engines see:
    https://demisto.zendesk.com/hc/en-us/articles/226274727-Settings-Integrations-Engines
  4. Press the ‘Test’ button to validate the connection.
    If you are experiencing issues with the service configuration, please contact Demisto support at support@demisto.com
  5. After completing the test successfully, press the ‘Done’ button.

Top Use-cases:

  • Search events by query.
  • Get reports by UUID.

Commands:

  • icebrg-search-events

Input:

Query (mandatory) - The query string or entity for which to search.
Start date - The beginning of the temporal extent by which to restrict filter results, inclusive (in RFC3339 format).
End date - The end of the temporal extent by which to restrict filter results, exclusive (in RFC3339 format).
Order by - The event property by which to order results. Default: timestamp.
Order - The order of results, either "asc" or "desc". Default: desc.
Customer ID - The customer ID by which to restrict filter results. Default: user's account.
History - When true, save this query in user's Query History and include up to the last 50 queries from user's Query History. Default: false.
Service traffic - When true, the service will include the service_traffic aggregation. Default: false.

Context output:

Icebrg.Events.QueryType - Query type
Icebrg.Events.Total - Total events
Icebrg.Events.OrderBy - Key to order events by
Icebrg.Events.Order - Order of the events
Icebrg.Events.Offset - Events offset
Icebrg.Events.History - History of events
Icebrg.Events.Limit - Limit number of events to show

Raw output:

{
    "total": 135359505,
    "offset": 0,
    "limit": 100,
    "order_by": "timestamp",
    "query_type": "complex",
    "events": [ ... ]
}

  • icebrg-get-history

Input:

none

Context output:

Icebrg.UserQueryHistory.Total - Total user queries
Icebrg.UserQueryHistory.Timestamp - Timestamp of user query
Icebrg.UserQueryHistory.Query - Called query
Icebrg.UserQueryHistory.QueryId - ID of query
Icebrg.UserQueryHistory.UserId - User ID

Raw output:

{
    "history": [{
        "total": 3393897721,
        "timestamp": "2017-03-30T20:56:11.556Z",
        "query": "port = 80",
        "id": "725be4f112f5b5ae9807b7130b2cea97"
    },
    {
        "total": 211313295,
        "timestamp": "2017-03-30T17:44:35.748Z",
        "query": "google.com",
        "id": "655765009424c447765d06773e711dd3"
    }],
    "User_id": "f3259c9f-e54a-4e93-b71d-8e995a2cd96b"
}

  • icebrg-saved-searches

Input:

none

Context output:

Icebrg.SavedSearches.Tags - Query tags
Icebrg.SavedSearches.Description - Query description
Icebrg.SavedSearches.Title - Query title
Icebrg.SavedSearches.Timestamp - Query timestamp
Icebrg.SavedSearches.Query - Called query
Icebrg.SavedSearches.Id - Query ID

Raw output:

{
    "saved_queries": [{
        "tags": [],
        "description": "",
        "title": "Test",
        "timestamp": "2017-03-17T00:48:34.359Z",
        "query": "ip='127.0.0.1'",
        "id": "AVrZvNBGl0ZSNz2usg93"
    }]
}

  • icebrg-get-reports

Input:

Limit - The maximum number of records to return. The default is no limit.
Offset - The number of records to skip. The default is none.
Sort by - The field to sort by (created, updated, or published). The default is unsorted.
Sort order - The sort order asc or desc. The default is asc if sort_by is provided.
Account UUID - UUID of account to filter by.
Archived - Archived status to filter by.
Confidence - Confidence to filter by (low, moderate, high).
Risk - Risk to filter by (low, moderate, high).
Search - Text string to search the title and summary.
Status - Status to filter by.
Published start - Published start date to filter by (inclusive), RFC3339 format.
Published end - Published end date to filter by (exclusive), RFC3339 format.

Context output:

Icebrg.Reports.Publishes.UserUuid - User UUID that published the report
Icebrg.Reports.Publishes.Published - Timestamp of published report
Icebrg.Reports.AssetCount - Asset count of report
Icebrg.Reports.IndicatorCount - Indicator count of report
Icebrg.Reports.Archived - True if archived, else false
Icebrg.Reports.Details - Report details
Icebrg.Reports.Summary - Report summary
Icebrg.Reports.Category - Category of the report
Icebrg.Reports.Confidence - Confidence of report
Icebrg.Reports.Risk - Risk of report
Icebrg.Reports.Title - Report title
Icebrg.Reports.Status - Status of report
Icebrg.Reports.AccountUuid - Account UUID of report
Icebrg.Reports.UpdatedUserUuid - User UUID that updated the report
Icebrg.Reports.CreatedUserUuid - User UUID that created the report
Icebrg.Reports.Updated - Timestamp of report update
Icebrg.Reports.Created - Timestamp of report creation
Icebrg.Reports.Uuid - Report UUID

Raw output:

{
    "reports": [{
        "publishes": [{
            "user_uuid": "b3fc3df4-d3cf-4202-971c-0dcfe7cccf42",
            "published": "2017-01-24T10:13:13.418Z"
        }],
        "asset_count": 1,
        "indicator_count": 5,
        "archived": false,
        "details": "On 21 January, ...",
        "summary": "A host was infected with Cerber ransomware after opening a malicious Word document received via email.",
        "category": "Ransomware",
        "confidence": "high",
        "risk": "moderate",
        "title": "Cerber Malware Infection",
        "status": "published",
        "account_uuid": "6bc3d2f1-af77-4236-a9db-17dacd06e4d9",
        "updated_user_uuid": "b3fc3df4-d3cf-4202-971c-0dcfe7cccf42",
        "created_user_uuid": "b3fc3df4-d3cf-4202-971c-0dcfe7cccf42",
        "updated": "2017-01-24T10:12:32.534Z",
        "created": "2017-01-24T07:25:36.363Z",
        "uuid": "2d35734f-5b16-41ff-a482-b08a7c74202a"
    }]
}

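The fetch behaviour described at the top of this page (reports with more than one asset, filtered by published date, on a 10-minute cycle) and the raw-to-context mapping for icebrg-get-reports, as an added Python example that is not part of this integration's own code: it parses a constructed icebrg-get-reports response, maps each report onto the Icebrg.Reports context keys listed above, and selects the reports a fetch run would turn into Demisto incidents. The sample data, the window bookkeeping and the incident name format are assumptions made for the example; only the raw field names and context paths come from this page.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the icebrg-get-reports raw output shown
# above. Every UUID, timestamp, title and count here is made up for this
# example; the page's own values are not reused.
SAMPLE_RAW_REPORTS = json.dumps({
    "reports": [
        {
            "publishes": [{"user_uuid": "00000000-0000-4000-8000-000000000001",
                           "published": "2017-01-24T10:13:13.418Z"}],
            "asset_count": 3, "indicator_count": 5, "archived": False,
            "details": "Sample details", "summary": "Sample summary",
            "category": "Malware", "confidence": "high", "risk": "moderate",
            "title": "Sample report A", "status": "published",
            "account_uuid": "00000000-0000-4000-8000-0000000000aa",
            "updated_user_uuid": "00000000-0000-4000-8000-000000000001",
            "created_user_uuid": "00000000-0000-4000-8000-000000000001",
            "updated": "2017-01-24T10:12:32.534Z",
            "created": "2017-01-24T07:25:36.363Z",
            "uuid": "00000000-0000-4000-8000-0000000000a1",
        },
        {   # single asset: the fetch rule skips it even though it is in the window
            "publishes": [{"published": "2017-01-24T11:00:00Z"}], "asset_count": 1,
            "title": "Sample report B", "uuid": "00000000-0000-4000-8000-0000000000b1",
        },
        {   # two assets, but published one second before the window starts
            "publishes": [{"published": "2017-01-23T23:59:59Z"}], "asset_count": 2,
            "title": "Sample report C", "uuid": "00000000-0000-4000-8000-0000000000c1",
        },
        {   # two assets, published exactly at the window end (exclusive): skipped
            "publishes": [{"published": "2017-01-25T00:00:00Z"}], "asset_count": 2,
            "title": "Sample report D", "uuid": "00000000-0000-4000-8000-0000000000d1",
        },
    ]
})

# Raw ICEBRG key -> Demisto context key, following the Icebrg.Reports.* paths
# documented above (Publishes is handled separately because it is a list).
CONTEXT_KEYS = {
    "uuid": "Uuid", "title": "Title", "summary": "Summary", "details": "Details",
    "category": "Category", "confidence": "Confidence", "risk": "Risk",
    "status": "Status", "archived": "Archived", "asset_count": "AssetCount",
    "indicator_count": "IndicatorCount", "account_uuid": "AccountUuid",
    "created_user_uuid": "CreatedUserUuid", "updated_user_uuid": "UpdatedUserUuid",
    "created": "Created", "updated": "Updated",
}


def parse_rfc3339_utc(ts):
    """Parse the UTC ('Z'-suffixed) RFC3339 timestamps ICEBRG returns, with or
    without fractional seconds, into a timezone-aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported timestamp: %r" % ts)


def report_to_context(report):
    """Map one raw report object onto the Icebrg.Reports context entry."""
    ctx = {new: report[old] for old, new in CONTEXT_KEYS.items() if old in report}
    ctx["Publishes"] = [{"UserUuid": p.get("user_uuid"), "Published": p.get("published")}
                        for p in report.get("publishes", [])]
    return ctx


def latest_published(report):
    """Most recent publish time of a report, or None if it was never published."""
    stamps = [parse_rfc3339_utc(p["published"])
              for p in report.get("publishes", []) if p.get("published")]
    return max(stamps) if stamps else None


def select_reports_for_fetch(raw_response, since, until):
    """Apply the fetch rules documented above to one raw icebrg-get-reports
    response: keep reports with more than one asset whose latest publish time
    lies in [since, until), inclusive start and exclusive end, matching the
    command's Published start / Published end inputs.

    Returns (incidents, newest): incidents in the shape Demisto's fetch-incidents
    expects (name, occurred, rawJSON), and the newest publish time kept, which
    the next 10-minute run stores as its `since` so a report is not re-created
    as an incident."""
    incidents, newest = [], since
    for report in json.loads(raw_response).get("reports", []):
        published = latest_published(report)
        if published is None or report.get("asset_count", 0) <= 1:
            continue
        if not (since <= published < until):
            continue
        incidents.append({
            "name": "ICEBRG report: %s" % report.get("title", report.get("uuid")),
            "occurred": published.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "rawJSON": json.dumps(report),
        })
        newest = max(newest, published)
    return incidents, newest


if __name__ == "__main__":
    window_start = parse_rfc3339_utc("2017-01-24T00:00:00Z")
    window_end = parse_rfc3339_utc("2017-01-25T00:00:00Z")
    found, next_since = select_reports_for_fetch(SAMPLE_RAW_REPORTS, window_start, window_end)
    for inc in found:
        print(inc["name"], inc["occurred"])
    print("next fetch starts at", next_since.isoformat())
```

With the constructed sample, only report A is turned into an incident: B has a single asset, C was published before the window, and D sits exactly on the exclusive end. Keeping the end of the window exclusive and carrying the newest kept timestamp forward is what prevents a report from being fetched twice across consecutive runs.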
  • icebrg-get-report-assets

Input:

Report UUID (mandatory) - UUID of the report whose assets to get.

Context output:

Icebrg.ReportAssets.Asset - Assets of Report UUID

Raw output:

{
    "assets": [{
        "asset": "10.248.100.74"
    }]
}

Troubleshooting

This integration was integrated and tested with version 1.3 of ICEBRG.