SecBI

The SecBI solution is designed to transform security operations by automating detection and investigation through to response, including remediation and enforcement of prevention policies on all integrated appliances. This integration was tested with SecBI version 3.2.x.

Use Cases

  • secbi-get-incidents-list : Get all incidents matching a hunting query (Elasticsearch query-string syntax); returns the list of IDs of the matching incidents in the SecBI system (if any matched).
  • secbi-get-incident : Get all details of a specific incident by its ID (typically the next step after secbi-get-incidents-list); returns the full incident, including all involved users, destinations and the detailed detections made by the SecBI system.
  • secbi-get-incident-by-host : Get the incident that involved a specific destination host (useful for an IOC match or as a broader-scope detection request); returns the full incident involving that host, including all involved users, all destinations (which may implicate destinations other than the one in the request), and the detailed detections made by the SecBI system.
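The three use cases are meant to be chained: list incident IDs for a hunting query, fetch each incident by ID, and pivot from a single IOC host to the incident and the other destinations it implicates. The Python below is an added example, not code from the SecBI integration or the Demisto content pack. It assumes an execute(command, args) callable that returns the EntryContext dict a command produces (inside a Demisto automation you would wrap demisto.executeCommand and take EntryContext from the returned entries); the context-key suffix form and the treatment of 0.0.0.0 as an unresolved-destination placeholder are inferred from the sample output on this page. The stub executor and its data are constructed from a subset of that sample output so the example runs offline.

```python
"""Chain the three SecBI commands into one triage pass (added example, not pack code)."""
import ipaddress
from typing import Any, Callable, Dict, List

# Assumption: execute(command, args) returns the command's EntryContext dict. In a
# Demisto automation this would wrap demisto.executeCommand(); a stub is used below.
Executor = Callable[[str, Dict[str, str]], Dict[str, Any]]

# The sample output on this page lists 0.0.0.0 among SIp values; treat it as an
# unresolved-destination placeholder, never as a blockable indicator.
PLACEHOLDER_IPS = {"0.0.0.0"}

def _as_list(value: Any) -> List[Any]:
    """Context fields hold a scalar for one value and a list for several."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _context_value(ctx: Dict[str, Any], path: str) -> Any:
    """Look up a context path; keys may carry a linking suffix such as
    'SecBI.Incident(val.ID && val.ID === obj.ID)' (assumed Demisto convention)."""
    for key, value in ctx.items():
        if key == path or key.startswith(path + "("):
            return value
    return None

def _single_incident(ctx: Dict[str, Any], what: str) -> Dict[str, Any]:
    items = _as_list(_context_value(ctx, "SecBI.Incident"))
    if not items:
        raise LookupError(f"SecBI returned no incident for {what}")
    return items[0]

def list_incident_ids(execute: Executor, query: str, limit: int = 100) -> List[str]:
    ctx = execute("secbi-get-incidents-list", {"query": query, "limit": str(limit)})
    return [str(i) for i in _as_list(_context_value(ctx, "SecBI.IncidentsList"))]

def get_incident(execute: Executor, incident_id: str) -> Dict[str, Any]:
    ctx = execute("secbi-get-incident", {"incident_id": incident_id})
    return _single_incident(ctx, f"incident_id={incident_id}")

def get_incident_by_host(execute: Executor, host: str) -> Dict[str, Any]:
    ctx = execute("secbi-get-incident-by-host", {"host": host})
    return _single_incident(ctx, f"host={host}")

def indicators(incident: Dict[str, Any]) -> Dict[str, List[str]]:
    """Split an incident into blockable destinations and the internal assets it touched."""
    destinations = []
    for raw in _as_list(incident.get("SIp")):
        text = str(raw).strip()
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # never push a non-address into a blocklist
        if text in PLACEHOLDER_IPS or not ip.is_global:
            continue  # placeholder, RFC 1918, loopback etc. are not destinations to block
        destinations.append(text)
    return {
        "hosts": sorted({str(h).strip() for h in _as_list(incident.get("Host"))}),
        "destination_ips": sorted(set(destinations)),
        "internal_ips": sorted({str(i).strip() for i in _as_list(incident.get("InternalIp"))}),
        "identities": sorted({str(i).strip() for i in _as_list(incident.get("Identity"))}),
    }

def triage(execute: Executor, query: str, limit: int = 100) -> Dict[str, Dict[str, List[str]]]:
    """Use cases 1 and 2: list incidents matching the hunting query, fetch each, extract indicators."""
    return {iid: indicators(get_incident(execute, iid)) for iid in list_incident_ids(execute, query, limit)}

def pivot_from_host(execute: Executor, host: str) -> Dict[str, Any]:
    """Use case 3: from one IOC host to its incident and the other destinations it implicates."""
    inc = get_incident_by_host(execute, host)
    ind = indicators(inc)
    return {"incident_id": str(inc["ID"]), "identities": ind["identities"],
            "other_hosts": [h for h in ind["hosts"] if h != host],
            "destination_ips": ind["destination_ips"]}

# Constructed stub for demisto.executeCommand, holding a subset of this page's sample output.
_SAMPLE_INCIDENT = {
    "ID": "7899b0ff-810b-4df4-a0e3-806557aecc2e",
    "Host": ["www.smooto.com", "ws.atomikad.com", "static.pubfac.com", "www.elfri.be"],
    "Identity": "joe@acme.com",
    "InternalIp": ["172.23.152.25", "172.23.152.26"],
    "SIp": ["141.101.61.31", "37.187.151.239", "0.0.0.0", "52.85.180.13"],
}
_INCIDENT_KEY = "SecBI.Incident(val.ID && val.ID === obj.ID)"

def stub_execute(command: str, args: Dict[str, str]) -> Dict[str, Any]:
    """Offline stand-in: the query is not evaluated, the single sample incident always matches."""
    if command == "secbi-get-incidents-list":
        n = int(args.get("limit", "100"))
        ids = [_SAMPLE_INCIDENT["ID"]]
        return {"SecBI.IncidentsList": ids if n < 0 else ids[:n]}  # -1 means all
    if command == "secbi-get-incident" and args.get("incident_id") == _SAMPLE_INCIDENT["ID"]:
        return {_INCIDENT_KEY: _SAMPLE_INCIDENT}
    if command == "secbi-get-incident-by-host" and args.get("host") in _SAMPLE_INCIDENT["Host"]:
        return {_INCIDENT_KEY: _SAMPLE_INCIDENT}
    return {}

if __name__ == "__main__":
    print(triage(stub_execute, "severity:[60 TO 100]", 3))
    print(pivot_from_host(stub_execute, "www.smooto.com"))
```

The indicator split matters for the response step described above: only global, non-placeholder SIp values go toward a block list, while InternalIp and Identity values identify the assets and users to contain. Replacing stub_execute with a wrapper around demisto.executeCommand is the only change needed to run this inside a playbook automation.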

Detailed Description

With attacks growing in volume and complexity, organizations face an almost insurmountable challenge in implementing effective security programs at a time when security resources are severely limited. They struggle with inadequate time, funds, skillsets and headcount.

SecBI makes detection and response quick, accurate and simple with its proprietary underlying technology, AI-based Autonomous Investigation™, which mimics an expert analyst at machine speed.

SecBI’s Autonomous Investigation amplifies the alert prioritization and incident investigation skills of security analyst teams, allowing them to efficiently prioritize alerts from other systems and to investigate and triage incidents through analytics-driven visibility.

SecBI builds behavioral profiles for users and hosts by applying Autonomous Investigation techniques, including supervised and unsupervised machine learning, to data from the network and security infrastructure, enriched with threat intelligence.

The security insights generated by SecBI analytics are oriented around a user or host, which makes them easy to act on with automated response and lets analysts conduct incident investigations and hunt for unknown threats.

Configure SecBI on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for SecBI.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • SecBI API URL (e.g. https://demisto.secbi.com)
    • SecBI API key
    • Use system proxy settings
    • Trust any certificate (not secure) : disables TLS certificate validation for the SecBI API URL; leave it unchecked in production and use it only for lab instances with self-signed certificates.
  4. Click Test to validate the new instance.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. SecBI Get All Incident IDs: secbi-get-incidents-list
  2. Get a specific SecBI Incident by SecBI Incident ID: secbi-get-incident
  3. Get a specific SecBI Incident by Host: secbi-get-incident-by-host

1. secbi-get-incidents-list


SecBI Get All Incident IDs

Base Command

secbi-get-incidents-list

Required Permissions

No special permissions required.

Input
|Argument Name|Description|Required|
|---|---|---|
| query | Query (Elasticsearch query-string syntax) by which to filter the incident IDs | Optional |
| limit | Maximum number of IDs to return; -1 returns all. Default is 100 | Optional |

Context Output
|Path|Type|Description|
|---|---|---|
| SecBI.IncidentsList | String | List of SecBI incident IDs |

Command Example

!secbi-get-incidents-list query="severity:[60 TO 100]" limit="3"

Human Readable Output

### List of SecBI Incidents

|ID|
|---|
| 7899b0ff-810b-4df4-a0e3-806557aecc2e |
| 3de12111-3b09-45b7-8ac8-6ab88be48b52 |
| 0e83beac-b374-4f89-b2ab-ecc851414ec9 |

2. secbi-get-incident


Get a specific SecBI Incident by SecBI Incident ID

Base Command

secbi-get-incident

Required Permissions

No special permissions required.

Input
|Argument Name|Description|Required|
|---|---|---|
| incident_id | SecBI incident ID | Required |

Context Output
|Path|Type|Description|
|---|---|---|
| SecBI.Incident.ID | String | SecBI incident ID |
| SecBI.Incident.Host | String | SecBI incident host names (destinations) |
| SecBI.Incident.Identity | String | SecBI incident identities (users) |
| SecBI.Incident.InternalIp | String | SecBI incident client internal IP addresses |
| SecBI.Incident.SIp | String | SecBI incident destination (server) IP addresses, as shown in the example output; 0.0.0.0 appears for unresolved destinations |
| SecBI.Incident.FirstAppearance | Date | SecBI incident first appearance of data |
| SecBI.Incident.LastAppearance | Date | SecBI incident last appearance of data |

Command Example

!secbi-get-incident incident_id=7899b0ff-810b-4df4-a0e3-806557aecc2e

Human Readable Output

### SecBI incident ID "7899b0ff-810b-4df4-a0e3-806557aecc2e"

|FirstAppearance|Host|ID|Identity|InternalIp|LastAppearance|SIp|
|---|---|---|---|---|---|---|
| 2017-07-31 06:46:14 | pix.crp.education, solutions.sante-corps-esprit.com, tracking.notizie.it, editions.biosante-editions.fr, www.nikon.fr, www.mailant.it, static.biosante-editions.com, static.pubfac.com, moodle.ead-online.be, img1.gtv.digimondo.net, static.snieditions.com, www.trgmedia.it, ws.atomikad.com, www.ead-online.be, www.smooto.com, www.cronacaeugubina.it, www.elfri.be | 7899b0ff-810b-4df4-a0e3-806557aecc2e | joe@acme.com | 172.23.152.25, 172.23.152.26 | 2017-08-04 08:22:43 | 141.101.61.31, 37.187.151.239, 52.85.180.13, 52.85.180.203, 151.80.18.159, 94.23.64.3, 134.213.72.175, 46.37.22.52, 95.85.13.99, 46.37.22.123, 54.72.0.177, 23.253.140.198, 0.0.0.0, 176.62.160.38, 52.85.180.177 |

3. secbi-get-incident-by-host


Get a specific SecBI Incident by Host

Base Command

secbi-get-incident-by-host

Required Permissions

No special permissions required.

Input
|Argument Name|Description|Required|
|---|---|---|
| host | The destination host name by which to find a SecBI incident | Required |

Context Output
|Path|Type|Description|
|---|---|---|
| SecBI.Incident.ID | String | SecBI incident ID |
| SecBI.Incident.Host | String | SecBI incident host names (destinations) |
| SecBI.Incident.Identity | String | SecBI incident identities (users) |
| SecBI.Incident.InternalIp | String | SecBI incident client internal IP addresses |
| SecBI.Incident.SIp | String | SecBI incident destination (server) IP addresses, as shown in the example output; 0.0.0.0 appears for unresolved destinations |
| SecBI.Incident.FirstAppearance | Date | SecBI incident first appearance of data |
| SecBI.Incident.LastAppearance | Date | SecBI incident last appearance of data |

Command Example

!secbi-get-incident-by-host host=www.smooto.com

Human Readable Output

### SecBI incident by host "www.smooto.com"

|FirstAppearance|Host|ID|Identity|InternalIp|LastAppearance|SIp|
|---|---|---|---|---|---|---|
| 2017-07-31 06:46:14 | pix.crp.education, solutions.sante-corps-esprit.com, tracking.notizie.it, editions.biosante-editions.fr, www.nikon.fr, www.mailant.it, static.biosante-editions.com, static.pubfac.com, moodle.ead-online.be, img1.gtv.digimondo.net, static.snieditions.com, www.trgmedia.it, ws.atomikad.com, www.ead-online.be, www.smooto.com, www.cronacaeugubina.it, www.elfri.be | 7899b0ff-810b-4df4-a0e3-806557aecc2e | joe@acme.com | 172.23.152.25, 172.23.152.26 | 2017-08-04 08:22:43 | 141.101.61.31, 37.187.151.239, 52.85.180.13, 52.85.180.203, 151.80.18.159, 94.23.64.3, 134.213.72.175, 46.37.22.52, 95.85.13.99, 46.37.22.123, 54.72.0.177, 23.253.140.198, 0.0.0.0, 176.62.160.38, 52.85.180.177 |