SafeBreach (deprecated)

Deprecated

Overview

Use the SafeBreach integration to run simulations in your SafeBreach environment and send the results to Demisto.

This integration was integrated and tested with SafeBreach v2018Q2.2


Integrate Demisto on SafeBreach

  1. Log in to the SafeBreach Management platform.
  2. Type console to access the SafeBreach CLI.
  3. In the SafeBreach CLI window, type: plugins add demisto --url <demistoServerUrl> --apiKey <apiKey>

    | Argument | Description | Required |
    | --- | --- | --- |
    | url | Demisto server address, for example https://192.168.2.178 | required |
    | apiKey | Demisto API key / authentication token | required |
    | help | Displays all options for adding Demisto, for example [plugin add demisto -help] | optional |
    | isAutomated | Simulation results can be sent to Demisto as incidents. | optional |
    | isAutomated true | An automated incident (container) is opened for each simulation that is either not-blocked, or when a blocked simulation result changes to not-blocked. To add Demisto with automation, use: [plugins add demisto --url <demistoServerUrl> --default <apiKey> --isAutomated true]. To change an existing Demisto plugin to automated, use: [plugins update demisto --isAutomated true] | optional |
    | isAutomated false | The user can send a simulation result to Demisto as an incident on demand, by clicking Send To from the required simulation incident in Breach Methods. | optional |

After you integrate Demisto, SafeBreach Management users can drill down in a simulation and use the Send To button to send the simulation results to Demisto. For more information, see the Drilling Down for More about a Simulation article on the SafeBreach support site.

NOTE: You can also use the update and show commands to change and view details about Demisto plugins.


Generate a SafeBreach API Key

  1. Log in to the SafeBreach Management platform.
  2. Type console to access the SafeBreach CLI.
  3. In the SafeBreach CLI window, type: config apikeys add --name <apiKeyName>
    Type a meaningful name for the API key.
    Example output:

    | id | key | name | accountID |
    | --- | --- | --- | --- |
    | 2 | 74963a8f-a3b3-4d6c-b3d4-715996cf4a31 | apiKeyName | 12345 |

Configure the SafeBreach Integration on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for the SafeBreach integration.
  3. Click Add instance to create and configure a new integration.
    • Name: a textual name for the integration instance.
    • Account ID: SafeBreach Account (see example output above)
    • API Key: SafeBreach API key
    • SafeBreach Platform URL: URL of your SafeBreach Management environment
    • API Version: 1 (do not change the default value)
    • Demisto engine: If relevant, select the engine that acts as a proxy to the server.
  4. Click Test to validate the URLs and connection.

Commands

    You can execute these commands from the Demisto CLI, as part of an automation, in a playbook, or from your SafeBreach environment. After you successfully execute a command, a DBot message appears in the War Room with the command details.


    Send simulation results to Demisto: Send To button in SafeBreach

    You execute this command in the SafeBreach Management platform. After you run a simulation, you can click the Send To button to send simulation results to Demisto.

    Output

    The new incident is added to the Incidents list in Demisto.


    Rerun a simulation in SafeBreach: safebreach-rerun

    Rerun a previously run simulation in SafeBreach. You execute this command from the Demisto CLI or a playbook. You can only run this command inside an incident that was fetched from SafeBreach.

    Inputs

    !safebreach-rerun

    Outputs

    ok


    Retrieve results of a rerun simulation: safebreach-get-simulation

    After you rerun a simulation, retrieve the results of that simulation. You execute this command from the Demisto CLI or a playbook. You can only run this command inside an incident that was fetched from SafeBreach.

    Inputs

    !safebreach-get-simulation

    Outputs


    Demisto-SafeBreach Demo