# Sepio

This Integration is part of the Sepio Pack.

Get Agents, Switches and Events from your Sepio Prime.

This integration was integrated and tested with version 20.07.22.0958 of Sepio Prime.
## Configure Sepio in Cortex

Parameter | Description | Required |
---|---|---|
url | Server URL (e.g. https://sepio-prime.com) | True |
credentials | Username | True |
isFetch | Fetch incidents | False |
incidentType | Incident type | False |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
fetch_time | Initial time to start fetching incidents, in days. | True |
min_severity | Minimum alert severity to retrieve. Values are: Warning, Error, Critical | False |
category | Alert category to retrieve. Values are: USB, Network | True |
max_alerts | Maximum number of alerts to fetch at a time | False |

Leave `insecure` unset outside of testing: with it enabled the integration accepts any certificate presented for the Sepio Prime URL, so the configured credentials can be captured by an interposed host.

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

The commands sepio-set-agent-mode and sepio-set-peripherals-mode require a Sepio Prime user with the Manager profile; the other commands work with the User profile. If an instance only queries and fetches incidents, configure it with a User-profile account and keep a Manager-profile account for the two mode-changing commands.

### sepio-query-agents

Get Agents.

#### Base Command

`sepio-query-agents`

#### Input

Argument Name | Description | Required |
---|---|---|
host_identifier | Filter results based on Host Identifier. | Optional |
ip_address | Filter results based on IP Address. | Optional |
uuid | Filter results based on Agent’s UUID. | Optional |
has_unapproved_peripherals | Filter only agents that have unapproved peripherals that are attached. | Optional |
has_vulnerable_peripherals | Filter only agents that have vulnerable peripherals that are attached. | Optional |
has_known_attack_tools | Filter only agents that have identified attack tools that attached. | Optional |
limit | Maximum number of Agent entries to return. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Sepio.Agent.HostIdentifier | string | Textual name assigned to the Sepio Agent instance, usually derived from the host name of the workstation. This is not a unique identifier of the Agent instance; use UUID for that. |
Sepio.Agent.IpAddress | string | Sepio Agent IP Address. |
Sepio.Agent.UUID | string | Sepio Agent instance unique identifier. |
Sepio.Agent.OsVersion | string | Version of the operating system of the host running Sepio Agent. |
Sepio.Agent.HardwareModel | string | The hardware model of the host running Sepio Agent. |
Sepio.Agent.NicInfo | string | A list of the network interfaces of the host running Sepio Agent. |
Sepio.Agent.LastUpdate | date | Last update time. Format YYYY-MM-DDThh:mm:ss.sTZD |
Sepio.Agent.Status | string | Current status of Sepio Agent. |
Sepio.Agent.HasUnapprovedPeripherals | boolean | True if the Agent has at least one unapproved peripheral device attached. |
Sepio.Agent.HasVulnerablePeripherals | boolean | True if the Agent has at least one vulnerable peripheral attached. |
Sepio.Agent.HasKnownAttackTools | boolean | True if the Agent has at least one attached peripheral that is identified as a known attack tool. |
Sepio.Agent.LastConfiguration | date | Last configuration time. Format YYYY-MM-DDThh:mm:ss.sTZD |
Sepio.Agent.Version | string | Version of Sepio Agent. |
Sepio.Agent.License | string | Agent license status (Pending/Expired/Invalid/Activated). |

#### Command Example

`!sepio-query-agents uuid=BFEBFBFF000806EAL1HF8C4003Z ip_address=192.168.10.107 host_identifier=DESKTOP-ANTONY has_known_attack_tools=False has_unapproved_peripherals=False has_vulnerable_peripherals=False limit=1000`

#### Context Example

#### Human Readable Output

##### Agents

UUID | IpAddress | HostIdentifier | HasUnapprovedPeripherals | HasVulnerablePeripherals | HasKnownAttackTools |
---|---|---|---|---|---|
BFEBFBFF000806EAL1HF8C4003Z | 192.168.10.107 | DESKTOP-ANTONY | false | false | false |

### sepio-query-peripherals

Get Peripherals.

#### Base Command

`sepio-query-peripherals`

#### Input

Argument Name | Description | Required |
---|---|---|
host_identifier | Filter results based on Host Identifier. | Optional |
host_uuid | Filter results based on the UUID of the Agent. | Optional |
vendor_name | Filter peripheral devices that contain a certain textual name (partial or full, "contains") in the vendor name. | Optional |
product_name | Filter peripheral devices that contain a certain textual name (partial or full, "contains") in the product name. | Optional |
serial_number | Filter peripheral devices that contain a certain text value (partial or full, "contains") in the serial number. | Optional |
is_unapproved_peripheral | Filter only unapproved peripheral devices that are attached. | Optional |
is_vulnerable_peripheral | Filter only vulnerable peripheral devices that are attached. | Optional |
is_known_attack_tool | Filter only peripheral devices that are identified as known attack tools. | Optional |
limit | Maximum number of peripheral device entries to return. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Sepio.Peripheral.HostIdentifier | string | Textual name assigned to the Sepio Agent instance, usually derived from the host name of the workstation. This is not a unique identifier of the Agent instance; use HostUUID for that. |
Sepio.Peripheral.HostUUID | string | Sepio Agent instance unique identifier. |
Sepio.Peripheral.DeviceID | string | Sepio device unique identifier. |
Sepio.Peripheral.DeviceIcon | string | Indication of the device type. |
Sepio.Peripheral.DeviceType | string | Textual indication of the device type. |
Sepio.Peripheral.VID | string | Peripheral device VendorID. |
Sepio.Peripheral.VendorName | string | Peripheral device vendor name. |
Sepio.Peripheral.PID | string | Peripheral device ProductID. |
Sepio.Peripheral.ProductName | string | Peripheral device product name. |
Sepio.Peripheral.SerialNumber | string | Peripheral device serial number (when applicable). |
Sepio.Peripheral.Status | string | Current status of the peripheral device. |
Sepio.Peripheral.IsUnapprovedPeripheral | boolean | True if this attached peripheral device is unapproved. |
Sepio.Peripheral.IsVulnerablePeripheral | boolean | True if this attached peripheral device is vulnerable. |
Sepio.Peripheral.IsKnownAttackTool | boolean | True if this peripheral device is identified as a known attack tool. |

#### Command Example

`!sepio-query-peripherals host_uuid=BFEBFBFF000806EAL1HF8C4003Z vendor_name="Logitech, Inc." product_name="Keyboard K120" limit=20`

#### Context Example

#### Human Readable Output

##### Peripherals

HostUUID | DeviceID | Status | IsUnapprovedPeripheral | IsVulnerablePeripheral | IsKnownAttackTool |
---|---|---|---|---|---|
BFEBFBFF000806EAL1HF8C4003Z | USB\VID_046D&PID_C31C\5&20DBD6CE&0&1 | OK | false | false | false |
BFEBFBFF000806EAL1HF8C4003Z | USB\VID_046D&PID_C31C&MI_00\6&284FE535&0&0000 | OK | false | false | false |
BFEBFBFF000806EAL1HF8C4003Z | USB\VID_046D&PID_C31C&MI_01\6&284FE535&0&0001 | OK | false | false | false |

Note that a single composite USB device is listed as one row per interface (the parent entry plus the MI_00 and MI_01 entries above), all sharing the same VID and PID.

### sepio-query-switches

Get Switches.

#### Base Command

`sepio-query-switches`

#### Input

Argument Name | Description | Required |
---|---|---|
ip_address | Filter results based on IP Address. | Optional |
switch_name | Filter results based on switch name. | Optional |
model | Filter only switches that are of the specified model (partial or full, "begins with"). | Optional |
ios_version | Filter only switches that run a certain iosVersion (partial or full, "contains"). | Optional |
is_alarmed | Filter only switches that are alarmed. | Optional |
limit | Maximum number of switch entries to return. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Sepio.Switch.SwitchID | string | Switch unique identifier. |
Sepio.Switch.IpAddress | string | IP Address of the switch. |
Sepio.Switch.Name | string | Assigned name of the switch. |
Sepio.Switch.Model | string | The specific switch model. |
Sepio.Switch.IosVersion | string | The IOS version the switch is running. |
Sepio.Switch.LastUpdate | string | Last update time. Format yyyy-MM-dd hh:mm:ss. |
Sepio.Switch.NumberOfPorts | number | The total number of switch ports. |
Sepio.Switch.Status | string | Current status of the switch. |
Sepio.Switch.IsAlarmed | boolean | True if the switch is alarmed. |

#### Command Example

`!sepio-query-switches switch_name=sepio2960g ios_version=12.2(52)SE ip_address=192.168.100.25 model=WS-C2960G-24TC-L`

#### Context Example

#### Human Readable Output

##### Switches

SwitchID | Status | IsAlarmed |
---|---|---|
DC:7B:94:96:17:80_FOC1428V67S | Normal | false |

### sepio-query-switch-ports

Get Switch Ports.

#### Base Command

`sepio-query-switch-ports`

#### Input

Argument Name | Description | Required |
---|---|---|
switch_ip_address | Filter results based on switch IP Address. | Optional |
switch_name | Filter results based on switch name. | Optional |
port_id | Filter results based on port id. | Optional |
port_name | Filter results based on port name. | Optional |
link_partner_data_contains | Filter only switch ports that contain the specified address (partial or full, "contains"). | Optional |
is_alarmed | Filter only switch ports that are alarmed. | Optional |
limit | Maximum number of switch port entries to return. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Sepio.Port.SwitchID | string | Unique identifier of the switch the port belongs to. |
Sepio.Port.SwitchIpAddress | string | IP Address of the switch. |
Sepio.Port.SwitchName | string | Assigned name of the switch. |
Sepio.Port.PortID | string | Port unique identifier inside the switch. |
Sepio.Port.Name | string | Assigned name of the switch port. |
Sepio.Port.LastUpdate | string | Last update time. |
Sepio.Port.NumberOfMacAddresses | number | The number of MAC addresses detected on the switch port. |
Sepio.Port.LinkPartners | string | List of the MAC addresses detected on the switch port (limited to a maximum of 10). |
Sepio.Port.Status | string | Current status of the switch port. |
Sepio.Port.IsAlarmed | boolean | True if the switch port is alarmed. |
Sepio.Port.AlarmInfo | string | Details about the cause of the alarm (only if alarmed). |

#### Command Example

`!sepio-query-switch-ports switch_name=sepio2960g switch_ip_address=192.168.100.25 port_id=Gi0/17 link_partner_data_contains=042AE2D31AC0,04D590D51701`

#### Context Example

#### Human Readable Output

##### Ports

SwitchID | PortID | Status | IsAlarmed | AlarmInfo |
---|---|---|---|---|
DC:7B:94:96:17:80_FOC1428V67S | Gi0/17 | connected | false | |

### sepio-query-system-events

Get Events.

#### Base Command

`sepio-query-system-events`

#### Input

Argument Name | Description | Required |
---|---|---|
start_datetime | Filter results based on event timestamp. | Optional |
end_datetime | Filter results based on event timestamp. | Optional |
min_severity | Filter only events of specific or higher severity than (>=). | Optional |
category | Filter results based on event category. | Optional |
source | Filter results based on source entity of the event (partial or full, "contains"). | Optional |
peripheral_type | Filter only events (in the case of Peripheral events) that match a certain peripheral type. can contain multiple peripheral types separated with comma, i.e '1,2,3,4' or single type, i.e '1' | Optional |
limit | Maximum number of event entries to return. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Sepio.Event.CreationDatetime | string | Timestamp of the event. |
Sepio.Event.Severity | string | Severity level of the event. |
Sepio.Event.Category | string | Category of the event. |
Sepio.Event.Source | string | Source entity. |
Sepio.Event.Description | string | Event description. |
Sepio.Event.PeripheralType | string | Type of peripheral device (in the case of Peripheral Security events). |
Sepio.Event.Details | string | Additional details containing a textual description of the event. |

#### Command Example

`!sepio-query-system-events start_datetime=2020-07-16T16:50:00Z end_datetime=2020-07-21T11:02:00Z min_severity=Warning peripheral_type=1,2,3,4`

#### Context Example

#### Human Readable Output

##### Events

EventID | CreationDatetime | Category | Source | Description |
---|---|---|---|---|
1067 | 2020-07-16T16:53:29.240559 | USB | DESKTOP-ANTONY (192.168.10.107) | New USB peripheral detected |
1068 | 2020-07-16T16:53:29.240606 | USB | DESKTOP-ANTONY (192.168.10.107) | New USB peripheral detected |

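The event filters documented above (time window, min_severity as "this level or higher", category, source "contains", comma-separated peripheral_type, limit) together with the fetch parameters from the configuration table (fetch_time in days, min_severity, category, max_alerts), modelled in Python as an added example. This is not the integration's own code. The sample events are constructed: only 1067 and 1068 mirror rows of the output above, and their Severity and PeripheralType values are assumed because the page does not show them. The shape of the last_run cursor and the rule that peripheral_type leaves events without a PeripheralType untouched are also assumptions.

```python
from datetime import datetime, timedelta

# Severity order for min_severity: "this level or higher" (>=).
SEVERITY_RANK = {"Warning": 1, "Error": 2, "Critical": 3}

# Constructed sample events. 1067 and 1068 mirror the rows in the human
# readable output above; the others are made up for this example. Severity
# and PeripheralType values are assumptions, the page does not show them.
SAMPLE_EVENTS = [
    {"EventID": 1067, "CreationDatetime": "2020-07-16T16:53:29.240559", "Severity": "Warning",
     "Category": "USB", "Source": "DESKTOP-ANTONY (192.168.10.107)",
     "Description": "New USB peripheral detected", "PeripheralType": "1"},
    {"EventID": 1068, "CreationDatetime": "2020-07-16T16:53:29.240606", "Severity": "Warning",
     "Category": "USB", "Source": "DESKTOP-ANTONY (192.168.10.107)",
     "Description": "New USB peripheral detected", "PeripheralType": "2"},
    {"EventID": 1070, "CreationDatetime": "2020-07-17T09:12:00", "Severity": "Critical",
     "Category": "USB", "Source": "EXAMPLE-HOST-2 (192.168.10.150)",
     "Description": "Known attack tool detected", "PeripheralType": "7"},
    {"EventID": 1071, "CreationDatetime": "2020-07-18T08:00:00", "Severity": "Error",
     "Category": "Network", "Source": "sepio2960g (192.168.100.25)",
     "Description": "Switch port alarmed", "PeripheralType": None},
    {"EventID": 1072, "CreationDatetime": "2020-07-22T12:00:00", "Severity": "Critical",
     "Category": "USB", "Source": "EXAMPLE-HOST-2 (192.168.10.150)",
     "Description": "Known attack tool detected", "PeripheralType": "7"},
]


def parse_ts(value):
    """Parse both the 'Z'-suffixed form used in command arguments and the
    microsecond form of CreationDatetime; both are treated as UTC."""
    return datetime.fromisoformat(value[:-1] if value.endswith("Z") else value)


def parse_peripheral_types(value):
    """'1,2,3,4' -> {'1','2','3','4'}; None or '' means no type filter."""
    if not value:
        return None
    return {t.strip() for t in value.split(",") if t.strip()}


def filter_events(events, start_datetime=None, end_datetime=None, min_severity=None,
                  category=None, source=None, peripheral_type=None, limit=None):
    """Apply the sepio-query-system-events filters, oldest event first.

    Assumption: peripheral_type only constrains events that carry a
    PeripheralType; events without one (e.g. Network events) pass through.
    """
    start = parse_ts(start_datetime) if start_datetime else None
    end = parse_ts(end_datetime) if end_datetime else None
    min_rank = SEVERITY_RANK[min_severity] if min_severity else 0
    types = parse_peripheral_types(peripheral_type)
    out = []
    for ev in sorted(events, key=lambda e: (parse_ts(e["CreationDatetime"]), e["EventID"])):
        ts = parse_ts(ev["CreationDatetime"])
        if (start and ts < start) or (end and ts > end):
            continue
        if SEVERITY_RANK[ev["Severity"]] < min_rank:
            continue
        if category and ev["Category"] != category:
            continue
        if source and source.lower() not in ev["Source"].lower():
            continue
        if types is not None and ev["PeripheralType"] is not None and ev["PeripheralType"] not in types:
            continue
        out.append(ev)
        if limit and len(out) >= limit:
            break
    return out


def fetch_incidents(events, last_run, fetch_time_days, min_severity, category, max_alerts, now):
    """One fetch cycle modelled on the fetch parameters in the configuration table.

    Added model, not the integration's own fetch code. The first run looks back
    fetch_time_days from `now` (an ISO string); later runs resume from last_run,
    which records the newest timestamp returned plus the EventIDs already
    returned at that exact timestamp, so events sharing a timestamp across two
    cycles are neither lost nor duplicated. Returns (new_events, new_last_run).
    """
    if last_run is None:
        since, seen_ids = parse_ts(now) - timedelta(days=fetch_time_days), set()
    else:
        since, seen_ids = parse_ts(last_run["time"]), set(last_run["ids"])
    candidates = filter_events(events, start_datetime=since.isoformat(), end_datetime=now,
                               min_severity=min_severity, category=category)
    new = [e for e in candidates
           if parse_ts(e["CreationDatetime"]) > since or e["EventID"] not in seen_ids][:max_alerts]
    if not new:
        return [], last_run
    newest = new[-1]["CreationDatetime"]
    ids_at_newest = [e["EventID"] for e in new if e["CreationDatetime"] == newest]
    if last_run is not None and newest == last_run["time"]:
        ids_at_newest = sorted(seen_ids) + ids_at_newest
    return new, {"time": newest, "ids": ids_at_newest}
```

Running `filter_events` with the arguments of the command example above returns only events 1067 and 1068: 1070 is within the window and above the severity floor but its PeripheralType is not in `1,2,3,4`, and 1071 is a Network event. With `max_alerts=2` the first fetch returns 1067 and 1068 and the next cycle continues with 1070 and 1072 rather than re-reading 1068, which is the reason the cursor keeps the IDs seen at its timestamp instead of only the timestamp.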
### sepio-set-agent-mode

Set Agent Mode.

#### Base Command

`sepio-set-agent-mode`

#### Input

Argument Name | Description | Required |
---|---|---|
uuid | UUID of the Agent to set. | Optional |
host_identifier | Host identifier of the Agent to set. | Optional |
ip_address | IP Address of the Agent to set. | Optional |
mode | New mode to apply – "Free" or "Armed". | Required |

The target Agent is selected by uuid, host_identifier or ip_address. Only the UUID is unique (Sepio.Agent.HostIdentifier is derived from the host name and is documented above as not unique), so prefer uuid when this command runs from an automation.

#### Context Output

There is no context output for this command.

#### Command Example

`!sepio-set-agent-mode mode=Free uuid=BFEBFBFF000806EAL1HF8C4003Z`

#### Human Readable Output

Agent ['BFEBFBFF000806EAL1HF8C4003Z'] mode has been changed successfully to 'Free'

### sepio-set-peripherals-mode

Set Agent Peripherals Mode.

#### Base Command

`sepio-set-peripherals-mode`

#### Input

Argument Name | Description | Required |
---|---|---|
uuid | UUID of the Agent to set. | Optional |
host_identifier | Host identifier of the Agent to set. | Optional |
ip_address | IP Address of the Agent to set. | Optional |
vid | VendorID of the peripheral to set. | Required |
pid | ProductID of the peripheral to set. | Required |
mode | New mode to apply – "Approve" or "Disapprove". | Required |

The mode is applied per VendorID/ProductID pair on the selected Agent. The command takes no serial number, so an Approve covers every attached peripheral with that VID and PID on that host, not one physical device.

#### Context Output

There is no context output for this command.

#### Command Example

`!sepio-set-peripherals-mode mode=Approve uuid=BFEBFBFF000806EAL1HF8C4003Z vid=046D pid=C31C`

#### Human Readable Output

Peripherals of ['BFEBFBFF000806EAL1HF8C4003Z'] with vid '046D' and pid 'C31C' mode changed successfully to 'Approve'
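Turning sepio-query-peripherals output into sepio-set-peripherals-mode calls, as an added example for both commands. This is not the integration's or Sepio's code. It assumes Sepio.Peripheral.DeviceID follows the Windows USB device-instance path format `USB\VID_xxxx&PID_xxxx[&MI_nn]\<instance>` seen in the sample output of sepio-query-peripherals; the page shows that format but does not document it. The sample entries are constructed from the three rows of that output.

```python
import re
from collections import OrderedDict

# Constructed sample: the three rows of the sepio-query-peripherals
# human-readable output, shaped as Sepio.Peripheral context entries.
SAMPLE_PERIPHERALS = [
    {"HostUUID": "BFEBFBFF000806EAL1HF8C4003Z",
     "DeviceID": r"USB\VID_046D&PID_C31C\5&20DBD6CE&0&1",
     "Status": "OK", "IsUnapprovedPeripheral": False,
     "IsVulnerablePeripheral": False, "IsKnownAttackTool": False},
    {"HostUUID": "BFEBFBFF000806EAL1HF8C4003Z",
     "DeviceID": r"USB\VID_046D&PID_C31C&MI_00\6&284FE535&0&0000",
     "Status": "OK", "IsUnapprovedPeripheral": False,
     "IsVulnerablePeripheral": False, "IsKnownAttackTool": False},
    {"HostUUID": "BFEBFBFF000806EAL1HF8C4003Z",
     "DeviceID": r"USB\VID_046D&PID_C31C&MI_01\6&284FE535&0&0001",
     "Status": "OK", "IsUnapprovedPeripheral": False,
     "IsVulnerablePeripheral": False, "IsKnownAttackTool": False},
]

# Assumption: DeviceID is a Windows USB device-instance path,
# USB\VID_xxxx&PID_xxxx[&MI_nn]\<instance>; the page only shows samples of it.
_DEVICE_ID_RE = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})"
    r"(?:&MI_(?P<mi>[0-9A-Fa-f]{2}))?\\(?P<instance>[^\\]+)$"
)


def parse_device_id(device_id):
    """Split a DeviceID into vid, pid, interface number (mi) and instance id.

    Returns None for identifiers that are not USB device-instance paths, so
    callers skip them instead of guessing a VID/PID for them.
    """
    m = _DEVICE_ID_RE.match(device_id)
    if m is None:
        return None
    parts = m.groupdict()
    parts["vid"] = parts["vid"].upper()
    parts["pid"] = parts["pid"].upper()
    parts["mi"] = int(parts["mi"], 16) if parts["mi"] is not None else None
    return parts


def peripheral_mode_commands(peripherals, mode):
    """Build one sepio-set-peripherals-mode command per (HostUUID, VID, PID).

    A composite device appears as a parent row plus one MI_nn row per
    interface; they share VID/PID, so one command covers all of them. Because
    the command approves the whole VID/PID pair, a pair is refused for Approve
    when any of its rows is flagged IsKnownAttackTool, even if the other rows
    are clean. Returns (commands, skipped_device_ids).
    """
    if mode not in ("Approve", "Disapprove"):
        raise ValueError("mode must be 'Approve' or 'Disapprove'")
    rows, blocked, skipped = [], set(), []
    for entry in peripherals:
        parsed = parse_device_id(entry["DeviceID"])
        if parsed is None:
            skipped.append(entry["DeviceID"])
            continue
        key = (entry["HostUUID"], parsed["vid"], parsed["pid"])
        rows.append((key, entry["DeviceID"]))
        if mode == "Approve" and entry.get("IsKnownAttackTool"):
            blocked.add(key)
    commands = OrderedDict()
    for key, device_id in rows:
        if key in blocked:
            skipped.append(device_id)
            continue
        uuid, vid, pid = key
        commands.setdefault(
            key, "!sepio-set-peripherals-mode mode={} uuid={} vid={} pid={}".format(mode, uuid, vid, pid))
    return list(commands.values()), skipped


if __name__ == "__main__":
    for cmd in peripheral_mode_commands(SAMPLE_PERIPHERALS, "Approve")[0]:
        print(cmd)
```

For the three sample rows this yields a single command, the same one shown in the command example above, because all three rows belong to one keyboard with VID 046D and PID C31C.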