
MistNet

MistNet provides a machine learning (ML)-driven network threat detection and response solution and a built-in MITRE ATT&CK™ Engine that eliminates blind spots and monitors your organization’s network in real time.

Connecting MistNet with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for MistNet.

  3. Click Details, then the + icon, and enter the required information in the following fields:

     Label: Enter a connection name.

     Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

     Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate). Leave it enabled unless the MistNet endpoint's certificate is trusted by other means; an unverified TLS connection can be intercepted.

     Remote Agent: Run this integration using the Devo SOAR Remote Agent.

     Customer Name: Customer name used to access MistNet.

     Certificate: Upload the certificate used to access MistNet.

     Passphrase (Optional): Passphrase used to access MistNet.

  4. After you've entered all the details, click Connect.

Actions for MistNet

IOAs Search

Retrieve IOA objects.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Start Time | Jinja-templated text containing the start time, expressed as epoch milliseconds (default is the batch start time). Example: 1588676868908 | Optional |
| End Time | Jinja-templated text containing the end time, expressed as epoch milliseconds (default is the batch end time). Example: 1588676868908 | Optional |
| Query | Jinja-templated JSON object specifying which data to fetch for this search. Example: { "{{field_name_column1}}": "{{field_value_column1}}", "{{field_name_column2}}": "{{field_value_column2}}" } | Optional |
| Sort By | Jinja-templated text naming the fields the results are sorted by (default is timestamp). Note that the example is not a plain comma-separated list of names but a JSON array of field/order objects: [{"timestamp": {"order": "desc"}}, {"src": {"order": "{{column_value}}"}}] | Optional |
| Fields List | Jinja-templated, comma-separated list of fields to return for this search (default is all fields). Example: {{column_value1}}, {{column_value2}} | Optional |

Output

A JSON object containing the result rows:

  • has_error: True/False

  • error: message/null

  • result: IOA objects

``` {json}
{
  "result": {
    "took": 48,
    "timed_out": false,
    "_shards": { "total": 128, "successful": 128, "skipped": 0, "failed": 0 },
    "hits": {
      "total": 1,
      "max_score": null,
      "hits": [
        {
          "_index": "c-ioas",
          "_type": "doc",
          "_id": "258f-e19f-af87-c911cd",
          "_score": null,
          "_source": {
            "entry_source": "c-chicago-0-0",
            "entry_uuid": "2520f-e19f-af87-c912d1cd",
            "src": "11.78.77.0",
            "entry_origin": "Analysis Engine",
            "dest": "11.78.0.0",
            "entry_type": "Connection",
            "timestamp": 1615597364466
          },
          "sort": [ 1615597364466 ]
        }
      ]
    }
  },
  "error": null,
  "has_error": false
}
```

Raw Logs Search

Retrieve raw log objects.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Index | Jinja-templated text containing the index to search, usually a date such as 2021.03.03 (default is _). The value is appended to the requested URL as the index name (raw-logs-_ by default; compare the _index value in the output below). Example: '{{field_index_column}}' | Optional |
| Start Time | Jinja-templated text containing the start time, expressed as epoch milliseconds (default is the batch start time). Example: 1588676868908 | Optional |
| End Time | Jinja-templated text containing the end time, expressed as epoch milliseconds (default is the batch end time). Example: 1588676868908 | Optional |
| Query | Jinja-templated JSON object specifying which data to fetch for this search. Example: { "{{field_name_column1}}": "{{field_value_column1}}", "{{field_name_column2}}": "{{field_value_column2}}" } | Optional |
| Sort By | Jinja-templated text naming the fields the results are sorted by (default is timestamp). Note that the example is not a plain comma-separated list of names but a JSON array of field/order objects: [{"timestamp": {"order": "desc"}}, {"src": {"order": "{{column_value}}"}}] | Optional |
| Fields List | Jinja-templated, comma-separated list of fields to return for this search (default is all fields). Example: {{column_value1}}, {{column_value2}} | Optional |

Output

A JSON object containing the result rows:

  • has_error: True/False

  • error: message/null

  • result: Raw Logs objects

``` {json}
{
  "result": {
    "took": 48,
    "timed_out": false,
    "_shards": { "total": 128, "successful": 128, "skipped": 0, "failed": 0 },
    "hits": {
      "total": 1,
      "max_score": null,
      "hits": [
        {
          "_index": "raw-logs-2021.03.13",
          "_type": "doc",
          "_id": "258f-e19f-af87-c911cd",
          "_score": null,
          "_source": {
            "entry_source": "c-chicago-0-0",
            "entry_uuid": "2520f-e19f-af87-c912d1cd",
            "src": "11.78.77.0",
            "entry_origin": "Analysis Engine",
            "dest": "11.78.0.0",
            "entry_type": "Connection",
            "timestamp": 1615597364466
          },
          "sort": [ 1615597364466 ]
        }
      ]
    }
  },
  "error": null,
  "has_error": false
}
```
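Both search actions take the same Jinja-templated inputs (the Reference Values mechanism from the connection setup supplies the variables) and return the same envelope: has_error, error, and a result shaped like an Elasticsearch response. The following Python is an added example, not Devo SOAR's or MistNet's own code. It resolves the inputs with a minimal stand-in for Jinja (only {{name}} substitution, an assumption), applies the defaults the input tables describe, accepts Sort By either as the JSON array shown in the example or as plain comma-separated field names (how the real action treats the two forms is an assumption), and flattens the result envelope into rows, refusing to treat a failed search as an empty one. The context, inputs and response below are constructed to mirror the page's examples, not captured from a live instance.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Stand-in for the platform's Jinja rendering: only {{ name }} substitution
# is implemented here (assumption; the real engine is full Jinja).
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, context):
    """Substitute every {{name}} with context[name]; an unresolved name raises."""
    def substitute(match):
        name = match.group(1)
        if name not in context:
            raise KeyError(f"unresolved template variable: {name}")
        return str(context[name])
    return _PLACEHOLDER.sub(substitute, template)


def _epoch_ms(text):
    """Accept only an integer epoch-millisecond value, as the time inputs require."""
    value = text.strip()
    if not value.isdigit():
        raise ValueError(f"time must be epoch milliseconds, got {value!r}")
    return int(value)


def resolve_inputs(inputs, context, batch_start_ms, batch_end_ms):
    """Render and validate the inputs of the IOAs Search / Raw Logs Search actions.

    Defaults follow the input tables: Start/End Time fall back to the batch
    window, Sort By to timestamp, Fields List to all fields (empty list here).
    """
    start_ms = _epoch_ms(render(inputs.get("start_time") or str(batch_start_ms), context))
    end_ms = _epoch_ms(render(inputs.get("end_time") or str(batch_end_ms), context))
    if start_ms > end_ms:
        raise ValueError("start time is later than end time")

    query = {}
    if inputs.get("query"):
        query = json.loads(render(inputs["query"], context))
        if not isinstance(query, dict):
            raise ValueError("query must render to a JSON object")

    sort_by = ["timestamp"]
    if inputs.get("sort_by"):
        rendered = render(inputs["sort_by"], context)
        try:
            sort_by = json.loads(rendered)  # JSON array of {field: {"order": ...}}
        except json.JSONDecodeError:       # otherwise plain comma-separated field names
            sort_by = [f.strip() for f in rendered.split(",") if f.strip()]

    fields = [f.strip() for f in render(inputs.get("fields_list", ""), context).split(",") if f.strip()]

    resolved = {"start_time": start_ms, "end_time": end_ms, "query": query,
                "sort_by": sort_by, "fields_list": fields}
    if "index" in inputs:  # Raw Logs Search only: selects raw-logs-<index>
        resolved["index"] = render(inputs["index"], context) or "_"
    return resolved


def flatten_result(envelope):
    """Turn the action's output envelope into flat rows built from each hit's _source.

    A failed search raises instead of returning [] so that has_error is never
    mistaken for "no matching events" by the playbook that consumes the rows.
    """
    if envelope.get("has_error"):
        raise RuntimeError(f"MistNet search failed: {envelope.get('error')}")
    rows = []
    for hit in envelope["result"]["hits"]["hits"]:
        source = hit["_source"]
        ms = source["timestamp"]
        when = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
        rows.append({
            "index": hit["_index"],
            "id": hit["_id"],
            "entry_type": source.get("entry_type"),
            "src": source.get("src"),
            "dest": source.get("dest"),
            "timestamp_utc": when.isoformat(timespec="milliseconds"),
        })
    return rows


# Constructed sample data mirroring the page's examples (not from a live instance).
SAMPLE_CONTEXT = {
    "field_name_column1": "entry_type", "field_value_column1": "Connection",
    "column_value": "asc", "column_value1": "src", "column_value2": "dest",
}
SAMPLE_INPUTS = {
    "start_time": "",  # empty: fall back to the batch start time
    "end_time": "",
    "query": '{ "{{field_name_column1}}": "{{field_value_column1}}" }',
    "sort_by": '[{"timestamp": {"order": "desc"}}, {"src": {"order": "{{column_value}}"}}]',
    "fields_list": "{{column_value1}}, {{column_value2}}",
}
SAMPLE_ENVELOPE = {
    "has_error": False, "error": None,
    "result": {"took": 48, "timed_out": False,
               "hits": {"total": 1, "max_score": None, "hits": [{
                   "_index": "raw-logs-2021.03.13", "_type": "doc",
                   "_id": "258f-e19f-af87-c911cd", "_score": None,
                   "_source": {"entry_source": "c-chicago-0-0", "src": "11.78.77.0",
                               "entry_origin": "Analysis Engine", "dest": "11.78.0.0",
                               "entry_type": "Connection", "timestamp": 1615597364466},
                   "sort": [1615597364466]}]}},
}

if __name__ == "__main__":
    print(json.dumps(resolve_inputs(SAMPLE_INPUTS, SAMPLE_CONTEXT, 1615597300000, 1615597400000), indent=2))
    for row in flatten_result(SAMPLE_ENVELOPE):
        print(row)
```

The time check matters because the actions default silently to the batch window: a playbook that passes a rendered value in seconds rather than milliseconds, or a window that ends before it starts, would otherwise return an empty (not an erroneous) result.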

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem