SafeBreach v2

SafeBreach automatically executes thousands of breach methods from its extensive and growing Hacker’s Playbook™ to validate security control effectiveness. Simulations are automatically correlated with network, endpoint, and SIEM solutions, providing data-driven SafeBreach Insights for holistic remediation to harden enterprise defenses. This integration was integrated and tested with version xx of SafeBreach v2.

Configure SafeBreach for Cortex XSOAR Integration

  1. Open the Navigation bar → … → CLI Console.
  2. Type config accounts to find the account ID.
  3. Use that ID as the accountId parameter in the Cortex XSOAR configuration.
  4. Type config apikeys to list existing API keys, or add a new one by typing config apikeys add --name <key_name>.
  5. Use the generated API token as the apiKey parameter in the Cortex XSOAR configuration.
  6. Use your SafeBreach Management URL as the url parameter in the Cortex XSOAR configuration.

Configure SafeBreach on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for SafeBreach v2.
  3. Click Add instance to create and configure a new integration instance.
  4. Click Test to validate the URLs, token, and connection.

| Parameter | Description | Required |
| --- | --- | --- |
| SafeBreach Management URL | For example, https://yourorg.safebreach.com | True |
| Account ID | Obtained with the "config accounts" SafeBreach command | True |
| API Key | Generated with the "config apikeys add" SafeBreach command | True |
| Insight Category | Network Access, Network Inspection, Endpoint, Email, Web, Data Leak | False |
| Insight Data Type | Hash, Domain, URI, Command, Port, Protocol | False |
| Indicators Limit | Amount of indicators to generate. Default = 1000 | False |
| feed | Fetch indicators | False |
| feedReputation | Indicator Reputation | False |
| behavioralReputation | Behavioral Indicator Reputation | False |
| feedReliability | Source Reliability | True |
| tlp_color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlp | False |
| feedExpirationPolicy | | False |
| feedFetchInterval | Feed Fetch Interval | False |
| feedBypassExclusionList | Bypass exclusion list | False |
| feedExpirationInterval | | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

SafeBreach Insights

The table below summarizes all available SafeBreach Insights and the IDs to use when calling the related commands. A given customer environment may have only some of these insights, depending on which simulations were not blocked in that environment.

| Insight Id | Category | Data Type | Description |
| --- | --- | --- | --- |
| 1 | Network Access | Port | Outbound traffic over non-standard ports |
| 2 | Network Access | Protocol | Outbound traffic over non-standard protocols |
| 3 | Network Access | Port | Outbound traffic over non-SSL protocols using secured ports |
| 4 | Network Access | Port | Outbound traffic over not matching ports and protocols |
| 19 | Network Access | Port | Inbound traffic over non-standard ports |
| 20 | Network Access | Protocol | Inbound traffic over non-standard protocols |
| 21 | Network Access | Port | Inbound traffic over non-SSL protocols using secured ports |
| 22 | Network Access | Port | Inbound traffic over not matching ports and protocols |
| 5 | Web | Domain | Malicious domain resolution |
| 6 | Web | URI | Malicious URL requests |
| 7 | Network Inspection | Hash | Malware transfer over standard ports |
| 10 | Network Inspection | Protocol | Brute force |
| 11 | Network Inspection | Other | Inbound C&C communication |
| 12 | Network Inspection | Other | Outbound C&C communication |
| 8 | Endpoint | Other | Execution of malware or code |
| 9 | Endpoint | Hash | Malware drop to disk |
| 13 | Endpoint | Other | Malicious host actions |
| 14 | Endpoint | Command | Data and host information gathering |
| 16 | Data Leak | Other | Exfiltration of sensitive data assets |
| 15 | Email | Hash | Email with encrypted malicious attachments |
| 24 | Email | Hash | Email with non-encrypted malicious attachment |

Playbooks

SafeBreach - Process Non-Behavioral Insights Feed

  • This playbook automatically remediates all non-behavioral indicators generated from SafeBreach Insights. To validate the remediation, it reruns the related insights and classifies the indicators as Remediated or Not Remediated. A dedicated feed-based triggered job is required to initiate this playbook for every new SafeBreach-generated indicator.

SafeBreach - Process Behavioral Insights Feed (Premium)

  • This playbook processes all SafeBreach behavioral indicators. It creates an incident for each SafeBreach Insight, enriched with all the related indicators and additional SafeBreach contextual information. A dedicated feed-based triggered job is required to initiate this playbook for every new SafeBreach-generated indicator.

SafeBreach - Rerun Insights

  • This sub-playbook reruns a list of SafeBreach Insights, selected by Insight Id, and waits until they complete. It is used in the main SafeBreach playbooks, such as "SafeBreach - Handle Insight Incident" and "SafeBreach - Process Non-Behavioral Insights Feed".

SafeBreach - Rerun Single Insight

  • This playbook uses the following sub-playbooks, integrations, and scripts.

SafeBreach - Compare and Validate Insight Indicators

  • This playbook compares SafeBreach Insight indicators before and after processing. It receives an insight and its indicators before validation, fetches the updated indicators after rerunning the insight, and then compares the two result sets to validate mitigation. Indicators are classified as Remediated or Not Remediated based on their validated status, and the corresponding field (SafeBreach Remediation Status) is updated.

SafeBreach - SafeBreach Create Incidents per Insight and Associate Indicators

  • This is a sub-playbook that creates incidents per SafeBreach insight, enriched with all the related indicators and additional SafeBreach insight contextual information. Used in main SafeBreach playbooks, such as "SafeBreach - Process Behavioral Insights Feed" and "SafeBreach - Process Non-Behavioral Insights Feed".

SafeBreach - Handle Insight Incident (Premium)

  • This playbook is triggered automatically for each SafeBreach Insight incident:
    1. Adding insight information (including suggested remediation actions);
    2. Assigning it to an analyst to remediate and either “ignore” or “validate.” Validated incidents are rerun with the related SafeBreach Insight and the results are compared to the previous indicator results. The incident is closed once all the indicators are resolved or the analyst “ignores” the incident. Unresolved indicators wait for handling by the analyst.
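
The rerun-and-validate loop that the "Rerun Insights", "Compare and Validate Insight Indicators" and "Handle Insight Incident" playbooks describe, written out as an added Python example; this is not code from the SafeBreach pack. It assumes only the test statuses the commands below document (PENDING, RUNNING, CANCELED, COMPLETED) and one decision rule that is this example's own: an indicator that still appears in the remediation data after the rerun is Not Remediated, one that has disappeared is Remediated. The get_status callback, the FakeSafeBreach stand-in and the sample indicator values are constructed for offline use.

```python
"""Rerun an insight, wait for the test, then classify its indicators.

Added example, not the SafeBreach v2 integration's own code. The status
values come from the safebreach-get-test-status documentation; the
"still present after rerun == Not Remediated" rule is an assumption.
"""
from typing import Callable, Dict, Iterable, List, Set, Tuple

TERMINAL_STATUSES = {"COMPLETED", "CANCELED"}
ACTIVE_STATUSES = {"PENDING", "RUNNING"}


def wait_for_tests(get_status: Callable[[str], str], test_ids: Iterable[str],
                   max_polls: int) -> Dict[str, str]:
    """Poll each test id until it is terminal or the poll budget is spent.

    get_status(test_id) returns a SafeBreach.Test.Status value. A test still
    active when the budget runs out is reported as "TIMEOUT", so a caller can
    never mistake an unfinished rerun for a validated one.
    """
    pending: Set[str] = set(test_ids)
    final: Dict[str, str] = {}
    for _ in range(max_polls):
        for test_id in list(pending):
            status = get_status(test_id).upper()
            if status in TERMINAL_STATUSES:
                final[test_id] = status
                pending.discard(test_id)
            elif status not in ACTIVE_STATUSES:
                # An undocumented value: surface it instead of spinning on it.
                final[test_id] = "UNKNOWN:" + status
                pending.discard(test_id)
        if not pending:
            break
    for test_id in pending:
        final[test_id] = "TIMEOUT"
    return final


def classify_indicators(before: Iterable[str], after: Iterable[str]) -> Dict[str, str]:
    """Map each pre-rerun indicator value to Remediated / Not Remediated."""
    still_seen = {v.strip().lower() for v in after}
    return {v: ("Not Remediated" if v.strip().lower() in still_seen else "Remediated")
            for v in before}


def validate_insight(get_status: Callable[[str], str], test_id: str,
                     before: List[str], fetch_after: Callable[[], List[str]],
                     max_polls: int = 20) -> Tuple[str, Dict[str, str]]:
    """Full flow: wait for the rerun test, then compare indicators.

    Returns (test_status, classification). Only a COMPLETED test classifies
    anything: a CANCELED or timed-out rerun proves nothing about mitigation,
    so those indicators stay unclassified for an analyst to handle.
    """
    status = wait_for_tests(get_status, [test_id], max_polls)[test_id]
    if status != "COMPLETED":
        return status, {}
    return status, classify_indicators(before, fetch_after())


class FakeSafeBreach:
    """Constructed stand-in for the rerun/status/remediation-data commands."""

    def __init__(self, statuses: List[str], after: List[str]):
        self._statuses = list(statuses)
        self._after = after

    def get_test_status(self, test_id: str) -> str:
        # Each poll consumes one scripted status; the last one repeats forever.
        return self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]

    def get_remediation_data(self) -> List[str]:
        return self._after


if __name__ == "__main__":
    before = ["codeluxsoftware.com.", "866448.com.", "a1.weilwords2.com.br."]
    fake = FakeSafeBreach(["PENDING", "RUNNING", "COMPLETED"], ["866448.com."])
    print(validate_insight(fake.get_test_status, "1586684450523.75", before,
                           fake.get_remediation_data))
```

In a real playbook the two callbacks are the safebreach-get-test-status and safebreach-get-remediation-data commands; the point to keep is that the classification step is gated on COMPLETED, so a cancelled or stalled rerun never silently marks an indicator as Remediated.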

Dashboard (Premium)

The SafeBreach Insights dashboard summarizes the current status of actionable insights and related indicators.

(Screenshot: SafeBreach Dashboard)

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

safebreach-get-insights


Gets SafeBreach Insights for all security control categories.

Base Command

safebreach-get-insights

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| insightIds | Array of insight IDs to fetch. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SafeBreach.Insight.Name | String | Insight name representing the action required to be taken. |
| SafeBreach.Insight.Id | Number | Insight unique ID number. |
| SafeBreach.Insight.DataType | String | Insight data type. Options are Hash, Domain, URI, Command, Port, or Protocol. |
| SafeBreach.Insight.Category | String | Security control category name. |
| SafeBreach.Insight.LatestSimulation | Date | Time of the latest simulation from the insight. |
| SafeBreach.Insight.SimulationsCount | Number | Number of the related simulations. |
| SafeBreach.Insight.RiskImpact | Number | Risk impact of the insight on the environment total risk score. |
| SafeBreach.Insight.AffectedTargetsCount | Number | Number of affected targets. |
| SafeBreach.Insight.SeverityScore | Number | Insight severity numeric value. |
| SafeBreach.Insight.Severity | String | Insight severity mapped to low/medium/high. |
| SafeBreach.Insight.RemediationDataCount | Number | Number of the remediation data points. |
| SafeBreach.Insight.RemediationDataType | String | Type of the remediation data. |
| SafeBreach.Insight.ThreatGroups | Array | Array of APT names that are mapped to the insight. |
| SafeBreach.Insight.NetworkDirection | String | Communication direction of the Insight, relative to the target (inbound/outbound). |
| SafeBreach.Insight.AttacksCount | Number | List of all insight related SafeBreach attack IDs. |
| SafeBreach.Insight.AffectedTargets | Array | List of the affected targets including name, IP and number of the remediation points. |
| SafeBreach.Insight.RemediationAction | String | Description of an action to take for the remediation. |
| SafeBreach.Insight.ResultsLink | String | Link to the SafeBreach platform Results page filtered for the relevant simulation results. |
| SafeBreach.Insight.AttackIds | Array | SafeBreach Attack Ids. |

Command Example

!safebreach-get-insights insightIds=[5,9]

Context Example

{
  "SafeBreach": {
    "Insight": [
      {
        "AffectedTargetsCount": 2,
        "AttacksCount": 36,
        "Category": "Web",
        "DataType": "Domain",
        "EarliestSimulation": "2020-04-07T14:34:15.807Z",
        "Id": 5,
        "LatestSimulation": "2020-04-07T15:54:01.256Z",
        "Name": "Blacklist malicious domains",
        "NetworkDirection": "outbound",
        "RemediationDataCount": 71,
        "RemediationDataType": "FQDN/IP",
        "RiskImpact": 0.42,
        "Severity": "Medium",
        "SeverityScore": 10,
        "SimulationsCount": 399,
        "ThreatGroups": [
          "APT32",
          "APT37",
          "BRONZE BUTLER",
          "Lazarus Group",
          "OilRig",
          "PLATINUM",
          "APT18",
          "APT19",
          "APT29",
          "APT3",
          "APT33",
          "Dragonfly 2.0",
          "FIN7",
          "FIN8",
          "Magic Hound",
          "Night Dragon",
          "TEMP.Veles",
          "Threat Group-3390",
          "Tropic Trooper",
          "N/A"
        ]
      },
      {
        "AffectedTargetsCount": 3,
        "AttacksCount": 97,
        "Category": "Endpoint",
        "DataType": "Hash",
        "EarliestSimulation": "2020-04-06T11:17:04.253Z",
        "Id": 9,
        "LatestSimulation": "2020-04-06T12:02:09.109Z",
        "Name": "Prevent malware to be written to disk",
        "NetworkDirection": null,
        "RemediationDataCount": 97,
        "RemediationDataType": "Attack",
        "RiskImpact": 0.36,
        "Severity": "Medium",
        "SeverityScore": 10,
        "SimulationsCount": 229,
        "ThreatGroups": [
          "APT28",
          "Lazarus Group",
          "APT32",
          "APT34",
          "APT37",
          "BRONZE BUTLER",
          "Dark Caracal",
          "FIN7",
          "Leviathan",
          "N/A",
          "Naikon",
          "OilRig",
          "PittyTiger",
          "Scarlet Mimic",
          "Turla",
          "Winnti Group",
          "menuPass"
        ]
      }
    ]
  }
}

safebreach-get-remediation-data


Gets remediation data for a specific SafeBreach Insight.

Base Command

safebreach-get-remediation-data

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| insightId | The ID of the insight for which to fetch remediation data. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SafeBreach.Insight.Id | Number | Insight unique ID number. |
| SafeBreach.Insight.SHA256 | String | Malware SHA256 hash. |
| SafeBreach.Insight.Domain | String | Malicious domains. |
| SafeBreach.Insight.IP | String | Malicious IP addresses. |
| SafeBreach.Insight.Port | Number | Ports used during the attack. |
| SafeBreach.Insight.Protocol | String | Protocols used during the attack. |
| SafeBreach.Insight.Proxy | String | Proxies used during the attack. |
| SafeBreach.Insight.URI | String | Malicious URIs. |
| SafeBreach.Insight.DropPath | String | Malware drop paths. |
| SafeBreach.Insight.User | String | Impersonated users running the attacks. |
| SafeBreach.Insight.Command | String | Attack executed commands. |
| SafeBreach.Insight.Registry | String | Attack read/changed registry paths. |
| SafeBreach.Insight.ClientHeader | String | Client HTTP headers used in the attacks. |
| SafeBreach.Insight.ServerHeader | String | Server HTTP headers used in the attacks. |
| URL.Data | String | Malicious domains, URLs, or IP addresses. |
| File.SHA256 | String | Malicious SHA256 file hashes. |
| Process.CommandLine | String | Suspicious commands. |
| DBotScore.Indicator | String | Indicator value. Options are IP, SHA1, MD5, SHA256, Email, or Url. |
| DBotScore.Type | String | Indicator type. Options are ip, file, email, or url. |
| DBotScore.Vendor | String | SafeBreach. This is the vendor reporting the score of the indicator. |
| DBotScore.Score | Number | 3 (Bad). The score of the indicator. |
| SafeBreach.Insight.RemediationData.Splunk | String | Remediation data in the form of a Splunk query. |

Command Example

!safebreach-get-remediation-data insightId=5

Context Example

{
  "DBotScore": [
    {
      "Indicator": "codeluxsoftware.com.",
      "Score": 3,
      "Type": "url",
      "Vendor": "SafeBreach"
    },
    {
      "Indicator": "866448.com.",
      "Score": 3,
      "Type": "url",
      "Vendor": "SafeBreach"
    },
    {
      "Indicator": "a1.weilwords2.com.br.",
      "Score": 3,
      "Type": "url",
      "Vendor": "SafeBreach"
    }
  ],
  "Domain": [
    {
      "Malicious": {
        "Description": "SafeBreach Insights - (5)Blacklist malicious domains",
        "Vendor": "SafeBreach"
      },
      "Name": "codeluxsoftware.com."
    },
    {
      "Malicious": {
        "Description": "SafeBreach Insights - (5)Blacklist malicious domains",
        "Vendor": "SafeBreach"
      },
      "Name": "866448.com."
    },
    {
      "Malicious": {
        "Description": "SafeBreach Insights - (5)Blacklist malicious domains",
        "Vendor": "SafeBreach"
      },
      "Name": "a1.weilwords2.com.br."
    }
  ],
  "SafeBreach": {
    "Insight": {
      "FQDN/IP": [
        "codeluxsoftware.com.",
        "866448.com.",
        "a1.weilwords2.com.br."
      ],
      "Id": "5"
    }
  },
  "URL": [
    {
      "Data": "codeluxsoftware.com.",
      "Malicious": {
        "Description": "SafeBreach Insights - (5)Blacklist malicious domains",
        "Vendor": "SafeBreach"
      }
    },
    {
      "Data": "866448.com.",
      "Malicious": {
        "Description": "SafeBreach Insights - (5)Blacklist malicious domains",
        "Vendor": "SafeBreach"
      }
    },
    {
      "Data": "a1.weilwords2.com.br.",
      "Malicious": {
        "Description": "SafeBreach Insights - (5)Blacklist malicious domains",
        "Vendor": "SafeBreach"
      }
    }
  ]
}
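
How remediation data turns into the DBotScore, Domain, URL and File context shown above, with the Insight Category, Insight Data Type and Indicators Limit feed parameters applied, as an added Python example; it is not the integration's own code. The mapping from remediation-data key to indicator type is an assumption modelled on this page: FQDN/IP values become url-typed DBotScore entries plus Domain and URL entries with the "SafeBreach Insights - (id)name" description, SHA256 values become file-typed DBotScore plus File entries, and everything else (ports, commands, headers) stays remediation context rather than an indicator. The sample insights and remediation values are constructed from the examples on this page.

```python
"""Remediation data -> XSOAR indicator context, with the feed filters applied.

Added example, not the SafeBreach v2 integration's own code. The key-to-
indicator mapping below is an assumption modelled on the page's context
example for insight 5 and on the File.SHA256 context path.
"""
import re
from typing import Dict, List, Optional, Tuple

VENDOR = "SafeBreach"
BAD_SCORE = 3  # DBotScore 3 = Bad, the score this command documents
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample input, shaped like the page's context examples.
SAMPLE_INSIGHTS = [
    {"Id": 5, "Category": "Web", "DataType": "Domain", "Name": "Blacklist malicious domains"},
    {"Id": 9, "Category": "Endpoint", "DataType": "Hash", "Name": "Prevent malware to be written to disk"},
]
SAMPLE_REMEDIATION = {
    5: {"FQDN/IP": ["codeluxsoftware.com.", "866448.com.", "a1.weilwords2.com.br.",
                    "codeluxsoftware.com."]},  # duplicate on purpose
    9: {"SHA256": ["16493ecc4c4bc5746acbe96bd8af001f733114070d694db76ea7b5a0de7ad0ab"],
        "Port": [445]},  # a port is remediation context, not an indicator
}


def select_insights(insights, categories=None, data_types=None):
    """Apply the Insight Category / Insight Data Type filters (empty = no filter)."""
    cats = {c.strip().lower() for c in categories or ()}
    types = {t.strip().lower() for t in data_types or ()}
    return [i for i in insights
            if (not cats or i["Category"].lower() in cats)
            and (not types or i["DataType"].lower() in types)]


def indicator_entries(key, value, insight) -> Optional[List[Tuple[str, dict]]]:
    """Context entries one remediation value produces, or None if it is not an indicator."""
    malicious = {"Description": f"SafeBreach Insights - ({insight['Id']}){insight['Name']}",
                 "Vendor": VENDOR}
    if key == "FQDN/IP" and isinstance(value, str) and value:
        score = {"Indicator": value, "Score": BAD_SCORE, "Type": "url", "Vendor": VENDOR}
        return [("DBotScore", score),
                ("Domain", {"Name": value, "Malicious": malicious}),
                ("URL", {"Data": value, "Malicious": malicious})]
    if key == "SHA256" and isinstance(value, str) and SHA256_RE.match(value.lower()):
        digest = value.lower()
        score = {"Indicator": digest, "Score": BAD_SCORE, "Type": "file", "Vendor": VENDOR}
        return [("DBotScore", score),
                ("File", {"SHA256": digest, "Malicious": malicious})]
    return None


def build_feed(insights, remediation_by_id, categories=None, data_types=None,
               limit: int = 1000) -> Dict[str, list]:
    """Emit at most `limit` unique indicators across the selected insights."""
    ctx: Dict[str, list] = {"DBotScore": [], "Domain": [], "URL": [], "File": []}
    seen = set()
    for insight in select_insights(insights, categories, data_types):
        for key, values in remediation_by_id.get(insight["Id"], {}).items():
            for value in values:
                entries = indicator_entries(key, value, insight)
                if entries is None or str(value).lower() in seen:
                    continue
                if len(seen) >= limit:
                    return ctx  # the limit counts unique indicators, not raw rows
                seen.add(str(value).lower())
                for section, item in entries:
                    ctx[section].append(item)
    return ctx


if __name__ == "__main__":
    import json
    print(json.dumps(build_feed(SAMPLE_INSIGHTS, SAMPLE_REMEDIATION, limit=1000), indent=2))
```

Two design points worth keeping when adapting this: the limit is applied to unique indicator values, so a domain repeated across insights does not eat the budget twice, and hashes are lower-cased before dedup so the same file never produces two File entries that differ only in case.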

safebreach-rerun-insight


Reruns the simulations related to a specific SafeBreach Insight in your environment.

Base Command

safebreach-rerun-insight

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| insightIds | The IDs of the insights to rerun. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SafeBreach.Insight.Id | Number | Insight unique ID. |
| SafeBreach.Insight.Rerun.Name | String | Insight rerun test name. |
| SafeBreach.Insight.Rerun.Id | String | ID of the rerun insight test. |
| SafeBreach.Insight.Rerun.AttacksCount | Number | Count of the attacks executed in the insight rerun test. |
| SafeBreach.Test.Id | String | ID of the test. |
| SafeBreach.Test.Name | String | Name of the test. |
| SafeBreach.Test.AttacksCount | Number | The number of attacks executed in the insight rerun test. |
| SafeBreach.Test.Status | String | Test run status. For insight rerun, starts from PENDING. |
| SafeBreach.Test.ScheduledTime | Date | Time when the test was triggered. |

Command Example

!safebreach-rerun-insight insightIds=5

Context Example

{
  "SafeBreach": {
    "Insight": {
      "Id": "5",
      "Rerun": [
        {
          "AttacksCount": 36,
          "Id": "1586684450523.75",
          "Name": "Insight (Demisto) - Blacklist malicious domains",
          "ScheduledTime": "2020-04-12T09:40:50.533398"
        }
      ]
    },
    "Test": {
      "AttacksCount": 36,
      "Id": "1586684450523.75",
      "Name": "Insight (Demisto) - Blacklist malicious domains",
      "ScheduledTime": "2020-04-12T09:40:50.533414",
      "Status": "Pending"
    }
  }
}

Human Readable Output

Rerun SafeBreach Insight

| # Attacks | Insight Id | Name | Test Id |
| --- | --- | --- | --- |
| 36 | 5 | Insight (Demisto) - Blacklist malicious domains | 1586684450523.75 |

safebreach-get-test-status


Gets the status of a SafeBreach test for tracking progress of a run.

Base Command

safebreach-get-test-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| testId | The ID of the test to track. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SafeBreach.Test.Id | String | ID of the test. |
| SafeBreach.Test.Name | String | Name of the test. |
| SafeBreach.Test.Status | String | Test run status. Options are PENDING, RUNNING, CANCELED, or COMPLETED. |
| SafeBreach.Test.StartTime | Date | Starting time of the test. |
| SafeBreach.Test.EndTime | Date | Ending time of the test. |
| SafeBreach.Test.TotalSimulationNumber | Number | Number of simulations for the test. |

Command Example

!safebreach-get-test-status testId=1585757174467.23

Context Example

{
  "SafeBreach": {
    "Test": {
      "EndTime": "2020-04-01T16:10:36.389Z",
      "Id": "1585757174467.23",
      "Name": "Rerun (Demisto) - #(2122) Write SamSam Malware (AA18-337A) to Disk",
      "StartTime": "2020-04-01T16:06:14.471Z",
      "Status": "CANCELED",
      "TotalSimulationNumber": 9
    }
  }
}

Human Readable Output

Test Status

| Test Id | Name | Status | Start Time | End Time | Total Simulation Number |
| --- | --- | --- | --- | --- | --- |
| 1585757174467.23 | Rerun (Demisto) - #(2122) Write SamSam Malware (AA18-337A) to Disk | CANCELED | 2020-04-01T16:06:14.471Z | 2020-04-01T16:10:36.389Z | 9 |

safebreach-get-simulation


Gets a SafeBreach simulation.

Base Command

safebreach-get-simulation

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| simulationId | The ID of the simulation. By default, taken from the incident. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SafeBreach.Simulation.Id | String | ID of the simulation result. |
| SafeBreach.Simulation.FinalStatus | String | Simulation final status. Options are Missed, Detected, Stopped, Prevented, or Inconsistent. |
| SafeBreach.Simulation.Result | String | Indicates whether the simulation was blocked. |
| SafeBreach.Simulation.DetectedAction | String | Indicates the overall detected action taken by security controls. |
| SafeBreach.Simulation.SimulationRunId | Number | The unique simulation run ID (changes between simulation runs). |
| SafeBreach.Simulation.Time | Datetime | Latest simulation run time. |
| SafeBreach.Simulation.LastChangeTime | Datetime | Time when the simulation result was changed. |
| SafeBreach.Simulation.Labels | Array | Array of labels applied on the simulation. |
| SafeBreach.Simulation.Attack.Id | String | ID of the simulated attack. |
| SafeBreach.Simulation.Attack.Name | String | Name of the simulated attack. |
| SafeBreach.Simulation.Attack.Description | String | Description of the attack flow. |
| SafeBreach.Simulation.Attack.Phase | String | The phase of the attack. Options are Infiltration, Exfiltration, Lateral Movement, or Host Level. |
| SafeBreach.Simulation.Attack.Type | String | The type of the attack. For example, Real C2 Communication, Malware Transfer, or Malware Write to Disk. |
| SafeBreach.Simulation.Attack.SecurityControl | String | Related security control category. |
| SafeBreach.Simulation.Attack.IndicatorBased | Bool | True if this attack is based on an indicator. False if it is behavioral, non-indicator based. |
| SafeBreach.Simulation.Attacker.Name | String | Name of the attacker simulator. |
| SafeBreach.Simulation.Attacker.OS | String | OS of the attacker simulator. |
| SafeBreach.Simulation.Attacker.InternalIp | String | Internal IP address of the attacker simulator. |
| SafeBreach.Simulation.Attacker.ExternalIp | String | External IP address of the attacker simulator. |
| SafeBreach.Simulation.Attacker.SimulationDetails | JSON | Simulation run detailed logs from the attacker simulator. |
| SafeBreach.Simulation.Target.Name | String | Name of the target simulator. |
| SafeBreach.Simulation.Target.OS | String | OS of the target simulator. |
| SafeBreach.Simulation.Target.InternalIp | String | Internal IP address of the target simulator. |
| SafeBreach.Simulation.Target.ExternalIp | String | External IP address of the target simulator. |
| SafeBreach.Simulation.Target.SimulationDetails | JSON | Simulation run detailed logs from the target simulator. |
| SafeBreach.Simulation.Network.Direction | String | Attack network direction relative to the target (inbound/outbound). |
| SafeBreach.Simulation.Network.SourceIp | String | The IP address that initiated the network communication. |
| SafeBreach.Simulation.Network.DestinationIp | String | The IP address that received the network communication. |
| SafeBreach.Simulation.Network.SourcePort | String | The source port of the network communication. |
| SafeBreach.Simulation.Network.DestinationPort | String | The destination port of the network communication. |
| SafeBreach.Simulation.Network.Protocol | String | The top-level protocol of the network communication. |
| SafeBreach.Simulation.Network.Proxy | String | The proxy name used in the network communication. |
| SafeBreach.Simulation.Classifications.MITRETechniques | Array | List of attack related MITRE techniques. |
| SafeBreach.Simulation.Classifications.MITREGroups | Array | List of attack related MITRE threat groups. |
| SafeBreach.Simulation.Classifications.MITRESoftware | Array | List of attack related MITRE software and tools. |
| SafeBreach.Simulation.Parameters | JSON | Parameters of the simulation. |

Command Example

!safebreach-get-simulation simulationId=d937cd0e5fd4e2c9266801b7bd17e097

Context Example

{
  "SafeBreach": {
    "Simulation": {
      "Attack": {
        "Description": "**Goal**\n\n1. Verify whether the malware can be written to disk.\n\n**Actions**\n\n1. **Malware Drop** \n **Action:** [wannacry](https://attack.mitre.org/software/S0366) malware is written to disk on the target simulator. \n **Expected behavior:** The malware written to disk is identified and removed after a pre-defined time period. \n\n**More Info** \n",
        "Id": 3055,
        "IndicatorBased": "False",
        "Name": "Write wannacry malware to disk",
        "Phase": "Host Level",
        "SecurityControl": [
          "Endpoint"
        ],
        "Type": [
          "Malware Drop"
        ]
      },
      "Attacker": {
        "ExternalIp": "172.31.42.76",
        "InternalIp": "172.31.42.76",
        "Name": "Win10 - Cylance",
        "OS": "WINDOWS",
        "SimulationDetails": {
          "DETAILS": "Task finished running because of an exception. Traceback: \r\nTraceback (most recent call last):\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\sbsimulation\\task_action_runner.py\", line 89, in run\n pythonect_result_object = pythonect_runner(full_pythonect_string, self.pythonect_params)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\sbsimulation\\runners\\runner_classes.py\", line 187, in __call__\n return pythonect.eval(self.pythonect_string, locals_=self.pythonect_params)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 938, in eval\n result = _run(graph, root_nodes[0], globals_, locals_, {}, pool, False)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 738, in _run\n return_value = _run_next_virtual_nodes(graph, node, globals_, locals_, flags, pool, result)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 224, in _run_next_virtual_nodes\n return_value = __resolve_and_merge_results(_run(graph, node, tmp_globals, tmp_locals, {}, pool, True))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 660, in _run\n return_value = _run_next_graph_nodes(graph, node, globals_, locals_, pool)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 610, in _run_next_graph_nodes\n nodes_return_value.insert(0, _run(graph, next_nodes[0], globals_, locals_, {}, pool, False))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 738, in _run\n return_value = _run_next_virtual_nodes(graph, node, globals_, locals_, flags, pool, result)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 224, in _run_next_virtual_nodes\n return_value = __resolve_and_merge_results(_run(graph, node, tmp_globals, tmp_locals, {}, pool, True))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 660, in _run\n return_value = _run_next_graph_nodes(graph, node, globals_, locals_, pool)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 610, in _run_next_graph_nodes\n nodes_return_value.insert(0, _run(graph, next_nodes[0], globals_, locals_, {}, pool, False))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 734, in _run\n result = runner(__node_main, args=(input_value, last_value, globals_, locals_))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 629, in __apply_current\n return func(*args, **kwds)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 440, in __node_main\n return_value = python.eval(current_value, globals_, locals_)\n File \"<string>\", line 1, in <module>\n File \"c:\\jenkins\\workspace\\multi-branch_master-NLIC56DSK443DP5KDJGAEKHQDPZ2GF\\agent\\project\\dependencies\\framework\\src\\build\\lib\\framework\\__init__.py\", line 285, in wrapper\n File \"c:\\jenkins\\workspace\\multi-branch_master-NLIC56DSK443DP5KDJGAEKHQDPZ2GF\\agent\\project\\dependencies\\framework\\src\\build\\lib\\framework\\endpoint\\utils\\file_utils.py\", line 121, in open_or_die\nSBFileNotFoundException: ('File (%s) was removed', 'c:\\\\windows\\\\temp\\\\sb-sim-temp-jvu_fk\\\\sb_107985_bs_9vrn0e\\\\bdata.bin')\n",
          "ERROR": "",
          "METADATA": {
            "executable": [
              "C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\Scripts\\python.exe",
              "C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\Scripts\\safebreach_simulation.py"
            ],
            "hostname": "Cylance-Win10-Demisto",
            "pid": 5584,
            "ret_code": 0
          },
          "OUTPUT": "",
          "SIMULATION_STEPS": [
            {
              "level": "INFO",
              "message": "File opened",
              "params": {
                "mode": "wb",
                "path": "c:\\windows\\temp\\sb-sim-temp-jvu_fk\\sb_107985_bs_9vrn0e\\bdata.bin"
              },
              "time": "2020-04-02T09:47:01.500000"
            },
            {
              "level": "INFO",
              "message": "File written",
              "params": {
                "path": "c:\\windows\\temp\\sb-sim-temp-jvu_fk\\sb_107985_bs_9vrn0e\\bdata.bin"
              },
              "time": "2020-04-02T09:47:01.500000"
            }
          ]
        }
      },
      "Classifications": {
        "MITREGroups": [
          "Lazarus Group"
        ],
        "MITRESoftware": [
          "(S0366) wannacry"
        ],
        "MITRETechniques": [
          "(T1107) File Deletion"
        ]
      },
      "DetectedAction": "Prevent",
      "FinalStatus": "Prevented",
      "Id": "d937cd0e5fd4e2c9266801b7bd17e097",
      "Labels": [],
      "LastChangeTime": "2020-03-10T15:13:51.900Z",
      "Network": {
        "DestinationIp": "",
        "DestinationPort": null,
        "Direction": null,
        "Protocol": "N/A",
        "Proxy": null,
        "SourceIp": "",
        "SourcePort": []
      },
      "Parameters": {
        "BINARY": [
          {
            "displayName": "Sample binaries",
            "displayType": "Hash",
            "displayValue": "sha256",
            "md5": "246c2781b88f58bc6b0da24ec71dd028",
            "name": "buffer",
            "sha256": "16493ecc4c4bc5746acbe96bd8af001f733114070d694db76ea7b5a0de7ad0ab",
            "value": "16493ecc4c4bc5746acbe96bd8af001f733114070d694db76ea7b5a0de7ad0ab"
          }
        ],
        "NOT_CLASSIFIED": [
          {
            "displayName": "Simulation wait",
            "displayType": "Not Classified",
            "displayValue": "10 seconds",
            "name": "timeout",
            "value": "10"
          }
        ],
        "PATH": [
          {
            "displayName": "Drop paths",
            "displayType": "Path",
            "displayValue": "Temporary folder",
            "name": "drop_path",
            "value": "%temp%\\\\\\\\bdata.bin"
          }
        ],
        "SIMULATION_USER_DESTINATION": [
          {
            "displayName": "Impersonated User - Target",
            "displayValue": "SYSTEM",
            "name": "Impersonated User - Target",
            "value": "SYSTEM"
          }
        ]
      },
      "Result": "Blocked",
      "SimulationRunId": 107985,
      "Target": {
        "ExternalIp": "172.31.42.76",
        "InternalIp": "172.31.42.76",
        "Name": "Win10 - Cylance",
        "OS": "WINDOWS",
        "SimulationDetails": {
          "DETAILS": "Task finished running because of an exception. Traceback: \r\nTraceback (most recent call last):\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\sbsimulation\\task_action_runner.py\", line 89, in run\n pythonect_result_object = pythonect_runner(full_pythonect_string, self.pythonect_params)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\sbsimulation\\runners\\runner_classes.py\", line 187, in __call__\n return pythonect.eval(self.pythonect_string, locals_=self.pythonect_params)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 938, in eval\n result = _run(graph, root_nodes[0], globals_, locals_, {}, pool, False)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 738, in _run\n return_value = _run_next_virtual_nodes(graph, node, globals_, locals_, flags, pool, result)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 224, in _run_next_virtual_nodes\n return_value = __resolve_and_merge_results(_run(graph, node, tmp_globals, tmp_locals, {}, pool, True))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 660, in _run\n return_value = _run_next_graph_nodes(graph, node, globals_, locals_, pool)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 610, in _run_next_graph_nodes\n nodes_return_value.insert(0, _run(graph, next_nodes[0], globals_, locals_, {}, pool, False))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 738, in _run\n return_value = _run_next_virtual_nodes(graph, node, globals_, locals_, flags, pool, result)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 224, in _run_next_virtual_nodes\n return_value = __resolve_and_merge_results(_run(graph, node, tmp_globals, tmp_locals, {}, pool, True))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 660, in _run\n return_value = _run_next_graph_nodes(graph, node, globals_, locals_, pool)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 610, in _run_next_graph_nodes\n nodes_return_value.insert(0, _run(graph, next_nodes[0], globals_, locals_, {}, pool, False))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 734, in _run\n result = runner(__node_main, args=(input_value, last_value, globals_, locals_))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 629, in __apply_current\n return func(*args, **kwds)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 440, in __node_main\n return_value = python.eval(current_value, globals_, locals_)\n File \"<string>\", line 1, in <module>\n File \"c:\\jenkins\\workspace\\multi-branch_master-NLIC56DSK443DP5KDJGAEKHQDPZ2GF\\agent\\project\\dependencies\\framework\\src\\build\\lib\\framework\\__init__.py\", line 285, in wrapper\n File \"c:\\jenkins\\workspace\\multi-branch_master-NLIC56DSK443DP5KDJGAEKHQDPZ2GF\\agent\\project\\dependencies\\framework\\src\\build\\lib\\framework\\endpoint\\utils\\file_utils.py\", line 121, in open_or_die\nSBFileNotFoundException: ('File (%s) was removed', 'c:\\\\windows\\\\temp\\\\sb-sim-temp-jvu_fk\\\\sb_107985_bs_9vrn0e\\\\bdata.bin')\n",
          "ERROR": "",
          "METADATA": {
            "executable": [
              "C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\Scripts\\python.exe",
              "C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\Scripts\\safebreach_simulation.py"
            ],
            "hostname": "Cylance-Win10-Demisto",
            "pid": 5584,
            "ret_code": 0
          },
          "OUTPUT": "",
          "SIMULATION_STEPS": [
            {
              "level": "INFO",
              "message": "File opened",
              "params": {
                "mode": "wb",
                "path": "c:\\windows\\temp\\sb-sim-temp-jvu_fk\\sb_107985_bs_9vrn0e\\bdata.bin"
              },
              "time": "2020-04-02T09:47:01.500000"
            },
            {
              "level": "INFO",
              "message": "File written",
              "params": {
                "path": "c:\\windows\\temp\\sb-sim-temp-jvu_fk\\sb_107985_bs_9vrn0e\\bdata.bin"
              },
              "time": "2020-04-02T09:47:01.500000"
            }
          ]
        }
      },
      "Time": "2020-04-02T09:47:12.506Z"
    }
  }
}

Human Readable Output

SafeBreach Simulation

| Id | Name | Status | Result | Detected Action | Attacker | Target |
| --- | --- | --- | --- | --- | --- | --- |
| d937cd0e5fd4e2c9266801b7bd17e097 | (#3055) Write wannacry malware to disk | Prevented | Fail | Prevent | Win10 - Cylance (172.31.42.76,172.31.42.76) | Win10 - Cylance (172.31.42.76,172.31.42.76) |

safebreach-rerun-simulation


Reruns a specific SafeBreach simulation in your environment.

Base Command

safebreach-rerun-simulation

Input

Argument Name | Description | Required
simulationId | The ID of the simulation to rerun. | Required

Context Output

Path | Type | Description
SafeBreach.Simulation.Id | Number | Simulation unique ID.
SafeBreach.Simulation.Rerun.Name | String | Simulation rerun test name.
SafeBreach.Simulation.Rerun.Id | String | ID of the rerun test.
SafeBreach.Simulation.Rerun.ScheduledTime | Datetime | Time when the rerun was triggered.
SafeBreach.Test.Id | String | ID of the test.
SafeBreach.Test.Name | String | Name of the test.
SafeBreach.Test.AttacksCount | Number | The number of attacks executed in the rerun test.
SafeBreach.Test.Status | String | Test run status. For a rerun: "PENDING".
SafeBreach.Test.ScheduledTime | Datetime | Time when the test was triggered.
Command Example

!safebreach-rerun-simulation simulationId=d937cd0e5fd4e2c9266801b7bd17e097

Context Example
{
"SafeBreach": {
"Simulation": {
"Id": "d937cd0e5fd4e2c9266801b7bd17e097",
"Rerun": {
"Id": "1586684466634.76",
"Name": "Rerun (Demisto) - #(3055) Write wannacry malware to disk",
"ScheduledTime": "2020-04-12T09:41:06.643609"
}
},
"Test": {
"AttacksCount": 1,
"Id": "1586684466634.76",
"Name": "Rerun (Demisto) - #(3055) Write wannacry malware to disk",
"Status": "PENDING"
}
}
}
Human Readable Output

SafeBreach Rerun Simulation

Simulation Id | Test Id | Name
d937cd0e5fd4e2c9266801b7bd17e097 | 1586684466634.76 | Rerun (Demisto) - #(3055) Write wannacry malware to disk

safebreach-get-indicators


Fetches SafeBreach Insights from which indicators are extracted, creating new indicators or updating existing indicators.

Base Command

safebreach-get-indicators

Input
Argument Name | Description | Required
limit | The maximum number of indicators to generate. The default is 1000. | Optional
insightCategory | Multi-select option for the category of the insights to get remediation data for: Network Access, Network Inspection, Endpoint, Email, Web, Data Leak | Optional
insightDataType | Multi-select option for the remediation data type to get: Hash, Domain, URI, Command, Port, Protocol, Registry | Optional
Context Output

There is no context output for this command.

Command Example

!safebreach-get-indicators limit=10

Context Example
None
Human Readable Output

Indicators:

Fields | Rawjson | Score | Type | Value
description: SafeBreach Insight - Prevent malware network transfer; sha256: 0a2076b9d288411486a0c6367bccf75ea0fd6ba9aaaa9ff046ff3959f60ff35f; tags: SafeBreachInsightId: 7; value: 0a2076b9d288411486a0c6367bccf75ea0fd6ba9aaaa9ff046ff3959f60ff35f | dataType: SHA256; insightId: 7; insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 0a2076b9d288411486a0c6367bccf75ea0fd6ba9aaaa9ff046ff3959f60ff35f
description: SafeBreach Insight - Prevent malware network transfer; sha256: 0dcbb073b62f9ec1783d98d826bbfd1f938feb59e8e70180c00ecdfd903c0fe1; tags: SafeBreachInsightId: 7; value: 0dcbb073b62f9ec1783d98d826bbfd1f938feb59e8e70180c00ecdfd903c0fe1 | dataType: SHA256; insightId: 7; insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 0dcbb073b62f9ec1783d98d826bbfd1f938feb59e8e70180c00ecdfd903c0fe1
description: SafeBreach Insight - Prevent malware network transfer; sha256: f456baa4593272686b9e07c8d902868991423dddeb5587734985d676c06dc730; tags: SafeBreachInsightId: 7; value: f456baa4593272686b9e07c8d902868991423dddeb5587734985d676c06dc730 | dataType: SHA256; insightId: 7; insightTime: 2020-04-07T15:54:01.256Z | 3 | File | f456baa4593272686b9e07c8d902868991423dddeb5587734985d676c06dc730
description: SafeBreach Insight - Prevent malware network transfer; sha256: e3c6ce5a57623cb0ea51f70322c312ccf23b9e4a7342680fd18f0cce556aaa0f; tags: SafeBreachInsightId: 7; value: e3c6ce5a57623cb0ea51f70322c312ccf23b9e4a7342680fd18f0cce556aaa0f | dataType: SHA256; insightId: 7; insightTime: 2020-04-07T15:54:01.256Z | 3 | File | e3c6ce5a57623cb0ea51f70322c312ccf23b9e4a7342680fd18f0cce556aaa0f
description: SafeBreach Insight - Prevent malware network transfer; sha256: 327c968b4c381d7c8f051c78720610cbb115515a370924c0d414c403524d7a03; tags: SafeBreachInsightId: 7; value: 327c968b4c381d7c8f051c78720610cbb115515a370924c0d414c403524d7a03 | dataType: SHA256; insightId: 7; insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 327c968b4c381d7c8f051c78720610cbb115515a370924c0d414c403524d7a03
description: SafeBreach Insight - Prevent malware network transfer; sha256: 566ef062b86cc505fac48c50a80c65ae5f8bd19cdf6dc2a9d935045d08a37e60; tags: SafeBreachInsightId: 7; value: 566ef062b86cc505fac48c50a80c65ae5f8bd19cdf6dc2a9d935045d08a37e60 | dataType: SHA256; insightId: 7; insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 566ef062b86cc505fac48c50a80c65ae5f8bd19cdf6dc2a9d935045d08a37e60
description: SafeBreach Insight - Prevent malware network transfer; sha256: 620f756be7815e24dfb2724839dc616fe46b545fa13fd3a7e063db661e21d596; tags: SafeBreachInsightId: 7; value: 620f756be7815e24dfb2724839dc616fe46b545fa13fd3a7e063db661e21d596 | dataType: SHA256; insightId: 7; insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 620f756be7815e24dfb2724839dc616fe46b545fa13fd3a7e063db661e21d596
description: SafeBreach Insight - Prevent malware network transfer; sha256: 500f7f7b858b4bb4e4172361327ee8c340bc95442ebf713d60f892347e02af2f; tags: SafeBreachInsightId: 7; value: 500f7f7b858b4bb4e4172361327ee8c340bc95442ebf713d60f892347e02af2f | dataType: SHA256; insightId: 7; insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 500f7f7b858b4bb4e4172361327ee8c340bc95442ebf713d60f892347e02af2f
description: SafeBreach Insight - Prevent malware network transfer; sha256: 5fd54218d1c68562e0a98985f79cb03526aa97e95be020a2b8ceaa9c083f9c19; tags: SafeBreachInsightId: 7; value: 5fd54218d1c68562e0a98985f79cb03526aa97e95be020a2b8ceaa9c083f9c19 | dataType: SHA256; insightId: 7; insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 5fd54218d1c68562e0a98985f79cb03526aa97e95be020a2b8ceaa9c083f9c19
description: SafeBreach Insight - Prevent malware network transfer; sha256: 1711fbb363aebfe66f2d8dcbf8cddca8d2fd9fa9a6952da5873b7825e57f542d; tags: SafeBreachInsightId: 7; value: 1711fbb363aebfe66f2d8dcbf8cddca8d2fd9fa9a6952da5873b7825e57f542d | dataType: SHA256; insightId: 7; insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 1711fbb363aebfe66f2d8dcbf8cddca8d2fd9fa9a6952da5873b7825e57f542d
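As an added example (not the integration's own code), the following shows how indicators with the fields, rawJSON, score and type shown above can be built from insight remediation data, honouring the limit and insightDataType arguments. The insight field names (title, lastRunTime, remediationData), the data-type to indicator-type mapping, and the sample input are assumptions constructed for illustration.

```python
from typing import Dict, List, Optional

MALICIOUS = 3  # XSOAR DBot score 3 = Bad, the Score column in the output above
# Assumed mapping: SafeBreach data type -> (XSOAR indicator type, field holding the value).
TYPE_MAP = {"Hash": ("File", None), "Domain": ("Domain", "domainname"), "URI": ("URL", "url")}
HASH_FIELDS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> field name

def build_indicators(insights: List[Dict], data_types: Optional[List[str]] = None,
                     limit: int = 1000) -> List[Dict]:
    """Turn insight remediation entries into XSOAR indicator dicts, at most `limit`."""
    indicators: List[Dict] = []
    for insight in insights:
        for item in insight["remediationData"]:
            kind, value = item["type"], item["value"].strip()
            if kind not in TYPE_MAP or (data_types and kind not in data_types):
                continue  # unmapped type (Command, Port, ...) or filtered out by the caller
            xsoar_type, value_field = TYPE_MAP[kind]
            if kind == "Hash":  # pick md5/sha1/sha256 by length; reject anything non-hex
                value = value.lower()
                value_field = HASH_FIELDS.get(len(value))
                if value_field is None or set(value) - set("0123456789abcdef"):
                    continue
            indicators.append({
                "value": value, "type": xsoar_type, "score": MALICIOUS,
                "fields": {"description": f"SafeBreach Insight - {insight['title']}",
                           value_field: value,
                           "tags": [f"SafeBreachInsightId: {insight['id']}"]},
                "rawJSON": {"dataType": value_field.upper() if kind == "Hash" else kind,
                            "insightId": insight["id"],
                            "insightTime": insight["lastRunTime"]},
            })
            if len(indicators) >= limit:
                return indicators
    return indicators

# Constructed sample input (field names are assumptions); the first hash is from the output above.
SAMPLE_INSIGHTS = [{
    "id": 7, "title": "Prevent malware network transfer",
    "lastRunTime": "2020-04-07T15:54:01.256Z",
    "remediationData": [
        {"type": "Hash", "value": "0a2076b9d288411486a0c6367bccf75ea0fd6ba9aaaa9ff046ff3959f60ff35f"},
        {"type": "Hash", "value": "not-a-digest"},
        {"type": "Domain", "value": "staging.example"},
        {"type": "Port", "value": "4444"},
    ],
}]
if __name__ == "__main__":
    for ind in build_indicators(SAMPLE_INSIGHTS, limit=10):
        print(ind["type"], ind["score"], ind["value"])
```

The malformed hash and the unmapped Port entry are skipped rather than turned into indicators of the wrong type.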