IronDefense

IronDefense gives users the ability to rate alerts, update alert statuses, add comments to alerts, and to report observed bad activity. This integration was integrated and tested with version xx of IronDefense

Configure IronDefense on XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for IronDefense.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • IronAPI Host/IP: the hostname or IP address of the IronAPI endpoint.
    • IronAPI Port: the TCP port on which IronAPI listens.
    • Username: the IronAPI account used to authenticate.
    • Request Timeout (Sec): how long, in seconds, to wait for an IronAPI response before the request fails.
  4. Click Test to validate the new instance.

Commands

You can execute these commands from the XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Rate an alert: irondefense-rate-alert
  2. Add a comment to an alert: irondefense-comment-alert
  3. Set the status of an alert: irondefense-set-alert-status
  4. Submit an observed bad endpoint to create Threat Intelligence Rules (TIR): irondefense-report-observed-bad-activity

1. Rate an alert


Rates an IronDefense alert.

Base Command

irondefense-rate-alert

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of the IronDefense alert. | Required |
| severity | The severity rating of the alert. Can be: "Undecided", "Benign", "Suspicious", "Malicious". | Required |
| expectation | Determines whether the rating was expected. Can be: "Unknown", "Expected", "Unexpected". Use "Unknown" if the rating is undecided. | Required |
| comments | Explains the rating of the alert. | Required |
| share_comment_with_irondome | Whether to share the comment with IronDome. | Required |

Context Output

There is no context output for this command.

2. Add a comment to an alert


Adds a comment to an IronDefense alert.

Base Command

irondefense-comment-alert

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of the IronDefense alert. | Required |
| comment | The comment text to add to the alert. | Required |
| share_comment_with_irondome | Whether to share the comment with IronDome. | Required |

Context Output

There is no context output for this command.

3. Set the status of an alert


Sets the status of an IronDefense alert.

Base Command

irondefense-set-alert-status

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of the IronDefense alert. | Required |
| status | The alert status to set. Can be: "Awaiting Review", "Under Review", "Closed". | Required |
| comments | Explains the status of the alert. | Required |
| share_comment_with_irondome | Whether to share the comment with IronDome. | Required |

Context Output

There is no context output for this command.

4. Submit an observed bad endpoint to create Threat Intelligence Rules (TIR)


Submits an observed bad endpoint to IronDefense to create Threat Intelligence Rules (TIR).

Base Command

irondefense-report-observed-bad-activity

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the Threat Intelligence Rule (TIR) to be created. | Required |
| description | A description of the observed bad endpoint. | Required |
| ip | The IP address of the observed bad endpoint. | Optional |
| domain | The domain name of the observed bad endpoint. | Optional |
| activity_start_time | The start time of the observed bad activity in RFC 3339 format. | Required |
| activity_end_time | The end time of the observed bad activity in RFC 3339 format. | Required |

Context Output

There is no context output for this command.
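The four commands above accept free-form arguments from a playbook or automation, and IronAPI only sees them after XSOAR has forwarded the request. The following is an added example, not code from the IronDefense integration pack, showing how an automation can check the documented constraints (required arguments, the fixed value sets for severity, expectation and status, the rule that an undecided rating carries the "Unknown" expectation, and RFC 3339 timestamps with the end no earlier than the start) before calling the command. The allowed values come from the tables above; the function names, the optional executor hook, and every sample value (alert IDs, addresses, timestamps) are assumptions for illustration. Inside XSOAR the executor would be demisto.executeCommand; offline, the validated arguments are simply returned.

```python
"""Client-side checks for the four IronDefense commands documented above.
Added example, not code from the IronDefense pack: value sets and the
RFC 3339 requirement come from the command tables; function names, the
executor hook and all sample values are assumptions."""
from datetime import datetime
from ipaddress import ip_address

SEVERITIES = ("Undecided", "Benign", "Suspicious", "Malicious")
EXPECTATIONS = ("Unknown", "Expected", "Unexpected")
STATUSES = ("Awaiting Review", "Under Review", "Closed")


def _require(args, *names):
    missing = [n for n in names if n not in args or args[n] in (None, "")]
    if missing:
        raise ValueError("missing required argument(s): " + ", ".join(missing))


def _choice(args, name, allowed):
    if args[name] not in allowed:
        raise ValueError(f"{name} must be one of {allowed}, got {args[name]!r}")


def _as_bool(value):
    # XSOAR passes argument values as strings, so accept the usual spellings.
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ("true", "yes", "1"):
        return True
    if text in ("false", "no", "0"):
        return False
    raise ValueError(f"expected a boolean, got {value!r}")


def _rfc3339(value):
    # RFC 3339 timestamps always carry a UTC offset; "Z" is spelled out as
    # "+00:00" so datetime.fromisoformat() accepts it on Python < 3.11.
    try:
        parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        raise ValueError(f"{value!r} is not an RFC 3339 timestamp") from None
    if parsed.tzinfo is None:
        raise ValueError(f"{value!r} lacks the UTC offset RFC 3339 requires")
    return parsed


def validate_rate_alert(args):
    _require(args, "alert_id", "severity", "expectation", "comments",
             "share_comment_with_irondome")
    _choice(args, "severity", SEVERITIES)
    _choice(args, "expectation", EXPECTATIONS)
    # The table above says to use "Unknown" while the rating is undecided.
    if args["severity"] == "Undecided" and args["expectation"] != "Unknown":
        raise ValueError('expectation must be "Unknown" when severity is "Undecided"')
    args["share_comment_with_irondome"] = _as_bool(args["share_comment_with_irondome"])
    return args


def validate_comment_alert(args):
    _require(args, "alert_id", "comment", "share_comment_with_irondome")
    args["share_comment_with_irondome"] = _as_bool(args["share_comment_with_irondome"])
    return args


def validate_set_alert_status(args):
    _require(args, "alert_id", "status", "comments", "share_comment_with_irondome")
    _choice(args, "status", STATUSES)
    args["share_comment_with_irondome"] = _as_bool(args["share_comment_with_irondome"])
    return args


def validate_report_observed_bad_activity(args):
    _require(args, "name", "description", "activity_start_time", "activity_end_time")
    if args.get("ip"):
        ip_address(args["ip"])  # raises ValueError on a malformed address
    start = _rfc3339(args["activity_start_time"])
    end = _rfc3339(args["activity_end_time"])
    if end < start:
        raise ValueError("activity_end_time is earlier than activity_start_time")
    return args


VALIDATORS = {
    "irondefense-rate-alert": validate_rate_alert,
    "irondefense-comment-alert": validate_comment_alert,
    "irondefense-set-alert-status": validate_set_alert_status,
    "irondefense-report-observed-bad-activity": validate_report_observed_bad_activity,
}


def run(command, args, execute=None):
    """Validate args for `command`; pass execute=demisto.executeCommand inside
    XSOAR, or leave it None to get the validated arguments back (offline)."""
    if command not in VALIDATORS:
        raise ValueError(f"unknown IronDefense command {command!r}")
    validated = VALIDATORS[command](dict(args))
    return validated if execute is None else execute(command, validated)


def rejects(command, args):
    """True if `command` refuses `args`; used to exercise the rules above."""
    try:
        run(command, args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input, not from a real IronDefense deployment.
    print(run("irondefense-rate-alert", {
        "alert_id": "alert-123", "severity": "Malicious",
        "expectation": "Unexpected", "comments": "C2 beaconing confirmed",
        "share_comment_with_irondome": "true"}))
    print(rejects("irondefense-report-observed-bad-activity", {
        "name": "bad-host", "description": "beacon target", "ip": "203.0.113.7",
        "activity_start_time": "2024-03-01T10:00:00Z",
        "activity_end_time": "2024-03-01T09:00:00Z"}))
```

From the War Room the same calls are typed directly, for example `!irondefense-rate-alert alert_id=alert-123 severity=Malicious expectation=Unexpected comments="C2 beaconing confirmed" share_comment_with_irondome=true`; the checks above matter mainly in playbooks, where the arguments arrive from context and a typo in a status or a naive timestamp would otherwise only surface as an error from IronAPI.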