WootCloud

Overview


Append HyperContext™ insights to your SIEM data and feed them into your orchestration workflows. This integration was integrated and tested with version 1.0 of WootCloud

WootCloud Playbook


Use Cases


Configure WootCloud on XSOAR


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for WootCloud.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Client ID
    • API Key
    • Time to retrieve the first fetch (number time unit, e.g., 12 hours, 7 days)
    • Alert Type
    • Severity Type
    • Trust any certificate (not secure)
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data


Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. wootcloud-get-pkt-alerts
  2. wootcloud-get-bt-alerts
  3. wootcloud-get-anomaly-alerts
  4. wootcloud-fetch-packet-alert
  5. wootcloud-fetch-bluetooth-alert
  6. wootcloud-fetch-anomaly-alert

1. wootcloud-get-pkt-alerts


list packet alerts generated in requested time span

Base Command

wootcloud-get-pkt-alerts

Input
Argument NameDescriptionRequired
date_rangeExamples are (2 hours, 4 minutes, 6 month, 1 day, etc.)Required
severityseverity with values of 'notice', 'warning', 'critical'Optional
skipinteger value for pagination. Default value: 0Optional
limitInteger value for pagination. Default value: 10. Max Value: 500Optional
site_idArray of site ids. Only entered if you want results for a particular site(s) (building, city, region)Optional
Context Output
PathTypeDescription
WootCloud.PacketAlert.idStringID of alert
WootCloud.PacketAlert.addressStringMac Address of device
WootCloud.PacketAlert.timestampDateAlert timestamp
WootCloud.PacketAlert.severityStringSeverity level
WootCloud.PacketAlert.categoryStringAlert Category
WootCloud.PacketAlert.signatureStringsignature
WootCloud.PacketAlert.source.cityStringsource city
WootCloud.PacketAlert.source.continentStringsource continent
WootCloud.PacketAlert.source.countryStringsource country
WootCloud.PacketAlert.source.ipStringsource ip
WootCloud.PacketAlert.source.latitudeNumbersource latitude
WootCloud.PacketAlert.source.longitudeNumbersource longitude
WootCloud.PacketAlert.source.macStringsource mac address
WootCloud.PacketAlert.source.networkStringsource network
WootCloud.PacketAlert.source.portNumbersource port
WootCloud.PacketAlert.source.stateStringsource state
WootCloud.PacketAlert.source.subnetStringsource subnet
WootCloud.PacketAlert.source.time_zoneStringsource time zone
WootCloud.PacketAlert.source.zipStringsource zip
WootCloud.PacketAlert.source.inferred.device_idStringsource inferred device ID
WootCloud.PacketAlert.source.inferred.assetStringsource inferred asset
WootCloud.PacketAlert.source.inferred.managedNumbersource inferred managed
WootCloud.PacketAlert.source.inferred.categoryStringsource inferred category
WootCloud.PacketAlert.source.inferred.controlStringsource inferred control
WootCloud.PacketAlert.source.inferred.host_nameStringsource inferred host name
WootCloud.PacketAlert.source.inferred.osStringsource inferred OS
WootCloud.PacketAlert.source.inferred.os_versionStringsource inferred OS version
WootCloud.PacketAlert.source.inferred.ownershipStringsource inferred ownership
WootCloud.PacketAlert.source.inferred.total_riskNumbersource inferred total risk score
WootCloud.PacketAlert.source.inferred.typeStringsource inferred type
WootCloud.PacketAlert.source.inferred.usernameStringsource inferred username
WootCloud.PacketAlert.source.inferred.managed_info.host_nameStringsource inferred managed host name
WootCloud.PacketAlert.destination.cityStringdestination city
WootCloud.PacketAlert.destination.continentStringdestination continent
WootCloud.PacketAlert.destination.countryStringdestination country
WootCloud.PacketAlert.destination.ipStringdestination ip
WootCloud.PacketAlert.destination.latitudeNumberdestination latitude
WootCloud.PacketAlert.destination.longitudeNumberdestination longitude
WootCloud.PacketAlert.destination.macStringdestination mac address
WootCloud.PacketAlert.destination.networkStringdestination network
WootCloud.PacketAlert.destination.portNumberdestination port
WootCloud.PacketAlert.destination.stateStringdestination state
WootCloud.PacketAlert.destination.subnetStringdestination subnet
WootCloud.PacketAlert.destination.time_zoneStringdestination time zone
WootCloud.PacketAlert.destination.zipStringdestination zip
WootCloud.PacketAlert.destination.inferred.device_idStringdestination inferred device ID
WootCloud.PacketAlert.destination.inferred.assetStringdestination inferred asset
WootCloud.PacketAlert.destination.inferred.managedNumberdestination inferred managed
WootCloud.PacketAlert.destination.inferred.categoryStringdestination inferred category
WootCloud.PacketAlert.destination.inferred.controlStringdestination inferred control
WootCloud.PacketAlert.destination.inferred.host_nameStringdestination inferred host name
WootCloud.PacketAlert.destination.inferred.osStringdestination inferred OS
WootCloud.PacketAlert.destination.inferred.os_versionStringdestination inferred OS version
WootCloud.PacketAlert.destination.inferred.ownershipStringdestination inferred ownership
WootCloud.PacketAlert.destination.inferred.total_riskNumberdestination inferred total risk score
WootCloud.PacketAlert.destination.inferred.typeStringdestination inferred type
WootCloud.PacketAlert.destination.inferred.usernameStringdestination inferred username
WootCloud.PacketAlert.destination.inferred.managed_info.host_nameStringdestination inferred managed info hostname
WootCloud.PacketAlert.payloadStringpayload
WootCloud.PacketAlert.http.hostnameStringhttp hostname
WootCloud.PacketAlert.http.http_methodStringhttp methon
WootCloud.PacketAlert.http.http_user_agentStringhttp user agent
WootCloud.PacketAlert.http.lengthNumberhttp length
WootCloud.PacketAlert.http.protocolStringhttp protocol
WootCloud.PacketAlert.http.redirectStringhttp redirect
WootCloud.PacketAlert.http.http_referStringhttp referal
WootCloud.PacketAlert.http.statusNumberhttp status code
WootCloud.PacketAlert.http.urlStringhttp url
WootCloud.PacketAlert.typeStringhttp type
WootCloud.PacketAlert.groupStringgroup
WootCloud.PacketAlert.subtypeStringsubtype
WootCloud.PacketAlert.titleStringtitle
WootCloud.PacketAlert.descriptionStringdescription
WootCloud.PacketAlert.referencesStringreferences
Command Example

!wootcloud-get-pkt-alerts date_range="30 days" severity="info" limit="1"

Context Example
{
"WootCloud.PacketAlert": {
"total": 936,
"packet_alerts": [
{
"category": "User Activity Detected",
"http": null,
"description": "ET POLICY Dropbox.com Offsite File Backup in Use",
"subtype": "policy-violation",
"timestamp": "2020-10-05T13:24:27Z",
"destination": {
"city": "Unknown",
"network": "internal",
"zip": "Unknown",
"state": "Unknown",
"ip": "10.10.10.10",
"inferred": {
"category": "computer",
"control": "user",
"managed_info": {
"host_name": "DESKTOP-73OV7ML"
},
"managed": true,
"type": "computer",
"username": "7c67a2377751",
"os_version": "10",
"host_name": "DESKTOP-73OV7ML",
"ownership": "corporate",
"total_risk": 0,
"device_id": "5b589f43e4b58d191f7e017c",
"os": "windows",
"asset": "managed"
},
"longitude": -1,
"port": 50859,
"mac": "7c:67:a2:37:77:51",
"time_zone": "Unknown",
"country": "Unknown",
"latitude": -1,
"subnet": "10.10.10.10/24",
"continent": "Unknown"
},
"payload": "FgMBAD8CAAA7AwFfex6KaCWAHK2PAn+AeXKn7gdl3rBlmgEppmvBPra35wDAEwAAE/8BAAEAABcAAAAjAAAACwACAQAWAwELtwsAC7MAC7AABvUwggbxMIIF2aADAgECAhAOMaF7icLT8WQSEL2/oQ1SMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xLzAtBgNVBAMTJkRpZ2lDZXJ0IFNIQTIgSGlnaCBBc3N1cmFuY2UgU2VydmVyIENBMB4XDTE4MDgxNjAwMDAwMFoXDTIwMTEwNTEyMDAwMFowfzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xFTATBgNVBAoTDERyb3Bib3gsIEluYzEUMBIGA1UECxMLRHJvcGJveCBPcHMxFjAUBgNVBAMMDSouZHJvcGJveC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbMZ4kqSOyakq5klpRxzam+Wt1NDdrU7K6adUNPKo5HAvhDTMX5qx20CidioaD7VGtkDcfCnuqhQeuyiThaZppvw+nXjEBZ9FBvSlrvaqtABGMIVFxPeQ0Ak86OGu9KxYoti3vgM6wLUYxm1WdOT985okPvUmJBdi1DE2nzUlBCodJPrKuH9zxJzEWgvXZ68oUn8c6XTqXSbZk2MdubvU3jGci5GIxMfoGFrgIOPlFSlM1iAnKqzF117I2eL29knjj5cuecQpAhH4OrIhJIcirr3t+6HURbkdry/P9Q0dy5/Ne8Xn2t2wj/feIPHgmVqyo8+fQoBLZSjypNw63Sqi/AgMBAAGjggN2MIIDcjAfBgNVHSMEGDAWgBRRaP+QrwIHdTzM2WVkYqISuFlyOzAdBgNVHQ4EFgQU03y5xdpYdTODesRSBFJVHvRuOJ0wJQYDVR0RBB4wHIINKi5kcm9wYm94LmNvbYILZHJvcGJveC5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzYuY3JsMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMIGDBggrBgEFBQcBAQR3MHUwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcwAoZBaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhpZ2hBc3N1cmFuY2VTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHcApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFlQ9RzuAAABAMASDBGAiEAmkh2i+QsT/lfcmS314gHZ5FDKo6x686OqlYXAGN3tGUCIQC6Nowtjr26Eaa964nnSzxBIuxb2Lk9BRIBtRWymKyAMQB3AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABZUPUdJAAAAQDAEgwRgIhANNg1DudKCwm53UCQgMkUyi3s+8zk95CI5afqVg0v4OJAiEAqZPgFVhbt0RQUdwZWWhXH9guhvlqxsP7OOkvCtM25R0AdQC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2jh7RhQAAAWVD1HSqAAAEAwBGMEQCIHbIeTdHc/Y2Wt/lNygmKHrmxyt0AeMLd4mBEJh0YXkPAiBfuRw2aRORLrr8ybKkfTYkhAybRNuKPzeYGq+r8b6PgDANBgkqhkiG9w0BAQsFAAOCAQEADSK2wlLwkklQBYZpmmzu3uA1GmTBEW0DWJZoI8TOz+LR4gm+Of8VVDy/7RNA6MLVQq5yHEJLICPvjv8k+8V6LxMfIHWQFhuyfkmlcvrPlO5flKZ78DB8MTJHpLAy2CGcve97gtjKWpLvQ5yOIDfi5ZKIoD7MDKcKKEZej6xZDAJ6tEg23QJgOeGIEJeVXKWsDXu9W24y2vyi5UmEuIe1ipG4AImiUJWA8rXRK/72xph+zLkP/+sTtz3Kl8Dk43Ct845i82BGcFJyrUXWwXW4BHOshVRHvwyXBV/Ow27uDNoZ/7n7sKV8yKRLbc6iJC91GfY7ckhMZbvTGQI8DmfuVQAEtTCCBLEwggOZoAMCAQICEATh56TcXPLzbcArQrhdFZ8wDQYJKoZIhvcNAQELBQAwbDELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2UgRVYgUm9vdCBDQTAeFw0xMzEwMjIxMjAwMDBaFw0yODEwMjIxMjAwMDBaMHAxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xLzAtBgNVBAMTJkRpZ2lDZXJ0IFNIQTIgSGlnaCBBc3N1cmFuY2UgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtuAvwiQGyG0EX9fvCmQGsn0iJmUWrkJAm87cn592Bz7DMFWHGblPlA5alB9VVrTCAiqv0JjuC0DXxNA7csgUnu+QsRGprtLIuEM62QsL1dWV9UCvyB3tTZxfV7eGUGiZ9Yra0scFH6iXydyksYKELcatpZzHGYKmhQ9eRFgqN4/9NfELCCcyWvW7i56kvVHQJ+LdO0IzowUoxLsozJqsKyMNeMZ75l5xt0o+CPuBtxYWoZ0jEk3l15IIrHWknLrNF7IeRDVlf1MlOdEcCppjGxmSdGgKN8LCUkjLOVqituFdwd2gILghopMmbxRKIUHH7W2b8kgv8wP1omiSUy9e4wIDAQABo4IBSTCCAUUwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEsGA1UdHwREMEIwQKA+oDyGOmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VFVlJvb3RDQS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFFFo/5CvAgd1PMzZZWRiohK4WXI7MB8GA1UdIwQYMBaAFLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBCwUAA4IBAQAYipWJA+Zt31z8HWjqSo+D1lEvjWtEFp6sY/XSbmyEmYuqgXGEW+00TrC3eZIpzC2AavCOIOF5pP4DRxPq9YbKWXF99ASWa9NZWD3+0zElXBg4hKPmn4L9jFuYMU7NeJ4a/YXLSaryJw==",
"source": {
"city": "San Francisco",
"network": "external",
"zip": "94107",
"state": "California",
"ip": "4.4.4.4",
"inferred": {
"category": "networking_equipment",
"control": "auto",
"managed_info": {
"host_name": ""
},
"managed": false,
"type": "network infrastructure",
"username": "",
"os_version": "",
"host_name": "",
"ownership": "corporate-unmanaged",
"total_risk": 0,
"device_id": "5d73f6a3c250255491ce3839",
"os": "linux",
"asset": "unmanaged"
},
"longitude": -122.3933,
"port": 443,
"mac": "c4:24:56:87:ef:11",
"time_zone": "America/Los_Angeles",
"country": "United States",
"latitude": 37.7697,
"subnet": "",
"continent": "North America"
},
"type": "pkt_alert",
"references": [],
"title": "User Activity Detected",
"address": "7c:12:a2:45:77:51",
"group": "alert",
"signature": "ET POLICY Dropbox.com Offsite File Backup in Use",
"id": "eyJpIjoiU05XT09UQVBQUFJPRDAxXzQxMTYzXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDEwMDUifQ==",
"severity": "info"
}
]
}
}
Human Readable Output

Results for alerts

idseveritysignaturetimestamp
eyJpIjoiU05XT09UQVBQUFJPRDAxXzQxMTYzXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDEwMDUifQ==infoET POLICY Dropbox.com Offsite File Backup in Use2020-10-05T13:24:27Z

2. wootcloud-get-bt-alerts


list bluetooth alerts generated in requested time span

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

wootcloud-get-bt-alerts

Input
Argument NameDescriptionRequired
date_rangeExamples are (2 hours, 4 minutes, 6 month, 1 day, etc.)Required
severityseverity with values of 'notice', 'warning', 'critical'Optional
skipinteger value for pagination. Default value: 0Optional
limitInteger value for pagination. Default value: 10. Max Value: 500Optional
site_idArray of site ids. Only entered if you want results for a particular site(s) (building, city, region)Optional
Context Output
PathTypeDescription
WootCloud.BluetoothAlert.idStringID
WootCloud.BluetoothAlert.timestampDatetimestamp
WootCloud.BluetoothAlert.severityStringseverity
WootCloud.BluetoothAlert.signatureStringsignature
WootCloud.BluetoothAlert.descriptionStringdescription
WootCloud.BluetoothAlert.addressStringaddress
WootCloud.BluetoothAlert.inferred.device_idStringinferred device ID
WootCloud.BluetoothAlert.inferred.assetStringinferred asset
WootCloud.BluetoothAlert.inferred.managedNumberinferred managed
WootCloud.BluetoothAlert.inferred.categoryStringinferred category
WootCloud.BluetoothAlert.inferred.controlStringinferred control
WootCloud.BluetoothAlert.inferred.host_nameStringinferred host name
WootCloud.BluetoothAlert.inferred.osStringinferred OS
WootCloud.BluetoothAlert.inferred.os_versionStringinferred OS version
WootCloud.BluetoothAlert.inferred.ownershipStringinferred ownership
WootCloud.BluetoothAlert.inferred.total_riskNumberinferred total risk score
WootCloud.BluetoothAlert.inferred.typeStringinferred type
WootCloud.BluetoothAlert.inferred.usernameStringinferred username
WootCloud.BluetoothAlert.inferred.managed_info.host_nameStringinferred managed info host name
WootCloud.BluetoothAlert.typeStringtype
WootCloud.BluetoothAlert.groupStringgroup
WootCloud.BluetoothAlert.subtypeStringsubtype
WootCloud.BluetoothAlert.titleStringtitle
Command Example

!wootcloud-get-bt-alerts date_range="30 days" limit="1"

Context Example
{
"WootCloud.BluetoothAlert": {
"total": 0,
"alerts": []
}
}
Human Readable Output

Results

alertstotal
0

3. wootcloud-get-anomaly-alerts


list anomaly alerts generated in requested time span

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

wootcloud-get-anomaly-alerts

Input
Argument NameDescriptionRequired
date_rangeExamples are (2 hours, 4 minutes, 6 month, 1 day, etc.)Required
severityseverity with values of 'info, ''notice', 'warning', 'critical'Optional
skipinteger value for pagination. Default value: 0Optional
limitInteger value for pagination. Default value: 10. Max Value: 500Optional
site_idArray of site ids. Only entered if you want results for a particular site(s) (building, city, region)Optional
Context Output
PathTypeDescription
WootCloud.AnomalyAlert.idStringID
WootCloud.AnomalyAlert.timestampDatetimestamp
WootCloud.AnomalyAlert.anomaly_typeStringanomaly type
WootCloud.AnomalyAlert.signatureStringsignature
WootCloud.AnomalyAlert.descriptionStringdescription
WootCloud.AnomalyAlert.severityStringseverity
WootCloud.AnomalyAlert.countNumbercount
WootCloud.AnomalyAlert.averageNumberaverage
WootCloud.AnomalyAlert.minimumNumberminimum
WootCloud.AnomalyAlert.maximumNumbermaximum
WootCloud.AnomalyAlert.standard_deviationNumberstandard deviation
WootCloud.AnomalyAlert.anomaly_scoreNumberanomaly score
WootCloud.AnomalyAlert.observed_valueNumberobserved value
WootCloud.AnomalyAlert.deviation_from_normStringdeviation from the norm
WootCloud.AnomalyAlert.unitsStringunits
WootCloud.AnomalyAlert.addressStringaddress
WootCloud.AnomalyAlert.typeStringtype
WootCloud.AnomalyAlert.groupStringgroup
WootCloud.AnomalyAlert.subtypeStringsubtype
WootCloud.AnomalyAlert.titleStringtitle
WootCloud.AnomalyAlert.device_details.device_idStringdevice details device ID
WootCloud.AnomalyAlert.device_details.assetStringdevice details asset
WootCloud.AnomalyAlert.device_details.managedNumberdevice details managed
WootCloud.AnomalyAlert.device_details.categoryStringdevice details category
WootCloud.AnomalyAlert.device_details.controlStringdevice details control
WootCloud.AnomalyAlert.device_details.host_nameStringdevice details host name
WootCloud.AnomalyAlert.device_details.osStringdevice details OS
WootCloud.AnomalyAlert.device_details.os_versionStringdevice details OS version
WootCloud.AnomalyAlert.device_details.ownershipStringdevice details ownership
WootCloud.AnomalyAlert.device_details.total_riskNumberdevice details total risk score
WootCloud.AnomalyAlert.device_details.typeStringdevice details type
WootCloud.AnomalyAlert.device_details.usernameStringdevice details username
WootCloud.AnomalyAlert.device_details.managed_info.host_nameStringdevice details managed info host name
WootCloud.AnomalyAlert.connections.ipStringconnections ip
WootCloud.AnomalyAlert.connections.portNumberconnections port
WootCloud.AnomalyAlert.connections.connection_countNumberconnections connection count
Command Example

!wootcloud-get-anomaly-alerts date_range="30 days" limit="5"

Context Example
{
"WootCloud.AnomalyAlert": {
"total": 11,
"alerts": [
{
"anomaly_type": "Connection",
"maximum": 0,
"connections": [
{
"ip": "2.2.2.2",
"connection_count": 0,
"port": 443
},
{
"ip": "3.3.3.3",
"connection_count": 0,
"port": 443
},
{
"ip": "4.4.4.4",
"connection_count": 0,
"port": 443
}
],
"deviation_from_norm": "2",
"minimum": 0,
"id": "eyJpIjoiU05XT09UQVBQUFJPRDAxV4JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDNjOmE5OmY0OjY0OjA2OmUwLDE2MDE3NDQ4OTcuNzg0NTg0LDI2ODkzXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDEwMDMifQ==",
"group": "anomaly",
"severity": "low",
"title": "Connection Anomaly",
"standard_deviation": 0,
"units": "",
"type": "realtime-anomaly",
"observed_value": 0,
"description": "Realtime Connection anomaly (1-min) triggered based on combination of 3 attributes:\nnumber of connections:15 (normally:2.44+/-1.40)\nnumber of destination ips:14 (normally:1.93+/-1.05)\nnumber of destination ports:3 (normally:1.89+/-0.96)\nnormal is based on 26,893 observations.",
"timestamp": "2020-10-03T17:08:17Z",
"address": "3c:a9:f4:64:06:e0",
"count": 26893,
"average": 0,
"anomaly_score": 0.41364444218713525,
"subtype": "realtime_p002",
"device_details": {
"category": "computer",
"control": "auto",
"managed_info": {
"host_name": "DESKTOP-EV123JG"
},
"managed": true,
"type": "computer",
"username": "3ca9f46406e0",
"os_version": "10",
"host_name": "DESKTOP-EV123JG",
"ownership": "corporate",
"total_risk": 0,
"device_id": "5b4c3c91072c98142d308b29",
"os": "windows",
"asset": "managed"
},
"signature": "realtime_p002:pktstats3|1-min|"
},
{
"anomaly_type": "Connection",
"maximum": 0,
"connections": [
{
"ip": "4.4.4.4",
"connection_count": 0,
"port": 443
},
{
"ip": "3.3.3.3",
"connection_count": 0,
"port": 443
}
],
"deviation_from_norm": "2",
"minimum": 0,
"id": "eyJpIjoiU05XT09UQVBQUFJPRDAxX3JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDNjOmE5OmY0OjY0OjA2OmUwLDE2MDE2NjM0MTIuNzQ4MiwyNTYzM18wMDAiLCJ4IjoiNWEwMGIxNzU5Yzc5NjQ4ODBmYTFjMWE2X2NfZDIwMjAxMDAyIn0=",
"group": "anomaly",
"severity": "low",
"title": "Connection Anomaly",
"standard_deviation": 0,
"units": "",
"type": "realtime-anomaly",
"observed_value": 0,
"description": "Realtime Connection anomaly (1-min) triggered based on combination of 3 attributes:\nnumber of connections:16 (normally:2.58+/-1.52)\nnumber of destination ips:14 (normally:2.03+/-1.14)\nnumber of destination ports:3 (normally:1.92+/-0.93)\nnormal is based on 25,633 observations.",
"timestamp": "2020-10-02T18:30:12Z",
"address": "3c:a9:f4:64:06:e0",
"count": 25633,
"average": 0,
"anomaly_score": 0.41364444218713525,
"subtype": "realtime_p002",
"device_details": {
"category": "computer",
"control": "auto",
"managed_info": {
"host_name": "DESKTOP-EV607JG"
},
"managed": true,
"type": "computer",
"username": "3ca9f46406e0",
"os_version": "10",
"host_name": "DESKTOP-EV607JG",
"ownership": "corporate",
"total_risk": 0,
"device_id": "5b4c3c91072c98142d308b29",
"os": "windows",
"asset": "managed"
},
"signature": "realtime_p002:pktstats3|1-min|"
},
{
"anomaly_type": "Connection",
"maximum": 0,
"connections": [
{
"ip": "8.8.8.8",
"connection_count": 0,
"port": 53
},
{
"ip": "2.2.2.2",
"connection_count": 0,
"port": 80
},
{
"ip": "3.3.3.3",
"connection_count": 0,
"port": 80
},
],
"deviation_from_norm": "4",
"minimum": 0,
"id": "eyJpIjoiU05XT09UQVBQUFJPRDAxX3JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDAwOjBjOjI5OjBjOjY0Ojk2LDE2MDE1NTkxODcuMTE1MjY1LDI1NTAyXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDEwMDEifQ==",
"group": "anomaly",
"severity": "medium",
"title": "Connection Anomaly",
"standard_deviation": 0,
"units": "",
"type": "realtime-anomaly",
"observed_value": 0,
"description": "Realtime Connection anomaly (1-min) triggered based on combination of 3 attributes:\nnumber of connections:28 (normally:1.67+/-1.88)\nnumber of destination ips:11 (normally:1.15+/-0.57)\nnumber of destination ports:3 (normally:1.07+/-0.27)\nnormal is based on 25,502 observations.",
"timestamp": "2020-10-01T13:33:07Z",
"address": "00:0c:29:0c:64:96",
"count": 25502,
"average": 0,
"anomaly_score": 0.7064193203972353,
"subtype": "realtime_p002",
"device_details": {
"category": "computer",
"control": "user",
"managed_info": {
"host_name": ""
},
"managed": false,
"type": "computer",
"username": "",
"os_version": "",
"host_name": "WOOTAPP",
"ownership": "visiting",
"total_risk": 0,
"device_id": "5ea36ccd5c727ddfb1742471",
"os": "windows",
"asset": "unmanaged"
},
"signature": "realtime_p002:pktstats3|1-min|"
},
{
"anomaly_type": "Connection",
"maximum": 0,
"connections": [
{
"ip": "3.3.3.3",
"connection_count": 0,
"port": 80
},
{
"ip": "8.8.4.4",
"connection_count": 0,
"port": 443
},
{
"ip": "8.8.8.8",
"connection_count": 0,
"port": 53
}
],
"deviation_from_norm": "2",
"minimum": 0,
"id": "eyJpIjoiU05XT09UQVBQUFJPRDAxX3JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDNjOmE5OmY0OjY0OjA2OmUwLDE2MDEzODg4NTAuMjQ0ODM5LDIzMjQzXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDA5MjkifQ==",
"group": "anomaly",
"severity": "low",
"title": "Connection Anomaly",
"standard_deviation": 0,
"units": "",
"type": "realtime-anomaly",
"observed_value": 0,
"description": "Realtime Connection anomaly (1-min) triggered based on combination of 3 attributes:\nnumber of connections:17 (normally:2.70+/-1.43)\nnumber of destination ips:16 (normally:2.15+/-1.11)\nnumber of destination ports:3 (normally:2.09+/-0.97)\nnormal is based on 23,243 observations.",
"timestamp": "2020-09-29T14:14:10Z",
"address": "3c:a9:f4:64:06:e0",
"count": 23243,
"average": 0,
"anomaly_score": 0.41364444218713525,
"subtype": "realtime_p002",
"device_details": {
"category": "computer",
"control": "auto",
"managed_info": {
"host_name": "DESKTOP-EV607JG"
},
"managed": true,
"type": "computer",
"username": "3ca9f46406e0",
"os_version": "10",
"host_name": "DESKTOP-EV607JG",
"ownership": "corporate",
"total_risk": 0,
"device_id": "5b4c3c91072c98142d308b29",
"os": "windows",
"asset": "managed"
},
"signature": "realtime_p002:pktstats3|1-min|"
},
{
"anomaly_type": "Connection",
"maximum": 0,
"connections": [
{
"ip": "8.8.8.8",
"connection_count": 0,
"port": 53
},
{
"ip": "3.3.3.3",
"connection_count": 0,
"port": 80
},
{
"ip": "4.4.4.4",
"connection_count": 0,
"port": 80
},
{
"ip": "5.5.5.5",
"connection_count": 0,
"port": 80
}
],
"deviation_from_norm": "4",
"minimum": 0,
"id": "eyJpIjoiU05XT09UQVBQUFJPRDAxX3JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDAwOjBjOjI5OjFhOjdmOmU5LDE2MDEzMzQ1NzQuNTQ1MzAzLDQzMzgzXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDA5MjgifQ==",
"group": "anomaly",
"severity": "medium",
"title": "Connection Anomaly",
"standard_deviation": 0,
"units": "",
"type": "realtime-anomaly",
"observed_value": 0,
"description": "Realtime Connection anomaly (1-min) triggered based on combination of 3 attributes:\nnumber of connections:48 (normally:4.17+/-1.60)\nnumber of destination ips:10 (normally:1.29+/-0.47)\nnumber of destination ports:4 (normally:1.29+/-0.46)\nnormal is based on 43,383 observations.",
"timestamp": "2020-09-28T23:09:34Z",
"address": "00:0c:29:1a:7f:e9",
"count": 43383,
"average": 0,
"anomaly_score": 0.7064193203972353,
"subtype": "realtime_p002",
"device_details": {
"category": "computer",
"control": "user",
"managed_info": {
"host_name": ""
},
"managed": false,
"type": "computer",
"username": "",
"os_version": "",
"host_name": "WOOTAPP",
"ownership": "visiting",
"total_risk": 0,
"device_id": "5ecd43f95c727ddfb186fac0",
"os": "windows",
"asset": "unmanaged"
},
"signature": "realtime_p002:pktstats3|1-min|"
}
]
}
}
Human Readable Output

Results for alerts

idseveritysignaturetimestamp
eyJpIjoiU05XT09UQVBQUFJPRDAxX3JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDNjOmE5OmY0OjY0OjA2OmUwLDE2MDE3NDQ4OTcuNzg0NTg0LDI2ODkzXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDEwMDMifQ==lowrealtime_p002:pktstats3|1-min|2020-10-03T17:08:17Z
eyJpIjoiU05XT09UQVBQUFJPRDAxX3JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDNjOmE5OmY0OjY0OjA2OmUwLDE2MDE2NjM0MTIuNzQ4MiwyNTYzM18wMDAiLCJ4IjoiNWEwMGIxNzU5Yzc5NjQ4ODBmYTFjMWE2X2NfZDIwMjAxMDAyIn0=lowrealtime_p002:pktstats3|1-min|2020-10-02T18:30:12Z
eyJpIjoiU05XT09UQVBQUFJPRDAxX3JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDAwOjBjOjI5OjBjOjY0Ojk2LDE2MDE1NTkxODcuMTE1MjY1LDI1NTAyXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDEwMDEifQ==mediumrealtime_p002:pktstats3|1-min|2020-10-01T13:33:07Z
eyJpIjoiU05XT09UQVBQUFJPRDAxX3JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDNjOmE5OmY0OjY0OjA2OmUwLDE2MDEzODg4NTAuMjQ0ODM5LDIzMjQzXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDA5MjkifQ==lowrealtime_p002:pktstats3|1-min|2020-09-29T14:14:10Z
eyJpIjoiU05XT09UQVBQUFJPRDAxX3JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDAwOjBjOjI5OjFhOjdmOmU5LDE2MDEzMzQ1NzQuNTQ1MzAzLDQzMzgzXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDA5MjgifQ==mediumrealtime_p002:pktstats3|1-min|2020-09-28T23:09:34Z

4. wootcloud-fetch-packet-alert


retrieve single packet alert given packet id

Base Command

wootcloud-fetch-packet-alert

Input
Argument NameDescriptionRequired
alert_idthe ID of the packet alertRequired
Context Output
PathTypeDescription
WootCloud.PacketAlert.idStringID of alert
WootCloud.PacketAlert.addressStringMac Address of device
WootCloud.PacketAlert.timestampDateAlert timestamp
WootCloud.PacketAlert.severityStringSeverity level
WootCloud.PacketAlert.categoryStringAlert Category
WootCloud.PacketAlert.signatureStringsignature
WootCloud.PacketAlert.source.cityStringsource city
WootCloud.PacketAlert.source.continentStringsource continent
WootCloud.PacketAlert.source.countryStringsource country
WootCloud.PacketAlert.source.ipStringsource ip
WootCloud.PacketAlert.source.latitudeNumbersource latitude
WootCloud.PacketAlert.source.longitudeNumbersource longitude
WootCloud.PacketAlert.source.macStringsource mac address
WootCloud.PacketAlert.source.networkStringsource network
WootCloud.PacketAlert.source.portNumbersource port
WootCloud.PacketAlert.source.stateStringsource state
WootCloud.PacketAlert.source.subnetStringsource subnet
WootCloud.PacketAlert.source.time_zoneStringsource time zone
WootCloud.PacketAlert.source.zipStringsource zip
WootCloud.PacketAlert.source.inferred.device_idStringsource inferred device ID
WootCloud.PacketAlert.source.inferred.assetStringsource inferred asset
WootCloud.PacketAlert.source.inferred.managedNumbersource inferred managed
WootCloud.PacketAlert.source.inferred.categoryStringsource inferred category
WootCloud.PacketAlert.source.inferred.controlStringsource inferred control
WootCloud.PacketAlert.source.inferred.host_nameStringsource inferred host name
WootCloud.PacketAlert.source.inferred.osStringsource inferred OS
WootCloud.PacketAlert.source.inferred.os_versionStringsource inferred OS version
WootCloud.PacketAlert.source.inferred.ownershipStringsource inferred ownership
WootCloud.PacketAlert.source.inferred.total_riskNumbersource inferred total risk score
WootCloud.PacketAlert.source.inferred.typeStringsource inferred type
WootCloud.PacketAlert.source.inferred.usernameStringsource inferred username
WootCloud.PacketAlert.source.inferred.managed_info.host_nameStringsource inferred managed host name
WootCloud.PacketAlert.destination.cityStringdestination city
WootCloud.PacketAlert.destination.continentStringdestination continent
WootCloud.PacketAlert.destination.countryStringdestination country
WootCloud.PacketAlert.destination.ipStringdestination ip
WootCloud.PacketAlert.destination.latitudeNumberdestination latitude
WootCloud.PacketAlert.destination.longitudeNumberdestination longitude
WootCloud.PacketAlert.destination.macStringdestination mac address
WootCloud.PacketAlert.destination.networkStringdestination network
WootCloud.PacketAlert.destination.portNumberdestination port
WootCloud.PacketAlert.destination.stateStringdestination state
WootCloud.PacketAlert.destination.subnetStringdestination subnet
WootCloud.PacketAlert.destination.time_zoneStringdestination time zone
WootCloud.PacketAlert.destination.zipStringdestination zip
WootCloud.PacketAlert.destination.inferred.device_idStringdestination inferred device ID
WootCloud.PacketAlert.destination.inferred.assetStringdestination inferred asset
WootCloud.PacketAlert.destination.inferred.managedNumberdestination inferred managed
WootCloud.PacketAlert.destination.inferred.categoryStringdestination inferred category
WootCloud.PacketAlert.destination.inferred.controlStringdestination inferred control
WootCloud.PacketAlert.destination.inferred.host_nameStringdestination inferred host name
WootCloud.PacketAlert.destination.inferred.osStringdestination inferred OS
WootCloud.PacketAlert.destination.inferred.os_versionStringdestination inferred OS version
WootCloud.PacketAlert.destination.inferred.ownershipStringdestination inferred ownership
WootCloud.PacketAlert.destination.inferred.total_riskNumberdestination inferred total risk score
WootCloud.PacketAlert.destination.inferred.typeStringdestination inferred type
WootCloud.PacketAlert.destination.inferred.usernameStringdestination inferred username
WootCloud.PacketAlert.destination.inferred.managed_info.host_nameStringdestination inferred managed info hostname
WootCloud.PacketAlert.payloadStringpayload
WootCloud.PacketAlert.http.hostnameStringhttp hostname
WootCloud.PacketAlert.http.http_methodStringhttp methon
WootCloud.PacketAlert.http.http_user_agentStringhttp user agent
WootCloud.PacketAlert.http.lengthNumberhttp length
WootCloud.PacketAlert.http.protocolStringhttp protocol
WootCloud.PacketAlert.http.redirectStringhttp redirect
WootCloud.PacketAlert.http.http_referStringhttp referal
WootCloud.PacketAlert.http.statusNumberhttp status code
WootCloud.PacketAlert.http.urlStringhttp url
WootCloud.PacketAlert.typeStringhttp type
WootCloud.PacketAlert.groupStringgroup
WootCloud.PacketAlert.subtypeStringsubtype
WootCloud.PacketAlert.titleStringtitle
WootCloud.PacketAlert.descriptionStringdescription
WootCloud.PacketAlert.referencesStringreferences
Command Example

!wootcloud-fetch-packet-alert alert_id="eyJpIjoiU05XT09UQVBQUFJPRDAxXzI2MzY1XzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDEwMDQifQ=="

Context Example
{
"WootCloud.PacketAlert": {
"category": "Generic Protocol Command Decode",
"http": {
"redirect": "https://api-wootuno-1606049077.us-west-2.elb.amazonaws.com:443/wpad.dat",
"status": 301,
"http_user_agent": "WinHttp-Autoproxy-Service/5.1",
"protocol": "HTTP/1.1",
"http_refer": "",
"url": "/wpad.dat",
"hostname": "api-wootuno-1606049077.us-west-2.elb.amazonaws.com",
"length": 134,
"http_method": "GET"
},
"description": "ET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnel",
"subtype": "protocol-command-decode",
"timestamp": "2020-10-04T04:09:05Z",
"destination": {
"city": "Boardman",
"network": "external",
"zip": "97818",
"state": "Oregon",
"ip": "3.3.3.3",
"inferred": {
"category": "networking_equipment",
"control": "auto",
"managed_info": {
"host_name": ""
},
"managed": false,
"type": "network infrastructure",
"username": "",
"os_version": "",
"host_name": "",
"ownership": "corporate-unmanaged",
"total_risk": 0,
"device_id": "5d73f6a3c250255491ce3839",
"os": "linux",
"asset": "unmanaged"
},
"longitude": -119.688,
"port": 80,
"mac": "c4:24:56:87:ef:11",
"time_zone": "America/Los_Angeles",
"country": "United States",
"latitude": 45.8696,
"subnet": "",
"continent": "North America"
},
"payload": "R0VUIC93cGFkLmRhdCBIVFRQLzEuMQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KQWNjZXB0OiAqLyoNClVzZXItQWdlbnQ6IFdpbkh0dHAtQXV0b3Byb3h5LVNlcnZpY2UvNS4xDQpIb3N0OiBhcGktd29vdHVuby0xNjA2MDQ5MDc3LnVzLXdlc3QtMi5lbGIuYW1hem9uYXdzLmNvbQ0KDQo=",
"source": {
"city": "Unknown",
"network": "internal",
"zip": "Unknown",
"state": "Unknown",
"ip": "10.10.10.10",
"inferred": {
"category": "computer",
"control": "auto",
"managed_info": {
"host_name": "DESKTOP-EV607JG"
},
"managed": true,
"type": "computer",
"username": "3ca9f46406e0",
"os_version": "10",
"host_name": "DESKTOP-EV607JG",
"ownership": "corporate",
"total_risk": 0,
"device_id": "5b4c3c91072c98142d308b29",
"os": "windows",
"asset": "managed"
},
"longitude": -1,
"port": 63202,
"mac": "3c:a9:f4:64:06:e0",
"time_zone": "Unknown",
"country": "Unknown",
"latitude": -1,
"subnet": "10.10.10.10/24",
"continent": "Unknown"
},
"type": "pkt_alert",
"references": [],
"title": "Generic Protocol Command Decode",
"address": "3c:a9:f4:64:06:e0",
"group": "alert",
"signature": "ET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnel",
"id": "eyJpIjoiU05XT09UQVBQUFJPRDAxXzI2MzY1XzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDEwMDQifQ==",
"severity": "info"
}
}
Human Readable Output

Results

addresscategorydescriptiondestinationgrouphttpidpayloadreferencesseveritysignaturesourcesubtypetimestamptitletype
3c:a9:f4:64:06:e0Generic Protocol Command DecodeET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnelcity: Boardman
continent: North America
country: United States
ip: 3.3.3.3
latitude: 45.8696
longitude: -119.688
mac: c4:24:56:87:ef:11
network: external
port: 80
state: Oregon
subnet:
time_zone: America/Los_Angeles
zip: 97818
inferred: {"device_id": "5d73f6a3c250255491ce3839", "asset": "unmanaged", "managed": false, "category": "networking_equipment", "control": "auto", "host_name": "", "os": "linux", "os_version": "", "ownership": "corporate-unmanaged", "total_risk": 0, "type": "network infrastructure", "username": "", "managed_info": {"host_name": ""}}
alerthostname: api-wootuno-1606049077.us-west-2.elb.amazonaws.com
http_method: GET
http_user_agent: WinHttp-Autoproxy-Service/5.1
length: 134
protocol: HTTP/1.1
redirect: https://api-wootuno-1606049077.us-west-2.elb.amazonaws.com:443/wpad.dat
http_refer:
status: 301
url: /wpad.dat
eyJpIjoiU05XT09UQVBQUFJPRDAxXzI2MzY1XzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDEwMDQifQ==R0VUIC93cGFkLmRhdCBIVFRQLzEuMQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KQWNjZXB0OiAqLyoNClVzZXItQWdlbnQ6IFdpbkh0dHAtQXV0b3Byb3h5LVNlcnZpY2UvNS4xDQpIb3N0OiBhcGktd29vdHVuby0xNjA2MDQ5MDc3LnVzLXdlc3QtMi5lbGIuYW1hem9uYXdzLmNvbQ0KDQo=infoET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnelcity: Unknown
continent: Unknown
country: Unknown
ip: 10.10.10.10
latitude: -1
longitude: -1
mac: 3c:a9:f4:64:06:e0
network: internal
port: 63202
state: Unknown
subnet: 10.10.10.10/24
time_zone: Unknown
zip: Unknown
inferred: {"device_id": "5b4c3c91072c98142d308b29", "asset": "managed", "managed": true, "category": "computer", "control": "auto", "host_name": "DESKTOP-EV607JG", "os": "windows", "os_version": "10", "ownership": "corporate", "total_risk": 0, "type": "computer", "username": "3ca9f46406e0", "managed_info": {"host_name": "DESKTOP-EV607JG"}}
protocol-command-decode2020-10-04T04:09:05ZGeneric Protocol Command Decodepkt_alert

5. wootcloud-fetch-bluetooth-alert


retrieve single bluetooth alert given packet id

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

wootcloud-fetch-bluetooth-alert

Input
Argument NameDescriptionRequired
alert_idthe ID of the bluetooth alertRequired
Context Output
PathTypeDescription
WootCloud.BluetoothAlert.idStringID
WootCloud.BluetoothAlert.timestampDatetimestamp
WootCloud.BluetoothAlert.severityStringseverity
WootCloud.BluetoothAlert.signatureStringsignature
WootCloud.BluetoothAlert.descriptionStringdescription
WootCloud.BluetoothAlert.addressStringaddress
WootCloud.BluetoothAlert.inferred.device_idStringinferred device ID
WootCloud.BluetoothAlert.inferred.assetStringinferred asset
WootCloud.BluetoothAlert.inferred.managedNumberinferred managed
WootCloud.BluetoothAlert.inferred.categoryStringinferred category
WootCloud.BluetoothAlert.inferred.controlStringinferred control
WootCloud.BluetoothAlert.inferred.host_nameStringinferred host name
WootCloud.BluetoothAlert.inferred.osStringinferred OS
WootCloud.BluetoothAlert.inferred.os_versionStringinferred OS version
WootCloud.BluetoothAlert.inferred.ownershipStringinferred ownership
WootCloud.BluetoothAlert.inferred.total_riskNumberinferred total risk score
WootCloud.BluetoothAlert.inferred.typeStringinferred type
WootCloud.BluetoothAlert.inferred.usernameStringinferred username
WootCloud.BluetoothAlert.inferred.managed_info.host_nameStringinferred managed info host name
WootCloud.BluetoothAlert.typeStringtype
WootCloud.BluetoothAlert.groupStringgroup
WootCloud.BluetoothAlert.subtypeStringsubtype
WootCloud.BluetoothAlert.titleStringtitle
Command Example

!wootcloud-fetch-bluetooth-alert alert_id="EXMP001"

Human Readable Output

6. wootcloud-fetch-anomaly-alert


retrieve single anomaly alert given packet id

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

wootcloud-fetch-anomaly-alert

Input
Argument NameDescriptionRequired
alert_idthe ID of the anomaly alertRequired
Context Output
PathTypeDescription
WootCloud.AnomalyAlert.idStringID
WootCloud.AnomalyAlert.timestampDatetimestamp
WootCloud.AnomalyAlert.anomaly_typeStringanomaly type
WootCloud.AnomalyAlert.signatureStringsignature
WootCloud.AnomalyAlert.descriptionStringdescription
WootCloud.AnomalyAlert.severityStringseverity
WootCloud.AnomalyAlert.countNumbercount
WootCloud.AnomalyAlert.averageNumberaverage
WootCloud.AnomalyAlert.minimumNumberminimum
WootCloud.AnomalyAlert.maximumNumbermaximum
WootCloud.AnomalyAlert.standard_deviationNumberstandard deviation
WootCloud.AnomalyAlert.anomaly_scoreNumberanomaly score
WootCloud.AnomalyAlert.observed_valueNumberobserved value
WootCloud.AnomalyAlert.deviation_from_normStringdeviation from the norm
WootCloud.AnomalyAlert.unitsStringunits
WootCloud.AnomalyAlert.addressStringaddress
WootCloud.AnomalyAlert.typeStringtype
WootCloud.AnomalyAlert.groupStringgroup
WootCloud.AnomalyAlert.subtypeStringsubtype
WootCloud.AnomalyAlert.titleStringtitle
WootCloud.AnomalyAlert.device_details.device_idStringdevice details device ID
WootCloud.AnomalyAlert.device_details.assetStringdevice details asset
WootCloud.AnomalyAlert.device_details.managedNumberdevice details managed
WootCloud.AnomalyAlert.device_details.categoryStringdevice details category
WootCloud.AnomalyAlert.device_details.controlStringdevice details control
WootCloud.AnomalyAlert.device_details.host_nameStringdevice details host name
WootCloud.AnomalyAlert.device_details.osStringdevice details OS
WootCloud.AnomalyAlert.device_details.os_versionStringdevice details OS version
WootCloud.AnomalyAlert.device_details.ownershipStringdevice details ownership
WootCloud.AnomalyAlert.device_details.total_riskNumberdevice details total risk score
WootCloud.AnomalyAlert.device_details.typeStringdevice details type
WootCloud.AnomalyAlert.device_details.usernameStringdevice details username
WootCloud.AnomalyAlert.device_details.managed_info.host_nameStringdevice details managed info host name
WootCloud.AnomalyAlert.connections.ipStringconnections ip
WootCloud.AnomalyAlert.connections.portNumberconnections port
WootCloud.AnomalyAlert.connections.connection_countNumberconnections connection count
Command Example

!wootcloud-fetch-anomaly-alert alert_id="eyJpIjoiU05XT09UQVBQUFJPRDAxX3JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDNjOmE5OmY0OjY0OjA2OmUwLDE2MDE3NDQ4OTcuNzg0NTg0LDI2ODkzXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDEwMDMifQ==" "

Context Example
{
"WootCloud.AnomalyAlert": {
"anomaly_type": "Connection",
"maximum": 0,
"connections": [
{
"ip": "2.2.2.2",
"connection_count": 0,
"port": 443
},
{
"ip": "3.3.3.3",
"connection_count": 0,
"port": 443
},
{
"ip": "4.4.4.4",
"connection_count": 0,
"port": 443
}
],
"deviation_from_norm": "2",
"minimum": 0,
"id": "eyJpIjoiU05XT09UQVBQUFJPRDAxX3JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDNjOmE5OmY0OjY0OjA2OmUwLDE2MDE3NDQ4OTcuNzg0NTg0LDI2ODkzXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDEwMDMifQ==",
"group": "anomaly",
"severity": "low",
"title": "Connection Anomaly",
"standard_deviation": 0,
"units": "",
"type": "realtime-anomaly",
"observed_value": 0,
"description": "Realtime Connection anomaly (1-min) triggered based on combination of 3 attributes:\nnumber of connections:15 (normally:2.44+/-1.40)\nnumber of destination ips:14 (normally:1.93+/-1.05)\nnumber of destination ports:3 (normally:1.89+/-0.96)\nnormal is based on 26,893 observations.",
"timestamp": "2020-10-03T17:08:17Z",
"address": "3c:a9:f4:64:06:e0",
"count": 26893,
"average": 0,
"anomaly_score": 0.41364444218713525,
"subtype": "realtime_p002",
"device_details": {
"category": "computer",
"control": "auto",
"managed_info": {
"host_name": "DESKTOP-EV607JG"
},
"managed": true,
"type": "computer",
"username": "3ca9f46406e0",
"os_version": "10",
"host_name": "DESKTOP-EV607JG",
"ownership": "corporate",
"total_risk": 0,
"device_id": "5b4c3c91072c98142d308b29",
"os": "windows",
"asset": "managed"
},
"signature": "realtime_p002:pktstats3|1-min|"
}
}
Human Readable Output

Results

addressanomaly_scoreanomaly_typeaverageconnectionscountdescriptiondeviation_from_normdevice_detailsgroupidmaximumminimumobserved_valueseveritysignaturestandard_deviationsubtypetimestamptitletypeunits
3c:a9:f4:64:06:e00.41364444218713525Connection0{'ip': '2.2.2.2', 'port': 443, 'connection_count': 0},
{'ip': '3.3.3.3', 'port': 443, 'connection_count': 0},
{'ip': '4.4.4.4', 'port': 443, 'connection_count': 0},
{'ip': '2.2.2.2', 'port': 443, 'connection_count': 0}
26893Realtime Connection anomaly (1-min) triggered based on combination of 3 attributes:
number of connections:15 (normally:2.44+/-1.40)
number of destination ips:14 (normally:1.93+/-1.05)
number of destination ports:3 (normally:1.89+/-0.96)
normal is based on 26,893 observations.
2device_id: 5b4c3c91072c98142d308b29
asset: managed
managed: true
category: computer
control: auto
host_name: DESKTOP-EV607JG
os: windows
os_version: 10
ownership: corporate
total_risk: 0
type: computer
username: 3ca9f46406e0
managed_info: {"host_name": "DESKTOP-EV607JG"}
anomalyeyJpIjoiU05XT09UQVBQUFJPRDAxX3JlYWx0aW1lX3AwMDIscGt0c3RhdHMzLDNjOmE5OmY0OjY0OjA2OmUwLDE2MDE3NDQ4OTcuNzg0NTg0LDI2ODkzXzAwMCIsIngiOiI1YTAwYjE3NTljNzk2NDg4MGZhMWMxYTZfY19kMjAyMDEwMDMifQ==000lowrealtime_p002:pktstats3|1-min|0realtime_p0022020-10-03T17:08:17ZConnection Anomalyrealtime-anomaly