WithSecure
Interact with WithSecure Elements
Configuration
| Name | Type | Description |
|---|---|---|
client_id |
string |
Client identifier |
secret |
string |
API secret to authenticate |
Triggers
Fetch security events
Get last security events
Arguments
| Name | Type | Description |
|---|---|---|
intake_server |
string |
Server of the intake server (e.g. 'https://intake.sekoia.io') |
intake_key |
string |
Intake key to use when sending events |
Actions
Add comment on Incident
Add comment on Incident.
Arguments
| Name | Type | Description |
|---|---|---|
target |
string |
Incident identifier to comment. |
comment |
string |
Comment. |
Isolate Device From Network
Isolate a device from network connections.
Arguments
| Name | Type | Description |
|---|---|---|
target |
string |
Device identifier of the computer to isolate. |
message |
string |
Optional message that is displayed on isolated device. |
List Detections For Incident
List Detections For Incident.
Arguments
| Name | Type | Description |
|---|---|---|
target |
string |
Incident identifier to list detections. |
List devices
Retrieves devices details.
Arguments
| Name | Type | Description |
|---|---|---|
organization_id |
string |
UUID of an organization. If organizationId is missing, default organization of authenticated client is used. |
Outputs
| Name | Type | Description |
|---|---|---|
devices |
array |
Release Device From Network Isolation
Release a device from network isolation.
Arguments
| Name | Type | Description |
|---|---|---|
target |
string |
Device identifier of the computer to release. |
Scan Device For Malware
Scan Device For Malware.
Arguments
| Name | Type | Description |
|---|---|---|
target |
string |
Device identifier to scan for malware. |
Update status on Incident
Update status on Incident.
Arguments
| Name | Type | Description |
|---|---|---|
target |
string |
Incident identifier to comment. |
status |
string |
Status. |
resolution |
string |
Resolution. |
Enumerate processes
Enumerate running processes.
| Name | Type | Description |
|---|---|---|
target |
string |
Device identifier on which action is created. |
organization_id |
string |
UUID of an organization. |
Kill Thread
Kill thread.
| Name | Type | Description |
|---|---|---|
target |
string |
Device identifier on which action is created. |
organization_id |
string |
UUID of an organization. |
thread_id |
integer |
ID of a Thread to kill. |
Kill Process
Kill processes matching patterns.
| Name | Type | Description |
|---|---|---|
target |
string |
Device identifier on which action is created. |
organization_id |
string |
UUID of an organization. |
match |
string |
Strategy used to match processes ( processId,processName,processNameRegex,processPath,processPathRegex) |
process_match_values |
array |
List of values that are used to match process to kill. Depending on selected strategy it might be list of identifiers, names or regular expressions. Up to 6 elements. |
process_memory_dump |
boolean |
Whether to run memory dump on process before killing it. Memory dump can be run only if processName or processId strategy is used |
memory_dump_flag |
string |
Memory dump flag (full - memory dump includes all accessible memory of process, pmem - only information necessary to capture process' stack traces) |
Extra
Module WithSecure v2.14.0