
# Picus Security

This Integration is part of the PicusAutomation Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Run commands on Picus and automate security validation with playbooks. This integration was integrated and tested with version 3976 of Picus.

## Configure Picus on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Picus.
3. Click Add instance to create and configure a new integration instance.

   | Parameter | Description | Required |
   | --- | --- | --- |
   | Picus Manager URL | | True |
   | Picus Refresh Token | The refresh token is used to generate the access token. | True |
   | Trust any certificate (not secure) | | False |
   | Use system proxy settings | | False |

4. Click Test to validate the URL, token, and connection.

Leave Trust any certificate (not secure) disabled unless the Picus Manager presents a certificate that XSOAR cannot validate: with it enabled, the refresh token is sent to whatever answers at the configured URL, and that token is all that is needed to mint access tokens.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### picus-get-access-token

Generates an access token for API usage. The other commands use it internally for their own authentication. The Picus API looks for the refresh token in the X-Refresh-Token header or in the refresh-token cookie.

#### Base Command

`picus-get-access-token`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.
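The refresh-token to access-token exchange described above, written as an added example (this is not the integration's own code). Only the X-Refresh-Token header name comes from this page; the token endpoint path, the response fields (`token`, `expires_in`) and the `Bearer` scheme are placeholders assumed for illustration. The HTTP call is injected so the flow runs offline against a stand-in server; the point is that the long-lived refresh token is sent only to the token endpoint and a short-lived access token is cached and re-issued for every other call.

```python
import time
from typing import Any, Callable, Dict, List, Optional

# Assumed values (not from the Picus documentation): the endpoint path and the
# response fields. Only the X-Refresh-Token header name is taken from the page.
TOKEN_PATH = "/v1/auth/token"  # placeholder


class PicusTokenClient:
    """Caches an access token minted from a long-lived refresh token.

    `send(url, headers)` performs the HTTP request and returns the parsed JSON
    body; it is injected so the class can be exercised without a network.
    """

    def __init__(self, manager_url: str, refresh_token: str,
                 send: Callable[[str, Dict[str, str]], Dict[str, Any]],
                 clock: Callable[[], float] = time.time, skew_seconds: int = 30):
        self._url = manager_url.rstrip("/") + TOKEN_PATH
        self._refresh_token = refresh_token
        self._send = send
        self._clock = clock
        self._skew = skew_seconds
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def access_token(self) -> str:
        """Return the cached token, or exchange the refresh token for a new one."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            # The refresh token travels in the X-Refresh-Token header, as the page states.
            body = self._send(self._url, {"X-Refresh-Token": self._refresh_token})
            self._token = body["token"]
            self._expires_at = now + float(body["expires_in"])
        return self._token

    def auth_headers(self) -> Dict[str, str]:
        """Headers for ordinary API calls: only the short-lived token is attached."""
        return {"Authorization": "Bearer " + self.access_token()}


class FakeTokenServer:
    """Stand-in for the token endpoint so the example runs offline."""

    def __init__(self, ttl: int = 3600, expected_refresh: str = "demo-refresh-token"):
        self.calls = 0
        self.ttl = ttl
        self.expected_refresh = expected_refresh
        self.seen_headers: List[Dict[str, str]] = []

    def __call__(self, url: str, headers: Dict[str, str]) -> Dict[str, Any]:
        self.calls += 1
        self.seen_headers.append(dict(headers))
        if headers.get("X-Refresh-Token") != self.expected_refresh:
            raise PermissionError("refresh token rejected")
        return {"token": "access-%d" % self.calls, "expires_in": self.ttl}


def demo():
    """Three API calls: the first mints a token, the second reuses it, the third
    (after the token expired) triggers a second exchange."""
    fake_now = [1_000_000.0]
    server = FakeTokenServer(ttl=600)
    client = PicusTokenClient("https://picus.example.internal", "demo-refresh-token",
                              server, clock=lambda: fake_now[0])
    first = client.auth_headers()
    second = client.auth_headers()   # cached; no new exchange
    fake_now[0] += 600               # past expiry (and the safety skew)
    third = client.auth_headers()    # refreshed
    return first, second, third, server.calls


if __name__ == "__main__":
    print(demo())
```

Treat the refresh token as you would a password: store it only in the integration instance's credential field, never log the X-Refresh-Token header, and rotate it in Picus if an XSOAR export or backup that contains it leaves the platform.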

### picus-get-vector-list

Returns the vector list from Picus. These vectors can be used in automation processes.

#### Base Command

`picus-get-vector-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| add_user_details | Add the vectors' assigned user details to the response. | Optional |
| page | Requested page number. | Optional |
| size | Requested page size. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Picus.vectorlist.description | String | Description of the vector |
| Picus.vectorlist.heartbeat_results.is_successful | Boolean | Whether the heartbeat completed successfully |
| Picus.vectorlist.heartbeat_results.module | String | Module on which the heartbeat executed |
| Picus.vectorlist.heartbeat_results.result_time | Date | When the heartbeat finished (end time) |
| Picus.vectorlist.heartbeat_results.variant | String | Variant on which the heartbeat executed |
| Picus.vectorlist.is_disabled | Boolean | Whether the vector is disabled |
| Picus.vectorlist.name | String | Name of the vector |
| Picus.vectorlist.trusted | String | Trusted peer name |
| Picus.vectorlist.type | String | Type of the vector: "Network", "Email" or "Endpoint". If an error is encountered, "Unknown" is returned. |
| Picus.vectorlist.untrusted | String | Untrusted peer name |
| Picus.vectorlist.users | Unknown | Users assigned to this vector |

#### Command Example

`!picus-get-vector-list`

#### Human Readable Output

| Name | Trusted | Untrusted | Is Disabled | Type |
| --- | --- | --- | --- | --- |
| Picus_Attacker_1 - Win10-Det1 | Win10-Det1 | Picus_Attacker_1 | true | Endpoint |
| Picus_Attacker_2 - Win10-Det2 | Win10-Det2 | Picus_Attacker_2 | true | Endpoint |

### picus-get-peer-list

Returns the peer list with current statuses. These peers can also be seen in the Picus Panel under Settings > Peers.

#### Base Command

`picus-get-peer-list`

#### Input

There are no input arguments for this command.

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Picus.peerlist.is_alive | Boolean | Whether the peer is alive |
| Picus.peerlist.latest_attack | Date | Time of the peer's latest attack |
| Picus.peerlist.name | String | Peer name |
| Picus.peerlist.registered_ip | String | IP address of the peer |
| Picus.peerlist.type | String | Peer type |

#### Command Example

`!picus-get-peer-list`

#### Human Readable Output

| Name | Registered IP | Type | Is Alive |
| --- | --- | --- | --- |
| Picus_Attacker_1 | x.x.x.x | Network | true |
| Picus_Attacker_2 | x.x.x.x | Network | true |
| Win10-Det2 | x.x.x.x | Endpoint | true |

### picus-get-attack-results

In Picus, every attack is carried out between an attacker (untrusted) peer and a victim (trusted) peer. This command returns the attack results for the specified peer pair. A time range (days) and a result status can be given to narrow the list.

#### Base Command

`picus-get-attack-results`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| attacker_peer | Untrusted peer name. | Required |
| victim_peer | Trusted peer name. | Required |
| days | Number of days to look back. Default is 3. | Optional |
| result | Result filter: one of insecure, secure, all. Default is all. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Picus.attackresults.results.threat_ids | String | Threat ID list |
| Picus.attackresults.results.begin_time | Date | Begin time of the attack |
| Picus.attackresults.results.destination_port | Number | Destination port. The value 0 means not applicable (all vector types except Network) |
| Picus.attackresults.results.end_time | Date | End time of the attack |
| Picus.attackresults.results.id | Number | ID |
| Picus.attackresults.results.l1_category_name | String | Level 1 category name of the attack |
| Picus.attackresults.results.scenario_details.action_id | Number | Action ID of the threat scenario action |
| Picus.attackresults.results.scenario_details.action_name | String | Action name of the threat scenario action |
| Picus.attackresults.results.scenario_details.end | Date | The time the attack ended |
| Picus.attackresults.results.scenario_details.id | Number | Primary key |
| Picus.attackresults.results.scenario_details.process_results | Unknown | Process results (play and rewind) |
| Picus.attackresults.results.scenario_details.result | String | Final result of the scenario action |
| Picus.attackresults.results.scenario_details.technique_id | String | Technique ID of the threat scenario action |
| Picus.attackresults.results.source_port | Number | Source port. The value 0 means not applicable (all vector types except Network and wats attacks) |
| Picus.attackresults.results.string | String | Attack result |
| Picus.attackresults.results.threat_id | Number | Threat ID of the attack |
| Picus.attackresults.results.threat_name | String | Threat name of the attack |
| Picus.attackresults.results.trusted | String | Trusted peer name |
| Picus.attackresults.results.untrusted | String | Untrusted peer name |
| Picus.attackresults.results.variant | String | Variant info |

#### Command Example

`!picus-get-attack-results attacker_peer="Picus_Attacker_1" victim_peer="net1-det1" days=1 result="insecure"`

#### Human Readable Output

| Begin Time | End Time | String | Threat Id | Threat Name |
| --- | --- | --- | --- | --- |
| 2021-09-16T23:59:54.738644627Z | 2021-09-16T23:59:54.753408649Z | Insecure | 206450 | HTML5 Web Storage Sensitive Data Exposure |
| 2021-09-16T23:52:52.022470123Z | 2021-09-16T23:52:52.077736344Z | Insecure | 206111 | Zeus PandaBanker Trojan .EXE File Download Variant-11 |

### picus-run-attacks

In Picus, every attack is carried out between an attacker (untrusted) peer and a victim (trusted) peer. This command schedules the attacks for the given threat IDs on the requested vector (attacker peer, victim peer and variant).

#### Base Command

`picus-run-attacks`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_ids | Threat ID list ("111,222,333,...") or a single threat ID. | Required |
| attacker_peer | Untrusted peer name. | Required |
| victim_peer | Trusted peer name. | Required |
| variant | HTTP or HTTPS. Example: variant=HTTP | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Picus.runattacks | String | IDs of the assessed attacks |

#### Command Example

`!picus-run-attacks attacker_peer="Picus_Attacker_1" victim_peer="net1-det1" threat_ids="881728,879812,798283" variant="HTTP"`

#### Human Readable Output

| Threat Id | Result |
| --- | --- |
| 881728 | success |
| 879812 | success |
| 798283 | success |

### picus-get-threat-results

Returns the latest attack result for each of the given threat IDs on the specified peer pair and variant.

#### Base Command

`picus-get-threat-results`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_ids | Threat ID list ("111,222,333,...") or a single threat ID. | Required |
| attacker_peer | Untrusted peer name. | Required |
| victim_peer | Trusted peer name. | Required |
| variant | HTTP or HTTPS. Example: variant=HTTP | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Picus.threatresults.results.threat_results | String | Threat results (ID and result combination) |
| Picus.threatresults.results.l1_category | String | Level 1 category name of the attack |
| Picus.threatresults.results.last_time | Date | Time of the last threat result |
| Picus.threatresults.results.result | String | Threat result |
| Picus.threatresults.results.status | String | Status |
| Picus.threatresults.results.threat_id | Number | Threat ID of the attack |

#### Command Example

`!picus-get-threat-results attacker_peer="Picus_Attacker_1" victim_peer="net1-det1" variant="HTTP" threat_ids="562172"`

#### Human Readable Output

| Threat Id | Result | L1 Category | Last Time | Status |
| --- | --- | --- | --- | --- |
| 562172 | Secure | Vulnerability Exploitation | 2021-09-16T13:26:00.932298Z | success |

### picus-set-paramPB

Sets the parameters used by the playbook and stores them under Picus.param. (This command is only used in the playbook.)

#### Base Command

`picus-set-paramPB`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| attacker_peer | Untrusted peer name. | Required |
| victim_peer | Trusted peer name. | Required |
| variant | HTTP or HTTPS. Example: variant=HTTP | Required |
| mitigation_product | Mitigation product. One of: Check Point NGFW, ForcepointNGFW, McAfee IPS, PaloAlto IPS, SourceFire IPS, TippingPoint, F5 BIG-IP, Fortigate WAF, FortiWeb, Fortigate IPS, Snort, CitrixWAF, ModSecurity. | Required |
| days | Number of days to look back. Default is 3. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Picus.param.attacker_peer | String | Untrusted peer name |
| Picus.param.days | Number | Days |
| Picus.param.mitigation_product | String | Mitigation product |
| Picus.param.variant | String | HTTP or HTTPS. Example: variant=HTTP |
| Picus.param.victim_peer | String | Trusted peer name |

### picus-filter-insecure-attacks

Filters the insecure attacks out of a set of threat results. (This command is only used in the playbook.)

#### Base Command

`picus-filter-insecure-attacks`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threatinfo | Combined threat ID and result data (the threat_results value returned by picus-get-threat-results). Used by the playbook. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Picus.filterinsecure | String | Insecure attack list |

### picus-get-mitigation-list

Returns the mitigation signatures of the given threats for the given product. Depending on your license, this route may not be available.

#### Base Command

`picus-get-mitigation-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_ids | Threat ID list ("111,222,333,...") or a single threat ID. | Required |
| product | Mitigation product. One of: Check Point NGFW, ForcepointNGFW, McAfee IPS, PaloAlto IPS, SourceFire IPS, TippingPoint, F5 BIG-IP, Fortigate WAF, FortiWeb, Fortigate IPS, Snort, CitrixWAF, ModSecurity. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Picus.mitigationresults.signature_id | String | ID of the signature |
| Picus.mitigationresults.signature_name | String | Name of the signature |
| Picus.mitigationresults.threat_id | Number | Threat ID of the Picus attack |
| Picus.mitigationresults.vendor | String | Product name of the mitigation |

#### Command Example

`!picus-get-mitigation-list threat_ids="103847" product="Snort"`

#### Human Readable Output

| Threat Id | Signature Id | Signature Name |
| --- | --- | --- |
| 103847 | 1.2025644.1 | ET TROJAN Possible Metasploit Payload Common Construct Bind_API (from server) |
| 103847 | 1.44728.3 | INDICATOR-COMPROMISE Meterpreter payload download attempt |
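The glue a playbook needs between picus-get-threat-results, picus-filter-insecure-attacks and picus-get-mitigation-list, as an added example that is not the pack's own code. Field names follow the context paths on this page (threat_id, result, status, vendor, signature_id, signature_name); the exact encoding of the "ID and result combination" is not documented here, so the example assumes a list of records. The threat results are constructed sample data (562172 is the ID from the page's example), and the mitigation rows are the Snort rows from the example output above. The choice to ignore runs whose status is not "success" is the example's own: a simulation that failed to run is not evidence that a control missed the attack.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape of Picus.threatresults.results. Only 562172 is
# taken from this page; the other IDs and the "error" status are illustrative.
SAMPLE_THREAT_RESULTS = [
    {"threat_id": 562172, "result": "Secure",   "status": "success"},
    {"threat_id": 206450, "result": "Insecure", "status": "success"},
    {"threat_id": 206111, "result": "insecure", "status": "success"},
    {"threat_id": 206450, "result": "Insecure", "status": "success"},  # repeated run, same verdict
    {"threat_id": 881728, "result": "Insecure", "status": "error"},    # failed run: not a finding
]

# Rows from the page's picus-get-mitigation-list example (product Snort).
SAMPLE_MITIGATIONS = [
    {"threat_id": 103847, "vendor": "Snort", "signature_id": "1.2025644.1",
     "signature_name": "ET TROJAN Possible Metasploit Payload Common Construct Bind_API (from server)"},
    {"threat_id": 103847, "vendor": "Snort", "signature_id": "1.44728.3",
     "signature_name": "INDICATOR-COMPROMISE Meterpreter payload download attempt"},
]


def filter_insecure(threat_results: Iterable[Dict]) -> List[int]:
    """Distinct threat IDs whose completed run was insecure (what
    picus-filter-insecure-attacks produces for the playbook)."""
    ids = set()
    for row in threat_results:
        if str(row.get("status", "")).lower() != "success":
            continue  # assumption of this example: only completed runs count
        if str(row.get("result", "")).lower() == "insecure":
            ids.add(int(row["threat_id"]))
    return sorted(ids)


def threat_ids_argument(ids: Iterable[int]) -> str:
    """Format IDs the way the threat_ids argument expects: "111,222,333"."""
    return ",".join(str(i) for i in ids)


def signatures_by_threat(mitigations: Iterable[Dict], product: str) -> Dict[int, List[Tuple[str, str]]]:
    """Group one product's signatures (id, name) by threat ID."""
    grouped: Dict[int, List[Tuple[str, str]]] = {}
    for m in mitigations:
        if m["vendor"] != product:
            continue
        grouped.setdefault(int(m["threat_id"]), []).append((m["signature_id"], m["signature_name"]))
    return grouped


def unmitigated(insecure_ids: Iterable[int], grouped: Dict[int, List[Tuple[str, str]]]) -> List[int]:
    """Insecure threats for which the product offers no signature: the gap the
    analyst has to close by hand rather than by enabling a vendor rule."""
    return [i for i in insecure_ids if i not in grouped]


if __name__ == "__main__":
    insecure = filter_insecure(SAMPLE_THREAT_RESULTS)
    print("threat_ids for picus-get-mitigation-list:", threat_ids_argument(insecure))
    snort = signatures_by_threat(SAMPLE_MITIGATIONS, "Snort")
    print("no Snort signature for:", unmitigated(insecure + [103847], snort))
```

Feed the string from threat_ids_argument to picus-get-mitigation-list together with the product name stored in Picus.param.mitigation_product, and route the IDs returned by unmitigated to a manual review task; a threat that is both insecure and without a vendor signature should not close silently.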

### picus-get-vector-compare

Compares the given vector's attack results over the requested time window and reports each threat as secure, insecure, changed from secure to insecure, or changed from insecure to secure.

#### Base Command

`picus-get-vector-compare`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| attacker_peer | Untrusted peer name. | Required |
| victim_peer | Trusted peer name. | Required |
| days | Number of days to look back. Default is 3. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Picus.vectorresults.name | String | Name of the Picus attack |
| Picus.vectorresults.status | String | Compare result |
| Picus.vectorresults.threat_id | String | Threat ID of the Picus attack |

#### Command Example

`!picus-get-vector-compare attacker_peer="Picus_Attacker_1" victim_peer="net1-det1"`

#### Human Readable Output

| Status | Threat Id | Name |
| --- | --- | --- |
| secure | 204923 | XSS Evasion via HTML Encoding Variant-4 |
| insecure | null | null |
| secure_to_insecures | null | null |
| insecure_to_secures | null | null |
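How a before/after comparison of a vector's results can be computed, as an added example (not Picus code) that reproduces the four outcomes in the table above. The windowing rule is an assumption: the latest result per threat in the last `days` days is compared with the latest result in the `days` days before that, so a threat seen only in the older window is not reported. The status labels are the example's own (singular forms of the labels shown above). Rows follow Picus.attackresults.results (threat_id, threat_name, string, end_time); the first three threats are from this page's examples, the rest are constructed. The parser also handles the nanosecond timestamps Picus emits, which Python's datetime cannot read unmodified.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

SECURE, INSECURE = "secure", "insecure"
SECURE_TO_INSECURE, INSECURE_TO_SECURE = "secure_to_insecure", "insecure_to_secure"


def parse_picus_time(value: str) -> datetime:
    """Parse timestamps such as 2021-09-16T23:59:54.738644627Z.

    Picus reports nanosecond fractions; datetime only stores microseconds, so the
    fraction is truncated to six digits before parsing. Only UTC ("Z") is accepted.
    """
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z: %r" % value)
    body = value[:-1]
    micro = 0
    if "." in body:
        body, frac = body.split(".", 1)
        micro = int((frac + "000000")[:6])
    base = datetime.strptime(body, "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micro, tzinfo=timezone.utc)


def _latest_per_threat(results: Iterable[Dict], start: datetime, end: datetime):
    """Latest (time, state, name) per threat for results with start <= end_time < end."""
    latest: Dict[int, Tuple[datetime, str, str]] = {}
    for r in results:
        t = parse_picus_time(r["end_time"])
        if not (start <= t < end):
            continue
        state = str(r["string"]).lower()
        if state not in (SECURE, INSECURE):
            raise ValueError("unexpected attack result %r for threat %s" % (r["string"], r["threat_id"]))
        tid = int(r["threat_id"])
        if tid not in latest or t > latest[tid][0]:
            latest[tid] = (t, state, r["threat_name"])
    return latest


def compare_vector(results: Iterable[Dict], now: datetime, days: int = 3) -> Dict[str, List[Tuple[int, str]]]:
    """Classify every threat seen in the current window against the previous one."""
    rows = list(results)
    window = timedelta(days=days)
    current = _latest_per_threat(rows, now - window, now)
    previous = _latest_per_threat(rows, now - 2 * window, now - window)
    out: Dict[str, List[Tuple[int, str]]] = {SECURE: [], INSECURE: [], SECURE_TO_INSECURE: [], INSECURE_TO_SECURE: []}
    for tid, (_, cur_state, name) in current.items():
        prev = previous.get(tid)
        prev_state = prev[1] if prev else None
        if prev_state == SECURE and cur_state == INSECURE:
            status = SECURE_TO_INSECURE   # a control regressed: the row an analyst must see first
        elif prev_state == INSECURE and cur_state == SECURE:
            status = INSECURE_TO_SECURE
        else:
            status = cur_state
        out[status].append((tid, name))
    for bucket in out.values():
        bucket.sort()
    return out


NOW = datetime(2021, 9, 17, 0, 0, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample rows; IDs 204923, 206450 and 206111 come from this page.
SAMPLE_RESULTS = [
    {"threat_id": 204923, "threat_name": "XSS Evasion via HTML Encoding Variant-4", "string": "Secure", "end_time": "2021-09-15T10:00:00Z"},
    {"threat_id": 204923, "threat_name": "XSS Evasion via HTML Encoding Variant-4", "string": "Secure", "end_time": "2021-09-16T10:00:00.000001Z"},
    {"threat_id": 206450, "threat_name": "HTML5 Web Storage Sensitive Data Exposure", "string": "Secure", "end_time": "2021-09-15T12:00:00Z"},
    {"threat_id": 206450, "threat_name": "HTML5 Web Storage Sensitive Data Exposure", "string": "Insecure", "end_time": "2021-09-16T23:59:54.753408649Z"},
    {"threat_id": 206111, "threat_name": "Zeus PandaBanker Trojan .EXE File Download Variant-11", "string": "Insecure", "end_time": "2021-09-15T12:00:00Z"},
    {"threat_id": 206111, "threat_name": "Zeus PandaBanker Trojan .EXE File Download Variant-11", "string": "Secure", "end_time": "2021-09-16T23:52:52.077736344Z"},
    {"threat_id": 900001, "threat_name": "constructed-threat", "string": "Secure", "end_time": "2021-09-16T08:00:00Z"},
    {"threat_id": 900001, "threat_name": "constructed-threat", "string": "Insecure", "end_time": "2021-09-16T13:26:00.932298Z"},  # latest run wins
    {"threat_id": 900002, "threat_name": "constructed-stale", "string": "Insecure", "end_time": "2021-09-14T09:00:00Z"},  # outside both windows
]

if __name__ == "__main__":
    for status, entries in compare_vector(SAMPLE_RESULTS, NOW, days=1).items():
        print(status, entries)
```

The secure_to_insecure bucket is the one worth alerting on: it means a control that blocked a threat in the previous window no longer does, which is usually a rule, policy or sensor change rather than a new threat.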

### picus-version

Returns the current Picus version and the configured update time.

#### Base Command

`picus-version`

#### Input

There are no input arguments for this command.

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Picus.versioninfo.last_update_date | Date | Date of the last update |
| Picus.versioninfo.update_time | Number | Configured update time |
| Picus.versioninfo.version | Number | Current version |

#### Command Example

`!picus-version`

#### Human Readable Output

| Version | Update Time | Last Update Date |
| --- | --- | --- |
| 4025 | 0 | 20.10.2021 |

### picus-trigger-update

Triggers the Picus product update mechanism manually.

#### Base Command

`picus-trigger-update`

#### Input

There are no input arguments for this command.

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Picus.triggerupdate.data | Boolean | Data returned by the update call |
| Picus.triggerupdate.success | Boolean | Whether the operation succeeded |

#### Command Example

`!picus-trigger-update`

#### Human Readable Output

| Data | Success |
| --- | --- |
| true | true |