Icebrg
ICEBRG is a network security product which is used in conjunction with Cortex XSOAR to get events and reports produced in ICEBRG for queries.
The following data is fetched:
- Reports that contain more than one asset.
- Events are not fetched.
- Reports are filtered by published date.
- The fetch runs every 10 minutes.
To set up ICEBRG to work with Cortex XSOAR:
To obtain API token (on ICEBRG):
- Go to ‘Settings > Profile Settings > Tokens’.
- Click ‘Create new token’.
- Enter description.
- Click ‘Create’.
- Record this token to use in the next steps.
To set up the integration on Cortex XSOAR:
- Go to ‘Settings > Integrations > Servers & Services’
- Locate ‘ICEBRG’ by searching for it using the search box on the top of the page.
- Click ‘Add instance’ to create and configure a new integration. You should configure the following settings:
- Name: A textual name for the integration instance.
- Server URL for the search API: The URL of the ICEBRG appliance that serves the search API.
- API username: ICEBRG API token.
- Server URL for the reports API: The URL of the server that serves the reports API.
- Password: ICEBRG API password.
- ICEBRG token: The token obtained in the steps above. Treat it as a secret; it grants the API access of the user who created it.
- Fetch incidents: Select whether to automatically create Cortex XSOAR incidents from ICEBRG reports.
- Cortex XSOAR engine: If relevant, select the engine that acts as a proxy to the server. Engines are used when you need to access remote network segments and there are network devices such as proxies, firewalls, etc. that prevent the Cortex XSOAR server from accessing the remote networks.
For more information on Cortex XSOAR engines see:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Engines
- Press the ‘Test’ button to validate the connection.
- After the test completes successfully, press the ‘Done’ button.
Top Use-cases:
- Search events by query.
- Get reports by UUID.
Commands:
- icebrg-search-events
Input:
Query (mandatory) - The query string or entity for which to search.
Context output:
Icebrg.Events.QueryType - Query type
Icebrg.Events.Total - Total events
Icebrg.Events.OrderBy - Key to order events by
Icebrg.Events.Order - Order of the events
Icebrg.Events.Offset - Events offset
Icebrg.Events.History - History of events
Icebrg.Events.Limit - Limit number of events to show
Raw output:
{
  "total": 135359505,
  "offset": 0,
  "limit": 100,
  "order_by": "timestamp",
  "query_type": "complex",
  "events": [ ... ]
}
- icebrg-get-history
Input:
none
Context output:
Icebrg.UserQueryHistory.Total - Total user queries
Raw output:
{
  "history": [
    { "total": 3393897721, "timestamp": "2017-03-30T20:56:11.556Z", "query": "port = 80", "id": "725be4f112f5b5ae9807b7130b2cea97" },
    { "total": 211313295, "timestamp": "2017-03-30T17:44:35.748Z", "query": "google.com", "id": "655765009424c447765d06773e711dd3" }
  ],
  "User_id": "f3259c9f-e54a-4e93-b71d-8e995a2cd96b"
}
- icebrg-saved-searches
Input:
none
Context output:
Icebrg.SavedSearches.Tags - Query tags
Icebrg.SavedSearches.Description - Query description
Icebrg.SavedSearches.Title - Query title
Icebrg.SavedSearches.Timestamp - Query timestamp
Icebrg.SavedSearches.Query - Called query
Icebrg.SavedSearches.Id - Query ID
Raw output:
{
  "saved_queries": [
    { "tags": [], "description": "", "title": "Test", "timestamp": "2017-03-17T00:48:34.359Z", "query": "ip='127.0.0.1'", "id": "AVrZvNBGl0ZSNz2usg93" }
  ]
}
- icebrg-get-reports
Input:
Limit - The maximum number of records to return. The default is no limit.
Offset - The number of records to skip. The default is none.
Sort by - The field to sort by (created, updated, or published). The default is unsorted.
Sort order - The sort order, asc or desc. The default is asc if sort_by is provided.
Account UUID - UUID of the account to filter by.
Archived - Archived status to filter by.
Confidence - Confidence to filter by (low, moderate, high).
Risk - Risk to filter by (low, moderate, high).
Search - Text string to search for in the title and summary.
Status - Status to filter by.
Published start - Published start date to filter by (inclusive), RFC3339 format.
Published end - Published end date to filter by (exclusive), RFC3339 format.
Context output:
Icebrg.Reports.Publishes.UserUuid - User UUID that published the report
Icebrg.Reports.Publishes.Published - Timestamp of published report
Icebrg.Reports.AssetCount - Asset count of report
Icebrg.Reports.IndicatorCount - Indicator count of report
Icebrg.Reports.Archived - True if archived, else false
Icebrg.Reports.Details - Report details
Icebrg.Reports.Summary - Report summary
Icebrg.Reports.Category - Category of the report
Icebrg.Reports.Confidence - Confidence of report
Icebrg.Reports.Risk - Risk of report
Icebrg.Reports.Title - Report title
Icebrg.Reports.Status - Status of report
Icebrg.Reports.AccountUuid - Account UUID of report
Icebrg.Reports.UpdatedUserUuid - User UUID that updated the report
Icebrg.Reports.CreatedUserUuid - User UUID that created the report
Icebrg.Reports.Updated - Timestamp of report update
Icebrg.Reports.Created - Timestamp of report creation
Icebrg.Reports.Uuid - Report UUID
Raw output:
{
  "reports": [{
    "publishes": [{ "user_uuid": "b3fc3df4-d3cf-4202-971c-0dcfe7cccf42", "published": "2017-01-24T10:13:13.418Z" }],
    "asset_count": 1,
    "indicator_count": 5,
    "archived": false,
    "details": "On 21 January, ...",
    "summary": "A host was infected with Cerber ransomware after opening a
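The fetch described at the top of this page (reports with more than one asset, filtered by published date, every 10 minutes) is in effect a windowed call to icebrg-get-reports using its Published start (inclusive) and Published end (exclusive) filters. The following is an added illustration of that logic, written for this page and not the pack's own code: the report shape mirrors the raw output above, the sample reports are constructed, and the one-interval lookback on the first run, the risk-to-severity mapping and all function names are assumptions.

```python
"""Illustrative fetch-incidents logic for ICEBRG reports (added example, not the pack's code).

Assumptions not stated on the page: the fetch runs on a 10-minute schedule, each run
asks the reports API for a [published_start, published_end) window, and the end of the
last window is persisted as the "last run" marker for the next call.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

FETCH_INTERVAL = timedelta(minutes=10)   # page: the fetch runs every 10 minutes
MIN_ASSET_COUNT = 2                      # page: reports "that contain more than one asset"
RISK_TO_SEVERITY = {"low": 1, "moderate": 2, "high": 3}   # assumed mapping to XSOAR severities


def parse_rfc3339(ts: str) -> datetime:
    """Parse an RFC3339 timestamp such as 2017-01-24T10:13:13.418Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def to_rfc3339(dt: datetime) -> str:
    """Format an aware datetime the way the ICEBRG examples show it (UTC, milliseconds, 'Z')."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def published_at(report: dict) -> datetime | None:
    """Most recent publish time of a report, or None if it has never been published."""
    times = [parse_rfc3339(p["published"]) for p in report.get("publishes", [])]
    return max(times) if times else None


def fetch_window(last_run: str | None, now: datetime) -> tuple[str, str]:
    """Return (published_start, published_end) for the next reports call.

    published_start is inclusive and published_end is exclusive, exactly as the
    get-reports arguments state, so a report published at a boundary instant is
    picked up by exactly one run. The first run looks back one interval (assumption).
    """
    start = parse_rfc3339(last_run) if last_run else now - FETCH_INTERVAL
    return to_rfc3339(start), to_rfc3339(now)


def select_reports(reports: list[dict], published_start: str, published_end: str) -> list[dict]:
    """Keep reports published in [start, end) that reference more than one asset."""
    start, end = parse_rfc3339(published_start), parse_rfc3339(published_end)
    chosen = []
    for report in reports:
        when = published_at(report)
        if when is None or not (start <= when < end):
            continue                      # unpublished, or outside this run's window
        if report.get("asset_count", 0) < MIN_ASSET_COUNT:
            continue                      # single-asset reports are not fetched
        chosen.append(report)
    chosen.sort(key=published_at)
    return chosen


def to_incident(report: dict) -> dict:
    """Shape a report as the dict an XSOAR fetch-incidents returns (name/occurred/rawJSON)."""
    return {
        "name": f"ICEBRG report: {report['title']}",
        "occurred": to_rfc3339(published_at(report)),
        "severity": RISK_TO_SEVERITY.get(report.get("risk"), 0),
        "rawJSON": json.dumps(report),
    }


def fetch_incidents(reports: list[dict], last_run: str | None, now: datetime) -> tuple[list[dict], str]:
    """One fetch cycle: compute the window, filter, and return (incidents, next last_run)."""
    start, end = fetch_window(last_run, now)
    chosen = select_reports(reports, start, end)
    # Advance the marker to the window end: start is inclusive and end exclusive,
    # so nothing is fetched twice and nothing published on the boundary is lost.
    return [to_incident(r) for r in chosen], end


# Constructed sample, shaped like the get-reports raw output above (not real data).
SAMPLE_REPORTS = [
    {"uuid": "r-1", "title": "Cerber ransomware infection", "risk": "high",
     "asset_count": 1, "publishes": [{"published": "2017-01-24T10:13:13.418Z"}]},
    {"uuid": "r-2", "title": "Lateral movement via SMB", "risk": "high",
     "asset_count": 3, "publishes": [{"published": "2017-01-24T10:15:00.000Z"}]},
    {"uuid": "r-3", "title": "Beaconing to known C2", "risk": "moderate",
     "asset_count": 2, "publishes": [{"published": "2017-01-24T10:20:00.000Z"}]},
    {"uuid": "r-4", "title": "Draft, unpublished", "risk": "low",
     "asset_count": 5, "publishes": []},
]

if __name__ == "__main__":
    marker = None
    for tick in ("2017-01-24T10:20:00.000Z", "2017-01-24T10:30:00.000Z"):
        incidents, marker = fetch_incidents(SAMPLE_REPORTS, marker, parse_rfc3339(tick))
        print(tick, [i["name"] for i in incidents], "next last_run:", marker)
```

Running the block simulates two consecutive 10-minute fetches: the report published exactly at the first window's end is excluded from that run (exclusive end) and picked up by the next one (inclusive start), the single-asset report is skipped, and the unpublished draft never becomes an incident.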
- icebrg-get-report-assets
Input:
Report UUID (mandatory) - UUID of the report whose assets to retrieve.
Context output:
Icebrg.ReportAssets.Asset - Assets of the report with the given UUID
Raw output:
{
  "assets": [
    { "asset": "10.248.100.74" }
  ]
}
Troubleshooting
This integration was integrated and tested with version 1.3 of ICEBRG.