Skip to main content

Confluera

This Integration is part of the Confluera Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Confluera Integration#

This is Confluera Integration.

Please make sure you look at the integration source code and comments.

This integration was built to get the insights of Confluera API(Autonomouse Detetcions and Response).

This integration was tested against product version 2.2.3

Supported Product Versions: 2.2.3 and above.

Configure Confluera in Cortex#

ParameterDescriptionRequired
IQ-Hub urlServer URL (e.g. https://test.confluera.com\)True
Trust any certificateNot SecureFalse
Use system proxy settingsProxy SettingsFalse
UsernameUsernme (e.g. username@confluera.com)True
PasswordPassword (e.g. userpassword)True

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

confluera-fetch-detections#


Fetches list of detections in confluera for past x hours.

Base Command#

confluera-fetch-detections

Input#

Argument NameDescriptionRequired
hoursSpecifies the time duration for which detections need to be fetchedOptional

Context Output#

PathTypeDescription
Confluera.DetectionsUnknownDetections Response

Command Example#

!confluera-fetch-detections hours="23"

Context Example#

[
{
"agentId": "prod_0_7_.agent-7",
"allowListId": null,
"attackIdList": [
1561190
],
"iocDetail": "MODIFIES file (/var/lib/apt/periodic/download-upgradeable-stamp) ",
"iocHash": "CreateModify-d596b00c51bc196d83a1c09736067986-1618187993765144524",
"iocSummary": "modifies file (/var/lib/apt/periodic/download-upgradeable-stamp) ",
"iocTactic": "Defense Evasion",
"ruleid": 0,
"scoreContribution": 0,
"seenTime": 1618187993765144600,
"trailId": "3343680",
"trailIocInfoType": "DETECTION",
"trailList": [
"prod_0_7_.agent-7:3343680"
],
"trailStateList": [
"ACTIVE"
]
},
{
"agentId": "prod_0_7_.agent-7",
"allowListId": null,
"attackIdList": [
1561190
],
"iocDetail": "CREATES file (/tmp/fileutl.message.f9ZBRG) ",
"iocHash": "CreateModify-3a46fad59032e3456e1c5bbf4fbc139e-1618187993710159633",
"iocSummary": "creates file (/tmp/fileutl.message.f9ZBRG) ",
"iocTactic": "Defense Evasion",
"ruleid": 0,
"scoreContribution": 0,
"seenTime": 1618187993710159600,
"trailId": "3343680",
"trailIocInfoType": "DETECTION",
"trailList": [
"prod_0_7_.agent-7:3343680"
],
"trailStateList": [
"ACTIVE"
]
}
]

Human Readable Output#

Results#

agentIdallowListIdattackIdListiocDetailiocHashiocSummaryiocTacticruleidscoreContributionseenTimetrailIdtrailIocInfoTypetrailListtrailStateList
prod0_7.agent-39985860["prod0_7.agent-39:16351"]InfluencedBy-9a56be0d76fe58f2373d64c4910aa40b-1618511546260570882Uses tainted file (/var/lib/amazon/ssm/i-0736b112f2496f381/document/state/current/fd2b1a18-2c09-47f2-afc3-fe013a364250) influencerTrails ["prod0_7.agent-39:16351"]Defense Evasion02161851154626057088222016DETECTIONprod0_7.agent-39:22016ACTIVE
prod0_7.agent-39985860["prod0_7.agent-39:16351"]InfluencedBy-9a56be0d76fe58f2373d64c4910aa40b-1618511546260570882Uses tainted file (/var/lib/amazon/ssm/i-0736b112f2496f381/document/state/current/fd2b1a18-2c09-47f2-afc3-fe013a364250) influencerTrails ["prod0_7.agent-39:16351"]Defense Evasion02161851154626057088222016DETECTIONprod0_7.agent-39:22016ACTIVE
prod0_7.agent-39972763User accessing websiteEdge-ae3b3d9a3c5d4b17491d3f6d924bd3b8-1618509851233674054Long sleep executed by processLateral Movement02161851154626057088222016DETECTIONprod0_7.agent-39:22016ACTIVE
prod0_7.agent-39972763User accessing websiteInfluencedBy-9a56be0d76fe58f2373d64c4910aa40b-1618511546260570882Uses tainted file (/var/lib/amazon/ssm/i-0736b112f2496f381/document/state/current/fd2b1a18-2c09-47f2-afc3-fe013a364250) influencerTrails ["prod0_7.agent-39:16351"]Defense Evasion02161851154626057088222016DETECTIONprod0_7.agent-39:22016ACTIVE

confluera-fetch-progressions#


Fetches list of progressions in confluera for past x hours.

Base Command#

confluera-fetch-progressions

Input#

Argument NameDescriptionRequired
hoursSpecifies the time duration for which progressions need to be fetchedOptional

Context Output#

PathTypeDescription
Confluera.ProgressionsUnknownProgressions response

Command Example#

!confluera-fetch-progressions hours="72"

Context Example#

[
{
"agentId": "prod_0_17_.agent-17",
"attackId": 7124733,
"containsAnchor": false,
"fingerprint": "df8519f5bbe6a8503c4b63da7a569cb1a1d51cd2d5784301e8d6dcec1950c93f",
"hostTimeInfoMap": {
"prod_0_17_.agent-17": 1618122605017392000
},
"lastIocSeenTime": 1618125575564836600,
"lastIocSeenTimeInternal": 0,
"lastMitigatedTime": 0,
"local": true,
"mitigateTime": 1618125575564836600,
"numberOfDetections": 2,
"numberOfHosts": 1,
"numberOfLateralMovements": 0,
"riskMomentum": 0,
"riskScore": 6,
"startTime": 1618122605017392000,
"state": "ACTIVE",
"trailIdHash": "prod_0_17_.agent-17:339738705",
"trailRiskHistInfoList": [
{
"agentId": "prod_0_17_.agent-17",
"scoreContribution": 0,
"seenTime": 1618122605017392000,
"trailId": "339738705"
},
{
"agentId": "prod_0_17_.agent-17",
"scoreContribution": 5,
"seenTime": 1618125575564836600,
"trailId": "339738705"
}
],
"trailTacticSet": [
"discovery",
"exfiltration"
],
"trailTechniqueSet": [
"T1046",
"T1048"
]
},
{
"agentId": "prod_0_27_.agent-27",
"attackId": 6977718,
"containsAnchor": true,
"fingerprint": "73bb36f06ffc5917ac3399baa99b833583ba4b3b6d44fa9ce68da2ed1c374ecf",
"hostTimeInfoMap": {
"prod_0_27_.agent-27": 1617982165439958500
},
"lastIocSeenTime": 1617987480554035200,
"lastIocSeenTimeInternal": 0,
"lastMitigatedTime": 0,
"local": true,
"mitigateTime": 1617987480554035200,
"numberOfDetections": 13,
"numberOfHosts": 1,
"numberOfLateralMovements": 1,
"riskMomentum": 0,
"riskScore": 10,
"startTime": 1617982165439958500,
"state": "ACTIVE",
"trailIdHash": "prod_0_27_.agent-27:1082130441",
"trailRiskHistInfoList": [
{
"agentId": "prod_0_27_.agent-27",
"scoreContribution": 0,
"seenTime": 1617982165439958500,
"trailId": "1082130441"
},
{
"agentId": "prod_0_27_.agent-27",
"scoreContribution": 10,
"seenTime": 1617986780899034000,
"trailId": "1082130441"
}
],
"trailTacticSet": [
"execution",
"privilege_escalation",
"lateral_movement"
],
"trailTechniqueSet": [
"T1166"
]
}
]

Human Readable Output#

Progressions Log:#

Progression URLTotal Progressions
19

Successfully fetched 19 progressions.#

agentIdattackIdcontainsAnchorfingerprinthostTimeInfoMaplastIocSeenTimelastIocSeenTimeInternallastMitigatedTimelocalmitigateTimenumberOfDetectionsnumberOfHostsnumberOfLateralMovementsriskMomentumriskScorestartTimestatetrailIdHashtrailRiskHistInfoListtrailTacticSettrailTechniqueSet
prod0_26.agent-26942184true34386ee468f53dc45582f45ed15f204794dprod0_26.agent-26: 1618466218792013459161846621879201345900true16184662187920134591100101618466218792013459ACTIVEprod0_26.agent-26:164626437{'agentId': 'prod0_26.agent-26', 'scoreContribution': 0, 'seenTime': 1618466218792013459, 'trailId': '164626437'}command_and_controlT1219
prod0_26.agent-26559633true2fca6467a9dccd2729ace9ce1832334386ee468f53dc45582f45ed15f204794dprod0_26.agent-26: 1618378594837195479161837859483719547900true16183796307227391791100101618466218792013459ACTIVEprod0_26.agent-26:157286403{'agentId': 'prod0_26.agent-26', 'scoreContribution': 0, 'seenTime': 1618378594837195479, 'trailId': '157286403'}command_and_controlT1219
prod0_26.agent-26769367true34386ee468f53dc45582f45ed15f204794dprod0_26.agent-26: 1618417629053160077161841762905316007700true16184176290531600774100401618419753818041182ACTIVEprod0_26.agent-26:162529286{'agentId': 'prod0_26.agent-26', 'scoreContribution': 10, 'seenTime': 1618419753818041182, 'trailId': '162529286'}command_and_controlT1219

confluera-fetch-trail-details#


Fetches progression details of which provided trailId is a part of.

Base Command#

confluera-fetch-trail-details

Input#

Argument NameDescriptionRequired
trail_idId of a detection in iq-hub protal.Required

Context Output#

PathTypeDescription
Confluera.TrailDetailsUnknownProgression Details

Command Example#

!confluera-fetch-trail-details trail-id="22796349"

Context Example#

{
"attackId": 7164528,
"fingerprint": "c15ca700c08839b1b26ef8bfdb7599cb52d68307845e4317b355b080fb989170",
"hostList": [
"prod_0_3_.agent-35"
],
"influenceeList": [],
"influencerList": [],
"lastMitigatedTime": 0,
"lateralMovementEdges": [],
"markedIocs": [],
"numberOfDetections": 1,
"numberOfHosts": 1,
"numberOfLateralMovements": 0,
"riskScore": 10,
"similarTrails": [
"prod_0_3_.agent-35:10002087"
],
"startTime": 1618216658903757800,
"state": "ACTIVE",
"trailIocInfoList": [
{
"actionMap": null,
"agentId": "prod_0_3_.agent-35",
"attackIdList": [],
"containerId": null,
"iocDetail": "Incoming traffic from malicious external IP address (Greynoise)",
"iocEventsList": [
{
"agentId": "prod_0_3_.agent-35",
"artifactPath": "",
"artifactScore": 0,
"clonedPid": "8652",
"clonedPidHash": "agent-35-p-8652-1618246163438993400",
"edgeName": "TcpAcceptListenerComplete",
"edgeType": "ACCEPTS",
"exefilehash": "agent-35-f-1753326844-562949953725973-1563567751620348100",
"externalIPIntelMetadata": {
"city": "Xinpu",
"country": "CN",
"latitude": 34.5997,
"longitude": 119.1594,
"subdivision": "JS"
},
"localHost": "172.31.14.50",
"localPort": 22,
"os": "Windows",
"parentBinaryName": "",
"parentBinaryScore": 0,
"parentProcessName": "services.exe",
"parentSessionid": 0,
"parentSid": "",
"parentVertexHash": "agent-35-p-780-1614631840327003000",
"remoteHost": "218.92.0.207",
"remotePort": 16037,
"ret": 0,
"score": "HIGH",
"socketFamily": 2,
"sourceBinaryName": "/device/harddiskvolume1/windows/system32/openssh/sshd.exe",
"sourceBinaryScore": 0,
"sourceCommandLine": "/device/harddiskvolume1/windows/system32/openssh/sshd.exe",
"sourcePid": 2752,
"sourcePpid": 780,
"sourceProcessName": "sshd.exe",
"sourceSessionid": 0,
"sourceSid": "S-1-5-18",
"sourceVertexHash": "agent-35-p-2752-1614631842699633100",
"spawnedBinaryName": "/device/harddiskvolume1/windows/system32/openssh/sshd.exe",
"spawnedCommandLine": "/device/harddiskvolume1/windows/system32/openssh/sshd.exe",
"spawnedPid": 2752,
"spawnedPpid": 780,
"spawnedProcessName": "sshd.exe",
"spawnedSessionid": 0,
"taintedFile": false,
"targetSid": "S-1-5-18",
"targetVertexHash": "agent-35-p-2752-1614631842699633100",
"technique": "T1190",
"threatIntelMetadata": {
"actor": "unknown",
"classification": "malicious",
"first_seen": "2019-03-22",
"ip": "218.92.0.207",
"last_seen_timestamp": "2021-02-26 13:08:40",
"metadata": {
"asn": "AS4134",
"category": "isp",
"city": "Shanghai",
"country": "China",
"organization": "CHINANET-BACKBONE",
"os": "Linux 3.11+"
},
"seen": true,
"spoofable": "false",
"tags": [
"SSH Bruteforcer",
"SSH Scanner",
"ZMap Client"
],
"vpn": "false"
},
"timestamp": 1618216658903757800,
"trailScore": 10,
"trailScoreAndMomentum": 10
}
],
"iocHash": "Edge-33cc15406f131e0b5d5030a23de7f5af-1618216658903757800",
"iocSummary": "Incoming traffic from malicious external IP address (Greynoise)",
"iocTactic": "INITIAL_ACCESS",
"occurrence": 1,
"recommendation": [
{
"action": "kill-process@@@agent-35-p-2752-1614631842699633100",
"compatibleAgent": true,
"duplicate": false,
"index": 0,
"justification": "The process /device/harddiskvolume1/windows/system32/openssh/sshd.exe has been involved in an indicator of compromise. The process should be terminated to prevent further execution\n",
"priority": "medium",
"recommendation": "Kill process /device/harddiskvolume1/windows/system32/openssh/sshd.exe with pid 2752",
"valid": false
}
],
"trailTacticSet": [
"initial_access"
]
}
]
}

Human Readable Output#

Trail Details:#

agentIdattackIdcontainsAnchorfingerprinthostTimeInfoMaplastIocSeenTimelastIocSeenTimeInternallastMitigatedTimelocalmitigateTimenumberOfDetectionsnumberOfHostsnumberOfLateralMovementsriskMomentumriskScorestartTimestatetrailIdHashtrailRiskHistInfoListtrailTacticSettrailTechniqueSet
prod0_26.agent-26942184true34386ee468f53dc45582f45ed15f204794dprod0_26.agent-26: 1618466218792013459161846621879201345900true16184662187920134591100101618466218792013459ACTIVEprod0_26.agent-26:164626437{'agentId': 'prod0_26.agent-26', 'scoreContribution': 0, 'seenTime': 1618466218792013459, 'trailId': '164626437'}command_and_controlT1219
prod0_26.agent-26559633true2fca6467a9dccd2729ace9ce1832334386ee468f53dc45582f45ed15f204794dprod0_26.agent-26: 1618378594837195479161837859483719547900true16183796307227391791100101618466218792013459ACTIVEprod0_26.agent-26:157286403{'agentId': 'prod0_26.agent-26', 'scoreContribution': 0, 'seenTime': 1618378594837195479, 'trailId': '157286403'}command_and_controlT1219
prod0_26.agent-26769367true34386ee468f53dc45582f45ed15f204794dprod0_26.agent-26: 1618417629053160077161841762905316007700true16184176290531600774100401618419753818041182ACTIVEprod0_26.agent-26:162529286{'agentId': 'prod0_26.agent-26', 'scoreContribution': 10, 'seenTime': 1618419753818041182, 'trailId': '162529286'}command_and_controlT1219