Preempt (Deprecated)
This integration is part of the Deprecated pack.
Overview
Deprecated. No available replacement.
Use the Preempt integration to eliminate security breaches and internal threats. Preempt is an Adaptive Threat Prevention platform based on identity, behavior, and risk.
This integration was integrated and tested with Preempt v2.3.1086.
Use Cases
- Enable multi-factor authentication (MFA).
- Retrieve user activities and the endpoints used by users.
- Retrieve alerts from the Preempt platform.
Prerequisites
You need to obtain the following Preempt information.
- Server address
- API key
Get Your Preempt API Key
- Log in to the Preempt platform.
- Navigate to Administration > System > Settings > API Keys.
- Enable the API Token option.
- Create a token for Cortex XSOAR if one was not already created.
- Click the link icon on the row for the token. The API key is copied to your clipboard; you will paste it when configuring the integration in Cortex XSOAR.
Configure the Preempt Integration on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Preempt.
- Click Add instance to create and configure a new integration instance.
  - Name: a textual name for the integration instance.
  - Preempt server address: for example, https://192.168.0.1
  - API key: paste the token that you copied.
  - Days to look back
  - Client Secret
  - Refresh Token
- Click Test to validate the URLs and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Add an account to the watch list: preempt-add-to-watch-list
- Remove an account from the watch list: preempt-remove-from-watch-list
- Retrieve User Activities: preempt-get-activities
- Retrieve User Endpoints: preempt-get-user-endpoints
- Retrieve User Alerts: preempt-get-alerts
Add an account to the watch list: preempt-add-to-watch-list
Add a user account to the Preempt watch list.
Input
Parameter | Description
--- | ---
accountObjectGuid | Object GUID of the user account to add to the watch list
Output
There is no output for this command.
Remove an account from the watch list: preempt-remove-from-watch-list
Remove a user account from the Preempt watch list.
Input
Parameter | Description
--- | ---
accountObjectGuid | Object GUID of the user account to remove from the watch list
Output
There is no output for this command.
Retrieve User Activities: preempt-get-activities
Retrieve the activities and the activity data for a specific user.
Command Example
!preempt-get-activities sourceUserId="userID" types="LOGIN" numOfHours="48"
Input
Parameter | Description
--- | ---
sourceUserId | ID of the user whose activities you want to retrieve
types | List of specific incident types (comma delimited)
endTime | End of the search window, for example: 2012-03-04 12:08:12.354
numOfHours | Number of hours to search back (from the endTime)
Context Output
Path | Description
--- | ---
Preempt.Activities.EndpointHostName | Hostname of the activity's endpoint
Preempt.Activities.EventType | Activity type
Preempt.Activities.AuthenticationType | Authentication type
Preempt.Activities.Timestamp | Activity's date and time
Preempt.Activities.Cursor | Cursor of the last retrieved activity, for pagination
Raw Output
```json
{
  "Preempt": {
    "Activities": [
      {
        "AuthenticationType": "DOMAIN_LOGIN",
        "EndpointHostName": "xxxxxx.xxxxx.xxx",
        "EventType": "SUCCESSFUL_AUTHENTICATION",
        "Timestamp": "2018-03-11T12:41:00.000Z"
      }
    ]
  }
}
```
Retrieve User Endpoints: preempt-get-user-endpoints
Retrieve the endpoints used by a specific user.
Input
Parameter | Description
--- | ---
sourceUserId | ID of the user whose endpoints you want to retrieve
Context Output
Path | Description
--- | ---
Endpoint.Hostname | Hostname of the endpoint
Endpoint.ID | Object GUID of the computer account
Endpoint.PrimaryDisplayName | Computer's display name in Active Directory (AD)
Endpoint.IsOwnedByUser | Indicates whether the user owns this endpoint (boolean)
Endpoint.IPAddress | Last IP address associated with the endpoint, as detected by the system
Endpoint.StaticIpAddresses | Static IP addresses that have been associated with the endpoint
Raw Output
```json
{
  "Preempt": {
    "Endpoint": [
      {
        "HostName": "xxxxxx.xx.xxx",
        "Id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
        "IsOwnedByUser": true,
        "LastIpAddress": "xxx.xxx.xxx.xxx",
        "PrimaryDisplayName": "xxx-xxxx",
        "StaticIpAddresses": [
          "xxx.xxx.x.xxx"
        ]
      }
    ]
  }
}
```
Retrieve User Alerts: preempt-get-alerts
Retrieve the alerts for a specific user.
Command Example
!preempt-get-alerts sourceUserId="userID" numOfHours="48"
Input
Parameter | Description
--- | ---
sourceUserId | ID of the user whose alerts you want to retrieve
endTime | End of the search window, for example: 2012-03-04 12:08:12.354
numOfHours | Number of hours to search back (from the endTime)
Context Output
Path | Description
--- | ---
Preempt.Alerts.AlertType | Alert type
Preempt.Alerts.Timestamp | Alert's date and time
Preempt.Alerts.startTime | Date and time the alert started
Preempt.Alerts.EndTime | Date and time the alert ended
Preempt.Alerts.eventLabel | Alert label
Preempt.Alerts.Cursor | Cursor of the last retrieved alert, for pagination
Raw Output
```json
{
  "Alerts": [
    {
      "alertType": "AbnormalServiceAccessAlert",
      "cursor": "xxxxxxxxxx",
      "endTime": "2018-03-27T19:43:00.000Z",
      "endpointEntity": {
        "_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "hostName": null
      },
      "eventId": "xxxxxx",
      "eventLabel": "Unusual Access to Service",
      "incident": {
        "_id": "INC-43",
        "severity": "INFO",
        "state": {
          "lifeCycleStage": "NEW"
        }
      },
      "relatedEvents": [
        {
          "eventType": "SERVICE_ACCESS",
          "geoLocation": null,
          "ipAddress": "xxx.xxx.xxx.xxx",
          "timestamp": "2018-03-27T19:43:00.000Z"
        }
      ]
    }
  ]
}
```
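The two time-windowed commands above (preempt-get-activities and preempt-get-alerts) share the same `endTime` / `numOfHours` semantics and the same cursor-based pagination. The following Python is an added example, not code from the Preempt integration or the Pack: it derives the search window from the documented `endTime` format, walks a cursor-paginated alert feed until it leaves the window, and maps each raw alert onto the Preempt.Alerts context keys listed above. The raw key names `alertType`, `cursor`, `endTime` and `eventLabel` come from the raw-output sample on this page; the `timestamp` and `startTime` raw keys, the `fetch_page(cursor)` client shape, the newest-first ordering and all sample pages are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Formats taken from this page: the documented endTime argument and the
# timestamps shown in the raw-output samples.
END_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
ISO_Z_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_end_time(value: Optional[str], now: Optional[datetime] = None) -> datetime:
    """endTime is optional; when omitted the window ends at 'now' (UTC)."""
    if value is None:
        return now or datetime.now(timezone.utc)
    return datetime.strptime(value, END_TIME_FORMAT).replace(tzinfo=timezone.utc)


def time_window(end_time: Optional[str], num_of_hours: int,
                now: Optional[datetime] = None):
    """Return (start, end) for 'numOfHours back from endTime'."""
    if num_of_hours <= 0:
        raise ValueError("numOfHours must be a positive integer")
    end = parse_end_time(end_time, now)
    return end - timedelta(hours=num_of_hours), end


def parse_iso_z(value: str) -> datetime:
    return datetime.strptime(value, ISO_Z_FORMAT).replace(tzinfo=timezone.utc)


def alert_to_context(raw: Dict) -> Dict:
    """Map one raw alert (shape of the raw output above) onto the Preempt.Alerts
    context keys. The page's sample carries no startTime or timestamp, so those
    are read defensively; the raw key names used for them are an assumption."""
    return {
        "AlertType": raw.get("alertType"),
        "Timestamp": raw.get("timestamp"),
        "startTime": raw.get("startTime"),
        "EndTime": raw.get("endTime"),
        "eventLabel": raw.get("eventLabel"),
        "Cursor": raw.get("cursor"),
    }


def fetch_alerts(fetch_page: Callable[[Optional[str]], Dict],
                 end_time: Optional[str], num_of_hours: int,
                 now: Optional[datetime] = None, max_pages: int = 100) -> List[Dict]:
    """Walk a cursor-paginated feed (assumed newest first) and stop once an
    alert's endTime falls before the window start. A repeated cursor or the
    page cap also ends the loop, so a misbehaving API cannot spin it forever."""
    start, end = time_window(end_time, num_of_hours, now)
    cursor: Optional[str] = None
    seen_cursors = set()
    results: List[Dict] = []
    for _ in range(max_pages):
        page = fetch_page(cursor)
        for raw in page.get("alerts", []):
            when = parse_iso_z(raw["endTime"])
            if when > end:
                continue        # newer than the requested window
            if when < start:
                return results  # newest first: nothing older can qualify
            results.append(alert_to_context(raw))
        cursor = page.get("cursor")
        if not cursor or cursor in seen_cursors:
            break
        seen_cursors.add(cursor)
    return results


# Constructed sample pages (not captured from a Preempt server), keyed by the
# cursor used to request them; None is the first page.
def _alert(end: str, cursor: str) -> Dict:
    return {"alertType": "AbnormalServiceAccessAlert", "cursor": cursor,
            "endTime": end, "eventLabel": "Unusual Access to Service",
            "incident": {"severity": "INFO"}}


SAMPLE_PAGES = {
    None: {"alerts": [_alert("2018-03-27T19:43:00.000Z", "c-0001"),
                      _alert("2018-03-27T15:00:00.000Z", "c-0002")],
           "cursor": "c-0002"},
    "c-0002": {"alerts": [_alert("2018-03-26T22:00:00.000Z", "c-0003"),
                          _alert("2018-03-25T01:00:00.000Z", "c-0004")],
               "cursor": "c-0004"},
    "c-0004": {"alerts": [], "cursor": None},
}


def sample_fetch(cursor: Optional[str]) -> Dict:
    return SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    for ctx in fetch_alerts(sample_fetch, "2018-03-27 20:00:00.000", 48):
        print(ctx["EndTime"], ctx["AlertType"], ctx["eventLabel"])
```

With `endTime="2018-03-27 20:00:00.000"` and `numOfHours=48` the window starts on 2018-03-25 20:00 UTC, so the walk returns three alerts and never requests the third page: the 2018-03-25 01:00 alert on the second page falls before the window start and ends the loop. The same window and pagination logic applies unchanged to preempt-get-activities, with the context mapping swapped for the Preempt.Activities keys.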