Uptycs
Overview
Uptycs combines the open source universal agent, osquery, with a scalable security analytics platform for fleet visibility, intrusion detection, vulnerability monitoring and compliance. Uptycs deploys osquery to your entire infrastructure, regardless of operating system mix or hosting environment, collects, and stores system state data. Uptycs will stream that data over secure TLS protocol, storing it in your unique instance, and continuously monitoring for suspicious activity. Integrated third party feeds of known malware, threats and over 170,000 indicators of compromise (IOCs) further enhance threat visibility. Finally, take action with real-time alerts, dashboards and reports packaged for multiple security protocols.
The Demisto-Uptycs integration connects to the Uptycs backend via the Uptycs API. The integration allows the use of Uptycs data in existing workflows. Features include fetching and handling alerts, threat investigation, posting new threat sources, setting tags on assets, and the ability to run arbitrary SQL queries against your Uptycs database or in real-time against registered endpoints.
Uptycs Playbook
- Uptycs - Bad IP Incident and Uptycs - Outbound Connection to Threat IOC Incident Get details about connections which have been opened to known bad IP addresses, including process and parent process information, IP addresses, ports, sockets, and the source of the threat intelligence.
Use Cases
- Incident investigation
- Fetch and handle alerts
- Monitor asset activity
- Audit and compliance
- Vulnerability management
- Mac EDR
Configure Uptycs on Demisto
How to get an API Key and API Secret
In order to create an instance of the integration, you need to download a user API key and secret from your Uptycs account.
- Go to your Uptycs environment.
- Navigate to Configuration > Users.
- In the User API key section, click download.
The downloaded file will have all the information necessary to create the instance.
Parameters
- Navigate to Settings > Integrations > Servers & Services.
- Search for Uptycs.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- API key
- API secret
- API domain: the domain found in your API key file as well as the Top Level Domain for your Uptycs stack (example: if your Uptycs' stack URL is "mystack.uptycs.io" then your API key file will say "mystack" in the domain field. You would then put "mystack.uptycs.io" in the API domain field when configuring your integration instance).
- API customer_id
- Fetch incidents
- Incident type
- Trust any certificate (unsecure)
- Use system proxy
- First fetch since
- Click Test to validate the URLs, token, and connection.
Fetched Incidents Data
The Demisto-Uptycs integration creates incients from Uptycs alerts using the Uptycs API
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- uptycs-get-assets
- uptycs-run-query
- uptycs-get-alerts
- uptycs-get-alert-rules
- uptycs-get-event-rules
- uptycs-get-events
- uptycs-get-process-open-sockets
- uptycs-get-process-information
- uptycs-get-process-child-processes
- uptycs-get-processes
- uptycs-get-process-open-files
- uptycs-set-alert-status
- uptycs-set-asset-tag
- uptycs-get-user-information
- uptycs-get-threat-indicators
- uptycs-get-threat-sources
- uptycs-get-threat-vendors
- uptycs-get-parent-information
- uptycs-post-threat-source
- uptycs-get-users
- uptycs-get-asset-groups
- uptycs-get-user-asset-groups
- uptycs-get-threat-indicator
- uptycs-get-threat-source
- uptycs-get-process-events
- uptycs-get-process-event-information
- uptycs-get-socket-events
- uptycs-get-parent-event-information
- uptycs-get-socket-event-information
- uptycs-get-asset-tags
- uptycs-get-saved-queries
- uptycs-run-saved-query
- uptycs-post-saved-query
1. uptycs-get-assets
return assets enrolled with Uptycs
Base Command
uptycs-get-assets
Input
Argument Name | Description | Required |
---|---|---|
asset_group_id | Only return assets which are a member of this asset group | Optional |
host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
os | Only return assets with this type of operating system. | Optional |
asset_id | Only return the asset with this unique asset id | Optional |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.Assets.id | string | Uptycs asset id |
Uptycs.Assets.created_at | date | Time asset was enrolled with Uptycs |
Uptycs.Assets.host_name | string | Hostname in Uptycs DB |
Uptycs.Assets.os | string | os installed on asset (Windows, Linux, Mac OS X) |
Uptycs.Assets.os_version | string | os version |
Uptycs.Assets.last_activity_at | date | Last activity |
Uptycs.Assets.deleted_at | date | Time asset was unenrolled from Uptycs |
Uptycs.Assets.osquery_version | string | Current version of osquery installed on the asset |
Command Example
uptycs-get-assets os="Mac OS X/Apple OS X/macOS" limit=1
Context Example
Human Readable Output
Uptycs Assets
id | host_name | os | os_version | osquery_version | last_activity_at |
---|---|---|---|---|---|
984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | Mac OS X | 10.14.5 | 3.2.6.51-Uptycs | 2019-07-19 17:02:41.704 |
2. uptycs-run-query
enter a SQL query to run against your Uptycs database. A list of tables can be found at osquery.io/schema, or by using the query "select * from information_schema.tables"
Base Command
uptycs-run-query
Input
Argument Name | Description | Required |
---|---|---|
query | This is the query that will be run. Queries should be written for a SQLite database. For example, "SELECT * FROM processes" returns the entire table named "processes". | Required |
query_type | The query can be run globally (returns results for entire history stored in Uptycs DB) or real-time (returns results for queries run on endpoints at the time of query execution) | Required |
asset_id | realtime queries only This argument should be used when one wants to run a realtime query on a particular asset. | Optional |
host_name_is | realtime queries only Only return assets with this hostname | Optional |
host_name_like | realtime queries only . Only return assets with this string in the hostname. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.QueryResults | unknown | Results of executed query |
Command Example
uptycs-run-query query="SELECT * FROM process_open_sockets LIMIT 10" query_type=global host_name_like="uptycs-osquery-"
Context Example
Human Readable Output
Uptycs Query Result
protocol | family | upt_counter | pid | upt_asset_id | upt_hostname | local_port | upt_asset_tags | upt_hash | upt_asset_group_id | state | upt_time | local_address | upt_added | upt_server_time | remote_address | fd | upt_asset_group_name | path | upt_day | socket | upt_epoch | remote_port | net_namespace |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6 | 2 | 20595 | 11 | a4991bf9-13e3-026b-7b46-af192746d556 | uptycs-osquery-d4trq | 45864 | 1752f1a2-f773-5812-b611-577ee662b889 | ESTABLISHED | 2019-04-18 02:37:09.000 | 10.8.0.29 | false | 18.213.163.112 | 14 | 20190418 | 127377813 | 0 | 443 | 4026532943 | |||||
6 | 2 | 20595 | 11 | a4991bf9-13e3-026b-7b46-af192746d556 | uptycs-osquery-d4trq | 45864 | 70dce553-3bca-5701-834c-8f2b94afd8f3 | CLOSE_WAIT | 2019-04-18 02:37:09.000 | 10.8.0.29 | true | 18.213.163.112 | 14 | 20190418 | 127377813 | 0 | 443 | 4026532943 | |||||
6 | 2 | 1267 | 11 | a4991bf9-13e3-026b-7b46-af192746d556 | uptycs-osquery-d4trq | 34164 | f8d24a1b-15d5-5c41-9994-2f70920fdc39 | CLOSE_WAIT | 2019-04-18 20:52:05.000 | 10.8.0.29 | false | 18.213.163.112 | 14 | 20190418 | 128588161 | 0 | 443 | 4026532943 | |||||
6 | 2 | 1267 | 11 | a4991bf9-13e3-026b-7b46-af192746d556 | uptycs-osquery-d4trq | 34754 | 0603bdcc-8e90-58d9-831e-8adb3ca35358 | ESTABLISHED | 2019-04-18 20:52:05.000 | 10.8.0.29 | true | 18.213.163.112 | 14 | 20190418 | 128594058 | 0 | 443 | 4026532943 | |||||
6 | 2 | 1024 | 2545 | 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | 61925 | 754d2272-caf2-5d56-8638-984d7392e7f2 | ESTABLISHED | 2019-04-18 15:26:49.000 | 192.168.1.161 | false | 18.213.163.112 | 186 | 20190418 | 0 | 0 | 443 | ||||||
6 | 2 | 1024 | 2545 | 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | 61934 | ce103524-0f5f-5aea-abad-b8529620b7bf | ESTABLISHED | 2019-04-18 15:26:49.000 | 192.168.1.161 | false | 18.213.163.112 | 191 | 20190418 | 0 | 0 | 443 | ||||||
6 | 2 | 1024 | 854 | 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | 61573 | c2f00244-9fa4-5c47-a49b-9bd0390d169f | ESTABLISHED | 2019-04-18 15:26:49.000 | 192.168.1.161 | false | 149.96.6.118 | 33 | 20190418 | 0 | 0 | 443 | ||||||
6 | 2 | 1024 | 2545 | 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | 61919 | 0439a9f5-130d-5ff4-a8df-d72275e4b9e2 | ESTABLISHED | 2019-04-18 15:26:49.000 | 192.168.1.161 | false | 18.213.163.112 | 54 | 20190418 | 0 | 0 | 443 | ||||||
6 | 2 | 1024 | 854 | 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | 61573 | fe0218c2-b337-5198-ac9c-a1f8784a2c08 | ESTABLISHED | 2019-04-18 15:26:49.000 | 192.168.1.161 | false | 149.96.6.118 | 62 | 20190418 | 0 | 0 | 443 | ||||||
6 | 2 | 1024 | 854 | 984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | 61939 | 6194c89c-171c-55c8-9355-5b53a4a28a5a | ESTABLISHED | 2019-04-18 15:26:49.000 | 192.168.1.161 | true | 149.96.6.118 | 7 | 20190418 | 0 | 0 | 443 |
3. uptycs-get-alerts
return alerts from Uptycs DB
Base Command
uptycs-get-alerts
Input
Argument Name | Description | Required |
---|---|---|
alert_id | Unique Uptycs alert id which will retrieve a specific alert. Use this argument without any other arguments. | Optional |
asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional |
code | Alert code to specify which types of alerts you would like to retrieve | Optional |
host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
start_window | Beginning of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
end_window | End of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional |
value | Varies for different alerts. For example, a Bad IP alert would have the IP address as the value. A program crash alert would have the name of the program which crashed as the value. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.Alerts.description | string | Description of alert |
Uptycs.Alerts.upt_asset_id | string | Uptycs asset ID |
Uptycs.Alerts.code | string | Alert code in Uptycs DB |
Uptycs.Alerts.severity | string | The severity of the alert |
Uptycs.Alerts.alert_time | date | Time alert was created at |
Uptycs.Alerts.value | string | Specific problem which caused an alert. It may be an IP address, a program that crashed, a file with a file hash known to be malware, etc. |
Uptycs.Alerts.host_name | string | Hostname for the asset which fired the alert |
Uptycs.Alerts.id | string | unique Uptycs id for a particular alert |
Uptycs.Alerts.threat_indicator_id | string | unique Uptycs id that identifies the threat indicator which triggered this alert |
Uptycs.Alerts.threat_source_name | string | name of the source of the threat indicator that triggered this alert |
Uptycs.Alerts.pid | number | pid of the process which was responsible for firing the alert |
Command Example
uptycs-get-alerts limit=1 time_ago="30 days"
Context Example
Human Readable Output
Uptycs Alerts:
upt_asset_id | host_name | grouping | alert_time | description | value | severity | threat_indicator_id | threat_source_name |
---|---|---|---|---|---|---|---|---|
984d4a7a-9f3a-580a-a3ef-2841a561669b | kyle-mbp-work | OS X Crashes | 2019-07-02 11:41:22.000 | Crash | Amazon Music Helper | medium | No threat indicator for this alert | No threat source for this alert |
4. uptycs-get-alert-rules
retrieve a list of alert rules
Base Command
uptycs-get-alert-rules
Input
Argument Name | Description | Required |
---|---|---|
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
Context Output
There is no context output for this command.
Command Example
uptycs-get-alert-rules limit=1
Context Example
Human Readable Output
Uptycs Alert Rules
name | description | grouping | enabled | updatedAt | code |
---|---|---|---|---|---|
Bad Domain Alert | Bad Domain Alert | Bad Domain | true | 2019-06-19T08:17:04.892Z | BAD_DOMAIN |
5. uptycs-get-event-rules
retrieve a list of event rules
Base Command
uptycs-get-event-rules
Input
Argument Name | Description | Required |
---|---|---|
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
Context Output
There is no context output for this command.
Command Example
uptycs-get-event-rules limit=1
Context Example
Human Readable Output
Uptycs Event Rules
name | description | grouping | enabled | updatedAt | code |
---|---|---|---|---|---|
Bad domain | Malicious domain resolved | default | true | 2019-06-19T08:17:05.115Z | BAD_DOMAIN |
6. uptycs-get-events
return events from Uptycs DB
Base Command
uptycs-get-events
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional |
code | Event code to specify which types of events you would like to retrieve | Optional |
host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
start_window | Beginning of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
end_window | End of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.Events.description | string | Description of event |
Uptycs.Events.asset_id | string | Uptycs asset ID |
Uptycs.Events.code | string | Event code in Uptycs DB |
Uptycs.Events.created_at | date | Time event was created at |
Uptycs.Events.id | string | Uptycs event id for this particular event |
Uptycs.Events.host_name | string | Hostname for the assets this event occurred on |
Uptycs.Events.grouping | string | Group that this event belongs to |
Uptycs.Events.value | string | The value will be different for different types of events. It is that which triggered the event. For example, a Bad IP connection will have the IP address here, and a program crash will have the name of the program that crashed here. |
Uptycs.Events.severity | string | The severity of the event |
Command Example
uptycs-get-events limit=10 time_ago="30 days"
Context Example
Human Readable Output
Uptycs Events
host_name | grouping | event_time | description | value | severity |
---|---|---|---|---|---|
brandons-mini.fios-router.home | OS X Crashes | 2019-07-07 13:03:11.000 | Crash | mediaremoted | medium |
kyle-mbp-work | OS X Crashes | 2019-07-02 11:41:22.000 | Crash | Amazon Music Helper | medium |
kyle-mbp-work | OS X Crashes | 2019-06-27 09:26:25.000 | Crash | Amazon Music Helper | medium |
kyle-mbp-work | OS X Crashes | 2019-06-27 09:26:25.000 | Crash | osqueryd | medium |
brandons-mini.fios-router.home | OS X Crashes | 2019-06-27 00:08:17.000 | Crash | mediaremoted | medium |
kyle-mbp-work | OS X Crashes | 2019-06-25 15:19:08.000 | Crash | Amazon Music Helper | medium |
kyle-mbp-work | OS X Crashes | 2019-06-25 15:19:08.000 | Crash | osqueryd | medium |
brandons-mini.fios-router.home | OS X Crashes | 2019-06-24 19:25:30.000 | Crash | mediaremoted | medium |
kyle-mbp-work | OS X Crashes | 2019-06-23 22:23:49.000 | Crash | Amazon Music Helper | medium |
kyle-mbp-work | OS X Crashes | 2019-06-23 22:23:49.000 | Crash | osqueryd | medium |
7. uptycs-get-process-open-sockets
find processes which opened a socket
Base Command
uptycs-get-process-open-sockets
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional |
host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
ip | IP address which process opened a socket to. | Optional |
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
start_window | Beginning of window to search for open sockets. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
end_window | End of window to search for open sockets. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
time | Exact time at which the socket was opened. | Optional |
time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.Sockets.pid | number | pid of process which opened a connection to a specified IP |
Uptycs.Sockets.upt_hostname | string | hostname of the asset which ran the specified process |
Uptycs.Sockets.upt_time | date | time at which the connection was opened |
Uptycs.Sockets.path | string | file path to the process being run |
Uptycs.Sockets.local_address | string | local IP for specified connection |
Uptycs.Sockets.remote_address | string | remote IP for specified connection |
Uptycs.Sockets.local_port | number | local port for specified connection |
Uptycs.Sockets.remote_port | number | remote port for specified connection |
Uptycs.Sockets.upt_asset_id | string | asset id for asset which ran the specified process |
Uptycs.Sockets.socket | number | socket used to open the connection |
Uptycs.Sockets.family | number | network protocol |
Uptycs.Sockets.state | string | state of the connection |
Uptycs.Sockets.protocol | number | transport protocol |
Command Example
uptycs-get-process-open-sockets limit=1
Context Example
Human Readable Output
process_open_sockets
upt_hostname | pid | local_address | remote_address | upt_time | local_port | remote_port | socket |
---|---|---|---|---|---|---|---|
kyle-mbp-work | 704 | 192.168.86.61 | 69.147.92.12 | 2019-07-19 17:03:31.000 | 54755 | 443 | 0 |
8. uptycs-get-process-information
get information for a particular process
Base Command
uptycs-get-process-information
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Only return assets with this asset id. Do not use arguments "asset_id" and "host_name_is" at the same time. | Optional |
host_name_is | Hostname for asset which spawned the specified process. | Optional |
pid | pid for the process. | Required |
time | Time that the specified process was spawned. | Required |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.Proc.pid | number | pid for the process |
Uptycs.Proc.upt_hostname | string | hostname for asset which spawned the specified process |
Uptycs.Proc.upt_asset_id | string | asset id for asset which spawned the specified process |
Uptycs.Proc.parent | number | pid for the parent process |
Uptycs.Proc.upt_add_time | date | time that the process was spawned |
Uptycs.Proc.upt_remove_time | date | time that the process was removed |
Uptycs.Proc.path | string | path to the process binary |
Uptycs.Proc.name | string | name of the process |
Uptycs.Proc.cmdline | string | complete argv of the process |
Uptycs.Proc.pgroup | number | process group |
Uptycs.Proc.cwd | string | process current working directory |
Command Example
uptycs-get-process-information asset_id="984d4a7a-9f3a-580a-a3ef-2841a561669b" pid=5119 time="2019-01-29 17:05:07.000"
Context Example
Human Readable Output
Process information
upt_hostname | parent | pid | name | path | cmdline |
---|---|---|---|---|---|
kyle-mbp-work | 484 | 5119 | VBoxHeadless | /Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless | /Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless --comment vagrant_default_1535385658307_92120 --startvm 11742093-a8fa-4189-a88c-afc4cb7c70a6 --vrde config |
9. uptycs-get-process-child-processes
get all the child processes for a given parent process
Base Command
uptycs-get-process-child-processes
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Only return assets with this asset_id. Do not use arguments "asset_id" and "host_name_is" at the same time. | Optional |
host_name_is | hostname for the asset which executed these processes. | Optional |
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
parent | The pid for which all child processes will be found | Required |
parent_start_time | time at which the parent process was spawned | Required |
parent_end_time | time at which the parent process was killed, if it exists. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.Children.pid | number | pid of a child process |
Uptycs.Children.upt_asset_id | string | asset id for asset which this process was run on |
Uptycs.Children.upt_hostname | string | hostname for asset which spawned the specified process |
Uptycs.Children.upt_add_time | date | time that the process was spawned |
Uptycs.Children.upt_remove_time | date | time that the process was removed |
Uptycs.Children.path | string | path to the process binary |
Uptycs.Children.parent | number | parent pid |
Uptycs.Children.name | string | name of the process |
Uptycs.Children.cmdline | string | complete argv for the process |
Uptycs.Children.pgroup | number | process group |
Uptycs.Children.cwd | string | process current working directory |
Command Example
uptycs-get-process-child-processes asset_id="984d4a7a-9f3a-580a-a3ef-2841a561669b" parent=484 parent_start_time="2019-01-28 14:16:58.000" parent_end_time="2019-01-29 19:21:31.000"
Context Example
Human Readable Output
Child processes of a specified pid
upt_hostname | pid | name | path | cmdline | upt_add_time |
---|---|---|---|---|---|
kyle-mbp-work | 5119 | VBoxHeadless | /Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless | /Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless --comment vagrant_default_1535385658307_92120 --startvm 11742093-a8fa-4189-a88c-afc4cb7c70a6 --vrde config | 2019-01-29 16:14:27.000 |
kyle-mbp-work | 5008 | VirtualBoxVM | /Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM | /Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM --comment vagrant_default_1535385658307_92120 --startvm 11742093-a8fa-4189-a88c-afc4cb7c70a6 --no-startvm-errormsgbox | 2019-01-29 16:00:17.000 |
kyle-mbp-work | 5002 | VirtualBoxVM | /Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM | /Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM --comment basevm_centos_7_orig --startvm 58264539-0e7a-418f-91be-365aa0f20854 --no-startvm-errormsgbox | 2019-01-29 15:58:10.000 |
kyle-mbp-work | 4994 | VirtualBoxVM | /Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM | /Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM --comment vagrant_default_1535385658307_92120 --startvm 11742093-a8fa-4189-a88c-afc4cb7c70a6 --no-startvm-errormsgbox | 2019-01-29 15:55:32.000 |
kyle-mbp-work | 3448 | VirtualBoxVM | /Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM | /Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM --comment ova-31822- --startvm d7414d11-5764-4583-aeb6-94e5527c851c --no-startvm-errormsgbox | 2019-01-28 17:00:39.000 |
10. uptycs-get-processes
find processes which are running or have run on a registered Uptycs asset
Base Command
uptycs-get-processes
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional |
host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
start_window | Beginning of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
end_window | End of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
time | Exact time at which the process was spawned. | Optional |
time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.Process.pid | number | pid for a particular process |
Uptycs.Process.parent | number | pid for the parent of a particular process |
Uptycs.Process.upt_asset_id | string | uptycs asset id for the asset which is running (or ran) the process |
Uptycs.Process.upt_hostname | string | host name for the asset which is running (or ran) the process |
Uptycs.Process.upt_time | date | time at which the process was spawned |
Uptycs.Process.name | string | name of the process |
Uptycs.Process.path | string | path to the process binary |
Uptycs.Process.cmdline | string | comeplete argv for the process |
Uptycs.Process.pgroup | number | process group |
Uptycs.Process.cwd | string | process current working directory |
Command Example
uptycs-get-processes limit=1
Context Example
Human Readable Output
Processes
upt_hostname | pid | name | path | upt_time | parent | cmdline |
---|---|---|---|---|---|---|
kyle-mbp-work | 60051 | SCHelper | /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper | 2019-07-19 07:29:32.000 | 1 | /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper |
11. uptycs-get-process-open-files
find processes which have opened files
Base Command
uptycs-get-process-open-files
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional |
host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
start_window | Beginning of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
end_window | End of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
time | Exact time at which the process was spawned. | Optional |
time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.Files.pid | number | pid for the process which opened a file |
Uptycs.Files.fd | number | process specific file descriptor number |
Uptycs.Files.upt_asset_id | string | Uptycs asset id for the the asset on which the file was opened |
Uptycs.Files.upt_hostname | string | Host name for the asset on which the file was opened |
Uptycs.Files.upt_time | date | time at which the file was opened |
Uptycs.Files.path | string | filesystem path of the file descriptor |
Command Example
uptycs-get-process-open-files limit=1
Context Example
Human Readable Output
Process which has opened a file
upt_hostname | pid | path | fd | upt_time |
---|---|---|---|---|
uptycs-osquery-mhntm | 30143 | /var/osquery/osquery.db/001951.log | 35 | 2019-07-19 17:00:38.000 |
12. uptycs-set-alert-status
Set the status of an alert to new, assigned, resolved, or closed
Base Command
uptycs-set-alert-status
Input
Argument Name | Description | Required |
---|---|---|
alert_id | Uptycs alert id used to identify a particular alert | Required |
status | Status of the alert can be new, assigned, resolved, or closed | Required |
Context Output
There is no context output for this command.
Command Example
uptycs-set-alert-status alert_id="9cb18abd-2c9a-43a8-988a-0601e9140f6c" status=assigned
Context Example
Human Readable Output
Uptycs Alert Status
id | code | status | createdAt | updatedAt |
---|---|---|---|---|
9cb18abd-2c9a-43a8-988a-0601e9140f6c | OUTBOUND_CONNECTION_TO_THREAT_IOC | assigned | 2019-02-22T21:13:21.238Z | 2019-07-19T17:07:27.447Z |
13. uptycs-set-asset-tag
Sets a tag on a particular asset
Base Command
uptycs-set-asset-tag
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Uptycs asset id for the asset that the tag should be set on | Required |
tag_key | Tag key that will be set on the asset | Required |
tag_value | Tag value that will be set on the asset | Optional |
Context Output
There is no context output for this command.
Command Example
uptycs-set-asset-tag asset_id="984d4a7a-9f3a-580a-a3ef-2841a561669b" tag_key="Uptycs" tag_value="work laptop"
Context Example
Human Readable Output
Uptycs Asset Tag
hostName | tags |
---|---|
kyle-mbp-work | Uptycs=work laptop, owner=Uptycs office, network=low, cpu=unknown, memory=unknown, disk=high |
14. uptycs-get-user-information
get info for an Uptycs user
Base Command
uptycs-get-user-information
Input
Argument Name | Description | Required |
---|---|---|
user_id | Unique Uptycs id for the user | Required |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.UserInfo.id | string | unique Uptycs id for the user |
Uptycs.UserInfo.name | string | Uptycs user's name |
Uptycs.UserInfo.email | string | Uptycs user's email address |
Command Example
uptycs-get-user-information user_id="33436e24-f30f-42d0-8438-d948be12b5af"
Context Example
Human Readable Output
Uptycs User Information
name | id | |
---|---|---|
B schmoll | goo@test.com | 33436e24-f30f-42d0-8438-d948be12b5af |
15. uptycs-get-threat-indicators
get Uptycs threat indicators
Base Command
uptycs-get-threat-indicators
Input
Argument Name | Description | Required |
---|---|---|
indicator | the specific indicator you wish to search for. This can be an IP address, a Bad Domain, etc. as well ass any indicators you have added. | Optional |
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
Context Output
There is no context output for this command.
Command Example
uptycs-get-threat-indicators limit=1
Context Example
Human Readable Output
Uptycs Threat Indicators
id | indicator | description | indicatorType | createdAt | isActive | threatId |
---|---|---|---|---|---|---|
8e54f94c-469a-4737-9eef-4e650a93ab58 | 54.165.17.209 | malware.com | IPv4 | 2019-07-19T16:44:17.511Z | true | b3f44b34-f6a1-46bc-88f1-9755e3ac1a65 |
16. uptycs-get-threat-sources
get Uptycs threat sources
Base Command
uptycs-get-threat-sources
Input
Argument Name | Description | Required |
---|---|---|
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
Context Output
There is no context output for this command.
Command Example
uptycs-get-threat-sources limit=1
Context Example
Human Readable Output
Uptycs Threat Sources
name | description | url | enabled | custom | createdAt | lastDownload |
---|---|---|---|---|---|---|
AlienVault Open Threat Exchange Malicious Domains and IPs | A feed of malicious domains and IP addresses | 4533da856e43f06ee00bb5f1adf170a0ce5cacaca5992ab1279733c2bdd0a88c | true | false | 2019-05-12T01:01:04.154Z | 2019-05-13T01:00:05.934Z |
17. uptycs-get-threat-vendors
get Uptycs threat vendors
Base Command
uptycs-get-threat-vendors
Input
Argument Name | Description | Required |
---|---|---|
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
Context Output
There is no context output for this command.
Command Example
uptycs-get-threat-vendors
Context Example
Human Readable Output
Uptycs Threat Vendors
description | url | updatedAt | customerId | numIocs | numThreats | lastDownload | id | createdAt | name |
---|---|---|---|---|---|---|---|---|---|
2018-11-20T19:15:05.611Z | e8213ef3-ef92-460e-a542-46dccd700c16 | 42b9220c-7e29-4fd8-9cf7-9f811e851f8e | 2018-11-20T19:15:05.611Z | Bschmoll Inc.-Threats |
18. uptycs-get-parent-information
get the parent process information for a particular child process
Base Command
uptycs-get-parent-information
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Only return assets with this asset id. Do not use arguments "asset_id" and "host_name_is" at the same time. | Optional |
child_add_time | Time that the specified process was spawned. | Required |
host_name_is | Hostname for asset which spawned the specified process. | Optional |
parent | pid for the parent process. | Required |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.Parent.pid | number | pid of the process (this is the same number as the input argument 'parent') |
Uptycs.Parent.upt_hostname | string | hostname for asset which spawned the specified process |
Uptycs.Parent.upt_asset_id | string | asset id for asset which spawned the specified process |
Uptycs.Parent.parent | number | pid for the parent process (this is the parent of the input argument 'parent') |
Uptycs.Parent.upt_add_time | date | time that the process was spawned |
Uptycs.Parent.upt_remove_time | date | time that the process was removed |
Uptycs.Parent.name | string | name of the process |
Uptycs.Parent.path | string | path to the process binary |
Uptycs.Parent.cmdline | string | complete argv for the process |
Uptycs.Parent.pgroup | number | process group |
Uptycs.Parent.cwd | string | process current working directory |
Command Example
uptycs-get-parent-information asset_id="984d4a7a-9f3a-580a-a3ef-2841a561669b" child_add_time="2019-01-29 16:14:27.000" parent=484
Context Example
Human Readable Output
Parent process information
upt_hostname | parent | pid | name | path | cmdline |
---|---|---|---|---|---|
kyle-mbp-work | 1 | 484 | VBoxSVC | /Applications/VirtualBox.app/Contents/MacOS/VBoxSVC | /Applications/VirtualBox.app/Contents/MacOS/VBoxSVC --auto-shutdown |
19. uptycs-post-threat-source
post a new threat source to your threat sources in Uptycs
Base Command
uptycs-post-threat-source
Input
Argument Name | Description | Required |
---|---|---|
description | A short description for the threat source | Required |
entry_id | entry_id for the file with threat information. This file should be uploaded to demisto in the Playground War Room using the paperclip icon next to the CLI. | Required |
filename | The name of the file being uploaded | Required |
name | The name for the threat source | Required |
Context Output
There is no context output for this command.
Command Example
uptycs-post-threat-source name="testThreatSources" description="testing Uptycs API" entry_id="4322@27d41dbb-9676-4408-88bf-51193334caf7" filename="threatSourcesTest.csv"
Context Example
Human Readable Output
Uptycs Posted Threat Source
20. uptycs-get-users
get a list of Uptycs users
Base Command
uptycs-get-users
Input
Argument Name | Description | Required |
---|---|---|
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.Users.id | string | unique Uptycs id for the user |
Uptycs.Users.name | string | Uptycs user's name |
Uptycs.Users.email | string | Uptycs user's email address |
Uptycs.Users.createdAt | date | datetime this user was added |
Uptycs.Users.updatedAt | date | last time this user was updated |
Uptycs.Users.admin | boolean | true if this user has admin privileges, false otherwise |
Uptycs.Users.active | boolean | true if this user is currently active, false otherwise |
Command Example
uptycs-get-users limit=1
Context Example
Human Readable Output
Uptycs Users
name | id | admin | active | createdAt | updatedAt | |
---|---|---|---|---|---|---|
B schmoll | goo@test.com | 33436e24-f30f-42d0-8438-d948be12b5af | true | true | 2018-09-24T17:24:38.635Z | 2018-09-25T16:10:28.140Z |
21. uptycs-get-asset-groups
get Uptycs asset groups
Base Command
uptycs-get-asset-groups
Input
Argument Name | Description | Required |
---|---|---|
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.AssetGroups.id | string | unique Uptycs id for a particular object group |
Uptycs.AssetGroups.custom | boolean | true if this is a custom asset group, false otherwise |
Uptycs.AssetGroups.createdAt | date | datetime the group was created |
Uptycs.AssetGroups.updatedAt | date | datetime the group was last updated |
Command Example
uptycs-get-asset-groups
Context Example
Human Readable Output
Uptycs Users
id | name | description | objectType | custom | createdAt | updatedAt |
---|---|---|---|---|---|---|
106eef5e-c3a6-44eb-bb3d-1a2087cded3d | assets | Default asset group | ASSET | false | 2018-09-24T17:24:45.604Z | 2018-09-24T17:24:45.604Z |
a73353c1-1b27-4eea-9a7c-d2f946cca030 | enrolling | Enrolling asset group | ASSET | false | 2018-09-24T17:24:45.601Z | 2018-09-24T17:24:45.601Z |
22. uptycs-get-user-asset-groups
get a list of users in a particular asset group
Base Command
uptycs-get-user-asset-groups
Input
Argument Name | Description | Required |
---|---|---|
asset_group_id | return a list of users with access to this asset group | Required |
Context Output
There is no context output for this command.
Command Example
uptycs-get-user-asset-groups asset_group_id="106eef5e-c3a6-44eb-bb3d-1a2087cded3d"
Context Example
Human Readable Output
Uptycs User Asset Groups
B schmoll | Mike Boldi | Milan Shah |
---|---|---|
email: goo@test.com id: 33436e24-f30f-42d0-8438-d948be12b5af | email: woo@test.com id: e43b0119-8d23-4ea2-9fd9-3a9ff14fc195 | email: foo@test.com id: 89d26aa4-f0a8-48d9-a174-ce5285d9dd60 |
23. uptycs-get-threat-indicator
retrieve information about a specific threat indicator using a unique threat indicator id
Base Command
uptycs-get-threat-indicator
Input
Argument Name | Description | Required |
---|---|---|
indicator_id | unique Uptycs id which identifies a specific threat indicator | Required |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.ThreatIndicator.threat_source_id | string | unique Uptycs id which identifies the source of this specific threat indicator |
Uptycs.ThreatIndicator.threat_vendor_id | string | unique Uptycs id which identifies the vendor of this specific threat source |
Uptycs.ThreatIndicator.indicatorType | string | type of threat indicator (IPv4, domain,...) |
Uptycs.ThreatIndicator.indicator | string | threat indicator |
Uptycs.ThreatIndicator.createdAt | date | datetime the threat indicator was created |
Uptycs.ThreatIndicator.threadId | string | unique id for the group of threat indicators this thread indicator belongs to |
Uptycs.ThreatIndicator.id | string | unique id for this particular threat indicator |
Command Example
uptycs-get-threat-indicator indicator_id="0ab619bb-cfe0-4db0-8a31-0a71fcc2a362"
Context Example
Human Readable Output
Uptycs Threat Indicator
id | indicator | description | indicatorType | createdAt | isActive | threatId |
---|---|---|---|---|---|---|
0ab619bb-cfe0-4db0-8a31-0a71fcc2a362 | 92.242.140.21 | nishant.uptycs.io | IPv4 | 2019-01-10T21:25:49.280Z | true | 60e2e9eb-f756-4a4d-a85d-55aa8167d59d |
24. uptycs-get-threat-source
retrieve information about a specific threat source
Base Command
uptycs-get-threat-source
Input
Argument Name | Description | Required |
---|---|---|
threat_source_id | unique Uptycs id for the threat source you wish to retrive | Required |
Context Output
There is no context output for this command.
Command Example
uptycs-get-threat-source threat_source_id="20ee2177-4fdc-4070-a046-945048373dd1"
Context Example
Human Readable Output
Uptycs Threat Sources
name | description | url | enabled | custom | createdAt | lastDownload |
---|---|---|---|---|---|---|
Debian Linux vulnerabilities | Debian Linux vulnerabilities | https://vulners.com/api/v3/archive/collection/?type=debian | true | false | 2018-09-14T18:43:54.832Z |
25. uptycs-get-process-events
find process events which are running or have run on a registered Uptycs asset
Base Command
uptycs-get-process-events
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional |
host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
start_window | Beginning of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
end_window | End of window to search for open connections. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
time | Exact time at which the process was spawned. | Optional |
time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.ProcessEvents.pid | number | pid for a particular process |
Uptycs.ProcessEvents.parent | number | pid for the parent of a particular process |
Uptycs.ProcessEvents.upt_asset_id | string | uptycs asset id for the asset which is running (or ran) the process |
Uptycs.ProcessEvents.upt_hostname | string | host name for the asset which is running (or ran) the process |
Uptycs.ProcessEvents.upt_time | date | time at which the process was spawned |
Uptycs.ProcessEvents.path | string | path to the process binary |
Uptycs.ProcessEvents.cmdline | string | comeplete argv for the process |
Uptycs.ProcessEvents.cwd | string | process current working directory |
Command Example
uptycs-get-process-events limit=1
Context Example
Human Readable Output
Process events
upt_hostname | pid | path | upt_time | parent | cmdline |
---|---|---|---|---|---|
kyle-mbp-work | 60067 | /usr/sbin/spctl | 2019-07-19 09:29:47.000 | 60065 | /usr/sbin/spctl --status |
26. uptycs-get-process-event-information
get information for a particular process event
Base Command
uptycs-get-process-event-information
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Only return assets with this asset id. Do not use arguments "asset_id" and "host_name_is" at the same time. | Optional |
host_name_is | Hostname for asset which spawned the specified process. | Optional |
pid | pid for the process. | Required |
time | Time that the specified process was spawned. | Required |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.ProcEvent.pid | number | pid for the process |
Uptycs.ProcEvent.upt_hostname | string | hostname for asset which spawned the specified process |
Uptycs.ProcEvent.upt_asset_id | string | asset id for asset which spawned the specified process |
Uptycs.ProcEvent.parent | number | pid for the parent process |
Uptycs.ProcEvent.upt_time | date | time that the process was spawned |
Uptycs.ProcEvent.path | string | path to the process binary |
Uptycs.ProcEvent.cmdline | string | comeplete argv for the process |
Uptycs.ProcEvent.cwd | string | process current working directory |
Command Example
uptycs-get-process-event-information asset_id="984d4a7a-9f3a-580a-a3ef-2841a561669b" pid=3318 time="2019-02-28 18:43:04.000"
Context Example
Human Readable Output
Process event information
upt_hostname | parent | pid | path | cmdline |
---|---|---|---|---|
kyle-mbp-work | 1 | 3318 | /dev/console | xpcproxy com.apple.WebKit.WebContent.024FB342-0ECE-4E09-82E1-B9C9CF5F9CDF 3266 |
27. uptycs-get-socket-events
find processes which opened a socket
Base Command
uptycs-get-socket-events
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Only return assets with this asset id. Do not use arguments "asset_id", "host_name_is" or "host_name_like" at the same time. | Optional |
host_name_is | Only return assets with this hostname. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
host_name_like | Only return assets with this string in the hostname. Use this to find a selection of assets with similar hostnames. Do not use arguments "host_name_is" and "host_name_like" at the same time. | Optional |
ip | IP address which process opened a socket to. | Optional |
limit | Limit the number of entries returned. Use -1 to return all entries (may run slow or cause a time out). | Optional |
start_window | Beginning of window to search for open sockets. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
end_window | End of window to search for open sockets. Format is "YYYY-MM-DD HH:MM:SS.000", for example, March 15, 2019 at 1:52:36 am would be written as "2019-03-15 01:52:36.000". | Optional |
time | Exact time at which the socket was opened. | Optional |
time_ago | Specifies how far back you want to look. Format examples: 2 hours, 4 minutes, 6 month, 1 day, etc. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.SocketEvents.pid | number | pid of process which opened a connection to a specified IP |
Uptycs.SocketEvents.upt_hostname | string | hostname of the asset which ran the specified process |
Uptycs.SocketEvents.upt_time | date | time at which the connection was opened |
Uptycs.SocketEvents.path | string | file path to the process being run |
Uptycs.SocketEvents.local_address | string | local IP for specified connection |
Uptycs.SocketEvents.remote_address | string | remote IP for specified connection |
Uptycs.SocketEvents.local_port | number | local port for specified connection |
Uptycs.SocketEvents.remote_port | number | remote port for specified connection |
Uptycs.SocketEvents.upt_asset_id | string | asset id for asset which ran the specified process |
Uptycs.SocketEvents.socket | number | socket used to open the connection |
Uptycs.SocketEvents.family | number | network protocol |
Uptycs.SocketEvents.action | string | type of socket event (accept, connect, or bind) |
Uptycs.SocketEvents.protocol | number | transfer protocol |
Command Example
uptycs-get-socket-events limit=1 remote_address="98.239.146.208"
Context Example
Human Readable Output
Socket events
upt_hostname | pid | local_address | remote_address | upt_time | local_port | action |
---|---|---|---|---|---|---|
kyle-mbp-work | 89 | 0.0.0.0 | 17.142.171.8 | 2019-07-19 09:29:52.000 | 47873 | connect |
28. uptycs-get-parent-event-information
find information for parent process events which are running or have run on a registered Uptycs assert
Base Command
uptycs-get-parent-event-information
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Only return assets with this asset id. Do not use arguments "asset_id" and "host_name_is" at the same time. | Optional |
child_add_time | Time that the specified process was spawned. | Required |
host_name_is | Hostname for asset which spawned the specified process. | Optional |
parent | pid for the parent process. | Required |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.ParentEvent.pid | number | pid of the process (this is the same number as the input argument 'parent') |
Uptycs.ParentEvent.upt_hostname | string | hostname for asset which spawned the specified process |
Uptycs.ParentEvent.upt_asset_id | string | asset id for asset which spawned the specified process |
Uptycs.ParentEvent.parent | number | pid for the parent process (this is the parent of the input argument 'parent') |
Uptycs.ParentEvent.upt_time | date | time that the process was spawned |
Uptycs.ParentEvent.path | string | path to the parent process binary |
Uptycs.ParentEvent.cmdline | string | complete argv for the parent process |
Uptycs.ParentEvent.cwd | string | parent process current working cirectory |
Command Example
uptycs-get-parent-event-information child_add_time="2019-05-07 12:24:34.000" parent=9347 host_name_is="kyle-mbp-work"
Context Example
Human Readable Output
Parent process event information
upt_hostname | parent | pid | path | cmdline |
---|---|---|---|---|
kyle-mbp-work | 75 | 9347 | /sbin/mount | /sbin/mount -t hfs -o -u=99,-g=99,-m=755,nodev,noowners,nosuid,owners,nobrowse,-t=4m /dev/disk2s2 /Volumes/Time Machine Backups |
29. uptycs-get-socket-event-information
get information for a particular socket event
Base Command
uptycs-get-socket-event-information
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Only return assets with this asset id. Do not use arguments "asset_id" and "host_name_is" at the same time. | Optional |
host_name_is | Hostname for asset which spawned the specified process. | Optional |
ip | IP address which process opened a socket to. | Required |
time | Time that the specified connection was opened. | Required |
Context Output
Path | Type | Description |
---|---|---|
Uptycs.SocketEvents.pid | number | pid of process which opened a connection to a specified IP |
Uptycs.SocketEvents.upt_hostname | string | hostname of the asset which ran the specified process |
Uptycs.SocketEvents.upt_time | date | time at which the connection was opened |
Uptycs.SocketEvents.path | string | file path to the process being run |
Uptycs.SocketEvents.local_address | string | local IP for specified connection |
Uptycs.SocketEvents.remote_address | string | remote IP for specified connection |
Uptycs.SocketEvents.local_port | number | local port for specified connection |
Uptycs.SocketEvents.remote_port | number | remote port for specified connection |
Uptycs.SocketEvents.upt_asset_id | string | asset id for asset which ran the specified process |
Uptycs.SocketEvents.action | string | type of socket event (accept, connect, or bind) |
Uptycs.SocketEvents.family | number | network protocol |
Uptycs.SocketEvents.socket | number | socket used to open the connection |
Uptycs.SocketEvents.protocol | number | transfer protocol |
Command Example
uptycs-get-socket-event-information ip="18.213.163.112" time="2019-03-18 14:34:31.000"
Context Example
Human Readable Output
Socket event information
upt_hostname | pid | local_address | remote_address | upt_time | local_port | action |
---|---|---|---|---|---|---|
kyle-mbp-work | 16570 | 0.0.0.0 | 18.213.163.112 | 2019-03-18 14:34:31.000 | 47873 | connect |
30. uptycs-get-asset-tags
Retrieve a list of tags for a particular asset
Base Command
uptycs-get-asset-tags
Input
Argument Name | Description | Required |
---|---|---|
asset_id | Uptycs asset id for the asset you are looking for. | Required |
Context Output
There is no context output for this command.
Command Example
uptycs-get-asset-tags asset_id="984d4a7a-9f3a-580a-a3ef-2841a561669b"
Context Example
Human Readable Output
Uptycs Asset Tags for asset id: 984d4a7a-9f3a-580a-a3ef-2841a561669b
Tags |
---|
Uptycs=work laptop |
owner=Uptycs office |
network=low |
cpu=unknown |
memory=unknown |
disk=high |
31. uptycs-get-saved-queries
Retrieve a saved query or list of all saved queries
Base Command
uptycs-get-saved-queries
Input
Argument Name | Description | Required |
---|---|---|
limit | limit the number of entries returned | Optional |
query_id | Only return the query with this unique id | Optional |
name | Only return the query with this name | Optional |
Context Output
There is no context output for this command.
Command Example
uptycs-get-saved-queries name="test_saved_query"
Context Example
Human Readable Output
Uptycs Saved Queries
name | description | query | executionType | grouping | id |
---|---|---|---|---|---|
test_saved_query | this is a test query | select * from upt_assets limit 1 | global | "" | 16de057d-6f69-46b0-80d0-46cb9348c8fe |
32. uptycs-run-saved-query
Run a saved query
Base Command
uptycs-run-saved-query
Input
Argument Name | Description | Required |
---|---|---|
name | The name of the query you want to run | Optional |
query_id | The unique id for the query you want to run | Optional |
asset_id | realtime queries only This argument should be used when one wants to run a realtime query on a particular asset. | Optional |
host_name_is | realtime queries only Only return assets with this hostname | Optional |
host_name_like | realtime queries only . Only return assets with this string in the hostname. | Optional |
variable_arguments | If your saved query has variable arguments, write them here in a json format where the key is the name of the variable argument and value is the value you want to use for this particular query. | Optional |
Context Output
There is no context output for this command.
Command Example
uptycs-run-saved-query name="test_saved_query"
Context Example
Human Readable Output
Uptycs Query Results
city_id | updated_at | hardware_vendor | disabled | last_enrolled_at | deleted_at | gateway | cpu_brand | osquery_version | id | hardware_model | os_version | live | location | latitude | host_name | status | os_key | description | object_group_id | last_activity_at | hardware_serial | created_at | longitude | memory_mb | logical_cores | os_flavor | cores | os |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6ee1f7ef-ad7d-46b1-9f74-384299c90830 | 2018-09-25 16:14:28.898 | Dell Inc. | false | 2018-09-25 16:14:28.863 | 50.79.168.117 | Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz | 3.2.6.15-Uptycs | 4c4c4544-0044-3910-8033-c8c04f5a4832 | PowerEdge T30 | 10.0.14393 | false | United States | 37.751 | caol | active | windows_10.0 | 106eef5e-c3a6-44eb-bb3d-1a2087cded3d | 2018-09-26 17:03:16.187 | HD93ZH2 | 2018-09-25 16:14:28.881 | -97.822 | 16250 | 4 | windows | 4 | Microsoft Windows Server 2016 Datacenter |
33. uptycs-post-saved-query
Save a query to the Uptycs DB
Base Command
uptycs-post-saved-query
Input
Argument Name | Description | Required |
---|---|---|
description | A short description for the query | Optional |
execution_type | The type of query (global or realtime). | Required |
name | The name for the query. This should be unique to this query. | Required |
query | The query which will be saved | Required |
type | Type of issue the query addresses. | Optional |
grouping | Add the query to a group of queries. | Optional |
Context Output
There is no context output for this command.
Command Example
uptycs-post-saved-query name="process_query" query="select * from processes where name=:name limit 1" execution_type=global description="This is a test query with a variable argument for the column 'name’"
Context Example
Human Readable Output
Uptycs Posted Query
name | type | description | query | executionType | grouping | custom |
---|---|---|---|---|---|---|
process_query | default | This is a test query with a variable argument for the column 'name’ | select * from processes where name=:name limit 1 | global | "" | true |
Additional Information
In order to create an instance of the integration, a user API key and secret must be downloaded from the users Uptycs account. After signing in, navigate to Configuration->Users. At the bottom left of the screen you will see a window labeled "User API key". Click download. The downloaded file will have all the information necessary to create the instance.
Known Limitations
While the Demisto-Uptycs integration provides multiple commands with which to access the Uptycs backend, not all features are supported. In particular, configuration changes are best made using the Uptycs UI. Many of the commands have a limit set to reduce the number of rows returned from a query or api call. The limit can be raised, or turned off, however, this may cause the queries take longer to return and potentially return large numbers of rows. When writing queries, it can sometimes be easier to test using the Uptycs UI rather than the integration.