Bluecat Address Manager
This Integration is part of the Bluecat Address Manager Pack.
This integration supports Bluecat Address Manager version 9.2. Newer versions might fail to run.
Use the BlueCat integration to enrich IP addresses and manage response policies.
Configure BluecatAddressManager on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for BluecatAddressManager.
- Click Add instance to create and configure a new integration instance.
  - Name: a textual name for the integration instance.
  - Incident type
  - Server URL (e.g., https://192.168.0.1)
  - Username
  - Trust any certificate (insecure)
  - Use system proxy
  - Configuration Name
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Enrich an IP address: bluecat-am-query-ip
- Get all response policies: bluecat-am-get-response-policies
- Search response policies by domain: bluecat-am-search-response-policies-by-domain
- Add a domain to a response policy: bluecat-am-response-policy-add-domain
- Remove a domain from a response policy: bluecat-am-response-policy-remove-domain
- Get an IPv4 block containing an IPv4 address: bluecat-am-get-range-by-ip
1. Enrich an IP address
Enriches an IP address with data about IP networks and blocks to which it belongs, linked IPs, MAC addresses, and so on.
Base Command
bluecat-am-query-ip
Input
Argument Name | Description | Required |
---|---|---|
ip | The IP to get data for. | Required |
Context Output
Path | Type | Description |
---|---|---|
BlueCat.AddressManager.IP.ID | Number | The address manager ID of the IP address. |
BlueCat.AddressManager.IP.Name | String | Name of the IP address. |
BlueCat.AddressManager.IP.MacAddress | String | Corresponding MAC address. |
BlueCat.AddressManager.IP.Parents.ID | String | ID of the parent IP address. |
BlueCat.AddressManager.IP.Parents.Type | String | Type of the parent IP address. |
BlueCat.AddressManager.IP.Parents.Name | String | Name of the parent IP address. |
BlueCat.AddressManager.IP.Parents.CIDR | String | Classless Inter-Domain Routing. |
BlueCat.AddressManager.IP.Type | String | Type of IP address. |
IP.Address | String | Address of IP. |
BlueCat.AddressManager.IP.Parents.Prefix | String | Prefix of the IP address. |
Command Example
bluecat-am-query-ip ip="10.0.0.10"
Context Example
{ "IP": { "Address": "10.0.0.10" }, "BlueCat.AddressManager.IP": { "Name": null, "LocationInherited": "true", "State": "STATIC", "Parents": [ { "InheritPingBeforeAssign": "true", "InheritDNSRestrictions": "true", "LocationInherited": "true", "PingBeforeAssign": "disable", "AllowDuplicateHost": "disable", "ID": 100913, "InheritAllowDuplicateHost": "true", "InheritDefaultView": "true", "CIDR": "10.0.0.0/24", "DefaultView": "100907", "Type": "IP4Network", "Gateway": "10.0.0.1", "InheritDefaultDomains": "true", "Name": "East Office" }, { "InheritPingBeforeAssign": "true", "InheritDNSRestrictions": "true", "LocationInherited": "true", "PingBeforeAssign": "disable", "AllowDuplicateHost": "disable", "InheritAllowDuplicateHost": "true", "InheritDefaultView": "true", "CIDR": "10.0.0.0/21", "DefaultView": "100907", "Type": "IP4Block", "ID": 100912, "InheritDefaultDomains": "true", "Name": "Tampa" }, { "InheritPingBeforeAssign": "true", "InheritDNSRestrictions": "true", "LocationInherited": "true", "PingBeforeAssign": "disable", "AllowDuplicateHost": "disable", "InheritAllowDuplicateHost": "true", "InheritDefaultView": "true", "CIDR": "10.0.0.0/19", "DefaultView": "100907", "Type": "IP4Block", "ID": 100911, "InheritDefaultDomains": "true", "Name": "Florida" }, { "InheritPingBeforeAssign": "true", "InheritDNSRestrictions": "true", "LocationInherited": "true", "PingBeforeAssign": "disable", "AllowDuplicateHost": "disable", "InheritAllowDuplicateHost": "true", "InheritDefaultView": "true", "CIDR": "10.0.0.0/16", "DefaultView": "100907", "Type": "IP4Block", "ID": 100910, "InheritDefaultDomains": "true", "Name": "North America" }, { "InheritPingBeforeAssign": "false", "InheritDNSRestrictions": "true", "LocationInherited": "true", "PingBeforeAssign": "disable", "AllowDuplicateHost": "disable", "InheritAllowDuplicateHost": "false", "InheritDefaultView": "false", "CIDR": "10.0.0.0/8", "DefaultView": "100907", "Type": "IP4Block", "ID": 100909, "InheritDefaultDomains": "true", "Name": "global" } ], "Address": "10.0.0.10", "Type": "IPv4", "ID": 100923 } }
Human Readable Output
10.0.0.10 IP Result:
ID | Name | Type | Address | State | Location Inherited |
---|---|---|---|---|---|
100923 | | IPv4 | 10.0.0.10 | STATIC | true |
Parents Details:
ID | Type | Name | CIDR | Allow Duplicate Host | Inherit Allow Duplicate Host | Ping Before Assign | Inherit Ping Before Assign | Location Inherited | Inherit Default Domains | Default View | Inherit Default View | Inherit DNS Restrictions |
---|---|---|---|---|---|---|---|---|---|---|---|---|
100909 | IP4Block | global | 10.0.0.0/8 | disable | false | disable | false | true | true | 100907 | false | true |
100910 | IP4Block | North America | 10.0.0.0/16 | disable | true | disable | true | true | true | 100907 | true | true |
100911 | IP4Block | Florida | 10.0.0.0/19 | disable | true | disable | true | true | true | 100907 | true | true |
100912 | IP4Block | Tampa | 10.0.0.0/21 | disable | true | disable | true | true | true | 100907 | true | true |
100913 | IP4Network | East Office | 10.0.0.0/24 | disable | true | disable | true | true | true | 100907 | true | true |
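
An added example, not part of the integration's own code: a Python helper that takes the context returned by bluecat-am-query-ip, checks that the address really sits inside every parent CIDR, and returns the location path and narrowest network for triage. `locate_ip` and `SAMPLE_CONTEXT` are hypothetical names, and the sample is trimmed from the Context Example above.

```python
import ipaddress

# Trimmed from the page's Context Example for bluecat-am-query-ip (only the keys used here).
SAMPLE_CONTEXT = {
    "IP": {"Address": "10.0.0.10"},
    "BlueCat.AddressManager.IP": {
        "Address": "10.0.0.10", "Type": "IPv4", "State": "STATIC", "ID": 100923,
        "Parents": [
            {"ID": 100913, "Type": "IP4Network", "CIDR": "10.0.0.0/24", "Name": "East Office"},
            {"ID": 100912, "Type": "IP4Block", "CIDR": "10.0.0.0/21", "Name": "Tampa"},
            {"ID": 100911, "Type": "IP4Block", "CIDR": "10.0.0.0/19", "Name": "Florida"},
            {"ID": 100910, "Type": "IP4Block", "CIDR": "10.0.0.0/16", "Name": "North America"},
            {"ID": 100909, "Type": "IP4Block", "CIDR": "10.0.0.0/8", "Name": "global"},
        ],
    },
}


def locate_ip(context):
    """Order the parents from widest to narrowest and return the location path."""
    entry = context["BlueCat.AddressManager.IP"]
    addr = ipaddress.ip_address(entry["Address"])
    ranked = []
    for parent in entry.get("Parents") or []:
        cidr = parent.get("CIDR")
        if not cidr:
            continue  # no CIDR, so the parent cannot be placed in the hierarchy
        net = ipaddress.ip_network(cidr, strict=False)
        if addr not in net:
            # Stale or mismatched IPAM data: fail loudly instead of mislabelling the host.
            raise ValueError(f"{addr} is not inside parent {parent.get('Name')} ({cidr})")
        ranked.append((net.prefixlen, parent))
    ranked.sort(key=lambda item: item[0])  # do not rely on the order the API returned
    narrowest = ranked[-1][1] if ranked else None
    return {
        "address": str(addr),
        "path": " > ".join(str(p.get("Name")) for _, p in ranked),
        "network": narrowest,
        "is_private": addr.is_private,
    }


if __name__ == "__main__":
    print(locate_ip(SAMPLE_CONTEXT))
```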
2. Get all response policies
Returns all response policies.
Base Command
bluecat-am-get-response-policies
Input
Argument Name | Description | Required |
---|---|---|
start | Start index from which to get the response policies. Default is 0. | Optional |
count | Maximum number of response policies to return. | Optional |
Context Output
Path | Type | Description |
---|---|---|
BlueCat.AddressManager.ResponsePolicies.ID | Number | ID of the response policy. |
BlueCat.AddressManager.ResponsePolicies.Name | String | Name of the response policy. |
BlueCat.AddressManager.ResponsePolicies.Ttl | Unknown | Time to live (TTL) of the response policy. |
BlueCat.AddressManager.ResponsePolicies.Type | String | Type of the response policy (BLACKLIST, BLACKHOLE, WHITELIST, or REDIRECT). |
BlueCat.AddressManager.ResponsePolicies.RedirectTarget | String | Target of redirect, in case of REDIRECT policy type. |
Command Example
bluecat-am-get-response-policies start="0" count="30"
Context Example
{ "BlueCat.AddressManager.ResponsePolicies": [ { "RedirectTarget": "foo.com", "ResponsePolicyType": "REDIRECT", "Ttl": "30", "Type": "ResponsePolicy", "ID": 100930, "Name": "Malware Trap" } ] }
Human Readable Output
Response Policies:
Malware Trap
ID | Name | Type | Ttl | ResponsePolicyType | RedirectTarget |
---|---|---|---|---|---|
100930 | Malware Trap | ResponsePolicy | 30 | REDIRECT | foo.com |
3. Search response policies by domain
Searches all response policies in which the given domain is included.
Base Command
bluecat-am-search-response-policies-by-domain
Input
Argument Name | Description | Required |
---|---|---|
domain | Domain name by which to search. | Required |
Context Output
Path | Type | Description |
---|---|---|
BlueCat.AddressManager.ResponsePolicies.ID | Number | ID of the response policy. |
BlueCat.AddressManager.ResponsePolicies.Name | String | Name of the response policy. |
BlueCat.AddressManager.ResponsePolicies.Ttl | Unknown | Time to live (TTL) of the response policy. |
BlueCat.AddressManager.ResponsePolicies.Type | String | Type of the response policy (BLACKLIST, BLACKHOLE, WHITELIST, or REDIRECT). |
BlueCat.AddressManager.ResponsePolicies.RedirectTarget | String | Target of redirect, in case of REDIRECT policy type. |
Command Example
bluecat-am-search-response-policies-by-domain domain="demisto.com"
Human Readable Output
Could not find any response policy
4. Add a domain to a response policy
Adds a domain to the given response policy.
Base Command
bluecat-am-response-policy-add-domain
Input
Argument Name | Description | Required |
---|---|---|
policy_id | ID of the response policy to edit. | Required |
domain | Domain to add to the response policy. | Required |
Context Output
There is no context output for this command.
Command Example
bluecat-am-response-policy-add-domain policy_id="100930" domain="demisto.com"
Human Readable Output
Successfully added demisto.com to response policy 100930
5. Remove a domain from a response policy
Removes a domain from the given response policy.
Base Command
bluecat-am-response-policy-remove-domain
Input
Argument Name | Description | Required |
---|---|---|
policy_id | ID of the response policy to edit. | Required |
domain | Domain to remove from the response policy. | Required |
Context Output
There is no context output for this command.
Command Example
bluecat-am-response-policy-remove-domain policy_id="100930" domain="demisto.com"
Human Readable Output
Successfully removed demisto.com from response policy 100930
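
An added example, not part of the integration's own code: a pre-flight check for the add and remove commands above. It normalizes the domain, validates `policy_id`, and refuses to add any name that overlaps a protected domain. `build_policy_change`, `normalize_domain` and the `PROTECTED` list are hypothetical, and the overlap rule is a conservative assumption, not documented BlueCat matching behaviour.

```python
import re

COMMANDS = {
    "add": "bluecat-am-response-policy-add-domain",
    "remove": "bluecat-am-response-policy-remove-domain",
}
# Hypothetical site list: names that must never be added to a response policy.
PROTECTED = {"example.com", "corp.example"}
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(raw):
    """Lower-case, drop the root dot, IDNA-encode, then validate every label."""
    name = raw.strip().rstrip(".").lower()
    try:
        name = name.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"not a valid domain name: {raw!r}") from exc
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        raise ValueError(f"not a valid domain name: {raw!r}")
    return name


def build_policy_change(action, policy_id, domain, protected=PROTECTED):
    """Return (command, args) for the command, or raise before anything is sent."""
    if action not in COMMANDS:
        raise ValueError(f"unknown action: {action!r}")
    pid = str(policy_id)
    if not (pid.isascii() and pid.isdigit()):
        raise ValueError(f"policy_id must be numeric: {policy_id!r}")
    name = normalize_domain(domain)
    if action == "add":
        for keep in protected:
            # Refuse the protected name itself, anything under it and anything above it.
            if name == keep or name.endswith("." + keep) or keep.endswith("." + name):
                raise PermissionError(f"{name} overlaps protected domain {keep}")
    return COMMANDS[action], {"policy_id": pid, "domain": name}


if __name__ == "__main__":
    print(build_policy_change("add", 100930, " Demisto.COM. "))
```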
6. Get an IPv4 block containing an IPv4 address
Gets an IPv4 block, which contains a specified IPv4 address.
Base Command
bluecat-am-get-range-by-ip
Input
Argument Name | Description | Required |
---|---|---|
ip | The IP address for which to get the range. | Required |
Context Output
Path | Type | Description |
---|---|---|
BlueCat.AddressManager.Range.ID | String | The address manager ID of the Range. |
BlueCat.AddressManager.Range.Name | String | Name of the Range. |
BlueCat.AddressManager.Range.Type | String | Type of the Range. |
BlueCat.AddressManager.Range.Parents.ID | String | ID of the parent Range. |
BlueCat.AddressManager.Range.Parents.Type | String | Type of the parent Range. |
BlueCat.AddressManager.Range.Parents.Name | String | Name of the parent Range. |
BlueCat.AddressManager.Range.Parents.CIDR | String | Classless Inter-Domain Routing. |
Command Example
!bluecat-am-get-range-by-ip ip=10.0.0.11