Covalence For Security Providers

This Integration is part of the Covalence For Security Providers Pack.#

Triggered by any alert from endpoint, cloud, and network security monitoring, with mitigation steps where applicable. Query Covalence for more detail. This integration was integrated and tested with version 3.0 of Covalence For Security Providers.

Configure Covalence For Security Providers in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| Broker | Set to true if connections are made through a broker | False |
| Host | Covalence's host (IP or domain) or broker's socket (ip:port) if using broker | True |
| Credentials | | True |
| Password | | True |
| Verify SSL | If set to false, will trust any certificate (not secure) | False |
| Timeout | Timeout in seconds | False |
| First run time range | When fetching incidents for the first time, this parameter specifies in days how far back the integration looks for incidents. For instance, if set to "2", it will pull all alerts in Covalence for the last 2 days and will create corresponding incidents. | False |
| Fetch limit | Maximum number of alerts to be fetched per fetch command. It is advised not to fetch more than 200 alerts. | False |
| Use system proxy settings | | False |
| Fetch incidents | | False |
| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | | False |
| None | | False |
| Incident type | | False |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cov-secpr-list-alerts#


Lists Covalence alerts

Base Command#

cov-secpr-list-alerts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |
| max_count | Maximum number of alerts to be returned, if none provided will be set to 1000. | Optional |
| initial_index | Initial index where to start listing alerts. | Optional |
| alert_type | Alert type to be listed. | Optional |
| alert_time_min | Minimal alert time in %Y-%m-%dT%H:%M:%S format and UTC time zone. | Optional |
| alert_time_max | Maximal alert time in %Y-%m-%dT%H:%M:%S format and UTC time zone. | Optional |
| advanced_filter | Advanced filter query. | Optional |
| details | If details=true, will return the complete response from Covalence API. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.Alert.acknowledgedStatus | String | Acknowledged Status |
| Covalence.Alert.alertCount | Number | Alert Count |
| Covalence.Alert.alertHash | String | Alert Hash |
| Covalence.Alert.analystDescription | String | Analyst Description |
| Covalence.Alert.analystTitle | String | Analyst Title |
| Covalence.Alert.assignee | String | Assignee |
| Covalence.Alert.blacklistDetails.blacklistedEntity | String | Blacklisted Entity |
| Covalence.Alert.blacklistDetails.bytesIn | Number | Bytes In |
| Covalence.Alert.blacklistDetails.bytesOut | Number | Bytes Out |
| Covalence.Alert.blacklistDetails.listLabels | String | List Labels |
| Covalence.Alert.blacklistDetails.listUuids | String | List Uuids |
| Covalence.Alert.createdTime | Number | Created Time |
| Covalence.Alert.destCiscoUmbrellaRanking | Number | Dest Cisco Umbrella Ranking |
| Covalence.Alert.destCiscoUmbrellaTopLevelDomainRanking | Number | Dest Cisco Umbrella Top Level Domain Ranking |
| Covalence.Alert.destCityName | String | Dest City Name |
| Covalence.Alert.destCountryName | unknown | Dest Country Name |
| Covalence.Alert.destDomainName | String | Dest Domain Name |
| Covalence.Alert.destGeoX | Number | Dest Geo X |
| Covalence.Alert.destGeoY | Number | Dest Geo Y |
| Covalence.Alert.destIp | String | Dest Ip |
| Covalence.Alert.destIpAttributes.k | String | Key |
| Covalence.Alert.destIpAttributes.t | Number | Type |
| Covalence.Alert.destIpAttributes.v | String | Value |
| Covalence.Alert.destMajesticMillionRanking | Number | Dest Majestic Million Ranking |
| Covalence.Alert.destMajesticMillionTopLevelDomainRanking | Number | Dest Majestic Million Top Level Domain Ranking |
| Covalence.Alert.destPort | String | Dest Port |
| Covalence.Alert.endpointAgentUuid | String | Endpoint Agent Uuid |
| Covalence.Alert.facility | String | Facility |
| Covalence.Alert.id | String | Id |
| Covalence.Alert.isFavorite | Boolean | Is Favorite |
| Covalence.Alert.lastAlertedTime | Number | Last Alerted Time |
| Covalence.Alert.notes | String | Notes |
| Covalence.Alert.organizationId | String | Organization Id |
| Covalence.Alert.pcapResourceUuid | String | Pcap Resource Uuid |
| Covalence.Alert.priority | unknown | Priority |
| Covalence.Alert.protocol | String | Protocol |
| Covalence.Alert.sensorId | String | Sensor Id |
| Covalence.Alert.severity | String | Severity |
| Covalence.Alert.sigEvalDetails.id | Number | Id |
| Covalence.Alert.sigEvalDetails.message | String | Message |
| Covalence.Alert.sourceCiscoUmbrellaRanking | Number | Source Cisco Umbrella Ranking |
| Covalence.Alert.sourceCiscoUmbrellaTopLevelDomainRanking | Number | Source Cisco Umbrella Top Level Domain Ranking |
| Covalence.Alert.sourceCityName | String | Source City Name |
| Covalence.Alert.sourceCountryName | String | Source Country Name |
| Covalence.Alert.sourceDomainName | String | Source Domain Name |
| Covalence.Alert.sourceGeoX | Number | Source Geo X |
| Covalence.Alert.sourceGeoY | Number | Source Geo Y |
| Covalence.Alert.sourceIp | String | Source Ip |
| Covalence.Alert.sourceIpAttributes.k | String | Key |
| Covalence.Alert.sourceIpAttributes.t | Number | Type |
| Covalence.Alert.sourceIpAttributes.v | String | Value |
| Covalence.Alert.sourceMajesticMillionRanking | Number | Source Majestic Million Ranking |
| Covalence.Alert.sourceMajesticMillionTopLevelDomainRanking | Number | Source Majestic Million Top Level Domain Ranking |
| Covalence.Alert.sourcePort | String | Source Port |
| Covalence.Alert.subType | String | Sub Type |
| Covalence.Alert.title | String | Title |
| Covalence.Alert.type | String | Type |

Command Example#

!cov-secpr-list-alerts

Context Example#

{
  "Covalence": {
    "Alert": [
      {
        "acknowledgedStatus": "None",
        "analystDescription": "We've detected suspicious persistent software, C:\\\\test.ps1, on the following system: DESKTOP-1.",
        "analystTitle": "Suspicious persistent software detected",
        "destIp": null,
        "sourceIp": null,
        "subType": "Analytic",
        "title": "Analyst alert",
        "type": "ANALYST GENERIC"
      }
    ]
  }
}

Human Readable Output#

Alerts#

| Acknowledgedstatus | Analystdescription | Analysttitle | Subtype | Title | Type |
| --- | --- | --- | --- | --- | --- |
| None | We've detected suspicious persistent software, C:\test.ps1, on the following system: DESKTOP-1 | Suspicious persistent software detected | Analytic | Analyst alert | ANALYST GENERIC |
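As an added example (not code from the integration or the pack), the following Python builds the UTC `%Y-%m-%dT%H:%M:%S` window implied by the First run time range parameter, pages through cov-secpr-list-alerts with initial_index/max_count while staying under the advised 200-alert fetch limit, and maps the documented context fields onto incident records. It assumes a caller-supplied `run_command(name, args)` stand-in for the XSOAR command runner (stubbed here with constructed alerts), that initial_index is a zero-based offset, and an illustrative severity-label map.

```python
"""Paginate cov-secpr-list-alerts output and turn alerts into incident records.

Added example, not code from the Covalence integration or the XSOAR pack.
Assumptions: run_command(name, args) is a caller-supplied stand-in for the
XSOAR runner (a constructed stub is used here), initial_index is a zero-based
offset, and SEVERITY_MAP is illustrative rather than Covalence's own scale.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Optional

TIME_FMT = "%Y-%m-%dT%H:%M:%S"  # documented format for alert_time_min/alert_time_max (UTC)
ADVISED_FETCH_LIMIT = 200       # README: it is advised not to fetch more than 200 alerts
SEVERITY_MAP = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}  # assumed labels -> XSOAR 1..4

# Fixed "now" so the example is reproducible (constructed, not a real fetch time).
FIXED_NOW = datetime(2021, 7, 8, 12, 0, tzinfo=timezone.utc)


def first_run_window(days: int, now: Optional[datetime] = None) -> Dict[str, str]:
    """alert_time_min/alert_time_max covering the last `days` days, rendered in UTC."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return {
        "alert_time_min": (now - timedelta(days=days)).strftime(TIME_FMT),
        "alert_time_max": now.strftime(TIME_FMT),
    }


def iter_alerts(run_command: Callable, window: Dict[str, str],
                page_size: int = ADVISED_FETCH_LIMIT, max_total: int = 1000) -> Iterator[dict]:
    """Yield alerts page by page via initial_index/max_count, deduplicated on alertHash."""
    page_size = max(1, min(page_size, ADVISED_FETCH_LIMIT))
    seen, index = set(), 0
    while index < max_total:
        args = dict(window, initial_index=index, max_count=page_size)
        alerts = run_command("cov-secpr-list-alerts", args).get("Covalence", {}).get("Alert", [])
        if not alerts:
            return
        for alert in alerts:
            key = alert.get("alertHash") or alert.get("id")
            if key in seen:              # guard against an alert re-served across pages
                continue
            seen.add(key)
            yield alert
        if len(alerts) < page_size:      # a short page means the listing is exhausted
            return
        index += len(alerts)


def to_incident(alert: dict) -> dict:
    """Map the context fields documented above onto a minimal incident record."""
    created = alert.get("createdTime")   # epoch seconds (Number) in the context output
    occurred = (datetime.fromtimestamp(created, tz=timezone.utc).strftime(TIME_FMT)
                if isinstance(created, (int, float)) else None)
    return {
        "name": alert.get("analystTitle") or alert.get("title") or "Covalence alert",
        "occurred": occurred,
        "severity": SEVERITY_MAP.get(str(alert.get("severity", "")).upper(), 0),
        "type": alert.get("type"),
        "subType": alert.get("subType"),
        "sourceIp": alert.get("sourceIp"),
        "destIp": alert.get("destIp"),
        "endpointAgentUuid": alert.get("endpointAgentUuid"),
        "rawJSON": alert,
    }


# Constructed sample alerts shaped like the Context Example above (not real Covalence data).
SAMPLE_ALERTS: List[dict] = [
    {"id": str(i), "alertHash": f"hash-{i}", "acknowledgedStatus": "None",
     "analystTitle": f"Suspicious persistent software detected #{i}", "title": "Analyst alert",
     "type": "ANALYST GENERIC", "subType": "Analytic", "severity": "HIGH" if i % 2 else "LOW",
     "createdTime": 1625752183 + i, "sourceIp": None, "destIp": None}
    for i in range(5)
]


def stub_run_command(name: str, args: dict) -> dict:
    """Stand-in for the XSOAR runner: serves SAMPLE_ALERTS in offset/limit pages."""
    assert name == "cov-secpr-list-alerts"
    start = int(args.get("initial_index", 0))
    stop = start + int(args.get("max_count", 1000))
    return {"Covalence": {"Alert": SAMPLE_ALERTS[start:stop]}}


def fetch_incidents(run_command: Callable = stub_run_command, days: int = 2,
                    page_size: int = 2, now: Optional[datetime] = None) -> List[dict]:
    """First-run fetch: look back `days` from `now`, paging `page_size` alerts at a time."""
    window = first_run_window(days, now)
    return [to_incident(a) for a in iter_alerts(run_command, window, page_size=page_size)]


if __name__ == "__main__":
    for inc in fetch_incidents(now=FIXED_NOW):
        print(inc["occurred"], inc["severity"], inc["name"])
```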

cov-secpr-list-sensors#


Lists Covalence sensors

Base Command#

cov-secpr-list-sensors

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |
| details | If details=true, will return the complete response from Covalence API. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.Sensors.id | String | Id |
| Covalence.Sensors.name | String | Name |
| Covalence.Sensors.isAuthorized | Boolean | Is Authorized |
| Covalence.Sensors.isNetflowGenerator | Boolean | Is Netflow Generator |
| Covalence.Sensors.bytesIn | Number | Bytes In |
| Covalence.Sensors.bytesOut | Number | Bytes Out |
| Covalence.Sensors.lastActive | String | Last Active |
| Covalence.Sensors.listeningInterfaces | String | Listening Interfaces |

Command Example#

!cov-secpr-list-sensors

Context Example#

{
  "Covalence": {
    "Sensors": [
      {
        "isAuthorized": false,
        "isNetflowGenerator": true,
        "name": "External Sources"
      },
      {
        "isAuthorized": true,
        "isNetflowGenerator": false,
        "name": "1.1.1.1"
      }
    ]
  }
}

Human Readable Output#

Sensors#

| Isauthorized | Isnetflowgenerator | Name |
| --- | --- | --- |
| false | true | External Sources |
| true | false | 1.1.1.1 |

cov-secpr-get-sensor#


Get sensor details when provided with the sensor id

Base Command#

cov-secpr-get-sensor

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |
| sensor_id | Sensor id. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.Sensor.id | String | Id |
| Covalence.Sensor.name | String | Name |
| Covalence.Sensor.isAuthorized | Boolean | Is Authorized |
| Covalence.Sensor.listeningInterfaces | String | Listening Interfaces |
| Covalence.Sensor.isNetflowGenerator | Boolean | Is Netflow Generator |
| Covalence.Sensor.bytesIn | Number | Bytes In |
| Covalence.Sensor.bytesOut | Number | Bytes Out |
| Covalence.Sensor.lastActive | String | Last Active |

Command Example#

!cov-secpr-get-sensor sensor_id=94397407-5577-4d14-8f21-9a65ad5ac7fe

Context Example#

{
  "Covalence": {
    "Sensor": {
      "bytesIn": null,
      "bytesOut": null,
      "id": "94397407-5577-4d14-8f21-9a65ad5ac7fe",
      "isAuthorized": true,
      "isNetflowGenerator": false,
      "listeningInterfaces": [
        "eth0",
        "eth1"
      ],
      "name": "1.1.1.1"
    }
  }
}

Human Readable Output#

Sensor#

| Id | Isauthorized | Isnetflowgenerator | Listeninginterfaces | Name |
| --- | --- | --- | --- | --- |
| 94397407-5577-4d14-8f21-9a65ad5ac7fe | true | false | eth0, eth1 | 1.1.1.1 |

cov-secpr-connections-summary-ip#


List summarized connections details by IP Address

Base Command#

cov-secpr-connections-summary-ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |
| max_count | Maximum number of connection summaries by IP to be returned, if none provided will be set to 100. | Optional |
| initial_index | Initial index where to start listing connection summaries. | Optional |
| source_ip | Source IP filter, if used only connections related to the specified source IP will be returned. | Optional |
| start_time | Minimal time in %Y-%m-%dT%H:%M:%S format and UTC time zone. | Optional |
| end_time | Maximal time in %Y-%m-%dT%H:%M:%S format and UTC time zone. | Optional |
| clients_only | If "clients_only=true", only connections labeled as client connections will be returned. | Optional |
| internal_only | If "internal_only=true", only internal connections will be returned. | Optional |
| advanced_filter | Advanced filter query. | Optional |
| details | If details=true, will return the complete response from Covalence API. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.Connections.averageDuration | Number | Average Duration |
| Covalence.Connections.bytesIn | Number | Bytes In |
| Covalence.Connections.bytesOut | Number | Bytes Out |
| Covalence.Connections.clientServerRelationship | String | Client Server Relationship |
| Covalence.Connections.continuingConnectionCount | Number | Continuing Connection Count |
| Covalence.Connections.destinationCity | String | Destination City |
| Covalence.Connections.destinationCountry | String | Destination Country |
| Covalence.Connections.destinationId | String | Destination Id |
| Covalence.Connections.destinationIpAddress | String | Destination Ip Address |
| Covalence.Connections.destinationMacAddress | String | Destination Mac Address |
| Covalence.Connections.dstDomainName | String | Dst Domain Name |
| Covalence.Connections.id | String | Id |
| Covalence.Connections.packetsIn | Number | Packets In |
| Covalence.Connections.packetsOut | Number | Packets Out |
| Covalence.Connections.serverPortCount | Number | Server Port Count |
| Covalence.Connections.serverPorts | String | Server Ports |
| Covalence.Connections.sourceCity | String | Source City |
| Covalence.Connections.sourceCountry | String | Source Country |
| Covalence.Connections.sourceDomainName | String | Source Domain Name |
| Covalence.Connections.sourceId | String | Source Id |
| Covalence.Connections.sourceIpAddress | String | Source Ip Address |
| Covalence.Connections.sourceMacAddress | String | Source Mac Address |
| Covalence.Connections.terminatedConnectionCount | Number | Terminated Connection Count |
| Covalence.Connections.totalDuration | Number | Total Duration |

Command Example#

!cov-secpr-connections-summary-ip source_ip=1.1.1.1 max_count=10

Context Example#

{
  "Covalence": {
    "Connections": [
      {
        "averageDuration": 0,
        "bytesIn": 13360769,
        "bytesOut": 8645498,
        "clientServerRelationship": "CLIENT",
        "destinationIpAddress": "8.8.8.8",
        "dstDomainName": "dns.google",
        "serverPorts": "0,53,443",
        "sourceDomainName": null,
        "sourceIpAddress": "1.1.1.1"
      }
    ]
  }
}

Human Readable Output#

Connections#

| Averageduration | Bytesin | Bytesout | Clientserverrelationship | Destinationipaddress | Dstdomainname | Serverports | Sourceipaddress |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | 13360769 | 8645498 | CLIENT | 8.8.8.8 | dns.google | 0,53,443 | 1.1.1.1 |

cov-secpr-connections-summary-port#


List summarized connections details by Port

Base Command#

cov-secpr-connections-summary-port

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |
| max_count | Maximum number of connection summaries by port to be returned, if none provided will be set to 100. | Optional |
| initial_index | Initial index where to start listing connection summaries. | Optional |
| source_ip | Source IP filter, only connections related to the specified source IP will be returned. | Required |
| start_time | Minimal time in %Y-%m-%dT%H:%M:%S format and UTC time zone. | Optional |
| end_time | Maximal time in %Y-%m-%dT%H:%M:%S format and UTC time zone. | Optional |
| clients_only | If "clients_only=true", only connections labeled as client connections will be returned. | Optional |
| internal_only | If "internal_only=true", only internal connections will be returned. | Optional |
| advanced_filter | Advanced filter query. | Optional |
| details | If details=true, will return the complete response from Covalence API. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.Connections.averageDuration | Number | Average Duration |
| Covalence.Connections.bytesIn | Number | Bytes In |
| Covalence.Connections.bytesOut | Number | Bytes Out |
| Covalence.Connections.continuingConnectionCount | Number | Continuing Connection Count |
| Covalence.Connections.destinationCity | String | Destination City |
| Covalence.Connections.destinationCountry | String | Destination Country |
| Covalence.Connections.destinationId | String | Destination Id |
| Covalence.Connections.destinationIpAddress | String | Destination Ip Address |
| Covalence.Connections.destinationMacAddress | String | Destination Mac Address |
| Covalence.Connections.dstDomainName | String | Dst Domain Name |
| Covalence.Connections.endTime | Date | End Time |
| Covalence.Connections.id | String | Id |
| Covalence.Connections.packetsIn | Number | Packets In |
| Covalence.Connections.packetsOut | Number | Packets Out |
| Covalence.Connections.protocol | String | Protocol |
| Covalence.Connections.serverPort | Number | Server Port |
| Covalence.Connections.sourceCity | String | Source City |
| Covalence.Connections.sourceCountry | String | Source Country |
| Covalence.Connections.sourceDomainName | String | Source Domain Name |
| Covalence.Connections.sourceId | String | Source Id |
| Covalence.Connections.sourceIpAddress | String | Source Ip Address |
| Covalence.Connections.sourceMacAddress | String | Source Mac Address |
| Covalence.Connections.startTime | Date | Start Time |
| Covalence.Connections.terminatedConnectionCount | Number | Terminated Connection Count |
| Covalence.Connections.totalDuration | Number | Total Duration |

Command Example#

!cov-secpr-connections-summary-port source_ip=1.1.1.1 max_count=10

Context Example#

{
  "Covalence": {
    "Connections": [
      {
        "averageDuration": 44,
        "bytesIn": 0,
        "bytesOut": 305837,
        "destinationIpAddress": "8.8.8.8",
        "dstDomainName": "dns.google",
        "serverPort": 0,
        "sourceDomainName": null,
        "sourceIpAddress": "1.1.1.1"
      }
    ]
  }
}

Human Readable Output#

Connections#

| Averageduration | Bytesin | Bytesout | Destinationipaddress | Dstdomainname | Serverport | Sourceipaddress |
| --- | --- | --- | --- | --- | --- | --- |
| 44 | 0 | 305837 | 8.8.8.8 | dns.google | 0 | 1.1.1.1 |

cov-secpr-list-dns-resolutions#


List DNS resolutions

Base Command#

cov-secpr-list-dns-resolutions

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |
| max_count | Maximum number of DNS resolutions to be returned, if none provided will be set to 100. | Optional |
| initial_index | Initial index where to start listing DNS resolutions. | Optional |
| request_time_after | Minimal time in %Y-%m-%dT%H:%M:%S format and UTC time zone. | Optional |
| request_time_before | Maximal time in %Y-%m-%dT%H:%M:%S format and UTC time zone. | Optional |
| domain_name | Domain name filter, if used will only return DNS resolutions from the specified domain name. | Optional |
| resolved_ip | IP filter, if used will only return DNS resolutions to the specified IP. | Optional |
| request_origin_ip | Source IP filter, if used will only return DNS resolutions originating from the specified IP. | Optional |
| nameserver_ip | Nameserver IP filter, if used will only return DNS resolutions involving the specified nameserver IP. | Optional |
| advanced_filter | Advanced filter query. | Optional |
| details | If details=true, will return the complete response from Covalence API. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.DNSResolutions.id | String | Id |
| Covalence.DNSResolutions.domainName | String | Domain Name |
| Covalence.DNSResolutions.resolvedIp | String | Resolved Ip |
| Covalence.DNSResolutions.requestOriginIp | String | Request Origin Ip |
| Covalence.DNSResolutions.nameserverIp | String | Nameserver Ip |
| Covalence.DNSResolutions.nodeLabel | String | Node Label |
| Covalence.DNSResolutions.requestTime | Number | Request Time |
| Covalence.DNSResolutions.byteCount | Number | Byte Count |
| Covalence.DNSResolutions.pktCount | Number | Pkt Count |

Command Example#

!cov-secpr-list-dns-resolutions max_count=10

Context Example#

{
  "Covalence": {
    "DNSResolutions": [
      {
        "domainName": "ntp.ubuntu.com",
        "requestOriginIp": "1.1.1.1",
        "requestTime": 1625752183,
        "resolvedIp": "2001:67c:1560:8003::c7"
      }
    ]
  }
}

Human Readable Output#

DNS Resolutions#

| Domainname | Requestoriginip | Requesttime | Resolvedip |
| --- | --- | --- | --- |
| ntp.ubuntu.com | 1.1.1.1 | 1625752183 | 2001:67c:1560:8003::c7 |

cov-secpr-list-internal-networks#


List internal networks

Base Command#

cov-secpr-list-internal-networks

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.InternalNetworks.cidr | String | Cidr |
| Covalence.InternalNetworks.notes | String | Notes |

Command Example#

!cov-secpr-list-internal-networks

Context Example#

{
  "Covalence": {
    "InternalNetworks": {
      "cidr": "'1.1.1.1/24'",
      "notes": "'update'"
    }
  }
}

Human Readable Output#

Internal Networks#

| Cidr | Notes |
| --- | --- |
| '1.1.1.1/24' | 'update' |

cov-secpr-set-internal-networks#


Set internal networks

Base Command#

cov-secpr-set-internal-networks

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |
| cidr | The network to be set as internal in CIDR notation. | Required |
| notes | Comment notes associated with the network, notes must be inside quotes. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.InternalNetworks.cidr | String | Cidr |
| Covalence.InternalNetworks.notes | String | Notes |

Command Example#

!cov-secpr-set-internal-networks cidr='1.2.1.1/24' notes=update

Context Example#

{
  "Covalence": {
    "InternalNetworks": [
      "'1.2.1.1/24'",
      "update"
    ]
  }
}

Human Readable Output#

Internal network set as '1.2.1.1/24' with notes "update"
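The examples above show the single quotes typed around the cidr argument being stored as part of the value ('1.2.1.1/24'), and a prefix whose host bits are set. As an added example (not code from the integration), the following Python validates and normalizes the cidr/notes pair before cov-secpr-set-internal-networks is issued, and flags overlaps with the networks already returned by cov-secpr-list-internal-networks; it assumes that list context is either a single {"cidr", "notes"} object or a list of them, as the page's examples show.

```python
"""Pre-flight check for cov-secpr-set-internal-networks arguments.

Added example, not code from the Covalence integration. It strips stray CLI
quotes, validates CIDR notation with the standard library, and compares the
new network against the context of cov-secpr-list-internal-networks (assumed
to be a single {"cidr", "notes"} object or a list of them).
"""
import ipaddress
from typing import Dict, Optional, Tuple


def strip_quotes(value: str) -> str:
    """Remove one layer of surrounding quotes, which the CLI otherwise stores verbatim."""
    value = str(value).strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1].strip()
    return value


def normalize_cidr(cidr: str) -> Tuple[str, bool]:
    """Return (canonical network, host_bits_were_set); raise ValueError if not CIDR."""
    raw = strip_quotes(cidr)
    if "/" not in raw:
        raise ValueError(f"{raw!r} is not in CIDR notation (prefix length missing)")
    iface = ipaddress.ip_interface(raw)        # raises ValueError on malformed input
    net = iface.network                        # host bits are masked off here
    return str(net), iface.ip != net.network_address


def existing_networks(list_context: Optional[dict]) -> list:
    """Parse cov-secpr-list-internal-networks context into network objects."""
    entries = (list_context or {}).get("Covalence", {}).get("InternalNetworks", [])
    if isinstance(entries, dict):              # single entry, as in the Context Example
        entries = [entries]
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(strip_quotes(entry["cidr"]), strict=False))
        except (KeyError, TypeError, ValueError):
            continue                           # skip malformed rows rather than abort
    return nets


def build_set_args(cidr: str, notes: str, list_context: Optional[dict] = None) -> Dict[str, object]:
    """Arguments to pass to cov-secpr-set-internal-networks, plus review warnings."""
    network, host_bits = normalize_cidr(cidr)
    clean_notes = strip_quotes(notes)
    if not clean_notes:
        raise ValueError("notes is required and must not be empty")
    warnings = []
    if host_bits:
        warnings.append(f"{strip_quotes(cidr)} had host bits set; normalized to {network}")
    new = ipaddress.ip_network(network)
    for existing in existing_networks(list_context):
        if new.version == existing.version and new.overlaps(existing):
            warnings.append(f"{network} overlaps existing internal network {existing}")
    return {"cidr": network, "notes": clean_notes, "warnings": warnings}


# Constructed list context mirroring the cov-secpr-list-internal-networks example above.
SAMPLE_LIST_CONTEXT = {
    "Covalence": {"InternalNetworks": {"cidr": "'1.1.1.1/24'", "notes": "'update'"}}
}

if __name__ == "__main__":
    print(build_set_args("'1.2.1.1/24'", "update", SAMPLE_LIST_CONTEXT))
```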

cov-secpr-list-endpoint-agents#


List endpoint agents

Base Command#

cov-secpr-list-endpoint-agents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |
| advanced_filter | Advanced filter query, if used any other parameters provided to the command will be ignored. | Optional |
| details | If details=true, will return the complete response from Covalence API. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.EndpointAgents.agentUuid | String | Agent Uuid |
| Covalence.EndpointAgents.agentVersion | String | Agent Version |
| Covalence.EndpointAgents.firstSeenTime | Date | First Seen Time |
| Covalence.EndpointAgents.lastSeenTime | Date | Last Seen Time |
| Covalence.EndpointAgents.lastSessionUser | String | Last Session User |
| Covalence.EndpointAgents.isMobile | Boolean | Is Mobile |
| Covalence.EndpointAgents.isConnected | Boolean | Is Connected |
| Covalence.EndpointAgents.coreVersion | String | Core Version |
| Covalence.EndpointAgents.coreArchitecture | String | Core Architecture |
| Covalence.EndpointAgents.coreOs | String | Core Os |
| Covalence.EndpointAgents.operatingSystem | String | Operating System |
| Covalence.EndpointAgents.hostName | String | Host Name |
| Covalence.EndpointAgents.hardwareVendor | String | Hardware Vendor |
| Covalence.EndpointAgents.hardwareModel | String | Hardware Model |
| Covalence.EndpointAgents.arch | String | Arch |
| Covalence.EndpointAgents.osDistro | String | Os Distro |
| Covalence.EndpointAgents.osVersion | String | Os Version |
| Covalence.EndpointAgents.kernelVersion | String | Kernel Version |
| Covalence.EndpointAgents.operatingSystemReleaseId | String | Operating System Release Id |
| Covalence.EndpointAgents.ipAddress | String | Ip Address |
| Covalence.EndpointAgents.secondaryIpAddress | String | Secondary Ip Address |
| Covalence.EndpointAgents.ipAddresses | String | Ip Addresses |
| Covalence.EndpointAgents.serialNumber | String | Serial Number |
| Covalence.EndpointAgents.deviceIdentifier | String | Device Identifier |
| Covalence.EndpointAgents.cpuArchitectureEnum | String | Cpu Architecture Enum |

Command Example#

!cov-secpr-list-endpoint-agents

Context Example#

{
  "Covalence": {
    "EndpointAgents": [
      {
        "hardwareVendor": "VMware, Inc.",
        "hostName": "DESKTOP-0EENF9N",
        "ipAddress": "192.168.223.132",
        "isConnected": false,
        "lastSessionUser": "jsmith",
        "operatingSystem": "Windows 10 Home",
        "serialNumber": "VMware-56 4d 6d cd 58 53 49 e4-73 20 4b 2d b2 15 ca 36"
      },
      {
        "hardwareVendor": "VMware, Inc.",
        "hostName": "DESKTOP-N0E5EN6",
        "ipAddress": "192.168.223.130",
        "isConnected": false,
        "lastSessionUser": "jdoe",
        "operatingSystem": "Windows 10 Pro",
        "serialNumber": "VMware-56 4d 77 78 de 75 22 df-6a c9 62 b2 72 e9 6b 91"
      }
    ]
  }
}

Human Readable Output#

Endpoint Agents#

| Hardwarevendor | Hostname | Ipaddress | Isconnected | Lastsessionuser | Operatingsystem | Serialnumber |
| --- | --- | --- | --- | --- | --- | --- |
| VMware, Inc. | DESKTOP-0EENF9N | 192.168.223.132 | false | jsmith | Windows 10 Home | VMware-56 4d 6d cd 58 53 49 e4-73 20 4b 2d b2 15 ca 36 |
| VMware, Inc. | DESKTOP-N0E5EN6 | 192.168.223.130 | false | jdoe | Windows 10 Pro | VMware-56 4d 77 78 de 75 22 df-6a c9 62 b2 72 e9 6b 91 |

cov-secpr-find-endpoint-agents-by-user#


List endpoint agents where the last session user is the one provided as parameter

Base Command#

cov-secpr-find-endpoint-agents-by-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |
| user | User filter. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.EndpointAgents.agentUuid | String | Agent Uuid |
| Covalence.EndpointAgents.agentVersion | String | Agent Version |
| Covalence.EndpointAgents.firstSeenTime | Date | First Seen Time |
| Covalence.EndpointAgents.lastSeenTime | Date | Last Seen Time |
| Covalence.EndpointAgents.lastSessionUser | String | Last Session User |
| Covalence.EndpointAgents.isMobile | Boolean | Is Mobile |
| Covalence.EndpointAgents.isConnected | Boolean | Is Connected |
| Covalence.EndpointAgents.coreVersion | String | Core Version |
| Covalence.EndpointAgents.coreArchitecture | String | Core Architecture |
| Covalence.EndpointAgents.coreOs | String | Core Os |
| Covalence.EndpointAgents.operatingSystem | String | Operating System |
| Covalence.EndpointAgents.hostName | String | Host Name |
| Covalence.EndpointAgents.hardwareVendor | String | Hardware Vendor |
| Covalence.EndpointAgents.hardwareModel | String | Hardware Model |
| Covalence.EndpointAgents.arch | String | Arch |
| Covalence.EndpointAgents.osDistro | String | Os Distro |
| Covalence.EndpointAgents.osVersion | String | Os Version |
| Covalence.EndpointAgents.kernelVersion | String | Kernel Version |
| Covalence.EndpointAgents.operatingSystemReleaseId | String | Operating System Release Id |
| Covalence.EndpointAgents.ipAddress | String | Ip Address |
| Covalence.EndpointAgents.secondaryIpAddress | String | Secondary Ip Address |
| Covalence.EndpointAgents.ipAddresses | String | Ip Addresses |
| Covalence.EndpointAgents.serialNumber | String | Serial Number |
| Covalence.EndpointAgents.deviceIdentifier | String | Device Identifier |
| Covalence.EndpointAgents.cpuArchitectureEnum | String | Cpu Architecture Enum |

Command Example#

!cov-secpr-find-endpoint-agents-by-user user=jdoe

Context Example#

{
  "Covalence": {
    "EndpointAgents": {
      "agentUuid": "4dda9c12-b9ec-498b-8e89-1b2bc9078643",
      "agentVersion": "2.0.1.5",
      "arch": "X64",
      "coreArchitecture": "X64",
      "coreOs": "Windows",
      "coreVersion": "2.0.1.5",
      "cpuArchitectureEnum": "X64",
      "deviceIdentifier": "dff207a9-57e0-417d-b72f-667d1c310a65",
      "firstSeenTime": "2021-03-08 13:57:39",
      "hardwareModel": "VMware7,1",
      "hardwareVendor": "VMware, Inc.",
      "hostName": "DESKTOP-N0E5EN6",
      "ipAddress": "192.168.223.130",
      "ipAddresses": "192.168.223.130",
      "isConnected": false,
      "isMobile": false,
      "kernelVersion": "0.0.0.0",
      "lastSeenTime": "2021-07-07 14:14:58",
      "lastSessionUser": "jdoe",
      "operatingSystem": "Windows 10 Pro",
      "operatingSystemReleaseId": "2009",
      "osDistro": "Professional",
      "osVersion": "10.0.0.19042",
      "secondaryIpAddress": "",
      "serialNumber": "VMware-56 4d 77 78 de 75 22 df-6a c9 62 b2 72 e9 6b 91"
    }
  }
}

Human Readable Output#

Endpoint Agents#

| Agentuuid | Agentversion | Arch | Corearchitecture | Coreos | Coreversion | Cpuarchitectureenum | Deviceidentifier | Firstseentime | Hardwaremodel | Hardwarevendor | Hostname | Ipaddress | Ipaddresses | Isconnected | Ismobile | Kernelversion | Lastseentime | Lastsessionuser | Operatingsystem | Operatingsystemreleaseid | Osdistro | Osversion | Serialnumber |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 4dda9c12-b9ec-498b-8e89-1b2bc9078643 | 2.0.1.5 | X64 | X64 | Windows | 2.0.1.5 | X64 | dff207a9-57e0-417d-b72f-667d1c310a65 | 2021-03-08 13:57:39 | VMware7,1 | VMware, Inc. | DESKTOP-N0E5EN6 | 192.168.223.130 | 192.168.223.130 | false | false | 0.0.0.0 | 2021-07-07 14:14:58 | jdoe | Windows 10 Pro | 2009 | Professional | 10.0.0.19042 | VMware-56 4d 77 78 de 75 22 df-6a c9 62 b2 72 e9 6b 91 |

cov-secpr-find-endpoint-agents-by-uuid#


Find the endpoint agent with the UUID provided as parameter

Base Command#

cov-secpr-find-endpoint-agents-by-uuid

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |
| uuid | Endpoint agent UUID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.EndpointAgents.agentUuid | String | Agent Uuid |
| Covalence.EndpointAgents.agentVersion | String | Agent Version |
| Covalence.EndpointAgents.firstSeenTime | Date | First Seen Time |
| Covalence.EndpointAgents.lastSeenTime | Date | Last Seen Time |
| Covalence.EndpointAgents.lastSessionUser | String | Last Session User |
| Covalence.EndpointAgents.isMobile | Boolean | Is Mobile |
| Covalence.EndpointAgents.isConnected | Boolean | Is Connected |
| Covalence.EndpointAgents.coreVersion | String | Core Version |
| Covalence.EndpointAgents.coreArchitecture | String | Core Architecture |
| Covalence.EndpointAgents.coreOs | String | Core Os |
| Covalence.EndpointAgents.operatingSystem | String | Operating System |
| Covalence.EndpointAgents.hostName | String | Host Name |
| Covalence.EndpointAgents.hardwareVendor | String | Hardware Vendor |
| Covalence.EndpointAgents.hardwareModel | String | Hardware Model |
| Covalence.EndpointAgents.arch | String | Arch |
| Covalence.EndpointAgents.osDistro | String | Os Distro |
| Covalence.EndpointAgents.osVersion | String | Os Version |
| Covalence.EndpointAgents.kernelVersion | String | Kernel Version |
| Covalence.EndpointAgents.operatingSystemReleaseId | String | Operating System Release Id |
| Covalence.EndpointAgents.ipAddress | String | Ip Address |
| Covalence.EndpointAgents.secondaryIpAddress | String | Secondary Ip Address |
| Covalence.EndpointAgents.ipAddresses | String | Ip Addresses |
| Covalence.EndpointAgents.serialNumber | String | Serial Number |
| Covalence.EndpointAgents.deviceIdentifier | String | Device Identifier |
| Covalence.EndpointAgents.cpuArchitectureEnum | String | Cpu Architecture Enum |

Command Example#

!cov-secpr-find-endpoint-agents-by-uuid uuid=4dda9c12-b9ec-498b-8e89-1b2bc9078643

Context Example#

{
  "Covalence": {
    "EndpointAgents": {
      "agentUuid": "4dda9c12-b9ec-498b-8e89-1b2bc9078643",
      "agentVersion": "2.0.1.5",
      "arch": "X64",
      "coreArchitecture": "X64",
      "coreOs": "Windows",
      "coreVersion": "2.0.1.5",
      "cpuArchitectureEnum": "X64",
      "deviceIdentifier": "dff207a9-57e0-417d-b72f-667d1c310a65",
      "firstSeenTime": "2021-03-08 13:57:39",
      "hardwareModel": "VMware7,1",
      "hardwareVendor": "VMware, Inc.",
      "hostName": "DESKTOP-N0E5EN6",
      "ipAddress": "192.168.223.130",
      "ipAddresses": "192.168.223.130",
      "isConnected": false,
      "isMobile": false,
      "kernelVersion": "0.0.0.0",
      "lastSeenTime": "2021-07-07 14:14:58",
      "lastSessionUser": "jdoe",
      "operatingSystem": "Windows 10 Pro",
      "operatingSystemReleaseId": "2009",
      "osDistro": "Professional",
      "osVersion": "10.0.0.19042",
      "secondaryIpAddress": "",
      "serialNumber": "VMware-56 4d 77 78 de 75 22 df-6a c9 62 b2 72 e9 6b 91"
    }
  }
}

Human Readable Output#

Endpoint Agents#

| Agentuuid | Agentversion | Arch | Corearchitecture | Coreos | Coreversion | Cpuarchitectureenum | Deviceidentifier | Firstseentime | Hardwaremodel | Hardwarevendor | Hostname | Ipaddress | Ipaddresses | Isconnected | Ismobile | Kernelversion | Lastseentime | Lastsessionuser | Operatingsystem | Operatingsystemreleaseid | Osdistro | Osversion | Serialnumber |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 4dda9c12-b9ec-498b-8e89-1b2bc9078643 | 2.0.1.5 | X64 | X64 | Windows | 2.0.1.5 | X64 | dff207a9-57e0-417d-b72f-667d1c310a65 | 2021-03-08 13:57:39 | VMware7,1 | VMware, Inc. | DESKTOP-N0E5EN6 | 192.168.223.130 | 192.168.223.130 | false | false | 0.0.0.0 | 2021-07-07 14:14:58 | jdoe | Windows 10 Pro | 2009 | Professional | 10.0.0.19042 | VMware-56 4d 77 78 de 75 22 df-6a c9 62 b2 72 e9 6b 91 |

cov-secpr-search-endpoint-process#


Search processes by name or advanced filter, at least one parameter is required

Base Command#

cov-secpr-search-endpoint-process

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |
| name | Process name. | Optional |
| advanced_filter | Advanced filter query. | Optional |
| details | If details=true, will return the complete response from Covalence API. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.EndpointProcess.id | Number | Id |
| Covalence.EndpointProcess.agentUuid | String | Agent Uuid |
| Covalence.EndpointProcess.processName | String | Process Name |
| Covalence.EndpointProcess.processPath | String | Process Path |
| Covalence.EndpointProcess.parentProcessName | String | Parent Process Name |
| Covalence.EndpointProcess.parentProcessPath | String | Parent Process Path |
| Covalence.EndpointProcess.commandLine | String | Command Line |
| Covalence.EndpointProcess.username | String | Username |
| Covalence.EndpointProcess.firstSeenTime | Date | First Seen Time |
| Covalence.EndpointProcess.lastSeenTime | Date | Last Seen Time |
| Covalence.EndpointProcess.lastEndTime | Date | Last End Time |
| Covalence.EndpointProcess.seenCount | Number | Seen Count |
| Covalence.EndpointProcess.activeCount | Number | Active Count |

Command Example#

!cov-secpr-search-endpoint-process name=explorer.exe

Context Example#

{
  "Covalence": {
    "EndpointProcess": [
      {
        "commandLine": "C:\\Windows\\Explorer.EXE",
        "firstSeenTime": "2021-03-08T12:25:54.100Z",
        "lastSeenTime": "2021-04-08T15:23:10.069Z",
        "processPath": "C:\\Windows\\explorer.exe",
        "username": "jdoe"
      },
      {
        "commandLine": "C:\\Windows\\Explorer.EXE",
        "firstSeenTime": "2021-04-23T07:24:25.570Z",
        "lastSeenTime": "2021-07-07T09:52:17.352Z",
        "processPath": "C:\\Windows\\explorer.exe",
        "username": "jsmith"
      }
    ]
  }
}

Human Readable Output#

Endpoint Process#

| Commandline | Firstseentime | Lastseentime | Processpath | Username |
| --- | --- | --- | --- | --- |
| C:\Windows\Explorer.EXE | 2021-03-08T12:25:54.100Z | 2021-04-08T15:23:10.069Z | C:\Windows\explorer.exe | jdoe |
| C:\Windows\Explorer.EXE | 2021-04-23T07:24:25.570Z | 2021-07-07T09:52:17.352Z | C:\Windows\explorer.exe | jsmith |

cov-secpr-search-endpoint-installed-software#


Search for endpoint installed software

Base Command#

cov-secpr-search-endpoint-installed-software

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target_org | Only required in broker mode, used to target a specific organization: target_org="Acme Corporation". | Optional |
| name | The name of installed software; quotes are required if a space character is used. At least one parameter is required. | Required |
| version | The version of installed software. | Optional |
| advanced_filter | Advanced filter query. | Optional |
| details | If details=true, will return the complete response from Covalence API. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.EndpointSoftware.arch | Number | Arch |
| Covalence.EndpointSoftware.type | Number | Type |
| Covalence.EndpointSoftware.packageManager | Number | Package Manager |
| Covalence.EndpointSoftware.installTimestamp | Date | Install Timestamp |
| Covalence.EndpointSoftware.uninstallTimestamp | Date | Uninstall Timestamp |
| Covalence.EndpointSoftware.name | String | Name |
| Covalence.EndpointSoftware.version | String | Version |
| Covalence.EndpointSoftware.vendor | String | Vendor |
| Covalence.EndpointSoftware.installPath | String | Install Path |
| Covalence.EndpointSoftware.appDataPath | String | App Data Path |
| Covalence.EndpointSoftware.sharedDataPath | String | Shared Data Path |
| Covalence.EndpointSoftware.installedForUser | String | Installed For User |
| Covalence.EndpointSoftware.installSource | String | Install Source |
| Covalence.EndpointSoftware.id | Number | Id |
| Covalence.EndpointSoftware.agentUuid | String | Agent Uuid |
| Covalence.EndpointSoftware.softwareNotifyAction | String | Software Notify Action |

Command Example#

!cov-secpr-search-endpoint-installed-software name=firefox

Context Example#

{
  "Covalence": {
    "EndpointSoftware": {
      "installTimestamp": "1970-01-01T00:00:00.000Z",
      "name": "Mozilla Firefox 88.0 (x86 fr)",
      "uninstallTimestamp": null,
      "vendor": "Mozilla",
      "version": "88.0"
    }
  }
}

Human Readable Output#

Endpoint Software#

| Installtimestamp | Name | Vendor | Version |
| --- | --- | --- | --- |
| 1970-01-01T00:00:00.000Z | Mozilla Firefox 88.0 (x86 fr) | Mozilla | 88.0 |

cov-secpr-list-organizations#


List monitored organizations, only available in broker mode

Base Command#

cov-secpr-list-organizations

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Covalence.Organization.org_name | String | Org_name |

Command Example#

!cov-secpr-list-organizations

Human Readable Output#

No organizations found