
Icebrg

This integration is part of the Icebrg Pack.

ICEBRG is a network security product. This integration lets Cortex XSOAR query ICEBRG for the events and reports it produces, and optionally turn those reports into incidents.

When fetching incidents, the integration applies the following rules:

  • Only reports are fetched; events are never fetched as incidents.
  • Only reports that contain more than one asset are fetched.
  • Reports are filtered by their published date.
  • The fetch runs every 10 minutes.

To set up ICEBRG to work with Cortex XSOAR:

To obtain an API token (on ICEBRG):

  1. Go to ‘Settings > Profile Settings > Tokens’.
  2. Click ‘Create new token’.
  3. Enter description.
  4. Click ‘Create’.
  5. Record this token to use in the next steps.

To set up the integration on Cortex XSOAR:

  1. Go to ‘Settings > Integrations > Servers & Services’.
  2. Locate ‘ICEBRG’ by searching for it using the search box on the top of the page.
  3. Click ‘Add instance’ to create and configure a new integration. Configure the following settings:
    Name: A textual name for the integration instance.
    Server URL for the search API: The URL of the ICEBRG appliance that serves the search API.
    API username: ICEBRG API token.
    Server URL for the reports API: The URL of the server that serves the reports API.
    Password: ICEBRG API password.
    ICEBRG token: The token obtained in the steps above.
    Fetch incidents: Select whether to automatically create Cortex XSOAR incidents from ICEBRG reports, following the fetch rules listed above.
    Cortex XSOAR engine: If relevant, select the engine that acts as a proxy to the server. Engines are used when you need to access remote network segments and there are network devices such as proxies, firewalls, etc. that prevent the Cortex XSOAR server from accessing the remote networks.
    For more information on Cortex XSOAR engines see:
    https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Engines
  4. Press the ‘Test’ button to validate the connection.
  5. After completing the test successfully, press the ‘Done’ button.

Top Use-cases:

  • Search events by query.
  • Get reports by UUID.

Commands:

  • icebrg-search-events

Input:

Query (mandatory) - The query string or entity for which to search.
Start date - The beginning of the temporal extent by which to restrict filter results, inclusive (in RFC3339 format).
End date - The end of the temporal extent by which to restrict filter results, exclusive (in RFC3339 format).
Order by - The event property by which to order results. Default: timestamp.
Order - The order of results, either "asc" or "desc". Default: desc.
Customer ID - The customer ID by which to restrict filter results. Default: user's account.
History - When true, save this query in user's Query History and include up to the last 50 queries from user's Query History. Default: false.
Service traffic - When true, the service will include the service_traffic aggregation. Default: false.

Context output:

Icebrg.Events.QueryType - Query type
Icebrg.Events.Total - Total events
Icebrg.Events.OrderBy - Key to order events by
Icebrg.Events.Order - Order of the events
Icebrg.Events.Offset - Events offset
Icebrg.Events.History - History of events
Icebrg.Events.Limit - Limit number of events to show

Raw output:

{
    "total": 135359505,
    "offset": 0,
    "limit": 100,
    "order_by": "timestamp",
    "query_type": "complex",
    "events": [ ... ]
}

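The inputs and raw output above are enough to show how a playbook or wrapper should drive icebrg-search-events: validate the RFC3339 window, pass only the arguments actually supplied so the server's documented defaults apply, map the response onto the Icebrg.Events context keys, and work out whether a further page is needed (the sample response's total of 135,359,505 against a limit of 100 is the reason to narrow the date window rather than page blindly). This is an added example, not code from the integration or from ICEBRG; the wire parameter names (start_date, end_date, order, order_by, customer_id, history, service_traffic) are assumed to match the argument names, and the events list, elided on the page, is left empty in the constructed sample.

```python
"""Added example (not the ICEBRG integration's own code): validate the
icebrg-search-events inputs and turn the raw response into context."""
import re
from datetime import datetime, timezone

# RFC3339 as the raw outputs on this page show it, e.g. 2017-03-30T20:56:11.556Z
RFC3339_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})$"
)


def parse_rfc3339(value):
    """Parse an RFC3339 timestamp into an aware UTC datetime; ValueError if malformed."""
    m = RFC3339_RE.match(value or "")
    if not m:
        raise ValueError(f"not an RFC3339 timestamp: {value!r}")
    base, frac, tz = m.group(1), m.group(2) or ".0", m.group(3)
    frac = (frac[1:] + "000000")[:6]      # strptime's %f wants exactly six digits
    tz = "+00:00" if tz == "Z" else tz    # %z takes +HH:MM but not a bare 'Z' on older Pythons
    return datetime.strptime(f"{base}.{frac}{tz}", "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)


def is_rfc3339(value):
    """True when the value parses as RFC3339, for cheap input checks."""
    try:
        parse_rfc3339(value)
        return True
    except ValueError:
        return False


def build_search_params(args):
    """Check the command arguments and return only the parameters actually supplied,
    so the server applies its own documented defaults for the rest.
    Parameter names are assumed to equal the documented argument names."""
    if not args.get("query"):
        raise ValueError("query is mandatory")
    params = {"query": args["query"]}
    start = parse_rfc3339(args["start_date"]) if args.get("start_date") else None
    end = parse_rfc3339(args["end_date"]) if args.get("end_date") else None
    if start and end and start >= end:
        raise ValueError("start_date must be before end_date (end is exclusive)")
    if start:
        params["start_date"] = args["start_date"]
    if end:
        params["end_date"] = args["end_date"]
    order = args.get("order", "desc")
    if order not in ("asc", "desc"):
        raise ValueError(f"order must be asc or desc, got {order!r}")
    params["order"] = order
    params["order_by"] = args.get("order_by", "timestamp")
    if args.get("customer_id"):
        params["customer_id"] = args["customer_id"]
    for flag in ("history", "service_traffic"):   # booleans arrive as strings from the UI
        if args.get(flag) is not None:
            params[flag] = str(args[flag]).lower() == "true"
    return params


def events_to_context(raw):
    """Map the raw search response onto the Icebrg.Events keys listed above."""
    return {"Icebrg.Events": {
        "QueryType": raw.get("query_type"),
        "Total": raw.get("total"),
        "OrderBy": raw.get("order_by"),
        "Order": raw.get("order"),
        "Offset": raw.get("offset"),
        "Limit": raw.get("limit"),
        "History": raw.get("history"),
    }}


def next_offset(raw):
    """Offset to request next, or None when this page was the last one."""
    nxt = raw["offset"] + raw["limit"]
    return nxt if nxt < raw["total"] else None


# The raw output shown above, with the elided events list left empty (constructed).
SAMPLE_EVENTS_RESPONSE = {
    "total": 135359505, "offset": 0, "limit": 100,
    "order_by": "timestamp", "query_type": "complex", "events": [],
}

if __name__ == "__main__":
    print(build_search_params({"query": "port = 80", "start_date": "2017-03-30T00:00:00Z"}))
    print(events_to_context(SAMPLE_EVENTS_RESPONSE), next_offset(SAMPLE_EVENTS_RESPONSE))
```

The end of the window is rejected when it is not after the start because the documented end date is exclusive; a window whose start equals its end can never match an event, so failing early is more useful than an empty result.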
  • icebrg-get-history

Input:

none

Context output:

Icebrg.UserQueryHistory.Total - Total user queries
Icebrg.UserQueryHistory.Timestamp - Timestamp of user query
Icebrg.UserQueryHistory.Query - Called query
Icebrg.UserQueryHistory.QueryId - ID of query
Icebrg.UserQueryHistory.UserId - User ID

Raw output:

{
    "history": [{
        "total": 3393897721,
        "timestamp": "2017-03-30T20:56:11.556Z",
        "query": "port = 80",
        "id": "725be4f112f5b5ae9807b7130b2cea97"
    },
    {
        "total": 211313295,
        "timestamp": "2017-03-30T17:44:35.748Z",
        "query": "google.com",
        "id": "655765009424c447765d06773e711dd3"
    }],
    "User_id": "f3259c9f-e54a-4e93-b71d-8e995a2cd96b"
}

  • icebrg-saved-searches

Input:

none

Context output:

Icebrg.SavedSearches.Tags - Query tags
Icebrg.SavedSearches.Description - Query description
Icebrg.SavedSearches.Title - Query title
Icebrg.SavedSearches.Timestamp - Query timestamp
Icebrg.SavedSearches.Query - Called query
Icebrg.SavedSearches.Id - Query ID

Raw output:

{
    "saved_queries": [{
        "tags": [],
        "description": "",
        "title": "Test",
        "timestamp": "2017-03-17T00:48:34.359Z",
        "query": "ip='127.0.0.1'",
        "id": "AVrZvNBGl0ZSNz2usg93"
    }]
}

  • icebrg-get-reports

Input:

Limit - The maximum number of records to return. The default is no limit.
Offset - The number of records to skip. The default is none.
Sort by - The field to sort by (created, updated, or published). The default is unsorted.
Sort order - The sort order asc or desc. The default is asc if sort_by is provided.
Account UUID - UUID of account to filter by.
Archived - Archived status to filter by.
Confidence - Confidence to filter by (low, moderate, high).
Risk - Risk to filter by (low, moderate, high).
Search - Text string to search the title and summary.
Status - Status to filter by.
Published start - Published start date to filter by (inclusive), RFC3339 format.
Published end - Published end date to filter by (exclusive), RFC3339 format.

Context output:

Icebrg.Reports.Publishes.UserUuid - User UUID that published the report
Icebrg.Reports.Publishes.Published - Timestamp of the report publication
Icebrg.Reports.AssetCount - Asset count of report
Icebrg.Reports.IndicatorCount - Indicator count of report
Icebrg.Reports.Archived - True if archived, else false
Icebrg.Reports.Details - Report details
Icebrg.Reports.Summary - Report summary
Icebrg.Reports.Category - Category of the report
Icebrg.Reports.Confidence - Confidence of report
Icebrg.Reports.Risk - Risk of report
Icebrg.Reports.Title - Report title
Icebrg.Reports.Status - Status of report
Icebrg.Reports.AccountUuid - Account UUID of report
Icebrg.Reports.UpdatedUserUuid - User UUID that updated the report
Icebrg.Reports.CreatedUserUuid - User UUID that created the report
Icebrg.Reports.Updated - Timestamp of report update
Icebrg.Reports.Created - Timestamp of report creation
Icebrg.Reports.Uuid - Report UUID

Raw output:

{
    "reports": [{
        "publishes": [{
            "user_uuid": "b3fc3df4-d3cf-4202-971c-0dcfe7cccf42",
            "published": "2017-01-24T10:13:13.418Z"
        }],
        "asset_count": 1,
        "indicator_count": 5,
        "archived": false,
        "details": "On 21 January, ...",
        "summary": "A host was infected with Cerber ransomware after opening a malicious Word document received via email.",
        "category": "Ransomware",
        "confidence": "high",
        "risk": "moderate",
        "title": "Cerber Malware Infection",
        "status": "published",
        "account_uuid": "6bc3d2f1-af77-4236-a9db-17dacd06e4d9",
        "updated_user_uuid": "b3fc3df4-d3cf-4202-971c-0dcfe7cccf42",
        "created_user_uuid": "b3fc3df4-d3cf-4202-971c-0dcfe7cccf42",
        "updated": "2017-01-24T10:12:32.534Z",
        "created": "2017-01-24T07:25:36.363Z",
        "uuid": "2d35734f-5b16-41ff-a482-b08a7c74202a"
    }]
}

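The fetch rules at the top of this page (reports only, more than one asset, filtered by published date, one run every 10 minutes) are easy to state and easy to get subtly wrong: the published window must be half-open, or a report published exactly on the boundary is created twice or never. The following is an added example, not the integration's or ICEBRG's own code, that applies those rules to icebrg-get-reports output and maps a report onto the Icebrg.Reports context keys listed above. The sample input is the report from the raw output above plus two constructed reports with placeholder UUIDs; the mapping of ICEBRG risk to Cortex XSOAR severity is an assumption, not something the page specifies.

```python
"""Added example (not the ICEBRG integration's own code): one fetch-incidents
cycle over icebrg-get-reports output, plus the Icebrg.Reports context mapping."""
import json
from datetime import datetime, timedelta, timezone

FETCH_INTERVAL = timedelta(minutes=10)   # the page states reports are fetched every 10 minutes
SEVERITY = {"low": 1, "moderate": 2, "high": 3}   # ASSUMED mapping of ICEBRG risk to XSOAR severity


def parse_published(value):
    """Report timestamps in the sample output are UTC with a millisecond fraction ('...Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def latest_publish(report):
    """Most recent publish time of a report (a report can be published more than once)."""
    stamps = [parse_published(p["published"]) for p in report.get("publishes", [])]
    return max(stamps) if stamps else None


def select_reports_for_fetch(reports, last_run, now, min_assets=2):
    """Apply the fetch rules: asset_count > 1 and latest publish inside the half-open
    window [last_run, now). A report published exactly at 'now' is therefore taken by
    the next cycle, never by both."""
    chosen = []
    for report in reports:
        if report.get("asset_count", 0) < min_assets:
            continue
        published = latest_publish(report)
        if published is None or not (last_run <= published < now):
            continue
        chosen.append((published, report))
    chosen.sort(key=lambda item: item[0])   # oldest first, so incidents arrive in order
    return [report for _, report in chosen]


def report_to_incident(report):
    """Shape one report as an XSOAR incident dict; rawJSON keeps the full report for mapping."""
    return {
        "name": f"ICEBRG report: {report['title']}",
        "occurred": latest_publish(report).isoformat(),
        "severity": SEVERITY.get(report.get("risk"), 0),
        "rawJSON": json.dumps(report),
    }


def report_to_context(report):
    """Map one raw report onto the Icebrg.Reports keys documented above."""
    return {
        "Publishes": [{"UserUuid": p.get("user_uuid"), "Published": p.get("published")}
                      for p in report.get("publishes", [])],
        "AssetCount": report.get("asset_count"),
        "IndicatorCount": report.get("indicator_count"),
        "Archived": report.get("archived"),
        "Details": report.get("details"),
        "Summary": report.get("summary"),
        "Category": report.get("category"),
        "Confidence": report.get("confidence"),
        "Risk": report.get("risk"),
        "Title": report.get("title"),
        "Status": report.get("status"),
        "AccountUuid": report.get("account_uuid"),
        "UpdatedUserUuid": report.get("updated_user_uuid"),
        "CreatedUserUuid": report.get("created_user_uuid"),
        "Updated": report.get("updated"),
        "Created": report.get("created"),
        "Uuid": report.get("uuid"),
    }


def fetch_incidents(reports, last_run, now=None):
    """One fetch cycle: returns (incidents, new_last_run). Feeding new_last_run back in
    on the next cycle never yields the same report twice."""
    now = now or datetime.now(timezone.utc)
    picked = select_reports_for_fetch(reports, last_run, now)
    return [report_to_incident(r) for r in picked], now


# Sample input: the report from the raw output above (asset_count 1), then two CONSTRUCTED
# reports whose UUIDs are placeholders, not real ICEBRG data.
SAMPLE_REPORTS = [
    {"publishes": [{"user_uuid": "b3fc3df4-d3cf-4202-971c-0dcfe7cccf42",
                    "published": "2017-01-24T10:13:13.418Z"}],
     "asset_count": 1, "indicator_count": 5, "archived": False,
     "title": "Cerber Malware Infection", "category": "Ransomware", "confidence": "high",
     "risk": "moderate", "status": "published", "uuid": "2d35734f-5b16-41ff-a482-b08a7c74202a"},
    {"publishes": [{"user_uuid": "00000000-0000-4000-8000-000000000001",
                    "published": "2017-01-24T10:15:00.000Z"}],
     "asset_count": 3, "title": "constructed: lateral movement", "risk": "high",
     "status": "published", "uuid": "00000000-0000-4000-8000-0000000000a1"},
    {"publishes": [{"user_uuid": "00000000-0000-4000-8000-000000000001",
                    "published": "2017-01-24T10:20:00.000Z"}],
     "asset_count": 2, "title": "constructed: beaconing", "risk": "low",
     "status": "published", "uuid": "00000000-0000-4000-8000-0000000000a2"},
]

if __name__ == "__main__":
    last_run = parse_published("2017-01-24T10:10:00.000Z")
    for _ in range(2):   # two consecutive 10-minute cycles over the same input
        incidents, last_run = fetch_incidents(SAMPLE_REPORTS, last_run, last_run + FETCH_INTERVAL)
        print([i["name"] for i in incidents], "next last_run:", last_run.isoformat())
```

Run stand-alone, the first cycle (10:10 to 10:20) picks up only the constructed report published at 10:15; the page's own report is dropped for having a single asset, and the report published exactly at 10:20 waits for the second cycle. Note that the exclusive end relies on the server and the fetch loop agreeing on the clock; using the value returned by the previous cycle as the next start, rather than recomputing "now minus 10 minutes", is what keeps the windows contiguous.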
  • icebrg-get-report-assets

Input:

Report UUID (mandatory) - UUID of the report whose assets to retrieve.

Context output:

Icebrg.ReportAssets.Asset - Assets of Report UUID

Raw output:

{
    "assets": [{
        "asset": "10.248.100.74"
    }]
}

Troubleshooting

This integration was integrated and tested with version 1.3 of ICEBRG.