IronDefense
IronDefense gives users the ability to rate alerts, update alert statuses, add comments to alerts, and to report observed bad activity. This integration was integrated and tested with version xx of IronDefense
Configure IronDefense on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for IronDefense.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- IronAPI Host/IP
- IronAPI Port
- Username
- Request Timeout (Sec)
- Click Test to validate the new instance.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Rate an alert: irondefense-rate-alert
- Add a comment to an alert: irondefense-comment-alert
- Set the status of an alert: irondefense-set-alert-status
- Submit an observed bad endpoint to create Threat Intelligence Rules (TIR): irondefense-report-observed-bad-activity
1. Rate an alert
Rates an IronDefense alert.
Base Command
irondefense-rate-alert
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | The ID of the IronDefense alert. | Required |
| severity | The severity rating of the alert. Can be: "Undecided", "Benign", "Suspicious", "Malicious". | Required |
| expectation | Determines whether the rating was expected. Can be: "Unknown", "Expected", "Unexpected". Use "Unknown" if the rating is undecided. | Required |
| comments | Explains the rating of the alert. | Required |
| share_comment_with_irondome | Whether to share the comment with IronDome. | Required |
Context Output
There are no context output for this command.
2. Add a comment to an alert
Adds a comment to an IronDefense alert.
Base Command
irondefense-comment-alert
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | The ID of the IronDefense alert. | Required |
| comment | Explains the rating of the alert. | Required |
| share_comment_with_irondome | Whether to share the comment with IronDome. | Required |
Context Output
There are no context output for this command.
3. Set the status of an alert
Sets the status of an IronDefense alert.
Base Command
irondefense-set-alert-status
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | The ID of the IronDefense alert. | Required |
| status | The alert status to set. Can be: "Awaiting Review", "Under Review", "Closed". | Required |
| comments | Explains the status of the alert. | Required |
| share_comment_with_irondome | Whether to share the comment with IronDome. | Required |
Context Output
There are no context output for this command.
4. Submit an observed bad endpoint to create Threat Intelligence Rules (TIR)
Submits an observed bad endpoint to IronDefense to create Threat Intelligence Rules (TIR).
Base Command
irondefense-report-observed-bad-activity
Input
| Argument Name | Description | Required |
|---|---|---|
| name | The name of the Threat Intelligence Rule (TIR) to be created. | Required |
| description | A description of the observed bad endpoint. | Required |
| ip | The IP address of the observed bad endpoint. | Optional |
| domain | The domain name of the observed bad endpoint. | Optional |
| activity_start_time | The start time of the observed bad activity in RFC 3339 format. | Required |
| activity_end_time | The end time of the observed bad activity in RFC 3339 format. | Required |
Context Output
There are no context output for this command.