Icebrg
ICEBRG is a network security product which is used in conjunction with Demisto to get events and reports produced in ICEBRG for queries.
The following data is fetched :
- Fetching reports which contain more than one asset.
- Events cannot be fetched.
- Flittering by published date.
- Fetching every 10 minutes.
To set up ICEBRG to work with Demisto:
To obtain API token (on ICEBRG):
- Go to ‘Settings > Profile Settings > Tokens’.
- Click ‘Create new token’.
- Enter description.
- Click ‘Create’
- Record this token to use in the next steps.
To set up the integration on Demisto:
- Go to ‘Settings > Integrations > Servers & Services’
- Locate ‘ICEBRG’ by searching for it using the search box on the top of the page.
-
Click ‘Add instance’ to create and configure a new integration. You should configure the following settings:
Name : A textual name for the integration instance.
Server URL for the search API : The URL appliance.
API username : ICEBRG API token.
Server URL for the reports API: The server used for the reports API.
Password : ICEBRG API password.
ICEBRG token: The token obtained in the steps above.
Fetch incidents : Select whether to automatically create Demisto incidents from ICEBRG offenses.
Demisto engine : If relevant, select the engine that acts as a proxy to the server. Engines are used when you need to access a remote network segments and there are network devices such as proxies, firewalls, etc. that prevent the Demisto server from accessing the remote networks.
For more information on Demisto engines see:
https://demisto.zendesk.com/hc/en-us/articles/226274727-Settings-Integrations-Engines -
Press the ‘Test’ button to validate connection.
If you are experiencing issues with the service configuration, please contact Demisto support at support@demisto.com - After completing the test successfully, press the ‘Done’ button.
Top Use-cases:
- Search events by query.
- Get reports by UUID..
Commands:
- icebrg-search-events
Input:
|
Query (mandatory)
- The query string or entity for which to search.
|
Context output:
|
Icebrg.Events.QueryType
- Query type
Icebrg.Events.Total - Total events Icebrg.Events.OrderBy - Key to order events by Icebrg.Events.Order - Order of the events Icebrg.Events.Offset - Events offset Icebrg.Events.History - History of events Icebrg.Events.Limit - Limit number of events to show |
Raw output:
{
"total": 135359505,
"offset": 0,
"limit": 100,
"order_by": "timestamp",
"query_type": "complex",
"events": [ ... ]
}
|
- icebrg-get-history
Input:
| none |
Context output:
|
Icebrg.UserQueryHistory.Total
- Total user queries
|
Raw output:
{
"history": [{
"total": 3393897721,
"timestamp": "2017-03-30T20:56:11.556Z",
"query": "port = 80",
"id": "725be4f112f5b5ae9807b7130b2cea97"
},
{
"total": 211313295,
"timestamp": "2017-03-30T17:44:35.748Z",
"query": "google.com",
"id": "655765009424c447765d06773e711dd3"
}],
"User_id": "f3259c9f-e54a-4e93-b71d-8e995a2cd96b"
}
|
- icebrg-saved-searches
Input:
| none |
Context output:
|
Icebrg.SavedSearches.Tags
- Query tags
Icebrg.SavedSearches.Description - Query description Icebrg.SavedSearches.Title - Query title Icebrg.SavedSearches.Timestamp - Query timestamp Icebrg.SavedSearches.Query - Called query Icebrg.SavedSearches.Id - Query ID |
Raw output:
{
"saved_queries": [{
"tags": [],
"description": "",
"title": "Test",
"timestamp": "2017-03-17T00:48:34.359Z",
"query": "ip='127.0.0.1'",
"id": "AVrZvNBGl0ZSNz2usg93"
}]
}
|
- icebrg-get-reports
Input:
|
Limit
- The maximum number of records to return. The default is no limit.
Offset - The number of records to skip. The default is none. Sort by - The field to sort by (created, updated, or published). The default is unsorted. Sort order - The sort order asc or desc. The default is asc if sort_by is provided. Account UUID - UUID of account to filter by. Archived - Archived status to filter by. Confidence - Confidence to filter by (low, moderate, high). Risk - Risk to filter by (low, moderate, high). Search - Text string to search the title and summary. Status - Status to filter by. Published start - Published start date to filter by (inclusive), RFC3339 format. Published end - Published end date to filter by (exclusive), RFC3339 format. |
Context output:
|
Icebrg.Reports.Publishes.UserUuid
- User UUID that published the report
Icebrg.Reports.Publishes.Publishe
- Timestamp of published report
Icebrg.Reports.AssetCount
- Asset count of report
Icebrg.Reports.IndicatorCount - Indicator count of report Icebrg.Reports.Archived - True if archived, else false Icebrg.Reports.Details - Report details Icebrg.Reports.Summary - Report summary Icebrg.Reports.Category - Category of the report Icebrg.Reports.Confidence - Indicator count of report Icebrg.Reports.Archived - Confidence of report Icebrg.Reports.Risk - Risk of report Icebrg.Reports.Title - Report title Icebrg.Reports.Status - Status of report Icebrg.Reports.AccountUuid - Account UUID of report Icebrg.Reports.UpdatedUserUuid - User UUID that updated the report Icebrg.Reports.CreatedUserUuid - User UUID that created the report Icebrg.Reports.Updated - Timestamp of report update Icebrg.Reports.Created - Timestamp of report creation Icebrg.Reports.Uuid - Report UUID |
Raw output:
{
"reports": [{
"publishes": [{
"user_uuid": "b3fc3df4-d3cf-4202-971c-0dcfe7cccf42",
"published": "2017-01-24T10:13:13.418Z"
}],
"asset_count": 1,
"indicator_count": 5,
"archived": false,
"details": "On 21 January, ...",
"summary": "A host was infected with Cerber ransomware after opening a
|
- icebrg-get-report-assets
Input:
| Report UUID (mandatory) - Report UUID to get the indicator |
Context output:
| Icebrg.ReportAssets.Asset - Assets of Report UUID |
Raw output:
{
"assets": [{
"asset" : "10.248.100.74"
}]
}
|
Troubleshooting
This integration was integrated and tested with version 1.3 of ICEBRG.