diff --git a/LICENSE b/LICENSE index 2702b2c..be245e0 100644 --- a/LICENSE +++ b/LICENSE @@ -186,7 +186,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright (c) ThreatDown Nebula, 2019-2024 + Copyright (c) ThreatDown, 2019-2024 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -198,4 +198,4 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and - limitations under the License. + limitations under the License. \ No newline at end of file diff --git a/README.md b/README.md index e9adda7..2167f24 100644 --- a/README.md +++ b/README.md @@ -2,13 +2,13 @@ # ThreatDown Nebula Publisher: ThreatDown -Connector Version: 2\.0\.1 +Connector Version: 2.1.0 Product Vendor: ThreatDown Product Name: Malwarebytes Endpoint Protection -Product Version Supported (regex): "\.\*" -Minimum Product Version: 6\.1\.1 +Product Version Supported (regex): ".\*" +Minimum Product Version: 6.1.1 -This app integrates with the ThreatDown Nebula platform to perform prevention, detection, remediation, and forensics endpoint management tasks +This app integrates with the ThreatDown (powered by Malwarebytes) Nebula platform to perform prevention, detection, remediation, and forensics endpoint management tasks [comment]: # " File: README.md" [comment]: # " Copyright (c) ThreatDown, 2019-2024" 
@@ -26,14 +26,14 @@ This app integrates with the ThreatDown Nebula platform to perform prevention, d [comment]: # "" ## Authentication -The ThreatDown Nebula App uses the same Cloud console credential to authenticate and issue RESTful API +The ThreatDown App uses the same Cloud console credential to authenticate and issue RESTful API commands. [![](img/threatdown_login.png)](img/threatdown_login.png) ### Configuration Variables -The below configuration variables are required for this Connector to operate. These variables are specified when configuring a ThreatDown Endpoint Protection asset in SOAR. +The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Malwarebytes Endpoint Protection asset in SOAR. VARIABLE | REQUIRED | TYPE | DESCRIPTION -------- | -------- | ---- | ----------- @@ -78,15 +78,15 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **hostname** | required | Hostname of endpoint to scan and remediate | string | `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.status | string | -action\_result\.parameter\.hostname | string | `host name` -action\_result\.data | string | -action\_result\.summary | string | -action\_result\.message | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.hostname | string | `host name` | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | ## action: 'scan and report' Scan an endpoint and report threats found 
@@ -100,15 +100,15 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **hostname** | required | Hostname of endpoint to scan and report | string | `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.status | string | -action\_result\.parameter\.hostname | string | `host name` -action\_result\.data | string | -action\_result\.summary | string | -action\_result\.message | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.hostname | string | `host name` | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | ## action: 'isolate endpoint' When threats are found, isolate a network, process, or desktop endpoint 
@@ -122,15 +122,15 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **hostname** | required | Hostname of endpoint to isolate | string | `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.status | string | -action\_result\.parameter\.hostname | string | `host name` -action\_result\.data | string | -action\_result\.summary | string | -action\_result\.message | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.hostname | string | `host name` | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | ## action: 'isolate process' When threats are found, isolate a process endpoint @@ -144,15 +144,15 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **hostname** | required | Hostname of endpoint to isolate | string | `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.status | string | -action\_result\.parameter\.hostname | string | `host name` -action\_result\.data | string | -action\_result\.summary | string | -action\_result\.message | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.hostname | string | `host name` | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | ## action: 'isolate network' Network Isolation on an endpoint when threats are found 
@@ -166,15 +166,15 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **hostname** | required | Hostname of endpoint to isolate | string | `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.status | string | -action\_result\.parameter\.hostname | string | `host name` -action\_result\.data | string | -action\_result\.summary | string | -action\_result\.message | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.hostname | string | `host name` | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | ## action: 'isolate desktop' Desktop Isolation an endpoint when threats are found @@ -188,15 +188,15 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **hostname** | required | Hostname of endpoint to isolate | string | `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.status | string | -action\_result\.parameter\.hostname | string | `host name` -action\_result\.data | string | -action\_result\.summary | string | -action\_result\.message | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.hostname | string | `host name` | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | ## action: 'deisolate endpoint' Deisolate endpoint after threats are removed 
@@ -210,15 +210,15 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **hostname** | required | Hostname of endpoint to deisolate | string | `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.status | string | -action\_result\.parameter\.hostname | string | `host name` -action\_result\.data | string | -action\_result\.summary | string | -action\_result\.message | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.hostname | string | `host name` | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | +summary.total_objects_successful | numeric | | ## action: 'list endpoints' List all the endpoints/sensors configured on the device 
@@ -230,22 +230,22 @@ Read only: **True** No parameters are required for this action #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.status | string | -action\_result\.data\.\*\.machines\.\*\.created\_at | string | -action\_result\.data\.\*\.machines\.\*\.id | string | -action\_result\.data\.\*\.machines\.\*\.last\_seen\_at | string | -action\_result\.data\.\*\.machines\.\*\.name | string | -action\_result\.data\.\*\.machines\.\*\.online | boolean | -action\_result\.data\.\*\.machines\.\*\.os\_architecture | string | -action\_result\.data\.\*\.machines\.\*\.os\_platform | string | -action\_result\.data\.\*\.machines\.\*\.os\_release\_name | string | -action\_result\.data\.\*\.total\_count | numeric | -action\_result\.summary | string | -action\_result\.message | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.data.\*.machines.\*.created_at | string | | 2018-10-19T17:59:32.877626Z +action_result.data.\*.machines.\*.id | string | | 9c3999cb-bdd0-4b01-b7f3-42a2f17ec429 +action_result.data.\*.machines.\*.last_seen_at | string | | 2018-11-05T05:23:18.615218Z +action_result.data.\*.machines.\*.name | string | | test +action_result.data.\*.machines.\*.online | boolean | | True False +action_result.data.\*.machines.\*.os_architecture | string | | AMD64 +action_result.data.\*.machines.\*.os_platform | string | | WINDOWS +action_result.data.\*.machines.\*.os_release_name | string | | Microsoft Windows 10 Pro +action_result.data.\*.total_count | numeric | | 7 +action_result.summary | string | | +action_result.message | string | | +summary.total_objects | numeric | | 2 +summary.total_objects_successful | numeric | | 0 ## action: 'get endpoint info' Get information about an endpoint 
@@ -259,22 +259,22 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **hostname** | required | Hostname of the endpoint to get information | string | `host name` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.status | string | -action\_result\.parameter\.hostname | string | `host name` -action\_result\.data\.\*\.created\_at | string | -action\_result\.data\.\*\.id | string | -action\_result\.data\.\*\.last\_seen\_at | string | -action\_result\.data\.\*\.name | string | -action\_result\.data\.\*\.online | boolean | -action\_result\.data\.\*\.os\_architecture | string | -action\_result\.data\.\*\.os\_platform | string | -action\_result\.data\.\*\.os\_release\_name | string | -action\_result\.summary | string | -action\_result\.message | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.hostname | string | `host name` | test +action_result.data.\*.created_at | string | | 2019-05-01T22:03:31.019437Z +action_result.data.\*.id | string | | 6013e073d5a384b4bc1b494f9258a43a6af11a50 +action_result.data.\*.last_seen_at | string | | 2019-05-04T17:28:00.211005Z +action_result.data.\*.name | string | | WIN-V9TNRP1M0G4 +action_result.data.\*.online | boolean | | True False +action_result.data.\*.os_architecture | string | | AMD64 +action_result.data.\*.os_platform | string | | WINDOWS +action_result.data.\*.os_release_name | string | | Microsoft Windows 10 Pro +action_result.summary | string | | +action_result.message | string | | Message from action +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'get scan info' Get information about a scan job 
@@ -285,29 +285,29 @@ Read only: **True** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**scan\_id** | required | Scan ID for the job | string | `scan id` +**scan_id** | required | Scan ID for the job | string | `scan id` #### Action Output -DATA PATH | TYPE | CONTAINS ---------- | ---- | -------- -action\_result\.status | string | -action\_result\.parameter\.scan\_id | string | `scan id` -action\_result\.data\.\*\.deleted\_count | numeric | -action\_result\.data\.\*\.duration\_seconds | numeric | -action\_result\.data\.\*\.found\_count | numeric | -action\_result\.data\.\*\.from\_cloud | boolean | -action\_result\.data\.\*\.id | string | -action\_result\.data\.\*\.machine\_id | string | -action\_result\.data\.\*\.machine\_name | string | -action\_result\.data\.\*\.ondemand | boolean | -action\_result\.data\.\*\.os\_platform | string | -action\_result\.data\.\*\.quarantined\_count | numeric | -action\_result\.data\.\*\.reported\_at | string | -action\_result\.data\.\*\.scan\_type | string | -action\_result\.data\.\*\.started\_at | string | -action\_result\.data\.\*\.started\_at\_local | string | -action\_result\.data\.\*\.total\_count | numeric | -action\_result\.summary | string | -action\_result\.message | string | -summary\.total\_objects | numeric | -summary\.total\_objects\_successful | numeric | \ No newline at end of file +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | | success failed +action_result.parameter.scan_id | string | `scan id` | 0f03a753-553e-4dbd-a3d6-94b18a96799b +action_result.data.\*.deleted_count | numeric | | 0 +action_result.data.\*.duration_seconds | numeric | | 90 +action_result.data.\*.found_count | numeric | | 2 +action_result.data.\*.from_cloud | boolean | | True False +action_result.data.\*.id | string | | fd47c2e9-83a3-4675-bac4-0133ab3a4f65 +action_result.data.\*.machine_id 
| string | | ebc10d20-7a2e-4f69-8313-97a472bc712b +action_result.data.\*.machine_name | string | | test.domain.com +action_result.data.\*.ondemand | boolean | | True False +action_result.data.\*.os_platform | string | | WINDOWS +action_result.data.\*.quarantined_count | numeric | | 2 +action_result.data.\*.reported_at | string | | 2019-04-25T16:01:39.093722Z +action_result.data.\*.scan_type | string | | ThreatScan +action_result.data.\*.started_at | string | | 2019-04-25T16:01:01Z +action_result.data.\*.started_at_local | string | | 2019-04-25T09:01:01-07:00 +action_result.data.\*.total_count | numeric | | 2 +action_result.summary | string | | +action_result.message | string | | Message from action +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 \ No newline at end of file diff --git a/release_notes/2.1.0.md b/release_notes/2.1.0.md new file mode 100644 index 0000000..88e43ca --- /dev/null +++ b/release_notes/2.1.0.md @@ -0,0 +1 @@ +* Changed App name from 'Malwarebytes Cloud' to 'ThreatDown' \ No newline at end of file diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md index 393b076..fbcb2fd 100644 --- a/release_notes/unreleased.md +++ b/release_notes/unreleased.md @@ -1,2 +1 @@ **Unreleased** -* Changed App name from 'Malwarebytes Cloud' to 'ThreatDown' \ No newline at end of file
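Review bot: the second LICENSE hunk (`@@ -198,4 +198,4 @@`) strips the file's trailing newline; the only difference between the removed and added `limitations under the License.` lines is the missing terminator, hence the `\ No newline at end of file` marker. Restore the newline so that hunk disappears and the LICENSE change is just the copyright-holder edit in the first hunk.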
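Review bot: in the README header hunk (`@@ -2,13 +2,13 @@`) the bump from `2.0.1` to `2.1.0` is not explained anywhere in the patch; the only release note is the rename, which is not a functional change. Either state in `release_notes/2.1.0.md` what else changed (the new EXAMPLE VALUES columns would qualify) or bump the patch version instead. Also confirm that `Product Name: Malwarebytes Endpoint Protection` is intentionally kept while the description line and title move to ThreatDown, since that line is what SOAR users see when they pick the asset type.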
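Review bot: the Authentication hunk (`@@ -26,14 +26,14 @@`) should tell users to create a dedicated, least-privileged console account for the asset: the text says the app reuses "the same Cloud console credential" to issue REST API commands, and the actions documented further down (`isolate endpoint`, `isolate network`, `scan and remediate`) are destructive, so an analyst's personal console login stored in the SOAR asset becomes a shared, over-privileged secret. In the same hunk the asset wording flips from "ThreatDown Endpoint Protection asset" to "Malwarebytes Endpoint Protection asset", the opposite direction of the rename recorded in `release_notes/2.1.0.md`; if the SOAR product name really stays "Malwarebytes Endpoint Protection" (as the `Product Name` line suggests), say so once near the top instead of mixing the two names.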
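Review bot: the Action Output tables for `scan and remediate` (`@@ -78,15 +78,15 @@`) and `scan and report` (`@@ -100,15 +100,15 @@`) still document `action_result.data` as a bare `string` with empty CONTAINS and EXAMPLE VALUES cells, yet `get scan info` later in this README requires a `scan_id`. A playbook author cannot tell from these tables where that ID comes from; document the data path that carries the scan job identifier (and give it the `scan id` CONTAINS tag so it chains into `get scan info`), or state explicitly that these actions return no job identifier.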
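Review bot: in the six isolate/deisolate output hunks (`@@ -122,15` through `@@ -210,15`) the new EXAMPLE VALUES column carries only `success failed` for `action_result.status`; every other cell is blank, including `action_result.data`, so the column adds nothing for these actions. Either fill in what the isolation calls return in `data` and `message` or leave the three-column layout for these tables; as committed, readers get an empty column and no indication of how to confirm an endpoint is actually isolated.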
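Review bot: the `list endpoints` example values (`@@ -230,22 +230,22 @@`) show `summary.total_objects | 2` next to `summary.total_objects_successful | 0`, i.e. a run in which nothing succeeded, while the same table documents `success` as the status. Take the example from a successful run (the `get endpoint info` hunk uses `1` and `1`) so the sample is not read as the normal outcome. The unchanged description "List all the endpoints/sensors configured on the device" is also misleading, since the list comes from the Cloud console account, not from a device.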
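Review bot: the `get endpoint info` example values (`@@ -259,22 +259,22 @@`) are not from one record: the `hostname` parameter example is `test` but the returned `name` is `WIN-V9TNRP1M0G4`, and the `id` example `6013e073d5a384b4bc1b494f9258a43a6af11a50` is a 40-character hex string while every other machine identifier in this patch (`list endpoints` `id`, `get scan info` `machine_id`) is a UUID. Use a single endpoint for all rows and confirm which ID format the API actually returns, since playbooks that key on `id` will break if the format is wrong.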
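Review bot: the `get scan info` example values (`@@ -285,29 +285,29 @@`) contradict each other: `duration_seconds | 90` does not fit `started_at | 2019-04-25T16:01:01Z` and `reported_at | 2019-04-25T16:01:39.093722Z`, which are 38 seconds apart, and the `scan_id` parameter example `0f03a753-553e-4dbd-a3d6-94b18a96799b` differs from the returned `id` `fd47c2e9-83a3-4675-bac4-0133ab3a4f65`, although the response should describe the scan that was queried. Take all values from one scan record, and if duration can legitimately exceed the start-to-report gap, say what `reported_at` measures in the description.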
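Review bot: `release_notes/2.1.0.md` is added without a trailing newline (`\ No newline at end of file`), and its only entry, "Changed App name from 'Malwarebytes Cloud' to 'ThreatDown'", does not match the rest of the patch, where the README title is `ThreatDown Nebula` and the LICENSE hunk drops `Nebula` from the copyright holder. Add the newline and state the exact new app name as it appears in SOAR so the release note and the README agree.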