Covalence Managed Security

Triggered by triaged alerts from endpoint, cloud, and network security monitoring. Contains event details and easy-to-follow mitigation steps. This integration was integrated and tested with version 3.0 of Covalence Managed Security.

Configure Covalence Managed Security on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Covalence Managed Security.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Credentials | | True |
    | Password | | True |
    | Use system proxy settings | | False |
    | First run time range | When fetching incidents for the first time, this parameter specifies in days how far back the integration looks for incidents. For instance, if set to "2", it will pull all alerts in Covalence for the last 2 days and will create corresponding incidents. | False |
    | Incident type | | False |
    | Fetch incidents | | False |
    | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | | False |
    | None | | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cov-mgsec-get-aro


Query FES Portal for ARO

Base Command

cov-mgsec-get-aro

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| details | If details=true, returns the complete response from the Covalence API. | Optional |
| query | Portal query, for example: "resolution=Unresolved&type=Recommendation". The available filter keys are listed under this table. | Required |

Available keys to filter on:
- id; e.g., "id=<ARO_id>"
- status; e.g., "status=In Triage" or "status=Open" or "status=Closed"
- resolution; e.g., "resolution=Unresolved" or "resolution=Resolved" or "resolution=Help Requested" or "resolution=Dismissed"
- type; e.g., "type=Action" or "type=Recommendation" or "type=Observation"
- org; e.g., "org=<organization_name>"
- since; e.g., "since=2021-01-31 14:00:00"
- until; e.g., "until=2021-01-31 14:00:00"
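
A playbook or automation that builds the query argument from incident fields can check it against the documented keys and values before running cov-mgsec-get-aro. The following is an added example, not part of the integration: `build_aro_query` is a hypothetical helper, and treating `&` and `=` as filter separators is an assumption based on the example query on this page.

```python
from datetime import datetime

# Filter keys and fixed values exactly as listed in the `query` description.
ENUM_KEYS = {
    "status": {"In Triage", "Open", "Closed"},
    "resolution": {"Unresolved", "Resolved", "Help Requested", "Dismissed"},
    "type": {"Action", "Recommendation", "Observation"},
}
FREE_TEXT_KEYS = {"id", "org"}
TIME_KEYS = {"since", "until"}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # the page's example: 2021-01-31 14:00:00
# Assumption: '&' and '=' separate filters, so they are refused inside values;
# '"' and newlines are refused because the string is passed as query="...".
RESERVED = set('&="\r\n')


def build_aro_query(**filters):
    """Validate filters and return the query string; raise ValueError if bad."""
    if not filters:
        raise ValueError("the query argument is required")
    parts, times = [], {}
    for key, raw in filters.items():
        value = str(raw)
        if key in ENUM_KEYS:
            if value not in ENUM_KEYS[key]:
                raise ValueError(f"{key}={value!r} is not a listed value")
        elif key in TIME_KEYS:
            times[key] = datetime.strptime(value, TIME_FORMAT)  # ValueError if malformed
        elif key in FREE_TEXT_KEYS:
            if not value or RESERVED & set(value):
                raise ValueError(f"{key} is empty or has a reserved character")
        else:
            raise ValueError(f"unknown filter key: {key}")
        parts.append(f"{key}={value}")
    if len(times) == 2 and times["since"] > times["until"]:
        raise ValueError("since is later than until")
    return "&".join(parts)


if __name__ == "__main__":
    # Constructed inputs: the second org value imitates a field copied from an alert.
    print(build_aro_query(resolution="Unresolved", type="Recommendation"))
    try:
        build_aro_query(org="Acme&resolution=Dismissed")
    except ValueError as err:
        print("rejected:", err)
```

Rejecting separator characters in free-text values keeps a field copied from an alert from widening or narrowing the filter the analyst intended.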

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESPortal.Aro.ID | String | ID |
| FESPortal.Aro.alert_key | String | Alert_key |
| FESPortal.Aro.analyst_notes | String | Analyst_notes |
| FESPortal.Aro.count | Number | Count |
| FESPortal.Aro.creation_time | Date | Creation_time |
| FESPortal.Aro.details | String | Details |
| FESPortal.Aro.details_markdown | String | Details_markdown |
| FESPortal.Aro.display_url | String | Display_url |
| FESPortal.Aro.external_bug_id | String | External_bug_id |
| FESPortal.Aro.last_updated_time | Date | Last_updated_time |
| FESPortal.Aro.notes | String | Notes |
| FESPortal.Aro.organization.ID | String | ID |
| FESPortal.Aro.organization.email | String | Email |
| FESPortal.Aro.organization.name | String | Name |
| FESPortal.Aro.resolution | String | Resolution |
| FESPortal.Aro.serial_id | String | Serial_id |
| FESPortal.Aro.severity | String | Severity |
| FESPortal.Aro.status | String | Status |
| FESPortal.Aro.steps.ID | String | ID |
| FESPortal.Aro.steps.completed | Boolean | Completed |
| FESPortal.Aro.steps.label | String | Label |
| FESPortal.Aro.steps.last_updated_time | Date | Last_updated_time |
| FESPortal.Aro.template_id | String | Template_id |
| FESPortal.Aro.title | String | Title |
| FESPortal.Aro.triage_id | String | Triage_id |
| FESPortal.Aro.type | String | Type |

Command Example

!cov-mgsec-get-aro query="resolution=Unresolved"

Context Example

{
    "FESPortal": {
        "ARO": [
            {
                "organization": {
                    "ID": "9d4297ea-089e-42bd-884d-51744e31a471",
                    "email": "foo@bar.com",
                    "name": "Acme"
                },
                "resolution": "Unresolved",
                "severity": "Critical",
                "status": "Open",
                "title": "test2",
                "type": "Action"
            },
            {
                "organization": {
                    "ID": "e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd",
                    "email": "foo@bar.com",
                    "name": "Capsule Corp"
                },
                "resolution": "Unresolved",
                "severity": "High",
                "status": "Open",
                "title": "Vulnerable Software Detected",
                "type": "Recommendation"
            }
        ]
    }
}

Human Readable Output

AROs

| Organization | Resolution | Severity | Status | Title | Type |
| --- | --- | --- | --- | --- | --- |
| ID: 9d4297ea-089e-42bd-884d-51744e31a471, email: foo@bar.com, name: Acme | Unresolved | Critical | Open | test2 | Action |
| ID: e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd, email: foo@bar.com, name: Capsule Corp | Unresolved | High | Open | Vulnerable Software Detected | Recommendation |

cov-mgsec-list-org


List organizations

Base Command

cov-mgsec-list-org

Input

| Argument Name | Description | Required |
| --- | --- | --- |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESPortal.Org.ID | String | ID |
| FESPortal.Org.email | String | Email |
| FESPortal.Org.email_aro_details | Boolean | Email_aro_details |
| FESPortal.Org.name | String | Name |

Command Example

!cov-mgsec-list-org

Context Example

{
    "FESPortal": {
        "Org": [
            {
                "ID": "9d4297ea-089e-42bd-884d-51744e31a471",
                "email": "foo@bar.com",
                "email_aro_details": false,
                "name": "Acme"
            },
            {
                "ID": "e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd",
                "email": "foo@bar.com",
                "email_aro_details": false,
                "name": "Capsule Corp"
            }
        ]
    }
}

Human Readable Output

Organizations

| Id | Email | Email Aro Details | Name |
| --- | --- | --- | --- |
| 9d4297ea-089e-42bd-884d-51744e31a471 | foo@bar.com | false | Acme |
| e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd | foo@bar.com | false | Capsule Corp |