XSOAR Content Pack Updates - Axonius Integration Version 1.0.5

Hey everybody, we recently added some additional commands to the Axonius integration within XSOAR. I thought it would be a good idea to review these new additions as well as the existing capabilities in XSOAR. From there, we’ll review some potential use cases you can tie into your playbooks today and some of our plans for the future. Let’s begin.

Existing Features

Before version 1.0.5, we could search Axonius for devices and users based on some of their identifying attributes (email, username, hostname, IP, MAC) or by saved queries. Because we already have many robust ways to enrich incidents in XSOAR with data from Axonius, we went out to build additional capabilities to feed data back into Axonius.

What’s New?

There are four new commands available in XSOAR

  • !axonius-get-tags
    • Get all tags of a given asset type (Devices or Users)
  • !axonius-get-saved-queries
    • Get all saved queries of a given asset type (Devices or Users)
  • !axonius-add-tag
    • Add a tag to a list of devices or users
  • !axonius-remove-tag
    • Remove a tag from a list of devices or users

The team decided that adding and removing tags would be the best place to start for customers looking to write data back to Axonius. Along with that, we added the capability to return all existing saved queries and tags for devices and users, which could assist with grabbing a large amount of data from Axonius for further automation.

If you need help getting started with these commands let us know and we’ll be more than happy to help.

Use Cases

Enriching Incidents 

Rather than searching across disparate data sources with their unique data points, Axonius can complete one search and return data across all relevant tooling. Let’s imagine an IDS incident was created within XSOAR between two IPs in your internal network. We might want to search if Crowdstrike is installed on those particular IPs and if the device is connected to Active Directory. Rather than searching both CrowdStrike and AD, let’s just use Axonius!

!axonius-get-by-ip value=ip.address.goes.here

Now, to confirm if the device exists in CrowdStrike and AD, we’ll have to add some fields from those data sources. Let’s use the adapters’ IDs. We can use the query wizard to grab the names of our fields. From here, we can enter those fields into our command.

!axonius-get-devices-by-ip value=ip.address.goes.here fields=adapters_data.active_directory_adapter.id,adapters_data.crowd_strike_adapter.id

Now, if we wanted to confirm the device is within AD, we can check if the field we included in our results is defined. We will not return the field if that field contains no results for that particular asset. Within XSOAR playbooks, we can include the following conditional.

The command, Is Defined, was formerly known as Exists.

From there, XSOAR has the context needed to perform additional automated responses, such as disabling the account in AD, or containing the device in CrowdStrike and beginning a real-time response.

Flowing Back to Axonius

Once Assets in Axonius have been identified in an active incident in XSOAR, we can feed that information back to Axonius with a tag.

!axonius-add-tag ids=${Axonius.Devices.internal_axon_id} tag_name="Active Incident" type=devices

We can use this tag as a filter for a saved query to power dashboards for SOC analysts, reports for leadership, or enforcement center actions for additional follow-up or notifications to other parts of the organization. 

If a user falls victim to a phishing attack or fails to correctly identify a test phishing campaign, XSOAR can send a tag to the user account in Axonius where an enforcement center action will create a Jira ticket containing the list of users requiring additional training against phishing attacks.

These tags can be removed when the investigation is over, or at a later time. 

!axonius-remove-tag ids=${Axonius.Devices.internal_axon_id} tag_name="Active Incident" type=devices

Bulk Automation

XSOAR supports automation that can run scheduled without the need for an incident to occur within the environment. This can help complete regularly manual tasks in a no-code environment. Axonius can be a part of that scheduled automation by quickly returning a list of devices or users in a saved query. From there, XSOAR can run extremely granular actions on these assets in a way that the enforcement center might not be able to do today.

If there are any use cases you are solving with this workflow that you can’t with the Enforcement Center, let us know! We are constantly looking for ways to improve.

Looking Ahead

The team is continuing to iterate and add new features to our integration in XSOAR, and we have identified automatic indicator enrichment as a great way for customers to get immediate value out of the box. 

Indicators within XSOAR supply additional context to incidents and greatly assist in the remediation of incidents where they are present. The following are a few of the different types of indicators:

  • IP Address
  • Host
  • Email

Once indicators are detected in an incident, they can be enriched with a multitude of supporting scripts to provide additional context to analysts and drive further automated responses. Be on the lookout for our next release, in which we plan to provide automatic enrichment from Axonius on the indicators we have identified above. 

Are there any other features you would like to see in XSOAR? Again, let us know and we’ll do our best to bring those ideas to life!




Please sign in to leave a comment.

Didn't find what you were looking for?

New post