Bluecat Address Manager
This Integration is part of the Bluecat Address Manager Pack.
This integration supports Bluecat Address Manager version 9.5.
Use the BlueCat integration to enrich IP addresses and manage response policies.
Configure BluecatAddressManager on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for BluecatAddressManager.
- Click Add instance to create and configure a new integration instance.
  - Name: a textual name for the integration instance.
  - Incident type
  - Server URL (e.g., https://192.168.0.1)
  - Username
  - Trust any certificate (insecure)
  - Use system proxy
  - Configuration Name
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Enrich an IP address: bluecat-am-query-ip
- Get all response policies: bluecat-am-get-response-policies
- Search response policies by domain: bluecat-am-search-response-policies-by-domain
- Add a domain to a response policy: bluecat-am-response-policy-add-domain
- Remove a domain from a response policy: bluecat-am-response-policy-remove-domain
- Get an IPv4 block containing an IPv4 address: bluecat-am-get-range-by-ip
1. Enrich an IP address
Enriches an IP address with data about IP networks and blocks to which it belongs, linked IPs, MAC addresses, and so on.
Base Command
bluecat-am-query-ip
Input
| Argument Name | Description | Required |
|---|---|---|
| ip | The IP to get data for. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| BlueCat.AddressManager.IP.ID | Number | The address manager ID of the IP address. |
| BlueCat.AddressManager.IP.Name | String | Name of the IP address. |
| BlueCat.AddressManager.IP.MacAddress | String | Corresponding MAC address. |
| BlueCat.AddressManager.IP.Parents.ID | String | ID of the parent IP address. |
| BlueCat.AddressManager.IP.Parents.Type | String | Type of the parent IP address. |
| BlueCat.AddressManager.IP.Parents.Name | String | Name of the parent IP address. |
| BlueCat.AddressManager.IP.Parents.CIDR | String | Classless Inter-Domain Routing. |
| BlueCat.AddressManager.IP.Type | String | Type of IP address. |
| IP.Address | String | Address of IP. |
| BlueCat.AddressManager.IP.Parents.Prefix | String | Prefix of the IP address. |
Command Example
bluecat-am-query-ip ip="10.0.0.10"
Context Example
{
    "IP": {
        "Address": "10.0.0.10"
    },
    "BlueCat.AddressManager.IP": {
        "Name": null,
        "LocationInherited": "true",
        "State": "STATIC",
        "Parents": [
            {
                "InheritPingBeforeAssign": "true",
                "InheritDNSRestrictions": "true",
                "LocationInherited": "true",
                "PingBeforeAssign": "disable",
                "AllowDuplicateHost": "disable",
                "ID": 100913,
                "InheritAllowDuplicateHost": "true",
                "InheritDefaultView": "true",
                "CIDR": "10.0.0.0/24",
                "DefaultView": "100907",
                "Type": "IP4Network",
                "Gateway": "10.0.0.1",
                "InheritDefaultDomains": "true",
                "Name": "East Office"
            },
            {
                "InheritPingBeforeAssign": "true",
                "InheritDNSRestrictions": "true",
                "LocationInherited": "true",
                "PingBeforeAssign": "disable",
                "AllowDuplicateHost": "disable",
                "InheritAllowDuplicateHost": "true",
                "InheritDefaultView": "true",
                "CIDR": "10.0.0.0/21",
                "DefaultView": "100907",
                "Type": "IP4Block",
                "ID": 100912,
                "InheritDefaultDomains": "true",
                "Name": "Tampa"
            },
            {
                "InheritPingBeforeAssign": "true",
                "InheritDNSRestrictions": "true",
                "LocationInherited": "true",
                "PingBeforeAssign": "disable",
                "AllowDuplicateHost": "disable",
                "InheritAllowDuplicateHost": "true",
                "InheritDefaultView": "true",
                "CIDR": "10.0.0.0/19",
                "DefaultView": "100907",
                "Type": "IP4Block",
                "ID": 100911,
                "InheritDefaultDomains": "true",
                "Name": "Florida"
            },
            {
                "InheritPingBeforeAssign": "true",
                "InheritDNSRestrictions": "true",
                "LocationInherited": "true",
                "PingBeforeAssign": "disable",
                "AllowDuplicateHost": "disable",
                "InheritAllowDuplicateHost": "true",
                "InheritDefaultView": "true",
                "CIDR": "10.0.0.0/16",
                "DefaultView": "100907",
                "Type": "IP4Block",
                "ID": 100910,
                "InheritDefaultDomains": "true",
                "Name": "North America"
            },
            {
                "InheritPingBeforeAssign": "false",
                "InheritDNSRestrictions": "true",
                "LocationInherited": "true",
                "PingBeforeAssign": "disable",
                "AllowDuplicateHost": "disable",
                "InheritAllowDuplicateHost": "false",
                "InheritDefaultView": "false",
                "CIDR": "10.0.0.0/8",
                "DefaultView": "100907",
                "Type": "IP4Block",
                "ID": 100909,
                "InheritDefaultDomains": "true",
                "Name": "global"
            }
        ],
        "Address": "10.0.0.10",
        "Type": "IPv4",
        "ID": 100923
    }
}
Human Readable Output
10.0.0.10 IP Result:
| ID | Name | Type | Address | State | Location Inherited |
|---|---|---|---|---|---|
| 100923 |  | IPv4 | 10.0.0.10 | STATIC | true |
Parents Details:
| ID | Type | Name | CIDR | Allow Duplicate Host | Inherit Allow Duplicate Host | Ping Before Assign | Inherit Ping Before Assign | Location Inherited | Inherit Default Domains | Default View | Inherit Default View | Inherit DNS Restrictions |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 100909 | IP4Block | global | 10.0.0.0/8 | disable | false | disable | false | true | true | 100907 | false | true |
| 100910 | IP4Block | North America | 10.0.0.0/16 | disable | true | disable | true | true | true | 100907 | true | true |
| 100911 | IP4Block | Florida | 10.0.0.0/19 | disable | true | disable | true | true | true | 100907 | true | true |
| 100912 | IP4Block | Tampa | 10.0.0.0/21 | disable | true | disable | true | true | true | 100907 | true | true |
| 100913 | IP4Network | East Office | 10.0.0.0/24 | disable | true | disable | true | true | true | 100907 | true | true |
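The Parents list returned by bluecat-am-query-ip is a containment chain, so it can place an address at a site during triage. The Python below is an added example, not part of the integration or its documentation: `resolve_hierarchy` is a hypothetical helper, and the sample entry is constructed from the Context Example above, reduced to the fields the helper reads.

```python
import ipaddress

# Constructed sample: the BlueCat.AddressManager.IP entry from the Context
# Example above, reduced to the fields this example reads.
SAMPLE_IP_ENTRY = {
    "Address": "10.0.0.10",
    "Parents": [
        {"ID": 100913, "Type": "IP4Network", "Name": "East Office", "CIDR": "10.0.0.0/24"},
        {"ID": 100912, "Type": "IP4Block", "Name": "Tampa", "CIDR": "10.0.0.0/21"},
        {"ID": 100911, "Type": "IP4Block", "Name": "Florida", "CIDR": "10.0.0.0/19"},
        {"ID": 100910, "Type": "IP4Block", "Name": "North America", "CIDR": "10.0.0.0/16"},
        {"ID": 100909, "Type": "IP4Block", "Name": "global", "CIDR": "10.0.0.0/8"},
    ],
}


def resolve_hierarchy(ip_entry):
    """Order the parents of an enriched IP from broadest to most specific.

    A parent is kept only if its CIDR parses and really contains the address;
    anything else is returned under "rejected" for the analyst to review.
    (resolve_hierarchy is a hypothetical helper, not an integration command.)
    """
    addr = ipaddress.ip_address(ip_entry["Address"])
    kept, rejected = [], []
    for parent in ip_entry.get("Parents") or []:
        try:
            net = ipaddress.ip_network(str(parent.get("CIDR") or ""))
        except ValueError:
            rejected.append(parent)  # missing or malformed CIDR
            continue
        if addr in net:
            kept.append((net.prefixlen, parent))
        else:
            rejected.append(parent)  # CIDR does not cover the address
    kept.sort(key=lambda item: item[0])  # shortest prefix = broadest block
    ordered = [parent for _, parent in kept]
    return {
        "path": " > ".join(p.get("Name") or str(p["CIDR"]) for p in ordered),
        "most_specific": ordered[-1] if ordered else None,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(resolve_hierarchy(SAMPLE_IP_ENTRY)["path"])
```

A non-empty `rejected` list means the enrichment data and the queried address disagree, which is worth checking before the site name is used in an incident.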
2. Get all response policies
Returns all response policies.
Base Command
bluecat-am-get-response-policies
Input
| Argument Name | Description | Required |
|---|---|---|
| start | Start index from which to get the response policies. Default is 0. | Optional |
| count | Maximum number of response policies to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| BlueCat.AddressManager.ResponsePolicies.ID | Number | ID of the response policy. |
| BlueCat.AddressManager.ResponsePolicies.Name | String | Name of the response policy. |
| BlueCat.AddressManager.ResponsePolicies.Ttl | Unknown | Time to live (TTL) of the response policy. |
| BlueCat.AddressManager.ResponsePolicies.Type | String | Type of the response policy (BLACKLIST, BLACKHOLE, WHITELIST, or REDIRECT). |
| BlueCat.AddressManager.ResponsePolicies.RedirectTarget | String | Target of redirect, in case of REDIRECT policy type. |
Command Example
bluecat-am-get-response-policies start="0" count="30"
Context Example
{
    "BlueCat.AddressManager.ResponsePolicies": [
        {
            "RedirectTarget": "foo.com",
            "ResponsePolicyType": "REDIRECT",
            "Ttl": "30",
            "Type": "ResponsePolicy",
            "ID": 100930,
            "Name": "Malware Trap"
        }
    ]
}
Human Readable Output
Response Policies:
Malware Trap
| ID | Name | Type | Ttl | ResponsePolicyType | RedirectTarget |
|---|---|---|---|---|---|
| 100930 | Malware Trap | ResponsePolicy | 30 | REDIRECT | foo.com |
3. Search response policies by domain
Searches all response policies in which the given domain is included.
Base Command
bluecat-am-search-response-policies-by-domain
Input
| Argument Name | Description | Required |
|---|---|---|
| domain | Domain name by which to search. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| BlueCat.AddressManager.ResponsePolicies.ID | Number | ID of the response policy. |
| BlueCat.AddressManager.ResponsePolicies.Name | String | Name of the response policy. |
| BlueCat.AddressManager.ResponsePolicies.Ttl | Unknown | Time to live (TTL) of the response policy. |
| BlueCat.AddressManager.ResponsePolicies.Type | String | Type of the response policy (BLACKLIST, BLACKHOLE, WHITELIST, or REDIRECT). |
| BlueCat.AddressManager.ResponsePolicies.RedirectTarget | String | Target of redirect, in case of REDIRECT policy type. |
Command Example
bluecat-am-search-response-policies-by-domain domain="demisto.com"
Human Readable Output
Could not find any response policy
4. Add a domain to a response policy
Adds a domain to the given response policy.
Base Command
bluecat-am-response-policy-add-domain
Input
| Argument Name | Description | Required |
|---|---|---|
| policy_id | ID of the response policy to edit. | Required |
| domain | Domain to add to the response policy. | Required |
Context Output
There is no context output for this command.
Command Example
bluecat-am-response-policy-add-domain policy_id="100930" domain="demisto.com"
Human Readable Output
Successfully added demisto.com to response policy 100930
5. Remove a domain from a response policy
Removes a domain from the given response policy.
Base Command
bluecat-am-response-policy-remove-domain
Input
| Argument Name | Description | Required |
|---|---|---|
| policy_id | ID of the response policy to edit. | Required |
| domain | Domain to remove from the response policy. | Required |
Context Output
There is no context output for this command.
Command Example
bluecat-am-response-policy-remove-domain policy_id="100930" domain="demisto.com"
Human Readable Output
Successfully removed demisto.com from response policy 100930
6. Get an IPv4 block containing an IPv4 address
Gets an IPv4 block, which contains a specified IPv4 address.
Base Command
bluecat-am-get-range-by-ip
Input
| Argument Name | Description | Required |
|---|---|---|
| ip | The IP address for which to get the range. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| BlueCat.AddressManager.Range.ID | String | The address manager ID of the Range. |
| BlueCat.AddressManager.Range.Name | String | Name of the Range. |
| BlueCat.AddressManager.Range.Type | String | Type of the Range. |
| BlueCat.AddressManager.Range.Parents.ID | String | ID of the parent Range. |
| BlueCat.AddressManager.Range.Parents.Type | String | Type of the parent Range. |
| BlueCat.AddressManager.Range.Parents.Name | String | Name of the parent Range. |
| BlueCat.AddressManager.Range.Parents.CIDR | String | Classless Inter-Domain Routing. |
Command Example
!bluecat-am-get-range-by-ip ip=10.0.0.11