
# Gigamon ThreatINSIGHT

This Integration is part of the Gigamon ThreatINSIGHT Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

## Gigamon ThreatINSIGHT Integration for Cortex XSOAR

### Insight Overview

The Gigamon ThreatINSIGHT Cortex XSOAR integration enables security teams to use the features and functionality of the ThreatINSIGHT solution with their existing Cortex deployment. The integration leverages the ThreatINSIGHT RESTful APIs to interact with the back end and bring specific data sets into Cortex XSOAR. This document contains all the information needed to configure, install, and use the integration.

### Integration Overview

The Gigamon ThreatINSIGHT Cortex XSOAR integration enables security teams to use the features and functionality of the Insight solution with their existing Cortex XSOAR deployment. The integration leverages Insight's fully RESTful APIs to interact with the Insight backend and bring specific data sets into Cortex XSOAR. This document contains all the information needed to configure, install, and use the integration. For more information about the Cortex XSOAR integration, see the Insight help documentation: https://insight.gigamon.com/help/api/apidocs-demisto

## Configure Gigamon ThreatINSIGHT in Cortex

| Parameter | Required |
| --- | --- |
| API Token | True |
| First Fetch Time (Amount of day before current date) | False |
| Fetch incidents | False |
| Incident type | False |
| Incident Filter: Account UUID (Optional) | False |
| Maximum incidents in each fetch each run | False |
| Incidents Fetch Interval | False |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### insight-get-sensors

Get a list of all sensors.

#### Base Command

`insight-get-sensors`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| account_uuid | UUID of the account to filter by. | Optional |
| account_code | Account code to filter by. | Optional |
| sensor_id | ID of the sensor to filter by. | Optional |
| include | Include additional metadata such as status, interfaces, admin.sensor, admin.zeek, admin.suricata, etc. | Optional |
| enabled | Filter by true or false. If not provided, all sensors are returned. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Sensors.created | date | Date when the sensor was created |
| Insight.Sensors.updated | date | Date when the sensor was last updated |
| Insight.Sensors.sensor_id | string | ID code of the sensor |
| Insight.Sensors.account_code | string | ID code of the customer account |
| Insight.Sensors.location | string | Latitude and longitude where the sensor is located |
| Insight.Sensors.subdivison | string | State/Province where the sensor is located |
| Insight.Sensors.city | string | City where the sensor is located |
| Insight.Sensors.country | string | Country where the sensor is located |
| Insight.Sensors.tags | string | Labels added for this sensor |
| Insight.Sensors.pcap_enabled | boolean | If PCAP is enabled on the sensor (true/false) |

#### Command example

```
!insight-get-sensors
```

#### Context Example

```json
{
  "Insight": {
    "Sensors": [
      {
        "account_code": "gdm",
        "admin": null,
        "city": null,
        "country": null,
        "created": "2021-12-17T20:40:54.348Z",
        "disabled": "2022-03-28T18:18:46.826Z",
        "interfaces": null,
        "location": null,
        "pcap_enabled": false,
        "sensor_id": "gdm1",
        "serial_number": null,
        "status": null,
        "subdivision": null,
        "tags": [],
        "updated": "2021-12-17T20:40:54.348Z"
      },
      {
        "account_code": "gdm",
        "admin": null,
        "city": null,
        "country": null,
        "created": "2022-03-28T18:17:37.696Z",
        "disabled": null,
        "interfaces": null,
        "location": null,
        "pcap_enabled": false,
        "sensor_id": "gdm2",
        "serial_number": null,
        "status": null,
        "subdivision": null,
        "tags": [],
        "updated": "2022-03-28T18:17:37.696Z"
      }
    ]
  }
}
```

#### Human Readable Output

##### Results

| account_code | admin | city | country | created | disabled | interfaces | location | pcap_enabled | sensor_id | serial_number | status | subdivision | tags | updated |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| gdm | | | | 2021-12-17T20:40:54.348Z | 2022-03-28T18:18:46.826Z | | | false | gdm1 | | | | | 2021-12-17T20:40:54.348Z |
| gdm | | | | 2022-03-28T18:17:37.696Z | | | | false | gdm2 | | | | | 2022-03-28T18:17:37.696Z |

#### Command example

```
!insight-get-sensors account_code=gdm
```

#### Context Example

```json
{
  "Insight": {
    "Sensors": [
      {
        "account_code": "gdm",
        "admin": null,
        "city": null,
        "country": null,
        "created": "2021-12-17T20:40:54.348Z",
        "disabled": "2022-03-28T18:18:46.826Z",
        "interfaces": null,
        "location": null,
        "pcap_enabled": false,
        "sensor_id": "gdm1",
        "serial_number": null,
        "status": null,
        "subdivision": null,
        "tags": [],
        "updated": "2021-12-17T20:40:54.348Z"
      },
      {
        "account_code": "gdm",
        "admin": null,
        "city": null,
        "country": null,
        "created": "2022-03-28T18:17:37.696Z",
        "disabled": null,
        "interfaces": null,
        "location": null,
        "pcap_enabled": false,
        "sensor_id": "gdm2",
        "serial_number": null,
        "status": null,
        "subdivision": null,
        "tags": [],
        "updated": "2022-03-28T18:17:37.696Z"
      }
    ]
  }
}
```

#### Human Readable Output

##### Results

| account_code | admin | city | country | created | disabled | interfaces | location | pcap_enabled | sensor_id | serial_number | status | subdivision | tags | updated |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| gdm | | | | 2021-12-17T20:40:54.348Z | 2022-03-28T18:18:46.826Z | | | false | gdm1 | | | | | 2021-12-17T20:40:54.348Z |
| gdm | | | | 2022-03-28T18:17:37.696Z | | | | false | gdm2 | | | | | 2022-03-28T18:17:37.696Z |

### insight-get-devices

Get a list of all devices.

#### Base Command

`insight-get-devices`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_date | Filter devices based on when they were seen. | Optional |
| end_date | Filter devices based on when they were seen. | Optional |
| cidr | Filter devices that are under a specific CIDR. | Optional |
| sensor_id | Filter devices that were observed by a specific sensor. | Optional |
| traffic_direction | Filter devices that have been noted to only have a certain directionality of traffic ("external" vs "internal"). | Optional |
| sort_by | Sort output by: "ip", "internal", "external". | Optional |
| sort_direction | Sort direction ("asc" vs "desc"). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Devices.date | date | Date when the device was first seen |
| Insight.Devices.external | boolean | If external traffic has been observed for this device |
| Insight.Devices.internal | boolean | If internal traffic has been observed for this device |
| Insight.Devices.ip_address | string | IP address of the device |
| Insight.Devices.sensor_id | string | ID code of the sensor |

#### Command example

```
!insight-get-devices cidr=21.5.0.0/16
```

#### Context Example

```json
{
  "Insight": {
    "Devices": [
      {
        "date": null,
        "external": true,
        "internal": true,
        "ip_address": "21.5.31.1"
      },
      {
        "date": null,
        "external": true,
        "internal": true,
        "ip_address": "21.5.31.5"
      },
      {
        "date": null,
        "external": true,
        "internal": true,
        "ip_address": "21.5.31.101"
      }
    ]
  }
}
```

#### Human Readable Output

##### Results

| date | external | internal | ip_address |
| --- | --- | --- | --- |
| | true | true | 21.5.31.1 |
| | true | true | 21.5.31.5 |
| | true | true | 21.5.31.101 |

### insight-get-tasks

Get a list of all the PCAP tasks.

#### Base Command

`insight-get-tasks`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| task_uuid | Filter to a specific task. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Tasks.task_uuid | string | Unique ID of the task |
| Insight.Tasks.actual_start_time | date | Date when the task actually started |
| Insight.Tasks.requested_start_time | date | Requested date for the task start |
| Insight.Tasks.updated_email | string | Email address of the user that updated the task |
| Insight.Tasks.created_uuid | string | Unique ID of the user that created the task |
| Insight.Tasks.created | date | Date when the task was created |
| Insight.Tasks.name | string | Name of the task |
| Insight.Tasks.status | string | Current status of the task |
| Insight.Tasks.created_email | string | Email address of the user that created the task |
| Insight.Tasks.updated_uuid | string | Unique ID of the user that updated the task |
| Insight.Tasks.bpf | string | Berkeley Packet Filter for the task |
| Insight.Tasks.actual_end_time | date | Date when the task actually ended |
| Insight.Tasks.account_code | string | ID code of the customer account |
| Insight.Tasks.requested_end_time | date | Requested date for the task end |
| Insight.Tasks.updated | date | Date when the task was updated |
| Insight.Tasks.description | string | Description of the task |
| Insight.Tasks.has_files | boolean | If this task has files (true/false) |
| Insight.Tasks.sensor_ids | string | Sensors this task is running on |
| Insight.Tasks.files | string | Files captured for this task |

#### Command example

```
!insight-get-tasks task_uuid=373c9861-16cd-44cb-b768-e53ce3a9fcd4
```

#### Context Example

```json
{
  "Insight": {
    "Tasks": {
      "account_code": "gdm",
      "actual_end_time": "2022-08-26T07:59:00.000Z",
      "actual_start_time": "2022-08-25T02:32:00.000Z",
      "bpf": "dst www.discovery.com",
      "created": "2022-08-24T17:46:28.457Z",
      "created_email": "myemail@mycompany.com",
      "created_uuid": "88f034f1-b922-4a41-8e54-9bac90a42517",
      "description": "Test Description",
      "files": [],
      "has_files": false,
      "name": "test Task1",
      "requested_end_time": "2022-08-26T07:59:00.000Z",
      "requested_start_time": "2022-08-25T02:32:00.000Z",
      "sensor_ids": [],
      "status": "active",
      "task_uuid": "373c9861-16cd-44cb-b768-e53ce3a9fcd4",
      "updated": "2022-08-24T17:46:28.457Z",
      "updated_email": null,
      "updated_uuid": null
    }
  }
}
```

#### Human Readable Output

##### Results

| account_code | actual_end_time | actual_start_time | bpf | created | created_email | created_uuid | description | files | has_files | name | requested_end_time | requested_start_time | sensor_ids | status | task_uuid | updated | updated_email | updated_uuid |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| gdm | 2022-08-26T07:59:00.000Z | 2022-08-25T02:32:00.000Z | dst www.discovery.com | 2022-08-24T17:46:28.457Z | myemail@mycompany.com | 88f034f1-b922-4a41-8e54-9bac90a42517 | Test Description | | false | test Task1 | 2022-08-26T07:59:00.000Z | 2022-08-25T02:32:00.000Z | | active | 373c9861-16cd-44cb-b768-e53ce3a9fcd4 | 2022-08-24T17:46:28.457Z | | |

### insight-create-task

Create a new PCAP task.

#### Base Command

`insight-create-task`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the task. | Required |
| account_uuid | Account where the task will be created. | Required |
| description | A description for the task. | Required |
| bpf | The Berkeley Packet Filter for capture filtering. | Required |
| requested_start_date | The date the task will become active (e.g. 2019-01-30T00:00:00.000Z). | Required |
| requested_end_date | The date the task will become inactive (e.g. 2019-12-31T23:59:59.000Z). | Required |
| sensor_ids | Sensor IDs on which this task will run (separate multiple sensor IDs by comma). | Optional |

#### Context Output

There is no context output for this command.
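
The argument contract above (six required fields, timestamps in the exact `2019-01-30T00:00:00.000Z` form, a comma-separated `sensor_ids` list) is easy to get wrong from a playbook. The following is an added example, not the pack's own code, showing how a pre-flight check for `insight-create-task` arguments can be written before the command is issued. It assumes the request body simply mirrors the argument names; that is a convenience for the example, not the documented wire format of the ThreatINSIGHT API.

```python
from datetime import datetime, timezone
from typing import Dict, List

# The timestamp shape shown on the page: 2019-01-30T00:00:00.000Z
API_DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
REQUIRED_ARGS = ("name", "account_uuid", "description", "bpf",
                 "requested_start_date", "requested_end_date")


def parse_api_date(value: str) -> datetime:
    """Accept only the documented timestamp form; anything else raises ValueError."""
    return datetime.strptime(value, API_DATE_FORMAT).replace(tzinfo=timezone.utc)


def validate_create_task_args(args: Dict[str, str]) -> List[str]:
    """Return the problems found with insight-create-task arguments (empty list = valid)."""
    problems = [f"missing required argument '{key}'"
                for key in REQUIRED_ARGS if not str(args.get(key, "")).strip()]
    if problems:
        return problems
    dates: Dict[str, datetime] = {}
    for key in ("requested_start_date", "requested_end_date"):
        try:
            dates[key] = parse_api_date(args[key])
        except ValueError:
            problems.append(f"{key} must look like 2019-01-30T00:00:00.000Z, got {args[key]!r}")
    # A capture window that ends before it starts would never collect anything.
    if len(dates) == 2 and dates["requested_end_date"] <= dates["requested_start_date"]:
        problems.append("requested_end_date must be later than requested_start_date")
    return problems


def split_sensor_ids(value: str) -> List[str]:
    """Turn the comma-separated sensor_ids argument into a clean, de-duplicated list."""
    out: List[str] = []
    for item in value.split(","):
        item = item.strip()
        if item and item not in out:
            out.append(item)
    return out


def build_create_task_body(args: Dict[str, str]) -> Dict[str, object]:
    """Assemble the request after validation (keys mirror the argument names; assumed shape)."""
    problems = validate_create_task_args(args)
    if problems:
        raise ValueError("; ".join(problems))
    body: Dict[str, object] = {key: args[key].strip() for key in REQUIRED_ARGS}
    sensor_ids = split_sensor_ids(args.get("sensor_ids", ""))
    if sensor_ids:
        body["sensor_ids"] = sensor_ids
    return body


if __name__ == "__main__":
    # Constructed arguments modelled on the page's insight-get-tasks example.
    sample = {"name": "test Task1", "account_uuid": "dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8",
              "description": "Test Description", "bpf": "dst www.discovery.com",
              "requested_start_date": "2022-08-25T02:32:00.000Z",
              "requested_end_date": "2022-08-26T07:59:00.000Z", "sensor_ids": "gdm1, gdm2"}
    print(build_create_task_body(sample))
```

Run the validator inside the automation that builds the arguments so that a malformed timestamp or an inverted window fails loudly in the War Room instead of creating a capture task that silently never runs.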

### insight-get-telemetry-events

Get event telemetry data grouped by time.

#### Base Command

`insight-get-telemetry-events`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| interval | Interval to group by: hour (default) or day. Possible values are: hour, day. | Optional |
| start_date | Start date/time to query for. The default is 1 day ago for interval=hour or 30 days ago for interval=day. | Optional |
| end_date | End date/time to query for. The default is the current time. | Optional |
| account_uuid | Account UUID to filter by. | Optional |
| account_code | Account code to filter by. | Optional |
| sensor_id | Sensor ID to filter by. | Optional |
| event_type | The type of event. Limited to flow, dns, http, ssl, and x509. Possible values are: flow, dns, http, ssl, x509. | Optional |
| group_by | Optionally group results by: sensor_id, event_type. Possible values are: sensor_id, event_type. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Telemetry.Events.timestamp | date | Timestamp of the grouped data |
| Insight.Telemetry.Events.event_count | number | Number of events |
| Insight.Telemetry.Events.sensor_id | string | Sensor name (if grouped by sensor_id) |
| Insight.Telemetry.Events.event_type | string | Type of event (if grouped by event_type) |

#### Command example

```
!insight-get-telemetry-events start_date=2022-08-22T23:00:00.000Z end_date=2022-08-23T01:00:00.000Z
```

#### Context Example

```json
{
  "Insight": {
    "Telemetry": {
      "Events": [
        {
          "event_count": 70185,
          "event_type": null,
          "sensor_id": null,
          "timestamp": "2022-08-22T22:00:00.000Z"
        },
        {
          "event_count": 70363,
          "event_type": null,
          "sensor_id": null,
          "timestamp": "2022-08-22T23:00:00.000Z"
        },
        {
          "event_count": 70187,
          "event_type": null,
          "sensor_id": null,
          "timestamp": "2022-08-23T00:00:00.000Z"
        }
      ]
    }
  }
}
```

#### Human Readable Output

##### Results

| event_count | event_type | sensor_id | timestamp |
| --- | --- | --- | --- |
| 70185 | | | 2022-08-22T22:00:00.000Z |
| 70363 | | | 2022-08-22T23:00:00.000Z |
| 70187 | | | 2022-08-23T00:00:00.000Z |

### insight-get-telemetry-packetstats

Get packetstats telemetry data grouped by time.

#### Base Command

`insight-get-telemetry-packetstats`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sensor_id | Scopes the returned metrics to the interfaces of the specified sensor ID. | Optional |
| start_date | Scopes the returned metrics to dates after the given start_date. If empty, returns the most current packet stats. | Optional |
| end_date | Scopes the returned metrics to dates before the given end_date. If empty, returns the most current packet stats. | Optional |
| interval | Aggregation interval. Defaults to 1 hr when not specified. | Optional |
| group_by | Option to group by the following fields: interface_name, sensor_id, account_code. Possible values are: interface_name, sensor_id, account_code. | Optional |
| account_code | Account code to filter by. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Telemetry.Packetstats.account_code | string | Account code the data was filtered by |
| Insight.Telemetry.Packetstats.timestamp | date | Timestamp of the grouped data |
| Insight.Telemetry.Packetstats.interface_name | string | Interface the packet data was recorded from |
| Insight.Telemetry.Packetstats.rx_bits_per_second | number | Receive throughput (bits per second) |
| Insight.Telemetry.Packetstats.rx_bytes | number | Receive data size (bytes) |
| Insight.Telemetry.Packetstats.rx_errors | number | Number of receive errors |
| Insight.Telemetry.Packetstats.rx_packets | number | Number of receive packets |
| Insight.Telemetry.Packetstats.sensor_id | string | Sensor ID packet data was recorded from |
| Insight.Telemetry.Packetstats.tx_bytes | number | Transmit data size (bytes) |
| Insight.Telemetry.Packetstats.tx_errors | number | Number of transmit errors |
| Insight.Telemetry.Packetstats.tx_packets | number | Number of transmit packets |

#### Command example

```
!insight-get-telemetry-packetstats start_date=2022-08-22T23:00:00.000Z end_date=2022-08-23T01:00:00.000Z
```

#### Context Example

```json
{
  "Insight": {
    "Telemetry": {
      "Packetstats": [
        {
          "account_code": null,
          "interface_name": null,
          "rx_bits_per_second": 0,
          "rx_bytes": 942662863653,
          "rx_errors": 0,
          "rx_packets": 1821630132,
          "sensor_id": null,
          "timestamp": "2022-08-22T22:00:00.000Z",
          "tx_bytes": 59142067827,
          "tx_errors": 0,
          "tx_packets": 56381923
        },
        {
          "account_code": null,
          "interface_name": null,
          "rx_bits_per_second": 1611395,
          "rx_bytes": 943387991476,
          "rx_errors": 0,
          "rx_packets": 1823075830,
          "sensor_id": null,
          "timestamp": "2022-08-22T23:00:00.000Z",
          "tx_bytes": 59178887675,
          "tx_errors": 0,
          "tx_packets": 56416169
        },
        {
          "account_code": null,
          "interface_name": null,
          "rx_bits_per_second": 1620858,
          "rx_bytes": 944117377617,
          "rx_errors": 0,
          "rx_packets": 1824526055,
          "sensor_id": null,
          "timestamp": "2022-08-23T00:00:00.000Z",
          "tx_bytes": 59216556939,
          "tx_errors": 0,
          "tx_packets": 56452793
        }
      ]
    }
  }
}
```

#### Human Readable Output

##### Results

| account_code | interface_name | rx_bits_per_second | rx_bytes | rx_errors | rx_packets | sensor_id | timestamp | tx_bytes | tx_errors | tx_packets |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | | 0 | 942662863653 | 0 | 1821630132 | | 2022-08-22T22:00:00.000Z | 59142067827 | 0 | 56381923 |
| | | 1611395 | 943387991476 | 0 | 1823075830 | | 2022-08-22T23:00:00.000Z | 59178887675 | 0 | 56416169 |
| | | 1620858 | 944117377617 | 0 | 1824526055 | | 2022-08-23T00:00:00.000Z | 59216556939 | 0 | 56452793 |
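
A sensor that stops seeing traffic is a detection blind spot, and the packetstats telemetry is where that shows up first. The numbers in the example above are consistent with `rx_bits_per_second` being the delta of the cumulative `rx_bytes` counter over each one-hour bucket (for example, (943387991476 - 942662863653) * 8 / 3600 is 1611395), with the first bucket, which has no predecessor in the window, reporting 0. That is an observation about the sample, not a documented contract. The following is an added example, not the pack's own code, that re-derives the rate from the counters and flags buckets that deserve a look; the thresholds, the treatment of the first bucket, and the sample list (copied from the context example above) are the example's own assumptions.

```python
from typing import Dict, List, Optional

Bucket = Dict[str, object]

# Constructed sample copied from the page's Packetstats Context Example (one-hour buckets).
SAMPLE_PACKETSTATS: List[Bucket] = [
    {"timestamp": "2022-08-22T22:00:00.000Z", "rx_bits_per_second": 0,
     "rx_bytes": 942662863653, "rx_errors": 0, "rx_packets": 1821630132,
     "tx_bytes": 59142067827, "tx_errors": 0, "tx_packets": 56381923},
    {"timestamp": "2022-08-22T23:00:00.000Z", "rx_bits_per_second": 1611395,
     "rx_bytes": 943387991476, "rx_errors": 0, "rx_packets": 1823075830,
     "tx_bytes": 59178887675, "tx_errors": 0, "tx_packets": 56416169},
    {"timestamp": "2022-08-23T00:00:00.000Z", "rx_bits_per_second": 1620858,
     "rx_bytes": 944117377617, "rx_errors": 0, "rx_packets": 1824526055,
     "tx_bytes": 59216556939, "tx_errors": 0, "tx_packets": 56452793},
]


def derived_rx_bps(prev: Bucket, cur: Bucket, interval_seconds: int = 3600) -> int:
    """Throughput from the cumulative rx_bytes counter: byte delta * 8 / bucket length."""
    return (int(cur["rx_bytes"]) - int(prev["rx_bytes"])) * 8 // interval_seconds


def sensor_health(rows: List[Bucket], interval_seconds: int = 3600,
                  max_error_ratio: float = 0.001, tolerance: float = 0.01) -> List[Dict[str, object]]:
    """Flag buckets that suggest a visibility problem: no traffic, a counter that went
    backwards, a high error ratio, or a reported rate that disagrees with the counters."""
    rows = sorted(rows, key=lambda r: str(r["timestamp"]))
    findings: List[Dict[str, object]] = []
    for i, row in enumerate(rows):
        issues: List[str] = []
        derived: Optional[int] = None
        if i == 0:
            # Assumption: the first bucket carries no usable rate because nothing precedes it.
            if int(row["rx_bits_per_second"]) == 0:
                issues.append("first bucket reports 0 bps and has no predecessor to verify against")
        elif int(row["rx_bytes"]) < int(rows[i - 1]["rx_bytes"]):
            issues.append("rx_bytes counter went backwards (sensor restart or counter reset)")
        else:
            derived = derived_rx_bps(rows[i - 1], row, interval_seconds)
            reported = int(row["rx_bits_per_second"])
            if derived == 0:
                issues.append("no bytes received during the bucket")
            elif abs(derived - reported) > tolerance * max(reported, 1):
                issues.append(f"reported {reported} bps but counter delta gives {derived} bps")
        for direction in ("rx", "tx"):
            packets = int(row[f"{direction}_packets"])
            errors = int(row[f"{direction}_errors"])
            if packets and errors / packets > max_error_ratio:
                issues.append(f"{direction} error ratio {errors / packets:.4f} above {max_error_ratio}")
        findings.append({"timestamp": row["timestamp"], "derived_rx_bps": derived, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in sensor_health(SAMPLE_PACKETSTATS):
        print(finding)
```

Scheduling this over `!insight-get-telemetry-packetstats` output with `group_by=sensor_id` gives a per-sensor health line; a bucket with "no bytes received" on a sensor that normally carries traffic is the signal to check the tap or span before trusting the quiet detection queue.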

### insight-get-telemetry-network

Get network telemetry data grouped by time.

#### Base Command

`insight-get-telemetry-network`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| account_code | Account code to filter by. | Optional |
| interval | The interval to filter by (day, month_to_day). Possible values are: hour, day. | Optional |
| latest_each_month | Filters out all but the latest day and month_to_date for each month. | Optional |
| sort_order | Sorts by account code first, then timestamp. asc or desc. The default is desc. | Optional |
| limit | The maximum number of records to return, default: 100, max: 1000. Default is 1000. | Optional |
| offset | The number of records to skip past. Default: 0. | Optional |
| start_date | Start date to filter by. | Optional |
| end_date | End date to filter by. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Telemetry.NetworkUsage.account_code | string | The account code for the network usage. |
| Insight.Telemetry.NetworkUsage.percentile_bps | long | The top percentile BPS value across sensors. |
| Insight.Telemetry.NetworkUsage.percentile | int | Percentile of BPS records to calculate for percentile_bps. |
| Insight.Telemetry.NetworkUsage.interval | unknown | Time span the calculation was performed over (day, month_to_day). |
| Insight.Telemetry.Packetstats.timestamp | date | The date the calculation was performed until. |

#### Command example

```
!insight-get-telemetry-network start_date=2022-08-21T00:00:00.000Z end_date=2022-08-23T01:00:00.000Z interval=day
```

#### Context Example

```json
{
  "Insight": {
    "Telemetry": {
      "NetworkUsage": [
        {
          "account_code": "gdm",
          "interval": "day",
          "percentile": 95,
          "percentile_bps": 5768519,
          "timestamp": "2022-08-23T00:00:00.000000Z"
        },
        {
          "account_code": "gdm",
          "interval": "day",
          "percentile": 95,
          "percentile_bps": 5402040,
          "timestamp": "2022-08-22T00:00:00.000000Z"
        },
        {
          "account_code": "gdm",
          "interval": "day",
          "percentile": 95,
          "percentile_bps": 685898,
          "timestamp": "2022-08-21T00:00:00.000000Z"
        }
      ]
    }
  }
}
```

#### Human Readable Output

##### Results

| account_code | interval | percentile | percentile_bps | timestamp |
| --- | --- | --- | --- | --- |
| gdm | day | 95 | 5768519 | 2022-08-23T00:00:00.000000Z |
| gdm | day | 95 | 5402040 | 2022-08-22T00:00:00.000000Z |
| gdm | day | 95 | 685898 | 2022-08-21T00:00:00.000000Z |

### insight-get-entity-summary

Get summary information about an IP or domain.

#### Base Command

`insight-get-entity-summary`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entity | IP or domain to get entity data for. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Entity.Summary.entity | string | Entity identifier |
| Insight.Entity.Summary.first_seen | date | First seen date for this entity |
| Insight.Entity.Summary.last_seen | date | Last seen date for this entity |
| Insight.Entity.Summary.prevalence_count_internal | number | Prevalence for this entity within the environment |

#### Command example

```
!insight-get-entity-summary entity=8.8.8.8
```

#### Context Example

```json
{
  "Insight": {
    "Entity": {
      "Summary": {
        "entity": "8.8.8.8",
        "first_seen": "2021-12-17T21:30:02.000Z",
        "last_seen": "2022-08-24T19:19:52.711Z",
        "prevalence_count_internal": 1,
        "tags": []
      }
    }
  }
}
```

#### Human Readable Output

##### Results

| entity | first_seen | last_seen | prevalence_count_internal | tags |
| --- | --- | --- | --- | --- |
| 8.8.8.8 | 2021-12-17T21:30:02.000Z | 2022-08-24T19:19:52.711Z | 1 | |

### insight-get-entity-pdns

Get passive DNS information about an IP or domain.

#### Base Command

`insight-get-entity-pdns`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entity | IP or domain to get passive DNS data for. | Required |
| record_type | Limit results to the specified DNS query type(s). | Optional |
| source | Limit the results to the specified data source(s). | Optional |
| resolve_external | When true, the service will query non-ICEBRG data sources. false by default. | Optional |
| start_date | The earliest date before which to exclude results. Day granularity, inclusive. | Optional |
| end_date | The latest date after which to exclude results. Day granularity, inclusive. | Optional |
| account_uuid | Limit results to the specified account UUID(s). Defaults to all accounts for which the user has permission. | Optional |
| limit | Maximum number of records to be returned. Default 1000. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Entity.PDNS.account_uuid | string | Unique ID for the customer account |
| Insight.Entity.PDNS.first_seen | date | First seen date for matching DNS information |
| Insight.Entity.PDNS.last_seen | date | Last seen date for matching DNS information |
| Insight.Entity.PDNS.record_type | string | DNS record type |
| Insight.Entity.PDNS.resolved | string | Domain name resolved from the DNS record |
| Insight.Entity.PDNS.sensor_id | string | ID code of the sensor |
| Insight.Entity.PDNS.source | string | Source of the DNS record |

#### Command example

```
!insight-get-entity-pdns entity=google.com limit=3
```

#### Context Example

```json
{
  "Insight": {
    "Entity": {
      "PDNS": [
        {
          "account_uuid": "dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8",
          "first_seen": "2022-04-06T00:00:00.000Z",
          "last_seen": "2022-08-24T00:00:00.000Z",
          "record_type": "a",
          "resolved": "132.215.12.206",
          "sensor_id": "gdm2",
          "source": "icebrg_dns"
        },
        {
          "account_uuid": "dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8",
          "first_seen": "2022-04-03T00:00:00.000Z",
          "last_seen": "2022-08-21T00:00:00.000Z",
          "record_type": "a",
          "resolved": "132.215.5.238",
          "sensor_id": "gdm2",
          "source": "icebrg_dns"
        },
        {
          "account_uuid": "dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8",
          "first_seen": "2022-03-30T00:00:00.000Z",
          "last_seen": "2022-08-24T00:00:00.000Z",
          "record_type": "a",
          "resolved": "132.215.7.238",
          "sensor_id": "gdm2",
          "source": "icebrg_dns"
        }
      ]
    }
  }
}
```

#### Human Readable Output

##### Results

| account_uuid | first_seen | last_seen | record_type | resolved | sensor_id | source |
| --- | --- | --- | --- | --- | --- | --- |
| dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8 | 2022-04-06T00:00:00.000Z | 2022-08-24T00:00:00.000Z | a | 132.215.12.206 | gdm2 | icebrg_dns |
| dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8 | 2022-04-03T00:00:00.000Z | 2022-08-21T00:00:00.000Z | a | 132.215.5.238 | gdm2 | icebrg_dns |
| dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8 | 2022-03-30T00:00:00.000Z | 2022-08-24T00:00:00.000Z | a | 132.215.7.238 | gdm2 | icebrg_dns |

### insight-get-entity-dhcp

Get DHCP information about an IP address.

#### Base Command

`insight-get-entity-dhcp`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entity | IP address to get DHCP data for. | Required |
| start_date | The earliest date before which to exclude results. Day granularity, inclusive. | Optional |
| end_date | The latest date after which to exclude results. Day granularity, inclusive. | Optional |
| account_uuid | Limit results to the specified account UUID(s). Defaults to all accounts for which the user has permission. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Entity.DHCP.customer_id | string | ID code of the customer account |
| Insight.Entity.DHCP.hostnames | string | Hostname of the entity |
| Insight.Entity.DHCP.ip | string | IP address of the entity |
| Insight.Entity.DHCP.lease_end | date | DHCP lease end date |
| Insight.Entity.DHCP.lease_start | date | DHCP lease start date |
| Insight.Entity.DHCP.mac | string | MAC address of the entity |
| Insight.Entity.DHCP.sensor_id | string | Sensor ID that recorded the entity data |
| Insight.Entity.DHCP.start_lease_as_long | number | Start date as a long value |

#### Command example

```
!insight-get-entity-dhcp entity=21.1.70.100 start_date=2021-01-01T00:00:00.000Z
```

#### Context Example

```json
{
  "Insight": {
    "Entity": {
      "DHCP": {
        "customer_id": "gdm",
        "hostnames": [
          "FinanceWks008"
        ],
        "ip": "21.1.70.100",
        "lease_end": null,
        "lease_start": "2021-12-18T09:02:24.104Z",
        "mac": "00:15:5d:00:04:0e",
        "sensor_id": null,
        "start_lease_as_long": 1639818144104
      }
    }
  }
}
```

#### Human Readable Output

##### Results

| customer_id | hostnames | ip | lease_end | lease_start | mac | sensor_id | start_lease_as_long |
| --- | --- | --- | --- | --- | --- | --- | --- |
| gdm | FinanceWks008 | 21.1.70.100 | | 2021-12-18T09:02:24.104Z | 00:15:5d:00:04:0e | | 1639818144104 |

### insight-get-entity-file

Get information about a file.

#### Base Command

`insight-get-entity-file`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | File hash. Can be an MD5, SHA1, or SHA256 hash of the file. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Entity.File.entity | string | The entity identifier |
| Insight.Entity.File.sha1 | string | The entity SHA1 hash |
| Insight.Entity.File.sha256 | string | The entity SHA256 hash |
| Insight.Entity.File.md5 | string | The entity MD5 hash |
| Insight.Entity.File.customer_id | string | ID code of the customer account |
| Insight.Entity.File.names | string | File names for the entity |
| Insight.Entity.File.prevalence_count_internal | number | Prevalence for this file within the environment |
| Insight.Entity.File.last_seen | date | Last seen date for this file |
| Insight.Entity.File.mime_type | string | File MIME type |
| Insight.Entity.File.first_seen | date | First seen date for this file |
| Insight.Entity.File.bytes | number | File size |
| Insight.Entity.File.pe | string | File Portable Executable attributes |

#### Command example

```
!insight-get-entity-file hash=2b7a609371b2a844181c2f79f1b45cf7
```

#### Human Readable Output

We could not find any result for Get Entity File.

### insight-get-detections

Get a list of detections.

#### Base Command

`insight-get-detections`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_uuid | Filter to a specific rule. | Optional |
| account_uuid | For those with access to multiple accounts, specify a single account to return results from. | Optional |
| status | Filter by detection status: active, resolved. | Optional |
| device_ip | Device IP to filter by. | Optional |
| sensor_id | Sensor ID to filter by. | Optional |
| muted | List detections that a user muted: true / false. | Optional |
| muted_device | List detections for muted devices: true / false. | Optional |
| muted_rule | List detections for muted rules. | Optional |
| include | Include additional information in the response (rules). Possible values are: rules. | Optional |
| sort_by | Sort output by: "ip", "internal", "external". | Optional |
| sort_order | Sort direction ("asc" vs "desc"). | Optional |
| offset | The number of records to skip past. | Optional |
| limit | The number of records to return, default: 100, max: 1000. Default is 1000. | Optional |
| created_start_date | Created start date to filter by (inclusive). | Optional |
| created_end_date | Created end date to filter by (exclusive). | Optional |
| created_or_shared_start_date | Created or shared start date to filter by (inclusive). | Optional |
| created_or_shared_end_date | Created or shared end date to filter by (exclusive). | Optional |
| active_start_date | Active start date to filter by (inclusive). | Optional |
| active_end_date | Active end date to filter by (exclusive). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Detections.muted_rule | boolean | Is this rule muted (true/false) |
| Insight.Detections.created | date | Date when the detection was created |
| Insight.Detections.account_uuid | unknown | Unique ID of the account for this detection |
| Insight.Detections.resolution_timestamp | date | Date when the detection was resolved |
| Insight.Detections.first_seen | date | Date when the detection was first seen |
| Insight.Detections.muted | boolean | If the detection is muted or not (true/false) |
| Insight.Detections.resolution | string | Resolution type |
| Insight.Detections.muted_user_uuid | string | Unique ID of the user that muted the detection |
| Insight.Detections.last_seen | date | Date when the detection was last seen |
| Insight.Detections.status | string | Current status of the detection |
| Insight.Detections.resolution_user_uuid | string | Unique identifier of the user that resolved the detection |
| Insight.Detections.resolution_comment | string | Comment entered when the detection was resolved |
| Insight.Detections.muted_comment | string | Comment entered when the detection was muted |
| Insight.Detections.sensor_id | string | ID code of the sensor |
| Insight.Detections.rule_uuid | string | Unique ID of the rule for this detection |
| Insight.Detections.updated | date | Date when the detection was last updated |
| Insight.Detections.uuid | string | Unique ID of the detection |
| Insight.Detections.muted_device_uuid | string | Unique ID of the muted device |
| Insight.Detections.device_ip | string | IP address of the detection |

#### Command example

```
!insight-get-detections status=active include=rules created_or_shared_start_date=2022-08-23T22:00:00.000Z created_or_shared_end_date=2022-08-24T22:00:00.000Z
```

#### Context Example

```json
{
  "Insight": {
    "Detections": [
      {
        "account_uuid": "dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8",
        "created": "2022-08-24T21:20:19.801089Z",
        "device_ip": "156.112.0.100",
        "event_count": 1,
        "first_seen": "2022-08-24T08:04:36.535000Z",
        "hostname": null,
        "indicators": null,
        "last_seen": "2022-08-24T08:04:36.535000Z",
        "muted": false,
        "muted_comment": null,
        "muted_device_uuid": null,
        "muted_rule": false,
        "muted_timestamp": null,
        "muted_user_uuid": null,
        "resolution": null,
        "resolution_comment": null,
        "resolution_timestamp": null,
        "resolution_user_uuid": null,
        "rule_category": "Attack:Discovery",
        "rule_confidence": "moderate",
        "rule_description": "This rule is designed to use the TCP Device Enumeration Observation event generated from a DMZ host that is not a scanner. This would indicate a potentially compromised DMZ host scanning for other assets within the environment. \n",
        "rule_name": "TCP Device Enumeration from DMZ host",
        "rule_severity": "moderate",
        "rule_uuid": "2d719a2b-4efb-4ba6-8555-0cd0f9636729",
        "sensor_id": "gdm2",
        "status": "active",
        "updated": "2022-08-24T21:20:19.801089Z",
        "username": null,
        "uuid": "bb65c150-46be-4ba8-870d-b5feee01f06e"
      },
      {
        "account_uuid": "dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8",
        "created": "2022-08-24T09:03:14.430538Z",
        "device_ip": "156.112.0.100",
        "event_count": 9,
        "first_seen": "2022-08-24T08:03:31.755000Z",
        "hostname": null,
        "indicators": null,
        "last_seen": "2022-08-24T08:06:14.965000Z",
        "muted": false,
        "muted_comment": null,
        "muted_device_uuid": null,
        "muted_rule": false,
        "muted_timestamp": null,
        "muted_user_uuid": null,
        "resolution": null,
        "resolution_comment": null,
        "resolution_timestamp": null,
        "resolution_user_uuid": null,
        "rule_category": "Attack:Command and Control",
        "rule_confidence": "moderate",
        "rule_description": "This detection is intended to detect the CKnife Java client interacting with a CKnife Webshell backdoor. CKnife Webshell is commonly used by attackers to establish backdoors on external-facing web servers with unpatched vulnerabilities. CKnife is typically inserted as a PHP or ASPX page on the impacted asset, and accessed via a Java client.\n\nGigamon ATR considers this detection high severity, as it is indicative of successful malicious code execution on an external-facing server. This detection is considered moderate confidence, as it may coincidentally match similar traffic from uncommon devices or scanners.\n\n### Next Steps\n1. Determine if this detection is a true positive by:\n 1. Validating that the webpage in the detection exists, is unauthorized, and contains webshell functionality.\n 2. Validating that the external entity interacting with the device is unknown or unauthorized.\n 3. Inspecting traffic or logs to see if interaction with this webpage is uncommon and recent.\n3. Quarantine the impacted device.\n4. Begin incident response procedures on the impacted device.\n5. Block traffic from attacker infrastructure.\n6. Search traffic or logs from the infected web server to identify potential lateral movement by the attackers.",
        "rule_name": "CKnife Webshell Activity",
        "rule_severity": "high",
        "rule_uuid": "e9008859-c038-4bd5-a805-21efffd58355",
        "sensor_id": "gdm2",
        "status": "active",
        "updated": "2022-08-24T09:03:14.430538Z",
        "username": null,
        "uuid": "6d0d7c2d-33a1-458d-a5e5-461fe7b03409"
      }
    ]
  }
}
```

#### Human Readable Output

##### Results

| account_uuid | created | device_ip | event_count | first_seen | hostname | indicators | last_seen | muted | muted_comment | muted_device_uuid | muted_rule | muted_timestamp | muted_user_uuid | resolution | resolution_comment | resolution_timestamp | resolution_user_uuid | rule_category | rule_confidence | rule_description | rule_name | rule_severity | rule_uuid | sensor_id | status | updated | username | uuid |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8 | 2022-08-24T21:20:19.801089Z | 156.112.0.100 | 1 | 2022-08-24T08:04:36.535000Z | | | 2022-08-24T08:04:36.535000Z | false | | | false | | | | | | | Attack:Discovery | moderate | This rule is designed to use the TCP Device Enumeration Observation event generated from a DMZ host that is not a scanner. This would indicate a potentially compromised DMZ host scanning for other assets within the environment. | TCP Device Enumeration from DMZ host | moderate | 2d719a2b-4efb-4ba6-8555-0cd0f9636729 | gdm2 | active | 2022-08-24T21:20:19.801089Z | | bb65c150-46be-4ba8-870d-b5feee01f06e |
| dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8 | 2022-08-24T09:03:14.430538Z | 156.112.0.100 | 9 | 2022-08-24T08:03:31.755000Z | | | 2022-08-24T08:06:14.965000Z | false | | | false | | | | | | | Attack:Command and Control | moderate | This detection is intended to detect the CKnife Java client interacting with a CKnife Webshell backdoor. CKnife Webshell is commonly used by attackers to establish backdoors on external-facing web servers with unpatched vulnerabilities. CKnife is typically inserted as a PHP or ASPX page on the impacted asset, and accessed via a Java client.<br><br>Gigamon ATR considers this detection high severity, as it is indicative of successful malicious code execution on an external-facing server. This detection is considered moderate confidence, as it may coincidentally match similar traffic from uncommon devices or scanners.<br><br>### Next Steps<br>1. Determine if this detection is a true positive by:<br> 1. Validating that the webpage in the detection exists, is unauthorized, and contains webshell functionality.<br> 2. Validating that the external entity interacting with the device is unknown or unauthorized.<br> 3. Inspecting traffic or logs to see if interaction with this webpage is uncommon and recent.<br>3. Quarantine the impacted device.<br>4. Begin incident response procedures on the impacted device.<br>5. Block traffic from attacker infrastructure.<br>6. Search traffic or logs from the infected web server to identify potential lateral movement by the attackers. | CKnife Webshell Activity | high | e9008859-c038-4bd5-a805-21efffd58355 | gdm2 | active | 2022-08-24T09:03:14.430538Z | | 6d0d7c2d-33a1-458d-a5e5-461fe7b03409 |

insight-get-detection-rules

Get a list of detection rules.

Base Command

insight-get-detection-rules

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| account_uuid | For those with access to multiple accounts, specify a single account to return results from. | Optional |
| search | Filter name or category. | Optional |
| has_detections | Include rules that have unmuted, unresolved detections. Possible values are: true, false. | Optional |
| severity | Filter by severity: high, moderate, low. Possible values are: low, moderate, high. | Optional |
| confidence | Filter by confidence: high, moderate, low. Possible values are: low, moderate, high. | Optional |
| category | Category to filter by. Possible values are: Attack:Command and Control, Attack:Exploitation, Attack:Exfiltration, Attack:Installation, Attack:Lateral Movement, Attack:Infection Vector, Attack:Miscellaneous, Miscellaneous, Posture:Anomalous Activity, Posture:Insecure Configuration, Posture:Potentially Unauthorized Software or Device, Posture:Miscellaneous, PUA:Adware, PUA:Spyware, PUA:Unauthorized Resource Use, PUA:Miscellaneous. | Optional |
| rule_account_muted | Include muted rules: true / false. Possible values are: true, false. | Optional |
| enabled | Enabled rules only. Possible values are: true, false. | Optional |
| sort_by | Sort output by: "ip", "internal", "external". Possible values are: ip, internal, external. | Optional |
| sort_order | Sort direction ("asc" vs "desc"). Possible values are: asc, desc. | Optional |
| offset | The number of records to skip past. | Optional |
| limit | The number of records to return, default: 100, max: 1000. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Rules.enabled | boolean | Status of the rule: if true it is enabled, if false it is disabled. |
| Insight.Rules.updated_user_uuid | string | User ID that updated the rule. |
| Insight.Rules.rule_accounts | string | Accounts which have seen detections for this rule. |
| Insight.Rules.auto_resolution_minutes | number | Length of time (in minutes) after which the rule will auto-resolve detections. |
| Insight.Rules.created | date | Date the rule was created. |
| Insight.Rules.account_uuid | string | Account ID the rule was created under. |
| Insight.Rules.confidence | string | Confidence level of the rule. |
| Insight.Rules.name | string | Name of the rule. |
| Insight.Rules.created_user_uuid | string | User ID that created the rule. |
| Insight.Rules.query_signature | string | IQL signature of the rule. |
| Insight.Rules.shared_account_uuids | string | Account IDs the rule is visible to. |
| Insight.Rules.run_account_uuids | string | Account IDs the rule runs on. |
| Insight.Rules.updated | date | Date the rule was updated. |
| Insight.Rules.uuid | string | Unique ID of the rule. |
| Insight.Rules.description | string | Description of the rule. |
| Insight.Rules.severity | string | Severity level of the rule. |
| Insight.Rules.category | string | Category of the rule. |

Command example

!insight-get-detection-rules confidence=high category=Attack:Installation

Context Example

{
"Insight": {
"Rules": [
{
"account_uuid": "b1f533b5-6360-494a-9f8b-9d90f1ad0207",
"auto_resolution_minutes": 20160,
"category": "Attack:Installation",
"confidence": "high",
"created": "2019-05-06T13:00:29.165000Z",
"created_user_uuid": "cd3ea8eb-e014-4f62-905d-78a021c768b2",
"critical_updated": "2021-01-16T00:27:43.540000Z",
"description": "This logic is intended to detect executable binaries and scripts downloaded from a Python SimpleHTTPServer. SimpleHTTPServer is part of Python's standard library and allows users to quickly setup a basic HTTP server. It is typically used for prototyping and not commonly used in production systems.\r\n\r\nGigamon ATR considers this activity moderate severity, as an executable or script is not inherently malicious simply because it is hosted on a Python SimpleHTTPServer, but it is unlikely that a legitimate service would host executable binaries or scripts on a Python SimpleHTTPServer. Gigamon ATR considers this detection high confidence because the server field in the HTTP response header is highly unique to Python SimpleHTTPServer.\r\n\r\n## Next Steps\r\n1. Determine if this detection is a true positive by:\r\n 1. Checking that the event is not downloading a benign file from a reputable domain. If the domain is reputable, and the resource name is thematically consistent, the detection could be a false positive or a well concealed attack using a compromised domain.\r\n 2. Verifying that the file is malicious in nature.\r\n2. Quarantine the impacted device.\r\n3. Begin incident response procedures on the impacted device.\r\n4. Block traffic to attacker infrastructure.\r\n5. Search for other impacted devices.",
"device_ip_fields": [
"src.ip"
],
"enabled": true,
"indicator_fields": [
"dst.ip",
"http:host",
"http:uri.uri",
"http:user_agent",
"http:files.sha256"
],
"name": "Executable or Script Download From External Python SimpleHTTPServer",
"primary_attack_id": "T1105",
"query_signature": "http:headers.server LIKE \"SimpleHTTP/% Python/%\"\r\n// Filter for plain executable binary MIME types\r\nAND (\r\n response_mime LIKE \"%executable%\"\r\n OR response_mime LIKE \"%application/x-dosexec%\"\r\n OR response_mime LIKE \"%application/x-macbinary%\"\r\n\r\n // Commonly malicious\r\n OR response_mime LIKE \"%application/x-ms-shortcut%\"\r\n OR response_mime LIKE \"%application/vnd.ms-htmlhelp%\"\r\n\r\n // System-level scripts\r\n OR response_mime LIKE \"%text/x-msdos-batch%\"\r\n OR response_mime LIKE \"%x-shellscript%\"\r\n)\r\n\r\n// Outbound traffic\r\nAND src.internal = true\r\nAND (\r\n dst.internal = false\r\n OR (\r\n // Not internal IP address\r\n host.internal != true\r\n // Proxied traffic\r\n AND uri.scheme != null\r\n )\r\n)",
"rule_accounts": [
{
"account_uuid": "dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8",
"detection_count": 4,
"detection_muted_count": 0,
"detection_resolved_count": 12,
"first_seen": "2022-02-01T09:35:58.269000Z",
"last_seen": "2022-08-23T08:36:02.794000Z",
"muted": false,
"muted_comment": null,
"muted_timestamp": null,
"muted_user_uuid": null,
"query_filter": null
}
],
"run_account_uuids": null,
"secondary_attack_id": null,
"severity": "moderate",
"shared_account_uuids": null,
"source_excludes": [
"Zscaler"
],
"specificity": "procedure",
"updated": "2022-04-27T16:26:03.115153Z",
"updated_user_uuid": "cd3ea8eb-e014-4f62-905d-78a021c768b2",
"uuid": "fe4d55b4-7293-425a-b549-43a22472923d"
},
{
"account_uuid": "b1f533b5-6360-494a-9f8b-9d90f1ad0207",
"auto_resolution_minutes": 30240,
"category": "Attack:Installation",
"confidence": "high",
"created": "2018-04-24T23:39:13.382000Z",
"created_user_uuid": "cd3ea8eb-e014-4f62-905d-78a021c768b2",
"critical_updated": "2020-12-10T00:04:21.861000Z",
"description": "This logic is intended to detect the Trickbot banking trojan downloading separate executable files to update or extend the functionality of the main trojan. Trickbot is generally delivered by spam campaigns via malicious Microsoft Office documents. Trickbot attempts to harvest credentials for web sites, primarily for financial institutions. As well as gathering credentials for any user accounts used on affected hosts, it can also be used as a backdoor which enables access to the network. \n\nGigamon ATR considers this detection to be high severity, as it is indicative of successful malicious code execution and allows for unauthorized access to the network. Gigamon ATR considers this detection to be high confidence due to the uniqueness of the user agent used in HTTP requests by the trojan. \n\n## Next Steps \n1. Determine if this is a true positive by: \n 1. Investigating for connections outbound to ports 447 and 449 from the affected host.\n 2. Checking the affected host for earlier executable downloads with no user agent set, or connectivity checks such as public IP lookups (e.g. HTTP requests to checkip.amazonaws.com).\n 3. Checking the impacted asset for other indicators of compromise. Persistence is generally achieved via a scheduled task. \n3. Quarantine the impacted device. \n4. Begin incident response procedures on the impacted device. \n5. Block traffic to attacker infrastructure. \n6. Search for other impacted devices.",
"device_ip_fields": [
"src.ip"
],
"enabled": true,
"indicator_fields": [
"dst.ip",
"http:host",
"http:uri.uri",
"http:user_agent",
"http:files.sha256"
],
"name": "Trickbot Staging Download",
"primary_attack_id": "T1105",
"query_signature": "http:user_agent = \"WinHTTP loader/1.0\"\r\nAND response_mime = \"application/x-dosexec\"",
"rule_accounts": [
{
"account_uuid": "dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8",
"detection_count": 2,
"detection_muted_count": 0,
"detection_resolved_count": 2,
"first_seen": "2021-12-20T09:06:10.558000Z",
"last_seen": "2022-08-22T08:09:10.243000Z",
"muted": true,
"muted_comment": null,
"muted_timestamp": "2022-01-05T18:39:07.352000Z",
"muted_user_uuid": "2964a059-e470-4622-929e-2cadcccf98f4",
"query_filter": null
}
],
"run_account_uuids": null,
"secondary_attack_id": null,
"severity": "high",
"shared_account_uuids": null,
"source_excludes": [
"Zscaler"
],
"specificity": "tool_implementation",
"updated": "2021-03-19T19:32:19.685000Z",
"updated_user_uuid": "cd3ea8eb-e014-4f62-905d-78a021c768b2",
"uuid": "aadb155e-712f-481f-9680-482bab5a238d"
},
{
"account_uuid": "b1f533b5-6360-494a-9f8b-9d90f1ad0207",
"auto_resolution_minutes": 10080,
"category": "Attack:Installation",
"confidence": "high",
"created": "2018-05-15T18:08:55.511000Z",
"created_user_uuid": "cd3ea8eb-e014-4f62-905d-78a021c768b2",
"critical_updated": "2020-07-08T21:59:20.870000Z",
"description": "This logic is intended to detect Pony or Hancitor second stage downloads. Hancitor and Pony are banking trojans that attempt to harvest credentials for web sites, primarily for financial institutions. As well as harvesting credentials for any user accounts used on affected hosts, they can also be used as a remote access tool that enables access to the network. \n\nGigamon ATR considers this detection to be high severity, as it is indicative of successful malicious code execution, and allows for unauthorized access to the network. Gigamon ATR considers this detection high confidence, as these requests are unlikely to be the result of legitimate activity. \n\n## Next Steps\n1. Determine if this detection is a true positive by checking the host for signs of compromise. \n2. Quarantine the impacted device. \n3. Begin incident response procedures on the impacted device.\n4. Block traffic to attacker infrastructure. \n5. Search for other impacted devices. ",
"device_ip_fields": [
"src.ip"
],
"enabled": true,
"indicator_fields": [
"dst.ip",
"http:host",
"http:uri.uri",
"http:user_agent"
],
"name": "Pony or Hancitor Second Stage Download",
"primary_attack_id": "T1105",
"query_signature": "http:method = \"POST\"\r\nAND uri.path LIKE \"%/gate.php\"\r\nAND (\r\n response_len > 1MB\r\n OR user_agent LIKE \"%Windows 98%\"\r\n)",
"rule_accounts": [
{
"account_uuid": "dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8",
"detection_count": 1,
"detection_muted_count": 0,
"detection_resolved_count": 17,
"first_seen": "2022-02-06T16:22:18.923000Z",
"last_seen": "2022-08-21T15:22:21.518000Z",
"muted": false,
"muted_comment": null,
"muted_timestamp": null,
"muted_user_uuid": null,
"query_filter": null
}
],
"run_account_uuids": null,
"secondary_attack_id": "T1104",
"severity": "high",
"shared_account_uuids": null,
"source_excludes": [],
"specificity": "tool_implementation",
"updated": "2021-03-17T23:36:35.422000Z",
"updated_user_uuid": "9128e5ed-4ee4-4b29-a7f4-ea9f9f092dc3",
"uuid": "2d06c01f-5ae4-4346-8d6a-99926dcac4f1"
}
]
}
}

Human Readable Output

Results

account_uuid: b1f533b5-6360-494a-9f8b-9d90f1ad0207
auto_resolution_minutes: 20160
category: Attack:Installation
confidence: high
created: 2019-05-06T13:00:29.165000Z
created_user_uuid: cd3ea8eb-e014-4f62-905d-78a021c768b2
critical_updated: 2021-01-16T00:27:43.540000Z
description:
  This logic is intended to detect executable binaries and scripts downloaded from a Python SimpleHTTPServer. SimpleHTTPServer is part of Python's standard library and allows users to quickly setup a basic HTTP server. It is typically used for prototyping and not commonly used in production systems.

  Gigamon ATR considers this activity moderate severity, as an executable or script is not inherently malicious simply because it is hosted on a Python SimpleHTTPServer, but it is unlikely that a legitimate service would host executable binaries or scripts on a Python SimpleHTTPServer. Gigamon ATR considers this detection high confidence because the server field in the HTTP response header is highly unique to Python SimpleHTTPServer.

  ## Next Steps
  1. Determine if this detection is a true positive by:
     1. Checking that the event is not downloading a benign file from a reputable domain. If the domain is reputable, and the resource name is thematically consistent, the detection could be a false positive or a well concealed attack using a compromised domain.
     2. Verifying that the file is malicious in nature.
  2. Quarantine the impacted device.
  3. Begin incident response procedures on the impacted device.
  4. Block traffic to attacker infrastructure.
  5. Search for other impacted devices.
device_ip_fields: src.ip
enabled: true
indicator_fields: dst.ip, http:host, http:uri.uri, http:user_agent, http:files.sha256
name: Executable or Script Download From External Python SimpleHTTPServer
primary_attack_id: T1105
query_signature:
  http:headers.server LIKE "SimpleHTTP/% Python/%"
  // Filter for plain executable binary MIME types
  AND (
    response_mime LIKE "%executable%"
    OR response_mime LIKE "%application/x-dosexec%"
    OR response_mime LIKE "%application/x-macbinary%"

    // Commonly malicious
    OR response_mime LIKE "%application/x-ms-shortcut%"
    OR response_mime LIKE "%application/vnd.ms-htmlhelp%"

    // System-level scripts
    OR response_mime LIKE "%text/x-msdos-batch%"
    OR response_mime LIKE "%x-shellscript%"
  )

  // Outbound traffic
  AND src.internal = true
  AND (
    dst.internal = false
    OR (
      // Not internal IP address
      host.internal != true
      // Proxied traffic
      AND uri.scheme != null
    )
  )
rule_accounts: {'account_uuid': 'dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8', 'query_filter': None, 'muted': False, 'muted_comment': None, 'muted_user_uuid': None, 'muted_timestamp': None, 'detection_count': 4, 'detection_muted_count': 0, 'detection_resolved_count': 12, 'first_seen': '2022-02-01T09:35:58.269000Z', 'last_seen': '2022-08-23T08:36:02.794000Z'}
run_account_uuids:
secondary_attack_id:
severity: moderate
shared_account_uuids:
source_excludes: Zscaler
specificity: procedure
updated: 2022-04-27T16:26:03.115153Z
updated_user_uuid: cd3ea8eb-e014-4f62-905d-78a021c768b2
uuid: fe4d55b4-7293-425a-b549-43a22472923d

account_uuid: b1f533b5-6360-494a-9f8b-9d90f1ad0207
auto_resolution_minutes: 30240
category: Attack:Installation
confidence: high
created: 2018-04-24T23:39:13.382000Z
created_user_uuid: cd3ea8eb-e014-4f62-905d-78a021c768b2
critical_updated: 2020-12-10T00:04:21.861000Z
description:
  This logic is intended to detect the Trickbot banking trojan downloading separate executable files to update or extend the functionality of the main trojan. Trickbot is generally delivered by spam campaigns via malicious Microsoft Office documents. Trickbot attempts to harvest credentials for web sites, primarily for financial institutions. As well as gathering credentials for any user accounts used on affected hosts, it can also be used as a backdoor which enables access to the network.

  Gigamon ATR considers this detection to be high severity, as it is indicative of successful malicious code execution and allows for unauthorized access to the network. Gigamon ATR considers this detection to be high confidence due to the uniqueness of the user agent used in HTTP requests by the trojan.

  ## Next Steps
  1. Determine if this is a true positive by:
     1. Investigating for connections outbound to ports 447 and 449 from the affected host.
     2. Checking the affected host for earlier executable downloads with no user agent set, or connectivity checks such as public IP lookups (e.g. HTTP requests to checkip.amazonaws.com).
     3. Checking the impacted asset for other indicators of compromise. Persistence is generally achieved via a scheduled task.
  3. Quarantine the impacted device.
  4. Begin incident response procedures on the impacted device.
  5. Block traffic to attacker infrastructure.
  6. Search for other impacted devices.
device_ip_fields: src.ip
enabled: true
indicator_fields: dst.ip, http:host, http:uri.uri, http:user_agent, http:files.sha256
name: Trickbot Staging Download
primary_attack_id: T1105
query_signature:
  http:user_agent = "WinHTTP loader/1.0"
  AND response_mime = "application/x-dosexec"
rule_accounts: {'account_uuid': 'dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8', 'query_filter': None, 'muted': True, 'muted_comment': None, 'muted_user_uuid': '2964a059-e470-4622-929e-2cadcccf98f4', 'muted_timestamp': '2022-01-05T18:39:07.352000Z', 'detection_count': 2, 'detection_muted_count': 0, 'detection_resolved_count': 2, 'first_seen': '2021-12-20T09:06:10.558000Z', 'last_seen': '2022-08-22T08:09:10.243000Z'}
run_account_uuids:
secondary_attack_id:
severity: high
shared_account_uuids:
source_excludes: Zscaler
specificity: tool_implementation
updated: 2021-03-19T19:32:19.685000Z
updated_user_uuid: cd3ea8eb-e014-4f62-905d-78a021c768b2
uuid: aadb155e-712f-481f-9680-482bab5a238d

account_uuid: b1f533b5-6360-494a-9f8b-9d90f1ad0207
auto_resolution_minutes: 10080
category: Attack:Installation
confidence: high
created: 2018-05-15T18:08:55.511000Z
created_user_uuid: cd3ea8eb-e014-4f62-905d-78a021c768b2
critical_updated: 2020-07-08T21:59:20.870000Z
description:
  This logic is intended to detect Pony or Hancitor second stage downloads. Hancitor and Pony are banking trojans that attempt to harvest credentials for web sites, primarily for financial institutions. As well as harvesting credentials for any user accounts used on affected hosts, they can also be used as a remote access tool that enables access to the network.

  Gigamon ATR considers this detection to be high severity, as it is indicative of successful malicious code execution, and allows for unauthorized access to the network. Gigamon ATR considers this detection high confidence, as these requests are unlikely to be the result of legitimate activity.

  ## Next Steps
  1. Determine if this detection is a true positive by checking the host for signs of compromise.
  2. Quarantine the impacted device.
  3. Begin incident response procedures on the impacted device.
  4. Block traffic to attacker infrastructure.
  5. Search for other impacted devices.
device_ip_fields: src.ip
enabled: true
indicator_fields: dst.ip, http:host, http:uri.uri, http:user_agent
name: Pony or Hancitor Second Stage Download
primary_attack_id: T1105
query_signature:
  http:method = "POST"
  AND uri.path LIKE "%/gate.php"
  AND (
    response_len > 1MB
    OR user_agent LIKE "%Windows 98%"
  )
rule_accounts: {'account_uuid': 'dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8', 'query_filter': None, 'muted': False, 'muted_comment': None, 'muted_user_uuid': None, 'muted_timestamp': None, 'detection_count': 1, 'detection_muted_count': 0, 'detection_resolved_count': 17, 'first_seen': '2022-02-06T16:22:18.923000Z', 'last_seen': '2022-08-21T15:22:21.518000Z'}
run_account_uuids:
secondary_attack_id: T1104
severity: high
shared_account_uuids:
source_excludes:
specificity: tool_implementation
updated: 2021-03-17T23:36:35.422000Z
updated_user_uuid: 9128e5ed-4ee4-4b29-a7f4-ea9f9f092dc3
uuid: 2d06c01f-5ae4-4346-8d6a-99926dcac4f1

insight-resolve-detection

Resolve a specific detection.

Base Command

insight-resolve-detection

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| detection_uuid | Detection UUID to resolve. | Required |
| resolution | Resolution state. Options: true_positive_mitigated, true_positive_no_action, false_positive, unknown. Possible values are: true_positive_mitigated, true_positive_no_action, false_positive, unknown. | Required |
| resolution_comment | Optional comment for the resolution. | Optional |

Context Output

There is no context output for this command.

insight-get-detection-rule-events

Get a list of the events that matched on a specific rule.

Base Command

insight-get-detection-rule-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_uuid | Rule UUID to get events for. | Required |
| account_uuid | Account UUID to filter by. | Optional |
| offset | The number of records to skip past. | Optional |
| limit | The number of records to return, default: 100, max: 1000. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Insight.Events.src_ip | string | Source IP address. |
| Insight.Events.dst_ip | string | Destination IP address. |
| Insight.Events.src_port | number | Source port number. |
| Insight.Events.dst_port | number | Destination port number. |
| Insight.Events.host_domain | string | Domain name. |
| Insight.Events.flow_id | string | Unique ID of the flow record. |
| Insight.Events.event_type | string | Event type. |
| Insight.Events.sensor_id | string | ID code of the sensor. |
| Insight.Events.timestamp | date | Date the event occurred. |
| Insight.Events.customer_id | string | ID code of the customer account. |
| Insight.Events.uuid | string | Unique ID for the event. |

Command example

!insight-get-detection-rule-events rule_uuid=aadb155e-712f-481f-9680-482bab5a238d limit=3

Context Example

{
"Insight": {
"Detections": [
{
"customer_id": "gdm",
"dst": {
"asn": {
"asn": 46562,
"asn_org": "PERFORMIVE",
"isp": "Performive",
"org": "Performive"
},
"geo": {
"city": "Richardson",
"country": "US",
"location": {
"lat": 32.9636,
"lon": -96.7468
},
"subdivision": "TX"
},
"internal": false,
"ip": "101.25.175.118",
"ip_bytes": null,
"pkts": null,
"port": 80
},
"event_type": "http",
"files": [
{
"bytes": 503808,
"md5": "725d4b987107aa0f797f2aad4daaf8cd",
"mime_type": null,
"name": null,
"sha1": "44b8b2a5a79ed223dadb612728661824430fe793",
"sha256": "c9075805b3d43e3d0231216662068850cbde533bc7f0f4c7486f5a89224c524c"
}
],
"flow_id": "C8fsbW3SBCuWYNaUse",
"geo_distance": null,
"headers": {
"accept": null,
"content_md5": null,
"content_type": "image/png",
"cookie_length": null,
"location": null,
"origin": null,
"proxied_client_ips": null,
"refresh": null,
"server": "nginx/1.10.3",
"x_powered_by": null
},
"host": {
"asn": {
"asn": 46562,
"asn_org": "PERFORMIVE",
"isp": "Performive",
"org": "Performive"
},
"geo": {
"city": "Richardson",
"country": "US",
"location": {
"lat": 32.9636,
"lon": -96.7468
},
"subdivision": "TX"
},
"internal": false,
"ip": "101.25.175.118",
"ip_bytes": null,
"pkts": null,
"port": null
},
"info_msg": null,
"intel": null,
"method": "GET",
"proxied": null,
"referrer": null,
"request_len": 0,
"request_mime": null,
"request_mimes": null,
"response_len": 503808,
"response_mime": "application/x-dosexec",
"response_mimes": [
"application/x-dosexec"
],
"sensor_id": "gdm2",
"source": "Zeek",
"src": {
"asn": null,
"geo": null,
"internal": true,
"ip": "21.5.31.5",
"ip_bytes": null,
"pkts": null,
"port": 51520
},
"status_code": 200,
"status_msg": "OK",
"timestamp": "2022-08-22T08:09:10.243Z",
"trans_depth": 2,
"uri": {
"fragment": null,
"host": null,
"path": "/scrimet.png",
"port": -1,
"query": null,
"scheme": null,
"uri": "/scrimet.png"
},
"user_agent": "WinHTTP loader/1.0",
"username": null,
"uuid": "343c26aa-21f3-11ed-9d7b-0a1766ad1b93"
},
{
"customer_id": "gdm",
"dst": {
"asn": {
"asn": 46562,
"asn_org": "PERFORMIVE",
"isp": "Performive",
"org": "Performive"
},
"geo": {
"city": "Richardson",
"country": "US",
"location": {
"lat": 32.9636,
"lon": -96.7468
},
"subdivision": "TX"
},
"internal": false,
"ip": "101.25.175.118",
"ip_bytes": null,
"pkts": null,
"port": 80
},
"event_type": "http",
"files": [
{
"bytes": 472706,
"md5": null,
"mime_type": null,
"name": null,
"sha1": null,
"sha256": null
}
],
"flow_id": "C8fsbW3SBCuWYNaUse",
"geo_distance": null,
"headers": {
"accept": null,
"content_md5": null,
"content_type": "image/png",
"cookie_length": null,
"location": null,
"origin": null,
"proxied_client_ips": null,
"refresh": null,
"server": "nginx/1.10.3",
"x_powered_by": null
},
"host": {
"asn": {
"asn": 46562,
"asn_org": "PERFORMIVE",
"isp": "Performive",
"org": "Performive"
},
"geo": {
"city": "Richardson",
"country": "US",
"location": {
"lat": 32.9636,
"lon": -96.7468
},
"subdivision": "TX"
},
"internal": false,
"ip": "101.25.175.118",
"ip_bytes": null,
"pkts": null,
"port": null
},
"info_msg": null,
"intel": null,
"method": "GET",
"proxied": null,
"referrer": null,
"request_len": 0,
"request_mime": null,
"request_mimes": null,
"response_len": 472706,
"response_mime": "application/x-dosexec",
"response_mimes": [
"application/x-dosexec"
],
"sensor_id": "gdm2",
"source": "Zeek",
"src": {
"asn": null,
"geo": null,
"internal": true,
"ip": "21.5.31.5",
"ip_bytes": null,
"pkts": null,
"port": 51520
},
"status_code": 200,
"status_msg": "OK",
"timestamp": "2022-08-22T08:09:04.693Z",
"trans_depth": 1,
"uri": {
"fragment": null,
"host": null,
"path": "/tablone.png",
"port": -1,
"query": null,
"scheme": null,
"uri": "/tablone.png"
},
"user_agent": "WinHTTP loader/1.0",
"username": null,
"uuid": "3439dbfc-21f3-11ed-9d7b-0a1766ad1b93"
},
{
"customer_id": "gdm",
"dst": {
"asn": {
"asn": 46562,
"asn_org": "PERFORMIVE",
"isp": "Performive",
"org": "Performive"
},
"geo": {
"city": "Richardson",
"country": "US",
"location": {
"lat": 32.9636,
"lon": -96.7468
},
"subdivision": "TX"
},
"internal": false,
"ip": "101.25.175.118",
"ip_bytes": null,
"pkts": null,
"port": 80
},
"event_type": "http",
"files": [
{
"bytes": 503808,
"md5": "725d4b987107aa0f797f2aad4daaf8cd",
"mime_type": null,
"name": null,
"sha1": "44b8b2a5a79ed223dadb612728661824430fe793",
"sha256": "c9075805b3d43e3d0231216662068850cbde533bc7f0f4c7486f5a89224c524c"
}
],
"flow_id": "CRcO6G4eqlWvo7gjia",
"geo_distance": null,
"headers": {
"accept": null,
"content_md5": null,
"content_type": "image/png",
"cookie_length": null,
"location": null,
"origin": null,
"proxied_client_ips": null,
"refresh": null,
"server": "nginx/1.10.3",
"x_powered_by": null
},
"host": {
"asn": {
"asn": 46562,
"asn_org": "PERFORMIVE",
"isp": "Performive",
"org": "Performive"
},
"geo": {
"city": "Richardson",
"country": "US",
"location": {
"lat": 32.9636,
"lon": -96.7468
},
"subdivision": "TX"
},
"internal": false,
"ip": "101.25.175.118",
"ip_bytes": null,
"pkts": null,
"port": null
},
"info_msg": null,
"intel": null,
"method": "GET",
"proxied": null,
"referrer": null,
"request_len": 0,
"request_mime": null,
"request_mimes": null,
"response_len": 503808,
"response_mime": "application/x-dosexec",
"response_mimes": [
"application/x-dosexec"
],
"sensor_id": "gdm2",
"source": "Zeek",
"src": {
"asn": null,
"geo": null,
"internal": true,
"ip": "21.5.31.101",
"ip_bytes": null,
"pkts": null,
"port": 58761
},
"status_code": 200,
"status_msg": "OK",
"timestamp": "2022-08-22T08:06:40.603Z",
"trans_depth": 2,
"uri": {
"fragment": null,
"host": null,
"path": "/scrimet.png",
"port": -1,
"query": null,
"scheme": null,
"uri": "/scrimet.png"
},
"user_agent": "WinHTTP loader/1.0",
"username": null,
"uuid": "343177d6-21f3-11ed-9d7b-0a1766ad1b93"
}
]
}
}

Human Readable Output

Results

customer_id: gdm
dst:
  ip: 101.25.175.118
  port: 80
  ip_bytes: null
  pkts: null
  geo: {"location": {"lat": 32.9636, "lon": -96.7468}, "country": "US", "subdivision": "TX", "city": "Richardson"}
  asn: {"asn": 46562, "org": "Performive", "isp": "Performive", "asn_org": "PERFORMIVE"}
  internal: false
event_type: http
files: {'name': None, 'md5': '725d4b987107aa0f797f2aad4daaf8cd', 'sha1': '44b8b2a5a79ed223dadb612728661824430fe793', 'sha256': 'c9075805b3d43e3d0231216662068850cbde533bc7f0f4c7486f5a89224c524c', 'bytes': 503808, 'mime_type': None}
flow_id: C8fsbW3SBCuWYNaUse
geo_distance:
headers:
  accept: null
  content_md5: null
  content_type: image/png
  cookie_length: null
  location: null
  origin: null
  proxied_client_ips: null
  refresh: null
  server: nginx/1.10.3
  x_powered_by: null
host:
  ip: 101.25.175.118
  port: null
  ip_bytes: null
  pkts: null
  geo: {"location": {"lat": 32.9636, "lon": -96.7468}, "country": "US", "subdivision": "TX", "city": "Richardson"}
  asn: {"asn": 46562, "org": "Performive", "isp": "Performive", "asn_org": "PERFORMIVE"}
  internal: false
info_msg:
intel:
method: GET
proxied:
referrer:
request_len: 0
request_mime:
request_mimes:
response_len: 503808
response_mime: application/x-dosexec
response_mimes: application/x-dosexec
sensor_id: gdm2
source: Zeek
src:
  ip: 21.5.31.5
  port: 51520
  ip_bytes: null
  pkts: null
  geo: null
  asn: null
  internal: true
status_code: 200
status_msg: OK
timestamp: 2022-08-22T08:09:10.243Z
trans_depth: 2
uri:
  uri: /scrimet.png
  scheme: null
  host: null
  port: -1
  path: /scrimet.png
  query: null
  fragment: null
user_agent: WinHTTP loader/1.0
username:
uuid: 343c26aa-21f3-11ed-9d7b-0a1766ad1b93

customer_id: gdm
dst:
  ip: 101.25.175.118
  port: 80
  ip_bytes: null
  pkts: null
  geo: {"location": {"lat": 32.9636, "lon": -96.7468}, "country": "US", "subdivision": "TX", "city": "Richardson"}
  asn: {"asn": 46562, "org": "Performive", "isp": "Performive", "asn_org": "PERFORMIVE"}
  internal: false
event_type: http
files: {'name': None, 'md5': None, 'sha1': None, 'sha256': None, 'bytes': 472706, 'mime_type': None}
flow_id: C8fsbW3SBCuWYNaUse
geo_distance:
headers:
  accept: null
  content_md5: null
  content_type: image/png
  cookie_length: null
  location: null
  origin: null
  proxied_client_ips: null
  refresh: null
  server: nginx/1.10.3
  x_powered_by: null
host:
  ip: 101.25.175.118
  port: null
  ip_bytes: null
  pkts: null
  geo: {"location": {"lat": 32.9636, "lon": -96.7468}, "country": "US", "subdivision": "TX", "city": "Richardson"}
  asn: {"asn": 46562, "org": "Performive", "isp": "Performive", "asn_org": "PERFORMIVE"}
  internal: false
info_msg:
intel:
method: GET
proxied:
referrer:
request_len: 0
request_mime:
request_mimes:
response_len: 472706
response_mime: application/x-dosexec
response_mimes: application/x-dosexec
sensor_id: gdm2
source: Zeek
src:
  ip: 21.5.31.5
  port: 51520
  ip_bytes: null
  pkts: null
  geo: null
  asn: null
  internal: true
status_code: 200
status_msg: OK
timestamp: 2022-08-22T08:09:04.693Z
trans_depth: 1
uri:
  uri: /tablone.png
  scheme: null
  host: null
  port: -1
  path: /tablone.png
  query: null
  fragment: null
user_agent: WinHTTP loader/1.0
username:
uuid: 3439dbfc-21f3-11ed-9d7b-0a1766ad1b93

customer_id: gdm
dst:
  ip: 101.25.175.118
  port: 80
  ip_bytes: null
  pkts: null
  geo: {"location": {"lat": 32.9636, "lon": -96.7468}, "country": "US", "subdivision": "TX", "city": "Richardson"}
  asn: {"asn": 46562, "org": "Performive", "isp": "Performive", "asn_org": "PERFORMIVE"}
  internal: false
event_type: http
files: {'name': None, 'md5': '725d4b987107aa0f797f2aad4daaf8cd', 'sha1': '44b8b2a5a79ed223dadb612728661824430fe793', 'sha256': 'c9075805b3d43e3d0231216662068850cbde533bc7f0f4c7486f5a89224c524c', 'bytes': 503808, 'mime_type': None}
flow_id: CRcO6G4eqlWvo7gjia
geo_distance:
headers:
  accept: null
  content_md5: null
  content_type: image/png
  cookie_length: null
  location: null
  origin: null
  proxied_client_ips: null
  refresh: null
  server: nginx/1.10.3
  x_powered_by: null
host:
  ip: 101.25.175.118
  port: null
  ip_bytes: null
  pkts: null
  geo: {"location": {"lat": 32.9636, "lon": -96.7468}, "country": "US", "subdivision": "TX", "city": "Richardson"}
  asn: {"asn": 46562, "org": "Performive", "isp": "Performive", "asn_org": "PERFORMIVE"}
  internal: false
info_msg:
intel:
method: GET
proxied:
referrer:
request_len: 0
request_mime:
request_mimes:
response_len: 503808
response_mime: application/x-dosexec
response_mimes: application/x-dosexec
sensor_id: gdm2
source: Zeek
src:
  ip: 21.5.31.101
  port: 58761
  ip_bytes: null
  pkts: null
  geo: null
  asn: null
  internal: true
status_code: 200
status_msg: OK
timestamp: 2022-08-22T08:06:40.603Z
trans_depth: 2
uri:
  uri: /scrimet.png
  scheme: null
  host: null
  port: -1
  path: /scrimet.png
  query: null
  fragment: null
user_agent: WinHTTP loader/1.0
username:
uuid: 343177d6-21f3-11ed-9d7b-0a1766ad1b93
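Added example, not code from the Gigamon ThreatINSIGHT integration: it resolves a rule's indicator_fields (as returned by insight-get-detection-rules) against the event records returned by insight-get-detection-rule-events and collects the distinct indicator values per impacted device (the rule's device_ip_fields), which is the step an enrichment automation needs between the two commands. It assumes that an indicator field written as "<event_type>:<path>" applies only to events of that event_type and that the path is dotted into the event record; the sample events are constructed from the Trickbot Staging Download events shown above, reduced to the fields used, plus one hypothetical dns event.

```python
"""Collect indicator values from ThreatINSIGHT rule events, per impacted device.

Added example, not code from the Gigamon ThreatINSIGHT integration. Assumptions
(not stated by the integration documentation):
  * a field written "<event_type>:<path>" applies only to events with that
    event_type; a bare "<path>" such as "dst.ip" applies to every event;
  * <path> is a dotted path into the event record; lists (e.g. files[]) fan out;
  * nulls are dropped, and a path that ends on a whole object (e.g. "http:host",
    which is the host entity in the records above) yields no scalar indicator.
"""
from typing import Any, Dict, Iterable, List, Set

# Constructed sample events: reduced copies of the insight-get-detection-rule-events
# output for the "Trickbot Staging Download" rule shown above, plus one hypothetical
# dns event that the http:-prefixed fields must not match.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "event_type": "http",
        "flow_id": "C8fsbW3SBCuWYNaUse",
        "src": {"ip": "21.5.31.5", "internal": True, "port": 51520},
        "dst": {"ip": "101.25.175.118", "internal": False, "port": 80},
        "host": {"ip": "101.25.175.118", "internal": False},
        "uri": {"path": "/scrimet.png", "uri": "/scrimet.png"},
        "user_agent": "WinHTTP loader/1.0",
        "files": [{"md5": "725d4b987107aa0f797f2aad4daaf8cd",
                   "sha256": "c9075805b3d43e3d0231216662068850cbde533bc7f0f4c7486f5a89224c524c"}],
    },
    {
        "event_type": "http",
        "flow_id": "C8fsbW3SBCuWYNaUse",
        "src": {"ip": "21.5.31.5", "internal": True, "port": 51520},
        "dst": {"ip": "101.25.175.118", "internal": False, "port": 80},
        "host": {"ip": "101.25.175.118", "internal": False},
        "uri": {"path": "/tablone.png", "uri": "/tablone.png"},
        "user_agent": "WinHTTP loader/1.0",
        "files": [{"md5": None, "sha256": None}],  # hashes were not captured
    },
    {
        "event_type": "dns",  # hypothetical event, constructed for this example
        "flow_id": "Cdns0000000000000",
        "src": {"ip": "21.5.31.101", "internal": True, "port": 40001},
        "dst": {"ip": "10.0.0.53", "internal": True, "port": 53},
    },
]

# indicator_fields and device_ip_fields of the Trickbot Staging Download rule
# exactly as insight-get-detection-rules returns them above.
RULE_INDICATOR_FIELDS = ["dst.ip", "http:host", "http:uri.uri",
                         "http:user_agent", "http:files.sha256"]
RULE_DEVICE_IP_FIELDS = ["src.ip"]


def _walk(value: Any, parts: List[str]) -> Iterable[Any]:
    """Yield every non-null scalar reached by following `parts` through dicts and lists."""
    if isinstance(value, list):
        for item in value:                      # fan out over list members (files[])
            yield from _walk(item, parts)
    elif not parts:
        # End of the path: only scalars count; a whole object is not an indicator.
        if value is not None and not isinstance(value, dict):
            yield value
    elif isinstance(value, dict) and parts[0] in value:
        yield from _walk(value[parts[0]], parts[1:])


def extract_indicators(fields: List[str],
                       events: List[Dict[str, Any]]) -> Dict[str, Set[Any]]:
    """Map each field to the set of distinct values it resolves to across `events`."""
    found: Dict[str, Set[Any]] = {field: set() for field in fields}
    for event in events:
        for field in fields:
            event_type, _, path = field.rpartition(":")   # "" for unprefixed fields
            if event_type and event.get("event_type") != event_type:
                continue                        # field belongs to another event type
            found[field].update(_walk(event, path.split(".")))
    return found


def indicators_per_device(device_fields: List[str], indicator_fields: List[str],
                          events: List[Dict[str, Any]]) -> Dict[Any, Dict[str, Set[Any]]]:
    """Group indicator values by impacted device, i.e. by the rule's device_ip_fields."""
    per_device: Dict[Any, Dict[str, Set[Any]]] = {}
    for event in events:
        devices = set().union(*extract_indicators(device_fields, [event]).values())
        indicators = extract_indicators(indicator_fields, [event])
        for device in devices:
            bucket = per_device.setdefault(device, {f: set() for f in indicator_fields})
            for field, values in indicators.items():
                bucket[field].update(values)
    return per_device


if __name__ == "__main__":
    grouped = indicators_per_device(RULE_DEVICE_IP_FIELDS, RULE_INDICATOR_FIELDS, SAMPLE_EVENTS)
    for device, inds in grouped.items():
        print(device, {f: sorted(v) for f, v in inds.items() if v})
```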

insight-create-detection-rule

Create a new detection rule.

Base Command

insight-create-detection-rule

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| account_uuid | Account where the rule will be created. | Required |
| name | The name of the rule. | Required |
| category | The category of the rule. Possible values are: Attack:Command and Control, Attack:Exploitation, Attack:Exfiltration, Attack:Installation, Attack:Lateral Movement, Attack:Infection Vector, Attack:Miscellaneous, Miscellaneous, Posture:Anomalous Activity, Posture:Insecure Configuration, Posture:Potentially Unauthorized Software or Device, Posture:Miscellaneous, PUA:Adware, PUA:Spyware, PUA:Unauthorized Resource Use, PUA:Miscellaneous. | Required |
| query_signature | The IQL query for the rule. | Required |
| description | A description for the rule. | Required |
| severity | The severity of the rule. Possible values are: low, moderate, high. | Required |
| confidence | The confidence of the rule. Possible values are: low, moderate, high. | Required |
| run_account_uuids | Account UUIDs on which this rule will run. This will usually be just your own account UUID (separate multiple accounts by comma). | Required |
| auto_resolution_minutes | The number of minutes after which detections will be auto-resolved. If 0, detections have to be manually resolved. | Optional |
| device_ip_fields | List of event fields to check for impacted devices. Possible values are: DEFAULT, src.ip, dst.ip, dhcp:assignment.ip, dns:answers.ip, http:host.ip, http:uri.host.ip, http:referrer.host.ip, http:headers.location.host.ip, http:headers.origin.host.ip, http:headers.proxied_client_ips.ip, http:headers.refresh.uri.host.ip, smtp:helo.ip, smtp:x_originating_ip.ip, smtp:path.ip, software:host.ip, ssl:server_name_indication.ip, suricata:http.host.ip, x509:san_dns.ip, x509:san_ip.ip. | Required |

Context Output

There is no context output for this command.