SECDO Integrations v1.1
Resolution
Introducing SECDO
SECDO is the first and only preemptive incident response solution. From a single platform, it empowers security and IR teams to slash incident response time to minutes, gain complete endpoint visibility and improve cyber defenses to prevent future attacks.
SECDO provides unmatched thread-level host visibility by continuously recording and storing all host forensic data and automatically analyzing it with the SECDO Causality Analysis Engine™ to create causality chains. Alerts from any source are manually or automatically ingested into SECDO, correlated with the already-established causality chains and are instantly put into context, resulting in a forensic timeline of all entities involved in the attack, a visual attack chain back to the root cause, accurate damage assessment, entities involved, infected endpoints and servers (“hosts”), behaviors and more. Analysts can instantly validate alerts because they have conclusive answers to all questions and immediately understand the “who, what, where, when and how” behind every alert.
With a complete analysis of exactly how hosts were compromised, SECDO enables containment and remediation of threats in minutes. Through a powerful set of real-time, granular response tools – including freezing processes and isolating hosts – analysts can run commands and code interactively on any host and perform memory forensics remotely. SECDO enables rapid and surgical response and remediation on any endpoint without impacting business productivity.
Armed with a conclusive understanding of the attack, including the timeline of the breach, root cause and damage assessment, security teams gain a complete understanding of the gaps in their defenses and how to close them to prevent future attacks.
Integrations
Today, cyber threats are coming at us from all angles and attacking us at many different points. To protect our intellectual property, personal data, and other digital valuables, we deploy numerous cyber security systems to watch over our networks, endpoints, servers, and other targets. In order to provide a comprehensive cyber security ecosystem, disparate systems often need to be integrated.
SECDO was designed to enable easy integration with myriad cyber security systems such as AVs, firewalls and SIEMs. Users of SECDO can easily implement uni- or bi-directional communications that share critical security data, such as alerts, to improve overall cyber defenses.
In addition, SECDO provides integration capabilities that enable IT and cyber security teams to query the SECDO database from external systems.
This document describes two of the interfaces that are available:
- Using the Application Program Interface (API) to conduct a SECDO investigation on alerts generated from an external application
- Querying SECDO via URL
Application Program Interface (API)
SECDO customers often want to use SECDO's unique capability to correlate alerts generated from 3rd-party systems with its stored endpoint data to give security analysts the complete forensic picture that leads to proper analysis, validation and response to cyber incidents.
This section describes how to investigate alerts within SECDO from external systems using the SECDO REST API.
Via the API, you can send alerts from security products—AVs, IPS, etc.—to SECDO to investigate them automatically using the data collected by SECDO from endpoints and servers.
An Example Using Palo Alto Networks
The Palo Alto Networks gateway service generates an alert on an endpoint in the LAN that is trying to connect to an online proxy service. Palo Alto has blocked the connection.
The alert can be posted to SECDO using the public API.
{
  "company": "secdo",
  "apikey": "b9cbe23a2c0acaa61c40abef3c792a83f302adb15649fe19bf73402e253dfd16",
  "timestamp": "1490209247000",
  "vendor": "Palo Alto Networks",
  "product": "PAN-OS",
  "source_port": "59661",
  "destination_ip": "66.186.100.181",
  "source_ip": "192.168.204.133",
  "destination_port": "9000",
  "type": "OutgoingConnectionEvent",
  "severity": "LOW",
  "event_id": "871151"
}
SECDO will match and correlate the data from the PAN alert with the data that the SECDO agent has collected from the endpoint that initiated the connection to the proxy service.
By navigating to the SECDO Alerts screen, the analyst can view alerts. Palo Alto Networks alerts are clearly marked in the VENDOR column.
Right-clicking on any alert that came into SECDO from Palo Alto Networks allows the analyst to see the full causality chain that led up to the alert.
On the right side of the Graph, the analyst can see the alert that was reported by Palo Alto Networks, and the complete causality chain leading up to the connection attempt as collected by the SECDO agent from the endpoint. With this data in a simple graphic format, the analyst can quickly understand the attack and perform an accurate response.
Types of Investigations
The API currently supports two types of investigation within the SECDO system:
- Network events
- File/Process events
API for Network Event Investigations
The API for network events enables an automated investigation within SECDO based on a network event. Systems that commonly generate this type of event are FW, IPS, Web Gateway, etc.
Post to SECDO like this: https://secdo-server/publicapi/v2/enrich_with_secdo/
The data posted to SECDO contains the following attributes:
| Attribute | Description |
|---|---|
| company | Your company or organization name, as shown in the SECDO UI (mandatory) |
| apikey | Key obtained from SECDO Support (mandatory). Note: open a ticket at the SECDO Support Center (secdo.desk.com) to obtain this key |
| timestamp | Timestamp of the alert: UTC (Epoch) timestamp in milliseconds (mandatory) |
| vendor | Vendor of the product that generated the alert (mandatory) |
| product | Product that generated the alert (e.g., Palo Alto Networks) (mandatory) |
| source_port | Source port of the communication |
| destination_ip | Destination IP of the communication (mandatory) |
| source_ip | Source IP of the communication (mandatory) |
| destination_port | Destination port of the communication (mandatory) |
| type | Event type (mandatory); the network examples in this document use OutgoingConnectionEvent |
| severity | Severity of the alert; the examples in this document use LOW and HIGH |
| event_id | Event id of the alert |
Example
{
  "company": "secdo",
  "apikey": "b9cbe23a2c0acaa61c40abef3c792a83f302adb15649fe19bf73402e253dfd16",
  "timestamp": "1493209485000",
  "vendor": "Check Point",
  "product": "FireWall-1 GX",
  "source_port": "59661",
  "destination_ip": "137.254.120.31",
  "source_ip": "192.168.52.131",
  "destination_port": "80",
  "type": "OutgoingConnectionEvent",
  "severity": "HIGH",
  "event_id": "1674573196751"
}
API for File and Process Event Investigations
The API for file and process events enables an automated investigation within SECDO based on a file path or MD5 on a specific machine. Systems that commonly generate this type of event are AV, EPP, NGAV, HIPS, etc.
Post to SECDO like this: https://secdo-server/publicapi/v2/enrich_with_secdo/
The data posted to SECDO contains the following attributes:
| Attribute | Description |
|---|---|
| company | Your company or organization name, as shown in the SECDO UI (mandatory) |
| apikey | Key obtained from SECDO Support (mandatory). Note: open a ticket at the SECDO Support Center (secdo.desk.com) to obtain this key |
| timestamp | Timestamp of the alert: UTC (Epoch) timestamp in milliseconds (mandatory) |
| vendor | Vendor of the product that generated the alert (mandatory) |
| product | Product that generated the alert (e.g., Palo Alto Networks) (mandatory) |
| agent_ip | Host on which the file was reported (mandatory) |
| file_path | Full file path (mandatory) |
| type | Must be SuspiciousFileEvent (mandatory) |
| severity | Severity of the alert; the examples in this document use LOW and HIGH |
| event_id | Event id of the alert |
Example
{
  "company": "secdo",
  "apikey": "b9cbe23a2c0acaa61c40abef3c792a83f302adb15649fe19bf73402e253dfd16",
  "timestamp": "1493209485000",
  "vendor": "McAfee",
  "product": "ePO",
  "agent_ip": "192.168.52.131",
  "file_path": "c:\\temp\\55\\pageant.exe",
  "type": "SuspiciousFileEvent",
  "severity": "HIGH",
  "event_id": "1674573196751"
}
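The two attribute tables above are the contract an integration has to meet, and the cheapest place to catch a malformed alert is before it is posted. The following Python 3 example is added here and is not SECDO's own code: it encodes the mandatory and optional attributes of both event types exactly as the tables list them, normalises the timestamp to the epoch-millisecond form the API requires, and only then builds the payload. The attribute and event type names come from this document; the function names (to_epoch_ms, build_alert, post_alert), the SECDO_API_KEY environment variable and the "secdo-server" host are assumptions made for this example.

```python
# Added example: build and locally validate enrich_with_secdo payloads.
# Not SECDO's own code. Attribute names, event types and the endpoint path
# come from the tables in this document; to_epoch_ms, build_alert, post_alert
# and the SECDO_API_KEY variable are names chosen for this example.
import json
import os
from datetime import datetime
from urllib import request

# "secdo-server" is the placeholder host used throughout this document.
ENDPOINT = "https://secdo-server/publicapi/v2/enrich_with_secdo/"

# Attributes every alert carries (from both tables). 'type' is set by build_alert.
COMMON_REQUIRED = {"company", "apikey", "timestamp", "vendor", "product", "severity"}
COMMON_OPTIONAL = {"event_id"}

# Per-type attributes from the network and file/process tables.
EVENT_SCHEMAS = {
    "OutgoingConnectionEvent": {
        "required": {"source_ip", "destination_ip", "destination_port"},
        "optional": {"source_port"},
    },
    "SuspiciousFileEvent": {
        "required": {"agent_ip", "file_path"},
        "optional": set(),
    },
}


def to_epoch_ms(when):
    """Normalise a timestamp to the UTC epoch-milliseconds string the API expects.

    Accepts a 13-digit epoch-ms value, a 10-digit epoch-seconds value, an
    ISO 8601 string with an explicit offset (or a trailing 'Z'), or an aware datetime.
    """
    if isinstance(when, datetime):
        if when.tzinfo is None:
            raise ValueError("naive datetime: an explicit timezone is required")
        return str(int(when.timestamp() * 1000))
    text = str(when).strip()
    if text.isdigit():
        if len(text) == 13:
            return text
        if len(text) == 10:          # seconds -> milliseconds
            return text + "000"
        raise ValueError("epoch value must have 10 (s) or 13 (ms) digits: %r" % text)
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return to_epoch_ms(parsed)


def build_alert(event_type, **fields):
    """Assemble the payload for one event type.

    Rejects unknown types, missing mandatory attributes and attributes the type
    does not accept, so a malformed alert never leaves the integration host.
    """
    if event_type not in EVENT_SCHEMAS:
        raise ValueError("unsupported type %r" % event_type)
    schema = EVENT_SCHEMAS[event_type]
    required = COMMON_REQUIRED | schema["required"]
    allowed = required | COMMON_OPTIONAL | schema["optional"]
    provided = set(fields)
    missing = sorted(required - provided)
    unknown = sorted(provided - allowed)
    if missing:
        raise ValueError("missing mandatory attribute(s): " + ", ".join(missing))
    if unknown:
        raise ValueError("attribute(s) not accepted for %s: %s" % (event_type, ", ".join(unknown)))
    payload = {name: str(value) for name, value in fields.items()}
    payload["timestamp"] = to_epoch_ms(fields["timestamp"])
    payload["type"] = event_type
    return payload


def post_alert(payload, endpoint=ENDPOINT, opener=request.urlopen):
    """POST the payload as JSON and return the decoded response body."""
    req = request.Request(endpoint, data=json.dumps(payload).encode("utf-8"),
                          headers={"Content-Type": "application/json"})
    with opener(req) as response:
        return json.loads(response.read().decode("utf-8"))


if __name__ == "__main__":
    # The key is read from the environment (assumed variable name) rather than
    # passed on the command line, where it would show up in process listings
    # and shell history.
    alert = build_alert(
        "OutgoingConnectionEvent",
        company="secdo",
        apikey=os.environ.get("SECDO_API_KEY", "<api key from SECDO Support>"),
        timestamp="2017-03-22T19:00:47Z",     # converted to 1490209247000
        vendor="Palo Alto Networks", product="PAN-OS",
        source_ip="192.168.204.133", source_port="59661",
        destination_ip="66.186.100.181", destination_port="9000",
        severity="LOW", event_id="871151",
    )
    print(json.dumps(alert, indent=2))
    # post_alert(alert)   # enable once SECDO_API_KEY and the server address are set
```

build_alert deliberately refuses attributes that belong to the other event type (an agent_ip on a network event, for example), because the tables define them as separate schemas and a silently accepted extra field is the usual sign of an integration mapping the wrong product to the wrong endpoint type.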
Full Python Script
You can use a Python script to interact with the API.
Example:
import json
import datetime
import sys
from pprint import pprint
from urllib import request  # Python 3 standard library

# Parsing of incoming data from the command line.
# Just call the .py script with the parameters (examples at the end of the script).
alertType = str(sys.argv[1])
alertTime = str(sys.argv[2])  # must be epoch in milliseconds; if not epoch, additional processing is needed
alertVendor = str(sys.argv[3])
alertProduct = str(sys.argv[4])
alertEventId = str(sys.argv[5])
alertSeverity = str(sys.argv[6])
secdoKey = str(sys.argv[7])
secdoCompany = str(sys.argv[8])

if "SuspiciousFileEvent" in alertType:
    # handles file-related alerts
    alertAgentIP = str(sys.argv[9])
    alertFilePath = str(sys.argv[10])
    data = {
        'company': secdoCompany,
        'apikey': secdoKey,
        'agent_ip': alertAgentIP,
        'timestamp': alertTime,
        'event_id': alertEventId,
        'vendor': alertVendor,
        'product': alertProduct,
        'file_path': alertFilePath,
        'type': alertType,
        'severity': alertSeverity
    }
else:
    # handles network-related alerts
    alertSourceAddress = str(sys.argv[9])
    alertSourcePort = str(sys.argv[10])
    alertDestinationAddress = str(sys.argv[11])
    alertDestinationPort = str(sys.argv[12])
    data = {
        'company': secdoCompany,
        'apikey': secdoKey,
        'timestamp': alertTime,
        'vendor': alertVendor,
        'product': alertProduct,
        'source_port': alertSourcePort,
        'destination_ip': alertDestinationAddress,
        'source_ip': alertSourceAddress,
        'destination_port': alertDestinationPort,
        'type': alertType,
        'severity': alertSeverity,
        'event_id': alertEventId
    }

print(data)  # prints the parsed data that is sent to SECDO as JSON

start_time = datetime.datetime.now()
req = request.Request('https://cloud1.us.secdo.net/publicapi/v2/enrich_with_secdo/')
req.add_header('Content-Type', 'application/json')
response = request.urlopen(req, json.dumps(data).encode('utf-8'))
print(response.status)  # should return 200
res = json.loads(response.read().decode('utf-8'))
end_time = datetime.datetime.now()
pprint(res)  # should return True
print('Request took', end_time - start_time)

###########################################################
# Examples of calling the .py file using the Windows command line
###########################################################
# C:\Users\or\Desktop\secdo_api.py OutgoingConnectionEvent 1497457869000 "Check Point" "FireWall-1 GX" 11111212 LOW b9cbe23a2c0acaa61c40abef3c792a83f302adb15649fe19bf73402e253dfd16 secdo 10.212.134.102 2375 54.230.46.82 443
###########################################################
# C:\Users\or\Desktop\secdo_api.py SuspiciousFileEvent 1497457869000 "McAfee" "ePO" 1121 HIGH b9cbe23a2c0acaa61c40abef3c792a83f302adb15649fe19bf73402e253dfd16 secdo 10.212.134.102 "c:\users\or\appdata\local\slack\app-2.6.3\slack.exe"
###########################################################
Querying SECDO via URL
You can take advantage of SECDO’s amazing investigation capabilities via URL queries. Here’s how.
URL Parameters
To query SECDO via URL, you build a query like this:
http://secdo-server/#/investigationNG/builder?entity={entity}&action={action1,action2}&attr={attr_name:attr_value,attr_name2:attr_value2}
| Entity | Action | Attribute | Value |
|---|---|---|---|
| Process | run | file_name | free text |
| | parent | file_path | free text |
| | child | process_hash | free text |
| | injection | pid | free text |
| | injector | thread_id | free text |
| | | username | free text |
| | | cmd | free text |
| | | CGN | free text |
| | | signed | 0 (signed), 1 (unsigned), 2 (invalid signature) |
| | | instanceId | free text |
| Registry | exists | key_name | free text |
| | write_registry | key_value | free text |
| | rename_registry | thread_id | free text |
| | delete_registry | instanceId | free text |
| File | exists | file_name | free text |
| | create_file | file_path | free text |
| | write_file | file_hash | free text |
| | read_file | old_file_path | free text |
| | delete_file | thread_id | free text |
| | rename_file | instanceId | free text |
| Network | outgoing_network | remote_ip | free text |
| | incoming_network | remote_port | free text |
| | failed_network | remote_host | free text |
| | | country | free text |
| | | access_type | tcp / udp |
| | | local_ip | free text |
| | | local_port | free text |
| | | thread_id | free text |
| | | instanceId | free text |
| Host | | host_name | free text |
| | | host_ip | free text |
For each entity, the Action and Attribute columns are independent lists: any combination of that entity's actions can be given in the action parameter, and any of its attributes in the attr parameter.
General Query Examples
Here are some examples that show how to query about a network event and a process event.
Query SECDO about a network event
Build this URL:
https://secdo-server/#/investigationNG/builder?entity=network&action=outgoing_network,incoming_network,failed_network&attr=remote_ip:8.8.8.8|8.8.4.4
The URL query is the equivalent of this internal SECDO query:

Query SECDO about a process event
Build this URL:
https://secdo-server/#/investigationNG/builder?entity=process&action=run&attr=file_name:powershell.exe,cmd:*download*|*encoded*
The URL query is the equivalent of this internal SECDO query:
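The two URLs above are hand-written; when a SIEM or ticketing tool generates them from event fields, a typo in an action name or an attribute that does not belong to the entity produces a silently empty investigation. The following Python example is added here and is not SECDO's own code: it puts the URL Parameters table into a lookup structure and builds a query URL only after checking the entity, its actions, its attributes and the fixed-choice values (signed, access_type) against that table. The entity, action and attribute names and the URL layout come from this document; URL_ENTITIES, FIXED_VALUES and build_query_url are names chosen for this example. Values are emitted un-encoded, exactly as the document's examples show them.

```python
# Added example: build SECDO investigationNG query URLs from the parameter
# table in this document and check them before use. Not SECDO's own code;
# URL_ENTITIES, FIXED_VALUES and build_query_url are names chosen here.

# Entity -> valid actions and attributes, transcribed from the URL Parameters table.
URL_ENTITIES = {
    "process": {
        "actions": {"run", "parent", "child", "injection", "injector"},
        "attrs": {"file_name", "file_path", "process_hash", "pid", "thread_id",
                  "username", "cmd", "CGN", "signed", "instanceId"},
    },
    "registry": {
        "actions": {"exists", "write_registry", "rename_registry", "delete_registry"},
        "attrs": {"key_name", "key_value", "thread_id", "instanceId"},
    },
    "file": {
        "actions": {"exists", "create_file", "write_file", "read_file",
                    "delete_file", "rename_file"},
        "attrs": {"file_name", "file_path", "file_hash", "old_file_path",
                  "thread_id", "instanceId"},
    },
    "network": {
        "actions": {"outgoing_network", "incoming_network", "failed_network"},
        "attrs": {"remote_ip", "remote_port", "remote_host", "country", "access_type",
                  "local_ip", "local_port", "thread_id", "instanceId"},
    },
    # Host has attributes only; the table lists no action for it.
    "host": {"actions": set(), "attrs": {"host_name", "host_ip"}},
}

# Attributes whose values are fixed choices rather than free text.
FIXED_VALUES = {
    "signed": {"0", "1", "2"},        # 0 signed, 1 unsigned, 2 invalid signature
    "access_type": {"tcp", "udp"},
}


def build_query_url(server, entity, actions=(), attrs=None):
    """Return a query-builder URL in the form shown in this document.

    `actions` is an iterable of action names for the entity; `attrs` maps an
    attribute name to one value or to a list of alternatives, which are joined
    with '|' as the remote_ip and cmd examples do. Because the attr parameter
    separates attributes with ',', a value may not itself contain a comma.
    """
    entity = entity.lower()
    if entity not in URL_ENTITIES:
        raise ValueError("unknown entity %r" % entity)
    spec = URL_ENTITIES[entity]

    actions = list(actions)
    bad_actions = [a for a in actions if a not in spec["actions"]]
    if bad_actions:
        raise ValueError("action(s) not valid for %s: %s" % (entity, ", ".join(bad_actions)))

    attr_parts = []
    for name, value in (attrs or {}).items():
        if name not in spec["attrs"]:
            raise ValueError("attribute %s is not valid for %s" % (name, entity))
        raw = value if isinstance(value, (list, tuple)) else [value]
        alternatives = [str(v) for v in raw]
        for alt in alternatives:
            if "," in alt:
                raise ValueError("value %r contains the ',' attribute separator" % alt)
            if name in FIXED_VALUES and alt not in FIXED_VALUES[name]:
                raise ValueError("%s must be one of %s" % (name, sorted(FIXED_VALUES[name])))
        attr_parts.append("%s:%s" % (name, "|".join(alternatives)))

    query = ["entity=" + entity]
    if actions:
        query.append("action=" + ",".join(actions))
    if attr_parts:
        query.append("attr=" + ",".join(attr_parts))
    return "https://%s/#/investigationNG/builder?%s" % (server, "&".join(query))


if __name__ == "__main__":
    # Reproduces the network example from this document.
    print(build_query_url("secdo-server", "network",
                          ["outgoing_network", "incoming_network", "failed_network"],
                          {"remote_ip": ["8.8.8.8", "8.8.4.4"]}))
    # A SIEM placeholder such as ArcSight's $selectedCell passes through untouched.
    print(build_query_url("100.64.64.62", "network",
                          ["outgoing_network", "incoming_network", "failed_network"],
                          {"remote_ip": "$selectedCell"}))
```

Passing a tool's cell variable (for instance ArcSight's $selectedCell) as the attribute value yields the template string a local-command integration needs, while still catching a misspelled action before the template is saved into the console.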
ArcSight Query Example
Some 3rd-party systems enable you to build the SECDO URL query internally. Here is how ArcSight does it.
- Log in to the Java console
- Click on 'Tools' → 'Local Commands' → 'Configure'
- Click on 'New...'
- Give the command a name.
- In the program field, write "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" (include the quotation marks).
- Under 'Program Parameters', write the URL for SECDO along with the full URL query (with quotation marks). At the end, use a variable to take the value from the cell the user clicks on:
"https://100.64.64.62/#/investigationNG/builder?entity=network&action=outgoing_network,incoming_network,failed_network&attr=remote_ip:$selectedCell"
- Click 'OK'.
- Right-click on any field in ArcSight that contains an IP → 'Tools' → the name of the command created.
- A new tab in Chrome will open with the SECDO query builder already filled in with the relevant data.