ProtectWise

When integrating ProtectWise with Demisto, event data is received as a continuous stream that Demisto can handle.

To set up the integration on Demisto:

  1. Go to ‘Settings > Integrations > Servers & Services’.
  2. Locate the ProtectWise integration by searching for ‘ProtectWise’ using the search box at the top of the page.
  3. Click ‘Add instance’ to create and configure a new integration. You should configure the following ProtectWise and Demisto-specific settings:

Name: A textual name for the integration instance.

URL: The hostname or IP address of the application. Make sure it is reachable with respect to IP address and port.

Email & Password: The credentials for accessing the API.

Do not validate certificate (insecure): Select to skip server certificate validation. You may want to do this if Demisto cannot validate the integration server certificate (for example, because the CA certificate is missing).

Only fetch events with this text in the name: To only pull events with a specific name, specify it here. Demisto will look for one of the filter values in the event name (the comparison is case insensitive).
Separate multiple names with a comma. For example: Progression,Lateral Movement

Filter by threat category: To pull threats according to threat category.

Filter by killchain stage: To pull threats according to threat killchain stage.

Filter by LOW, MEDIUM, or HIGH threatLevel: To pull threats according to threat level.

Fetch incidents: Select whether to automatically create Demisto incidents from the integration's events.
If this option is checked, the first fetch will search for events 10 minutes back from the moment you turn on fetching. Subsequently, new offences will be fetched as soon as they are generated. Use the "Query to fetch offences" option to pull older offences as incidents.
The next fetch interval depends on the system-wide interval (default 1 min).

Incident type: Specify the Demisto incident type that will be set for incidents from this integration.

Use system proxy settings: Select whether to communicate via the system proxy server or not.

Demisto engine: If relevant, select the engine that acts as a proxy to the server.

Engines are used when you need to access remote network segments and there are network devices such as proxies, firewalls, etc. that prevent the Demisto server from accessing the remote networks.

For more information on Demisto engines see:
https://demisto.zendesk.com/hc/en-us/articles/226274727-Settings-Integrations-Engines

  4. Press the ‘Test’ button to validate the connection.
     If you are experiencing issues with the service configuration, please contact Demisto support at support@demisto.com
  5. After completing the test successfully, press the ‘Done’ button.

Commands:

protectwise-event-info - Look up a single ProtectWise event and its associated observations.
protectwise-event-pcap-download - Download the PCAP for an event.
protectwise-event-pcap-info - Get PCAP info for a ProtectWise event.
protectwise-observation-info - Look up a single ProtectWise observation.
protectwise-observation-pcap-download - Download the PCAP for an observation.
protectwise-observation-pcap-info - Get PCAP info for a ProtectWise observation.
protectwise-search-events - Search events. Events are resources that describe a threat and contain a collection of observations.
protectwise-search-observations - Search observations in ProtectWise.
protectwise-show-sensors - List all available sensors.

Example:

The following shows how the fields provided by the API are mapped to labels on fetched events.

[killChainStage] Fortification
[observedAt] 2017-08-04T13:00:03.436Z
[isUpdate] true
[type] MaliciousFlow
[threatLevel] High
[category] Suspicious
[observationCount] 2
[sensorId] 1849
[cid] 1820
[message] Critical Lateral Movement Activity on Hosts: 192.168.2.81,192.168.2.170
[confidence] 100
[endedAt] 2017-08-04T12:59:49.156Z
[threatScore] 70
[id] 000555ed127a1ca0b771fc0e4270cfcc24510b32d7ff9b9d66dfedcf
[startedAt] 2017-08-04T12:59:49.156Z
[threatSubCategory] None
[priority] false
[agentId] 1849
[observedStage] Realtime
[netflowCount] 1
[sensorIds] 1849
[Brand] ProtectWise
[Instance] ProtectWise_instance_1
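The following is an added example (not code from the ProtectWise integration or from Demisto) that ties the two halves of this README together: it applies the fetch filters described above (the comma-separated, case-insensitive name filter plus the category, kill-chain stage and threat-level filters) to a list of events, and then turns each surviving event into the `[field] value` labels shown in the example. It assumes that the event name the filter is matched against is the API's `message` field, that labels take Demisto's `{"type": ..., "value": ...}` shape, and it uses two constructed sample events modelled on the one above.

```python
"""Added example: not code from the ProtectWise integration or from Demisto.

Demonstrates the README's fetch filters (name text, threat category,
kill-chain stage, threat level) and the mapping of API fields to labels.
Assumptions not stated on the page: the event name is the "message" field,
and a label is {"type": field, "value": text}. Sample data is constructed.
"""
import json
from typing import Any, Dict, Iterable, List

# Constructed sample events modelled on the README's label example.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "id": "000555ed127a1ca0b771fc0e4270cfcc24510b32d7ff9b9d66dfedcf",
        "message": "Critical Lateral Movement Activity on Hosts: 192.168.2.81,192.168.2.170",
        "killChainStage": "Fortification",
        "threatLevel": "High",
        "category": "Suspicious",
        "isUpdate": True,
        "observationCount": 2,
        "sensorId": 1849,
        "priority": False,
    },
    {
        # Entirely constructed second event, present for contrast.
        "id": "constructed-event-2",
        "message": "Suspicious DNS query volume from 192.168.2.200",
        "killChainStage": "Reconnaissance",
        "threatLevel": "Low",
        "category": "Suspicious",
        "isUpdate": False,
        "observationCount": 1,
        "sensorId": 1849,
        "priority": False,
    },
]


def parse_csv_setting(raw: str) -> List[str]:
    """Split a comma-separated setting, trim whitespace, drop empties, lower-case."""
    return [part.strip().lower() for part in raw.split(",") if part.strip()]


def event_name_matches(event: Dict[str, Any], name_filters: List[str]) -> bool:
    """True when no name filter is set, or any filter value occurs in the name."""
    if not name_filters:
        return True
    name = str(event.get("message", "")).lower()
    return any(needle in name for needle in name_filters)


def field_in(event: Dict[str, Any], field: str, allowed: List[str]) -> bool:
    """Case-insensitive membership test used for category, stage and level."""
    if not allowed:
        return True
    return str(event.get(field, "")).lower() in allowed


def select_events(
    events: Iterable[Dict[str, Any]],
    name_filter: str = "",
    threat_levels: str = "",
    categories: str = "",
    stages: str = "",
) -> List[Dict[str, Any]]:
    """Apply the four fetch filters; an empty setting disables that filter."""
    names = parse_csv_setting(name_filter)
    levels = parse_csv_setting(threat_levels)
    cats = parse_csv_setting(categories)
    kill_chain = parse_csv_setting(stages)
    return [
        e for e in events
        if event_name_matches(e, names)
        and field_in(e, "threatLevel", levels)
        and field_in(e, "category", cats)
        and field_in(e, "killChainStage", kill_chain)
    ]


def event_to_labels(
    event: Dict[str, Any],
    brand: str = "ProtectWise",
    instance: str = "ProtectWise_instance_1",
) -> List[Dict[str, str]]:
    """Map each API field to a label; non-strings are JSON-encoded so booleans
    render as "true"/"false" as in the README. Brand and Instance are appended
    last; in a real fetch the platform supplies them, here they are set so the
    output matches the page."""
    labels = [
        {"type": key, "value": value if isinstance(value, str) else json.dumps(value)}
        for key, value in event.items()
    ]
    labels.append({"type": "Brand", "value": brand})
    labels.append({"type": "Instance", "value": instance})
    return labels


if __name__ == "__main__":
    # Same filter value the README uses as its example.
    for ev in select_events(SAMPLE_EVENTS, name_filter="Progression,Lateral Movement"):
        for label in event_to_labels(ev):
            print(f"[{label['type']}] {label['value']}")
```

Running the block with the README's own filter string keeps only the first sample event, because "lateral movement" occurs in its name regardless of case; the printed labels then match the `[killChainStage] Fortification` style of the example above.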
