#### Get Agent, Switches and Events from your Sepio Prime #### This integration was integrated and tested with version 20.07.22.0958 of Sepio Prime ## Configure Sepio in Cortex | **Parameter** | **Description** | **Required** | | --- | --- | --- | | url | Server URL \(e.g. https://sepio\-prime.com\) | True | | credentials | Username | True | | isFetch | Fetch incidents | False | | incidentType | Incident type | False | | insecure | Trust any certificate \(not secure\) | False | | proxy | Use system proxy settings | False | | fetch_time | Initial time to start fetching incidents. In days. | True | | min_severity | Alert severity to retrieve. Values are: Warning, Error, Critical | False | | category | Alert category to retrieve. Values are:USB, Network | True | | max_alerts | Maximum number of alerts to fetch at a time | False | ## Commands You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. For the commands sepio-set-agent-mode, sepio-set-peripherals-mode you need user with Manager profile, other commands need user with User profile. ### sepio-query-agents *** Get Agents #### Base Command `sepio-query-agents` #### Input | **Argument Name** | **Description** | **Required** | | --- | --- | --- | | host_identifier | Filter results based on Host Identifier. | Optional | | ip_address | Filter results based on IP Address. | Optional | | uuid | Filter results based on Agent’s UUID. | Optional | | has_unapproved_peripherals | Filter only agents that have unapproved peripherals that are attached. | Optional | | has_vulnerable_peripherals | Filter only agents that have vulnerable peripherals that are attached. | Optional | | has_known_attack_tools | Filter only agents that have identified attack tools that attached. | Optional | | limit | Maximum number of Agent entries to return. | Optional | #### Context Output | **Path** | **Type** | **Description** | | --- | --- | --- | | Sepio.Agent.HostIdentifier | string | Sepio Agent’s instance assigned textual name. usually derived from the HOST name of the workstation. This is not a unique identifier of the Sepio Agent’s instance. | | Sepio.Agent.IpAddress | string | Sepio Agent IP Address. | | Sepio.Agent.UUID | string | Sepio Agent’s instance unique identifier. | | Sepio.Agent.OsVersion | string | Version of the Operation System of the host running Sepio Agent. | | Sepio.Agent.HardwareModel | string | The hardware model of the host running Sepio Agent. | | Sepio.Agent.NicInfo | string | A list of the network interfaces of the host running Sepio Agent. | | Sepio.Agent.LastUpdate | date | Last update time. Format YYYY\-MM\-DDThh:mm:ss.sTZD | | Sepio.Agent.Status | string | Current status of Sepio Agent. | | Sepio.Agent.HasUnapprovedPeripherals | boolean | True if the Agent has at least one approved peripheral device that is attached. | | Sepio.Agent.HasVulnerablePeripherals | boolean | True if the Agent has at least one vulnerable peripheral that is attached. | | Sepio.Agent.HasKnownAttackTools | boolean | True if the Agent has at least one peripheral that is identified as a known attack tool. | | Sepio.Agent.LastConfiguration | date | Last configuration time. Format YYYY\-MM\-DDThh:mm:ss.sTZD | | Sepio.Agent.Version | string | Version of Sepio Agent. | | Sepio.Agent.License | string | Agent’s license status \(Pending/Expired/Invalid/Activated\). | #### Command Example ```!sepio-query-agents uuid=BFEBFBFF000806EAL1HF8C4003Z ip_address=192.168.10.107 host_identifier=DESKTOP-ANTONY has_known_attack_tools=False has_unapproved_peripherals=False has_vulnerable_peripherals=False limit=1000``` #### Context Example ``` { "Sepio": { "Agent": { "HardwareModel": "LENOVO 20KS0039IV||2||", "HasKnownAttackTools": false, "HasUnapprovedPeripherals": false, "HasVulnerablePeripherals": false, "HostIdentifier": "DESKTOP-ANTONY", "IpAddress": "192.168.10.107", "LastConfiguration": "2020-07-21T17:56:52.75193", "LastUpdate": "2020-07-21T17:56:52.751994", "License": "Activated", "NicInfo": [ "E8:6A:64:72:C2:BF||Realtek||Realtek PCIe GbE Family Controller", "A0:A4:C5:14:DA:CF||Intel Corporation||Intel(R) Dual Band Wireless-AC 3165" ], "OsVersion": "Windows 10 Pro 64-bit", "Status": "Free", "UUID": "BFEBFBFF000806EAL1HF8C4003Z", "Version": "3.0.18.0" } } } ``` #### Human Readable Output >### Agents > >|UUID|IpAddress|HostIdentifier|HasUnapprovedPeripherals|HasVulnerablePeripherals|HasKnownAttackTools| >|---|---|---|---|---|---| >| BFEBFBFF000806EAL1HF8C4003Z | 192.168.10.107 | DESKTOP-ANTONY | false | false | false | ### sepio-query-peripherals *** Get Peripherals #### Base Command `sepio-query-peripherals` #### Input | **Argument Name** | **Description** | **Required** | | --- | --- | --- | | host_identifier | Filter results based on Host Identifier. | Optional | | host_uuid | Filter results based on the UUID of the Agent. | Optional | | vendor_name | Filter peripheral devices that contain a certain textual name (partial or full, "contains") in the vendor name. | Optional | | product_name | Filter peripheral devices that contain a certain textual name (partial or full, "contains") in the product name. | Optional | | serial_number | Filter peripheral devices that contain a certain text value (partial or full, "contains") in the serial number. | Optional | | is_unapproved_peripheral | Filter only unapproved peripheral devices that are attached. | Optional | | is_vulnerable_peripheral | Filter only vulnerable peripheral devices that are attached. | Optional | | is_known_attack_tool | Filter only peripheral devices that are identified as known attack tools. | Optional | | limit | Maximum number of peripheral device entries to return. | Optional | #### Context Output | **Path** | **Type** | **Description** | | --- | --- | --- | | Sepio.Peripheral.HostIdentifier | string | Sepio Agent’s instance assigned textual name. usually derived from the HOST name of the workstation. This is not a unique identifier of the Sepio Agent’s instance. | | Sepio.Peripheral.HostUUID | string | Sepio Agent’s instance unique identifier. | | Sepio.Peripheral.DeviceID | string | Sepio device unique identifier. | | Sepio.Peripheral.DeviceIcon | string | Indication of the device type. | | Sepio.Peripheral.DeviceType | string | Textual text indication of the device type. | | Sepio.Peripheral.VID | string | Peripheral device VendorID. | | Sepio.Peripheral.VendorName | string | Peripheral device vendor Name. | | Sepio.Peripheral.PID | string | Peripheral device ProductID. | | Sepio.Peripheral.ProductName | string | Peripheral device product Name. | | Sepio.Peripheral.SerialNumber | string | Peripheral device serial number \(when applicable\). | | Sepio.Peripheral.Status | string | Current status of the peripheral device. | | Sepio.Peripheral.IsUnapprovedPeripheral | boolean | True if the Agent has at least one unapproved peripheral device that is attached. | | Sepio.Peripheral.IsVulnerablePeripheral | boolean | True if the Agent has at least one vulnerable peripheral that is attached. | | Sepio.Peripheral.IsKnownAttackTool | boolean | True if the Agent has at least one peripheral that is identified as a known attack tool. | #### Command Example ```!sepio-query-peripherals host_uuid=BFEBFBFF000806EAL1HF8C4003Z vendor_name="Logitech, Inc." product_name="Keyboard K120" limit=20``` #### Context Example ``` { "Sepio": { "Peripheral": [ { "DeviceID": "USB\\VID_046D&PID_C31C\\5&20DBD6CE&0&1", "DeviceIcon": 0, "DeviceType": "NO_DEV", "HostIdentifier": "DESKTOP-ANTONY", "HostUUID": "BFEBFBFF000806EAL1HF8C4003Z", "IsKnownAttackTool": false, "IsUnapprovedPeripheral": false, "IsVulnerablePeripheral": false, "PID": "C31C", "ProductName": "Keyboard K120", "SerialNumber": null, "Status": "OK", "VID": "046D", "VendorName": "Logitech, Inc." }, { "DeviceID": "USB\\VID_046D&PID_C31C&MI_00\\6&284FE535&0&0000", "DeviceIcon": 1, "DeviceType": "Keyboard", "HostIdentifier": "DESKTOP-ANTONY", "HostUUID": "BFEBFBFF000806EAL1HF8C4003Z", "IsKnownAttackTool": false, "IsUnapprovedPeripheral": false, "IsVulnerablePeripheral": false, "PID": "C31C", "ProductName": "Keyboard K120", "SerialNumber": null, "Status": "OK", "VID": "046D", "VendorName": "Logitech, Inc." }, { "DeviceID": "USB\\VID_046D&PID_C31C&MI_01\\6&284FE535&0&0001", "DeviceIcon": 14, "DeviceType": "HID", "HostIdentifier": "DESKTOP-ANTONY", "HostUUID": "BFEBFBFF000806EAL1HF8C4003Z", "IsKnownAttackTool": false, "IsUnapprovedPeripheral": false, "IsVulnerablePeripheral": false, "PID": "C31C", "ProductName": "Keyboard K120", "SerialNumber": null, "Status": "OK", "VID": "046D", "VendorName": "Logitech, Inc." } ] } } ``` #### Human Readable Output >### Peripherals > >|HostUUID|DeviceID|Status|IsUnapprovedPeripheral|IsVulnerablePeripheral|IsKnownAttackTool| >|---|---|---|---|---|---| >| BFEBFBFF000806EAL1HF8C4003Z | USB\VID_046D&PID_C31C\5&20DBD6CE&0&1 | OK | false | false | false | >| BFEBFBFF000806EAL1HF8C4003Z | USB\VID_046D&PID_C31C&MI_00\6&284FE535&0&0000 | OK | false | false | false | >| BFEBFBFF000806EAL1HF8C4003Z | USB\VID_046D&PID_C31C&MI_01\6&284FE535&0&0001 | OK | false | false | false | ### sepio-query-switches *** Get Switches #### Base Command `sepio-query-switches` #### Input | **Argument Name** | **Description** | **Required** | | --- | --- | --- | | ip_address | Filter results based on IP Address. | Optional | | switch_name | Filter results based on switch name. | Optional | | model | Filter only switches that are of the specified model (partial or full, "begins with"). | Optional | | ios_version | Filter only switches that run a certain iosVersion (partial or full, "contains"). | Optional | | is_alarmed | Filter only switches that are alarmed. | Optional | | limit | Maximum number of switch entries to return. | Optional | #### Context Output | **Path** | **Type** | **Description** | | --- | --- | --- | | Sepio.Switch.SwitchID | string | Switch unique identifier. | | Sepio.Switch.IpAddress | string | IP Address of the switch. | | Sepio.Switch.Name | string | Assigned name of the switch. | | Sepio.Switch.Model | string | The specific switch model. | | Sepio.Switch.IosVersion | string | The IOS version the switch is running. | | Sepio.Switch.LastUpdate | string | Last update time. Format yyyy\-MM\-dd hh:ss:mm. | | Sepio.Switch.NumberOfPorts | number | The total number of switch ports. | | Sepio.Switch.Status | string | Current status of the switch port. | | Sepio.Switch.IsAlarmed | boolean | True if the switch port is alarmed. | #### Command Example ```!sepio-query-switches switch_name=sepio2960g ios_version=12.2(52)SE ip_address=192.168.100.25 model=WS-C2960G-24TC-L``` #### Context Example ``` { "Sepio": { "Switch": { "IosVersion": "12.2(52)SE", "IpAddress": "192.168.100.25", "IsAlarmed": false, "LastUpdate": "07/21/2020 17:34:26", "Model": "WS-C2960G-24TC-L", "Name": "sepio2960g", "NumberOfPorts": 24, "Status": "Normal", "SwitchID": "DC:7B:94:96:17:80_FOC1428V67S" } } } ``` #### Human Readable Output >### Switches > >|SwitchID|Status|IsAlarmed| >|---|---|---| >| DC:7B:94:96:17:80_FOC1428V67S | Normal | false | ### sepio-query-switch-ports *** Get Switch Ports #### Base Command `sepio-query-switch-ports` #### Input | **Argument Name** | **Description** | **Required** | | --- | --- | --- | | switch_ip_address | Filter results based on switch IP Address. | Optional | | switch_name | Filter results based on switch name. | Optional | | port_id | Filter results based on port id. | Optional | | port_name | Filter results based on port name. | Optional | | link_partner_data_contains | Filter only switch ports that contain the specified address (partial or full, "contains"). | Optional | | is_alarmed | Filter only switch ports that are alarmed. | Optional | | limit | Maximum number of switch port entries to return. | Optional | #### Context Output | **Path** | **Type** | **Description** | | --- | --- | --- | | Sepio.Port.SwitchID | string | Port Switch unique identifier. | | Sepio.Port.SwitchIpAddress | string | IP Address of the switch. | | Sepio.Port.SwitchName | string | Assigned name of the switch. | | Sepio.Port.PortID | string | Port unique identifier inside the switch. | | Sepio.Port.Name | string | Assigned name of the switch port. | | Sepio.Port.LastUpdate | string | Last update time. | | Sepio.Port.NumberOfMacAddresses | number | The number of MAC addresses detected on the switch port. | | Sepio.Port.LinkPartners | string | List of the MAC addresses detected on the switch port \(limited to maximum of 10\) | | Sepio.Port.Status | string | Current status of the switch port. | | Sepio.Port.IsAlarmed | boolean | True if the switch port is alarmed. | | Sepio.Port.AlarmInfo | string | Details about the cause of alarm \(only if alarmed\). | #### Command Example ```!sepio-query-switch-ports switch_name=sepio2960g switch_ip_address=192.168.100.25 port_id=Gi0/17 link_partner_data_contains=042AE2D31AC0,04D590D51701``` #### Context Example ``` { "Sepio": { "Port": { "AlarmInfo": "", "IsAlarmed": false, "LastUpdate": "2020-07-21T17:34:12.396607", "LinkPartners": [ "0004F24ADCC5", "042AE2D31AC0", "04D590D51701" ], "Name": "HondaCB500X", "NumberOfMacAddresses": 4, "PortID": "Gi0/17", "Status": "connected", "SwitchID": "DC:7B:94:96:17:80_FOC1428V67S", "SwitchIpAddress": "192.168.100.25", "SwitchName": "sepio2960g" } } } ``` #### Human Readable Output >### Ports > >|SwitchID|PortID|Status|IsAlarmed|AlarmInfo| >|---|---|---|---|---| >| DC:7B:94:96:17:80_FOC1428V67S | Gi0/17 | connected | false | | ### sepio-query-system-events *** Get Events #### Base Command `sepio-query-system-events` #### Input | **Argument Name** | **Description** | **Required** | | --- | --- | --- | | start_datetime | Filter results based on event timestamp. | Optional | | end_datetime | Filter results based on event timestamp. | Optional | | min_severity | Filter only events of specific or higher severity than (>=). | Optional | | category | Filter results based on event category. | Optional | | source | Filter results based on source entity of the event (partial or full, "contains"). | Optional | | peripheral_type | Filter only events (in the case of Peripheral events) that match a certain peripheral type. can contain multiple peripheral types separated with comma, i.e '1,2,3,4' or single type, i.e '1' | Optional | | limit | Maximum number of event entries to return. | Optional | #### Context Output | **Path** | **Type** | **Description** | | --- | --- | --- | | Sepio.Event.CreationDatetime | string | Timestamp of the event. | | Sepio.Event.Severity | string | Severity level of the event. | | Sepio.Event.Category | string | Category of the event. | | Sepio.Event.Source | string | Source entity. | | Sepio.Event.Description | string | Event Description. | | Sepio.Event.PeripheralType | string | Type of peripheral device \(in the case of Peripheral Security events\). | | Sepio.Event.Details | string | Additional details that contain textual description of the event. | #### Command Example ```!sepio-query-system-events start_datetime=2020-07-16T16:50:00Z end_datetime=2020-07-21T11:02:00Z min_severity=Warning peripheral_type=1,2,3,4``` #### Context Example ``` { "Sepio": { "Event": [ { "Category": "USB", "CreationDatetime": "2020-07-16T16:53:29.240559", "Description": "New USB peripheral detected", "Details": "[Agent] Vulnerable Device VID/PID are 046D/C534 (Logitech, Inc. Unifying Receiver 00)", "EventID": 1067, "PeripheralType": "1", "Severity": "Warning", "Source": "DESKTOP-ANTONY (192.168.10.107)" }, { "Category": "USB", "CreationDatetime": "2020-07-16T16:53:29.240606", "Description": "New USB peripheral detected", "Details": "[Agent] Vulnerable Device VID/PID are 046D/C534 (Logitech, Inc. Unifying Receiver 01)", "EventID": 1068, "PeripheralType": "2", "Severity": "Warning", "Source": "DESKTOP-ANTONY (192.168.10.107)" } ] } } ``` #### Human Readable Output >### Events > >|EventID|CreationDatetime|Category|Source|Description| >|---|---|---|---|---| >| 1067 | 2020-07-16T16:53:29.240559 | USB | DESKTOP-ANTONY (192.168.10.107) | New USB peripheral detected | >| 1068 | 2020-07-16T16:53:29.240606 | USB | DESKTOP-ANTONY (192.168.10.107) | New USB peripheral detected | ### sepio-set-agent-mode *** Set Agent Mode #### Base Command `sepio-set-agent-mode` #### Input | **Argument Name** | **Description** | **Required** | | --- | --- | --- | | uuid | UUID of the Agent to set. | Optional | | host_identifier | Host identifier of the Agent to set. | Optional | | ip_address | IP Address of the Agent to set. | Optional | | mode | New mode to apply – "Free" or "Armed". | Required | #### Context Output There is no context output for this command. #### Command Example ```!sepio-set-agent-mode mode=Free uuid=BFEBFBFF000806EAL1HF8C4003Z``` #### Human Readable Output >Agent ['BFEBFBFF000806EAL1HF8C4003Z'] mode has been changed successfully to 'Free' ### sepio-set-peripherals-mode *** Set Agent Peripherals Mode #### Base Command `sepio-set-peripherals-mode` #### Input | **Argument Name** | **Description** | **Required** | | --- | --- | --- | | uuid | UUID of the Agent to set. | Optional | | host_identifier | Host identifier of the Agent to set. | Optional | | ip_address | IP Address of the Agent to set. | Optional | | vid | VendorID of the peripheral to set. | Required | | pid | ProductID of the peripheral to set. | Required | | mode | New mode to apply – "Approve" or "Disapprove". | Required | #### Context Output There is no context output for this command. #### Command Example ```!sepio-set-peripherals-mode mode=Approve uuid=BFEBFBFF000806EAL1HF8C4003Z vid=046D pid=C31C``` #### Human Readable Output >Peripherals of ['BFEBFBFF000806EAL1HF8C4003Z'] with vid '046D' and pid 'C31C' mode changed successfully to 'Approve'