Sepio

Get Agents, Switches and Events from your Sepio Prime

This integration was integrated and tested with version 20.07.22.0958 of Sepio Prime

Configure Sepio on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Sepio.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://sepio-prime.com) | True |
| credentials | Username | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| fetch_time | Initial time to start fetching incidents. In days. | True |
| min_severity | Alert severity to retrieve. Values are: Warning, Error, Critical | False |
| category | Alert category to retrieve. Values are: USB, Network | True |
| max_alerts | Maximum number of alerts to fetch at a time | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. The commands sepio-set-agent-mode and sepio-set-peripherals-mode require a user with the Manager profile; the other commands require a user with the User profile.

sepio-query-agents


Get Agents

Base Command

sepio-query-agents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| host_identifier | Filter results based on Host Identifier. | Optional |
| ip_address | Filter results based on IP Address. | Optional |
| uuid | Filter results based on Agent's UUID. | Optional |
| has_unapproved_peripherals | Filter only agents that have unapproved peripherals that are attached. | Optional |
| has_vulnerable_peripherals | Filter only agents that have vulnerable peripherals that are attached. | Optional |
| has_known_attack_tools | Filter only agents that have identified attack tools that are attached. | Optional |
| limit | Maximum number of Agent entries to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Sepio.Agent.HostIdentifier | string | Sepio Agent's instance assigned textual name, usually derived from the HOST name of the workstation. This is not a unique identifier of the Sepio Agent's instance. |
| Sepio.Agent.IpAddress | string | Sepio Agent IP Address. |
| Sepio.Agent.UUID | string | Sepio Agent's instance unique identifier. |
| Sepio.Agent.OsVersion | string | Version of the operating system of the host running Sepio Agent. |
| Sepio.Agent.HardwareModel | string | The hardware model of the host running Sepio Agent. |
| Sepio.Agent.NicInfo | string | A list of the network interfaces of the host running Sepio Agent. |
| Sepio.Agent.LastUpdate | date | Last update time. Format YYYY-MM-DDThh:mm:ss.sTZD |
| Sepio.Agent.Status | string | Current status of Sepio Agent. |
| Sepio.Agent.HasUnapprovedPeripherals | boolean | True if the Agent has at least one unapproved peripheral device that is attached. |
| Sepio.Agent.HasVulnerablePeripherals | boolean | True if the Agent has at least one vulnerable peripheral that is attached. |
| Sepio.Agent.HasKnownAttackTools | boolean | True if the Agent has at least one peripheral that is identified as a known attack tool. |
| Sepio.Agent.LastConfiguration | date | Last configuration time. Format YYYY-MM-DDThh:mm:ss.sTZD |
| Sepio.Agent.Version | string | Version of Sepio Agent. |
| Sepio.Agent.License | string | Agent's license status (Pending/Expired/Invalid/Activated). |

Command Example

!sepio-query-agents uuid=BFEBFBFF000806EAL1HF8C4003Z ip_address=192.168.10.107 host_identifier=DESKTOP-ANTONY has_known_attack_tools=False has_unapproved_peripherals=False has_vulnerable_peripherals=False limit=1000

Context Example

```json
{
  "Sepio": {
    "Agent": {
      "HardwareModel": "LENOVO 20KS0039IV||2||",
      "HasKnownAttackTools": false,
      "HasUnapprovedPeripherals": false,
      "HasVulnerablePeripherals": false,
      "HostIdentifier": "DESKTOP-ANTONY",
      "IpAddress": "192.168.10.107",
      "LastConfiguration": "2020-07-21T17:56:52.75193",
      "LastUpdate": "2020-07-21T17:56:52.751994",
      "License": "Activated",
      "NicInfo": [
        "E8:6A:64:72:C2:BF||Realtek||Realtek PCIe GbE Family Controller",
        "A0:A4:C5:14:DA:CF||Intel Corporation||Intel(R) Dual Band Wireless-AC 3165"
      ],
      "OsVersion": "Windows 10 Pro 64-bit",
      "Status": "Free",
      "UUID": "BFEBFBFF000806EAL1HF8C4003Z",
      "Version": "3.0.18.0"
    }
  }
}
```

Human Readable Output

Agents

| UUID | IpAddress | HostIdentifier | HasUnapprovedPeripherals | HasVulnerablePeripherals | HasKnownAttackTools |
| --- | --- | --- | --- | --- | --- |
| BFEBFBFF000806EAL1HF8C4003Z | 192.168.10.107 | DESKTOP-ANTONY | false | false | false |

sepio-query-peripherals


Get Peripherals

Base Command

sepio-query-peripherals

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| host_identifier | Filter results based on Host Identifier. | Optional |
| host_uuid | Filter results based on the UUID of the Agent. | Optional |
| vendor_name | Filter peripheral devices that contain a certain textual name (partial or full, "contains") in the vendor name. | Optional |
| product_name | Filter peripheral devices that contain a certain textual name (partial or full, "contains") in the product name. | Optional |
| serial_number | Filter peripheral devices that contain a certain text value (partial or full, "contains") in the serial number. | Optional |
| is_unapproved_peripheral | Filter only unapproved peripheral devices that are attached. | Optional |
| is_vulnerable_peripheral | Filter only vulnerable peripheral devices that are attached. | Optional |
| is_known_attack_tool | Filter only peripheral devices that are identified as known attack tools. | Optional |
| limit | Maximum number of peripheral device entries to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Sepio.Peripheral.HostIdentifier | string | Sepio Agent's instance assigned textual name, usually derived from the HOST name of the workstation. This is not a unique identifier of the Sepio Agent's instance. |
| Sepio.Peripheral.HostUUID | string | Sepio Agent's instance unique identifier. |
| Sepio.Peripheral.DeviceID | string | Sepio device unique identifier. |
| Sepio.Peripheral.DeviceIcon | string | Indication of the device type. |
| Sepio.Peripheral.DeviceType | string | Textual indication of the device type. |
| Sepio.Peripheral.VID | string | Peripheral device VendorID. |
| Sepio.Peripheral.VendorName | string | Peripheral device vendor name. |
| Sepio.Peripheral.PID | string | Peripheral device ProductID. |
| Sepio.Peripheral.ProductName | string | Peripheral device product name. |
| Sepio.Peripheral.SerialNumber | string | Peripheral device serial number (when applicable). |
| Sepio.Peripheral.Status | string | Current status of the peripheral device. |
| Sepio.Peripheral.IsUnapprovedPeripheral | boolean | True if the Agent has at least one unapproved peripheral device that is attached. |
| Sepio.Peripheral.IsVulnerablePeripheral | boolean | True if the Agent has at least one vulnerable peripheral that is attached. |
| Sepio.Peripheral.IsKnownAttackTool | boolean | True if the Agent has at least one peripheral that is identified as a known attack tool. |

Command Example

!sepio-query-peripherals host_uuid=BFEBFBFF000806EAL1HF8C4003Z vendor_name="Logitech, Inc." product_name="Keyboard K120" limit=20

Context Example

```json
{
  "Sepio": {
    "Peripheral": [
      {
        "DeviceID": "USB\\VID_046D&PID_C31C\\5&20DBD6CE&0&1",
        "DeviceIcon": 0,
        "DeviceType": "NO_DEV",
        "HostIdentifier": "DESKTOP-ANTONY",
        "HostUUID": "BFEBFBFF000806EAL1HF8C4003Z",
        "IsKnownAttackTool": false,
        "IsUnapprovedPeripheral": false,
        "IsVulnerablePeripheral": false,
        "PID": "C31C",
        "ProductName": "Keyboard K120",
        "SerialNumber": null,
        "Status": "OK",
        "VID": "046D",
        "VendorName": "Logitech, Inc."
      },
      {
        "DeviceID": "USB\\VID_046D&PID_C31C&MI_00\\6&284FE535&0&0000",
        "DeviceIcon": 1,
        "DeviceType": "Keyboard",
        "HostIdentifier": "DESKTOP-ANTONY",
        "HostUUID": "BFEBFBFF000806EAL1HF8C4003Z",
        "IsKnownAttackTool": false,
        "IsUnapprovedPeripheral": false,
        "IsVulnerablePeripheral": false,
        "PID": "C31C",
        "ProductName": "Keyboard K120",
        "SerialNumber": null,
        "Status": "OK",
        "VID": "046D",
        "VendorName": "Logitech, Inc."
      },
      {
        "DeviceID": "USB\\VID_046D&PID_C31C&MI_01\\6&284FE535&0&0001",
        "DeviceIcon": 14,
        "DeviceType": "HID",
        "HostIdentifier": "DESKTOP-ANTONY",
        "HostUUID": "BFEBFBFF000806EAL1HF8C4003Z",
        "IsKnownAttackTool": false,
        "IsUnapprovedPeripheral": false,
        "IsVulnerablePeripheral": false,
        "PID": "C31C",
        "ProductName": "Keyboard K120",
        "SerialNumber": null,
        "Status": "OK",
        "VID": "046D",
        "VendorName": "Logitech, Inc."
      }
    ]
  }
}
```

Human Readable Output

Peripherals

| HostUUID | DeviceID | Status | IsUnapprovedPeripheral | IsVulnerablePeripheral | IsKnownAttackTool |
| --- | --- | --- | --- | --- | --- |
| BFEBFBFF000806EAL1HF8C4003Z | USB\VID_046D&PID_C31C\5&20DBD6CE&0&1 | OK | false | false | false |
| BFEBFBFF000806EAL1HF8C4003Z | USB\VID_046D&PID_C31C&MI_00\6&284FE535&0&0000 | OK | false | false | false |
| BFEBFBFF000806EAL1HF8C4003Z | USB\VID_046D&PID_C31C&MI_01\6&284FE535&0&0001 | OK | false | false | false |
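The example above shows the usual shape of Sepio.Peripheral data: one composite keyboard appears three times (the parent device plus its MI_00 and MI_01 interfaces), while sepio-set-peripherals-mode acts on a single VID/PID pair per Agent. The following Python is an added example, not part of the Sepio integration or of Sepio's own code: it parses the Windows-style DeviceID, collapses interface entries into one physical device per (HostUUID, VID, PID), and turns the result into one sepio-set-peripherals-mode argument set per device for an analyst to review. The routing policy (unapproved and unflagged devices become Approve candidates; vulnerable devices and known attack tools are recommended for Disapprove), the helper names and the sample rows are this example's assumptions; the sample marks the keyboard as unapproved and adds an invented VID 1234 / PID ABCD device.

```python
import re
from collections import OrderedDict

# Windows USB device instance path as seen in Sepio.Peripheral.DeviceID, e.g.
#   USB\VID_046D&PID_C31C&MI_01\6&284FE535&0&0001
# The &MI_xx component is present only on interface entries of a composite device.
_DEVICE_ID_RE = re.compile(
    r"^(?P<bus>[A-Za-z]+)\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})"
    r"(?:&MI_(?P<mi>[0-9A-Fa-f]{2}))?\\(?P<instance>.+)$"
)


def parse_device_id(device_id):
    """Split a DeviceID into bus, VID, PID, optional interface number and instance path."""
    match = _DEVICE_ID_RE.match(device_id)
    if not match:
        raise ValueError("unrecognised DeviceID format: %r" % device_id)
    parsed = match.groupdict()
    parsed["vid"], parsed["pid"] = parsed["vid"].upper(), parsed["pid"].upper()
    return parsed


def group_by_physical_device(peripherals):
    """Collapse the per-interface rows of a composite device into one record keyed by
    (HostUUID, VID, PID); the three risk flags are OR-ed across all interfaces."""
    groups = OrderedDict()
    for row in peripherals:
        parsed = parse_device_id(row["DeviceID"])
        key = (row["HostUUID"], parsed["vid"], parsed["pid"])
        group = groups.setdefault(key, {
            "vendor": row.get("VendorName"), "product": row.get("ProductName"),
            "interfaces": [], "device_types": [],
            "unapproved": False, "vulnerable": False, "attack_tool": False,
        })
        group["interfaces"].append(parsed["mi"])
        group["device_types"].append(row.get("DeviceType"))
        group["unapproved"] = group["unapproved"] or bool(row.get("IsUnapprovedPeripheral"))
        group["vulnerable"] = group["vulnerable"] or bool(row.get("IsVulnerablePeripheral"))
        group["attack_tool"] = group["attack_tool"] or bool(row.get("IsKnownAttackTool"))
    return groups


def plan_peripheral_actions(peripherals):
    """One sepio-set-peripherals-mode argument set per physical device (assumed policy):
    vulnerable devices or known attack tools -> Disapprove, whatever their current state;
    other unapproved devices -> Approve candidates for an analyst to confirm;
    already-approved, unflagged devices -> no action."""
    plan = {"approve_candidates": [], "disapprove": []}
    for (host_uuid, vid, pid), group in group_by_physical_device(peripherals).items():
        args = {"uuid": host_uuid, "vid": vid, "pid": pid}
        if group["vulnerable"] or group["attack_tool"]:
            plan["disapprove"].append(dict(args, mode="Disapprove"))
        elif group["unapproved"]:
            plan["approve_candidates"].append(dict(args, mode="Approve"))
    return plan


def build_command(args):
    """Render an argument set as the War Room command documented for this integration."""
    return "!sepio-set-peripherals-mode mode={mode} uuid={uuid} vid={vid} pid={pid}".format(**args)


# Constructed sample input in the shape of the Sepio.Peripheral context output. The three
# keyboard rows mirror the documented example but are marked unapproved here; the
# VID 1234 / PID ABCD row is an invented, already-approved device flagged as an attack tool.
def _row(device_id, dev_type, unapproved=False, vulnerable=False, attack_tool=False,
         vendor="Logitech, Inc.", product="Keyboard K120"):
    return {"DeviceID": device_id, "DeviceType": dev_type, "HostUUID": "BFEBFBFF000806EAL1HF8C4003Z",
            "VendorName": vendor, "ProductName": product, "Status": "OK",
            "IsUnapprovedPeripheral": unapproved, "IsVulnerablePeripheral": vulnerable,
            "IsKnownAttackTool": attack_tool}


SAMPLE_PERIPHERALS = [
    _row("USB\\VID_046D&PID_C31C\\5&20DBD6CE&0&1", "NO_DEV", unapproved=True),
    _row("USB\\VID_046D&PID_C31C&MI_00\\6&284FE535&0&0000", "Keyboard", unapproved=True),
    _row("USB\\VID_046D&PID_C31C&MI_01\\6&284FE535&0&0001", "HID", unapproved=True),
    _row("USB\\VID_1234&PID_ABCD\\7&1A2B3C4D&0&2", "HID", attack_tool=True,
         vendor="Example Vendor (constructed)", product="Example Device (constructed)"),
]

if __name__ == "__main__":
    plan = plan_peripheral_actions(SAMPLE_PERIPHERALS)
    for bucket, entries in plan.items():
        for entry in entries:
            print(bucket, "->", build_command(entry))
```

Run stand-alone, the script prints one command per physical device rather than one per interface row, which is what a playbook should hand to an analyst before sepio-set-peripherals-mode is executed with the Manager-profile user.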

sepio-query-switches


Get Switches

Base Command

sepio-query-switches

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip_address | Filter results based on IP Address. | Optional |
| switch_name | Filter results based on switch name. | Optional |
| model | Filter only switches that are of the specified model (partial or full, "begins with"). | Optional |
| ios_version | Filter only switches that run a certain iosVersion (partial or full, "contains"). | Optional |
| is_alarmed | Filter only switches that are alarmed. | Optional |
| limit | Maximum number of switch entries to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Sepio.Switch.SwitchID | string | Switch unique identifier. |
| Sepio.Switch.IpAddress | string | IP Address of the switch. |
| Sepio.Switch.Name | string | Assigned name of the switch. |
| Sepio.Switch.Model | string | The specific switch model. |
| Sepio.Switch.IosVersion | string | The IOS version the switch is running. |
| Sepio.Switch.LastUpdate | string | Last update time. Format yyyy-MM-dd hh:ss:mm. |
| Sepio.Switch.NumberOfPorts | number | The total number of switch ports. |
| Sepio.Switch.Status | string | Current status of the switch. |
| Sepio.Switch.IsAlarmed | boolean | True if the switch is alarmed. |

Command Example

!sepio-query-switches switch_name=sepio2960g ios_version=12.2(52)SE ip_address=192.168.100.25 model=WS-C2960G-24TC-L

Context Example

```json
{
  "Sepio": {
    "Switch": {
      "IosVersion": "12.2(52)SE",
      "IpAddress": "192.168.100.25",
      "IsAlarmed": false,
      "LastUpdate": "07/21/2020 17:34:26",
      "Model": "WS-C2960G-24TC-L",
      "Name": "sepio2960g",
      "NumberOfPorts": 24,
      "Status": "Normal",
      "SwitchID": "DC:7B:94:96:17:80_FOC1428V67S"
    }
  }
}
```

Human Readable Output

Switches

| SwitchID | Status | IsAlarmed |
| --- | --- | --- |
| DC:7B:94:96:17:80_FOC1428V67S | Normal | false |

sepio-query-switch-ports


Get Switch Ports

Base Command

sepio-query-switch-ports

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| switch_ip_address | Filter results based on switch IP Address. | Optional |
| switch_name | Filter results based on switch name. | Optional |
| port_id | Filter results based on port id. | Optional |
| port_name | Filter results based on port name. | Optional |
| link_partner_data_contains | Filter only switch ports that contain the specified address (partial or full, "contains"). | Optional |
| is_alarmed | Filter only switch ports that are alarmed. | Optional |
| limit | Maximum number of switch port entries to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Sepio.Port.SwitchID | string | Port Switch unique identifier. |
| Sepio.Port.SwitchIpAddress | string | IP Address of the switch. |
| Sepio.Port.SwitchName | string | Assigned name of the switch. |
| Sepio.Port.PortID | string | Port unique identifier inside the switch. |
| Sepio.Port.Name | string | Assigned name of the switch port. |
| Sepio.Port.LastUpdate | string | Last update time. |
| Sepio.Port.NumberOfMacAddresses | number | The number of MAC addresses detected on the switch port. |
| Sepio.Port.LinkPartners | string | List of the MAC addresses detected on the switch port (limited to a maximum of 10). |
| Sepio.Port.Status | string | Current status of the switch port. |
| Sepio.Port.IsAlarmed | boolean | True if the switch port is alarmed. |
| Sepio.Port.AlarmInfo | string | Details about the cause of the alarm (only if alarmed). |

Command Example

!sepio-query-switch-ports switch_name=sepio2960g switch_ip_address=192.168.100.25 port_id=Gi0/17 link_partner_data_contains=042AE2D31AC0,04D590D51701

Context Example

```json
{
  "Sepio": {
    "Port": {
      "AlarmInfo": "",
      "IsAlarmed": false,
      "LastUpdate": "2020-07-21T17:34:12.396607",
      "LinkPartners": [
        "0004F24ADCC5",
        "042AE2D31AC0",
        "04D590D51701"
      ],
      "Name": "HondaCB500X",
      "NumberOfMacAddresses": 4,
      "PortID": "Gi0/17",
      "Status": "connected",
      "SwitchID": "DC:7B:94:96:17:80_FOC1428V67S",
      "SwitchIpAddress": "192.168.100.25",
      "SwitchName": "sepio2960g"
    }
  }
}
```

Human Readable Output

Ports

| SwitchID | PortID | Status | IsAlarmed | AlarmInfo |
| --- | --- | --- | --- | --- |
| DC:7B:94:96:17:80_FOC1428V67S | Gi0/17 | connected | false | |
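Two details of the port output matter when it is consumed in a playbook: LinkPartners and the link_partner_data_contains filter use MACs as 12 uppercase hex digits with no separators, whereas other tools hand an analyst colon, hyphen or Cisco dotted notation; and the sample port reports NumberOfMacAddresses 4 while listing only 3 partners, so an address absent from LinkPartners is not proof it is absent from the port. The Python below is an added example, not integration code: it canonicalises MACs, splits the SwitchID (assumed to be chassis MAC and serial joined by "_", a shape the docs show but do not describe) and reviews a list of Sepio.Port records against a watchlist. The helper names, the Gi0/18 record, its AlarmInfo text and the watchlist are constructed for the example.

```python
import re

_SEPARATORS = re.compile(r"[:\-.]")
_MAC12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac):
    """Canonicalise a MAC to the 12-hex-digit, uppercase, separator-free form that
    Sepio.Port.LinkPartners uses and that link_partner_data_contains expects.
    Colon, hyphen and Cisco dotted notations are accepted; anything else is rejected."""
    compact = _SEPARATORS.sub("", mac.strip()).upper()
    if not _MAC12.match(compact):
        raise ValueError("not a MAC address: %r" % mac)
    return compact


def is_mac(value):
    """True when normalize_mac would accept the value."""
    try:
        normalize_mac(value)
        return True
    except ValueError:
        return False


def split_switch_id(switch_id):
    """Split a SwitchID such as 'DC:7B:94:96:17:80_FOC1428V67S' into (mac, serial).
    Assumption: the ID is the chassis MAC and the serial joined by '_'."""
    mac, _, serial = switch_id.partition("_")
    return normalize_mac(mac), serial


def review_ports(ports, watchlist):
    """Per-port findings: watchlist MACs seen among LinkPartners, alarmed ports with
    their AlarmInfo, and ports where NumberOfMacAddresses exceeds the partners listed
    (LinkPartners is capped, so a watchlist miss on such a port is not conclusive)."""
    wanted = {normalize_mac(m) for m in watchlist}
    report = []
    for port in ports:
        partners = [normalize_mac(m) for m in port.get("LinkPartners") or []]
        findings = []
        hits = sorted(wanted.intersection(partners))
        if hits:
            findings.append("watchlist:" + ",".join(hits))
        if port.get("IsAlarmed"):
            findings.append("alarmed:" + (port.get("AlarmInfo") or "no AlarmInfo"))
        total = port.get("NumberOfMacAddresses") or 0
        if total > len(partners):
            findings.append("partner_list_truncated:%d_of_%d" % (len(partners), total))
        report.append({"switch": port.get("SwitchName"), "port": port.get("PortID"), "findings": findings})
    return report


# Constructed sample: Gi0/17 mirrors the documented context example (4 MACs counted,
# 3 listed); Gi0/18 is an invented alarmed port with invented AlarmInfo text.
SAMPLE_PORTS = [
    {"SwitchID": "DC:7B:94:96:17:80_FOC1428V67S", "SwitchName": "sepio2960g",
     "SwitchIpAddress": "192.168.100.25", "PortID": "Gi0/17", "Name": "HondaCB500X",
     "Status": "connected", "IsAlarmed": False, "AlarmInfo": "", "NumberOfMacAddresses": 4,
     "LinkPartners": ["0004F24ADCC5", "042AE2D31AC0", "04D590D51701"]},
    {"SwitchID": "DC:7B:94:96:17:80_FOC1428V67S", "SwitchName": "sepio2960g",
     "SwitchIpAddress": "192.168.100.25", "PortID": "Gi0/18", "Name": "constructed-port",
     "Status": "connected", "IsAlarmed": True, "AlarmInfo": "constructed sample alarm text",
     "NumberOfMacAddresses": 1, "LinkPartners": ["0004F24ADCC5"]},
]
# Constructed watchlist in three notations, as an analyst might paste them from other tools.
WATCHLIST = ["04:d5:90:d5:17:01", "0004.f24a.dcc5", "AA-BB-CC-DD-EE-FF"]

if __name__ == "__main__":
    for row in review_ports(SAMPLE_PORTS, WATCHLIST):
        print(row)
```

normalize_mac is also the right thing to run over a value before passing it as link_partner_data_contains, since the filter is a plain substring match on Sepio's own representation.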

sepio-query-system-events


Get Events

Base Command

sepio-query-system-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_datetime | Filter results based on event timestamp. | Optional |
| end_datetime | Filter results based on event timestamp. | Optional |
| min_severity | Filter only events of the specified or higher severity (>=). | Optional |
| category | Filter results based on event category. | Optional |
| source | Filter results based on source entity of the event (partial or full, "contains"). | Optional |
| peripheral_type | Filter only events (in the case of Peripheral events) that match a certain peripheral type. Can contain multiple peripheral types separated by commas, e.g. '1,2,3,4', or a single type, e.g. '1'. | Optional |
| limit | Maximum number of event entries to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Sepio.Event.CreationDatetime | string | Timestamp of the event. |
| Sepio.Event.Severity | string | Severity level of the event. |
| Sepio.Event.Category | string | Category of the event. |
| Sepio.Event.Source | string | Source entity. |
| Sepio.Event.Description | string | Event Description. |
| Sepio.Event.PeripheralType | string | Type of peripheral device (in the case of Peripheral Security events). |
| Sepio.Event.Details | string | Additional details that contain a textual description of the event. |

Command Example

!sepio-query-system-events start_datetime=2020-07-16T16:50:00Z end_datetime=2020-07-21T11:02:00Z min_severity=Warning peripheral_type=1,2,3,4

Context Example

```json
{
  "Sepio": {
    "Event": [
      {
        "Category": "USB",
        "CreationDatetime": "2020-07-16T16:53:29.240559",
        "Description": "New USB peripheral detected",
        "Details": "[Agent] Vulnerable Device VID/PID are 046D/C534 (Logitech, Inc. Unifying Receiver 00)",
        "EventID": 1067,
        "PeripheralType": "1",
        "Severity": "Warning",
        "Source": "DESKTOP-ANTONY (192.168.10.107)"
      },
      {
        "Category": "USB",
        "CreationDatetime": "2020-07-16T16:53:29.240606",
        "Description": "New USB peripheral detected",
        "Details": "[Agent] Vulnerable Device VID/PID are 046D/C534 (Logitech, Inc. Unifying Receiver 01)",
        "EventID": 1068,
        "PeripheralType": "2",
        "Severity": "Warning",
        "Source": "DESKTOP-ANTONY (192.168.10.107)"
      }
    ]
  }
}
```

Human Readable Output

Events

| EventID | CreationDatetime | Category | Source | Description |
| --- | --- | --- | --- | --- |
| 1067 | 2020-07-16T16:53:29.240559 | USB | DESKTOP-ANTONY (192.168.10.107) | New USB peripheral detected |
| 1068 | 2020-07-16T16:53:29.240606 | USB | DESKTOP-ANTONY (192.168.10.107) | New USB peripheral detected |
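The system events above are also what the fetch-incidents parameters in the configuration section (fetch_time, min_severity, category, max_alerts) operate on. The following Python is an added example, not the integration's own fetch code, showing how those parameters combine over events of this shape: min_severity is an ordering (Warning < Error < Critical, matching the ">=" semantics documented for the command), category is a set filter, max_alerts caps a batch with the remainder left for the next run, and the last EventID seen is kept as a high-water mark so two events with the same timestamp are never fetched twice. The last_run layout, the mapping onto the XSOAR severity scale, the assumption that EventID grows with time (as it does in the sample), and the invented events 1066 and 1069 are this example's; events 1067 and 1068 mirror the context example.

```python
import json
from datetime import datetime, timedelta

# Ordering behind the min_severity parameter ("specified or higher severity").
SEVERITY_RANK = {"Warning": 1, "Error": 2, "Critical": 3}
# Mapping onto XSOAR's incident severity scale is this example's assumption.
XSOAR_SEVERITY = {"Warning": 2, "Error": 3, "Critical": 4}


def parse_timestamp(value):
    """Parse Sepio's 'YYYY-MM-DDThh:mm:ss.ffffff' strings. Fractional parts shorter than
    six digits (the docs show both '.75193' and '.751994') and a trailing 'Z' are
    tolerated; the value is treated as a naive timestamp."""
    value = value.rstrip("Z")
    if "." not in value:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")
    head, frac = value.split(".", 1)
    return datetime.strptime("%s.%s" % (head, frac[:6].ljust(6, "0")), "%Y-%m-%dT%H:%M:%S.%f")


def initial_last_run(fetch_time_days, now):
    """First-run state derived from the fetch_time parameter (days to look back)."""
    return {"last_fetch": (now - timedelta(days=fetch_time_days)).isoformat(), "last_event_id": 0}


def fetch_incidents(events, last_run, min_severity="Warning", categories=("USB", "Network"), max_alerts=50):
    """Convert a page of Sepio events into XSOAR incidents, honouring min_severity,
    category and max_alerts, and deduplicating by EventID (assumed to grow with time)."""
    min_rank = SEVERITY_RANK[min_severity]
    since = parse_timestamp(last_run["last_fetch"])
    last_id = last_run.get("last_event_id", 0)
    candidates = [
        ev for ev in events
        if SEVERITY_RANK.get(ev["Severity"], 0) >= min_rank
        and ev["Category"] in categories
        and ev["EventID"] > last_id
        and parse_timestamp(ev["CreationDatetime"]) >= since
    ]
    candidates.sort(key=lambda ev: (parse_timestamp(ev["CreationDatetime"]), ev["EventID"]))
    batch = candidates[:max_alerts]  # anything beyond max_alerts is picked up on the next run
    incidents = [{
        "name": "Sepio %s: %s (%s)" % (ev["Category"], ev["Description"], ev["Source"]),
        "occurred": ev["CreationDatetime"],
        "severity": XSOAR_SEVERITY[ev["Severity"]],
        "rawJSON": json.dumps(ev),
    } for ev in batch]
    if not batch:
        return incidents, dict(last_run)
    return incidents, {"last_fetch": batch[-1]["CreationDatetime"], "last_event_id": batch[-1]["EventID"]}


def event_ids(incidents):
    """EventIDs of a batch, read back from rawJSON (useful for audit and testing)."""
    return [json.loads(inc["rawJSON"])["EventID"] for inc in incidents]


# Constructed sample, deliberately out of order: 1067 and 1068 mirror the documented
# context example; 1066 (already fetched) and 1069 (a Network/Error event) are invented.
def _event(event_id, category, severity, ts, description, source, details=""):
    return {"EventID": event_id, "Category": category, "Severity": severity, "CreationDatetime": ts,
            "Description": description, "Source": source, "Details": details, "PeripheralType": "1"}


SAMPLE_EVENTS = [
    _event(1068, "USB", "Warning", "2020-07-16T16:53:29.240606", "New USB peripheral detected",
           "DESKTOP-ANTONY (192.168.10.107)",
           "[Agent] Vulnerable Device VID/PID are 046D/C534 (Logitech, Inc. Unifying Receiver 01)"),
    _event(1066, "USB", "Warning", "2020-07-16T16:40:00.000000", "constructed: earlier event",
           "DESKTOP-ANTONY (192.168.10.107)"),
    _event(1067, "USB", "Warning", "2020-07-16T16:53:29.240559", "New USB peripheral detected",
           "DESKTOP-ANTONY (192.168.10.107)",
           "[Agent] Vulnerable Device VID/PID are 046D/C534 (Logitech, Inc. Unifying Receiver 00)"),
    _event(1069, "Network", "Error", "2020-07-16T17:10:00.000000", "constructed: switch port event",
           "sepio2960g (192.168.100.25)"),
]

if __name__ == "__main__":
    # Drain the sample in batches of two, as successive fetch runs would.
    state = {"last_fetch": "2020-07-16T16:50:00Z", "last_event_id": 1066}
    while True:
        batch, state = fetch_incidents(SAMPLE_EVENTS, state, "Warning", ("USB", "Network"), max_alerts=2)
        if not batch:
            break
        print(event_ids(batch), state)
```

The comparison against last_fetch is inclusive and the EventID check is strict, which is what makes the two sample events that differ by only 47 microseconds safe: a run that is cut off by max_alerts after 1067 resumes at 1068 rather than re-fetching or skipping it.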

sepio-set-agent-mode


Set Agent Mode

Base Command

sepio-set-agent-mode

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | UUID of the Agent to set. | Optional |
| host_identifier | Host identifier of the Agent to set. | Optional |
| ip_address | IP Address of the Agent to set. | Optional |
| mode | New mode to apply: "Free" or "Armed". | Required |

Context Output

There is no context output for this command.

Command Example

!sepio-set-agent-mode mode=Free uuid=BFEBFBFF000806EAL1HF8C4003Z

Human Readable Output

Agent ['BFEBFBFF000806EAL1HF8C4003Z'] mode has been changed successfully to 'Free'

sepio-set-peripherals-mode


Set Agent Peripherals Mode

Base Command

sepio-set-peripherals-mode

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | UUID of the Agent to set. | Optional |
| host_identifier | Host identifier of the Agent to set. | Optional |
| ip_address | IP Address of the Agent to set. | Optional |
| vid | VendorID of the peripheral to set. | Required |
| pid | ProductID of the peripheral to set. | Required |
| mode | New mode to apply: "Approve" or "Disapprove". | Required |

Context Output

There is no context output for this command.

Command Example

!sepio-set-peripherals-mode mode=Approve uuid=BFEBFBFF000806EAL1HF8C4003Z vid=046D pid=C31C

Human Readable Output

Peripherals of ['BFEBFBFF000806EAL1HF8C4003Z'] with vid '046D' and pid 'C31C' mode changed successfully to 'Approve'