# Tripwire
This integration is part of the Tripwire Pack. Tripwire is a file integrity management (FIM) tool; FIM monitors files and folders on systems and is triggered when they have changed. This integration was integrated and tested with v1 of Tripwire.
## Configure Tripwire on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Tripwire.
3. Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
url | Server URL (e.g. https://tripwire.com) | True |
credentials | Username | True |
isFetch | Fetch incidents | False |
incidentType | Incident type | False |
max_fetch | Maximum number of incidents per fetch | False |
first_fetch | First fetch time | False |
rule_oids | Rule ids | False |
node_oids | Node ids | False |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |

4. Click Test to validate the URLs, token, and connection.
## Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### tripwire-versions-list
Returns all Element Versions that meet the search criteria.
#### Base Command
`tripwire-versions-list`
#### Input
Argument Name | Description | Required |
---|---|---|
version_oids | Version IDs, comma separated. | Optional |
element_oids | Element IDs of the element versions to fetch, comma separated. | Optional |
element_names | Element names of the element versions to fetch (case insensitive), comma separated. | Optional |
node_oids | Node IDs of the element versions to fetch, comma separated. | Optional |
node_names | Node names of the element versions to fetch, comma separated. | Optional |
rule_oids | Rule IDs of the element versions to fetch, comma separated. | Optional |
rule_names | Rule names of the element versions to fetch, comma separated. | Optional |
version_hashes | Hash values (md5, sha1, sha256, sha512) of the element versions to fetch, comma separated. | Optional |
baseline_version_ids | Last baseline versions of the element versions to fetch, comma separated. | Optional |
start_detected_time | Start detected time of the element versions to fetch. The format can be either relative, e.g. "2 days", or a date time, e.g. "2020-11-24T17:07:27Z". When using a start time, make sure to use an end time too; otherwise the end time defaults to the current time. | Optional |
start_received_time | Start received time of the element versions to fetch. The format can be either relative, e.g. "2 days", or a date time, e.g. "2020-11-24T17:07:27Z". When using a start time, make sure to use an end time too; otherwise the end time defaults to the current time. | Optional |
limit | Limit for the number of returned results. Default is 50. | Optional |
start | Start index from which the results are returned. | Optional |
end_detected_time | End detected time of the element versions to fetch. The format can be either relative, e.g. "2 days", or a date time, e.g. "2020-11-24T17:07:27Z". | Optional |
end_received_time | End received time of the element versions to fetch. The format can be either relative, e.g. "2 days", or a date time, e.g. "2020-11-24T17:07:27Z". | Optional |
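The start/end time arguments above accept two forms, and a start time without an end time is silently paired with "now". The following helper, added here as an example and not part of the Tripwire integration's own code, normalizes both forms to the absolute timestamp form shown on this page and applies that default explicitly, so the window a playbook actually queried is recorded. The `now` parameter and `SAMPLE_NOW` constant exist only to make results reproducible; the set of accepted relative units is an assumption.

```python
"""Normalize the time-window arguments of tripwire-versions-list (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Relative spans such as "2 days"; the list of accepted units is an assumption.
_UNITS = {"minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}
_RELATIVE = re.compile(r"^\s*(\d+)\s+(minute|hour|day|week)s?\s*$", re.IGNORECASE)

# Constructed reference point so the demo and tests do not depend on the real clock.
SAMPLE_NOW = datetime(2020, 12, 1, 12, 0, 0, tzinfo=timezone.utc)


def _fmt(point: datetime) -> str:
    """Render a datetime in the page's timestamp form, e.g. 2020-11-24T17:07:27Z."""
    return point.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def to_iso(value: str, now: datetime) -> str:
    """Convert a relative span (counted back from `now`) or an absolute timestamp to ISO UTC."""
    m = _RELATIVE.match(value)
    if m:
        amount, unit = int(m.group(1)), m.group(2).lower()
        return _fmt(now - timedelta(**{_UNITS[unit]: amount}))
    # Absolute form: datetime.fromisoformat rejects a trailing "Z" before Python 3.11.
    point = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if point.tzinfo is None:
        point = point.replace(tzinfo=timezone.utc)  # naive inputs are assumed to be UTC
    return _fmt(point)


def detected_window(start=None, end=None, now=None) -> dict:
    """Build the start_detected_time / end_detected_time arguments for the command.

    Per the argument descriptions: an end time on its own is passed through, and a
    start time without an end time gets `now` as its end.
    """
    now = now or datetime.now(timezone.utc)
    args = {}
    if start is not None:
        args["start_detected_time"] = to_iso(start, now)
        args["end_detected_time"] = to_iso(end, now) if end is not None else _fmt(now)
    elif end is not None:
        args["end_detected_time"] = to_iso(end, now)
    return args


if __name__ == "__main__":
    # The same window as the page's command example, made explicit.
    print(detected_window("30 days", "1 day", SAMPLE_NOW))
    print(detected_window("2020-11-24T17:07:27Z", None, SAMPLE_NOW))
```

Passing the resolved dictionary to the command (rather than the raw relative strings) keeps the queried window identical when the playbook is re-run or audited later.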
#### Context Output
Path | Type | Description |
---|---|---|
Tripwire.Versions.approvalId | String | Approval IDs of elements versions. |
Tripwire.Versions.baselineVersion | String | Last baseline versions of elements versions. |
Tripwire.Versions.changeType | String | Change types of elements versions. |
Tripwire.Versions.elementId | String | Elements IDs of elements versions. |
Tripwire.Versions.elementName | String | Element names of elements versions. |
Tripwire.Versions.exists | Boolean | Exists condition of elements versions. |
Tripwire.Versions.id | String | ID of element versions. |
Tripwire.Versions.isPromoted | Boolean | True if the element version has been promoted. |
Tripwire.Versions.md5 | String | MD5 hashes of elements versions. |
Tripwire.Versions.nodeId | String | Nodes IDs of elements versions. |
Tripwire.Versions.nodeName | String | Nodes names of elements versions. |
Tripwire.Versions.outsideMaintenanceWindow | Boolean | Outside maintenance window condition of elements versions. |
Tripwire.Versions.promotionComment | String | Promotion comments of elements versions. |
Tripwire.Versions.ruleId | String | Rules IDs of elements versions. |
Tripwire.Versions.ruleName | String | Rules names of elements versions. |
Tripwire.Versions.scanId | String | Scan IDs of elements versions. |
Tripwire.Versions.severity | Number | Severities of elements versions. |
Tripwire.Versions.sha1 | String | SHA1 hashes of elements versions. |
Tripwire.Versions.sha256 | String | SHA256 hashes of elements versions. |
Tripwire.Versions.sha512 | String | SHA512 hashes of elements versions. |
Tripwire.Versions.timeDetected | Date | Times detected of elements versions. |
Tripwire.Versions.timeReceived | Date | Times received of elements versions. |
#### Command Example
```!tripwire-versions-list limit=5 start_detected_time="30 days" end_detected_time="1 day" node_names="ip-10-128-0-12.eu-west-1.compute.internal" rule_ids="-1y2p0ij32e8ch:-1y2p0ij3233dx"```
#### Context Example

#### Human Readable Output
##### Tripwire Versions list results
The number of returned results is: 5

|id|timeDetected|elementName|changeType|nodeName|ruleName|
|---|---|---|---|---|---|
| -1y2p0ij32e8ch:-1y2p0ij3233dx | 2020-11-10T06:39:01.000Z | /etc/gshadow | MODIFIED | ip-10-128-0-12.eu-west-1.compute.internal | Critical Configuration Files |
| -1y2p0ij32e8ch:-1y2p0ij3233dw | 2020-11-10T06:39:01.000Z | /etc/passwd | MODIFIED | ip-10-128-0-12.eu-west-1.compute.internal | Critical Configuration Files |
| -1y2p0ij32e8ch:-1y2p0ij3233dv | 2020-11-10T06:39:01.000Z | /etc/group | MODIFIED | ip-10-128-0-12.eu-west-1.compute.internal | Critical Configuration Files |
| -1y2p0ij32e8ch:-1y2p0ij3233du | 2020-11-10T06:39:01.000Z | /etc/shadow | MODIFIED | ip-10-128-0-12.eu-west-1.compute.internal | Critical Configuration Files |
| -1y2p0ij32e8ch:-1y2p0ij322lmh | 2020-11-23T05:39:46.000Z | /home/test/monitored-folder/yana.txt | BASELINE | ip-10-128-0-12.eu-west-1.compute.internal | yanas rule |
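A versions listing like the one above is only useful once an analyst knows which rows need attention: a BASELINE entry is expected, a version already promoted in Tripwire has been accepted, and a modification of an account database outside the maintenance window is the one to look at first. The script below, added here as an example and not code from the Tripwire integration, ranks records shaped like the Tripwire.Versions context output and collects their hashes for enrichment. The ids, element names, times, change types and rule names are taken from the page's table; the isPromoted, outsideMaintenanceWindow and sha256 values, the extra test.txt record, and the list of sensitive paths are assumptions made for the example.

```python
"""Triage records shaped like the Tripwire.Versions context output (added example)."""
from collections import defaultdict

NODE = "ip-10-128-0-12.eu-west-1.compute.internal"
RULE = "Critical Configuration Files"

# Paths whose modification should be looked at first (assumed list).
SENSITIVE_PATHS = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow", "/etc/sudoers"}


def _version(vid, name, change, *, promoted=False, outside_window=False, sha256="",
             rule=RULE, detected="2020-11-10T06:39:01.000Z", node=NODE):
    """Build one record with the field names of the Tripwire.Versions context output."""
    return {"id": vid, "timeDetected": detected, "elementName": name, "changeType": change,
            "nodeName": node, "ruleName": rule, "isPromoted": promoted,
            "outsideMaintenanceWindow": outside_window, "sha256": sha256}


# Constructed sample: rows from the page's table plus one made-up non-sensitive change.
SAMPLE_VERSIONS = [
    _version("-1y2p0ij32e8ch:-1y2p0ij3233dx", "/etc/gshadow", "MODIFIED", sha256="constructed-sha256-a"),
    _version("-1y2p0ij32e8ch:-1y2p0ij3233dw", "/etc/passwd", "MODIFIED", outside_window=True,
             sha256="constructed-sha256-b"),
    _version("-1y2p0ij32e8ch:-1y2p0ij3233dv", "/etc/group", "MODIFIED", promoted=True,
             sha256="constructed-sha256-c"),
    _version("-1y2p0ij32e8ch:-1y2p0ij3233du", "/etc/shadow", "MODIFIED", outside_window=True,
             sha256="constructed-sha256-d"),
    _version("-1y2p0ij32e8ch:-1y2p0ij322lmh", "/home/test/monitored-folder/yana.txt", "BASELINE",
             rule="yanas rule", detected="2020-11-23T05:39:46.000Z", sha256="constructed-sha256-e"),
    _version("constructed-id-1", "/home/test/monitored-folder/test.txt", "MODIFIED",
             rule="yanas rule", detected="2020-11-23T06:00:00.000Z"),  # hash missing on purpose
]


def priority(v, sensitive=SENSITIVE_PATHS):
    """0 = nothing to do; 1 = ordinary change; 2 = sensitive path; 3 = sensitive path outside the maintenance window."""
    if v["changeType"] == "BASELINE" or v.get("isPromoted"):
        return 0  # baselines are expected; promoted versions were already accepted
    if v["elementName"] in sensitive:
        return 3 if v.get("outsideMaintenanceWindow") else 2
    return 1


def triage(versions, sensitive=SENSITIVE_PATHS):
    """Group actionable versions by node, highest priority first; quiet nodes are omitted."""
    by_node = defaultdict(list)
    for v in versions:
        p = priority(v, sensitive)
        if p:
            by_node[v["nodeName"]].append({**v, "priority": p})
    for items in by_node.values():
        items.sort(key=lambda x: (-x["priority"], x["timeDetected"], x["elementName"]))
    return dict(by_node)


def hashes_for_lookup(versions, sensitive=SENSITIVE_PATHS):
    """Distinct non-empty SHA-256 values of actionable versions, ready for reputation enrichment."""
    return sorted({v["sha256"] for v in versions if v.get("sha256") and priority(v, sensitive)})


if __name__ == "__main__":
    for node, items in triage(SAMPLE_VERSIONS).items():
        print(node)
        for item in items:
            print(f"  [{item['priority']}] {item['changeType']:9} {item['elementName']} ({item['id']})")
    print("hashes to look up:", hashes_for_lookup(SAMPLE_VERSIONS))
```

In a playbook the same logic can run over the real context after `!tripwire-versions-list`, and the hash list feeds whatever file-reputation integration is available; the promoted-version check is what keeps already-reviewed changes from being raised twice.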
### tripwire-rules-list
Returns a list of all rules or those that match the provided filter criteria.
#### Base Command
`tripwire-rules-list`
#### Input
Argument Name | Description | Required |
---|---|---|
rule_oids | IDs of rules to fetch, comma separated. | Optional |
rule_names | Names of rules to fetch, comma separated. | Optional |
rule_types | Types of rules to fetch, comma separated. | Optional |
limit | Page limit for paging support. Default is 50. | Optional |
start | Start index from which the results are returned. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
Tripwire.Rules.command | String | Content of the rule. |
Tripwire.Rules.elementName | String | Include Command Output Capture Rules with matching element name. |
Tripwire.Rules.id | String | IDs of rules. |
Tripwire.Rules.importedTime | Date | Imported times of rules. |
Tripwire.Rules.modifiedTime | Date | Modified times of rules. |
Tripwire.Rules.name | String | Names of rules. |
Tripwire.Rules.severity | Number | Severities of rules. |
Tripwire.Rules.timeoutMillis | Number | Include Command Output Capture Rules with matching timeout in milliseconds. |
Tripwire.Rules.trackingId | String | Tracking ids of rules. |
Tripwire.Rules.type | String | Types of rules. |
#### Command Example
```!tripwire-rules-list limit=5```
#### Context Example

#### Human Readable Output
##### Tripwire Rules list results
The number of returned results is: 5

|name|id|severity|elementName|type|command|importedTime|modifiedTime|
|---|---|---|---|---|---|---|---|
| Fax Service Permissions | -1y2p0ij32e7pw:-1y2p0ij32c200 | 0 | sc sdshow Fax | Command Output Capture Rule | %Windir%/system32/sc.exe sdshow Fax | 2020-09-30T17:33:23.330Z | 2020-09-30T17:33:23.330Z |
| EMET Version | -1y2p0ij32e7pw:-1y2p0ij32c1zz | 0 | EMET Version | Command Output Capture Rule | (echo Set oFSO = CreateObject("Scripting.FileSystemObject"^) & echo EMET_Dll = "%SystemRooT%\AppPatch\emet.dll" & echo If oFSO.FileExists(EMET_Dll^) then & echo WScript.Echo oFSO.GetFileVersion(EMET_Dll^) & echo Else & echo WScript.Echo "EMET Is Not Installed" & echo End If) > "$(TEMP_DIR)"\EMET_Version.vbs & %SystemRoot%\system32\cscript /nologo "$(TEMP_DIR)"\EMET_Version.vbs & del "$(TEMP_DIR)"\EMET_Version.vbs | 2020-09-30T17:33:23.344Z | 2020-09-30T17:33:23.344Z |
| RasAuto Service Permissions | -1y2p0ij32e7pw:-1y2p0ij32c1zy | 0 | sc sdshow RasAuto | Command Output Capture Rule | %Windir%/system32/sc.exe sdshow RasAuto | 2020-09-30T17:33:23.350Z | 2020-09-30T17:33:23.350Z |
| Get the List of App Packages | -1y2p0ij32e7pw:-1y2p0ij32c1zv | 0 | List of App Packages | Command Output Capture Rule | %systemRoot%\system32\dism.exe /online /Get-ProvisionedAppxPackages /ScratchDir:"$(TEMP_DIR)" | 2020-09-30T17:33:23.360Z | 2020-09-30T17:33:23.360Z |
| EMET Default Protections for Popular Software | -1y2p0ij32e7pw:-1y2p0ij32c1zu | 0 | EMET Default Protections for Popular Software | Command Output Capture Rule | (echo Const HKEY_LOCAL_MACHINE = ^&H80000002 & echo strComputer = "." & echo vers = "" & echo Set oFSO = CreateObject("Scripting.FileSystemObject"^) & echo EMET_Dll = "C:\Windows\AppPatch\emet.dll" & echo If oFSO.FileExists(EMET_Dll^) then & echo vers = Mid(oFSO.GetFileVersion(EMET_Dll^),1,1^) & echo Else & echo WScript.Echo "EMET is not installed." & echo Wscript.Quit & echo End If & echo Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\" ^& strComputer ^& "\root\default:StdRegProv"^) & echo strKeyPath = "Software\Policies\Microsoft\EMET\Defaults" & echo strRegKeyPath = "SOFTWARE\Microsoft\EMET" & echo oReg.EnumValues HKEY_LOCAL_MACHINE,strKeyPath,arrValueNames,arrValueTypes & echo oReg.EnumKey HKEY_LOCAL_MACHINE, strRegKeyPath, arrRegistryValueNames & echo If (vers = "3"^) Then & echo ValueNames=Array("7z","7zFM","7zGUI","Chrome","Firefox","FirefoxPluginContainer","GoogleTalk","iTunes","Java","Javaw","Javaws","LiveMessenger","LiveSync","LiveWriter","Lync","mIRC","MOE","Opera","PhotoshopCS2","PhotoshopCS264","PhotoshopCS3","PhotoshopCS364","PhotoshopCS4","PhotoshopCS464","PhotoshopCS5","PhotoshopCS51","PhotoshopCS5164","PhotoshopCS564","Pidgin","QuickTimePlayer","RealConverter","RealPlayer","Safari","Skype","Thunderbird","ThunderbirdPluginContainer","UnRAR","VLC","Winamp","WindowsLiveSync","WindowsMediaPlayer","WinRARConsole","WinRARGUI","Winzip","Winzip64"^) & echo RegistryValueNames=Array("7z.exe","7zfm.exe","7zg.exe","chrome.exe","firefox.exe","plugin-container.exe","googletalk.exe","itunes.exe","java.exe","javaw.exe","javaws.exe","msnmsgr.exe","WLSync.exe","windowslivewriter.exe","communicator.exe","mirc.exe","MOE.exe","opera.exe","Photoshop.exe","pidgin.exe","QuickTimePlayer.exe","realconverter.exe","realplay.exe","Safari.exe","Skype.exe","thunderbird.exe","plugin-container.exe","unrar.exe","vlc.exe","winamp.exe","WindowsLiveSync.exe","wmplayer.exe","rar.exe","winrar.exe","winzip32.exe","winzip64.exe"^) & echo IsAppFound = checkSoftware(arrRegistryValueNames, RegistryValueNames^) & echo If (IsAppFound = "1"^) or (IsAppFound = ""^) Then & echo IsAppGPOFound = checkSoftware(arrValueNames, ValueNames^) & echo If IsAppGPOFound ^<^> "0" Then & echo WScript.Echo "Default Protections for other Popular Software is not configured." & echo End If & echo End if & echo Elseif (vers = "4"^) Then & echo ValueNames=Array("7z","7zFM","7zGUI","Chrome","Firefox","FirefoxPluginContainer","FoxitReader","GoogleTalk","iTunes","LiveWriter","LyncCommunicator","mIRC","Opera","PhotoGallery","Photoshop","Pidgin","QuickTimePlayer","RealConverter","RealPlayer","Safari","SkyDrive","Skype","Thunderbird","ThunderbirdPluginContainer","UnRAR","VLC","Winamp","WindowsLiveMail","WindowsMediaPlayer","WinRARConsole","WinRARGUI","Winzip","Winzip64"^) & echo RegistryValueNames=Array("7z.exe","7zfm.exe","7zg.exe","chrome.exe","firefox.exe","plugin-container.exe","foxit reader.exe","googletalk.exe","itunes.exe","windowslivewriter.exe","communicator.exe","mirc.exe","opera.exe","WLXPhotoGallery.exe","Photoshop.exe","pidgin.exe","QuickTimePlayer.exe","realconverter.exe","realplay.exe","Safari.exe","SkyDrive.exe","Skype.exe","thunderbird.exe","plugin-container.exe","unrar.exe","vlc.exe","winamp.exe","wlmail.exe","wmplayer.exe","rar.exe","winrar.exe","winzip32.exe","winzip64.exe"^) & echo IsAppFound = checkSoftware(arrRegistryValueNames, RegistryValueNames^) & echo If (IsAppFound = "1"^) or (IsAppFound = ""^) Then & echo IsAppGPOFound = checkSoftware(arrValueNames, ValueNames^) & echo If IsAppGPOFound ^<^> "0" Then & echo WScript.Echo "Default Protections for other Popular Software is not configured." & echo End If & echo End if & echo Elseif (vers = "5"^) Then & echo ValueNames=Array("7z","7zFM","7zGUI","Chrome","Firefox","FirefoxPluginContainer","FoxitReader","GoogleTalk","iTunes","LiveWriter","LyncCommunicator","mIRC","Opera","Opera_New_Versions","PhotoGallery","Photoshop","Pidgin","QuickTimePlayer","RealConverter","RealPlayer","Safari","SkyDrive","Skype","Thunderbird","ThunderbirdPluginContainer","UnRAR","VLC","Winamp","WindowsLiveMail","WindowsMediaPlayer","WinRARConsole","WinRARGUI","Winzip","Winzip64"^) & echo RegistryValueNames=Array("7z.exe","7zfm.exe","7zg.exe","chrome.exe","firefox.exe","plugin-container.exe","foxit reader.exe","googletalk.exe","itunes.exe","windowslivewriter.exe","communicator.exe","mirc.exe","opera.exe","opera.exe","WLXPhotoGallery.exe","Photoshop.exe","pidgin.exe","QuickTimePlayer.exe","realconverter.exe","realplay.exe","Safari.exe","SkyDrive.exe","Skype.exe","thunderbird.exe","plugin-container.exe","unrar.exe","vlc.exe","winamp.exe","wlmail.exe","wmplayer.exe","rar.exe","winrar.exe","winzip32.exe","winzip64.exe"^) & echo IsAppFound = checkSoftware(arrRegistryValueNames, RegistryValueNames^) & echo If (IsAppFound = "1"^) or (IsAppFound = ""^) Then & echo IsAppGPOFound = checkSoftware(arrValueNames, ValueNames^) & echo If IsAppGPOFound ^<^> "0" Then & echo WScript.Echo "Default Protections for other Popular Software is not configured." & echo End If & echo End if & echo Else & echo Wscript.Echo "EMET version is not supported: " ^& vers & echo Wscript.Quit & echo End If & echo Function checkSoftware(arrValueNames, ValueNames^) & echo Dim isFound & echo If Not IsNull(arrValueNames^) Then & echo isDiff = 0 & echo For i = 0 To UBound(ValueNames^) & echo isFound = False & echo For j = 0 To UBound(arrValueNames^) & echo If Ucase(ValueNames(i^)^) = Ucase(arrValueNames(j^)^) Then & echo isFound = True & echo End If & echo Next & echo If Not isFound Then & echo isDiff = 1 & echo End If & echo Next & echo End If & echo checkSoftware = isDiff & echo End Function) > %SystemRoot%\Temp\PopularSoftware.vbs & %SystemRoot%\system32\cscript /nologo %SystemRoot%\Temp\PopularSoftware.vbs & del %SystemRoot%\Temp\PopularSoftware.vbs | 2020-09-30T17:33:23.366Z | 2020-09-30T17:33:23.366Z |
### tripwire-elements-list
Returns a list of all elements or those that match the provided criteria.
#### Base Command
`tripwire-elements-list`
#### Input
Argument Name | Description | Required |
---|---|---|
element_oids | IDs of the elements to fetch, comma separated. | Optional |
element_names | Names of the elements to fetch (case insensitive), comma separated. | Optional |
node_oids | IDs of the nodes for the elements to fetch, comma separated. | Optional |
rule_oids | IDs of the rules for the elements to fetch, comma separated. | Optional |
baseline_version_ids | Latest baseline version IDs of the elements to fetch, comma separated. | Optional |
last_version_id | IDs of the latest versions of the elements to fetch, comma separated. | Optional |
limit | Limit for the number of returned results. Default is 50. | Optional |
start | Start index from which the results are returned. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
Tripwire.Elements.baselineVersionId | String | Latest baseline version Id for this element. |
Tripwire.Elements.description | String | Element description. |
Tripwire.Elements.id | String | Id of the element. |
Tripwire.Elements.inScope | Boolean | False if element is no longer in scope for the rule. |
Tripwire.Elements.isRestorable | Boolean | True if this can be restored by the restore action. |
Tripwire.Elements.lastSuccessDate | Date | Timestamp of last successful run of the rule on the related node. |
Tripwire.Elements.lastVersionChangeSeverity | Number | Severity value for the latest version of this element. |
Tripwire.Elements.lastVersionChangeType | String | Change type for the latest version of this element. |
Tripwire.Elements.lastVersionId | String | Id for the latest version of this element. |
Tripwire.Elements.lastVersionTime | Date | Time detected of that latest version of this element. |
Tripwire.Elements.name | String | Name of the element. |
Tripwire.Elements.nodeId | String | Id of the node for this element. |
Tripwire.Elements.ruleId | String | Id of the rule for this element. |
#### Command Example
```!tripwire-elements-list limit=5```
#### Context Example

#### Human Readable Output
##### Tripwire Elements list results
The number of returned results is: 5

|id|name|baselineVersionId|
|---|---|---|
| -1y2p0ij32e8cc:-1y2p0ij323hx2 | /home/test/monitored-folder | -1y2p0ij32e8ch:-1y2p0ij3239dk |
| -1y2p0ij32e8cc:-1y2p0ij323hx0 | /home/test/monitored-folder/test.txt | -1y2p0ij32e8ch:-1y2p0ij3239dj |
| -1y2p0ij32e8cc:-1y2p0ij323hwk | /usr/bin/c89 | -1y2p0ij32e8ch:-1y2p0ij323hwj |
| -1y2p0ij32e8cc:-1y2p0ij323hwi | /usr/bin/c99 | -1y2p0ij32e8ch:-1y2p0ij323hwh |
| -1y2p0ij32e8cc:-1y2p0ij323hwg | /usr/bin/cc | -1y2p0ij32e8ch:-1y2p0ij323hwf |
### tripwire-nodes-list
Returns a list of all nodes or those that match the provided filter criteria.
#### Base Command
`tripwire-nodes-list`
#### Input
Argument Name | Description | Required |
---|---|---|
node_oids | IDs of nodes to fetch, comma separated. | Optional |
node_ips | IP addresses of nodes to fetch (only finds agent nodes), comma separated. | Optional |
node_mac_adresses | MAC addresses of nodes to fetch, comma separated. | Optional |
node_names | Names of nodes to fetch (case insensitive), comma separated. | Optional |
node_os_names | OS names of nodes to fetch, comma separated. | Optional |
tags | Tags of nodes to fetch, comma separated. | Optional |
limit | Limit for the number of returned results. Default is 50. | Optional |
start | Start index from which the results are returned. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
Tripwire.Nodes.agentType | String | Agent Type of nodes. |
Tripwire.Nodes.agentVersion | String | Agent versions of nodes. |
Tripwire.Nodes.auditEnabled | Boolean | Audit enabled condition of nodes. |
Tripwire.Nodes.description | String | Descriptions of nodes. |
Tripwire.Nodes.elementCount | Number | Element counts of nodes. |
Tripwire.Nodes.eventGeneratorEnabled | Boolean | Event generator enabled condition of nodes. |
Tripwire.Nodes.eventGeneratorInstalled | Boolean | Event generator installed condition of nodes. |
Tripwire.Nodes.hasFailures | Boolean | Has failures condition of nodes. |
Tripwire.Nodes.id | String | IDs of nodes. |
Tripwire.Nodes.importedTime | Date | Imported times of nodes. |
Tripwire.Nodes.ipAddresses | Unknown | IP addresses of nodes (only finds agent nodes). |
Tripwire.Nodes.isDisabled | Boolean | Is disabled condition of nodes. |
Tripwire.Nodes.isSocksProxy | Boolean | Is socks proxy condition of nodes. |
Tripwire.Nodes.lastCheck | Date | Last checks of nodes. |
Tripwire.Nodes.lastRegistration | Date | Last registration dates of nodes. |
Tripwire.Nodes.licensedFeatures | Unknown | Licensed features of nodes. |
Tripwire.Nodes.make | String | Make of nodes. |
Tripwire.Nodes.maxSeverity | Number | Max severities of nodes. |
Tripwire.Nodes.model | String | Models of nodes. |
Tripwire.Nodes.modifiedTime | Date | Modified times of nodes. |
Tripwire.Nodes.name | String | Names of nodes. |
Tripwire.Nodes.realTimeEnabled | Boolean | Real time enabled condition of nodes. |
Tripwire.Nodes.rmiHost | String | RMI hosts of nodes. |
Tripwire.Nodes.rmiPort | Number | RMI ports of nodes. |
Tripwire.Nodes.tags.tag | String | Tags of nodes. |
Tripwire.Nodes.tags.tagset | String | Tags sets of nodes. |
Tripwire.Nodes.tags.type | String | Tags types of nodes. |
Tripwire.Nodes.trackingId | String | Tracking IDs of nodes. |
Tripwire.Nodes.type | String | Node type of nodes. |
Tripwire.Nodes.version | String | Versions of nodes. |
#### Command Example
```!tripwire-nodes-list limit=5```
#### Context Example

#### Human Readable Output
##### Tripwire Nodes list results
The number of returned results is: 2

|id|name|make|ipAddresses|type|lastCheck|modifiedTime|
|---|---|---|---|---|---|---|
| -1y2p0ij32e8bu:-1y2p0ij32e7b3 | ip-172-31-45-155.eu-west-1.compute.internal | Red Hat | 172.31.45.155 | Linux Server | 1970-01-02T00:00:00.000Z | 2020-09-30T18:00:12.416Z |
| -1y2p0ij32e8bu:-1y2p0ij323ikt | ip-10-128-0-12.eu-west-1.compute.internal | CentOS | 10.128.0.12 | Linux Server | 2020-12-01T14:01:00.000Z | 2020-10-20T14:16:01.603Z |
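FIM only protects what actually reports in, and the node listing above already shows the pattern to watch for: one node's lastCheck is a 1970 placeholder while the other checked in minutes ago. The script below, added here as an example and not code from the Tripwire integration, walks records shaped like the Tripwire.Nodes context output and reports coverage gaps (never checked in, stale check-in, disabled, real-time monitoring off, rule failures). The ids, names, makes, addresses and timestamps are the page's; the realTimeEnabled, isDisabled and hasFailures values, the one-day staleness threshold, and the reading of a pre-2000 lastCheck as "never checked in" are assumptions made for the example.

```python
"""Report Tripwire nodes whose monitoring coverage looks suspect (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the Tripwire.Nodes context output.
SAMPLE_NODES = [
    {"id": "-1y2p0ij32e8bu:-1y2p0ij32e7b3", "name": "ip-172-31-45-155.eu-west-1.compute.internal",
     "make": "Red Hat", "ipAddresses": ["172.31.45.155"], "type": "Linux Server",
     "lastCheck": "1970-01-02T00:00:00.000Z", "modifiedTime": "2020-09-30T18:00:12.416Z",
     "realTimeEnabled": False, "isDisabled": False, "hasFailures": False},   # flags assumed
    {"id": "-1y2p0ij32e8bu:-1y2p0ij323ikt", "name": "ip-10-128-0-12.eu-west-1.compute.internal",
     "make": "CentOS", "ipAddresses": ["10.128.0.12"], "type": "Linux Server",
     "lastCheck": "2020-12-01T14:01:00.000Z", "modifiedTime": "2020-10-20T14:16:01.603Z",
     "realTimeEnabled": True, "isDisabled": False, "hasFailures": True},     # flags assumed
]

# Constructed evaluation time so the result is reproducible.
SAMPLE_NOW = datetime(2020, 12, 1, 15, 0, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse the millisecond UTC timestamps used in the node listing."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def coverage_findings(nodes, now=None, max_age=timedelta(days=1)):
    """Return {node name: [reasons]} for nodes needing attention; healthy nodes are omitted."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for node in nodes:
        reasons = []
        if node.get("isDisabled"):
            reasons.append("node is disabled")
        last = parse_ts(node["lastCheck"])
        if last.year < 2000:
            # Assumption: an epoch-era lastCheck means the agent has never reported in.
            reasons.append("never checked in (epoch placeholder lastCheck)")
        elif now - last > max_age:
            reasons.append(f"stale: last check {node['lastCheck']}")
        if not node.get("realTimeEnabled"):
            reasons.append("real-time monitoring disabled")
        if node.get("hasFailures"):
            reasons.append("rule failures reported")
        if reasons:
            findings[node["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in coverage_findings(SAMPLE_NODES, SAMPLE_NOW).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Running this on a schedule against `!tripwire-nodes-list` output turns a silent agent into a ticket rather than a gap discovered during an investigation; the `max_age` threshold should match how often the agents are expected to check in.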