Preempt

Overview

Use the Preempt integration to eliminate security breaches and internal threats. Preempt is an Adaptive Threat Prevention platform based on identity, behavior, and risk.

This integration was integrated and tested with Preempt v2.3.1086.


Use Cases

  • Enable multi-factor authentication (MFA).
  • Retrieve user activities and the endpoints used by users.
  • Retrieve alerts from the Preempt platform.

Prerequisites

You need to obtain the following Preempt information.

  • Server address
  • API key

Get Your Preempt API Key

  1. Log in to the Preempt platform.
  2. Navigate to Administration > System > Settings > API Keys.
  3. Enable the API Token option.
  4. Create a token for Demisto if one was not already created.
  5. Click the link icon on the row for the token.
    The API key is copied to your clipboard. You will paste this when configuring the integration in Demisto.

Configure the Preempt Integration on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Preempt.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Preempt server address: for example, https://192.168.0.1
    • API key: paste the token that you copied.
    • Days to look back
    • Client Secret
    • Refresh Token
  4. Click Test to validate the URLs and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Add an account to the watch list: preempt-add-to-watch-list

Add a user account to the Preempt watch list.

Input

accountObjectGuid: Object GUID of the user account to add to the watch list

Output

There is no output for this command.


Remove an account from the watch list: preempt-remove-from-watch-list

Remove a user account from the Preempt watch list.

Input

accountObjectGuid: Object GUID of the user account to remove from the watch list

Output

There is no output for this command.


Retrieve User Activities: preempt-get-activities

Retrieve the activities and the activity data for a specific user.

Command Example

!preempt-get-activities sourceUserId="userID" types="LOGIN" numOfHours="48"

Input

Parameter     Description
sourceUserId  ID of the user whose activities you want to retrieve
types         List of specific activity types to return (comma delimited), for example LOGIN
endTime       End of the search window, for example: 2012-03-04 12:08:12.354
numOfHours    Number of hours to search back from endTime

Context Output

Path                                   Description
Preempt.Activities.EndpointHostName    Hostname of the activity's endpoint
Preempt.Activities.EventType           Activity type
Preempt.Activities.AuthenticationType  Authentication type
Preempt.Activities.Timestamp           Activity's date and time
Preempt.Activities.Cursor              Cursor of the last retrieved activity, for pagination

Human Readable Output

Raw Output

{
   "Preempt":{
      "Activities":[
         {
            "AuthenticationType":"DOMAIN_LOGIN",
            "EndpointHostName":"xxxxxx.xxxxx.xxx",
            "EventType":"SUCCESSFUL_AUTHENTICATION",
            "Timestamp":"2018-03-11T12:41:00.000Z"
         }
      ]
   }
}

Retrieve User Endpoints: preempt-get-user-endpoints

Retrieve the endpoints used by a specific user.

Input

Parameter     Description
sourceUserId  ID of the user whose endpoints you want to retrieve

Context Output

Path                         Description
Endpoint.Hostname            Hostname of the endpoint
Endpoint.ID                  Object GUID of the computer account
Endpoint.PrimaryDisplayName  Computer's display name in Active Directory (AD)
Endpoint.IsOwnedByUser       Indicates whether the user owns this endpoint (boolean)
Endpoint.IPAddress           Last IP address associated with the endpoint, as detected by the system
Endpoint.StaticIpAddresses   Static IP addresses that have been associated with the endpoint

Raw Output

{
   "Preempt":{
      "Endpoint":[
         {
            "HostName":"xxxxxx.xx.xxx",
            "Id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
            "IsOwnedByUser":true,
            "LastIpAddress":"xxx.xxx.xxx.xxx",
            "PrimaryDisplayName":"xxx-xxxx",
            "StaticIpAddresses":[
               "xxx.xxx.x.xxx"
            ]
         }
      ]
   }
}

Retrieve User Alerts: preempt-get-alerts

Retrieve the alerts for a specific user.

Command Example

!preempt-get-alerts sourceUserId="userID" numOfHours="48"

Input

Parameter     Description
sourceUserId  ID of the user whose alerts you want to retrieve
endTime       End of the search window, for example: 2012-03-04 12:08:12.354
numOfHours    Number of hours to search back from endTime

Context Output

Path                        Description
Preempt.Alerts.AlertType    Alert type
Preempt.Alerts.Timestamp    Alert's date and time
Preempt.Alerts.startTime    Date and time the alert started
Preempt.Alerts.EndTime      Date and time the alert ended
Preempt.Alerts.eventLabel   Alert label
Preempt.Alerts.Cursor       Cursor of the last retrieved alert, for pagination
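Both preempt-get-activities and preempt-get-alerts take an endTime/numOfHours window and return a per-item Cursor for pagination. The following is an added example (not code from the integration or from Preempt) showing how a playbook automation would resolve that window and walk the cursor until the result set is exhausted; fetch_page, fake_fetch_page and the sample activities are constructed stand-ins for the real API call.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple

# endTime format as shown in the command tables above (e.g. "2012-03-04 12:08:12.354").
END_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def lookback_window(end_time: Optional[str], num_of_hours: int) -> Tuple[datetime, datetime]:
    """Resolve endTime/numOfHours into a (start, end) window; endTime=None means now (UTC)."""
    if num_of_hours <= 0:
        raise ValueError("numOfHours must be a positive number of hours")
    if end_time:
        end = datetime.strptime(end_time, END_TIME_FORMAT)
    else:  # naive UTC, to match the naive endTime string the command accepts
        end = datetime.now(timezone.utc).replace(tzinfo=None)
    return end - timedelta(hours=num_of_hours), end


def collect_pages(fetch_page: Callable[[Optional[str]], List[Dict]], max_pages: int = 50) -> List[Dict]:
    """Follow the per-item Cursor: each call asks for items after the last cursor seen.
    Stops on an empty page, a repeated cursor, or max_pages (guards against a looping API)."""
    collected: List[Dict] = []
    cursor: Optional[str] = None
    seen: Set[str] = set()
    for _ in range(max_pages):
        page = fetch_page(cursor)
        if not page:
            break
        collected.extend(page)
        cursor = page[-1].get("Cursor")
        if not cursor or cursor in seen:
            break
        seen.add(cursor)
    return collected


# Constructed sample data (not real Preempt output): five activities with cursors c1..c5.
SAMPLE_ACTIVITIES = [
    {"EventType": "SUCCESSFUL_AUTHENTICATION", "EndpointHostName": f"host{i}.example.test",
     "Timestamp": f"2018-03-11T12:4{i}:00.000Z", "Cursor": f"c{i}"} for i in range(1, 6)
]


def fake_fetch_page(cursor: Optional[str], page_size: int = 2) -> List[Dict]:
    """Hypothetical stand-in for the API call: return up to page_size items after `cursor`."""
    cursors = [a["Cursor"] for a in SAMPLE_ACTIVITIES]
    start = cursors.index(cursor) + 1 if cursor else 0
    return SAMPLE_ACTIVITIES[start:start + page_size]


if __name__ == "__main__":
    start, end = lookback_window("2012-03-04 12:08:12.354", 48)
    print(start, end, len(collect_pages(fake_fetch_page)))
```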

Human Readable Output

Raw Output

{
   "Alerts":[
      {
         "alertType":"AbnormalServiceAccessAlert",
         "cursor":"xxxxxxxxxx",
         "endTime":"2018-03-27T19:43:00.000Z",
         "endpointEntity":{
            "_id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "hostName":null
         },
         "eventId":"xxxxxx",
         "eventLabel":"Unusual Access to Service",
         "incident":{
            "_id":"INC-43",
            "severity":"INFO",
            "state":{
               "lifeCycleStage":"NEW"
            }
         },
         "relatedEvents":[
            {
               "eventType":"SERVICE_ACCESS",
               "geoLocation":null,
               "ipAddress":"xxx.xxx.xxx.xxx",
               "timestamp":"2018-03-27T19:43:00.000Z"
            }
         ]
      }
   ]
}

Demisto-Preempt Demo