SecBI
This Integration is part of the SecBI Pack.
SecBI automates security operations from detection and investigation through to response, including remediation and enforcement of prevention policies on all integrated appliances. This integration was integrated and tested with version 3.2.x of SecBI.
Use Cases
- secbi-get-incidents-list: Runs a hunting query (Elasticsearch syntax) against SecBI and returns the IDs of the matching incidents.
- secbi-get-incident: Returns the full details of one incident by its ID (typically the next step after secbi-get-incidents-list), including all involved users, destinations, and the detailed detections made by the SecBI system.
- secbi-get-incident-by-host: Returns the full details of the incident that involves a given destination host (useful for an IOC match or as a broader detection request), including all involved users, all destinations (possibly implicating destinations other than the one in the request), and the detailed detections made by the SecBI system.
Detailed Description
With attacks growing exponentially in volume and complexity, organizations face an almost insurmountable challenge to implement effective security programs at a time when security resources are severely limited. They struggle with inadequate time, funds, skillsets and headcount.
SecBI makes detection and response quick, accurate and simple with its proprietary underlying technology, AI-based Autonomous Investigation™, which mimics an expert analyst at machine speed.
SecBI’s Autonomous Investigation amplifies the alert prioritization and incident investigation skills of security analyst teams, allowing them to efficiently prioritize alerts from other systems, and easily investigate and triage incidents through analytics-driven visibility.
SecBI builds behavioral profiles for users and hosts by applying Autonomous Investigation techniques, including supervised and unsupervised machine learning, on data from the network and security infrastructure, enriched with threat intelligence.
The security insights generated by SecBI analytics are oriented around a user or host, which makes them easy to act on with automated response and lets analysts conduct incident investigations and hunt for unknown threats.
Configure SecBI on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for SecBI.
- Click Add instance to create and configure a new integration instance.
  - Name: a textual name for the integration instance.
  - SecBI API URL (e.g. https://demisto.secbi.com)
  - SecBI API key
  - Use system proxy settings
  - Trust any certificate (not secure): skips TLS certificate validation for the SecBI API URL. Leave it unchecked outside of lab testing; with validation off, the API key travels over a connection whose peer is never verified.
- Click Test to validate the new instance.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- SecBI Get All Incident IDs: secbi-get-incidents-list
- Get a specific SecBI Incident by SecBI Incident ID: secbi-get-incident
- Get a specific SecBI Incident by Host: secbi-get-incident-by-host
1. secbi-get-incidents-list
SecBI Get All Incident IDs
Base Command
`secbi-get-incidents-list`
Required Permissions
No special permissions required.
Input
| Argument Name | Description | Required | 
|---|---|---|
| query | Hunting query (Elasticsearch syntax) used to filter the incident IDs, e.g. severity:[60 TO 100] | Optional | 
| limit | Maximum number of IDs to return; -1 returns all. Default is 100 | Optional | 
Context Output
| Path | Type | Description | 
|---|---|---|
| SecBI.IncidentsList | String | SecBI Incident IDs List | 
Command Example
```
!secbi-get-incidents-list query="severity:[60 TO 100]" limit="3"
```
Human Readable Output
### List of SecBI Incidents
|ID|
|---|
| 7899b0ff-810b-4df4-a0e3-806557aecc2e |
| 3de12111-3b09-45b7-8ac8-6ab88be48b52 |
| 0e83beac-b374-4f89-b2ab-ecc851414ec9 |
2. secbi-get-incident
Get a specific SecBI Incident by SecBI Incident ID
Base Command
`secbi-get-incident`
Required Permissions
No special permissions required.
Input
| Argument Name | Description | Required | 
|---|---|---|
| incident_id | SecBI incident ID | Required | 
Context Output
| Path | Type | Description | 
|---|---|---|
| SecBI.Incident.ID | String | SecBI incident ID | 
| SecBI.Incident.Host | String | SecBI incident host names | 
| SecBI.Incident.Identity | String | SecBI incident identities | 
| SecBI.Incident.InternalIp | String | SecBI incident client internal IP addresses | 
| SecBI.Incident.SIp | String | SecBI incident client IP addresses | 
| SecBI.Incident.FirstAppearance | Date | SecBI incident first appearance of data | 
| SecBI.Incident.LastAppearance | Date | SecBI incident last appearance of data | 
Command Example
```
!secbi-get-incident incident_id=7899b0ff-810b-4df4-a0e3-806557aecc2e
```
Human Readable Output
### SecBI incident ID "7899b0ff-810b-4df4-a0e3-806557aecc2e"
|FirstAppearance|Host|ID|Identity|InternalIp|LastAppearance|SIp|
|---|---|---|---|---|---|---|
| 2017-07-31 06:46:14 | pix.crp.education, solutions.sante-corps-esprit.com, tracking.notizie.it, editions.biosante-editions.fr, www.nikon.fr, www.mailant.it, static.biosante-editions.com, static.pubfac.com, moodle.ead-online.be, img1.gtv.digimondo.net, static.snieditions.com, www.trgmedia.it, ws.atomikad.com, www.ead-online.be, www.smooto.com, www.cronacaeugubina.it, www.elfri.be | 7899b0ff-810b-4df4-a0e3-806557aecc2e | joe@acme.com | 172.23.152.25, 172.23.152.26 | 2017-08-04 08:22:43 | 141.101.61.31, 37.187.151.239, 52.85.180.13, 52.85.180.203, 151.80.18.159, 94.23.64.3, 134.213.72.175, 46.37.22.52, 95.85.13.99, 46.37.22.123, 54.72.0.177, 23.253.140.198, 0.0.0.0, 176.62.160.38, 52.85.180.177 |
3. secbi-get-incident-by-host
Get a specific SecBI Incident by Host
Base Command
`secbi-get-incident-by-host`
Required Permissions
No special permissions required.
Input
| Argument Name | Description | Required | 
|---|---|---|
| host | Destination host name (as listed under SecBI.Incident.Host) for which to retrieve the SecBI incident | Required | 
Context Output
| Path | Type | Description | 
|---|---|---|
| SecBI.Incident.ID | String | SecBI incident ID | 
| SecBI.Incident.Host | String | SecBI incident host names | 
| SecBI.Incident.Identity | String | SecBI incident identities | 
| SecBI.Incident.InternalIp | String | SecBI incident client internal IP addresses | 
| SecBI.Incident.SIp | String | SecBI incident client IP addresses | 
| SecBI.Incident.FirstAppearance | Date | SecBI incident first appearance of data | 
| SecBI.Incident.LastAppearance | Date | SecBI incident last appearance of data | 
Command Example
```
!secbi-get-incident-by-host host=www.smooto.com
```
Human Readable Output
### SecBI incident by host "www.smooto.com"
|FirstAppearance|Host|ID|Identity|InternalIp|LastAppearance|SIp|
|---|---|---|---|---|---|---|
| 2017-07-31 06:46:14 | pix.crp.education, solutions.sante-corps-esprit.com, tracking.notizie.it, editions.biosante-editions.fr, www.nikon.fr, www.mailant.it, static.biosante-editions.com, static.pubfac.com, moodle.ead-online.be, img1.gtv.digimondo.net, static.snieditions.com, www.trgmedia.it, ws.atomikad.com, www.ead-online.be, www.smooto.com, www.cronacaeugubina.it, www.elfri.be | 7899b0ff-810b-4df4-a0e3-806557aecc2e | joe@acme.com | 172.23.152.25, 172.23.152.26 | 2017-08-04 08:22:43 | 141.101.61.31, 37.187.151.239, 52.85.180.13, 52.85.180.203, 151.80.18.159, 94.23.64.3, 134.213.72.175, 46.37.22.52, 95.85.13.99, 46.37.22.123, 54.72.0.177, 23.253.140.198, 0.0.0.0, 176.62.160.38, 52.85.180.177 |
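The use cases above describe chaining the commands: run a hunting query with secbi-get-incidents-list, then pull each ID with secbi-get-incident and check the returned destinations against your own IOCs. The following is an added example of that flow as an XSOAR-style automation; it is not code from the SecBI pack or from Cortex XSOAR. It assumes the context paths documented on this page (SecBI.IncidentsList and SecBI.Incident.ID/Host/Identity/InternalIp/SIp), that `query` uses Elasticsearch query_string syntax (inferred from the severity:[60 TO 100] example), and that XSOAR may return the incident context under a key suffixed with a DT selector such as `SecBI.Incident(val.ID == obj.ID)`. `execute` stands in for `demisto.executeCommand`; `FakeSecBI` is a constructed stand-in whose first incident is a trimmed copy of the sample output on this page and whose second incident is invented, so the script runs offline.

```python
"""Chain secbi-get-incidents-list -> secbi-get-incident and match IOCs.
Added example (not SecBI pack code). Assumes the context paths documented on
this page and Elasticsearch query_string syntax for `query`; FakeSecBI is a
constructed stand-in for demisto.executeCommand so this runs offline."""
import ipaddress
import re
from typing import Any, Callable, Dict, List

# query_string reserved characters; '<' and '>' cannot be escaped, so drop them.
_QS_RESERVED = re.compile(r'([+\-=&|!(){}\[\]^"~*?:\\/])')


def escape_query_value(value: str) -> str:
    """Neutralise playbook input before embedding it in a hunting query."""
    return _QS_RESERVED.sub(r"\\\1", value.replace("<", "").replace(">", ""))


def severity_query(low: int, high: int = 100) -> str:
    """Bounds-checked severity range query for secbi-get-incidents-list."""
    if not 0 <= low <= high <= 100:
        raise ValueError("need 0 <= low <= high <= 100")
    return f"severity:[{low} TO {high}]"


def _context(entries: List[Dict[str, Any]], path: str) -> Any:
    """Read a context path from result entries; XSOAR may suffix the key with a
    DT selector such as (val.ID == obj.ID), so compare the bare path."""
    for entry in entries:
        if entry.get("Type") == 4:  # error entry: fail loudly, not silently
            raise RuntimeError(f"command failed: {entry.get('Contents')}")
        for key, value in (entry.get("EntryContext") or {}).items():
            if key.split("(")[0] == path:
                return value
    return None


def _as_list(value: Any) -> List[str]:
    """Multi-valued fields render comma-separated; accept a list or a string."""
    if isinstance(value, list):
        return [str(v).strip() for v in value]
    return [v.strip() for v in str(value or "").split(",") if v.strip()]


def _is_routable(ip: str) -> bool:
    """Only public addresses count: the sample SIp list contains 0.0.0.0, and
    such a placeholder must never register as an IOC hit."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def triage(execute: Callable[[str, Dict[str, str]], List[Dict[str, Any]]],
           query: str, limit: int, ioc_hosts: List[str], ioc_ips: List[str]) -> List[Dict[str, Any]]:
    """List incidents for `query`, fetch each, and report those whose destination
    hosts (Host) or public IPs (SIp) intersect the IOC lists."""
    entries = execute("secbi-get-incidents-list", {"query": query, "limit": str(limit)})
    wanted_hosts = {h.lower() for h in ioc_hosts}
    wanted_ips = set(ioc_ips)
    findings = []
    for incident_id in _as_list(_context(entries, "SecBI.IncidentsList")):
        incident = _context(execute("secbi-get-incident", {"incident_id": incident_id}),
                            "SecBI.Incident") or {}
        hosts = {h.lower() for h in _as_list(incident.get("Host"))}
        public_ips = {ip for ip in _as_list(incident.get("SIp")) if _is_routable(ip)}
        matched = sorted(hosts & wanted_hosts) + sorted(public_ips & wanted_ips)
        if matched:
            findings.append({"ID": incident.get("ID", incident_id),
                             "Identity": _as_list(incident.get("Identity")),
                             "InternalIp": _as_list(incident.get("InternalIp")),
                             "Matched": matched})
    return findings


class FakeSecBI:
    """Constructed stand-in for demisto.executeCommand. The first incident is a
    trimmed copy of this page's sample output; the second is invented noise."""
    INCIDENTS = {
        "7899b0ff-810b-4df4-a0e3-806557aecc2e": {
            "ID": "7899b0ff-810b-4df4-a0e3-806557aecc2e", "Identity": "joe@acme.com",
            "Host": "pix.crp.education, www.smooto.com, www.elfri.be",
            "InternalIp": "172.23.152.25, 172.23.152.26",
            "SIp": "141.101.61.31, 0.0.0.0, 52.85.180.177"},
        "3de12111-3b09-45b7-8ac8-6ab88be48b52": {
            "ID": "3de12111-3b09-45b7-8ac8-6ab88be48b52", "Identity": "jane@acme.com",
            "Host": "www.nikon.fr", "InternalIp": "172.23.152.30", "SIp": "0.0.0.0"},
    }

    def __call__(self, command: str, args: Dict[str, str]) -> List[Dict[str, Any]]:
        if command == "secbi-get-incidents-list":
            limit = int(args.get("limit", "100"))
            ids = list(self.INCIDENTS)
            ids = ids if limit < 0 else ids[:limit]
            return [{"Type": 1, "EntryContext": {"SecBI.IncidentsList": ids}}]
        if command == "secbi-get-incident" and args.get("incident_id") in self.INCIDENTS:
            incident = self.INCIDENTS[args["incident_id"]]
            return [{"Type": 1, "EntryContext": {"SecBI.Incident(val.ID == obj.ID)": incident}}]
        return [{"Type": 4, "Contents": f"bad request: {command} {args}"}]


if __name__ == "__main__":
    for hit in triage(FakeSecBI(), severity_query(60), 3,
                      ioc_hosts=["WWW.SMOOTO.COM"], ioc_ips=["0.0.0.0", "52.85.180.177"]):
        print(hit["ID"], hit["Identity"], hit["Matched"])
```

Two details matter in practice. `_is_routable` keeps `0.0.0.0` (present in the sample SIp list) from ever counting as an IOC match, and `escape_query_value` is what to run over any analyst- or playbook-supplied string before interpolating it into the `query` argument, so that a value such as `foo OR severity:[0 TO 100]` cannot widen the hunt. In a real automation, replace `FakeSecBI()` with `demisto.executeCommand`.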