Icebrg
ICEBRG is a network security product. This integration lets Demisto run ICEBRG event searches, pull the reports ICEBRG produces, and create Demisto incidents from those reports.
Fetch-incidents behaviour:
- Only reports that contain more than one asset are fetched.
- Events are not fetched as incidents.
- Reports are filtered by published date.
- Fetching runs every 10 minutes.
To set up ICEBRG to work with Demisto:
To obtain API token (on ICEBRG):
- Go to ‘Settings > Profile Settings > Tokens’.
- Click ‘Create new token’.
- Enter description.
- Click ‘Create’.
- Record this token to use in the next steps.
To set up the integration on Demisto:
- Go to ‘Settings > Integrations > Servers & Services’.
- Locate ‘ICEBRG’ by searching for it using the search box at the top of the page.
- Click ‘Add instance’ to create and configure a new integration. You should configure the following settings:
Name : A textual name for the integration instance.
Server URL for the search API : The URL of the ICEBRG appliance that serves the search API.
API username : ICEBRG API token.
Server URL for the reports API : The URL of the server that serves the reports API.
Password : ICEBRG API password.
ICEBRG token : The token obtained in the steps above.
Fetch incidents : Select whether to automatically create Demisto incidents from ICEBRG reports.
Demisto engine : If relevant, select the engine that acts as a proxy to the server. Engines are used when you need to access remote network segments and network devices such as proxies or firewalls prevent the Demisto server from reaching those networks.
For more information on Demisto engines see:
https://demisto.zendesk.com/hc/en-us/articles/226274727-Settings-Integrations-Engines
- Press the ‘Test’ button to validate the connection.
- After the test completes successfully, press the ‘Done’ button.
If you are experiencing issues with the service configuration, please contact Demisto support at support@demisto.com.
Top Use-cases:
- Search events by query.
- Get reports by UUID.
Commands:
- icebrg-search-events
Input:
Query (mandatory) - The query string or entity for which to search.
Context output:
Icebrg.Events.QueryType - Query type
Icebrg.Events.Total - Total number of matching events
Icebrg.Events.OrderBy - Key the events are ordered by
Icebrg.Events.Order - Order of the events
Icebrg.Events.Offset - Events offset
Icebrg.Events.History - History of events
Icebrg.Events.Limit - Maximum number of events to show
Raw output:
{ "total": 135359505, "offset": 0, "limit": 100, "order_by": "timestamp", "query_type": "complex", "events": [ ... ] }
- icebrg-get-history
Input:
none
Context output:
Icebrg.UserQueryHistory.Total - Total user queries
Raw output:
{ "history": [{ "total": 3393897721, "timestamp": "2017-03-30T20:56:11.556Z", "query": "port = 80", "id": "725be4f112f5b5ae9807b7130b2cea97" }, { "total": 211313295, "timestamp": "2017-03-30T17:44:35.748Z", "query": "google.com", "id": "655765009424c447765d06773e711dd3" }], "User_id": "f3259c9f-e54a-4e93-b71d-8e995a2cd96b" }
- icebrg-saved-searches
Input:
none
Context output:
Icebrg.SavedSearches.Tags - Query tags
Icebrg.SavedSearches.Description - Query description
Icebrg.SavedSearches.Title - Query title
Icebrg.SavedSearches.Timestamp - Query timestamp
Icebrg.SavedSearches.Query - Saved query string
Icebrg.SavedSearches.Id - Query ID
Raw output:
{ "saved_queries": [{ "tags": [], "description": "", "title": "Test", "timestamp": "2017-03-17T00:48:34.359Z", "query": "ip='127.0.0.1'", "id": "AVrZvNBGl0ZSNz2usg93" }] }
- icebrg-get-reports
Input:
Limit - The maximum number of records to return. The default is no limit.
Offset - The number of records to skip. The default is none.
Sort by - The field to sort by (created, updated, or published). The default is unsorted.
Sort order - The sort order, asc or desc. The default is asc if sort_by is provided.
Account UUID - UUID of the account to filter by.
Archived - Archived status to filter by.
Confidence - Confidence to filter by (low, moderate, high).
Risk - Risk to filter by (low, moderate, high).
Search - Text string to search for in the title and summary.
Status - Status to filter by.
Published start - Published start date to filter by (inclusive), RFC3339 format.
Published end - Published end date to filter by (exclusive), RFC3339 format.
Context output:
Icebrg.Reports.Publishes.UserUuid - User UUID that published the report
Icebrg.Reports.Publishes.Published - Timestamp at which the report was published
Icebrg.Reports.AssetCount - Asset count of the report
Icebrg.Reports.IndicatorCount - Indicator count of the report
Icebrg.Reports.Archived - True if archived, else false
Icebrg.Reports.Details - Report details
Icebrg.Reports.Summary - Report summary
Icebrg.Reports.Category - Category of the report
Icebrg.Reports.Confidence - Confidence of the report
Icebrg.Reports.Risk - Risk of the report
Icebrg.Reports.Title - Report title
Icebrg.Reports.Status - Status of the report
Icebrg.Reports.AccountUuid - Account UUID of the report
Icebrg.Reports.UpdatedUserUuid - User UUID that last updated the report
Icebrg.Reports.CreatedUserUuid - User UUID that created the report
Icebrg.Reports.Updated - Timestamp of the last report update
Icebrg.Reports.Created - Timestamp of report creation
Icebrg.Reports.Uuid - Report UUID
Raw output:
{ "reports": [{ "publishes": [{ "user_uuid": "b3fc3df4-d3cf-4202-971c-0dcfe7cccf42", "published": "2017-01-24T10:13:13.418Z" }], "asset_count": 1, "indicator_count": 5, "archived": false, "details": "On 21 January, ...", "summary": "A host was infected with Cerber ransomware after opening a
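The fetch-incidents rules at the top of this page (more than one asset, filtered by published date, a window every 10 minutes) and the icebrg-get-reports inputs and context keys above describe one pipeline. The following is an added example, not code from the integration or from ICEBRG: it builds the query for one fetch window, applies the same selection client-side to a constructed report list, and maps the raw fields onto the documented Icebrg.Reports context keys. The snake_case wire names in report_query and the raw field names not shown in the raw output above (uuid, created, ...) are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample data, NOT real ICEBRG output: field names follow the
# icebrg-get-reports raw output shown above, values are invented.
SAMPLE_REPORTS = {"reports": [
    {"uuid": "r-1", "title": "Cerber infection", "asset_count": 3, "risk": "high",
     "status": "published",
     "publishes": [{"user_uuid": "u-1", "published": "2017-01-24T10:13:13.418Z"}]},
    # Only one asset: skipped by the fetch rule even though it is in the window.
    {"uuid": "r-2", "title": "Single-host beacon", "asset_count": 1, "risk": "moderate",
     "status": "published",
     "publishes": [{"user_uuid": "u-1", "published": "2017-01-24T10:15:00Z"}]},
    # Published exactly on a window boundary: belongs to the next window only.
    {"uuid": "r-3", "title": "Lateral movement", "asset_count": 2, "risk": "high",
     "status": "published",
     "publishes": [{"user_uuid": "u-2", "published": "2017-01-24T10:20:00.000Z"}]},
    # Never published: nothing to filter on, so never fetched.
    {"uuid": "r-4", "title": "Draft", "asset_count": 5, "risk": "low",
     "status": "draft", "publishes": []},
]}

# Raw field -> documented context key under Icebrg.Reports. Raw names not shown
# in the page's sample output (uuid, created, ...) are ASSUMED to be snake_case.
CONTEXT_KEYS = {
    "uuid": "Uuid", "title": "Title", "summary": "Summary", "details": "Details",
    "category": "Category", "status": "Status", "risk": "Risk",
    "confidence": "Confidence", "archived": "Archived",
    "asset_count": "AssetCount", "indicator_count": "IndicatorCount",
    "account_uuid": "AccountUuid", "created": "Created", "updated": "Updated",
    "created_user_uuid": "CreatedUserUuid", "updated_user_uuid": "UpdatedUserUuid",
}


def parse_rfc3339(ts):
    """Parse the UTC ('Z') RFC3339 timestamps ICEBRG emits, with or without fractions."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported RFC3339 timestamp: %r" % ts)


def to_rfc3339(dt):
    """Format a timezone-aware datetime as RFC3339 UTC with millisecond precision."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def report_query(start, end):
    """Parameters for one fetch window. The snake_case names are an ASSUMED wire
    form of the documented inputs Sort by, Sort order, Published start, Published end."""
    return {"sort_by": "published", "sort_order": "asc",
            "published_start": to_rfc3339(start),   # inclusive
            "published_end": to_rfc3339(end)}       # exclusive


def latest_publish(report):
    """Most recent publish time of a report, or None if it was never published."""
    times = [parse_rfc3339(p["published"]) for p in report.get("publishes", [])]
    return max(times) if times else None


def to_context(report):
    """Map a raw report onto the documented Icebrg.Reports context keys."""
    ctx = {key: report[raw] for raw, key in CONTEXT_KEYS.items() if raw in report}
    ctx["Publishes"] = [{"UserUuid": p["user_uuid"], "Published": p["published"]}
                        for p in report.get("publishes", [])]
    return ctx


def fetch_window(raw, start, end, min_assets=2):
    """Client-side form of the fetch rule: reports with more than one asset whose
    latest publish time lies in [start, end), oldest first. Consecutive windows
    share a boundary, so the half-open interval neither duplicates nor drops a
    report published exactly on it."""
    picked = []
    for report in raw["reports"]:
        if report.get("asset_count", 0) < min_assets:
            continue
        published = latest_publish(report)
        if published is None or not (start <= published < end):
            continue
        picked.append(report)
    picked.sort(key=latest_publish)
    return [to_context(r) for r in picked]


if __name__ == "__main__":
    start = parse_rfc3339("2017-01-24T10:10:00Z")
    end = parse_rfc3339("2017-01-24T10:20:00Z")
    print(report_query(start, end))
    for ctx in fetch_window(SAMPLE_REPORTS, start, end):
        print(ctx["Uuid"], ctx["Title"], ctx["Publishes"][0]["Published"])
```

Run as-is it selects only r-1 for the 10:10 to 10:20 window; r-3, published exactly at 10:20:00, is picked up by the next window and never twice. Using the report's latest publish timestamp rather than created or updated keeps a re-edited report from resurfacing as a new incident.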
- icebrg-get-report-assets
Input:
Report UUID (mandatory) - UUID of the report whose assets to retrieve
Context output:
Icebrg.ReportAssets.Asset - Assets of the report with the given UUID
Raw output:
{ "assets": [{ "asset" : "10.248.100.74" }] }
Troubleshooting
This integration was integrated and tested with version 1.3 of ICEBRG.