Integration with Pentera. This integration was integrated and tested with version 4.5.2 of Pentera
Integration Use Cases:
- Integrate PenTera’s Automated Penetration Testing findings within Cortex XSOAR for playbook-driven enrichment and response
- Address penetration testing findings, prioritize, and automate response tasks
- Leverage Cortex XSOAR’s third-party product integrations
Use Case #1: Automate Dynamic Vulnerability Alerts - Password Policy Challenge: Password policies are a continuous undertaking that organizations need to review regularly. Solution: With the Cortex XSOAR-PenTera integration, PenTera can continuously validate the effectiveness of enterprise passwords and take action on easily crackable passwords with focus on high privileged accounts. Once PenTera flags a password that doesn’t meet the standard, automated playbooks through Cortex XSOAR take action and remediate the vulnerability based on corporate policy.
Use Case #2: Automated real-time validation for critical vulnerabilities Challenge: Continuous security validation is critical for the ongoing cyber hygiene of an organization’s network. However, critical vulnerabilities require on-demand testing as they influence many components of the network. Security teams struggle with prioritizing remediation and understanding the true impact vulnerabilities have on their specific network. Solution: After running automated single-action tests for critical vulnerabilities, the Cortex XSOAR integration allows security teams to automate the response process based on the findings. For example, PenTera discovers the vulnerability of different components of the network, e.g a server or an endpoint. The latter is a simpler fix that should go through one workflow, perhaps even be automatically remediated, while the first, a much more complex process, will create a high-risk task in the relevant workflow, automatically prioritizing the response tasks based on business impact severity.
- Navigate to Settings > Integrations > Servers & Services.
- Search for Pentera.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g. https://192.168.64.128)
- Pentera API port
- TGT (The token from Pentera UI in Administration -> API Clients)
- Client Id
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- pentera-run-template-by-name
- pentera-get-task-run-status
- pentera-get-task-run-full-action-report
Run a specific template by its name. Please add the template name in the parameters
Operator and admin users
pentera-run-template-by-name
| Argument Name | Description | Required |
|---|---|---|
| template_name | The name of the template that you want to run | Required |
| Path | Type | Description |
|---|---|---|
| Pentera.TaskRun.TemplateName | String | Returns the name of the template |
| Pentera.TaskRun.ID | String | The task run id |
| Pentera.TaskRun.StartTime | Date | The date when the task run started |
| Pentera.TaskRun.EndTime | Date | The date when the task run ended |
| Pentera.TaskRun.Status | String | The status of the task run; e.g.: 'Running', 'Pending', 'Failed', 'Cleaning up', 'Canceled', 'Done', 'Warning', 'Aborted (exceeded max hosts limit)'. |
!pentera-run-template-by-name template_name="Test Template for Playbook"
{
"Pentera.TaskRun": {
"Status": "Running",
"TemplateName": "Test Template for Playbook",
"StartTime": 2020-02-13T19:32:45Z,
"EndTime": null,
"ID": "5e45883d1deb8eda82b1eed5"
}
}
| ID | StartTime | Status | TemplateName |
|---|---|---|---|
| 2020-02-13 17:32:45Z | 5e45883d1deb8eda82b1eed5 | '2020-02-13T17:32:45Z' | Running |
| Integration log: Full Integration Log: | |||
| Got command: pentera-run-template-by-name | |||
| result is JSON | |||
| Parsed JSON Response: {'ID': '5e45883d1deb8eda82b1eed5', 'TemplateName': 'Test Template for Playbook', 'StartTime': '2020-02-13T17:32:45Z', 'EndTime': None, 'Status': 'Running'} | |||
| Parsed JSON Response: {'ID': '5e45883d1deb8eda82b1eed5', 'TemplateName': 'Test Template for Playbook', 'StartTime': '2020-02-13T17:32:45Z', 'EndTime': None, 'Status': 'Running'} |
Get the status of a task run by its task run id
Operator and admin users
pentera-get-task-run-status
| Argument Name | Description | Required |
|---|---|---|
| task_run_id | The ID of the task run | Required |
| Path | Type | Description |
|---|---|---|
| Pentera.TaskRun.ID | String | The task run id |
| Pentera.TaskRun.TemplateName | String | Returns the name of the template |
| Pentera.TaskRun.StartTime | Date | The date when the task run started |
| Pentera.TaskRun.EndTime | Date | The date when the task run ended |
| Pentera.TaskRun.Status | String | The status of the task run; e.g.: 'Running', 'Pending', 'Failed', 'Cleaning up', 'Canceled', 'Done', 'Warning', 'Aborted (exceeded max hosts limit)'. |
{
"Pentera.TaskRun": {
"Status": "Done",
"TemplateName": "Test Template for Playbook",
"StartTime": "2020-02-13T17:10:58Z",
"EndTime": "2020-02-13T19:14:12Z",
"ID": "5e4583221deb8eda82b195c5"
}
}
| EndTime | ID | StartTime | Status | TemplateName |
|---|---|---|---|---|
| 2020-02-13 17:10:58Z | 1581614052321.0 | 5e4583221deb8eda82b195c5 | 1581613858961.0 | Done |
| Integration log: Full Integration Log: | ||||
| Got command: pentera-get-task-run-status | ||||
| result is JSON | ||||
| Parsed JSON Response: {'ID': '5e4583221deb8eda82b195c5', 'TemplateName': 'Test Template for Playbook', 'StartTime': '2020-02-13T17:10:58Z', 'EndTime': '2020-02-13T19:14:12Z', 'Status': 'Done'} |
Get the full action report of a task run
- Low: [0: 2.5)
- Medium: [2.5: 5)
- High: [5: 7.5)
- Critical: [7.5: 10]
In milliseconds
'Running', 'Pending', 'Failed', 'Cleaning up', 'Canceled', 'Done', 'Warning', 'Aborted (exceeded max hosts limit)'.
User view, operator and admin users
pentera-get-task-run-full-action-report
| Argument Name | Description | Required |
|---|---|---|
| task_run_id | The ID of the task run | Required |
| Path | Type | Description |
|---|---|---|
| Pentera.TaskRun.ID | String | The task run id |
| Pentera.TaskRun.TemplateName | String | Returns the name of the template |
| Pentera.TaskRun.StartTime | Date | The date when the task run started |
| Pentera.TaskRun.EndTime | Date | The date when the task run ended |
| Pentera.TaskRun.Status | String | The status of the task run; e.g.: 'Running', 'Pending', 'Failed', 'Cleaning up', 'Canceled', 'Done', 'Warning', 'Aborted (exceeded max hosts limit)'. |
| Pentera.TaskRun.FullActionReport | String | The full action report of the task run |
{
"Pentera.TaskRun": {
"FullActionReport": [
{
"Status": "no results",
"Severity": "",
"Parameters": "Host: 192.168.1.2",
"Time": "13/02/2020, 17:11:59",
"Duration": "31578",
"Operation Type": "BlueKeep (CVE-2019-0708) Vulnerability Discovery",
"Techniques": "Network Service Scanning(T1046)"
},
{
"Status": "no results",
"Severity": "",
"Parameters": "Host: 192.168.1.1",
"Time": "13/02/2020, 17:12:01",
"Duration": "31618",
"Operation Type": "BlueKeep (CVE-2019-0708) Vulnerability Discovery",
"Techniques": "Network Service Scanning(T1046)"
}
],
"ID": "5e4583221deb8eda82b195c5"
}
}
| Agent Name | Categories | Duration | Operation Type | Parameters | Severity | Status | Techniques | Time |
|---|---|---|---|---|---|---|---|---|
| default-node | Discovery, Reconnaissance | 31578 | BlueKeep (CVE-2019-0708) Vulnerability Discovery | Host: 192.168.1.2 | no results | Network Service Scanning(T1046) | 13/02/2020, 17:11:59 | |
| default-node | Discovery, Reconnaissance | 31618 | BlueKeep (CVE-2019-0708) Vulnerability Discovery | Host: 192.168.1.1 | no results | Network Service Scanning(T1046) | 13/02/2020, 17:12:01 | |
| Integration log: Full Integration Log: | ||||||||
| Got command: pentera-get-task-run-full-action-report | ||||||||
| result is TEXT |