
Covalence Managed Security

This Integration is part of the Covalence Managed Security Pack.

Triggered by triaged alerts from endpoint, cloud, and network security monitoring. Each incident contains event details and easy-to-follow mitigation steps. This integration was integrated and tested with version 1.1.10 of Covalence Managed Security.

Configure Covalence Managed Security in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Credentials | | True |
| Password | | True |
| Use system proxy settings | | False |
| First run time range | When fetching incidents for the first time, this parameter specifies in days how far back the integration looks for incidents. For instance, if set to "2", it will pull all alerts in Covalence for the last 2 days and create corresponding incidents. | False |
| Incident type | | False |
| Fetch incidents | | False |
| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | | False |
| Fetch Limit | The maximum number of incidents to fetch | False |
| Broker Server URL | Broker Server URL (Optional). Required to use Broker commands. | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cov-mgsec-get-aro

Query FES Portal for ARO.

Base Command

cov-mgsec-get-aro

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| details | If details=true, returns the complete response from the Covalence API. | Optional |
| query | Portal query, for example: "resolution=Unresolved&type=Recommendation". See the available filter keys below. | Required |

Available keys to filter on:
- id; e.g. "id=<ARO_id>"
- status; e.g. "status=In Triage", "status=Open" or "status=Closed"
- resolution; e.g. "resolution=Unresolved", "resolution=Resolved", "resolution=Help Requested" or "resolution=Dismissed"
- type; e.g. "type=Action", "type=Recommendation" or "type=Observation"
- org; e.g. "org=<organization_name>"
- since; e.g. "since=2021-01-31 14:00:00"
- until; e.g. "until=2021-01-31 14:00:00"

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESPortal.Aro.ID | String | ID. |
| FESPortal.Aro.alert_key | String | Alert_key. |
| FESPortal.Aro.analyst_notes | String | Analyst_notes. |
| FESPortal.Aro.count | Number | Count. |
| FESPortal.Aro.creation_time | Date | Creation_time. |
| FESPortal.Aro.details | String | Details. |
| FESPortal.Aro.details_markdown | String | Details_markdown. |
| FESPortal.Aro.display_url | String | Display_url. |
| FESPortal.Aro.external_bug_id | String | External_bug_id. |
| FESPortal.Aro.last_updated_time | Date | Last_updated_time. |
| FESPortal.Aro.notes | String | Notes. |
| FESPortal.Aro.organization.ID | String | ID. |
| FESPortal.Aro.organization.email | String | Email. |
| FESPortal.Aro.organization.name | String | Name. |
| FESPortal.Aro.resolution | String | Resolution. |
| FESPortal.Aro.serial_id | String | Serial_id. |
| FESPortal.Aro.severity | String | Severity. |
| FESPortal.Aro.status | String | Status. |
| FESPortal.Aro.steps.ID | String | ID. |
| FESPortal.Aro.steps.completed | Boolean | Completed. |
| FESPortal.Aro.steps.label | String | Label. |
| FESPortal.Aro.steps.last_updated_time | Date | Last_updated_time. |
| FESPortal.Aro.template_id | String | Template_id. |
| FESPortal.Aro.title | String | Title. |
| FESPortal.Aro.triage_id | String | Triage_id. |
| FESPortal.Aro.type | String | Type. |

Command example

!cov-mgsec-get-aro query="since=2023-11-30 18:00:00"

Context Example

{
    "FESPortal": {
        "ARO": [
            {
                "organization": {
                    "ID": "9d4297ea-089e-42bd-884d-51744e31a471",
                    "email": "foo@bar.com",
                    "name": "Acme"
                },
                "resolution": "Unresolved",
                "severity": "Critical",
                "status": "Open",
                "title": "test2",
                "type": "Action"
            },
            {
                "organization": {
                    "ID": "e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd",
                    "email": "foo@bar.com",
                    "name": "Capsule Corp"
                },
                "resolution": "Unresolved",
                "severity": "High",
                "status": "Open",
                "title": "Vulnerable Software Detected",
                "type": "Recommendation"
            }
        ]
    }
}

Human Readable Output

AROs

| Organization | Resolution | Severity | Status | Title | Type |
| --- | --- | --- | --- | --- | --- |
| ID: 9d4297ea-089e-42bd-884d-51744e31a471, email: foo@bar.com, name: Acme | Unresolved | Critical | Open | test2 | Action |
| ID: e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd, email: foo@bar.com, name: Capsule Corp | Unresolved | High | Open | Vulnerable Software Detected | Recommendation |
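The `query` argument above is a free-form "key=value&key=value" string, so a playbook that assembles it from user input should check the keys and values against the lists in the reference before calling the command, and should reject values that carry the separator characters. The following is an added example and not part of the integration's own code: it builds a validated query, picks the unresolved AROs worth acting on from the command's context output, and prepares the arguments for a later `cov-mgsec-transition-aro` call. The severity ranking (including "Medium", which the page does not show), the `ID` values in the sample context and the helper names are assumptions made here.

```python
"""Build a validated cov-mgsec-get-aro query and triage the AROs it returns.

Added example, not the integration's own code. The query grammar and the allowed
values come from the command reference; the severity ranking and the sample
context (including its ID fields) are constructed.
"""
from datetime import datetime
from typing import Any, Dict, List

# Filter keys with a fixed set of values, as listed in the command reference.
ENUM_FILTERS = {
    "status": {"In Triage", "Open", "Closed"},
    "resolution": {"Unresolved", "Resolved", "Help Requested", "Dismissed"},
    "type": {"Action", "Recommendation", "Observation"},
}
TIME_FILTERS = {"since", "until"}        # value format "YYYY-MM-DD HH:MM:SS"
FREE_TEXT_FILTERS = {"id", "org"}
TRANSITION_RESOLUTIONS = {"Unresolved", "Help Requested", "Resolved", "Dismissed"}
# Assumed ordering: the page shows Critical, High and Low; "Medium" is a guess.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def build_aro_query(**filters: str) -> str:
    """Return the string for the `query` argument, rejecting unknown keys and values."""
    parts = []
    for key, value in filters.items():
        if key in ENUM_FILTERS:
            if value not in ENUM_FILTERS[key]:
                raise ValueError(f"{key}={value!r} is not one of {sorted(ENUM_FILTERS[key])}")
        elif key in TIME_FILTERS:
            datetime.strptime(value, "%Y-%m-%d %H:%M:%S")  # ValueError on a bad timestamp
        elif key not in FREE_TEXT_FILTERS:
            raise ValueError(f"unknown filter key {key!r}")
        if "&" in value or "=" in value:
            # A value carrying the separator characters would smuggle in an extra filter.
            raise ValueError(f"{key} value may not contain '&' or '='")
        parts.append(f"{key}={value}")
    return "&".join(parts)


def actionable_aros(context: Dict[str, Any], min_severity: str = "High") -> List[Dict[str, Any]]:
    """Pick unresolved AROs at or above min_severity, most severe first."""
    portal = context.get("FESPortal", {})
    aros = portal.get("ARO") or portal.get("Aro") or []  # the reference uses both spellings
    floor = SEVERITY_RANK[min_severity]
    picked = [
        a for a in aros
        if a.get("resolution") == "Unresolved"
        and SEVERITY_RANK.get(a.get("severity", ""), 0) >= floor
    ]
    return sorted(picked, key=lambda a: SEVERITY_RANK[a["severity"]], reverse=True)


def transition_args(aro: Dict[str, Any], resolution: str, comment: str,
                    sensitive: bool = False) -> Dict[str, str]:
    """Arguments for cov-mgsec-transition-aro, with the resolution checked first."""
    if resolution not in TRANSITION_RESOLUTIONS:
        raise ValueError(f"resolution {resolution!r} is not one of {sorted(TRANSITION_RESOLUTIONS)}")
    if not aro.get("ID"):
        raise ValueError("ARO record has no ID field")
    return {
        "aro_id": aro["ID"],
        "resolution": resolution,
        "comment": comment,
        "is_comment_sensitive": "true" if sensitive else "false",
    }


# Constructed sample modelled on the context example above; the ID values are made up.
ACME = {"ID": "9d4297ea-089e-42bd-884d-51744e31a471", "email": "foo@bar.com", "name": "Acme"}
CAPSULE = {"ID": "e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd", "email": "foo@bar.com", "name": "Capsule Corp"}
SAMPLE_CONTEXT = {"FESPortal": {"ARO": [
    {"ID": "11111111-0000-0000-0000-000000000001", "organization": ACME, "resolution": "Unresolved",
     "severity": "Critical", "status": "Open", "title": "test2", "type": "Action"},
    {"ID": "11111111-0000-0000-0000-000000000002", "organization": CAPSULE, "resolution": "Unresolved",
     "severity": "High", "status": "Open", "title": "Vulnerable Software Detected", "type": "Recommendation"},
    {"ID": "11111111-0000-0000-0000-000000000003", "organization": ACME, "resolution": "Resolved",
     "severity": "Critical", "status": "Closed", "title": "constructed closed ARO", "type": "Observation"},
    {"ID": "11111111-0000-0000-0000-000000000004", "organization": CAPSULE, "resolution": "Unresolved",
     "severity": "Low", "status": "Open", "title": "constructed low ARO", "type": "Observation"},
]}}

if __name__ == "__main__":
    print(build_aro_query(resolution="Unresolved", type="Recommendation"))
    for aro in actionable_aros(SAMPLE_CONTEXT):
        print(aro["severity"], aro["title"],
              transition_args(aro, "Help Requested", "Escalated to Covalence analysts"))
```

The transition arguments are returned as a plain dict so the same check can feed either a CLI call or a playbook task; the resolution values are exactly the four the `cov-mgsec-transition-aro` reference accepts.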

cov-mgsec-list-org

List organizations.

Base Command

cov-mgsec-list-org

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESPortal.Org.ID | String | ID. |
| FESPortal.Org.email | String | Email. |
| FESPortal.Org.email_aro_details | Boolean | Email_aro_details. |
| FESPortal.Org.name | String | Name. |

Command example

!cov-mgsec-list-org

Context Example

{
    "FESPortal": {
        "Org": [
            {
                "ID": "9d4297ea-089e-42bd-884d-51744e31a471",
                "email": "foo@bar.com",
                "email_aro_details": false,
                "name": "Acme"
            },
            {
                "ID": "e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd",
                "email": "foo@bar.com",
                "email_aro_details": false,
                "name": "Capsule Corp"
            }
        ]
    }
}

Human Readable Output

Organizations

| Id | Email | Email Aro Details | Name |
| --- | --- | --- | --- |
| 9d4297ea-089e-42bd-884d-51744e31a471 | foo@bar.com | false | Acme |
| e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd | foo@bar.com | false | Capsule Corp |

cov-mgsec-transition-aro

Transition an ARO.

Base Command

cov-mgsec-transition-aro

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| aro_id | The ARO ID to transition. | Required |
| resolution | Resolution to transition the ARO to. Possible values are: Unresolved, Help Requested, Resolved, Dismissed. | Required |
| comment | Optional comment to leave on the ARO. | Optional |
| is_comment_sensitive | Optionally mark the comment as sensitive. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESPortal.Aro.ID | String | ID. |
| FESPortal.Aro.alert_key | String | Alert_key. |
| FESPortal.Aro.analyst_notes | String | Analyst_notes. |
| FESPortal.Aro.count | Number | Count. |
| FESPortal.Aro.creation_time | Date | Creation_time. |
| FESPortal.Aro.details | String | Details. |
| FESPortal.Aro.details_markdown | String | Details_markdown. |
| FESPortal.Aro.display_url | String | Display_url. |
| FESPortal.Aro.external_bug_id | String | External_bug_id. |
| FESPortal.Aro.last_updated_time | Date | Last_updated_time. |
| FESPortal.Aro.notes | String | Notes. |
| FESPortal.Aro.organization.ID | String | ID. |
| FESPortal.Aro.organization.email | String | Email. |
| FESPortal.Aro.organization.name | String | Name. |
| FESPortal.Aro.resolution | String | Resolution. |
| FESPortal.Aro.serial_id | String | Serial_id. |
| FESPortal.Aro.severity | String | Severity. |
| FESPortal.Aro.status | String | Status. |
| FESPortal.Aro.steps.ID | String | ID. |
| FESPortal.Aro.steps.completed | Boolean | Completed. |
| FESPortal.Aro.steps.label | String | Label. |
| FESPortal.Aro.steps.last_updated_time | Date | Last_updated_time. |
| FESPortal.Aro.template_id | String | Template_id. |
| FESPortal.Aro.title | String | Title. |
| FESPortal.Aro.triage_id | String | Triage_id. |
| FESPortal.Aro.type | String | Type. |

Command example

!cov-mgsec-transition-aro aro_id="7ea9b17d-7529-4b17-b0e7-92334d6c674b" resolution="Resolved" comment="Risk mitigated."

Context Example

{
    "FESPortal": {
        "Org": {
            "ID": "7ea9b17d-7529-4b17-b0e7-92334d6c674b",
            "alert_key": "test_alert_key",
            "attachments": [],
            "count": 1,
            "creation_time": "2023-08-16 19:48:02",
            "data": null,
            "details": "ARO Details",
            "details_markdown": null,
            "display_url": "test_url",
            "external_ticket": null,
            "frameworks": [],
            "insights": {},
            "last_updated_time": "2023-11-30 19:01:59",
            "organization": {
                "ID": "test_ID",
                "email": null,
                "name": "test_org_id"
            },
            "references": [],
            "resolution": "Resolved",
            "resolution_duration_seconds": 9155637,
            "resolution_time": "2023-11-30 19:01:59",
            "serial_id": "15",
            "severity": "Low",
            "status": "Open",
            "steps": [
                {
                    "ID": "test_id",
                    "completed": true,
                    "label": "test_resolution_step",
                    "last_updated_time": "2023-10-24 20:53:45"
                }
            ],
            "template_id": null,
            "title": "test_aro_title",
            "triage_id": null,
            "type": "Observation"
        }
    }
}

Human Readable Output

ARO

| Id | Alert Key | Count | Creation Time | Details | Display Url | Last Updated Time | Organization | Resolution | Resolution Duration Seconds | Resolution Time | Serial Id | Severity | Status | Steps | Title | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 7ea9b17d-7529-4b17-b0e7-92334d6c674b | test_alert_key | 1 | 2023-08-16 19:48:02 | ARO Details | test_url | 2023-11-30 19:01:59 | ID: test_ID, email: null, name: test_org_id | Resolved | 9155637 | 2023-11-30 19:01:59 | 15 | Low | Open | {'ID': 'test_id', 'completed': True, 'label': 'test_resolution_step', 'last_updated_time': '2023-10-24 20:53:45'} | test_aro_title | Observation |

cov-mgsec-broker-cloud-action-by-aro

Broker - Cloud Action By ARO.

Base Command

cov-mgsec-broker-cloud-action-by-aro

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| action_type | Action to perform. Possible values are: DISABLE_USER, ENABLE_USER, REVOKE_SESSIONS. | Required |
| aro_id | ARO ID (e.g. "00000000-1111-2222-3333-444444444444"). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESBroker.action_id | String | Action ID |
| FESBroker.action_type | String | Action Type |
| FESBroker.action_params | Unknown | Action Parameters |
| FESBroker.created_time | String | Created Time |
| FESBroker.status | String | Status |
| FESBroker.result | String | Result |

Command example

!cov-mgsec-broker-cloud-action-by-aro action_type=DISABLE_USER aro_id=00000000-1111-2222-3333-444444444444

Context Example

{
    "FESBroker": {
        "Action": {
            "action_id": "00000000-1111-2222-3333-444444444444",
            "action_params": {
                "user": "azure credential configuration endpoint service"
            },
            "action_type": "disable_user",
            "created_time": "2024-02-22T01:27:04.344179Z",
            "result": "SUCCESS",
            "status": "COMPLETE"
        }
    }
}

Human Readable Output

Command Result

| action_id | action_params | action_type | created_time | result | status |
| --- | --- | --- | --- | --- | --- |
| 00000000-1111-2222-3333-444444444444 | user: azure credential configuration endpoint service | disable_user | 2024-02-22T01:27:04.344179Z | SUCCESS | COMPLETE |

cov-mgsec-broker-endpoint-action-by-aro

Broker - Endpoint Action By ARO.

Base Command

cov-mgsec-broker-endpoint-action-by-aro

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| action_type | Action to send to Host. Possible values are: ISOLATE, UNISOLATE, SHUTDOWN, RESTART, DEFENDER_QUICK_SCAN, DEFENDER_FULL_SCAN, DEFENDER_SIGNATURE_UPDATE. | Required |
| aro_id | ARO ID (e.g. "00000000-1111-2222-3333-444444444444"). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESBroker.host_identifier | String | Host Identifier |
| FESBroker.agent_uuid | String | Agent UUID |
| FESBroker.covalence_appliance | String | Covalence Appliance ID |
| FESBroker.task_id | Number | Endpoint Action Task ID |

Command example

!cov-mgsec-broker-endpoint-action-by-aro action_type=DEFENDER_QUICK_SCAN aro_id=00000000-1111-2222-3333-444444444444

Context Example

{
    "FESBroker": {
        "Action": {
            "agent_uuid": "00000000-1111-2222-3333-444444444444",
            "covalence_appliance": "2000-001-XX-0",
            "host_identifier": "00000000-1111-2222-3333-444444444444",
            "task_id": 26876
        }
    }
}

Human Readable Output

Command Result - Success

| agent_uuid | covalence_appliance | host_identifier | task_id |
| --- | --- | --- | --- |
| 00000000-1111-2222-3333-444444444444 | 2000-001-XX-0 | 00000000-1111-2222-3333-444444444444 | 26876 |

cov-mgsec-broker-ping

Broker - Ping.

Base Command

cov-mgsec-broker-ping

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESBroker.APIStatus | String | API Status |

Command example

!cov-mgsec-broker-ping

Context Example

{
    "FESBroker": {
        "APIStatus": "pong"
    }
}

Human Readable Output

Success

cov-mgsec-broker-endpoint-action-by-host

Broker - Endpoint Action By Host.

Base Command

cov-mgsec-broker-endpoint-action-by-host

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| action_type | Action to send to Host. Possible values are: ISOLATE, UNISOLATE, SHUTDOWN, RESTART, DEFENDER_QUICK_SCAN, DEFENDER_FULL_SCAN, DEFENDER_SIGNATURE_UPDATE. | Required |
| org_id | Organization ID (e.g. "00000000-1111-2222-3333-444444444444"). | Required |
| host_identifier | Hostname. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESBroker.host_identifier | String | Host Identifier |
| FESBroker.agent_uuid | String | Agent UUID |
| FESBroker.covalence_appliance | String | Covalence Appliance ID |
| FESBroker.task_id | Number | Endpoint Action Task ID |

Command example

!cov-mgsec-broker-endpoint-action-by-host action_type=DEFENDER_QUICK_SCAN host_identifier=test-hostname org_id=00000000-1111-2222-3333-444444444444

Context Example

{
    "FESBroker": {
        "Action": {
            "agent_uuid": "00000000-1111-2222-3333-444444444444",
            "covalence_appliance": "2000-001-XX-0",
            "host_identifier": "test-hostname",
            "task_id": 24773
        }
    }
}

Human Readable Output

Command Result - Success

| agent_uuid | covalence_appliance | host_identifier | task_id |
| --- | --- | --- | --- |
| 00000000-1111-2222-3333-444444444444 | 2000-001-XX-0 | test-hostname | 24773 |
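The three broker action commands (cloud action by ARO, endpoint action by ARO, endpoint action by host) take their `action_type` from fixed lists, and several of those actions take a user or host out of service. A playbook that issues them should validate the action and the identifiers before the command goes out, and should read the result fields rather than assume success. The block below is an added example and not the integration's or Field Effect's code: it builds the three command lines with those checks, requires an explicit opt-in for the disruptive actions, and interprets the context output of the two response shapes shown above. The "disruptive" set, the opt-in flag, and the rule that a cloud action succeeded only when `status` is COMPLETE and `result` is SUCCESS are assumptions drawn from the context examples, not documented semantics.

```python
"""Build validated Covalence broker action commands and interpret their context output.

Added example, not part of the integration. The command syntax and the allowed
action_type values come from the command reference; the disruptive set, the
opt-in flag and the success criterion are assumptions made here.
"""
import re
import uuid
from typing import Any, Dict, Optional

# Allowed action_type values, as listed for each command in the reference.
CLOUD_ACTIONS = {"DISABLE_USER", "ENABLE_USER", "REVOKE_SESSIONS"}
ENDPOINT_ACTIONS = {
    "ISOLATE", "UNISOLATE", "SHUTDOWN", "RESTART",
    "DEFENDER_QUICK_SCAN", "DEFENDER_FULL_SCAN", "DEFENDER_SIGNATURE_UPDATE",
}
# Assumption: actions that take a user or host out of service need an explicit
# opt-in, so an automation cannot isolate or shut down by accident.
DISRUPTIVE_ACTIONS = {"ISOLATE", "SHUTDOWN", "RESTART", "DISABLE_USER", "REVOKE_SESSIONS"}
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def _check_action(action_type: str, allowed: set, allow_disruptive: bool) -> None:
    if action_type not in allowed:
        raise ValueError(f"action_type {action_type!r} is not one of {sorted(allowed)}")
    if action_type in DISRUPTIVE_ACTIONS and not allow_disruptive:
        raise PermissionError(f"{action_type} is disruptive; pass allow_disruptive=True")


def _check_uuid(name: str, value: str) -> str:
    try:
        uuid.UUID(value)
    except (ValueError, TypeError, AttributeError):
        raise ValueError(f"{name} must be a UUID, got {value!r}") from None
    return value


def cloud_action_by_aro(action_type: str, aro_id: str, allow_disruptive: bool = False) -> str:
    """Command line for cov-mgsec-broker-cloud-action-by-aro."""
    _check_action(action_type, CLOUD_ACTIONS, allow_disruptive)
    _check_uuid("aro_id", aro_id)
    return f"!cov-mgsec-broker-cloud-action-by-aro action_type={action_type} aro_id={aro_id}"


def endpoint_action_by_aro(action_type: str, aro_id: str, allow_disruptive: bool = False) -> str:
    """Command line for cov-mgsec-broker-endpoint-action-by-aro."""
    _check_action(action_type, ENDPOINT_ACTIONS, allow_disruptive)
    _check_uuid("aro_id", aro_id)
    return f"!cov-mgsec-broker-endpoint-action-by-aro action_type={action_type} aro_id={aro_id}"


def endpoint_action_by_host(action_type: str, org_id: str, host_identifier: str,
                            allow_disruptive: bool = False) -> str:
    """Command line for cov-mgsec-broker-endpoint-action-by-host."""
    _check_action(action_type, ENDPOINT_ACTIONS, allow_disruptive)
    _check_uuid("org_id", org_id)
    if not HOSTNAME_RE.fullmatch(host_identifier):
        # The hostname is passed unquoted on the command line; reject anything
        # that could be read as a second argument.
        raise ValueError(f"host_identifier {host_identifier!r} is not a plain hostname")
    return (f"!cov-mgsec-broker-endpoint-action-by-host action_type={action_type} "
            f"host_identifier={host_identifier} org_id={org_id}")


def cloud_action_succeeded(context: Dict[str, Any]) -> bool:
    """True only when the broker reports status COMPLETE and result SUCCESS.

    Assumption drawn from the context example: a COMPLETE status alone does not
    say whether the action worked, so both fields are checked.
    """
    action = context.get("FESBroker", {}).get("Action", {})
    return action.get("status") == "COMPLETE" and action.get("result") == "SUCCESS"


def endpoint_task_id(context: Dict[str, Any]) -> Optional[int]:
    """Task ID to record for follow-up; endpoint actions return no result field."""
    task = context.get("FESBroker", {}).get("Action", {}).get("task_id")
    return int(task) if task is not None else None


# Constructed samples, modelled on the context examples in the reference above.
SAMPLE_CLOUD_CONTEXT = {"FESBroker": {"Action": {
    "action_id": "00000000-1111-2222-3333-444444444444",
    "action_params": {"user": "azure credential configuration endpoint service"},
    "action_type": "disable_user",
    "created_time": "2024-02-22T01:27:04.344179Z",
    "result": "SUCCESS", "status": "COMPLETE"}}}
SAMPLE_ENDPOINT_CONTEXT = {"FESBroker": {"Action": {
    "agent_uuid": "00000000-1111-2222-3333-444444444444",
    "covalence_appliance": "2000-001-XX-0",
    "host_identifier": "test-hostname", "task_id": 24773}}}

if __name__ == "__main__":
    print(endpoint_action_by_host("DEFENDER_QUICK_SCAN",
                                  "00000000-1111-2222-3333-444444444444", "test-hostname"))
    print("cloud action ok:", cloud_action_succeeded(SAMPLE_CLOUD_CONTEXT))
    print("endpoint task:", endpoint_task_id(SAMPLE_ENDPOINT_CONTEXT))
```

Because the endpoint commands only hand back a `task_id`, the returned number is what a playbook should store and poll against; the cloud command is the only one of the three whose context carries a result to branch on.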

cov-mgsec-broker-list-org

Broker - List organizations.

Base Command

cov-mgsec-broker-list-org

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESBroker.ID | String | Organization ID |
| FESBroker.name | String | Organization Name |
| FESBroker.client_id | String | Client ID |

Command example

!cov-mgsec-broker-list-org

Context Example

{
    "FESBroker": {
        "Org": [
            {
                "ID": "00000000-1111-2222-3333-444444444444",
                "client_id": "2000-001-XX-0",
                "name": "Test Company"
            }
        ]
    }
}

Human Readable Output

Organizations

IDclient_idname
00000000-1111-2222-3333-4444444444442024-1384-SAN110 Sand Company

cov-mgsec-comment-aro

Comment on an ARO.

Base Command

cov-mgsec-comment-aro

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| aro_id | The ARO ID to comment on. | Required |
| comment | Comment to leave on the ARO. | Required |
| is_comment_sensitive | Optionally mark the comment as sensitive. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESPortal.Aro.ID | String | ID. |
| FESPortal.Aro.acknowledged | Boolean | Acknowledged |
| FESPortal.Aro.acknowledged_by.ID | String | Acknowledged By ID |
| FESPortal.Aro.acknowledged_by.avatar_file_url | String | Acknowledged By Avatar File URL |
| FESPortal.Aro.acknowledged_by.email | String | Acknowledged By Email |
| FESPortal.Aro.acknowledged_by.first_name | String | Acknowledged By First Name |
| FESPortal.Aro.acknowledged_by.last_name | String | Acknowledged By Last Name |
| FESPortal.Aro.acknowledged_time | Date | Acknowledged Time |
| FESPortal.Aro.aro_id | String | ARO ID |
| FESPortal.Aro.author.ID | String | Author ID |
| FESPortal.Aro.author.avatar_file_url | String | Author Avatar File URL |
| FESPortal.Aro.author.email | String | Author Email |
| FESPortal.Aro.author.first_name | String | Author First Name |
| FESPortal.Aro.author.last_name | String | Author Last Name |
| FESPortal.Aro.author_organization.ID | String | Author Organization ID |
| FESPortal.Aro.author_organization.email | String | Author Organization Email |
| FESPortal.Aro.author_organization.name | String | Author Organization Name |
| FESPortal.Aro.author_organization_type | String | Author Organization Type |
| FESPortal.Aro.available_only_to_organization_id | String | ARO Comment Available Only to Organization ID |
| FESPortal.Aro.available_only_to_provider_id | String | ARO Comment Available Only to Provider ID |
| FESPortal.Aro.created_time | Date | ARO Created Time |
| FESPortal.Aro.id | String | ARO Comment ID |
| FESPortal.Aro.last_updated_time | Date | ARO Comment Last Updated Time |
| FESPortal.Aro.sensitive | Boolean | ARO Comment Sensitive |
| FESPortal.Aro.source | String | ARO Comment Source |
| FESPortal.Aro.text | String | ARO Comment Text |
| FESPortal.Aro.type | String | ARO Comment Type |
| FESPortal.Aro.visible_to.ID | String | ARO Comment Visible to ID |
| FESPortal.Aro.visible_to.email | String | ARO Comment Visible to Email |
| FESPortal.Aro.visible_to.name | String | ARO Comment Visible to Name |

Command example

!cov-mgsec-comment-aro aro_id="b25e461e-75e9-415b-a631-6d0f4516f33a" comment="Risk mitigated."

Context Example

{
    "FESPortal": {
        "Org": {
            "acknowledged": true,
            "acknowledged_by": {
                "ID": "abcdefghijklmnopqrstuvwxyzabd1",
                "avatar_file_url": null,
                "email": "foo@bar.com",
                "first_name": "John",
                "last_name": "Smith"
            },
            "acknowledged_time": "2024-04-12 17:01:25",
            "aro_id": "b25e461e-75e9-415b-a631-6d0f4516f33a",
            "author": {
                "ID": "abcdefghijklmnopqrstuvwxyzabd1",
                "avatar_file_url": null,
                "email": "foo@bar.com",
                "first_name": "John",
                "last_name": "Smith"
            },
            "author_organization": {
                "ID": "00000000-1111-2222-3333-444444444444",
                "email": "foo@bar.com",
                "name": "Field Effect"
            },
            "author_organization_type": "Field Effect",
            "available_only_to_organization_id": null,
            "available_only_to_provider_id": null,
            "created_time": "2024-04-12 17:01:25",
            "id": "b14a53a4-23ac-488d-b992-dbc1d5ef5361",
            "last_updated_time": "2024-04-12 17:01:25",
            "sensitive": false,
            "source": "Portal",
            "text": "Risk mitigated.",
            "type": "Comment",
            "visible_to": [
                {
                    "ID": "00000000-1111-2222-3333-444444444444",
                    "email": null,
                    "name": "Tradecraft Test & Development (Do Not Delete)"
                },
                {
                    "ID": "00000000-1111-2222-3333-444444444444",
                    "email": "foo@bar.com",
                    "name": "Field Effect"
                }
            ]
        }
    }
}

Human Readable Output

ARO

| Acknowledged | Acknowledged By | Acknowledged Time | Aro Id | Author | Author Organization | Author Organization Type | Created Time | Id | Last Updated Time | Sensitive | Source | Text | Type | Visible To |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| true | ID: abcdefghijklmnopqrstuvwxyzabd1, avatar_file_url: null, email: foo@bar.com, first_name: John, last_name: Smith | 2024-04-12 17:01:25 | b25e461e-75e9-415b-a631-6d0f4516f33a | ID: abcdefghijklmnopqrstuvwxyzabd1, avatar_file_url: null, email: foo@bar.com, first_name: John, last_name: Smith | ID: 00000000-1111-2222-3333-444444444444, email: foo@bar.com, name: Field Effect | Field Effect | 2024-04-12 17:01:25 | b14a53a4-23ac-488d-b992-dbc1d5ef5361 | 2024-04-12 17:01:25 | false | Portal | Risk mitigated. | Comment | {'ID': '00000000-1111-2222-3333-444444444444', 'email': None, 'name': 'Tradecraft Test & Development (Do Not Delete)'}, {'ID': '00000000-1111-2222-3333-444444444444', 'email': 'foo@bar.com', 'name': 'Field Effect'} |