SCADAfence CNM

Overview


Use the SCADAfence integration to manage alerts and assets.

This integration was integrated and tested with SCADAfence CNM v.

Use cases


  1. Fetch alerts from SCADAfence

Configure the SCADAfence CNM Integration on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for SCADAfence CNM.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • API auth secret
    • API auth key
    • API url
    • Trust any certificate (not secure)
    • Fetch incidents
    • Incident type
    • Required severity levels for alerts, comma-separated, from [Information, Warning, Threat, Severe, Critical]. For example: Warning, Threat
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data


[
    {
        "createdOn": "2018-08-05T12:06:22.278Z",
        "details": "1.1.1.1 sent suspicious write command to PLC 2.2.2.2.",
        "id": "5b600cecfeb8001f1cc5d2ea",
        "ip": "2.2.2.2",
        "severity": "Critical",
        "status": "InProgress",
        "type": "Suspicious write command to PLC"
    }
]
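As an added example (not the integration's own code), the following Python shows how the "Required severity levels" setting above can be parsed and applied to a list of alert records shaped like the sample, producing Demisto incident dicts and a high-water mark for the next fetch. The function names, the mapping from SCADAfence severity names to Demisto's numeric incident severity, and the two extra alert records are assumptions constructed for this example.

```python
import json

# Severity names accepted by the 'Required severity levels' setting.
ALLOWED_SEVERITIES = ["Information", "Warning", "Threat", "Severe", "Critical"]

# Assumed mapping to Demisto's numeric incident severity (0.5 info .. 4 critical);
# the integration's own mapping is not shown on the page.
DEMISTO_SEVERITY = {
    "Information": 0.5,
    "Warning": 1,
    "Threat": 2,
    "Severe": 3,
    "Critical": 4,
}

# Constructed sample: the record from the page plus two made-up alerts.
SAMPLE_ALERTS = [
    {
        "createdOn": "2018-08-05T12:06:22.278Z",
        "details": "1.1.1.1 sent suspicious write command to PLC 2.2.2.2.",
        "id": "5b600cecfeb8001f1cc5d2ea",
        "ip": "2.2.2.2",
        "severity": "Critical",
        "status": "InProgress",
        "type": "Suspicious write command to PLC",
    },
    {   # constructed record
        "createdOn": "2018-08-05T12:10:00.000Z",
        "details": "constructed sample: new device seen on the PLC segment",
        "id": "constructed-alert-0002",
        "ip": "2.2.2.3",
        "severity": "Warning",
        "status": "New",
        "type": "New asset detected",
    },
    {   # constructed record
        "createdOn": "2018-08-04T09:00:00.000Z",
        "details": "constructed sample: informational event",
        "id": "constructed-alert-0003",
        "ip": "2.2.2.4",
        "severity": "Information",
        "status": "New",
        "type": "Informational event",
    },
]


def parse_severity_setting(setting):
    """Parse 'Warning, Threat' into ['Warning', 'Threat'].

    Surrounding whitespace is tolerated; an unknown name raises so that a
    typo in the instance setting fails the Test button instead of silently
    fetching nothing (or everything)."""
    levels = [s.strip() for s in setting.split(",") if s.strip()]
    unknown = [s for s in levels if s not in ALLOWED_SEVERITIES]
    if unknown:
        raise ValueError("unknown severity level(s): " + ", ".join(unknown))
    return levels


def alerts_to_incidents(alerts, wanted_levels, last_created_on=None):
    """Filter alerts by severity and by creation time, then build incidents.

    createdOn values are ISO-8601 UTC strings of identical layout (assumed
    from the sample), so plain string comparison orders them correctly.
    Returns (incidents, newest_created_on) so the caller can persist the
    high-water mark for the next fetch."""
    incidents = []
    newest = last_created_on
    for alert in alerts:
        if alert.get("severity") not in wanted_levels:
            continue
        created = alert.get("createdOn", "")
        if last_created_on is not None and created <= last_created_on:
            continue  # already fetched in an earlier run
        incidents.append({
            "name": "SCADAfence: %s (%s)" % (alert.get("type", ""), alert.get("ip", "")),
            "occurred": created,
            "severity": DEMISTO_SEVERITY.get(alert.get("severity"), 0),
            "rawJSON": json.dumps(alert),  # full record for the incident layout
        })
        if created > (newest or ""):
            newest = created
    return incidents, newest


if __name__ == "__main__":
    wanted = parse_severity_setting("Warning, Critical")
    incidents, mark = alerts_to_incidents(SAMPLE_ALERTS, wanted)
    for inc in incidents:
        print(inc["severity"], inc["occurred"], inc["name"])
    print("high-water mark:", mark)
```

Rejecting unknown severity names at parse time matters because the setting is free text: a misspelled level would otherwise match no alert and the instance would quietly fetch nothing.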

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Query alert data: scadafence-getAlerts
  2. Get asset data: scadafence-getAsset
  3. Set the status of an alert: scadafence-setAlertStatus
  4. Get asset connection data: scadafence-getAssetConnections
  5. Get asset network activity data: scadafence-getAssetTraffic
  6. Create an alert: scadafence-createAlert
  7. Get all connections: scadafence-getAllConnections

1. Query alert data


Queries alerts data from SCADAfence CNM.

Base Command
scadafence-getAlerts
Input
Argument Name | Description | Required
--- | --- | ---
severity | Required severity level of alert | Optional
ipAddress | IP address to get alerts for | Optional
Context Output
Path | Type | Description
--- | --- | ---
SCADAfence.Alert.id | string | Alert ID
SCADAfence.Alert.ip | string | Asset IP
SCADAfence.Alert.severity | string | Alert severity level
SCADAfence.Alert.type | string | Short description of the alert
SCADAfence.Alert.details | string | Extended description of the alert
Command Example
!scadafence-getAlerts severity=Critical
Context Example
[
    {
        "createdOn": "2018-08-05T12:06:22.278Z",
        "details": "140.80.0.101 sent suspicious write command to PLC 2.2.2.2.",
        "id": "5b600cecfeb8001f1cc5d2ea",
        "ip": "2.2.2.2",
        "severity": "Critical",
        "status": "Resolved",
        "type": "Suspicious write command to PLC"
    }
]
Human Readable Output

Alerts are:

status | severity | ip | createdOn | details | type | id
--- | --- | --- | --- | --- | --- | ---
Resolved | Critical | 2.2.2.2 | 2018-08-05T12:06:22.278Z | 140.80.0.101 sent suspicious write command to PLC 2.2.2.2. | Suspicious write command to PLC | 5b600cecfeb8001f1cc5d2ea

2. Get asset data


Fetches asset data from SCADAfence CNM.

Base Command
scadafence-getAsset
Input
Argument Name | Description | Required
--- | --- | ---
ipAddress | Asset IP address | Optional
hostName | Hostname | Optional
assetType | Asset type (from list of options) | Optional
Context Output
Path | Type | Description
--- | --- | ---
SCADAfence.Asset.ip | string | IP address of the suspicious asset
Command Example

!scadafence-getAsset ip=10.10.10.10

Context Example
[
    {
        "assetTypes": "hmi, server",
        "eventsCount": 0,
        "externalIpsCount": 0,
        "firstSeen": "2016-05-23T12:25:03.838Z",
        "hostname": "wmhtp25",
        "internalIpsCount": 13,
        "ip": "3.3.3.3",
        "lastSeen": "2016-05-23T12:25:03.838Z",
        "mac": "E8:39:35:BD:24:76",
        "nicType": "Ethernet",
        "operatingSystem": "Windows Server 2008 R2",
        "totalBytes": 0,
        "vendor": "Hewlett-Packard Company"
    }
]
Human Readable Output

Asset details:

assetTypes | eventsCount | vendor | ip | externalIpsCount | hostname | nicType | mac | lastSeen | totalBytes | internalIpsCount | operatingSystem | firstSeen
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
hmi, server | 0 | Hewlett-Packard Company | 3.3.3.3 | 0 | wmhtp25 | Ethernet | E8:39:35:BD:24:76 | 2016-05-23T12:25:03.838Z | 0 | 13 | Windows Server 2008 R2 | 2016-05-23T12:25:03.838Z

3. Set the status of an alert


Sets the status of a specified alert.

Base Command
scadafence-setAlertStatus
Input
Argument Name | Description | Required
--- | --- | ---
alertId | Alert ID | Required
alertStatus | Alert status | Required
Context Output

Setting status for alert 5bcf0e1a106e0c000f5448b6 to 'Resolved':

success
true
Command Example
!scadafence-setAlertStatus alertId=5b600cecfeb8001f1cc5d2ea alertStatus=InProgress
Human Readable Output

Setting status for alert 5bcf0e1a106e0c000f5448b6 to 'Resolved':

success
true

4. Get asset connection data


Fetches asset connections data according to one or more parameters.

Base Command
scadafence-getAssetConnections
Input
Argument Name | Description | Required
--- | --- | ---
ipAddress | IP address of the asset | Optional
hostName | Hostname that corresponds to the asset of interest | Optional
macAddress | MAC address of the asset | Optional
Context Output
Path | Type | Description
--- | --- | ---
SCADAfence.Asset.Conn.ip | string | Another endpoint's IP address
SCADAfence.Asset.Conn.port | number | Another endpoint's port
SCADAfence.Asset.Conn.protocol | string | Protocol used for the connection
SCADAfence.Asset.Conn.traffic | number | Total bytes sent (both directions)
SCADAfence.Asset.Conn.hostname | string | Another endpoint's hostname
SCADAfence.Asset.Conn.mac | string | Another endpoint's MAC address
Command Example
!scadafence-getAssetConnections ipAddress=3.3.3.3
Context Example
[
    {
        "dir": "DEST",
        "hostname": "",
        "ip": "1.1.1.1",
        "mac": "08:00:06:01:00:02",
        "port": null,
        "proto": "TCP",
        "traffic": 9691680
    },
    {
        "dir": "DEST",
        "hostname": "t20102173",
        "ip": "2.2.2.2",
        "mac": "00:80:80:8E:8F:F0",
        "port": null,
        "proto": "TCP",
        "traffic": 101410609
    },
    {
        "dir": "SRC",
        "hostname": "",
        "ip": "3.3.3.3",
        "mac": "",
        "port": null,
        "proto": "UDP",
        "traffic": 24768
    },
    {
        "dir": "SRC",
        "hostname": "",
        "ip": "4.4.4.4",
        "mac": "",
        "port": 5355,
        "proto": "UDP",
        "traffic": 816
    }
]
Human Readable Output

Asset connections:

proto | ip | hostname | mac | traffic | port | dir
--- | --- | --- | --- | --- | --- | ---
TCP | 1.1.1.1 |  | 08:00:06:01:00:02 | 9691680 |  | DEST
TCP | 2.2.2.2 | t20102173 | 00:80:80:8E:8F:F0 | 101410609 |  | DEST
UDP | 3.3.3.3 |  |  | 24768 |  | SRC
UDP | 4.4.4.4 |  |  | 816 | 5355 | SRC
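As an added example (not the integration's own code), the following Python takes the scadafence-getAssetConnections response shown in the Context Example, maps it onto the SCADAfence.Asset.Conn context keys documented above (note the API field is proto while the context key is protocol), totals bytes per direction and protocol, lists peers that resolved to neither a hostname nor a MAC, and renders the pipe table with blank cells where the API returned null or an empty string. The function names are assumptions; the input records are the four from the Context Example.

```python
from collections import defaultdict

# Response records exactly as in the Context Example above; the API
# returns null for port when no single port applies, and empty strings
# where the hostname or MAC is unknown.
ASSET_CONNECTIONS = [
    {"dir": "DEST", "hostname": "", "ip": "1.1.1.1", "mac": "08:00:06:01:00:02",
     "port": None, "proto": "TCP", "traffic": 9691680},
    {"dir": "DEST", "hostname": "t20102173", "ip": "2.2.2.2", "mac": "00:80:80:8E:8F:F0",
     "port": None, "proto": "TCP", "traffic": 101410609},
    {"dir": "SRC", "hostname": "", "ip": "3.3.3.3", "mac": "",
     "port": None, "proto": "UDP", "traffic": 24768},
    {"dir": "SRC", "hostname": "", "ip": "4.4.4.4", "mac": "",
     "port": 5355, "proto": "UDP", "traffic": 816},
]


def to_conn_context(records):
    """Build SCADAfence.Asset.Conn entries: 'proto' becomes the documented
    'protocol' key, a null port stays None, and 'dir' is carried along even
    though it is not a documented context path (assumption)."""
    out = []
    for r in records:
        out.append({
            "ip": r.get("ip", ""),
            "port": r.get("port"),
            "protocol": r.get("proto", ""),
            "traffic": r.get("traffic") or 0,
            "hostname": r.get("hostname", ""),
            "mac": r.get("mac", ""),
            "dir": r.get("dir", ""),
        })
    return out


def traffic_by_direction(records):
    """Total bytes per (dir, proto); a null traffic value counts as zero."""
    totals = defaultdict(int)
    for r in records:
        totals[(r.get("dir", ""), r.get("proto", ""))] += r.get("traffic") or 0
    return dict(totals)


def unidentified_peers(records):
    """Peers with neither hostname nor MAC in the record: the sensor did not
    see their layer-2 identity, which usually means they sit beyond a
    router rather than on the monitored segment. Useful as a triage list."""
    return [r["ip"] for r in records if not r.get("hostname") and not r.get("mac")]


def render_table(context, columns):
    """Pipe-separated table with blank cells for None or '' values, the same
    layout as the human readable output above."""
    rows = [" | ".join(columns)]
    for entry in context:
        rows.append(" | ".join(
            "" if entry.get(c) in (None, "") else str(entry[c]) for c in columns))
    return "\n".join(rows)


if __name__ == "__main__":
    ctx = to_conn_context(ASSET_CONNECTIONS)
    print(render_table(ctx, ["protocol", "ip", "hostname", "mac", "traffic", "port", "dir"]))
    print(traffic_by_direction(ASSET_CONNECTIONS))
    print("peers without hostname/MAC:", unidentified_peers(ASSET_CONNECTIONS))
```

Keeping None for a null port (rather than 0) preserves the distinction between "no single port" and "port 0" when the context is later queried from a playbook.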

5. Get asset network activity data


Fetches asset network activity data according to one or more parameters.

Base Command
scadafence-getAssetTraffic
Input
Argument Name | Description | Required
--- | --- | ---
ipAddress | IP address of the asset | Optional
macAddress | MAC address of the asset | Optional
hostName | Hostname of the asset | Optional
Context Output
Path | Type | Description
--- | --- | ---
SCADAfence.AssetTraffic.TCP_tx_bytes | number | Bytes sent by the asset via TCP
SCADAfence.AssetTraffic.TCP_rx_bytes | number | Bytes received by the asset via TCP
SCADAfence.AssetTraffic.UDP_tx_bytes | number | Bytes sent by the asset via UDP
SCADAfence.AssetTraffic.UDP_rx_bytes | number | Bytes received by the asset via UDP
Command Example
!scadafence-getAssetTraffic ipAddress=3.3.3.3
Context Example
{
    "TCP": {
        "Bytes received": 447191388,
        "Bytes sent": 100766536
    },
    "UDP": {
        "Bytes received": 0,
        "Bytes sent": 27560
    }
}
Human Readable Output

Asset network activity:

UDP_tx_bytes | TCP_rx_bytes | TCP_tx_bytes | UDP_rx_bytes
--- | --- | --- | ---
27560 | 447191388 | 100766536 | 0

6. Create an alert


Creates an alert in SCADAfence CNM.

Base Command
scadafence-createAlert
Input
Argument Name | Description | Required
--- | --- | ---
ipAddress | IP address of the asset that the alert is related to | Required
severity | Alert severity level | Required
description | Human readable alert description | Required
remediationText | Instructions for issue remediation | Optional
alertIsActive | Set active=True to make the alert appear in the SCADAfence UI | Required
Context Output
Path | Type | Description
--- | --- | ---
SCADAfence.Alert.alertCreated | boolean | Flag defining alert creation status
SCADAfence.Alert.id | string | Unique ID set to a new alert
Command Example
!scadafence-createAlert alertIsActive=True description=test_alert ipAddress=10.0.0.6 severity=Information remediationText="test alert"
Context Example

Create alert:

alertCreated | id
--- | ---
true | 5bcf1925a81ed3000f831578
Human Readable Output

Create alert:

alertCreated | id
--- | ---
true | 5bcf1925a81ed3000f831578

7. Get all connections


Fetches all connections from SCADAfence CNM.

Base Command
scadafence-getAllConnections
Input

There is no input for this command.

Context Output
Path | Type | Description
--- | --- | ---
SCADAfence.Connection.src_ip | string | IP address of endpoint A
SCADAfence.Connection.dest_ip | string | IP address of endpoint B
SCADAfence.Connection.src_port | number | Port of endpoint A
SCADAfence.Connection.dest_port | number | Port of endpoint B
SCADAfence.Connection.src_mac | string | Endpoint A MAC address
SCADAfence.Connection.dest_mac | string | Endpoint B MAC address
SCADAfence.Connection.src_cname | string | Endpoint A hostname
SCADAfence.Connection.dest_cname | string | Endpoint B hostname
SCADAfence.Connection.proto | string | L4 protocol
SCADAfence.Connection.traffic | number | Total number of bytes sent (both directions)
Command Example
!scadafence-getAllConnections
Context Example
[
  {
    "dest_hostname": "",
    "dest_ip": "1.1.1.1",
    "dest_mac": "F4:54:33:A9:13:23",
    "dest_port": 44818,
    "proto": "TCP",
    "src_hostname": "",
    "src_ip": "4.4.4.4",
    "src_mac": "00:0C:29:65:1C:29",
    "src_port": 50153,
    "traffic": 234840
  },
  {
    "dest_hostname": "",
    "dest_ip": "2.2.2.2",
    "dest_mac": "F4:54:33:A9:0E:60",
    "dest_port": 44818,
    "proto": "TCP",
    "src_hostname": "",
    "src_ip": "3.3.3.3",
    "src_mac": "00:0C:29:65:1C:29",
    "src_port": 50154,
    "traffic": 151722
  },
  {
    "dest_hostname": "",
    "dest_ip": "4.4.4.4",
    "dest_mac": "F4:54:33:A8:33:93",
    "dest_port": 44818,
    "proto": "TCP",
    "src_hostname": "",
    "src_ip": "5.5.5.5",
    "src_mac": "00:0C:29:65:1C:29",
    "src_port": 50108,
    "traffic": 23936
  }
]

Human Readable Output
src_port | proto | dest_hostname | src_hostname | src_ip | traffic | dest_mac | dest_port | src_mac | dest_ip
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
50153 | TCP |  |  | 1.1.1.1 | 234840 | F4:54:33:A9:13:23 | 44818 | 00:0C:29:65:1C:29 | 4.4.4.4
50154 | TCP |  |  | 1.1.1.1 | 151722 | F4:54:33:A9:0E:60 | 44818 | 00:0C:29:65:1C:29 | 1.1.1.1
50108 | TCP |  |  | 1.1.1.1 | 23936 | F4:54:33:A8:33:93 | 44818 | 00:0C:29:65:1C:29 | 4.4.4.4
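As an added example (not the integration's own code), the following Python works on the scadafence-getAllConnections response from the Context Example above: it maps each record onto the SCADAfence.Connection paths (the API's src_hostname/dest_hostname fields become the documented src_cname/dest_cname keys), rolls the connections up per destination port and protocol so an analyst sees which services carry the most traffic, and lists source IPs that share one source MAC. The function names are assumptions; the input is the three records from the Context Example.

```python
from collections import defaultdict

# The three records from the Context Example above.
ALL_CONNECTIONS = [
    {"dest_hostname": "", "dest_ip": "1.1.1.1", "dest_mac": "F4:54:33:A9:13:23", "dest_port": 44818,
     "proto": "TCP", "src_hostname": "", "src_ip": "4.4.4.4", "src_mac": "00:0C:29:65:1C:29",
     "src_port": 50153, "traffic": 234840},
    {"dest_hostname": "", "dest_ip": "2.2.2.2", "dest_mac": "F4:54:33:A9:0E:60", "dest_port": 44818,
     "proto": "TCP", "src_hostname": "", "src_ip": "3.3.3.3", "src_mac": "00:0C:29:65:1C:29",
     "src_port": 50154, "traffic": 151722},
    {"dest_hostname": "", "dest_ip": "4.4.4.4", "dest_mac": "F4:54:33:A8:33:93", "dest_port": 44818,
     "proto": "TCP", "src_hostname": "", "src_ip": "5.5.5.5", "src_mac": "00:0C:29:65:1C:29",
     "src_port": 50108, "traffic": 23936},
]


def to_connection_context(records):
    """Map a response record to the SCADAfence.Connection paths; the API's
    *_hostname fields land in the documented *_cname keys."""
    return [{
        "src_ip": r.get("src_ip", ""), "dest_ip": r.get("dest_ip", ""),
        "src_port": r.get("src_port"), "dest_port": r.get("dest_port"),
        "src_mac": r.get("src_mac", ""), "dest_mac": r.get("dest_mac", ""),
        "src_cname": r.get("src_hostname", ""), "dest_cname": r.get("dest_hostname", ""),
        "proto": r.get("proto", ""), "traffic": r.get("traffic") or 0,
    } for r in records]


def services_by_port(records):
    """Roll up by (dest_port, proto): number of distinct destinations and
    sources and total bytes, busiest service first."""
    acc = {}
    for r in records:
        key = (r.get("dest_port"), r.get("proto", ""))
        g = acc.setdefault(key, {"destinations": set(), "sources": set(), "traffic": 0})
        g["destinations"].add(r.get("dest_ip"))
        g["sources"].add(r.get("src_ip"))
        g["traffic"] += r.get("traffic") or 0
    rows = [{"dest_port": k[0], "proto": k[1], "destinations": len(v["destinations"]),
             "sources": len(v["sources"]), "traffic": v["traffic"]} for k, v in acc.items()]
    return sorted(rows, key=lambda row: row["traffic"], reverse=True)


def sources_sharing_mac(records):
    """Source IPs that share one source MAC. Several IPs behind one NIC means
    one host with several addresses or a gateway in the path; either way the
    per-IP view understates what that NIC is doing, so flag it for review."""
    by_mac = defaultdict(set)
    for r in records:
        if r.get("src_mac"):
            by_mac[r["src_mac"]].add(r["src_ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for row in services_by_port(ALL_CONNECTIONS):
        print(row)
    print(sources_sharing_mac(ALL_CONNECTIONS))
```

The roll-up is the view to start from when the full connection list is long: one row per service tells you how many PLCs are reached on a port and by how many sources, and the shared-MAC check catches a single sending host hiding behind several source addresses.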