Pentera
Overview
Integration with Pcysys. This integration was integrated and tested with version 3.3.2 of Pentera by Pcysys
Pcysys Playbook
Use Cases
Integration Use Cases:
- Integrate PenTera’s Automated Penetration Testing findings within Demisto for playbook-driven enrichment and response
- Address penetration testing findings, prioritize, and automate response tasks
- Leverage Demisto’s third-party product integrations
Use Case #1: Automate Dynamic Vulnerability Alerts - Password Policy Challenge: Password policies are a continuous undertaking that organizations need to review regularly. Solution: With the Demisto-PenTera integration, PenTera can continuously validate the effectiveness of enterprise passwords and take action on easily crackable passwords with focus on high privileged accounts. Once PenTera flags a password that doesn’t meet the standard, automated playbooks through Demisto take action and remediate the vulnerability based on corporate policy.
Use Case #2: Automated real-time validation for critical vulnerabilities Challenge: Continuous security validation is critical for the ongoing cyber hygiene of an organization’s network. However, critical vulnerabilities require on-demand testing as they influence many components of the network. Security teams struggle with prioritizing remediation and understanding the true impact vulnerabilities have on their specific network. Solution: After running automated single-action tests for critical vulnerabilities, the Demisto integration allows security teams to automate the response process based on the findings. For example, PenTera discovers the vulnerability of different components of the network, e.g a server or an endpoint. The latter is a simpler fix that should go through one workflow, perhaps even be automatically remediated, while the first, a much more complex process, will create a high-risk task in the relevant workflow, automatically prioritizing the response tasks based on business impact severity.
Configure Pentera on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for Pentera.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g. https://192.168.64.128)
- Pentera API port
- TGT (The token from Pentera UI in Administration -> API Clients)
- Client Id
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- pentera-run-template-by-name
- pentera-get-task-run-status
- pentera-get-task-run-full-action-report
1. pentera-run-template-by-name
Run a specific template by its name. Please add the template name in the parameters
Required Permissions
Operator and admin users
Base Command
pentera-run-template-by-name
Input
Argument Name | Description | Required |
---|---|---|
template_name | The name of the template that you want to run | Required |
Context Output
Path | Type | Description |
---|---|---|
Pentera.TaskRun.TemplateName | String | Returns the name of the template |
Pentera.TaskRun.ID | String | The task run id |
Pentera.TaskRun.StartTime | Date | The date when the task run started |
Pentera.TaskRun.EndTime | Date | The date when the task run ended |
Pentera.TaskRun.Status | String | The status of the task run; e.g.: 'Running', 'Pending', 'Failed', 'Cleaning up', 'Canceled', 'Done', 'Warning', 'Aborted (exceeded max hosts limit)'. |
Command Example
!pentera-run-template-by-name template_name="Test Template for Playbook"
Context Example
Human Readable Output
Test Template for Playbook
ID | StartTime | Status | TemplateName |
---|---|---|---|
2020-02-13 17:32:45Z | 5e45883d1deb8eda82b1eed5 | '2020-02-13T17:32:45Z' | Running |
Integration log: Full Integration Log: Got command: pentera-run-template-by-name result is JSON Parsed JSON Response: {'ID': '5e45883d1deb8eda82b1eed5', 'TemplateName': 'Test Template for Playbook', 'StartTime': '2020-02-13T17:32:45Z', 'EndTime': None, 'Status': 'Running'} Parsed JSON Response: {'ID': '5e45883d1deb8eda82b1eed5', 'TemplateName': 'Test Template for Playbook', 'StartTime': '2020-02-13T17:32:45Z', 'EndTime': None, 'Status': 'Running'}
2. pentera-get-task-run-status
Get the status of a task run by its task run id
Required Permissions
Operator and admin users
Base Command
pentera-get-task-run-status
Input
Argument Name | Description | Required |
---|---|---|
task_run_id | The ID of the task run | Required |
Context Output
Path | Type | Description |
---|---|---|
Pentera.TaskRun.ID | String | The task run id |
Pentera.TaskRun.TemplateName | String | Returns the name of the template |
Pentera.TaskRun.StartTime | Date | The date when the task run started |
Pentera.TaskRun.EndTime | Date | The date when the task run ended |
Pentera.TaskRun.Status | String | The status of the task run; e.g.: 'Running', 'Pending', 'Failed', 'Cleaning up', 'Canceled', 'Done', 'Warning', 'Aborted (exceeded max hosts limit)'. |
Command Example
Context Example
Human Readable Output
Test Template for Playbook: Done
EndTime | ID | StartTime | Status | TemplateName |
---|---|---|---|---|
2020-02-13 17:10:58Z | 1581614052321.0 | 5e4583221deb8eda82b195c5 | 1581613858961.0 | Done |
Integration log: Full Integration Log: Got command: pentera-get-task-run-status result is JSON Parsed JSON Response: {'ID': '5e4583221deb8eda82b195c5', 'TemplateName': 'Test Template for Playbook', 'StartTime': '2020-02-13T17:10:58Z', 'EndTime': '2020-02-13T19:14:12Z', 'Status': 'Done'}
3. pentera-get-task-run-full-action-report
Get the full action report of a task run
Fieldnames: 'Severity', 'Time', 'Duration', 'Operation Type', 'Techniques', 'Parameters', 'Status'
Severity:
- Low: [0: 2.5)
- Medium: [2.5: 5)
- High: [5: 7.5)
- Critical: [7.5: 10]
Duration:
In milliseconds
Status:
'Running', 'Pending', 'Failed', 'Cleaning up', 'Canceled', 'Done', 'Warning', 'Aborted (exceeded max hosts limit)'.
Required Permissions
User view, operator and admin users
Base Command
pentera-get-task-run-full-action-report
Input
Argument Name | Description | Required |
---|---|---|
task_run_id | The ID of the task run | Required |
Context Output
Path | Type | Description |
---|---|---|
Pentera.TaskRun.ID | String | The task run id |
Pentera.TaskRun.TemplateName | String | Returns the name of the template |
Pentera.TaskRun.StartTime | Date | The date when the task run started |
Pentera.TaskRun.EndTime | Date | The date when the task run ended |
Pentera.TaskRun.Status | String | The status of the task run; e.g.: 'Running', 'Pending', 'Failed', 'Cleaning up', 'Canceled', 'Done', 'Warning', 'Aborted (exceeded max hosts limit)'. |
Pentera.TaskRun.FullActionReport | String | The full action report of the task run |
Command Example
Context Example
Human Readable Output
Pentera Report for TaskRun ID 5e4583221deb8eda82b195c5### # Pentera Report for TaskRun ID 5e4583221deb8eda82b195c5
Duration | Operation Type | Parameters | Severity | Status | Techniques | Time |
---|---|---|---|---|---|---|
31578 | BlueKeep (CVE-2019-0708) Vulnerability Discovery | Host: 192.168.1.2 | no results | Network Service Scanning(T1046) | 13/02/2020, 17:11:59 | |
31618 | BlueKeep (CVE-2019-0708) Vulnerability Discovery | Host: 192.168.1.1 | no results | Network Service Scanning(T1046) | 13/02/2020, 17:12:01 |
Integration log: Full Integration Log: Got command: pentera-get-task-run-full-action-report result is TEXT