Attivo

Integration version: 5.0

Configure Attivo integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

| Parameter name | Type | Default value | Is mandatory | Description |
| --- | --- | --- | --- | --- |
| API Root | String | https://{{ip address}} | Yes | API root of the Attivo instance. |
| Username | String | N/A | Yes | Attivo API Username. |
| Password | Password | N/A | Yes | Attivo API Password. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Attivo server is valid. |

Actions

Ping

Description

Test connectivity to Attivo with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run on

This action doesn't run on entities.

Action results

Script result
| Script result name | Value options | Example |
| --- | --- | --- |
| is_success | True/False | is_success=False |
Case wall
Result type: Output message* (Type: General)

If successful: "Successfully connected to the Attivo server with the provided connection parameters!"

If not successful: "Failed to connect to the Attivo server! Error: {0}".format(exception.stacktrace)

Enrich Entities

Description

Enrich entities using information from Attivo. Supported entities: Hostname, IP Address.

Parameters

| Parameter name | Type | Default value | Is mandatory | Description |
| --- | --- | --- | --- | --- |
| Include ThreatPaths | Checkbox | Checked | No | If enabled, the action returns information about ThreatPaths related to the entity. |
| Include Vulnerabilities | Checkbox | Checked | No | If enabled, the action returns information about vulnerabilities related to the entity. |
| Include Credential Info | Checkbox | Checked | No | If enabled, the action returns credential information related to the entity. |
| Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight containing all of the retrieved information about the entity. |
| Max ThreatPaths To Return | Integer | 50 | No | Specify the number of ThreatPaths to return per entity. |
| Max Vulnerabilities To Return | Integer | 50 | No | Specify the number of vulnerabilities to return per entity. |
| Max Credentials To Return | Integer | 50 | No | Specify the number of credentials to return per entity. |

Run on

This action runs on the Hostname and IP Address entities.

Action results

Script result
| Script result name | Value options | Example |
| --- | --- | --- |
| is_success | True/False | is_success=False |
JSON result
{
    "upgradeToVersion": null,
    "quarantineStatus": 0,
    "acmId": -1,
    "tostatus": 0,
    "systemtype": "VM",
    "adsErrorMessage": "",
    "accessprotection": false,
    "functionalId": {
        "templateName": null,
        "usersid": null,
        "errorCode": 0,
        "debugInfo": "",
        "userName": "exlab.local\\Administrator",
        "status": null,
        "timestamp": 1636558715000
    },
    "ondAssigned": false,
    "usersInfo": [
        {
            "templateName": "Default_ThreatStrike_Profile:2",
            "usersid": "S-1-5-21-2143737273-3756110848-2070699859-500",
            "errorCode": 0,
            "debugInfo": "Error:0 lsass UnInstallation\\nError:0 webftp UnInstallation\\nError:0 cookies UnInstallation\\nError:0 mstsc UnInstallation\\nError:0 SMB UnInstallation\\nError:0 Web Credential UnInstallation\\nError:0 outlook UnInstallation\\nError:0 iexplorer UnInstallation\\nError:0 Putty UnInstallation\\nError:0 Mozilla UnInstallation\\nError:0 Chrome UnInstallation\\nError:0 FileZilla UnInstallation\\nError:0 lsass UnInstallation\\nError:0 AWS UnInstallation\\nError:0 Telnet UnInstallation\\nError:0 OracleDBClient UnInstallation\\nError:0 IEFavorite UnInstallation\\nError:0 WindowsDNS UnInstallation\\nError:0 RasVPN UnInstallation",
            "userName": "exlab.local\\Administrator",
            "status": "INSTALLED",
            "timestamp": 1636558727000
        }
    ],
    "id": 101,
    "epVersion": "5.0.1.25",
    "activeDirectory": {
        "groups": [
            "Domain Computers"
        ],
        "organizationalUnit": "Computers"
    },
    "installMode": 2,
    "processor_arch": " 64-bit",
    "tdDeflectMessage": "",
    "clientGroupId": "ThreatStrike-Default-Client",
    "deployMode": 0,
    "latestExecutableStatus": "INSTALLED",
    "subscriberId": 1,
    "botsinkDocumentId": 0,
    "executableStatus": [
        {
            "timestamp": 1636558715000,
            "status": "INSTALLED"
        }
    ],
    "processor_cpuSpeed": "2300 MHz",
    "guid": "27f018b6-47c8-4b20-ab62-545c672ddf7cHOST02SMIME",
    "ondMessage": "",
    "debugCollect": false,
    "ondInActive": false,
    "adsstatus": 1,
    "upgradeRequired": false,
    "ondstatus": 0,
    "hostName": "HOST02SMIME",
    "memory": "8190 MB",
    "lastModifiedTime": "2021-11-11T15:41:16.254Z",
    "arstatus": 1,
    "dnsName": "exlab.local",
    "botsinkDeviceId": 0,
    "endpoint_os_type": 1,
    "disabledInClientGroup": false,
    "tddstatus": 1,
    "adsenabled": false,
    "tdDeflectStatus": 0,
    "osType": "Non-Server",
    "featuresstatusforusers": [
        {
            "tddstatus": 1,
            "tsstatus": 1,
            "tostatus": 0,
            "usersid": "S-1-5-21-2143737273-3756110848-2070699859-500",
            "adsstatus": 1,
            "logIn": 1636558717,
            "ondstatus": 0,
            "logOut": 0,
            "tpstatus": 1,
            "live": true,
            "username": "exlab.local\\Administrator"
        }
    ],
    "interfaces": [
        {
            "subnet": "172.30.201.0/24",
            "score": 1400.133919820602,
            "macAddress": "00:50:56:a2:4c:e0",
            "ipAddress": "172.30.201.198",
            "name": "Intel(R) 82574L Gigabit Network Connection",
            "type": "Wired",
            "timestamp": 1636645218000
        }
    ],
    "migrateCL": false,
    "debugStatus": false,
    "osName": "Windows 10 64-bit",
    "uptime": "134836",
    "tsstatus": 1,
    "processor_numOfCpu": 4,
    "newClientGroup": null,
    "tpstatus": 1,
    "threatPaths": [
        {
            "destIp": "172.30.201.198",
            "permissionId": -1,
            "reason": null,
            "srcHostName": "Unmanaged host",
            "acmId": -1,
            "source": null,
            "type": "Paths",
            "permScore": "Medium",
            "cancellable": false,
            "targetScore": "Medium",
            "crRuleName": "System Default: Domain Admin Pilferage",
            "credOuPath": "CN=Users,DC=exlab,DC=local",
            "submissionId": -1,
            "credAcctStatus": "Enabled",
            "credential": "exlab.local\\administrator",
            "srcId": "dummy-endpoint-1SUB1"
        }
    ],
    "vulnerabilities": [
        "More than two Administrators were found on this computer",
        "Presence of local administrative privileges for domain user account"
    ],
    "credentials": [
        {
            "isDeceptive": true,
            "service": "putty",
            "domain": "EXLAB-W10H66.exlab.local\\accessDBuser",
            "serverIp": "EXLAB-W10H66.exlab.local",
            "isShortcut": false
        },
        {
            "isDeceptive": true,
            "service": "putty",
            "domain": "EXLAB-W10H77.exlab.local\\accessDBadm",
            "serverIp": "EXLAB-W10H77.exlab.local",
            "isShortcut": false
        }
    ]
}
Enrichment Table

| Enrichment field name | Logic - When to apply |
| --- | --- |
| os | When available in JSON |
| ip | When available in JSON |
| mac | When available in JSON |
| hostname | When available in JSON |
| users | When available in JSON |
| type | When available in JSON |
| uptime | When available in JSON |
| num_threatpaths | When available in JSON |
| num_vulnerabilities | When available in JSON |
| num_deceptive_creds | When available in JSON |
| num_real_creds | When available in JSON |
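As an added example (not code from the integration, from Google, or from Attivo), the following Python builds the enrichment fields listed above from an endpoint record shaped like the JSON result, honouring the "Max ... To Return" limits and the "is_success" rules from the Case wall section. The mapping from JSON keys to enrichment fields (osName to os, interfaces[].ipAddress to ip, usersInfo[].userName to users, and so on), the decision to count only the items that would be returned, and the function names are assumptions of this example; the page only names the fields and says each is set when available in the JSON.

```python
import json

# Constructed sample: a trimmed copy of the Enrich Entities JSON result shown on this page.
SAMPLE_ENDPOINT_JSON = r"""
{
  "systemtype": "VM",
  "usersInfo": [{"userName": "exlab.local\\Administrator", "status": "INSTALLED"}],
  "hostName": "HOST02SMIME",
  "osName": "Windows 10 64-bit",
  "uptime": "134836",
  "interfaces": [{"macAddress": "00:50:56:a2:4c:e0", "ipAddress": "172.30.201.198", "type": "Wired"}],
  "threatPaths": [{"crRuleName": "System Default: Domain Admin Pilferage", "service": "RDP Memory Credential"}],
  "vulnerabilities": [
    "More than two Administrators were found on this computer",
    "Presence of local administrative privileges for domain user account"
  ],
  "credentials": [
    {"isDeceptive": true, "service": "putty", "domain": "EXLAB-W10H66.exlab.local\\accessDBuser"},
    {"isDeceptive": true, "service": "putty", "domain": "EXLAB-W10H77.exlab.local\\accessDBadm"}
  ]
}
"""
SAMPLE_ENDPOINT = json.loads(SAMPLE_ENDPOINT_JSON)


def build_enrichment(endpoint, max_threatpaths=50, max_vulnerabilities=50, max_credentials=50):
    """Return {enrichment_field: value} for one entity.

    A field is emitted only when its backing key carries data, which mirrors the
    "When available in JSON" rule of the enrichment table. The counters look at
    no more items than the Max ... To Return limits allow (assumed semantics).
    """
    enrichment = {}

    def put(field, value):
        if value not in (None, "", [], {}):
            enrichment[field] = value

    # Assumed key mapping: scalar fields.
    put("os", endpoint.get("osName"))
    put("hostname", endpoint.get("hostName"))
    put("type", endpoint.get("systemtype"))
    put("uptime", endpoint.get("uptime"))

    # Assumed key mapping: list-valued fields are flattened to comma-separated strings.
    interfaces = endpoint.get("interfaces") or []
    put("ip", ", ".join(i["ipAddress"] for i in interfaces if i.get("ipAddress")))
    put("mac", ", ".join(i["macAddress"] for i in interfaces if i.get("macAddress")))
    users = endpoint.get("usersInfo") or []
    put("users", ", ".join(u["userName"] for u in users if u.get("userName")))

    # Counters, limited to what the action would return for the entity.
    if "threatPaths" in endpoint:
        enrichment["num_threatpaths"] = len((endpoint["threatPaths"] or [])[:max_threatpaths])
    if "vulnerabilities" in endpoint:
        enrichment["num_vulnerabilities"] = len((endpoint["vulnerabilities"] or [])[:max_vulnerabilities])
    if "credentials" in endpoint:
        creds = (endpoint["credentials"] or [])[:max_credentials]
        enrichment["num_deceptive_creds"] = sum(1 for c in creds if c.get("isDeceptive"))
        enrichment["num_real_creds"] = sum(1 for c in creds if not c.get("isDeceptive"))
    return enrichment


def enrich_entities(records_by_entity, **limits):
    """Enrich every entity and apply the Case wall success rules.

    records_by_entity maps an entity identifier to its Attivo record, or to None
    when Attivo returned nothing for it. Returns (enriched, not_enriched,
    is_success); is_success is False only when no entity could be enriched.
    """
    enriched, not_enriched = {}, []
    for identifier, record in records_by_entity.items():
        data = build_enrichment(record, **limits) if record else {}
        if data:
            enriched[identifier] = data
        else:
            not_enriched.append(identifier)
    return enriched, not_enriched, bool(enriched)


if __name__ == "__main__":
    enriched, missed, ok = enrich_entities({"HOST02SMIME": SAMPLE_ENDPOINT, "10.0.0.9": None})
    print(json.dumps(enriched, indent=2), missed, ok)
```

The same dictionary can feed the "Key / Value" Case Wall Table: each enrichment field becomes one row, and the list of identifiers in `not_enriched` is what the "Action wasn't able to enrich the following entities" message reports.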
Case wall
Result type: Output message* (Type: General)

The action should not fail nor stop a playbook execution:

If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from Attivo: {entity.identifier}".

If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from Attivo: {entity.identifier}".

If data is not available for all entities (is_success=false): "None of the provided entities were enriched."

The action should fail and stop a playbook execution:

If a fatal error, such as wrong credentials, no connection to the server, or other, is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)
Result type: Case Wall Table (Type: Entity)

Table Title: {entity.identifier}

Table Columns:

  • Key
  • Value

Result type: Case Wall Table (Type: General)

(If vulnerabilities are available)

Table Name: {entity identifier} Vulnerabilities

Table Column: Name

Result type: Case Wall Table (Type: General)

(If ThreatPaths are available)

Table Name: {entity identifier} ThreatPaths

Table Columns:

  • Dest IP
  • Src IP
  • Src Host
  • Dest Host
  • Name
  • Credential
  • Description
  • Critical
  • Severity
  • Service
  • Category

Result type: Case Wall Table (Type: General)

(If credentials are available)

Table Name: {entity identifier} Credentials

Table Columns:

  • Deceptive
  • Service
  • Domain
  • Server IP
  • Shortcut

List Critical ThreatPath

Description

List available critical ThreatPaths in Attivo.

Parameters

| Parameter name | Type | Default value | Is mandatory | Description |
| --- | --- | --- | --- | --- |
| Filter Key | DDL | Select One | No | Specify the key that needs to be used to filter critical paths. Possible values: Rule Name, Service, Severity, Description, Category. |
| Filter Logic | DDL | Not Specified | No | Specify the filter logic that should be applied. Filtering logic works based on the value provided in the "Filter Key" parameter. Possible values: Not Specified, Equal, Contains. |
| Filter Value | N/A | N/A | No | Specify the value that should be used in the filter. If "Equal" is selected, the action tries to find the exact match among results. If "Contains" is selected, the action tries to find results that contain the provided substring. If nothing is provided in this parameter, the filter is not applied. Filtering logic works based on the value provided in the "Filter Key" parameter. |
| Max Records To Return | Integer | 50 | No | Specify the number of records to return. If nothing is provided, the action returns 50 records. |
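As an added example (not the integration's or Attivo's own code), the following Python implements the parameter rules above for records shaped like the JSON result of this action: "Equal" is an exact match, "Contains" is a substring match, an empty "Filter Value" skips the filter, "Select One" combined with "Equal" or "Contains" is an error, and "Max Records To Return" must be a positive number and defaults to 50. The mapping from the "Filter Key" display values to JSON keys (crRuleName, service, severity, desc, category), the check on the "critical" flag, and the function names are assumptions of this example; the sample records are constructed, with the first mirroring the page's own result.

```python
# Assumed mapping from the "Filter Key" display values to keys of the JSON result.
FILTER_KEY_TO_JSON = {
    "Rule Name": "crRuleName",
    "Service": "service",
    "Severity": "severity",
    "Description": "desc",
    "Category": "category",
}
ACTION_NAME = "List Critical ThreatPath"

# Constructed sample ThreatPaths; the first mirrors the record in the JSON result on this page.
SAMPLE_PATHS = [
    {"crRuleName": "System Default: Domain Admin Pilferage", "service": "RDP Memory Credential",
     "severity": "High", "category": "Saved credential", "critical": True,
     "desc": "rdp Active logon session for exlab.local\\administrator at Unmanaged OU/172.16.30.5."},
    {"crRuleName": "Constructed: Share Exposure", "service": "SMB", "severity": "Medium",
     "category": "Share", "critical": True, "desc": "constructed critical SMB path"},
    {"crRuleName": "Constructed: Share Exposure", "service": "SMB", "severity": "Low",
     "category": "Share", "critical": False, "desc": "constructed non-critical path"},
]


def parse_max_records(value, default=50):
    """Max Records To Return: empty means 50; anything else must be a positive integer."""
    if value in (None, ""):
        return default
    try:
        number = int(value)
    except (TypeError, ValueError):
        number = 0
    if number <= 0:
        raise ValueError('Error executing action "{}". Reason: Invalid value was provided for '
                         '"Max Records to Return": {}. Positive number should be provided'
                         .format(ACTION_NAME, value))
    return number


def filter_critical_paths(paths, filter_key="Select One", filter_logic="Not Specified",
                          filter_value="", max_records=""):
    """Apply the Filter Key / Filter Logic / Filter Value rules and the record limit.

    Returns (selected_paths, notes); notes carries the informational message the
    action reports when the filter is skipped because "Filter Value" is empty.
    """
    limit = parse_max_records(max_records)
    notes = []
    apply_filter = filter_logic in ("Equal", "Contains")

    if apply_filter and filter_key == "Select One":
        raise ValueError('Error executing action "{}". Reason: you need to select a field '
                         'from the "Filter Key" parameter.'.format(ACTION_NAME))
    if apply_filter and not filter_value:
        notes.append('The filter was not applied, because parameter "Filter Value" has an empty value.')
        apply_filter = False
    if apply_filter and filter_key not in FILTER_KEY_TO_JSON:
        raise ValueError("Unknown Filter Key: {}".format(filter_key))

    selected = []
    for path in paths:
        if not path.get("critical", False):   # assumed: only paths flagged critical are listed
            continue
        if apply_filter:
            actual = str(path.get(FILTER_KEY_TO_JSON[filter_key]) or "")
            if filter_logic == "Equal" and actual != filter_value:
                continue
            if filter_logic == "Contains" and filter_value not in actual:
                continue
        selected.append(path)
        if len(selected) >= limit:
            break
    return selected, notes


def output_message(selected):
    """Success / no-data message from the Case wall rules of this action."""
    if selected:
        return "Successfully found critical ThreatPaths for the provided criteria in Attivo"
    return "No ThreatPaths were found for the provided criteria in Attivo"


if __name__ == "__main__":
    found, notes = filter_critical_paths(SAMPLE_PATHS, "Service", "Contains", "Memory", "10")
    print(output_message(found), [p["crRuleName"] for p in found], notes)
```

Note that "Equal" is case-sensitive here, so filtering the Service key for "smb" matches nothing while "SMB" matches; if a playbook feeds the filter from user-entered data, normalise the case before calling the action.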

Run on

This action doesn't run on entities.

Action results

Script result
| Script result name | Value options | Example |
| --- | --- | --- |
| is_success | True/False | is_success=False |
JSON Result
{
    "criticalPaths": [
        {
            "destIp": "172.30.201.198",
            "permissionId": -1,
            "reason": null,
            "srcHostName": "Unmanaged host",
            "acmId": -1,
            "source": null,
            "type": "Paths",
            "permScore": "Medium",
            "cancellable": false,
            "targetScore": "Medium",
            "crRuleName": "System Default: Domain Admin Pilferage",
            "credOuPath": "CN=Users,DC=exlab,DC=local",
            "submissionId": -1,
            "credAcctStatus": "Enabled",
            "credential": "exlab.local\\administrator",
            "srcId": "dummy-endpoint-1SUB1",
            "destHostName": "HOST02SMIME",
            "cid2": "rdp1",
            "id": "Unmanaged host172.16.30.5HOST02SMIME172.30.201.198RDP Memory Credentialexlab.local\\administratorPaths",
            "srcIp": "172.16.30.5",
            "firstSeen": 1636667535105,
            "credDept": null,
            "subscriberId": 1,
            "remediable": false,
            "credLastPswResetTime": 1620201383000,
            "credLastLogonTime": 1636729127000,
            "moretarget": false,
            "destId": "27f018b6-47c8-4b20-ab62-545c672ddf7cHOST02SMIME:S-1-5-21-2143737273-3756110848-2070699859-500",
            "shareName": null,
            "desc": "rdp Active logon session for exlab.local\\administrator at Unmanaged OU/172.16.30.5 (unmanaged host). Potential movement to Computers/HOST02SMIME.",
            "cid": "rdp0",
            "permissionName": "",
            "destOu": "Computers",
            "critical": true,
            "isgrouppath": false,
            "credUpn": "Administrator@exlab.local",
            "credCreatedTime": 1610374114000,
            "memberList": null,
            "memberOf": null,
            "remediateStatus": null,
            "severity": "High",
            "srcOu": "Unmanaged",
            "target": "HOST02SMIME(172.30.201.198)",
            "loggedOn": false,
            "credSamAcctName": "Administrator",
            "service": "RDP Memory Credential",
            "credDisplayName": null,
            "ukey": null,
            "category": "Saved credential"
        }
    ]
}
Case wall
Result type: Output message* (Type: General)

The action should not fail nor stop a playbook execution:

If data is available (is_success=true): "Successfully found critical ThreatPaths for the provided criteria in Attivo".

If data is not available (is_success=false): "No ThreatPaths were found for the provided criteria in Attivo".

If the "Filter Value" parameter is empty (is_success=true): "The filter was not applied, because parameter "Filter Value" has an empty value."

The action should fail and stop a playbook execution:

If the "Filter Key" parameter is set to "Select One" and the "Filter Logic" parameter is set to "Equal" or "Contains": "Error executing action "{action name}". Reason: you need to select a field from the "Filter Key" parameter."

If an invalid value is provided for the "Max Records to Return" parameter: "Error executing action "{action name}". Reason: "Invalid value was provided for "Max Records to Return": . Positive number should be provided"."

If a fatal error, such as wrong credentials, no connection to the server, or other, is reported: "Error executing action "{action name}". Reason: {0}''.format(error.Stacktrace)

Result type: Case Wall Table (Type: Entity)

Table Name: {entity identifier} ThreatPaths

Table Columns:

  • Dest IP
  • Src IP
  • Src Host
  • Dest Host
  • Name
  • Credential
  • Description
  • Critical
  • Severity
  • Service
  • Category

List Vulnerability Hosts

Description

List hosts related to the vulnerability in Attivo.

Parameters

| Parameter name | Type | Default value | Is mandatory | Description |
| --- | --- | --- | --- | --- |
| Vulnerabilities | CSV | N/A | Yes | Specify a comma-separated list of vulnerabilities for which the action needs to return hostnames. |
| Max Hosts To Return | Integer | 50 | No | Specify the number of hosts to return. If nothing is provided, the action returns 50 hosts. |

Run on

This action doesn't run on entities.

Action results

Script result
| Script result name | Value options | Example |
| --- | --- | --- |
| is_success | True/False | is_success=False |
JSON result
[
    {
        "vulnerability": "Presence of local administrative privileges for domain user account",
        "hostNames": [
            "HOST02SMIME"
        ]
    }
]
Case wall
Result type: Output message* (Type: General)

The action should not fail nor stop a playbook execution:

If data is available for one vulnerability (is_success=true): "Successfully retrieved hosts for the following vulnerabilities: {vulnerabilities}".

If no hosts are related to one vulnerability (is_success=true): "No hosts were found for the following vulnerabilities: {vulnerabilities}"

If no hosts are related to any of the vulnerabilities (is_success=false): "No hosts were found for the provided vulnerabilities."

If the response is "{}" for one vulnerability (is_success=true): "Action wasn't able to retrieve information about hosts for the following vulnerabilities: {vulnerabilities}"

If the response is "{}" for all vulnerabilities (is_success=false): "Action wasn't able to retrieve information about hosts for the provided vulnerabilities."

The action should fail and stop a playbook execution:

If a fatal error, such as wrong credentials, no connection to the server, or other, is reported: "Error executing action "{action name}". Reason: {0}''.format(error.Stacktrace)

Result type: Case Wall Table (Type: Entity)

Table Name: {Vulnerability Name i}

Table Columns: Name

List Service ThreatPaths

Description

List ThreatPaths related to services in Attivo.

Parameters

| Parameter name | Type | Default value | Is mandatory | Description |
| --- | --- | --- | --- | --- |
| Services | CSV | N/A | Yes | Specify a comma-separated list of services for which the action needs to return ThreatPaths. |
| Max ThreatPaths To Return | Integer | 50 | No | Specify the number of ThreatPaths to return. If nothing is provided, the action returns 50 ThreatPaths. |

Run on

This action doesn't run on entities.

Action results

Script result
| Script result name | Value options | Example |
| --- | --- | --- |
| is_success | True/False | is_success=False |
JSON result
[
    {
        "service": "Web",
        "paths": [
            "HOST02SMIME"
        ]
    }
]
Case wall
Result type: Output message* (Type: General)

The action should not fail nor stop a playbook execution:

If data is available (is_success=true): "Successfully retrieved ThreatPaths for the following services in Attivo: {services}."

If no data is available for one service: "No ThreatPaths were found for the following services in Attivo: {services}."

If no data is available for all services: "No ThreatPaths were found for the provided services in Attivo."

The action should fail and stop a playbook execution:

If a fatal error, such as wrong credentials, no connection to the server, or other, is reported: "Error executing action "{action name}". Reason: {0}''.format(error.Stacktrace)

Result type: Case Wall Table (Type: Entity)

Table Name: {entity identifier} ThreatPaths

Table Columns:

  • Dest IP
  • Src IP
  • Src Host
  • Dest Host
  • Name
  • Credential
  • Description
  • Severity
  • Service
  • Category

Update Event

Description

Update event in Attivo.

Parameters

| Parameter name | Type | Default value | Is mandatory | Description |
| --- | --- | --- | --- | --- |
| Event ID | String | N/A | Yes | Specify the ID of the event that needs to be updated. |
| Status | DDL | Select One | No | Specify the status for the event. Possible values: Acknowledge, Unacknowledge. |
| Comment | String | N/A | No | Specify a comment that needs to be added to the event. |

Run on

This action doesn't run on entities.

Action results

Script result
| Script result name | Value options | Example |
| --- | --- | --- |
| is_success | True/False | is_success=False |
Case Wall
Result type: Output message* (Type: General)

The action should not fail nor stop a playbook execution:

If the 200 status code is reported (is_success=true): "Successfully updated the event with ID "{event_id}" in Attivo."

The action should fail and stop a playbook execution:

If a fatal error, such as wrong credentials, no connection to the server, or other, is reported: "Error executing action "Update Event". Reason: {0}''.format(error.Stacktrace)

If "Select One" is selected for "Status" and "Comment" is not provided: "Error executing action "Update Event". Reason: at least one of the parameters "Status" or "Comment" should have a value."

Connector

Attivo - Events Connector

Description

Pull events from Attivo into Google Security Operations SOAR.

Configure Attivo - Events Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

| Parameter name | Type | Default value | Is mandatory | Description |
| --- | --- | --- | --- | --- |
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | attackName | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the Python process running the current script. |
| API Root | String | https://{{ip address}} | Yes | API root of the Attivo instance. |
| Username | String | N/A | Yes | Attivo API Username. |
| Password | Password | N/A | | Attivo API Password. |
| Status Filter | String | All | Yes | Status filter for the connector. Possible values: unacknowledged, acknowledged, all. |
| Lowest Severity To Fetch | String | Medium | No | Severity that will be used to fetch events. If nothing is specified, the connector ingests all events. Possible values: System Activity, Very Low, Low, Medium, High, Very High. |
| Max Hours Backwards | Integer | 1 | No | Amount of hours from where to fetch events. |
| Max Events To Fetch | Integer | 100 | No | How many events to process per one connector iteration. Maximum is 1000. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, the whitelist will be used as a blacklist. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Attivo server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
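As an added example (not the connector's, Google's, or Attivo's own code), the following Python applies the selection rules the parameters above describe to constructed events: the Status Filter, Lowest Severity To Fetch in the order listed in the table, Max Hours Backwards, the 1000 cap on Max Events To Fetch, the "Use whitelist as a blacklist" switch matched against the Event Field Name value, and the Environment Field Name / Environment Regex Pattern rules. Event key names other than attackName, the default environment name, the oldest-first ordering, the use of the first capture group when the pattern has one, and the fallback when the pattern does not match are assumptions of this example.

```python
import re

SEVERITY_ORDER = ["System Activity", "Very Low", "Low", "Medium", "High", "Very High"]
MAX_EVENTS_LIMIT = 1000                       # table: "Maximum is 1000"
DEFAULT_MAX_EVENTS = 100                      # table default for Max Events To Fetch
DEFAULT_ENVIRONMENT = "Default Environment"   # assumed label for the SOAR default environment

NOW = 1636730000   # constructed reference time (epoch seconds)
# Constructed events. "attackName" is the page's default Event Field Name; the keys
# timestamp, status, severity and customer are assumed for this example.
SAMPLE_EVENTS = [
    {"timestamp": NOW - 600, "status": "unacknowledged", "severity": "High",
     "attackName": "RDP Memory Credential", "customer": "exlab-prod"},
    {"timestamp": NOW - 1200, "status": "acknowledged", "severity": "Medium",
     "attackName": "SMB Share Access", "customer": "exlab-dev"},
    {"timestamp": NOW - 1800, "status": "unacknowledged", "severity": "Low",
     "attackName": "Port Scan", "customer": "exlab-prod"},
    {"timestamp": NOW - 7200, "status": "unacknowledged", "severity": "Very High",
     "attackName": "Credential Theft", "customer": None},
]


def severity_rank(name):
    """Position of a severity in the page's ordering; raises on unknown names."""
    return SEVERITY_ORDER.index(name)


def clamp_max_events(value):
    """Max Events To Fetch: empty means 100, and the connector never exceeds 1000."""
    if value in (None, ""):
        return DEFAULT_MAX_EVENTS
    return max(1, min(int(value), MAX_EVENTS_LIMIT))


def resolve_environment(event, field_name, pattern=".*", default=DEFAULT_ENVIRONMENT):
    """Environment Field Name + Environment Regex Pattern rules from the table."""
    if not field_name or event.get(field_name) is None or not pattern:
        return default                         # missing field, null value or empty pattern
    match = re.search(pattern, str(event[field_name]))
    if not match:
        return default                         # assumed: an unmatched pattern also falls back
    return match.group(1) if match.lastindex else match.group(0)


def select_events(events, now=NOW, status_filter="All", lowest_severity="Medium",
                  max_hours_backwards=1, max_events=DEFAULT_MAX_EVENTS,
                  whitelist=(), whitelist_as_blacklist=False, event_field="attackName"):
    """Return the events one connector iteration would ingest, oldest first."""
    limit = clamp_max_events(max_events)
    cutoff = now - max_hours_backwards * 3600
    min_rank = severity_rank(lowest_severity) if lowest_severity else 0   # empty: ingest all
    wanted_status = status_filter.lower()
    listed_names = set(whitelist)
    selected = []
    for event in sorted(events, key=lambda e: e["timestamp"]):
        if event["timestamp"] < cutoff:
            continue
        if wanted_status != "all" and event["status"].lower() != wanted_status:
            continue
        if severity_rank(event["severity"]) < min_rank:
            continue
        if listed_names:
            listed = event.get(event_field) in listed_names
            # whitelist: drop events not on the list; blacklist: drop events on the list
            if listed == whitelist_as_blacklist:
                continue
        selected.append(event)
        if len(selected) >= limit:
            break
    return selected


if __name__ == "__main__":
    for ev in select_events(SAMPLE_EVENTS, max_hours_backwards=3):
        print(ev["attackName"], ev["severity"], resolve_environment(ev, "customer", r"exlab-(\w+)"))
```

Two practical consequences follow from the rules: a Lowest Severity of "Medium" silently drops "Low" and "Very Low" events, so a detection engineer who wants Attivo's low-severity deception hits in the SIEM must lower the threshold, and because the whitelist is keyed on the Event Field Name value, a renamed attack type in Attivo will fall out of a whitelist without any error being raised.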

Connector Rules

Proxy Support

The connector supports Proxy.