Covalence Managed Security

This integration is part of the Covalence Managed Security Pack.

Triggered by triaged alerts from endpoint, cloud, and network security monitoring. Each alert contains event details and easy-to-follow mitigation steps. This integration was integrated and tested with version 1.1.10 of Covalence Managed Security.

Configure Covalence Managed Security on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Covalence Managed Security.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Credentials | | True |
    | Password | | True |
    | Use system proxy settings | | False |
    | First run time range | When fetching incidents for the first time, this parameter specifies in days how far the integration looks for incidents. For instance if set to "2", it will pull all alerts in Covalence for the last 2 days and will create corresponding incidents. | False |
    | Incident type | | False |
    | Fetch incidents | | False |
    | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | | False |
    | Fetch Limit | the maximum number of incidents to fetch | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cov-mgsec-get-aro

Query FES Portal for ARO.

Base Command

cov-mgsec-get-aro

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| details | If details=true, will return the complete response from Covalence API. | Optional |
| query | Portal query, for example: "resolution=Unresolved&type=Recommendation"<br>Available keys to filter on:<br>- id; e.g.: "id=<ARO_id>"<br>- status; e.g.: "status=In Triage" or "status=Open" or "status=Closed"<br>- resolution; e.g.: "resolution=Unresolved" or "resolution=Resolved" or "resolution=Help Requested" or "resolution=Dismissed"<br>- type; e.g.: "type=Action" or "type=Recommendation" or "type=Observation"<br>- org; e.g.: "org=<organization_name>"<br>- since; e.g.: "since=2021-01-31 14:00:00"<br>- until; e.g.: "until=2021-01-31 14:00:00". | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESPortal.Aro.ID | String | ID. |
| FESPortal.Aro.alert_key | String | Alert_key. |
| FESPortal.Aro.analyst_notes | String | Analyst_notes. |
| FESPortal.Aro.count | Number | Count. |
| FESPortal.Aro.creation_time | Date | Creation_time. |
| FESPortal.Aro.details | String | Details. |
| FESPortal.Aro.details_markdown | String | Details_markdown. |
| FESPortal.Aro.display_url | String | Display_url. |
| FESPortal.Aro.external_bug_id | String | External_bug_id. |
| FESPortal.Aro.last_updated_time | Date | Last_updated_time. |
| FESPortal.Aro.notes | String | Notes. |
| FESPortal.Aro.organization.ID | String | ID. |
| FESPortal.Aro.organization.email | String | Email. |
| FESPortal.Aro.organization.name | String | Name. |
| FESPortal.Aro.resolution | String | Resolution. |
| FESPortal.Aro.serial_id | String | Serial_id. |
| FESPortal.Aro.severity | String | Severity. |
| FESPortal.Aro.status | String | Status. |
| FESPortal.Aro.steps.ID | String | ID. |
| FESPortal.Aro.steps.completed | Boolean | Completed. |
| FESPortal.Aro.steps.label | String | Label. |
| FESPortal.Aro.steps.last_updated_time | Date | Last_updated_time. |
| FESPortal.Aro.template_id | String | Template_id. |
| FESPortal.Aro.title | String | Title. |
| FESPortal.Aro.triage_id | String | Triage_id. |
| FESPortal.Aro.type | String | Type. |

Command example

!cov-mgsec-get-aro query="since=2023-11-30 18:00:00"
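
An added example, not part of the integration's own code: a Python helper that builds the `query` argument from the filter keys and values listed in the Input table and rejects anything else before it reaches a playbook task. It assumes values are passed unencoded, as in the page's own examples; `build_aro_query` and `cli_command` are hypothetical names.

```python
from datetime import datetime

# Filter keys and allowed values as listed in the Input table for `query`.
ENUMS = {
    "status": {"In Triage", "Open", "Closed"},
    "resolution": {"Unresolved", "Resolved", "Help Requested", "Dismissed"},
    "type": {"Action", "Recommendation", "Observation"},
}
FREE_TEXT = {"id", "org"}
TIMESTAMPS = {"since", "until"}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # shape of "2021-01-31 14:00:00"


def build_aro_query(filters):
    """Return a query string for cov-mgsec-get-aro, or raise ValueError."""
    parsed_ts = {}
    parts = []
    for key, value in filters.items():
        value = str(value)
        if key in ENUMS:
            if value not in ENUMS[key]:
                raise ValueError(f"{key}: {value!r} not in {sorted(ENUMS[key])}")
        elif key in TIMESTAMPS:
            # strptime raises ValueError when the value is not a date and time
            parsed_ts[key] = datetime.strptime(value, TS_FORMAT)
        elif key in FREE_TEXT:
            # An org name or ID copied from incident data must not be able to
            # smuggle in an extra filter such as "Acme&resolution=Dismissed".
            if not value or any(c in value for c in '&="\r\n'):
                raise ValueError(f"{key}: empty or contains a reserved character")
        else:
            raise ValueError(f"unknown filter key: {key!r}")
        parts.append(f"{key}={value}")
    if not parts:
        raise ValueError("query is required and cannot be empty")
    if len(parsed_ts) == 2 and parsed_ts["since"] > parsed_ts["until"]:
        raise ValueError("since is later than until")
    return "&".join(parts)


def cli_command(filters):
    """Render the War Room command line in the form the page uses."""
    return f'!cov-mgsec-get-aro query="{build_aro_query(filters)}"'
```
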

Context Example

{
    "FESPortal": {
        "ARO": [
            {
                "organization": {
                    "ID": "9d4297ea-089e-42bd-884d-51744e31a471",
                    "email": "foo@bar.com",
                    "name": "Acme"
                },
                "resolution": "Unresolved",
                "severity": "Critical",
                "status": "Open",
                "title": "test2",
                "type": "Action"
            },
            {
                "organization": {
                    "ID": "e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd",
                    "email": "foo@bar.com",
                    "name": "Capsule Corp"
                },
                "resolution": "Unresolved",
                "severity": "High",
                "status": "Open",
                "title": "Vulnerable Software Detected",
                "type": "Recommendation"
            }
        ]
    }
}

Human Readable Output

AROs

| Organization | Resolution | Severity | Status | Title | Type |
| --- | --- | --- | --- | --- | --- |
| ID: 9d4297ea-089e-42bd-884d-51744e31a471<br>email: foo@bar.com<br>name: Acme | Unresolved | Critical | Open | test2 | Action |
| ID: e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd<br>email: foo@bar.com<br>name: Capsule Corp | Unresolved | High | Open | Vulnerable Software Detected | Recommendation |

cov-mgsec-list-org

List organizations.

Base Command

cov-mgsec-list-org

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESPortal.Org.ID | String | ID. |
| FESPortal.Org.email | String | Email. |
| FESPortal.Org.email_aro_details | Boolean | Email_aro_details. |
| FESPortal.Org.name | String | Name. |

Command example

!cov-mgsec-list-org

Context Example

{
    "FESPortal": {
        "Org": [
            {
                "ID": "9d4297ea-089e-42bd-884d-51744e31a471",
                "email": "foo@bar.com",
                "email_aro_details": false,
                "name": "Acme"
            },
            {
                "ID": "e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd",
                "email": "foo@bar.com",
                "email_aro_details": false,
                "name": "Capsule Corp"
            }
        ]
    }
}

Human Readable Output

Organizations

| Id | Email | Email Aro Details | Name |
| --- | --- | --- | --- |
| 9d4297ea-089e-42bd-884d-51744e31a471 | foo@bar.com | false | Acme |
| e0e04c8b-d50c-4379-bfd6-5e0f2b1037cd | foo@bar.com | false | Capsule Corp |

cov-mgsec-transition-aro

Transition an ARO.

Base Command

cov-mgsec-transition-aro

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| aro_id | The ARO ID to transition. | Required |
| resolution | Resolution to transition the ARO to. Options include: Unresolved, Help Requested, Resolved, or Dismissed. | Required |
| comment | Optional comment to leave on the ARO. | Optional |
| is_comment_sensitive | Optionally mark the comment as sensitive. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FESPortal.Aro.ID | String | ID. |
| FESPortal.Aro.alert_key | String | Alert_key. |
| FESPortal.Aro.analyst_notes | String | Analyst_notes. |
| FESPortal.Aro.count | Number | Count. |
| FESPortal.Aro.creation_time | Date | Creation_time. |
| FESPortal.Aro.details | String | Details. |
| FESPortal.Aro.details_markdown | String | Details_markdown. |
| FESPortal.Aro.display_url | String | Display_url. |
| FESPortal.Aro.external_bug_id | String | External_bug_id. |
| FESPortal.Aro.last_updated_time | Date | Last_updated_time. |
| FESPortal.Aro.notes | String | Notes. |
| FESPortal.Aro.organization.ID | String | ID. |
| FESPortal.Aro.organization.email | String | Email. |
| FESPortal.Aro.organization.name | String | Name. |
| FESPortal.Aro.resolution | String | Resolution. |
| FESPortal.Aro.serial_id | String | Serial_id. |
| FESPortal.Aro.severity | String | Severity. |
| FESPortal.Aro.status | String | Status. |
| FESPortal.Aro.steps.ID | String | ID. |
| FESPortal.Aro.steps.completed | Boolean | Completed. |
| FESPortal.Aro.steps.label | String | Label. |
| FESPortal.Aro.steps.last_updated_time | Date | Last_updated_time. |
| FESPortal.Aro.template_id | String | Template_id. |
| FESPortal.Aro.title | String | Title. |
| FESPortal.Aro.triage_id | String | Triage_id. |
| FESPortal.Aro.type | String | Type. |

Command example

!cov-mgsec-transition-aro aro_id="7ea9b17d-7529-4b17-b0e7-92334d6c674b" resolution="Resolved" comment="Risk mitigated."

Context Example

{
    "FESPortal": {
        "Org": {
            "ID": "7ea9b17d-7529-4b17-b0e7-92334d6c674b",
            "alert_key": "test_alert_key",
            "attachments": [],
            "count": 1,
            "creation_time": "2023-08-16 19:48:02",
            "data": null,
            "details": "ARO Details",
            "details_markdown": null,
            "display_url": "test_url",
            "external_ticket": null,
            "frameworks": [],
            "insights": {},
            "last_updated_time": "2023-11-30 19:01:59",
            "organization": {
                "ID": "test_ID",
                "email": null,
                "name": "test_org_id"
            },
            "references": [],
            "resolution": "Resolved",
            "resolution_duration_seconds": 9155637,
            "resolution_time": "2023-11-30 19:01:59",
            "serial_id": "15",
            "severity": "Low",
            "status": "Open",
            "steps": [
                {
                    "ID": "test_id",
                    "completed": true,
                    "label": "test_resolution_step",
                    "last_updated_time": "2023-10-24 20:53:45"
                }
            ],
            "template_id": null,
            "title": "test_aro_title",
            "triage_id": null,
            "type": "Observation"
        }
    }
}

Human Readable Output

ARO

| Id | Alert Key | Count | Creation Time | Details | Display Url | Last Updated Time | Organization | Resolution | Resolution Duration Seconds | Resolution Time | Serial Id | Severity | Status | Steps | Title | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 7ea9b17d-7529-4b17-b0e7-92334d6c674b | test_alert_key | 1 | 2023-08-16 19:48:02 | ARO Details | test_url | 2023-11-30 19:01:59 | ID: test_ID<br>email: null<br>name: test_org_id | Resolved | 9155637 | 2023-11-30 19:01:59 | 15 | Low | Open | {'ID': 'test_id', 'completed': True, 'label': 'test_resolution_step', 'last_updated_time': '2023-10-24 20:53:45'} | test_aro_title | Observation |