When integrating ProtectWise with Demisto, event data arrives as a continuous stream that Demisto can consume and turn into incidents.
To set up the integration in Demisto:
- Go to ‘Settings > Integrations > Servers & Services’.
- Locate the ProtectWise integration by searching for ‘Protectwise’ in the search box at the top of the page.
- Click ‘Add instance’ to create and configure a new integration. Configure the following ProtectWise and Demisto-specific settings:
  - Name: A textual name for the integration instance.
  - URL: The hostname or IP address of the application. Make sure it is reachable with respect to IP address and port.
  - Email & Password: The credentials for accessing the API.
  - Do not validate certificate (insecure): Select to skip server certificate validation. You may want to do this if Demisto cannot validate the integration server certificate (for example, because the CA certificate is missing).
  - Only fetch events with this text in the name: To pull only events with a specific name, specify it here. Demisto will look for any one of the filter values in the event name (comparison is case insensitive). Separate multiple names with a comma. For example: Progression,Lateral Movement
  - Filter by threat category: Pull only threats in the given threat category.
  - Filter by killchain stage: Pull only threats at the given kill chain stage.
  - Filter by LOW, MEDIUM, or HIGH threatLevel: Pull only threats with the given threat level.
  - Fetch incidents: Select whether to automatically create Demisto incidents from the integration's events. If this option is checked, the first fetch will search for events from 10 minutes before the moment you turn on fetching. Subsequently, new offences will be fetched as soon as they are generated. Use the "Query to fetch offences" option to pull older offences as incidents. The interval between fetches depends on the system-wide fetch interval (default 1 minute).
  - Incident type: Specify the Demisto incident type that will be set for incidents from this integration.
  - Use system proxy settings: Select whether to communicate via the system proxy server.
  - Demisto engine: If relevant, select the engine that acts as a proxy to the server. Engines are used when you need to access remote network segments and there are network devices such as proxies or firewalls that prevent the Demisto server from reaching the remote networks. For more information on Demisto engines see:
- Press the ‘Test’ button to validate the connection. If you are experiencing issues with the service configuration, please contact Demisto support at email@example.com
- After completing the test successfully, press the ‘Done’ button.
The following shows how fields provided by the API are mapped to labels on fetched events (label name in brackets, followed by a sample value):
- [killChainStage] Fortification
- [observedAt] 2017-08-04T13:00:03.436Z
- [isUpdate] true
- [type] MaliciousFlow
- [threatLevel] High
- [category] Suspicious
- [observationCount] 2
- [sensorId] 1849
- [cid] 1820
- [message] Critical Lateral Movement Activity on Hosts: 192.168.2.81,192.168.2.170
- [confidence] 100
- [endedAt] 2017-08-04T12:59:49.156Z
- [threatScore] 70
- [id] 000555ed127a1ca0b771fc0e4270cfcc24510b32d7ff9b9d66dfedcf
- [startedAt] 2017-08-04T12:59:49.156Z
- [threatSubCategory] None
- [priority] false
- [agentId] 1849
- [observedStage] Realtime
- [netflowCount] 1
- [sensorIds] 1849
- [Brand] ProtectWise
- [Instance] ProtectWise_instance_1
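The following Python example is added here to illustrate both the instance filters described above (name substrings, threat category, kill chain stage, threat level, and the 10-minute look-back on the first fetch) and the field-to-label mapping just listed. It is not the ProtectWise integration's own code. It assumes that the event's "message" field is what the "text in the name" filter is matched against, and that an incident is a dict with name, occurred, rawJSON and labels keys, which is the usual Demisto fetch-incidents convention; the sample events are constructed for the example.

```python
"""Added example, not code from the ProtectWise integration itself.

Applies the instance filters described on this page to ProtectWise events
and turns the survivors into Demisto-style incidents whose labels mirror
the field-to-label mapping shown on the page. Assumptions: the "message"
field is treated as the event name for the name filter, and the incident
dict shape (name/occurred/rawJSON/labels) follows the usual Demisto
fetch-incidents convention.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample events, modelled on the labels shown on the page.
SAMPLE_EVENTS: List[Dict] = [
    {"id": "evt-1", "message": "Critical Lateral Movement Activity on Hosts: 192.168.2.81",
     "threatLevel": "High", "category": "Suspicious", "killChainStage": "Fortification",
     "observedAt": "2017-08-04T13:00:03.436Z", "sensorId": 1849},
    {"id": "evt-2", "message": "Beaconing to known sinkhole",
     "threatLevel": "Low", "category": "Malware", "killChainStage": "Progression",
     "observedAt": "2017-08-04T13:05:00.000Z", "sensorId": 1849},
    {"id": "evt-3", "message": "Port scan from internal host",
     "threatLevel": "Medium", "category": "Suspicious", "killChainStage": "Reconnaissance",
     "observedAt": "2017-08-04T13:06:00.000Z", "sensorId": 1850},
]


def parse_name_filter(raw: Optional[str]) -> List[str]:
    """Split the comma-separated 'text in the name' setting into lowercase terms."""
    if not raw:
        return []
    return [term.strip().lower() for term in raw.split(",") if term.strip()]


def event_matches(event: Dict, name_filter: Optional[str] = None,
                  category: Optional[str] = None, stage: Optional[str] = None,
                  level: Optional[str] = None) -> bool:
    """Return True when the event passes every configured filter.

    Name filter: any one term must appear in the event name (case-insensitive).
    The other filters are exact, case-insensitive matches on a single field.
    """
    terms = parse_name_filter(name_filter)
    name = str(event.get("message", "")).lower()  # assumption: message acts as the event name
    if terms and not any(term in name for term in terms):
        return False
    for field, wanted in (("category", category), ("killChainStage", stage), ("threatLevel", level)):
        if wanted and str(event.get(field, "")).lower() != wanted.strip().lower():
            return False
    return True


def event_to_incident(event: Dict, brand: str = "ProtectWise",
                      instance: str = "ProtectWise_instance_1") -> Dict:
    """Map every API field to a label, then add the Brand and Instance labels."""
    labels = [{"type": key, "value": str(value)} for key, value in event.items()]
    labels.append({"type": "Brand", "value": brand})
    labels.append({"type": "Instance", "value": instance})
    return {
        "name": event.get("message", "ProtectWise event"),
        "occurred": event.get("observedAt"),
        "rawJSON": json.dumps(event),
        "labels": labels,
    }


def fetch_incidents(events: List[Dict], **filters) -> List[Dict]:
    """Filter a batch of events and convert the survivors to incidents."""
    return [event_to_incident(e) for e in events if event_matches(e, **filters)]


def fetch_window_start(now: datetime, last_fetch: Optional[datetime]) -> datetime:
    """First fetch looks back 10 minutes; later fetches resume from the last fetch time."""
    return last_fetch if last_fetch is not None else now - timedelta(minutes=10)


def label_value(incident: Dict, label_type: str) -> Optional[str]:
    """Look up the value of one label on an incident (None if absent)."""
    for label in incident["labels"]:
        if label["type"] == label_type:
            return label["value"]
    return None


if __name__ == "__main__":
    # Same filter string the page uses as its example, plus a threat-level filter.
    for inc in fetch_incidents(SAMPLE_EVENTS, name_filter="Progression,Lateral Movement", level="HIGH"):
        print(inc["name"], "->", label_value(inc, "killChainStage"))
```

Note that the name filter is a substring match, so a term such as "Progression" only selects events whose name contains that word; it does not select events at the Progression kill chain stage. Use the kill chain stage filter for that.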