
CounterTack

This Integration is part of the CounterTack Pack.#

CounterTack empowers endpoint security teams to assure endpoint protection for identifying cyber threats by integrating a predictive endpoint protection platform.

Configure CounterTack in Cortex#

| Parameter | Required |
| --- | --- |
| Server URL (e.g. https://democloud.countertack.com) | True |
| User Name | True |
| Password | True |
| Use system proxy settings | False |
| Trust any certificate (not secure) | False |
| Fetch incidents | False |
| Incident type | False |
| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
| Fetch notifications incidents | False |
| Fetch behaviors incidents | False |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

countertack-get-endpoints#


Returns information for all endpoints.

Base Command#

countertack-get-endpoints

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Endpoint.IsQuarantined | boolean | Whether the endpoint is currently quarantined. |
| CounterTack.Endpoint.MaxImpact | number | Impact of the highest scoring behavior. |
| CounterTack.Endpoint.Memory | number | The RAM of the endpoint (in megabytes). |
| CounterTack.Endpoint.DriverVersion | string | Endpoint sensor version. |
| CounterTack.Endpoint.ProfileVersion | string | Version of the current profile used for collection. |
| CounterTack.Endpoint.BehaviorCount | number | Number of behaviors detected. |
| CounterTack.Endpoint.CurrentProfile | string | Currently active analysis profile. |
| CounterTack.Endpoint.Domain | string | DNS suffix for the endpoint. |
| CounterTack.Endpoint.NumCpus | number | Number of CPUs. |
| CounterTack.Endpoint.Macs | string | MAC addresses associated with the endpoint. |
| CounterTack.Endpoint.WinRdpPort | number | RDP port used by the endpoint. |
| CounterTack.Endpoint.Ip | string | IP address used to connect to the analysis cluster. |
| CounterTack.Endpoint.ClusterHosts | string | The list of hosts that the endpoint tries to connect through (in order). |
| CounterTack.Endpoint.Vendor | string | OS vendor. |
| CounterTack.Endpoint.SensorMode | string | Specifies the sensor mode of the driver. |
| CounterTack.Endpoint.Identifier | string | OS identifier. |
| CounterTack.Endpoint.CurrentResponsePolicy | string | Currently active response policy. |
| CounterTack.Endpoint.Tenant | string | Tenant ID set at the time of KM installation. |
| CounterTack.Endpoint.Name | string | Product name of the endpoint OS. |
| CounterTack.Endpoint.ImpactLevel | string | Threat level of the endpoint (LOW, MEDIUM, HIGH, CRITICAL). |
| CounterTack.Endpoint.Ips | string | IP addresses associated with the endpoint. |
| CounterTack.Endpoint.ClusterConnectionRoute | string | List of hosts the endpoint is currently connected through. |
| CounterTack.Endpoint.LastActive | date | Time of the last event captured on the endpoint. |
| CounterTack.Endpoint.TimeStarted | date | Time kernel module collection last engaged. |
| CounterTack.Endpoint.Mac | string | The endpoint MAC address. |
| CounterTack.Endpoint.EventStartTime | date | The time that the event was captured. |
| CounterTack.Endpoint.CpuType | string | Bit length of the CPU architecture. |
| CounterTack.Endpoint.Status | string | Collection status of the endpoint (ON, PAUSE, OFF, INIT). |
| CounterTack.Endpoint.OsType | number | The OS type. |
| CounterTack.Endpoint.Version | string | OS version. |
| CounterTack.Endpoint.Tags | string | List of user assigned tags. |
| CounterTack.Endpoint.Threat | string | Threat level associated with the endpoint. |
| CounterTack.Endpoint.Id | string | Endpoint ID. |
| CounterTack.Endpoint.ProductName | string | Product name of the endpoint OS. |
| Endpoint.Memory | number | Endpoint RAM (megabytes). |
| Endpoint.Processors | number | Number of CPUs. |
| Endpoint.Domain | string | DNS suffix for the endpoint. |
| Endpoint.OS | string | Product name of the endpoint OS. |
| Endpoint.MACAddress | string | The MAC address of the endpoint. |
| Endpoint.Model | string | The analysis profile that is currently active. |
| Endpoint.IPAddress | string | The IP addresses that are associated with the endpoint. |
| Endpoint.OSVersion | string | The endpoint sensor version. |
| Endpoint.ID | string | The ID of the endpoint. |

countertack-get-behaviors#


Returns information for all behaviors.

Base Command#

countertack-get-behaviors

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Behavior.MaxImpact | number | The impact of the highest scoring event (0-100). |
| CounterTack.Behavior.EndpointId | string | The ID of the endpoint, based on the UUID of the last installed endpoint sensor. |
| CounterTack.Behavior.Tenant | string | The tenant of the behavior. |
| CounterTack.Behavior.EventCount | number | The number of events detected. |
| CounterTack.Behavior.Name | string | The name of the condition that triggered the behavior. |
| CounterTack.Behavior.ImpactLevel | string | The threat level of the behavior (LOW, MEDIUM, HIGH, CRITICAL). |
| CounterTack.Behavior.LastActive | date | The time that the behavior was last active. |
| CounterTack.Behavior.FirstEventId | date | The ID of the first event. |
| CounterTack.Behavior.TimeStamp | date | The start time for the behavior. |
| CounterTack.Behavior.Type | string | The type of behavior (CLASSIFICATION, TRACE). |
| CounterTack.Behavior.Id | string | The ID of the behavior. |
| CounterTack.Behavior.LastReported | date | The time that the behavior was last seen. |

countertack-get-endpoint#


Gets information on a specific endpoint.

Base Command#

countertack-get-endpoint

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The ID of the endpoint. To get the "endpoint_id", run the get-endpoints command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Endpoint.MaxImpact | number | The impact of the highest scoring behavior. |
| CounterTack.Endpoint.Memory | number | The RAM of the endpoint (in megabytes). |
| CounterTack.Endpoint.DriverVersion | string | The sensor version of the endpoint. |
| CounterTack.Endpoint.ProfileVersion | string | The version of the current profile used for collection. |
| CounterTack.Endpoint.BehaviorCount | number | The number of behaviors that were detected. |
| CounterTack.Endpoint.CurrentProfile | string | The analysis profile that is currently active. |
| CounterTack.Endpoint.Domain | string | DNS suffix for the endpoint. |
| CounterTack.Endpoint.NumCpus | number | The number of CPUs for the endpoint. |
| CounterTack.Endpoint.WinRdpPort | number | The RDP port used by the endpoint. |
| CounterTack.Endpoint.Macs | string | The MAC addresses associated with the endpoint. |
| CounterTack.Endpoint.Ip | string | The IP address used to connect to the analysis cluster. |
| CounterTack.Endpoint.ClusterHosts | string | The list of hosts that the endpoint tries to connect through (in order). |
| CounterTack.Endpoint.Vendor | string | The OS vendor. |
| CounterTack.Endpoint.SensorMode | string | The sensor mode of the driver. |
| CounterTack.Endpoint.Identifier | string | The identifier of the OS. |
| CounterTack.Endpoint.Tenant | string | The tenant ID that was set at the time of KM installation. |
| CounterTack.Endpoint.Name | string | The machine name of the endpoint. |
| CounterTack.Endpoint.ImpactLevel | string | The threat level of the endpoint. |
| CounterTack.Endpoint.Ips | string | The IP addresses associated with the endpoint. |
| CounterTack.Endpoint.ClusterConnectionRoute | string | The list of hosts that the endpoint is currently connected through. |
| CounterTack.Endpoint.LastActive | date | The time of the last event that was captured on the endpoint. |
| CounterTack.Endpoint.TimeStarted | date | The first time that the endpoint started to work. |
| CounterTack.Endpoint.Mac | string | The MAC address of the endpoint. |
| CounterTack.Endpoint.EventStartTime | date | The time that the event was captured. |
| CounterTack.Endpoint.CpuType | number | The bit length of the CPU architecture. |
| CounterTack.Endpoint.Status | string | The collection status of the endpoint (ON, PAUSE, OFF, INIT). |
| CounterTack.Endpoint.OsType | number | The OS type. |
| CounterTack.Endpoint.Version | string | The version of the endpoint. |
| CounterTack.Endpoint.Threat | string | The threat level associated with the endpoint. |
| CounterTack.Endpoint.Id | string | The ID of the endpoint. |
| CounterTack.Endpoint.ProductName | string | The product name of the endpoint OS. |
| CounterTack.Endpoint.Tags | string | The list of user assigned tags. |
| CounterTack.Endpoint.IsQuarantined | boolean | Whether the endpoint is currently quarantined. |
| Endpoint.Memory | number | The RAM of the endpoint (in megabytes). |
| Endpoint.Processors | number | The number of CPUs. |
| Endpoint.Domain | string | The DNS suffix for the endpoint. |
| Endpoint.OS | string | The product name of the endpoint OS. |
| Endpoint.MACAddress | string | The MAC address of the endpoint. |
| Endpoint.Model | string | The analysis profile that is currently active. |
| Endpoint.IPAddress | string | The IP addresses associated with the endpoint. |
| Endpoint.OSVersion | string | The version of the endpoint sensor. |

countertack-get-behavior#


Gets information of a given behavior.

Base Command#

countertack-get-behavior

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| behavior_id | The ID of the behavior. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Behavior.MaxImpact | number | The maximum impact of the behavior. |
| CounterTack.Behavior.EndpointId | string | The ID of the endpoint. |
| CounterTack.Behavior.Tenant | string | The tenant of the behavior. |
| CounterTack.Behavior.EventCount | number | The event count of the behavior. |
| CounterTack.Behavior.ReportedOn | date | The time that the behavior was first seen. |
| CounterTack.Behavior.Name | string | The name of the behavior. |
| CounterTack.Behavior.ImpactLevel | string | The impact level of the behavior. |
| CounterTack.Behavior.LastActive | date | The last time that the behavior was active. |
| CounterTack.Behavior.TimeStamp | date | The time stamp of the behavior. |
| CounterTack.Behavior.FirstEventId | string | The ID of the first event. |
| CounterTack.Behavior.Type | string | The type of behavior. |
| CounterTack.Behavior.Id | string | The ID of the behavior. |
| CounterTack.Behavior.LastReported | date | The time that the behavior was last seen. |

countertack-get-endpoint-tags#


Gets the tags of a given endpoint.

Base Command#

countertack-get-endpoint-tags

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The ID of the endpoint to get tags for. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Endpoint.Tags | string | The list of user assigned tags. |
| CounterTack.Endpoint.EndpointId | string | The ID of the endpoint. |

countertack-add-tags#


Adds tags to a given endpoint.

Base Command#

countertack-add-tags

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The ID of the endpoint. To get the "endpoint_id", run the get-endpoints command. | Required |
| tags | A CSV list of tags you want to add to the endpoint, for example, "test1,test2". | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Endpoint.EndpointId | string | The ID of the endpoint. |
| CounterTack.Endpoint.Tags | string | The tags that were added to the endpoint. |

countertack-delete-tags#


Deletes the supplied tags from a given endpoint.

Base Command#

countertack-delete-tags

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tags | The tags to be deleted from the specified endpoint. To delete more than one, separate the tags with a comma (e.g., test1,test2). | Required |
| endpoint_id | The endpoint ID. Get the ID from the "get-endpoints" command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Endpoint.Id | string | The ID of the endpoint. |
| CounterTack.Endpoint.Tags | string | The tags of the specified endpoint. |

countertack-add-behavior-tags#


Adds tags to a given behavior.

Base Command#

countertack-add-behavior-tags

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| behaviour_id | The ID of the behavior. | Required |
| tags | A CSV list of tags to add to the behavior, for example, "test1,test2". | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Behavior.Id | string | The ID of the behavior. |
| CounterTack.Behavior.Tags | string | The tags of the behavior. |

countertack-delete-behavior-tags#


Deletes the supplied tags from a given behavior.

Base Command#

countertack-delete-behavior-tags

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| behaviour_id | The behavior ID. | Required |
| tags | Tags to delete from a behavior. To delete more than one, separate the tags with a comma (e.g., test1,test2). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Behavior.Id | string | The ID of the behavior. |
| CounterTack.Behavior.Tags | Unknown | The tags of the behavior. |

countertack-endpoint-quarantine#


Quarantines a given endpoint.

Base Command#

countertack-endpoint-quarantine

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The ID of the endpoint to quarantine. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Endpoint.Id | string | The ID of the endpoint. |
| CounterTack.Endpoint.IsQuarantine | boolean | Whether the endpoint is currently quarantined. |
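The quarantine command takes a single `endpoint_id`, so in practice it is driven from the `CounterTack.Endpoint` context that `countertack-get-endpoints` or `countertack-search-endpoints` produce. The following is an added example, not code from the CounterTack integration, of the selection logic an automation would run before issuing `countertack-endpoint-quarantine` and a follow-up `countertack-add-tags`: it reads the documented context keys (`Id`, `ImpactLevel`, `IsQuarantined`, `Status`, `Tags`), quarantines only endpoints at HIGH or CRITICAL impact that are not already quarantined, and produces the `tags` argument in the CSV form the tag commands expect. The sample endpoint records are constructed, the `no-auto-quarantine` opt-out tag is a hypothetical operator convention, and skipping endpoints whose collection `Status` is not `ON` is a policy choice made here, not a rule stated by the integration.

```python
"""Turn CounterTack.Endpoint context into countertack-endpoint-quarantine
and countertack-add-tags arguments.

Added example, not part of the CounterTack integration. Dictionary keys
follow the CounterTack.Endpoint context paths documented on the page; the
sample records, the "no-auto-quarantine" tag and the Status rule are
assumptions for illustration.
"""
from typing import Dict, Iterable, List, Tuple

# Impact levels that trigger automatic quarantine (documented values: LOW, MEDIUM, HIGH, CRITICAL).
QUARANTINE_LEVELS = frozenset({"HIGH", "CRITICAL"})
# Hypothetical operator-assigned tag that opts an endpoint out of auto-quarantine.
EXCLUSION_TAG = "no-auto-quarantine"

# Constructed sample of CounterTack.Endpoint context entries (not real data).
SAMPLE_ENDPOINTS: List[Dict] = [
    {"Id": "ep-0001", "Name": "WS-FINANCE-07", "ImpactLevel": "CRITICAL",
     "IsQuarantined": False, "Status": "ON", "Tags": ["workstation"]},
    {"Id": "ep-0002", "Name": "WS-HR-02", "ImpactLevel": "HIGH",
     "IsQuarantined": True, "Status": "ON", "Tags": []},
    {"Id": "ep-0003", "Name": "SRV-DC-01", "ImpactLevel": "HIGH",
     "IsQuarantined": False, "Status": "ON", "Tags": "domain-controller,no-auto-quarantine"},
    {"Id": "ep-0004", "Name": "LT-SALES-11", "ImpactLevel": "LOW",
     "IsQuarantined": False, "Status": "ON", "Tags": []},
    {"Id": "ep-0005", "Name": "WS-DEV-03", "ImpactLevel": "CRITICAL",
     "IsQuarantined": False, "Status": "OFF", "Tags": None},
]


def normalize_tags(tags) -> List[str]:
    """Accept Tags either as a list or as the CSV string form the tag commands use."""
    if not tags:
        return []
    if isinstance(tags, str):
        tags = tags.split(",")
    return [t.strip() for t in tags if t and t.strip()]


def select_for_quarantine(endpoints: Iterable[Dict],
                          levels=QUARANTINE_LEVELS,
                          exclusion_tag: str = EXCLUSION_TAG
                          ) -> Tuple[List[Dict], List[Tuple[str, str]]]:
    """Return (quarantine_args, skipped).

    quarantine_args: one {"endpoint_id": ...} dict per endpoint, i.e. the
    argument set for countertack-endpoint-quarantine.
    skipped: (endpoint_id, reason) pairs kept for the analyst's record.
    """
    quarantine_args: List[Dict] = []
    skipped: List[Tuple[str, str]] = []
    for ep in endpoints:
        eid = ep.get("Id")
        if not eid:
            skipped.append(("<missing>", "no Id in context entry"))
            continue
        if ep.get("IsQuarantined"):
            skipped.append((eid, "already quarantined"))
            continue
        if str(ep.get("ImpactLevel", "")).upper() not in levels:
            skipped.append((eid, "impact level below threshold"))
            continue
        if exclusion_tag in normalize_tags(ep.get("Tags")):
            skipped.append((eid, "excluded by tag"))
            continue
        if ep.get("Status") != "ON":
            # Assumption: only act on endpoints that are actively collecting;
            # anything else is routed to manual follow-up.
            skipped.append((eid, f"collection status {ep.get('Status')}, needs manual follow-up"))
            continue
        quarantine_args.append({"endpoint_id": eid})
    return quarantine_args, skipped


def build_tag_args(endpoint_id: str, tags: Iterable[str]) -> Dict[str, str]:
    """Build countertack-add-tags arguments; tags are sent as one CSV string."""
    cleaned = [t.strip() for t in tags if t and t.strip()]
    if not cleaned:
        raise ValueError("at least one tag is required")
    if any("," in t for t in cleaned):
        raise ValueError("tags may not contain commas (the CSV delimiter)")
    return {"endpoint_id": endpoint_id, "tags": ",".join(cleaned)}


if __name__ == "__main__":
    to_quarantine, skipped = select_for_quarantine(SAMPLE_ENDPOINTS)
    for args in to_quarantine:
        # Inside an XSOAR automation these dicts would be handed to
        # demisto.executeCommand("countertack-endpoint-quarantine", args)
        # and then demisto.executeCommand("countertack-add-tags", tag_args).
        tag_args = build_tag_args(args["endpoint_id"], ["auto-quarantined"])
        print("quarantine", args, tag_args)
    for eid, reason in skipped:
        print("skip", eid, reason)
```

With the constructed sample, only `ep-0001` is selected: `ep-0002` is already quarantined, `ep-0003` carries the opt-out tag, `ep-0004` is below the impact threshold and `ep-0005` is not collecting. Keeping the skipped list with reasons matters as much as the quarantine list, since an automated containment step that silently ignores endpoints is hard to audit.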

countertack-disable-quarantine#


Removes a given endpoint from quarantine.

Base Command#

countertack-disable-quarantine

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The ID of the endpoint to remove from quarantine. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Endpoint.Id | string | The ID of the endpoint that was removed from quarantine. |
| CounterTack.Endpoint.IsQuarantine | string | Whether the endpoint is currently quarantined. |

countertack-extract-file#


Extracts a file from a given endpoint.

Base Command#

countertack-extract-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The ID of the endpoint to extract a file from. | Required |
| file_path | The path of the file to extract, for example, "C:\test1.txt". | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.File.CommandArg.contents | boolean | The contents of the extracted file. |
| CounterTack.File.CommandArg.extracted_ids | string | The IDs of the extracted file. |
| CounterTack.File.CommandArg.md5 | boolean | The MD5 hash of the extracted file. |
| CounterTack.File.CommandArg.paths | string | The path of the extracted file. |
| CounterTack.File.CommandArg.sha256 | boolean | The SHA-256 hash of the extracted file. |
| CounterTack.File.CommandArg.ssdeep | boolean | The ssdeep hash of the extracted file. |
| CounterTack.File.CommandArg | Unknown | The command arguments. |
| CounterTack.File.CommandName | string | The name of the command that is sent. |
| CounterTack.File.Username | string | The username of the user that requested the command. |
| CounterTack.File.TargetType | string | The type of resource or collection this command is being sent to. |
| CounterTack.File.Status | string | The status of the command (initial, pending, complete, error). |
| CounterTack.File.RequestTime | date | The time at which the client requested the command. |
| CounterTack.File.Id | string | The ID of the command. |
| CounterTack.File.EndpointIds | string | The ID of the source this command is being sent to. |

countertack-delete-file#


Deletes a file from the given endpoint.

Base Command#

countertack-delete-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The ID of the endpoint to delete a file from. | Required |
| file_path | The path of the file to delete. | Required |

Context Output#

There is no context output for this command.

countertack-get-all-files#


Gets all extracted files for all endpoints.

Base Command#

countertack-get-all-files

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.File.Size | number | The size of the extracted file (in bytes). |
| CounterTack.File.EndpointId | string | The ID of the endpoint that contains the extracted file. |
| CounterTack.File.ExtractionTime | date | The time that the file was extracted. |
| CounterTack.File.Path | string | The full file system path of the extracted file, including the filename, as seen on the endpoint. |
| CounterTack.File.Sha256 | string | The SHA-256 digest of the file contents. |
| CounterTack.File.Tenant | string | The tenant ID for the endpoint. |
| CounterTack.File.User | string | The name of the user requesting the file. |
| CounterTack.File.Ssdeep | string | The ssdeep digest of the file contents. |
| CounterTack.File.EndpointIp | string | The IP address of the endpoint with the extracted file. |
| CounterTack.File.AvCoverage | number | The percentage of AV engines that determined that the hash is malicious. |
| CounterTack.File.Status | string | The status of the contents. |
| CounterTack.File.VtStatus | string | The VirusTotal report status. |
| CounterTack.File.EndpointName | string | The name of the endpoint with the extracted file. |
| CounterTack.File.Id | string | The file ID of the extracted file. |
| CounterTack.File.Md5 | string | The MD5 digest of the file contents. |
| CounterTack.File.VtReportLocation | string | The VirusTotal report location path. |
| File.MD5 | string | The MD5 digest of the file contents. |
| File.Path | string | The full file system path of the extracted file, including the filename, as seen on the endpoint. |
| File.SHA256 | string | The SHA-256 digest of the file contents. |
| File.SSDeep | string | The ssdeep digest of the file contents. |
| File.Size | number | The size of the extracted file (in bytes). |

countertack-get-endpoint-files#


Returns all extracted files from a given endpoint.

Base Command#

countertack-get-endpoint-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The ID of the endpoint. To get the endpoint_id, run the get-endpoints command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.File.Id | string | The file ID of the extracted file. |
| CounterTack.File.Status | string | The status of the contents. |
| CounterTack.File.EndpointId | string | The ID of the endpoint with the extracted file. |
| CounterTack.File.ExtractionTime | date | The time that the file was extracted. |
| CounterTack.File.Tenant | string | The tenant ID for the endpoint. |
| CounterTack.File.User | string | The name of the user requesting the file. |
| CounterTack.File.Path | string | The full file system path of the extracted file, including the filename, as seen on the endpoint. |
| CounterTack.File.Sha256 | string | The SHA-256 digest of the file contents. |
| CounterTack.File.Ssdeep | string | The ssdeep digest of the file contents. |
| CounterTack.File.EndpointIp | string | The IP address of the endpoint with the extracted file. |
| CounterTack.File.VtStatus | string | The VirusTotal report status. |
| CounterTack.File.VtReportLocation | string | The location path of the VirusTotal report. |
| CounterTack.File.Size | number | The size of the extracted file (in bytes). |
| CounterTack.File.EndpointName | string | The name of the endpoint with the extracted file. |
| CounterTack.File.Md5 | string | The MD5 digest of the file contents. |
| File.MD5 | string | The MD5 digest of the file contents. |
| File.Path | string | The full file system path of the extracted file, including the filename, as seen on the endpoint. |
| File.SHA256 | string | The SHA-256 digest of the file contents. |
| File.SSDeep | string | The ssdeep digest of the file contents. |
| File.Size | number | The size of the extracted file (in bytes). |

countertack-get-file-information#


Gets the information of a given file.

Base Command#

countertack-get-file-information

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_id | The ID of the requested file. To get the "file_id", run the get-all-files command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.File.Size | number | The size of the extracted file (in bytes). |
| CounterTack.File.EndpointId | string | The ID of the endpoint with the extracted file. |
| CounterTack.File.ExtractionTime | date | The time that the file was extracted. |
| CounterTack.File.Path | string | The full file system path of the extracted file, including the filename, as seen on the endpoint. |
| CounterTack.File.Sha256 | string | The SHA-256 digest of the file contents. |
| CounterTack.File.Tenant | string | The tenant ID for the endpoint. |
| CounterTack.File.User | string | The name of the user requesting the file. |
| CounterTack.File.Ssdeep | string | The ssdeep digest of the file contents. |
| CounterTack.File.EndpointIp | string | The IP address of the endpoint with the extracted file. |
| CounterTack.File.AvCoverage | number | The percentage of AV engines that determined that the hash is malicious. |
| CounterTack.File.Status | string | The status of the contents. |
| CounterTack.File.VtStatus | string | The status of the VirusTotal report. |
| CounterTack.File.EndpointName | string | The name of the endpoint with the extracted file. |
| CounterTack.File.Id | string | The ID of the extracted file. |
| CounterTack.File.Md5 | string | The MD5 digest of the file contents. |
| CounterTack.File.VtReportLocation | string | The location path of the VirusTotal report. |
| File.MD5 | string | The MD5 digest of the file contents. |
| File.Path | string | The full file system path of the extracted file, including the filename, as seen on the endpoint. |
| File.SHA256 | string | The SHA-256 digest of the file contents. |
| File.SSDeep | string | The ssdeep digest of the file contents. |
| File.Size | number | The size of the extracted file (in bytes). |

countertack-download-file#


Downloads an extracted file in ZIP format. The password to unlock the ZIP file is sentinel.

Base Command#

countertack-download-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_id | The ID of the extracted file. To get the "file_id", run the get-all-files command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.Size | number | The size of the extracted file (in bytes). |
| File.SHA1 | string | The SHA-1 digest of the file contents. |
| File.SHA256 | string | The SHA-256 digest of the file contents. |
| File.Name | string | The name of the file. |
| File.SSDeep | string | The ssdeep digest of the file contents. |
| File.EntryID | string | The EntryID of the file. |
| File.Info | string | The file information. |
| File.Type | string | The file type. |
| File.MD5 | string | The MD5 digest of the file contents. |
| File.Extension | string | The extension of the file (.zip). |

countertack-search-events#


Searches for events using a CQL expression.

Base Command#

countertack-search-events

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| expression | The CQL expression to be used for the search, for example, "events.event_type=basic". | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Event.SourceProcessTimeStarted | date | The start time for the source process. |
| CounterTack.Event.SourceThreadProcessPid | number | The process PID of the source thread. |
| CounterTack.Event.IsTaintTransfer | boolean | Whether the event is a malignant transfer. |
| CounterTack.Event.IsBasic | boolean | Whether the event is a basic event. |
| CounterTack.Event.SourceThreadTimeFinished | date | The exit time of the source thread. |
| CounterTack.Event.SourceThreadTid | number | The TID of the source thread. |
| CounterTack.Event.Tenant | string | The tenant of the event. |
| CounterTack.Event.SourceThreadProcessTimeStarted | date | The start time of the parent process for the source thread. |
| CounterTack.Event.TargetType | string | The system object type that was the target of the event (PROCESS, THREAD, REGISTRY, DRIVER, TCPIP, FILE, MUTEX, MEMORY_REGION). |
| CounterTack.Event.ConditionNames | Unknown | The names of the conditions triggered by the event. |
| CounterTack.Event.IsOrigin | boolean | Whether the event is an origin for a trace. |
| CounterTack.Event.endpoint_id | string | The endpoint ID, based on the UUID of the last installed endpoint sensor. |
| CounterTack.Event.TargetFilePath | string | The path of the target file. |
| CounterTack.Events.SourceThreadProcessBackingFilePath | string | The backing file of the source thread. |
| CounterTack.Event.EventType | string | The type of event. |
| CounterTack.Event.IsKey | boolean | Whether the event is a key event in a trace. |
| CounterTack.Event.SourceType | string | The system object that was the source of the event. |
| CounterTack.Event.SourceThreadProcessName | string | The name of the parent process for the source thread. |
| CounterTack.Event.SourceThreadProcessUser | string | The user associated with the process of the thread. |
| CounterTack.Event.TimeStamp | date | The time that the event was collected. |
| CounterTack.Event.Action | string | The system interaction that characterizes the event. |
| CounterTack.Event.IsTainted | boolean | Whether the objects in the event are tainted. |
| CounterTack.Event.SourceThreadProcessParentPid | number | The parent PID of the source thread process. |
| CounterTack.Event.SourceProcessPid | number | The PID of the source process. |
| CounterTack.Event.SourceThreadStartAddress | number | The start address of the thread. |
| CounterTack.Event.SourceProcessSid | number | The user SIDs associated with the process. |
| CounterTack.Event.Id | string | The ID of the event. |
| CounterTack.Event.ConditionIds | Unknown | The IDs of the conditions triggered by the event. |
| CounterTack.Event.SourceProcessName | string | The name of the process that was the source of the event. |
| CounterTack.Event.SourceProcessUser | string | The user associated with the process. |

countertack-kill-process#


Terminates all instances of the process identified in the command. Processes can be identified by the PID or process name.

Base Command#

countertack-kill-process

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The ID of the endpoint. To get the "endpoint_id", run the get-endpoints command. | Required |
| process_id | The process PID. To get the "process_id", run the search-events command. | Optional |
| process_name | The name of the process. To get the "process_name", run the search-events command. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Endpoint.EndpointIds | string | The ID of the source this command is being sent to. |
| CounterTack.Endpoint.TargetType | string | The type of resource or collection this command is being sent to. |
| CounterTack.Endpoint.CommandArg.name | string | The name of the process that was terminated. |
| CounterTack.Endpoint.CommandArg.pid | number | The PID of the process that was terminated. |
| CounterTack.Endpoint.CommandArg | string | The command arguments. |
| CounterTack.Endpoint.Status | string | The status of the command (initial, pending, complete, error). |
| CounterTack.Endpoint.CommandName | string | The name of the command that is sent. |
| CounterTack.Endpoint.Username | string | The username of the user that requested the command. |
| CounterTack.Endpoint.Id | string | The ID of the command. |
| CounterTack.Endpoint.RequestTime | date | The time at which the client requested the command. |

countertack-search-hashes#


Searches for hashes using a CQL (Contextual Query Language) expression.

Base Command#

countertack-search-hashes

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| expression | The CQL expression to be used for the search (e.g., hashes.type = md5). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Hash.AvCoverage | number | The percentage of AV engines that determined that the hash is malicious. |
| CounterTack.Hash.Id | string | The ID of the hash. |
| CounterTack.Hash.Impact | number | The impact score for the event in the hash (1-100). |
| CounterTack.Hash.Type | string | The type of hash (sha256, md5, or ssdeep). |
| CounterTack.Hash.VtReportLocation | string | The report location for the VirusTotal report. |
| File.MD5 | string | The MD5 of the file. |
| File.SHA256 | string | The SHA-256 of the file. |
| File.SSDeep | string | The ssdeep of the file. |

countertack-search-endpoints#


Searches for endpoints using a CQL (Contextual Query Language) expression.

Base Command#

countertack-search-endpoints

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| expression | The CQL expression to be used for the search (e.g., endpoints.status=on). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Endpoint.Memory | number | The RAM of the endpoint (in megabytes). |
| CounterTack.Endpoint.CpuType | number | Bit length of the CPU architecture. |
| CounterTack.Endpoint.WinRdpPort | number | RDP port used by the endpoint. |
| CounterTack.Endpoint.Macs | string | MAC addresses associated with the endpoint. |
| CounterTack.Endpoint.Ip | string | IP address used to connect to the analysis cluster. |
| CounterTack.Endpoint.Vendor | string | OS vendor. |
| CounterTack.Endpoint.Identifier | string | OS identifier. |
| CounterTack.Endpoint.Tenant | string | Tenant ID set at the time of KM installation. |
| CounterTack.Endpoint.MaxImpact | number | Impact of the highest scoring behavior. |
| CounterTack.Endpoint.Name | string | Product name of the endpoint OS. |
| CounterTack.Endpoint.Ips | string | IP addresses associated with the endpoint. |
| CounterTack.Endpoint.CurrentResponsePolicy | string | Currently active response policy. |
| CounterTack.Endpoint.ProfileVersion | string | Version of the current profile used for collection. |
| CounterTack.Endpoint.CurrentProfile | string | Currently active analysis profile. |
| CounterTack.Endpoint.DriverVersion | string | Endpoint sensor version. |
| CounterTack.Endpoint.NumCpus | number | Number of CPUs. |
| CounterTack.Endpoint.ClusterConnectionRoute | string | List of hosts the endpoint is currently connected through. |
| CounterTack.Endpoint.ClusterHosts | string | The list of hosts that the endpoint tries to connect through (in order). |
| CounterTack.Endpoint.Status | string | Collection status of the endpoint (ON, PAUSE, OFF, INIT). |
| CounterTack.Endpoint.TimeStarted | date | Time kernel module collection last engaged. |
| CounterTack.Endpoint.EventStartTime | date | The time that the event was captured. |
| CounterTack.Endpoint.Version | string | OS version. |
| CounterTack.Endpoint.Threat | string | Threat level associated with the endpoint. |
| CounterTack.Endpoint.ProductName | string | Product name of the endpoint OS. |
| CounterTack.Endpoint.Id | string | Endpoint ID. |
| CounterTack.Endpoint.LastActive | date | Time of the last event captured on the endpoint. |
| CounterTack.Endpoint.SensorMode | string | Specifies the sensor mode of the driver. |
| CounterTack.Endpoint.BehaviorCount | number | Number of behaviors detected. |
| CounterTack.Endpoint.ImpactLevel | string | Threat level of the endpoint (LOW, MEDIUM, HIGH, CRITICAL). |
| CounterTack.Endpoint.OsType | number | The OS type. |
| Endpoint.Memory | number | Endpoint RAM (megabytes). |
| Endpoint.Processors | number | Number of CPUs. |
| Endpoint.Domain | string | DNS suffix for the endpoint. |
| Endpoint.OS | string | Product name of the endpoint OS. |
| Endpoint.MACAddress | string | The MAC address of the endpoint. |
| Endpoint.Model | string | The analysis profile that is currently active. |
| Endpoint.IPAddress | string | The IP addresses that are associated with the endpoint. |
| Endpoint.OSVersion | string | The endpoint sensor version. |
| Endpoint.Id | string | The ID of the endpoint. |

countertack-search-behaviors#


Searches for behaviors using a CQL (Contextual Query Language) expression.

Base Command#

countertack-search-behaviors

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| expression | The CQL expression to be used for the search (e.g., behaviors.event_count<60). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CounterTack.Behavior.FirstEventId | string | The ID of the first event. |
| CounterTack.Behavior.LastReported | date | The time that the behavior was last seen. |
| CounterTack.Behavior.Tenant | string | The tenant of the behavior. |
| CounterTack.Behavior.MaxImpact | number | The impact of the highest scoring event (0-100). |
| CounterTack.Behavior.Name | string | The name of the condition that triggered the behavior. |
| CounterTack.Behavior.EndpointId | string | The ID of the endpoint, based on the UUID of the last installed endpoint sensor. |
| CounterTack.Behavior.ReportedOn | date | The time that the behavior was first seen. |
| CounterTack.Behavior.EventCount | number | The number of events detected. |
| CounterTack.Behavior.TimeStamp | date | The start time for the behavior. |
| CounterTack.Behavior.Type | string | The type of behavior (CLASSIFICATION, TRACE). |
| CounterTack.Behavior.Id | string | The ID of the behavior. |
| CounterTack.Behavior.LastActive | date | The time that the behavior was last active. |
| CounterTack.Behavior.ImpactLevel | string | The threat level of the behavior (LOW, MEDIUM, HIGH, CRITICAL). |