
TrustwaveFusion

This Integration is part of the Trustwave Fusion Pack.#

The Trustwave Fusion platform connects your organization's digital footprint to a robust security cloud comprised of the Trustwave data lake, advanced analytics, actionable threat intelligence and a wide range of Trustwave services, including Trustwave SpiderLabs, an elite team of security specialists. Your team benefits from deep visibility and the advanced security expertise necessary for protecting assets and eradicating threats as they arise.

This integration was integrated and tested with version 1.0.68 of TrustwaveFusion.

Configure TrustwaveFusion in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| Fusion API URL | | True |
| API Key | The API Key to use for connection | True |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Fetch incidents | | False |
| Incident type | | False |
| Maximum number of incidents per fetch | | False |
| First fetch time | Format: [number] [time unit]. e.g., 12 hours, 7 days, 2 seconds etc. | False |
| Ticket Types | Types of tickets to fetch | False |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

trustwave-get-ticket#


Get a single ticket

Base Command#

trustwave-get-ticket

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Ticket ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Trustwave.Ticket.number | String | The ticket ID. |
| Trustwave.Ticket.subject | String | The ticket title. |
| Trustwave.Ticket.status | String | The status of the ticket. |
| Trustwave.Ticket.description | String | The detailed ticket description. |
| Trustwave.Ticket.category | String | Ticket category. |
| Trustwave.Ticket.createdBy | String | User that created the ticket. |
| Trustwave.Ticket.createdOn | Date | The ticket creation time. |
| Trustwave.Ticket.customerName | String | The name of the customer. |
| Trustwave.Ticket.findings.classification | String | Category for the finding related to the ticket. |
| Trustwave.Ticket.findings.classificationCode | String | Category code for the finding related to the ticket. |
| Trustwave.Ticket.findings.findingId | String | ID of the finding related to the ticket. |
| Trustwave.Ticket.formatted_notes | String | Human readable notes for the ticket. |
| Trustwave.Ticket.impact | String | Ticket impact (HIGH, MEDIUM, LOW). |
| Trustwave.Ticket.notes.actor | String | User that added the note (comment). |
| Trustwave.Ticket.notes.text | String | The note (comment) text. |
| Trustwave.Ticket.notes.timestamp | Date | Time when the note (comment) was created. |
| Trustwave.Ticket.priority | String | Ticket priority (CRITICAL, HIGH, MEDIUM, LOW). |
| Trustwave.Ticket.subCategory | String | Ticket sub-category. |
| Trustwave.Ticket.type | String | The ticket type (CASE, INCIDENT, CHANGE). |
| Trustwave.Ticket.updatedOn | Date | When the ticket was last updated. |
| Trustwave.Ticket.urgency | String | The ticket urgency (HIGH, MEDIUM, LOW). |

Command example#

!trustwave-get-ticket id="INA1976568"

Context Example#

{
"Trustwave": {
"Ticket": {
"assetIds": [],
"category": "Threat Detection & Response",
"createdBy": "dummyuser",
"createdOn": "2021-12-08T17:16:27.000+00:00",
"customerName": "Sample Customer",
"description": "Ticket description.",
"findings": [
{
"classification": null,
"classificationCode": "UnauthorizedAccessOrIntrusionAttempt.",
"findingId": "765432:THREAT:@AXv0k6GhG2zTcaogE1vG"
}
],
"formatted_notes": "2021-12-08T17:16:27.000+00:00 Created by: dummyuser\nNOTE:\nNote A\n----------------\n2021-12-08T17:17:57.000+00:00 Created by: dummyuser\nNOTE:\nNote B\n----------------\n2021-12-09T16:43:31.000+00:00 Created by: dummy_user\nNOTE:\nNote C",
"impact": "HIGH",
"notes": [
{
"actor": "dummyuser",
"text": "Note A",
"timestamp": "2021-12-08T17:16:27.000+00:00"
},
{
"actor": "dummyuser",
"text": "Note B",
"timestamp": "2021-12-08T17:17:57.000+00:00"
},
{
"actor": "dummy_user",
"text": "Note C",
"timestamp": "2021-12-09T16:43:31.000+00:00"
}
],
"number": "INA1976568",
"priority": "HIGH",
"status": "ON_HOLD",
"subCategory": "Threat Operations",
"subject": "Test incident #354",
"type": "INCIDENT",
"updatedOn": "2021-12-09T16:43:48.000+00:00",
"urgency": "MEDIUM"
}
}
}

Human Readable Output#

| field | value |
| --- | --- |
| assetIds | |
| category | Threat Detection & Response |
| createdBy | dummyuser |
| createdOn | 2021-12-08T17:16:27.000+00:00 |
| customerName | Sample Customer |
| description | Ticket description. |
| findings | {'classification': None, 'classificationCode': 'UnauthorizedAccessOrIntrusionAttempt.', 'findingId': '765432:THREAT:@AXv0k6GhG2zTcaogE1vG'} |
| impact | HIGH |
| notes | {'actor': 'dummyuser', 'text': 'Note A', 'timestamp': '2021-12-08T17:16:27.000+00:00'},<br>{'actor': 'dummyuser', 'text': 'Note B', 'timestamp': '2021-12-08T17:17:57.000+00:00'},<br>{'actor': 'dummy_u....[Truncated] |
| number | INA1976568 |
| priority | HIGH |
| status | ON_HOLD |
| subCategory | Threat Operations |
| subject | Test incident #354 |
| type | INCIDENT |
| updatedOn | 2021-12-09T16:43:48.000+00:00 |
| urgency | MEDIUM |
| formatted_notes | 2021-12-08T17:16:27.000+00:00 Created by: dummyuser<br>NOTE:<br>Note A<br>----------------<br>2021-12-08T17:17:57.000+00:00 Created by: dummyuser<br>NOTE:<br>Note B<br>----------------<br>2021-12-09T1....[Truncated] |

trustwave-search-tickets#


Search tickets

Base Command#

trustwave-search-tickets

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Ticket ID. | Optional |
| subject | Ticket subject. | Optional |
| type | Ticket type to query. Possible values are: INCIDENT, CASE, CHANGE. | Optional |
| status | Ticket status. Possible values are: NEW, OPEN, IN_PROGRESS, AWAITING_INFO, ON_HOLD, RESOLVED, CLOSED, CANCELED, SCHEDULED. | Optional |
| priority | Ticket priority. Possible values are: CRITICAL, HIGH, MEDIUM, LOW. | Optional |
| impact | Ticket impact. Possible values are: HIGH, MEDIUM, LOW. | Optional |
| urgency | Ticket urgency. Possible values are: HIGH, MEDIUM, LOW. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Trustwave.Ticket.number | String | The ticket ID. |
| Trustwave.Ticket.subject | String | The ticket title. |
| Trustwave.Ticket.status | String | The status of the ticket. |
| Trustwave.Ticket.description | String | The detailed ticket description. |
| Trustwave.Ticket.category | String | Ticket category. |
| Trustwave.Ticket.createdBy | String | User that created the ticket. |
| Trustwave.Ticket.createdOn | Date | The time when the ticket was created. |
| Trustwave.Ticket.customerName | String | The name of the customer. |
| Trustwave.Ticket.formatted_notes | String | Human readable notes. |
| Trustwave.Ticket.impact | String | Ticket impact (HIGH, MEDIUM, LOW). |
| Trustwave.Ticket.notes.actor | String | User that added the note (comment). |
| Trustwave.Ticket.notes.text | String | The note (comment) text. |
| Trustwave.Ticket.notes.timestamp | Date | Time when the note (comment) was created. |
| Trustwave.Ticket.priority | String | Ticket priority (CRITICAL, HIGH, MEDIUM, LOW). |
| Trustwave.Ticket.subCategory | String | Ticket sub-category. |
| Trustwave.Ticket.type | String | The ticket type (CASE, INCIDENT, CHANGE). |
| Trustwave.Ticket.updatedOn | Date | When the ticket was last updated. |
| Trustwave.Ticket.urgency | String | The ticket urgency (HIGH, MEDIUM, LOW). |

Command example#

!trustwave-search-tickets limit=2 type=INCIDENT

Context Example#

{
"Trustwave": {
"Ticket": [
{
"assetIds": [
"765432:managed-device#DEVICE:AW8Qp1Bextjwd2cF57Mk"
],
"category": "Technology Management",
"createdBy": "cpe_outage_service",
"createdOn": "2021-11-29T10:56:45.000+00:00",
"customerName": "Sample Customer",
"description": "",
"findings": [],
"formatted_notes": "2021-11-29T10:56:44.000+00:00 Created by: cpe_outage_service\nNOTE:\nNOTE A",
"impact": "HIGH",
"notes": [
{
"actor": "cpe_outage_service",
"text": "NOTE A",
"timestamp": "2021-11-29T10:56:44.000+00:00"
}
],
"number": "INA1077007",
"priority": "HIGH",
"status": "CLOSED",
"subCategory": "Cellular Backup",
"subject": "Alert: device is using cellular",
"type": "INCIDENT",
"updatedOn": "2021-12-29T00:00:08.000+00:00",
"urgency": "MEDIUM"
},
{
"assetIds": [],
"category": "Threat Detection & Response",
"createdBy": "dummyuser",
"createdOn": "2021-12-08T17:16:27.000+00:00",
"customerName": "Sample Customer",
"description": "Ticket description",
"findings": [
{
"classification": null,
"classificationCode": "UnauthorizedAccessOrIntrusionAttempt.",
"findingId": "765432:THREAT:@AXv0k6GhG2zTcaogE1vG"
}
],
"formatted_notes": "2021-12-08T17:16:27.000+00:00 Created by: dummyuser\nNOTE:\nSample Note.\n----------------\n2021-12-08T17:17:57.000+00:00 Created by: dummyuser\nNOTE:\nSample note #2.\n----------------\n2021-12-09T16:43:31.000+00:00 Created by: dummy_user\nNOTE:\nSample note #3",
"impact": "HIGH",
"notes": [
{
"actor": "dummyuser",
"text": "Sample Note.",
"timestamp": "2021-12-08T17:16:27.000+00:00"
},
{
"actor": "dummyuser",
"text": "Sample note #2.",
"timestamp": "2021-12-08T17:17:57.000+00:00"
},
{
"actor": "dummy_user",
"text": "Sample note #3",
"timestamp": "2021-12-09T16:43:31.000+00:00"
}
],
"number": "INA1077535",
"priority": "HIGH",
"status": "ON_HOLD",
"subCategory": "Threat Operations",
"subject": "MCAS - Impossible travel activity",
"type": "INCIDENT",
"updatedOn": "2021-12-09T16:43:48.000+00:00",
"urgency": "MEDIUM"
}
]
}
}

Human Readable Output#

Results#

| assetIds | category | createdBy | createdOn | customerName | description | findings | formatted_notes | impact | notes | number | priority | status | subCategory | subject | type | updatedOn | urgency |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 765432:managed-device#DEVICE:AW8Qp1Bextjwd2cF57Mk | Technology Management | cpe_outage_service | 2021-11-29T10:56:45.000+00:00 | Sample Customer | | | 2021-11-29T10:56:44.000+00:00 Created by: cpe_outage_service<br>NOTE:<br>NOTE A | HIGH | {'actor': 'cpe_outage_service', 'text': 'NOTE A', 'timestamp': '2021-11-29T10:56:44.000+00:00'} | INA1077007 | HIGH | CLOSED | Cellular Backup | Alert: device is using cellular | INCIDENT | 2021-12-29T00:00:08.000+00:00 | MEDIUM |
| | Threat Detection & Response | dummyuser | 2021-12-08T17:16:27.000+00:00 | Sample Customer | Ticket description | {'classification': None, 'classificationCode': 'UnauthorizedAccessOrIntrusionAttempt.', 'findingId': '765432:THREAT:@AXv0k6GhG2zTcaogE1vG'} | 2021-12-08T17:16:27.000+00:00 Created by: dummyuser<br>NOTE:<br>Sample Note.<br>----------------<br>2021-12-08T17:17:57.000+00:00 Created by: dummyuser<br>NOTE:<br>Sample note #2.<br>----------------<br>2021-12-09T16:43:31.000+00:00 Created by: dummy_user<br>NOTE:<br>Sample note #3 | HIGH | {'actor': 'dummyuser', 'text': 'Sample Note.', 'timestamp': '2021-12-08T17:16:27.000+00:00'},<br>{'actor': 'dummyuser', 'text': 'Sample note #2.', 'timestamp': '2021-12-08T17:17:57.000+00:00'},<br>{'actor': 'dummy_user', 'text': 'Sample note #3', 'timestamp': '2021-12-09T16:43:31.000+00:00'} | INA1077535 | HIGH | ON_HOLD | Threat Operations | MCAS - Impossible travel activity | INCIDENT | 2021-12-09T16:43:48.000+00:00 | MEDIUM |

trustwave-add-ticket-comment#


Add a comment to a ticket

Base Command#

trustwave-add-ticket-comment

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Incident ID. | Required |
| comment | Comment text. | Required |

Context Output#

There is no context output for this command.

Command example#

!trustwave-add-ticket-comment id=INA1051028 comment="test from xsoar"

Human Readable Output#

Success

trustwave-close-ticket#


Close a ticket

Base Command#

trustwave-close-ticket

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Incident ID. | Required |
| comment | Comment text. | Required |

Context Output#

There is no context output for this command.

Command example#

!trustwave-close-ticket id="INA1051028" comment="Comment"

Human Readable Output#

Success

trustwave-get-updated-tickets#


Get updated tickets.

Base Command#

trustwave-get-updated-tickets

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| since | Absolute or relative date to check for updates. | Required |
| fetch_limit | Maximum number of tickets to fetch. Default is 100. | Optional |
| ticket_types | Ticket type to query. Possible values are: INCIDENT, CASE, CHANGE. Default is INCIDENT. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Trustwave.Ticket.number | String | The ticket ID. |
| Trustwave.Ticket.subject | String | The ticket title. |
| Trustwave.Ticket.status | String | The status of the ticket. |
| Trustwave.Ticket.description | String | The detailed ticket description. |
| Trustwave.Ticket.category | String | Ticket category. |
| Trustwave.Ticket.createdBy | String | User that created the ticket. |
| Trustwave.Ticket.createdOn | Date | The time when the ticket was created. |
| Trustwave.Ticket.customerName | String | The name of the customer. |
| Trustwave.Ticket.formatted_notes | String | Human readable notes. |
| Trustwave.Ticket.impact | String | Ticket impact (HIGH, MEDIUM, LOW). |
| Trustwave.Ticket.notes.actor | String | User that added the note (comment). |
| Trustwave.Ticket.notes.text | String | The note (comment) text. |
| Trustwave.Ticket.notes.timestamp | Date | Time when the note (comment) was created. |
| Trustwave.Ticket.priority | String | Ticket priority (CRITICAL, HIGH, MEDIUM, LOW). |
| Trustwave.Ticket.subCategory | String | Ticket sub-category. |
| Trustwave.Ticket.type | String | The ticket type (CASE, INCIDENT, CHANGE). |
| Trustwave.Ticket.updatedOn | Date | When the ticket was last updated. |
| Trustwave.Ticket.urgency | String | The ticket urgency (HIGH, MEDIUM, LOW). |

Command example#

!trustwave-get-updated-tickets fetch_limit=2 since=2021-12-09T16:43:48.000+00:00

Context Example#

{
"Trustwave": {
"Ticket": [
{
"assetIds": [
"765432:managed-device#DEVICE:AW8Qp1Bextjwd2cF57Mk"
],
"category": "Technology Management",
"createdBy": "cpe_outage_service",
"createdOn": "2021-11-29T10:56:45.000+00:00",
"customerName": "Sample Customer",
"description": "",
"findings": [],
"formatted_notes": "2021-11-29T10:56:44.000+00:00 Created by: cpe_outage_service\nNOTE:\nNOTE A",
"impact": "HIGH",
"notes": [
{
"actor": "cpe_outage_service",
"text": "NOTE A",
"timestamp": "2021-11-29T10:56:44.000+00:00"
}
],
"number": "INA1077007",
"priority": "HIGH",
"status": "CLOSED",
"subCategory": "Cellular Backup",
"subject": "Alert: device is using cellular",
"type": "INCIDENT",
"updatedOn": "2021-12-29T00:00:08.000+00:00",
"urgency": "MEDIUM"
},
{
"assetIds": [],
"category": "Threat Detection & Response",
"createdBy": "dummyuser",
"createdOn": "2021-12-08T17:16:27.000+00:00",
"customerName": "Sample Customer",
"description": "Ticket description",
"findings": [
{
"classification": null,
"classificationCode": "UnauthorizedAccessOrIntrusionAttempt.",
"findingId": "765432:THREAT:@AXv0k6GhG2zTcaogE1vG"
}
],
"formatted_notes": "2021-12-08T17:16:27.000+00:00 Created by: dummyuser\nNOTE:\nSample Note.\n----------------\n2021-12-08T17:17:57.000+00:00 Created by: dummyuser\nNOTE:\nSample note #2.\n----------------\n2021-12-09T16:43:31.000+00:00 Created by: dummy_user\nNOTE:\nSample note #3",
"impact": "HIGH",
"notes": [
{
"actor": "dummyuser",
"text": "Sample Note.",
"timestamp": "2021-12-08T17:16:27.000+00:00"
},
{
"actor": "dummyuser",
"text": "Sample note #2.",
"timestamp": "2021-12-08T17:17:57.000+00:00"
},
{
"actor": "dummy_user",
"text": "Sample note #3",
"timestamp": "2021-12-09T16:43:31.000+00:00"
}
],
"number": "INA1077535",
"priority": "HIGH",
"status": "ON_HOLD",
"subCategory": "Threat Operations",
"subject": "MCAS - Impossible travel activity",
"type": "INCIDENT",
"updatedOn": "2021-12-09T16:43:48.000+00:00",
"urgency": "MEDIUM"
}
]
}
}

Human Readable Output#

Results#

| assetIds | category | createdBy | createdOn | customerName | description | findings | formatted_notes | impact | notes | number | priority | status | subCategory | subject | type | updatedOn | urgency |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 765432:managed-device#DEVICE:AW8Qp1Bextjwd2cF57Mk | Technology Management | cpe_outage_service | 2021-11-29T10:56:45.000+00:00 | Sample Customer | | | 2021-11-29T10:56:44.000+00:00 Created by: cpe_outage_service<br>NOTE:<br>NOTE A | HIGH | {'actor': 'cpe_outage_service', 'text': 'NOTE A', 'timestamp': '2021-11-29T10:56:44.000+00:00'} | INA1077007 | HIGH | CLOSED | Cellular Backup | Alert: device is using cellular | INCIDENT | 2021-12-29T00:00:08.000+00:00 | MEDIUM |
| | Threat Detection & Response | dummyuser | 2021-12-08T17:16:27.000+00:00 | Sample Customer | Ticket description | {'classification': None, 'classificationCode': 'UnauthorizedAccessOrIntrusionAttempt.', 'findingId': '765432:THREAT:@AXv0k6GhG2zTcaogE1vG'} | 2021-12-08T17:16:27.000+00:00 Created by: dummyuser<br>NOTE:<br>Sample Note.<br>----------------<br>2021-12-08T17:17:57.000+00:00 Created by: dummyuser<br>NOTE:<br>Sample note #2.<br>----------------<br>2021-12-09T16:43:31.000+00:00 Created by: dummy_user<br>NOTE:<br>Sample note #3 | HIGH | {'actor': 'dummyuser', 'text': 'Sample Note.', 'timestamp': '2021-12-08T17:16:27.000+00:00'},<br>{'actor': 'dummyuser', 'text': 'Sample note #2.', 'timestamp': '2021-12-08T17:17:57.000+00:00'},<br>{'actor': 'dummy_user', 'text': 'Sample note #3', 'timestamp': '2021-12-09T16:43:31.000+00:00'} | INA1077535 | HIGH | ON_HOLD | Threat Operations | MCAS - Impossible travel activity | INCIDENT | 2021-12-09T16:43:48.000+00:00 | MEDIUM |
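As an added example (not the integration's own code), the Python below rebuilds `formatted_notes` from a ticket's `notes` list in the layout the trustwave-get-ticket context example shows, and implements the bookkeeping a playbook or fetch loop needs around `trustwave-get-updated-tickets`: advancing the `since` watermark and deduplicating across the inclusive boundary (the page's example passes `since=2021-12-09T16:43:48.000+00:00` and gets back the ticket updated at exactly that instant). The sample tickets are constructed from the page's context examples; the priority-to-severity mapping and the `ticket_key`/`fetch_cycle` helper names are assumptions.

```python
import json
from datetime import datetime

# Constructed sample tickets shaped like the Trustwave.Ticket context on this
# page (fields not needed by the logic below are omitted).
SAMPLE_TICKETS = [
    {
        "number": "INA1077007", "subject": "Alert: device is using cellular",
        "type": "INCIDENT", "status": "CLOSED", "priority": "HIGH",
        "updatedOn": "2021-12-29T00:00:08.000+00:00",
        "notes": [{"actor": "cpe_outage_service", "text": "NOTE A",
                   "timestamp": "2021-11-29T10:56:44.000+00:00"}],
    },
    {
        "number": "INA1077535", "subject": "MCAS - Impossible travel activity",
        "type": "INCIDENT", "status": "ON_HOLD", "priority": "HIGH",
        "updatedOn": "2021-12-09T16:43:48.000+00:00",
        "notes": [  # deliberately out of order to show the sort
            {"actor": "dummy_user", "text": "Note C",
             "timestamp": "2021-12-09T16:43:31.000+00:00"},
            {"actor": "dummyuser", "text": "Note A",
             "timestamp": "2021-12-08T17:16:27.000+00:00"},
        ],
    },
]

NOTE_SEPARATOR = "\n----------------\n"

# Assumed mapping from Trustwave ticket priority to XSOAR's numeric severity
# scale (1 Low, 2 Medium, 3 High, 4 Critical; 0 Unknown).
SEVERITY = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def parse_ts(value):
    """Parse the API's ISO-8601 timestamps, e.g. 2021-12-09T16:43:48.000+00:00."""
    return datetime.fromisoformat(value)


def format_notes(notes):
    """Rebuild formatted_notes from the notes list, oldest first, in the
    '<timestamp> Created by: <actor>\\nNOTE:\\n<text>' layout the page shows."""
    ordered = sorted(notes, key=lambda n: parse_ts(n["timestamp"]))
    blocks = [f"{n['timestamp']} Created by: {n['actor']}\nNOTE:\n{n['text']}"
              for n in ordered]
    return NOTE_SEPARATOR.join(blocks)


def ticket_key(ticket):
    """Dedup key: a ticket updated again gets a new updatedOn and is re-ingested."""
    return f"{ticket['number']}@{ticket['updatedOn']}"


def select_new(tickets, seen_keys, ticket_types=("INCIDENT",)):
    """Drop tickets of other types and tickets already turned into incidents."""
    return [t for t in tickets
            if t["type"] in ticket_types and ticket_key(t) not in seen_keys]


def next_since(tickets, previous_since):
    """Watermark for the next trustwave-get-updated-tickets call: the newest
    updatedOn seen, never moving backwards, in the API's own timestamp format."""
    latest = parse_ts(previous_since)
    for t in tickets:
        latest = max(latest, parse_ts(t["updatedOn"]))
    return latest.isoformat(timespec="milliseconds")


def to_incident(ticket):
    """Shape one ticket as an XSOAR incident dict (name, severity, rawJSON)."""
    return {
        "name": f"{ticket['number']}: {ticket['subject']}",
        "severity": SEVERITY.get(ticket.get("priority"), 0),
        "occurred": ticket["updatedOn"],
        "rawJSON": json.dumps(ticket),
    }


def fetch_cycle(tickets, last_run):
    """One incremental fetch step over the tickets returned for last_run['since'].
    Returns (incidents, new_last_run) where new_last_run = {'since', 'seen'}."""
    seen = set(last_run.get("seen", []))
    new = select_new(tickets, seen)
    since = next_since(tickets, last_run["since"])
    # Only tickets sitting exactly on the new watermark can be returned again by
    # the next inclusive `since` query, so only their keys need remembering.
    still_seen = [ticket_key(t) for t in tickets
                  if parse_ts(t["updatedOn"]) == parse_ts(since)]
    return [to_incident(t) for t in new], {"since": since, "seen": still_seen}


if __name__ == "__main__":
    state = {"since": "2021-12-09T16:43:48.000+00:00",
             "seen": ["INA1077535@2021-12-09T16:43:48.000+00:00"]}
    incidents, state = fetch_cycle(SAMPLE_TICKETS, state)
    print(json.dumps(incidents, indent=2), state, sep="\n")
    print(format_notes(SAMPLE_TICKETS[1]["notes"]))
```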

trustwave-search-findings#


Search for Findings

Base Command#

trustwave-search-findings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Finding ID. | Optional |
| limit | Maximum number of Findings to return. Default is 100. | Optional |
| name | Name of the Finding. | Optional |
| classification | Finding classification. | Optional |
| summary | Finding summary. | Optional |
| detail | Finding detail. | Optional |
| priority | Finding priority. Possible values are: CRITICAL, HIGH, MEDIUM, LOW. | Optional |
| severity | Finding severity. | Optional |
| created_since | Created since. | Optional |
| updated_since | Updated since. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Trustwave.Finding.classification | String | Category for the finding. |
| Trustwave.Finding.createdOn | Date | Time when the finding was created. |
| Trustwave.Finding.customerName | String | Customer name for the finding. |
| Trustwave.Finding.destination | String | Destination for the finding. |
| Trustwave.Finding.detail | String | Detailed description of the finding. |
| Trustwave.Finding.id | String | The finding ID. |
| Trustwave.Finding.priority | Number | The priority of the finding. |
| Trustwave.Finding.severity | Number | The severity of the finding. |
| Trustwave.Finding.source | String | SOAR actions taken for the finding. |
| Trustwave.Finding.status.description | String | Current status of the finding. |
| Trustwave.Finding.summary | String | The name of the finding. |
| Trustwave.Finding.type | String | The type of finding (e.g. THREAT, VULNERABILITY). |
| Trustwave.Finding.updatedOn | Date | Time when the finding was last updated. |

Command example#

!trustwave-search-findings limit="2" summary="MS Graph Alert Detection Rule" type=threat updatedSince=2021-12-08T17:17:56.000+00:00

Context Example#

{
"Trustwave": {
"Finding": [
{
"classification": null,
"createdOn": "2021-09-17T16:26:11.731+00:00",
"customerName": "Sample Customer",
"destination": null,
"detail": "MCAS - Impossible travel activity",
"id": "765432:THREAT:@AXv0k6GhG2zTcaogE1vG",
"priority": 4,
"severity": 4,
"source": null,
"status": {
"description": "Security Incident"
},
"summary": "MS Graph Alert Detection Rule",
"type": "THREAT",
"updatedOn": "2021-12-08T17:17:56.504+00:00"
},
{
"classification": null,
"createdOn": "2021-10-26T22:33:17.567+00:00",
"customerName": "Sample Customer",
"destination": null,
"detail": "ASC, MSTIC - Windows registry persistence method detected pqa VM_RegistryPersistencyKey",
"id": "765432:THREAT:@AXy-u5fVt3G3ZYM6G5cH",
"priority": 2,
"severity": 2,
"source": null,
"status": {
"description": "False Positive"
},
"summary": "MS Graph Alert Detection Rule",
"type": "THREAT",
"updatedOn": "2021-12-16T17:21:31.384+00:00"
}
]
}
}

Human Readable Output#

Results#

| classification | createdOn | customerName | destination | detail | id | priority | severity | source | status | summary | type | updatedOn |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 2021-09-17T16:26:11.731+00:00 | Sample Customer | | MCAS - Impossible travel activity | 765432:THREAT:@AXv0k6GhG2zTcaogE1vG | 4 | 4 | | description: Security Incident | MS Graph Alert Detection Rule | THREAT | 2021-12-08T17:17:56.504+00:00 |
| | 2021-10-26T22:33:17.567+00:00 | Sample Customer | | ASC, MSTIC - Windows registry persistence method detected pqa VM_RegistryPersistencyKey | 765432:THREAT:@AXy-u5fVt3G3ZYM6G5cH | 2 | 2 | | description: False Positive | MS Graph Alert Detection Rule | THREAT | 2021-12-16T17:21:31.384+00:00 |

trustwave-get-finding#


Get a Finding

Base Command#

trustwave-get-finding

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Finding ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Trustwave.Finding.analystNotes.actor | String | User that created the analyst note. |
| Trustwave.Finding.analystNotes.text | String | Analyst note text. |
| Trustwave.Finding.analystNotes.timestamp | Date | Time when the note was created. |
| Trustwave.Finding.assetsIds | String | Assets impacted by the finding. |
| Trustwave.Finding.classification | String | Category for the finding. |
| Trustwave.Finding.createdOn | Date | Time when the finding was created. |
| Trustwave.Finding.customerName | String | Customer name for the finding. |
| Trustwave.Finding.destination | String | Destination for the finding. |
| Trustwave.Finding.detail | String | Detailed description of the finding. |
| Trustwave.Finding.eventsIds | String | List of event IDs associated with the finding. |
| Trustwave.Finding.id | String | The finding ID. |
| Trustwave.Finding.parentId | String | The ID of the parent of the finding. |
| Trustwave.Finding.priority | Number | The priority of the finding. |
| Trustwave.Finding.severity | Number | The severity of the finding. |
| Trustwave.Finding.source | String | Source for the finding. |
| Trustwave.Finding.status.description | String | Current status of the finding. |
| Trustwave.Finding.summary | String | The name of the finding. |
| Trustwave.Finding.type | String | The type of finding (e.g. THREAT, VULNERABILITY). |
| Trustwave.Finding.updatedOn | Date | Time when the finding was last updated. |

Command example#

!trustwave-get-finding id="765432:THREAT:@AXv0k6GhG2zTcaogE1vG"

Context Example#

{
"Trustwave": {
"Finding": {
"analystNotes": [
{
"actor": "dummyuser",
"text": "Note A",
"timestamp": "2021-12-08T17:17:56.790+00:00"
}
],
"assetsIds": [
"765432:PERSON:AXsNy0R8CfYgZQumlNdv"
],
"childFindingIds": [],
"classification": null,
"createdOn": "2021-09-17T16:26:11.731+00:00",
"customerName": "Sample Customer",
"destination": null,
"detail": "MCAS - Impossible travel activity",
"eventsIds": [
"34c0e1b2-96e6-4a25-be3d-80d0671a5d8f"
],
"id": "765432:THREAT:@AXv0k6GhG2zTcaogE1vG",
"parentId": null,
"priority": 4,
"severity": 4,
"source": null,
"status": {
"description": "Security Incident"
},
"summary": "MS Graph Alert Detection Rule",
"type": "THREAT",
"updatedOn": "2021-12-08T17:17:56.504+00:00"
}
}
}

Human Readable Output#

Results#

| analystNotes | assetsIds | childFindingIds | classification | createdOn | customerName | destination | detail | eventsIds | id | parentId | priority | severity | source | status | summary | type | updatedOn |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {'actor': 'dummyuser', 'text': 'Note A', 'timestamp': '2021-12-08T17:17:56.790+00:00'} | 765432:PERSON:AXsNy0R8CfYgZQumlNdv | | | 2021-09-17T16:26:11.731+00:00 | Sample Customer | | MCAS - Impossible travel activity | 34c0e1b2-96e6-4a25-be3d-80d0671a5d8f | 765432:THREAT:@AXv0k6GhG2zTcaogE1vG | | 4 | 4 | | description: Security Incident | MS Graph Alert Detection Rule | THREAT | 2021-12-08T17:17:56.504+00:00 |

trustwave-get-asset#


Get an Asset

Base Command#

trustwave-get-asset

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Asset ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Trustwave.Asset.cidr | String | Network address in CIDR notation. |
| Trustwave.Asset.createdOn | Date | Time when the asset was created. |
| Trustwave.Asset.customerName | String | The customer name for the asset. |
| Trustwave.Asset.id | String | The asset ID. |
| Trustwave.Asset.ips | String | List of IP addresses for the asset. |
| Trustwave.Asset.lastActivity | Date | Time of the last activity associated with the asset. |
| Trustwave.Asset.name | String | The name of the asset. |
| Trustwave.Asset.networkInterfaces.gateway | String | Gateway address for the asset network interface. |
| Trustwave.Asset.networkInterfaces.hostnames | String | List of hostnames for the asset network interface. |
| Trustwave.Asset.networkInterfaces.ip | String | IP address for the asset network interface. |
| Trustwave.Asset.networkInterfaces.macAddress | String | MAC address for the asset network interface. |
| Trustwave.Asset.networkInterfaces.macVendor | String | Vendor associated with the MAC address for the asset network interface. |
| Trustwave.Asset.networkInterfaces.subnet | String | Network subnet of the asset network interface. |
| Trustwave.Asset.os | String | Asset operating system. |
| Trustwave.Asset.services.applicationName | String | Service name. |
| Trustwave.Asset.services.applicationProtocol | String | Service protocol. |
| Trustwave.Asset.services.port | Number | Service port. |
| Trustwave.Asset.services.transportProtocol | String | Service transport. |
| Trustwave.Asset.status | String | Asset status. |
| Trustwave.Asset.type | String | The type of asset. |
| Trustwave.Asset.updatedOn | Date | Time when the asset was last updated. |
| Trustwave.Asset.uri | String | URI of the asset. |

Command example#

!trustwave-get-asset id="765432:DNA#DEVICE:AW2X-hCmXdgvNlcDpVGf"

Context Example#

{
"Trustwave": {
"Asset": {
"cidr": null,
"createdOn": "2019-10-04T18:13:30.941+00:00",
"customerName": "Sample Customer",
"id": "765432:DNA#DEVICE:AW2X-hCmXdgvNlcDpVGf",
"ips": [
"10.103.201.47"
],
"lastActivity": null,
"name": "host.example.com",
"networkInterfaces": [
{
"gateway": null,
"hostnames": [
"host.example.com"
],
"ip": "10.103.201.47",
"macAddress": null,
"macVendor": null,
"subnet": null
}
],
"notes": [],
"os": null,
"services": [
{
"applicationName": null,
"applicationProtocol": null,
"port": 80,
"transportProtocol": "tcp"
},
{
"applicationName": null,
"applicationProtocol": "sunrpcportmap",
"port": 111,
"transportProtocol": "tcp"
},
{
"applicationName": null,
"applicationProtocol": "sunrpcportmap",
"port": 111,
"transportProtocol": "udp"
},
{
"applicationName": null,
"applicationProtocol": "ntp",
"port": 123,
"transportProtocol": "udp"
},
{
"applicationName": null,
"applicationProtocol": "snmp",
"port": 161,
"transportProtocol": "udp"
},
{
"applicationName": null,
"applicationProtocol": null,
"port": 443,
"transportProtocol": "tcp"
},
{
"applicationName": null,
"applicationProtocol": "mysql",
"port": 3306,
"transportProtocol": "tcp"
},
{
"applicationName": null,
"applicationProtocol": null,
"port": 5672,
"transportProtocol": "tcp"
},
{
"applicationName": null,
"applicationProtocol": "snmp",
"port": 16161,
"transportProtocol": "udp"
}
],
"status": null,
"tags": [],
"type": "Device",
"updatedOn": "2019-10-04T19:09:59.907+00:00",
"uri": null
}
}
}

Human Readable Output#

Results#

| cidr | createdOn | customerName | id | ips | lastActivity | name | networkInterfaces | notes | os | services | status | tags | type | updatedOn | uri |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 2019-10-04T18:13:30.941+00:00 | Sample Customer | 765432:DNA#DEVICE:AW2X-hCmXdgvNlcDpVGf | 10.103.201.47 | | host.example.com | {'gateway': None, 'hostnames': ['host.example.com'], 'ip': '10.103.201.47', 'macAddress': None, 'macVendor': None, 'subnet': None} | | | {'applicationName': None, 'applicationProtocol': None, 'port': 80, 'transportProtocol': 'tcp'},<br>{'applicationName': None, 'applicationProtocol': 'sunrpcportmap', 'port': 111, 'transportProtocol': 'tcp'},<br>{'applicationName': None, 'applicationProtocol': 'sunrpcportmap', 'port': 111, 'transportProtocol': 'udp'},<br>{'applicationName': None, 'applicationProtocol': 'ntp', 'port': 123, 'transportProtocol': 'udp'},<br>{'applicationName': None, 'applicationProtocol': 'snmp', 'port': 161, 'transportProtocol': 'udp'},<br>{'applicationName': None, 'applicationProtocol': None, 'port': 443, 'transportProtocol': 'tcp'},<br>{'applicationName': None, 'applicationProtocol': 'mysql', 'port': 3306, 'transportProtocol': 'tcp'},<br>{'applicationName': None, 'applicationProtocol': None, 'port': 5672, 'transportProtocol': 'tcp'},<br>{'applicationName': None, 'applicationProtocol': 'snmp', 'port': 16161, 'transportProtocol': 'udp'} | | | Device | 2019-10-04T19:09:59.907+00:00 | |

trustwave-search-assets#


Search for Assets

Base Command#

trustwave-search-assets

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Asset ID. | Optional |
| limit | Maximum number of Assets to return. Default is 100. | Optional |
| name | Name of the Asset. | Optional |
| os | OS for the Asset. | Optional |
| tags | Asset Tags to search for. | Optional |
| port | Port. | Optional |
| app_protocol | Application Protocol. | Optional |
| transport | Transport Protocol. | Optional |
| type | Asset Type. | Optional |
| created_since | Created since. | Optional |
| updated_since | Updated since. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Trustwave.Asset.cidr | String | Network address in CIDR notation. |
| Trustwave.Asset.createdOn | Date | Time when the asset was created. |
| Trustwave.Asset.customerName | String | The customer name for the asset. |
| Trustwave.Asset.id | String | The asset ID. |
| Trustwave.Asset.ips | String | List of IP addresses for the asset. |
| Trustwave.Asset.lastActivity | Date | Time of the last activity associated with the asset. |
| Trustwave.Asset.name | String | The name of the asset. |
| Trustwave.Asset.networkInterfaces.gateway | String | Gateway address for the asset network interface. |
| Trustwave.Asset.networkInterfaces.hostnames | String | List of hostnames for the asset network interface. |
| Trustwave.Asset.networkInterfaces.ip | String | IP address for the asset network interface. |
| Trustwave.Asset.networkInterfaces.macAddress | String | MAC address for the asset network interface. |
| Trustwave.Asset.networkInterfaces.macVendor | String | Vendor associated with the MAC address for the asset network interface. |
| Trustwave.Asset.networkInterfaces.subnet | String | Network subnet of the asset network interface. |
| Trustwave.Asset.os | String | Asset operating system. |
| Trustwave.Asset.status | String | Asset status. |
| Trustwave.Asset.type | String | The type of asset. |
| Trustwave.Asset.updatedOn | Date | Time when the asset was last updated. |
| Trustwave.Asset.uri | String | URI of the asset. |

Command example#

!trustwave-search-assets limit=2 type="DEVICE" name="host.example.com"

Context Example#

{
"Trustwave": {
"Asset": {
"cidr": null,
"createdOn": "2019-10-04T18:13:30.941+00:00",
"customerName": "Sample Customer",
"id": "765432:DNA#DEVICE:AW2X-hCmXdgvNlcDpVGf",
"ips": [
"10.103.201.47"
],
"lastActivity": null,
"name": "host.example.com",
"networkInterfaces": [
{
"gateway": null,
"hostnames": [
"host.example.com"
],
"ip": "10.103.201.47",
"macAddress": null,
"macVendor": null,
"subnet": null
}
],
"notes": [],
"os": null,
"services": [
{
"applicationName": null,
"applicationProtocol": null,
"port": 80,
"transportProtocol": "tcp"
},
{
"applicationName": null,
"applicationProtocol": "sunrpcportmap",
"port": 111,
"transportProtocol": "tcp"
},
{
"applicationName": null,
"applicationProtocol": "sunrpcportmap",
"port": 111,
"transportProtocol": "udp"
},
{
"applicationName": null,
"applicationProtocol": "ntp",
"port": 123,
"transportProtocol": "udp"
},
{
"applicationName": null,
"applicationProtocol": "snmp",
"port": 161,
"transportProtocol": "udp"
},
{
"applicationName": null,
"applicationProtocol": null,
"port": 443,
"transportProtocol": "tcp"
},
{
"applicationName": null,
"applicationProtocol": "mysql",
"port": 3306,
"transportProtocol": "tcp"
},
{
"applicationName": null,
"applicationProtocol": null,
"port": 5672,
"transportProtocol": "tcp"
},
{
"applicationName": null,
"applicationProtocol": "snmp",
"port": 16161,
"transportProtocol": "udp"
}
],
"status": null,
"tags": [],
"type": "Device",
"updatedOn": "2019-10-04T19:09:59.907+00:00",
"uri": null
}
}
}

Human Readable Output#

Results#

| cidr | createdOn | customerName | id | ips | lastActivity | name | networkInterfaces | notes | os | services | status | tags | type | updatedOn | uri |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 2019-10-04T18:13:30.941+00:00 | Sample Customer | 765432:DNA#DEVICE:AW2X-hCmXdgvNlcDpVGf | 10.103.201.47 | | host.example.com | {'gateway': None, 'hostnames': ['host.example.com'], 'ip': '10.103.201.47', 'macAddress': None, 'macVendor': None, 'subnet': None} | | | {'applicationName': None, 'applicationProtocol': None, 'port': 80, 'transportProtocol': 'tcp'},<br>{'applicationName': None, 'applicationProtocol': 'sunrpcportmap', 'port': 111, 'transportProtocol': 'tcp'},<br>{'applicationName': None, 'applicationProtocol': 'sunrpcportmap', 'port': 111, 'transportProtocol': 'udp'},<br>{'applicationName': None, 'applicationProtocol': 'ntp', 'port': 123, 'transportProtocol': 'udp'},<br>{'applicationName': None, 'applicationProtocol': 'snmp', 'port': 161, 'transportProtocol': 'udp'},<br>{'applicationName': None, 'applicationProtocol': None, 'port': 443, 'transportProtocol': 'tcp'},<br>{'applicationName': None, 'applicationProtocol': 'mysql', 'port': 3306, 'transportProtocol': 'tcp'},<br>{'applicationName': None, 'applicationProtocol': None, 'port': 5672, 'transportProtocol': 'tcp'},<br>{'applicationName': None, 'applicationProtocol': 'snmp', 'port': 16161, 'transportProtocol': 'udp'} | | | Device | 2019-10-04T19:09:59.907+00:00 | |