Covalence Managed Security
Covalence Managed Security Pack.#
This Integration is part of theTriggers by triaged alerts from endpoint, cloud, and network security monitoring. Contains event details and easy-to-follow mitigation steps. This integration was integrated and tested with version 1.1.10 of Covalence Managed Security.
#
Configure Covalence Managed Security in CortexParameter | Description | Required |
---|---|---|
Credentials | True | |
Password | True | |
Use system proxy settings | False | |
First run time range | When fetching incidents for the first time, this parameter specifies in days how far the integration looks for incidents. For instance if set to "2", it will pull all alerts in Covalence for the last 2 days and will create corresponding incidents. | False |
Incident type | False | |
Fetch incidents | False | |
First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False | |
Fetch Limit | The maximum number of incidents to fetch | False |
Broker Server URL | Broker Server URL (Optional). Required to use Broker commands. | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
cov-mgsec-get-aroQuery FES Portal for ARO.
#
Base Commandcov-mgsec-get-aro
#
InputArgument Name | Description | Required |
---|---|---|
details | if details=true, will return the complete response from Covalence API. | Optional |
query | Portal query, for example: "resolution=Unresolved&type=Recommendation" Available Keys to filter on: - id; eg: "id=<ARO_id> - status; eg: "status=In Triage" or "status=Open" or "status=Closed" - resolution; eg: "resolution=Unresolved" or "resolution=Resolved" or "resolution=Help Requested" or "resolution=Dismissed" - type; eg: "type=Action" or "type=Recommendation" or "type=Observation" - org; eg: "org=<organization_name>" - since; eg: "since=2021-01-31 14:00:00" - until; eg: "until=2021-01-31 14:00:00". | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FESPortal.Aro.ID | String | ID. |
FESPortal.Aro.alert_key | String | Alert_key. |
FESPortal.Aro.analyst_notes | String | Analyst_notes. |
FESPortal.Aro.count | Number | Count. |
FESPortal.Aro.creation_time | Date | Creation_time. |
FESPortal.Aro.details | String | Details. |
FESPortal.Aro.details_markdown | String | Details_markdown. |
FESPortal.Aro.display_url | String | Display_url. |
FESPortal.Aro.external_bug_id | String | External_bug_id. |
FESPortal.Aro.last_updated_time | Date | Last_updated_time. |
FESPortal.Aro.notes | String | Notes. |
FESPortal.Aro.organization.ID | String | ID. |
FESPortal.Aro.organization.email | String | Email. |
FESPortal.Aro.organization.name | String | Name. |
FESPortal.Aro.resolution | String | Resolution. |
FESPortal.Aro.serial_id | String | Serial_id. |
FESPortal.Aro.severity | String | Severity. |
FESPortal.Aro.status | String | Status. |
FESPortal.Aro.steps.ID | String | ID. |
FESPortal.Aro.steps.completed | Boolean | Completed. |
FESPortal.Aro.steps.label | String | Label. |
FESPortal.Aro.steps.last_updated_time | Date | Last_updated_time. |
FESPortal.Aro.template_id | String | Template_id. |
FESPortal.Aro.title | String | Title. |
FESPortal.Aro.triage_id | String | Triage_id. |
FESPortal.Aro.type | String | Type. |
#
Command example!cov-mgsec-get-aro query="since=2023-11-30 18:00:00"
#
Context Example#
Human Readable Output#
AROs
Organization Resolution Severity Status Title Type ID: 9d4297ea-089e-42bd-884d-51744e31a471
email: foo@bar.com
name: AcmeUnresolved Critical Open test2 Action ID: e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd
email: foo@bar.com
name: Capsule CorpUnresolved High Open Vulnerable Software Detected Recommendation
#
cov-mgsec-list-orgList organizations.
#
Base Commandcov-mgsec-list-org
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
FESPortal.Org.ID | String | ID. |
FESPortal.Org.email | String | Email. |
FESPortal.Org.email_aro_details | Boolean | Email_aro_details. |
FESPortal.Org.name | String | Name. |
#
Command example!cov-mgsec-list-org
#
Context Example#
Human Readable Output#
Organizations
Id Email Aro Details Name 9d4297ea-089e-42bd-884d-51744e31a471 foo@bar.com false Acme e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd foo@bar.com false Capsule Corp
#
cov-mgsec-transition-aroTransition an ARO.
#
Base Commandcov-mgsec-transition-aro
#
InputArgument Name | Description | Required |
---|---|---|
aro_id | This ARO ID to transition. | Required |
resolution | Resolution to transition the ARO to. Possible values are: Unresolved, Help Requested, Resolved, Dismissed. | Required |
comment | Optional comment to leave on the ARO. | Optional |
is_comment_sensitive | Optionally mark the comment as sensitive. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FESPortal.Aro.ID | String | ID. |
FESPortal.Aro.alert_key | String | Alert_key. |
FESPortal.Aro.analyst_notes | String | Analyst_notes. |
FESPortal.Aro.count | Number | Count. |
FESPortal.Aro.creation_time | Date | Creation_time. |
FESPortal.Aro.details | String | Details. |
FESPortal.Aro.details_markdown | String | Details_markdown. |
FESPortal.Aro.display_url | String | Display_url. |
FESPortal.Aro.external_bug_id | String | External_bug_id. |
FESPortal.Aro.last_updated_time | Date | Last_updated_time. |
FESPortal.Aro.notes | String | Notes. |
FESPortal.Aro.organization.ID | String | ID. |
FESPortal.Aro.organization.email | String | Email. |
FESPortal.Aro.organization.name | String | Name. |
FESPortal.Aro.resolution | String | Resolution. |
FESPortal.Aro.serial_id | String | Serial_id. |
FESPortal.Aro.severity | String | Severity. |
FESPortal.Aro.status | String | Status. |
FESPortal.Aro.steps.ID | String | ID. |
FESPortal.Aro.steps.completed | Boolean | Completed. |
FESPortal.Aro.steps.label | String | Label. |
FESPortal.Aro.steps.last_updated_time | Date | Last_updated_time. |
FESPortal.Aro.template_id | String | Template_id. |
FESPortal.Aro.title | String | Title. |
FESPortal.Aro.triage_id | String | Triage_id. |
FESPortal.Aro.type | String | Type. |
#
cov-mgsec-transition-aroTransition an ARO.
#
Base Commandcov-mgsec-transition-aro
#
InputArgument Name | Description | Required |
---|---|---|
aro_id | This ARO ID to transition. | Required |
resolution | Resolution to transition the ARO to. Options include: Unresolved, Help Requested, Resolved, or Dismissed. | Required |
comment | Optional comment to leave on the ARO. | Optional |
is_comment_sensitive | Optionally mark the comment as sensitive. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FESPortal.Aro.ID | String | ID. |
FESPortal.Aro.alert_key | String | Alert_key. |
FESPortal.Aro.analyst_notes | String | Analyst_notes. |
FESPortal.Aro.count | Number | Count. |
FESPortal.Aro.creation_time | Date | Creation_time. |
FESPortal.Aro.details | String | Details. |
FESPortal.Aro.details_markdown | String | Details_markdown. |
FESPortal.Aro.display_url | String | Display_url. |
FESPortal.Aro.external_bug_id | String | External_bug_id. |
FESPortal.Aro.last_updated_time | Date | Last_updated_time. |
FESPortal.Aro.notes | String | Notes. |
FESPortal.Aro.organization.ID | String | ID. |
FESPortal.Aro.organization.email | String | Email. |
FESPortal.Aro.organization.name | String | Name. |
FESPortal.Aro.resolution | String | Resolution. |
FESPortal.Aro.serial_id | String | Serial_id. |
FESPortal.Aro.severity | String | Severity. |
FESPortal.Aro.status | String | Status. |
FESPortal.Aro.steps.ID | String | ID. |
FESPortal.Aro.steps.completed | Boolean | Completed. |
FESPortal.Aro.steps.label | String | Label. |
FESPortal.Aro.steps.last_updated_time | Date | Last_updated_time. |
FESPortal.Aro.template_id | String | Template_id. |
FESPortal.Aro.title | String | Title. |
FESPortal.Aro.triage_id | String | Triage_id. |
FESPortal.Aro.type | String | Type. |
#
Command example!cov-mgsec-transition-aro aro_id="7ea9b17d-7529-4b17-b0e7-92334d6c674b" resolution="Resolved" comment="Risk mitigated."
#
Context Example#
Human Readable Output#
ARO
Id Alert Key Count Creation Time Details Display Url Last Updated Time Organization Resolution Resolution Duration Seconds Resolution Time Serial Id Severity Status Steps Title Type 7ea9b17d-7529-4b17-b0e7-92334d6c674b test_alert_key 1 2023-08-16 19:48:02 ARO Details test_url 2023-11-30 19:01:59 ID: test_ID
email: null
name: test_org_idResolved 9155637 2023-11-30 19:01:59 15 Low Open {'ID': 'test_id', 'completed': True, 'label': 'test_resolution_step', 'last_updated_time': '2023-10-24 20:53:45'} test_aro_title Observation #
cov-mgsec-broker-cloud-action-by-aro
Broker - Cloud Action By ARO.
#
Base Commandcov-mgsec-broker-cloud-action-by-aro
#
InputArgument Name | Description | Required |
---|---|---|
action_type | Action to perform. Possible values are: DISABLE_USER, ENABLE_USER, REVOKE_SESSIONS. | Required |
aro_id | ARO ID (eg. "00000000-1111-2222-3333-444444444444"). | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FESBroker.action_id | String | Action ID |
FESBroker.action_type | String | Action Type |
FESBroker.action_params | Unknown | Action Parameters |
FESBroker.created_time | String | Created Time |
FESBroker.status | String | Status |
FESBroker.result | String | Result |
#
Command example!cov-mgsec-broker-cloud-action-by-aro action_type=DISABLE_USER aro_id=00000000-1111-2222-3333-444444444444
#
Context Example#
Human Readable Output#
Command Result
action_id action_params action_type created_time result status 00000000-1111-2222-3333-444444444444 user: azure credential configuration endpoint service disable_user 2024-02-22T01:27:04.344179Z SUCCESS COMPLETE
#
cov-mgsec-broker-endpoint-action-by-aroBroker - Endpoint Action By ARO.
#
Base Commandcov-mgsec-broker-endpoint-action-by-aro
#
InputArgument Name | Description | Required |
---|---|---|
action_type | Action to send to Host. Possible values are: ISOLATE, UNISOLATE, SHUTDOWN, RESTART, DEFENDER_QUICK_SCAN, DEFENDER_FULL_SCAN, DEFENDER_SIGNATURE_UPDATE. | Required |
aro_id | ARO ID (eg. "00000000-1111-2222-3333-444444444444"). | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FESBroker.host_identifier | String | Host Identifier |
FESBroker.agent_uuid | String | Agent UUID |
FESBroker.covalence_appliance | String | Covalence Appliance ID |
FESBroker.task_id | Number | Endpoint Action Task ID |
#
Command example!cov-mgsec-broker-endpoint-action-by-aro action_type=DEFENDER_QUICK_SCAN aro_id=00000000-1111-2222-3333-444444444444
#
Context Example#
Human Readable Output#
Command Result - Success
agent_uuid covalence_appliance host_identifier task_id 00000000-1111-2222-3333-444444444444 2000-001-XX-0 00000000-1111-2222-3333-444444444444 26876
#
cov-mgsec-broker-pingBroker - Ping.
#
Base Commandcov-mgsec-broker-ping
#
InputArgument Name | Description | Required |
---|
#
Context OutputPath | Type | Description |
---|---|---|
FESBroker.APIStatus | String | API Status |
#
Command example!cov-mgsec-broker-ping
#
Context Example#
Human Readable Output#
Success
#
cov-mgsec-broker-endpoint-action-by-hostBroker - Endpoint Action By Host.
#
Base Commandcov-mgsec-broker-endpoint-action-by-host
#
InputArgument Name | Description | Required |
---|---|---|
action_type | Action to send to Host. Possible values are: ISOLATE, UNISOLATE, SHUTDOWN, RESTART, DEFENDER_QUICK_SCAN, DEFENDER_FULL_SCAN, DEFENDER_SIGNATURE_UPDATE. | Required |
org_id | Organization ID (eg. "00000000-1111-2222-3333-444444444444"). | Required |
host_identifier | Hostname. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FESBroker.host_identifier | String | Host Identifier |
FESBroker.agent_uuid | String | Agent UUID |
FESBroker.covalence_appliance | String | Covalence Appliance ID |
FESBroker.task_id | Number | Endpoint Action Task ID |
#
Command example!cov-mgsec-broker-endpoint-action-by-host action_type=DEFENDER_QUICK_SCAN host_identifier=test-hostname org_id=00000000-1111-2222-3333-444444444444
#
Context Example#
Human Readable Output#
Command Result - Success
agent_uuid covalence_appliance host_identifier task_id 00000000-1111-2222-3333-444444444444 2000-001-XX-0 test-hostname 24773
#
cov-mgsec-broker-list-orgBroker - List organizations.
#
Base Commandcov-mgsec-broker-list-org
#
InputArgument Name | Description | Required |
---|
#
Context OutputPath | Type | Description |
---|---|---|
FESBroker.ID | String | Organization ID |
FESBroker.name | String | Organization Name |
FESBroker.client_id | String | Client ID |
#
Command example!cov-mgsec-broker-list-org
#
Context Example#
Human Readable Output#
Organizations
ID client_id name 00000000-1111-2222-3333-444444444444 2024-1384-SAN 110 Sand Company
#
cov-mgsec-comment-aroComment on an ARO.
#
Base Commandcov-mgsec-comment-aro
#
InputArgument Name | Description | Required |
---|---|---|
aro_id | This ARO ID to transition. | Required |
comment | Comment to leave on the ARO. | Required |
is_comment_sensitive | Optionally mark the comment as sensitive. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FESPortal.Aro.ID | String | ID. |
FESPortal.Aro.acknowledged | Boolean | Acknowledged |
FESPortal.Aro.acknowledged_by.ID | String | Acknowledged By ID |
FESPortal.Aro.acknowledged_by.avatar_file_url | String | Acknowledged By |
FESPortal.Aro.acknowledged_by.email | String | Acknowledged By Email |
FESPortal.Aro.acknowledged_by.first_name | String | Acknowledged By First Name |
FESPortal.Aro.acknowledged_by.last_name | String | Acknowledged By Last Name |
FESPortal.Aro.acknowledged_time | Date | Acknowledged Time |
FESPortal.Aro.aro_id | String | ARO ID |
FESPortal.Aro.author.ID | String | Author ID |
FESPortal.Aro.author.avatar_file_url | String | Author Avatar File URL |
FESPortal.Aro.author.email | String | Author Email |
FESPortal.Aro.author.first_name | String | Author First Name |
FESPortal.Aro.author.last_name | String | Author Last Name |
FESPortal.Aro.author_organization.ID | String | Author Organization ID |
FESPortal.Aro.author_organization.email | String | Author Organization Email |
FESPortal.Aro.author_organization.name | String | Author Organization Name |
FESPortal.Aro.author_organization_type | String | Author Organization Type |
FESPortal.Aro.available_only_to_organization_id | String | ARO Comment Available Only to Organization ID |
FESPortal.Aro.available_only_to_provider_id | String | ARO Comment Available Only to Provider ID |
FESPortal.Aro.created_time | Date | ARO Created Time |
FESPortal.Aro.id | String | ARO Comment ID |
FESPortal.Aro.last_updated_time | Date | ARO Comment Last Updated Time |
FESPortal.Aro.sensitive | Boolean | ARO Comment Sensitive |
FESPortal.Aro.source | String | ARO Comment Source |
FESPortal.Aro.text | String | ARO Comment Text |
FESPortal.Aro.type | String | ARO Comment Type |
FESPortal.Aro.visible_to.ID | String | ARO Comment Visible to ID |
FESPortal.Aro.visible_to.email | String | ARO Comment Visible to Email |
FESPortal.Aro.visible_to.name | String | ARO Comment Visible to Name |
#
Command example!cov-mgsec-comment-aro aro_id="b25e461e-75e9-415b-a631-6d0f4516f33a" comment="Risk mitigated."
#
Context Example#
Human Readable Output#
ARO
Acknowledged Acknowledged By Acknowledged Time Aro Id Author Author Organization Author Organization Type Created Time Id Last Updated Time Sensitive Source Text Type Visible To true ID: abcdefghijklmnopqrstuvwxyzabd1
avatar_file_url: null
email: foo@bar.com
first_name: John
last_name: Smith2024-04-12 17:01:25 b25e461e-75e9-415b-a631-6d0f4516f33a ID: abcdefghijklmnopqrstuvwxyzabd1
avatar_file_url: null
email: foo@bar.com
first_name: John
last_name: SmithID: 00000000-1111-2222-3333-444444444444
email: foo@bar.com
name: Field EffectField Effect 2024-04-12 17:01:25 b14a53a4-23ac-488d-b992-dbc1d5ef5361 2024-04-12 17:01:25 false Portal Risk mitigated. Comment {'ID': '00000000-1111-2222-3333-444444444444', 'email': None, 'name': 'Tradecraft Test & Development (Do Not Delete)'},
{'ID': '00000000-1111-2222-3333-444444444444', 'email': 'foo@bar.com', 'name': 'Field Effect'}