Indeni

Overview


Indeni Integration This integration was integrated and tested with version 7.1.1 of Indeni

Indeni Playbook


The playbook periodically pulls vulnerability issues for Palo Alto Network devices and converts them to Demisto incidents. For every incident that's created, it posts a note back to Indeni to let user know that the issue is been handled by Demisto and creates a Jira ticket with all the relevant information pulled from Inden API. One the assigned user marks the Jira ticket as Done, the playbook will automatically acknowledge the issue in Indeni and close the incident.

Use Cases


  1. Pull in critical Indeni issues and triage the issues

Configure Indeni on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Indeni.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Trust any certificate (not secure)
    • API url: for exampe, https://10.11.80.21:9443
    • API Key: can be obtained from Indeni UI, Settings -> About page
    • Fetch incidents
    • Incident type
    • Only Pull Palo Alto Network Vulnerability Issues: true if only wants Palo Alto Network vulnerability issues, false will pull all issues
    • Use system proxy settings
    • Number of issues to pull per fetch: max number of issues that will be ingested as incidents per fetch cycle
    • Lowest Issue Severity To Pull: Any issue with higher or equivalent severity will be pulled
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data


{
[
{
"occurred": "2019-10-07T19:55:39.424Z",
"updated": "2019-12-11T06:08:50.216Z",
"name": "High disk space utilization",
"rawJSON": {...},
"severity": 4,
"details": "Some disks or file systems are under high usage. Determine the cause for the high disk usage of the listed file systems."
}
]
}

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. indeni-get-device-info
  2. indeni-get-alert-info
  3. indeni-get-alert-summary
  4. indeni-post-note
  5. indeni-archive-issue
  6. indeni-unarchive-issue
  7. indeni-get-notes

1. indeni-get-device-info


get the device information

Base Command

indeni-get-device-info

Input
Argument NameDescriptionRequired
device_iddevice id stringRequired
Context Output
PathTypeDescription
Indeni.DeviceInfo.DeviceIdstringdevice id string
Indeni.DeviceInfo.DeviceIPstringdevice ip string
Indeni.DeviceInfo.DeviceNamestringdevice hostname
Indeni.DeviceInfo.DeviceModelstringdevice model
Indeni.DeviceInfo.OSVersionstringdevice OS version
Indeni.DeviceInfo.CriticalAlertStatsnumber# of critical alerts on the device
Indeni.DeviceInfo.ErrorAlertStatsnumber# of error alerts on the device
Indeni.DeviceInfo.WarnAlertStatsnumber# of warn alerts on the device
Indeni.DeviceInfo.InfoAlertStatsnumber# of info alerts on the device
Command Example

!indeni-get-device-info device_id=01178b51-b8af-4249-aecf-6e5b8da4a04f

Context Example
{
"Indeni.DeviceInfo": {
"DeviceIP": "172.16.20.80",
"DeviceModel": "PA-200",
"DeviceName": "kdlab-pa200",
"WarnAlertStats": 7,
"DeviceId": "01178b51-b8af-4249-aecf-6e5b8da4a04f",
"CriticalAlertStats": 3,
"ErrorAlertStats": 9,
"OSVersion": "7.0.9",
"InfoAlertStats": 1
}
}
Human Readable Output

Device Info

CriticalAlertStatsDeviceIPDeviceIdDeviceModelDeviceNameErrorAlertStatsInfoAlertStatsOSVersionWarnAlertStats
3172.16.20.8001178b51-b8af-4249-aecf-6e5b8da4a04fPA-200kdlab-pa200917.0.97

2. indeni-get-alert-info


get detailed alert info

Base Command

indeni-get-alert-info

Input
Argument NameDescriptionRequired
alert_idthe id of the alertRequired
Context Output
PathTypeDescription
Indeni.AlertInfo.AlertIdstringid of the alert
Indeni.AlertInfo.Headlinestringheadline of the alert
Indeni.AlertInfo.DeviceIdstringdevice id
Indeni.AlertInfo.AlertTypestringthe alert type unique identifier
Command Example

!indeni-get-alert-info alert_id=7f0a5ded-571a-4ba0-835d-ba2f76469226

Context Example
{
"Indeni.AlertInfo": {
"Headline": "Vulnerability in the PAN-OS DNS Proxy PAN-SA-2017-0021",
"AlertType": "panos_vulnerability_pansa_20170021_rule",
"DeviceId": "01178b51-b8af-4249-aecf-6e5b8da4a04f",
"AlertId": "7f0a5ded-571a-4ba0-835d-ba2f76469226"
}
}
Human Readable Output

Alert ID 7f0a5ded-571a-4ba0-835d-ba2f76469226

acknowledgedalert_blocksalert_idalert_typeconfiguration_set_idcreate_atdevice_idevidenceheadlineidnotesresolvedrevalidated_atseverityunique_identifierupdated_at
falseA Remote Code Execution vulnerability exists in the PAN-OS DNS Proxy. This issue affects customers who have DNS Proxy enabled in PAN-OS. This issue affects both the Data and Management planes of the firewall. When DNS Proxy processes a specially crafted fully qualified domain names (FQDN), it is possible to execute code on the firewall. (Ref # PAN-77516 / CVE-2017-8390).
Vendor Severity Rating: Critical
Palo Alto Networks recommends disabling DNS Proxy for those customers who are affected and are unable to apply the update.
For more information please review: https://securityadvisories.paloaltonetworks.com/Home/Detail/91
49517UNAUTOREMEDIATABLE_ISSUE34092019-10-07T19:55:41.344Z01178b51-b8af-4249-aecf-6e5b8da4a04fts:
snapshot:
Vulnerability in the PAN-OS DNS Proxy PAN-SA-2017-00217f0a5ded-571a-4ba0-835d-ba2f76469226Demisto
Demisto
Issue has been marked as unacknowledged.
Issue has been marked as acknowledged.
Demisto
Issue has been marked as unacknowledged.
Issue has been marked as acknowledged.
Demisto
Issue has been marked as unacknowledged.
Jira ticket created ["IKP-3864"]
This issue is currently been handled by Demisto
Issue has been marked as acknowledged.
Jira ticket is resolved.
Jira ticket created ["IKP-3849"]
This issue is currently been handled by Demisto
This issue is currently been handled by Demisto
Issue created.
false2020-02-14T08:40:45.891Zlevel: 0
description: CRITICAL
panos_vulnerability_pansa_20170021_rule2020-02-13T08:38:23.445Z

3. indeni-get-alert-summary


gets summary of given alert type for all devices

Base Command

indeni-get-alert-summary

Input
Argument NameDescriptionRequired
alert_type_identifieridentifier for alert typeRequired
Context Output
PathTypeDescription
Indeni.AffectedDevices.AlertTypeStringAlert type that's affecting the devices
Indeni.AffectedDevices.Device.DeviceNameStringName of the affected device
Indeni.AffectedDevices.Device.DeviceIdStringId of the affected device
Command Example

!indeni-get-alert-summary alert_type_identifier=panos_vulnerability_pansa_20170021_rule

Context Example
{
"Indeni.AffectedDevices": {
"Device": [
{
"DeviceName": "kdlab-pa200",
"DeviceId": "01178b51-b8af-4249-aecf-6e5b8da4a04f",
"Items": []
}
],
"AlertType": "panos_vulnerability_pansa_20170021_rule"
}
}
Human Readable Output

Devices Experiencing Alert panos_vulnerability_pansa_20170021_rule

DeviceIdDeviceName
01178b51-b8af-4249-aecf-6e5b8da4a04fkdlab-pa200

4. indeni-post-note


Post a note to a given issue id

Base Command

indeni-post-note

Input
Argument NameDescriptionRequired
alert_idthe id of the alertRequired
notethe content of the noteRequired
Context Output

There is no context output for this command.

Command Example

!indeni-post-note alert_id=7f0a5ded-571a-4ba0-835d-ba2f76469226 note=Demisto

Human Readable Output

Done

5. indeni-archive-issue


Archive an issue for the given alert id

Base Command

indeni-archive-issue

Input
Argument NameDescriptionRequired
alert_idthe alert id of the issueRequired
Context Output

There is no context output for this command.

Command Example

!indeni-archive-issue alert_id=7f0a5ded-571a-4ba0-835d-ba2f76469226

Human Readable Output

Done

6. indeni-unarchive-issue


Unarchive an existing issue

Base Command

indeni-unarchive-issue

Input
Argument NameDescriptionRequired
alert_idthe alert id of the issueRequired
Context Output

There is no context output for this command.

Command Example

!indeni-unarchive-issue alert_id=7f0a5ded-571a-4ba0-835d-ba2f76469226

Human Readable Output

Done

7. indeni-get-notes


Gets the notes from issue

Base Command

indeni-get-notes

Input
Argument NameDescriptionRequired
alert_idThe id of the alertRequired
Context Output
PathTypeDescription
Indeni.AlertInfo.NoteUnknownNotes for the given issue
Command Example

!indeni-get-notes alert_id=7f0a5ded-571a-4ba0-835d-ba2f76469226

Context Example
{
"Indeni.AlertInfo": [
{
"note": "Issue has been marked as unacknowledged.",
"timestamp": "2020-02-14T08:41:21.000Z"
},
{
"note": "Issue has been marked as acknowledged.",
"timestamp": "2020-02-14T08:41:20.000Z"
},
{
"note": "Demisto",
"timestamp": "2020-02-14T08:41:19.000Z"
},
{
"note": "Demisto",
"timestamp": "2020-02-14T08:31:29.000Z"
},
{
"note": "Demisto",
"timestamp": "2020-02-14T08:27:59.000Z"
},
{
"note": "Issue has been marked as unacknowledged.",
"timestamp": "2020-02-13T08:38:23.000Z"
},
{
"note": "Issue has been marked as acknowledged.",
"timestamp": "2020-02-13T08:37:51.000Z"
},
{
"note": "Demisto",
"timestamp": "2020-02-13T08:35:33.000Z"
},
{
"note": "Issue has been marked as unacknowledged.",
"timestamp": "2020-02-10T21:39:47.000Z"
},
{
"note": "Issue has been marked as acknowledged.",
"timestamp": "2020-02-10T21:39:46.000Z"
},
{
"note": "Demisto",
"timestamp": "2020-02-10T21:39:45.000Z"
},
{
"note": "Issue has been marked as unacknowledged.",
"timestamp": "2020-02-10T21:37:58.000Z"
},
{
"note": "Jira ticket created [\"IKP-3864\"]",
"timestamp": "2020-02-10T21:25:33.000Z"
},
{
"note": "This issue is currently been handled by Demisto",
"timestamp": "2020-02-10T21:25:28.000Z"
},
{
"note": "Issue has been marked as acknowledged.",
"timestamp": "2020-02-04T21:25:03.000Z"
},
{
"note": "Jira ticket is resolved. ",
"timestamp": "2020-02-04T21:25:01.000Z"
},
{
"note": "Jira ticket created [\"IKP-3849\"]",
"timestamp": "2020-02-04T21:14:03.000Z"
},
{
"note": "This issue is currently been handled by Demisto",
"timestamp": "2020-02-04T21:13:59.000Z"
},
{
"note": "This issue is currently been handled by Demisto",
"timestamp": "2020-01-31T20:16:49.000Z"
},
{
"note": "Issue created.",
"timestamp": "2019-10-07T19:55:41.000Z"
}
]
}
Human Readable Output

Issue Notes

notetimestamp
Issue has been marked as unacknowledged.2020-02-14T08:41:21.000Z
Issue has been marked as acknowledged.2020-02-14T08:41:20.000Z
Demisto2020-02-14T08:41:19.000Z
Demisto2020-02-14T08:31:29.000Z
Demisto2020-02-14T08:27:59.000Z
Issue has been marked as unacknowledged.2020-02-13T08:38:23.000Z
Issue has been marked as acknowledged.2020-02-13T08:37:51.000Z
Demisto2020-02-13T08:35:33.000Z
Issue has been marked as unacknowledged.2020-02-10T21:39:47.000Z
Issue has been marked as acknowledged.2020-02-10T21:39:46.000Z
Demisto2020-02-10T21:39:45.000Z
Issue has been marked as unacknowledged.2020-02-10T21:37:58.000Z
Jira ticket created ["IKP-3864"]2020-02-10T21:25:33.000Z
This issue is currently been handled by Demisto2020-02-10T21:25:28.000Z
Issue has been marked as acknowledged.2020-02-04T21:25:03.000Z
Jira ticket is resolved.2020-02-04T21:25:01.000Z
Jira ticket created ["IKP-3849"]2020-02-04T21:14:03.000Z
This issue is currently been handled by Demisto2020-02-04T21:13:59.000Z
This issue is currently been handled by Demisto2020-01-31T20:16:49.000Z
Issue created.2019-10-07T19:55:41.000Z

Additional Information


Known Limitations


Troubleshooting