
Stellar Cyber

This Integration is part of the Stellar Cyber Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Fetches and mirrors in Cases from Stellar Cyber to XSOAR. In addition, provides a command to update Case severity/status/assignee/tags, and a command to query an Alert. This integration was integrated and tested with version >= 4.3.7/5.0.4 of StellarCyber.

Configure Stellar Cyber in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Fetch incidents | | |
| Incident type | | |
| Mirroring Direction | If set to Incoming, will mirror Cases from Stellar Cyber to XSOAR. If set to None, will not mirror Cases from Stellar Cyber to XSOAR. Default is None. | False |
| Stellar Cyber Host (e.g. example.stellarcyber.cloud) | Your Stellar Cyber Host FQDN. | True |
| API User (Email Address) | | True |
| API Key | | True |
| First fetch time | The period of time to look back for the initial pull of cases (`<number> <time unit>`, e.g. 1 day, 5 hours, 30 minutes). | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | If set to true, will use the system proxy settings. | False |
| Incidents Fetch Interval | The interval in minutes for fetching incidents from Stellar Cyber. | False |
| Optional - Tenant ID | Supply a Tenant ID to restrict Fetch and Mirror operations to a specific Tenant. If not supplied, all Tenants will be included. | False |
| Maximum number of incidents per fetch | The maximum number of incidents to fetch per fetch. | False |

Incident Mirroring

You can enable incident mirroring between Cortex XSOAR incidents and Stellar Cyber corresponding events (available from Cortex XSOAR version 6.0.0). To set up the mirroring:

  1. Enable Fetching incidents in your instance configuration.

  2. In the Mirroring Direction integration parameter, select in which direction the incidents should be mirrored:

    | Option | Description |
    | --- | --- |
    | None | Turns off incident mirroring. |
    | Incoming | Any changes in Stellar Cyber events (mirroring incoming fields) will be reflected in Cortex XSOAR incidents. |

Newly fetched incidents will be mirrored in the chosen direction. However, this selection does not affect existing incidents.

Important Note: To ensure the mirroring works as expected, mappers are required, both for incoming and outgoing, to map the expected fields in Cortex XSOAR and Stellar Cyber.

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

stellar-get-alert

Retrieve an alert from Stellar Cyber.

Base Command

stellar-get-alert

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of the alert to retrieve. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| StellarCyber.Alert.alert_id | String | ID of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_index | String | Index of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.description | String | Description of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.display_name | String | Display Name of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.framework_version | String | Framework Version of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.name | String | Name of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.scope | String | Scope of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.tactic.id | String | Tactic ID of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.tactic.name | String | Tactic Name of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.tags | String | Tags of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.technique.id | String | Technique ID of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.technique.name | String | Technique Name of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.ttps.tactic.id | String | Tactic ID of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.ttps.tactic.name | String | Tactic Name of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.ttps.technique.id | String | Technique ID of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.ttps.technique.name | String | Technique Name of the Stellar Cyber Alert. |
| StellarCyber.Alert.alert_metadata.xdr_killchain_stage | String | XDR Killchain Stage. |
| StellarCyber.Alert.alert_metadata.xdr_killchain_version | String | XDR Killchain Version. |
| StellarCyber.Alert.alert_url | String | URL to the Stellar Cyber Alert. |
| StellarCyber.Alert.description | String | Description of the Stellar Cyber Alert. |
| StellarCyber.Alert.detected_field | String | Detected Field(s) of the Stellar Cyber Alert. |
| StellarCyber.Alert.detected_value | String | Detected Value(s) of the Stellar Cyber Alert. |
| StellarCyber.Alert.display_name | String | Display Name of the Stellar Cyber Alert. |
| StellarCyber.Alert.tenant_id | String | Tenant ID of the Stellar Cyber Alert. |
| StellarCyber.Alert.tenant_name | String | Tenant Name of the Stellar Cyber Alert. |
| StellarCyber.Alert.xdr_tactic_id | String | XDR Tactic ID of the Stellar Cyber Alert. |
| StellarCyber.Alert.xdr_tactic_name | String | XDR Tactic Name of the Stellar Cyber Alert. |
| StellarCyber.Alert.xdr_technique_id | String | XDR Technique ID of the Stellar Cyber Alert. |
| StellarCyber.Alert.xdr_technique_name | String | XDR Technique Name of the Stellar Cyber Alert. |

stellar-update-case

Update the severity, status, assignee, or tags of a Case in Stellar Cyber.

Base Command

stellar-update-case

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| stellar_case_id | The ID of the Case to update. | Required |
| stellar_case_severity | The severity to set the Case to in Stellar Cyber. Possible values are: Low, Medium, High, Critical. | Optional |
| stellar_case_status | The status to set the Case to. Possible values are: New, In Progress, Resolved, Cancelled. | Optional |
| stellar_case_assignee | The email or username to assign to the Case in Stellar Cyber. | Optional |
| stellar_case_tags_add | List of tags to add to the Case in Stellar Cyber. | Optional |
| stellar_case_tags_remove | List of tags to remove from the Case in Stellar Cyber. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| StellarCyber.Case.Update._id | String | Case ID. |
| StellarCyber.Case.Update.assignee | String | Case Assignee. |
| StellarCyber.Case.Update.created_at | Date | Case Created Timestamp. |
| StellarCyber.Case.Update.created_by | String | Case Created By. |
| StellarCyber.Case.Update.cust_id | String | Case Tenant ID. |
| StellarCyber.Case.Update.modified_at | Date | Case Modified Timestamp. |
| StellarCyber.Case.Update.modified_by | String | Case Modified By. |
| StellarCyber.Case.Update.name | String | Case Name. |
| StellarCyber.Case.Update.size | Number | Case Size (Number of Alerts). |
| StellarCyber.Case.Update.status | String | Case Status. |
| StellarCyber.Case.Update.tags | Unknown | Case Tags. |
| StellarCyber.Case.Update.ticket_id | Number | Case Ticket ID. |
| StellarCyber.Case.Update.version | Number | Case Version. |
| StellarCyber.Case.Update.priority | String | Case Priority. |
| StellarCyber.Case.Update.incident_score | Number | Case Score. |
| StellarCyber.Case.Update.assignee_name | String | Case Assignee Name. |
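The argument table above lists fixed value sets for severity and status and two list arguments for tags. The following is an added example, not the integration's own code, that models the client-side handling an automation around stellar-update-case would want: it validates the arguments against the documented values, parses tag lists as XSOAR passes them (a list or a comma-separated string), rejects a tag that is both added and removed in the same call (an ambiguous request; this check is the example's own), and computes the case as the documented context output would report it afterwards. The mapping of the severity argument onto the `priority` context field, the version bump and the sample case are assumptions of this example.

```python
"""Hypothetical argument handling for stellar-update-case (added example)."""
from __future__ import annotations

from typing import Any

# Allowed values exactly as the command's argument table documents them.
SEVERITIES = ("Low", "Medium", "High", "Critical")
STATUSES = ("New", "In Progress", "Resolved", "Cancelled")


def parse_tag_list(value: Any) -> list[str]:
    """Accept a list or a comma-separated string (how XSOAR hands over list
    arguments) and return the non-empty tags, de-duplicated, order preserved."""
    if value is None:
        return []
    items = value if isinstance(value, list) else str(value).split(",")
    tags: list[str] = []
    for item in items:
        tag = str(item).strip()
        if tag and tag not in tags:
            tags.append(tag)
    return tags


def build_case_update(args: dict[str, Any]) -> dict[str, Any]:
    """Validate the command arguments and return only the fields that change.

    Raises ValueError on a missing case ID, a severity or status outside the
    documented values, or a tag listed in both the add and the remove list.
    """
    case_id = args.get("stellar_case_id")
    if not case_id:
        raise ValueError("stellar_case_id is required")
    update: dict[str, Any] = {"_id": str(case_id)}

    severity = args.get("stellar_case_severity")
    if severity is not None:
        if severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {SEVERITIES}, got {severity!r}")
        update["priority"] = severity  # assumption: severity surfaces as 'priority'

    status = args.get("stellar_case_status")
    if status is not None:
        if status not in STATUSES:
            raise ValueError(f"status must be one of {STATUSES}, got {status!r}")
        update["status"] = status

    assignee = args.get("stellar_case_assignee")
    if assignee:
        update["assignee"] = str(assignee).strip()

    add = parse_tag_list(args.get("stellar_case_tags_add"))
    remove = parse_tag_list(args.get("stellar_case_tags_remove"))
    clash = sorted(set(add) & set(remove))
    if clash:
        raise ValueError(f"tags listed in both add and remove: {clash}")
    if add:
        update["tags_add"] = add
    if remove:
        update["tags_remove"] = remove
    return update


def apply_case_update(case: dict[str, Any], update: dict[str, Any],
                      modified_by: str, now: int) -> dict[str, Any]:
    """Return a copy of `case` with the update applied, in the shape of the
    documented context output (version bumped, modified_at/modified_by set)."""
    result = dict(case)
    for field in ("priority", "status", "assignee"):
        if field in update:
            result[field] = update[field]
    removed = set(update.get("tags_remove", []))
    tags = [t for t in case.get("tags", []) if t not in removed]
    for tag in update.get("tags_add", []):
        if tag not in tags:
            tags.append(tag)
    result["tags"] = tags
    result["version"] = int(case.get("version", 0)) + 1  # assumed bump per update
    result["modified_at"] = now
    result["modified_by"] = modified_by
    return result


# Constructed sample case in the shape of the documented context output.
SAMPLE_CASE = {
    "_id": "case-0001", "name": "Suspicious login burst", "status": "New",
    "priority": "Medium", "assignee": "", "tags": ["brute-force"],
    "version": 3, "cust_id": "tenant-a",
}

if __name__ == "__main__":
    update = build_case_update({
        "stellar_case_id": "case-0001",
        "stellar_case_status": "In Progress",
        "stellar_case_assignee": "analyst@example.com",
        "stellar_case_tags_add": "xsoar, triaged",
        "stellar_case_tags_remove": ["brute-force"],
    })
    print(apply_case_update(SAMPLE_CASE, update, "analyst@example.com", 1700000000))
```

Validating before calling the command keeps a playbook from sending a value the integration documents as unsupported, and the add/remove clash check turns a silently inconsistent request into an explicit error.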

get-remote-data

Gets remote data from a remote incident. This method is only used for debugging purposes and will not update the current incident.

Base Command

get-remote-data

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The remote incident ID. | Required |
| lastUpdate | UTC timestamp in seconds. The incident is only updated if it was modified after the last update time. Default is 0. | Optional |

Context Output

There is no context output for this command.

get-modified-remote-data

Available from Cortex XSOAR version 6.1.0. This command queries for incidents that were modified since the last update. This method is only used for debugging purposes.

Base Command

get-modified-remote-data

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| lastUpdate | UTC timestamp in seconds. The incident is only updated if it was modified after the last update time. | Required |

Context Output

There is no context output for this command.
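The configuration parameters earlier on this page (First fetch time, Optional - Tenant ID, Maximum number of incidents per fetch) and the lastUpdate rule of get-remote-data and get-modified-remote-data describe one bookkeeping loop: look back a configured period on the first fetch, then on each cycle pick up only cases modified after the last update time, restricted to a tenant and capped per fetch. The following is an added example, not the integration's own code, that models that loop over constructed case records. It assumes `modified_at` is stored in UTC seconds like `lastUpdate`, matches the tenant on the `cust_id` field the context output documents, and adds one caveat a practitioner wants: when the cap falls inside a group of cases sharing the same modification second, the whole group is kept, because a strict "modified after" filter would otherwise never return the rest of it.

```python
"""Hypothetical model of the fetch/mirror bookkeeping this page describes
(added example, not the integration's own code)."""
from __future__ import annotations

import re
from typing import Any

# "<number> <time unit>" as the First fetch time parameter documents it.
_UNIT_SECONDS = {
    "minute": 60, "minutes": 60,
    "hour": 3600, "hours": 3600,
    "day": 86400, "days": 86400,
}
_LOOKBACK_RE = re.compile(r"^\s*(\d+)\s+([A-Za-z]+)\s*$")


def parse_lookback_seconds(text: str) -> int:
    """Turn '30 minutes', '5 hours' or '1 day' into seconds; reject anything else."""
    match = _LOOKBACK_RE.match(text)
    if not match:
        raise ValueError(f"expected '<number> <time unit>', got {text!r}")
    amount, unit = int(match.group(1)), match.group(2).lower()
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unsupported time unit {unit!r}")
    return amount * _UNIT_SECONDS[unit]


def initial_last_update(now: int, first_fetch: str) -> int:
    """lastUpdate for the very first fetch: now minus the configured lookback."""
    return now - parse_lookback_seconds(first_fetch)


def modified_cases(
    cases: list[dict[str, Any]],
    last_update: int,
    tenant_id: str | None = None,
    max_fetch: int | None = None,
) -> tuple[list[dict[str, Any]], int]:
    """Select cases modified strictly after last_update, oldest first.

    tenant_id restricts the batch to one tenant (matched on cust_id, the tenant
    field of the documented context output); max_fetch caps the batch size.
    Returns (batch, new_last_update): the newest modified_at in the batch, or
    last_update unchanged when nothing matched. modified_at is assumed to be
    in UTC seconds, the same unit as lastUpdate.
    """
    selected = [
        c for c in cases
        if int(c["modified_at"]) > last_update
        and (tenant_id is None or c.get("cust_id") == tenant_id)
    ]
    selected.sort(key=lambda c: (int(c["modified_at"]), c["_id"]))
    if max_fetch is not None and 0 < max_fetch < len(selected):
        # Never split cases sharing the boundary timestamp across two batches:
        # with a strict '>' filter the rest of that second would be skipped.
        cut_ts = int(selected[max_fetch - 1]["modified_at"])
        end = max_fetch
        while end < len(selected) and int(selected[end]["modified_at"]) == cut_ts:
            end += 1
        selected = selected[:end]
    new_last_update = max((int(c["modified_at"]) for c in selected), default=last_update)
    return selected, new_last_update


# Constructed sample records in the shape of the documented Case context output.
SAMPLE_CASES = [
    {"_id": "c1", "cust_id": "tenant-a", "modified_at": 1000, "status": "New"},
    {"_id": "c2", "cust_id": "tenant-b", "modified_at": 1500, "status": "New"},
    {"_id": "c3", "cust_id": "tenant-a", "modified_at": 2000, "status": "In Progress"},
    {"_id": "c4", "cust_id": "tenant-a", "modified_at": 2000, "status": "Resolved"},
    {"_id": "c5", "cust_id": "tenant-a", "modified_at": 2500, "status": "New"},
]

if __name__ == "__main__":
    last = initial_last_update(now=2400, first_fetch="30 minutes")  # 600
    # Two mirror cycles restricted to tenant-a with at most two cases per fetch.
    for cycle in (1, 2):
        batch, last = modified_cases(SAMPLE_CASES, last, tenant_id="tenant-a", max_fetch=2)
        print(cycle, [c["_id"] for c in batch], "next lastUpdate:", last)
```

Carrying the newest returned `modified_at` forward as the next lastUpdate is what keeps a capped batch from re-fetching or skipping cases; the tenant filter is applied before the cap so that a busy tenant cannot crowd out the one the instance is configured for.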