Skip to main content

Silverfort

This Integration is part of the Silverfort Pack.#

Silverfort protects organizations from data breaches by delivering strong authentication across entire corporate networks and cloud environments, without requiring any modifications to endpoints or servers. Using patent-pending technology, Silverfort's agentless approach enables multi-factor authentication and AI-driven adaptive authentication even for systems that don’t support it today, including proprietary systems, critical infrastructure, shared folders, IoT devices, and more.

Use Silverfort integration to get & update Silverfort risk severity.

This integration was integrated and tested with Silverfort version 5.2.

Silverfort Playbook#


  • Get risk information and block the user if the risk is 'high' or 'critical'
  • Update the Silverfort user risk level

Use Cases#


  • Consume Silverfort user and server risk levels
  • Enrich the Silverfort risk engine and trigger MFA on risky entities

Configure Silverfort in Cortex#

ParameterDescriptionRequired
Namea textual name for the integration instanceTrue
urlServer URLTrue
apikeyAPIKEYTrue
insecureTrust any certificate (not secure)False
  • To generate an API token for external access:
    1. On the Silverfort Admin Console, navigate to the **SETTINGS** page, and then select **Silverfort API**.
    2. Enable the **Allow 3rd party risk updates** switch.
    3. Copy the **Risk API Key (External Access)** value - this will be your API key.
    4. For the URL, use one of the following based on your Silverfort region:
    - Global region: https://raven.silverfort.io
    - EU region: https://eu.raven.silverfort.io
    - Singapore region: https://sg.raven.silverfort.io
    // End of Selection

For more information, see the Silverfort documentation.

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. DBot messages provide a structured summary of the command execution, including the inputs, outputs, and any relevant indicators of compromise (IOCs) or risk levels.

silverfort-get-user-risk#


User risk commands - get the user entity risk.

Base Command#

silverfort-get-user-risk

Input#

Argument NameDescriptionRequired
upnThe user principal name.Optional
emailThe email address.Optional
sam_accountThe sam account.Optional
domainThe domain.Optional

Specify one of the following:

  • upn
  • email address and domain
  • sam account and domain

Context Output#

PathTypeDescription
Silverfort.UserRisk.RiskStringThe risk level.
Silverfort.UserRisk.ReasonsUnknownThe reasons for the risk.
Silverfort.UserRisk.UPNStringThe user principal name.

Command Example#

!silverfort-get-user-risk upn="sfuser@silverfort.io"

Human Readable Output#

Silverfort User Risk#

UPNRiskReasons
sfuser@silverfort.ioMediumSuspicious activity, Password never expires

silverfort-get-resource-risk#


Gets the resource entity risk information.

Base Command#

silverfort-get-resource-risk

Input#

Argument NameDescriptionRequired
resource_nameThe hostname.Required
domain_nameThe domain.Required

Command Example#

!silverfort-get-resource-risk resource_name="SF-DC-1" domain_name="silverfort.io"

Human Readable Output#

Silverfort Resource Risk#

ResourceNameRiskReasons
SF-DC-1LowUnconstrained Delegation

silverfort-update-user-risk#


Updates the user entity risk.

Base Command#

silverfort-update-user-risk

Input#

Argument NameDescriptionRequired
upnThe user principal name.Optional
risk_nameThe risk name.Required
severityThe severity.Required
valid_forThe number of hours that the risk will be valid for.Required
descriptionThe risk description.Required

Command Example#

!silverfort-update-user-risk upn="sfuser@silverfort.io" risk_name="activity_risk" severity=medium valid_for=1 description="Suspicious activity"

Human Readable Output#

ok

silverfort-update-resource-risk#


Update the resource entity risk.

Base Command#

silverfort-update-resource-risk

Input#

Argument NameDescriptionRequired
resource_nameThe hostname.Required
domain_nameThe domain name.Required
risk_nameThe risk name.Required
severityThe severity.Required
valid_forThe number of hours the severity will be relevant for.Required
descriptionA short description about the risk.Required

Command Example#

!silverfort-update-resource-risk resource_name="SF-DC-1" domain_name="silverfort.io" risk_name="malware_risk" severity="high" valid_for=1 description="Malware detected"

Human Readable Output#

ok