MistNet
Version: 2.0.0
MistNet provides a machine learning (ML)-driven network threat detection and response solution and a built-in MITRE ATT&CK™ Engine that eliminates blind spots and monitors your organization’s network in real time.
Connecting MistNet with LogicHub
- Navigate to Automations > Integrations.
- Search for MistNet.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select this option to verify the connecting server's SSL certificate (the default is Verify SSL Certificate). Leave it enabled outside of testing: with verification off, any host that can intercept the connection can impersonate MistNet and read the search results returned to LogicHub.
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- Customer Name: Customer name used to access MistNet.
- Certificate: Upload the certificate used to access MistNet.
- Passphrase (Optional): Passphrase to access MistNet.
- After you've entered all the details, click Connect.
 
Actions for MistNet
IOAs Search
Retrieve IOA objects.
Input Field
Choose a connection that you have previously created, then fill in the following input fields to complete the action.
| Input Name | Description | Required | 
|---|---|---|
| Start Time | Jinja-templated text containing the start time as epoch milliseconds (default is the batch start time). Example: 1588676868908 | Optional | 
| End Time | Jinja-templated text containing the end time as epoch milliseconds (default is the batch end time). Example: 1588676868908 | Optional | 
| Query | Jinja-templated JSON object whose keys are field names and whose values are the values to match; it restricts which records the search returns. Example: { "{{field_name_column1}}": "{{field_value_column1}}", "{{field_name_column2}}": "{{field_value_column2}}" } | Optional | 
| Sort By | Jinja-templated JSON list of sort clauses, each of the form {field: {"order": "asc" or "desc"}}, applied in order (default sorts on timestamp). Example: [{"timestamp": {"order": "desc"}}, {"src": {"order": "{{column_value}}"}}] | Optional | 
| Fields List | Jinja-templated comma-separated list of field names to return for each record (default is all fields). Example: {{column_value1}}, {{column_value2}} | Optional | 
Output
A JSON object with the following keys:
- has_error: True/False
- error: message/null
- result: IOA objects
 
{
  "result": {
    "took": 48,
    "timed_out": false,
    "_shards": {
      "total": 128,
      "successful": 128,
      "skipped": 0,
      "failed": 0
    },
    "hits": {
      "total": 1,
      "max_score": null,
      "hits": [
        {
          "_index": "c-ioas",
          "_type": "doc",
          "_id": "258f-e19f-af87-c911cd",
          "_score": null,
          "_source": {
            "entry_source": "c-chicago-0-0",
            "entry_uuid": "2520f-e19f-af87-c912d1cd",
            "src": "11.78.77.0",
            "entry_origin": "Analysis Engine",
            "dest": "11.78.0.0",
            "entry_type": "Connection",
            "timestamp": 1615597364466
          },
          "sort": [
            1615597364466
          ]
        }
      ]
    }
  },
  "error": null,
  "has_error": false
}
Raw Logs Search
Retrieve raw log objects.
Input Field
Choose a connection that you have previously created, then fill in the following input fields to complete the action.
| Input Name | Description | Required | 
|---|---|---|
| Index | Jinja-templated text containing the index to search, usually a date (for example 2021.03.03); default is empty. The value is appended to the `raw-logs-` index name in the request URL (for example, `raw-logs-2021.03.13`), so it must be a single index name, not a path or query fragment. Example: '{{field_index_column}}' | Optional | 
| Start Time | Jinja-templated text containing the start time as epoch milliseconds (default is the batch start time). Example: 1588676868908 | Optional | 
| End Time | Jinja-templated text containing the end time as epoch milliseconds (default is the batch end time). Example: 1588676868908 | Optional | 
| Query | Jinja-templated JSON object whose keys are field names and whose values are the values to match; it restricts which records the search returns. Example: { "{{field_name_column1}}": "{{field_value_column1}}", "{{field_name_column2}}": "{{field_value_column2}}" } | Optional | 
| Sort By | Jinja-templated JSON list of sort clauses, each of the form {field: {"order": "asc" or "desc"}}, applied in order (default sorts on timestamp). Example: [{"timestamp": {"order": "desc"}}, {"src": {"order": "{{column_value}}"}}] | Optional | 
| Fields List | Jinja-templated comma-separated list of field names to return for each record (default is all fields). Example: {{column_value1}}, {{column_value2}} | Optional | 
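The inputs of both search actions are rendered from Jinja before the search runs, so a value taken from an untrusted playbook column can carry anything, and the Index value in particular ends up in the request URL. The following is an added example, not LogicHub's or MistNet's own code, of normalizing and checking the rendered inputs of the IOAs Search and Raw Logs Search actions before they are sent. The epoch-millisecond threshold, the character whitelist, the default sort order and the `raw-logs-` prefix (taken from the sample output on this page) are assumptions of the example.

```python
"""Normalize and validate rendered MistNet search inputs (added example)."""
import json
import re

# Epoch milliseconds for any date after 2001 exceed 1e12; a smaller value
# almost certainly means epoch seconds were passed by mistake (assumed check).
_MIN_EPOCH_MS = 10**12
# Assumed whitelist for index and field names: letters, digits, '.', '_', '@', '-'.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._@-]+$")


def _epoch_ms(value, default):
    """Return the timestamp as int epoch ms, falling back to the batch value."""
    if value is None or str(value).strip() == "":
        value = default
    ms = int(str(value).strip())
    if ms < _MIN_EPOCH_MS:
        raise ValueError(f"{ms} looks like epoch seconds, not milliseconds")
    return ms


def _safe_token(value, what):
    """Accept a single index or field name; reject URL metacharacters and '..'."""
    value = value.strip()
    if not _SAFE_TOKEN.match(value) or ".." in value:
        raise ValueError(f"unsafe {what}: {value!r}")
    return value


def normalize_search_inputs(batch_start_ms, batch_end_ms, start_time="",
                            end_time="", query="", sort_by="",
                            fields_list="", index=None):
    """Validate the rendered action inputs and return them in typed form."""
    start = _epoch_ms(start_time, batch_start_ms)
    end = _epoch_ms(end_time, batch_end_ms)
    if start > end:
        raise ValueError("start time is after end time")

    # Query must render to a JSON object of field -> value.
    q = json.loads(query) if query.strip() else {}
    if not isinstance(q, dict):
        raise ValueError("query must be a JSON object")
    for name in q:
        _safe_token(name, "query field")

    # Sort By: list of {field: {"order": "asc"|"desc"}}; the default order is assumed.
    sort = json.loads(sort_by) if sort_by.strip() else [{"timestamp": {"order": "desc"}}]
    if not isinstance(sort, list):
        raise ValueError("sort by must be a JSON list")
    for clause in sort:
        if not (isinstance(clause, dict) and len(clause) == 1):
            raise ValueError(f"bad sort clause: {clause!r}")
        (field, spec), = clause.items()
        _safe_token(field, "sort field")
        if not isinstance(spec, dict) or spec.get("order") not in ("asc", "desc"):
            raise ValueError(f"bad sort order for {field}: {spec!r}")

    # Fields List: comma-separated field names, blanks dropped.
    fields = [_safe_token(f, "field") for f in fields_list.split(",") if f.strip()]

    out = {"start_time": start, "end_time": end, "query": q,
           "sort_by": sort, "fields_list": fields}
    if index is not None:
        # The index is appended to the raw-logs index name in the request URL,
        # so it must never carry '/', '?', '*' or '..' from an untrusted column.
        out["index"] = "raw-logs-" + _safe_token(index, "index")
    return out


if __name__ == "__main__":
    # Constructed inputs; the window brackets the timestamp in the sample output.
    print(normalize_search_inputs(
        1615597300000, 1615597400000,
        query='{"src": "11.78.77.0"}',
        sort_by='[{"timestamp": {"order": "desc"}}]',
        fields_list="src, dest, timestamp",
        index="2021.03.13"))
```

Run this in the step that prepares the action inputs, and let a `ValueError` fail the step rather than send a malformed or widened search.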
Output
A JSON object with the following keys:
- has_error: True/False
- error: message/null
- result: raw log objects
 
{
  "result": {
    "took": 48,
    "timed_out": false,
    "_shards": {
      "total": 128,
      "successful": 128,
      "skipped": 0,
      "failed": 0
    },
    "hits": {
      "total": 1,
      "max_score": null,
      "hits": [
        {
          "_index": "raw-logs-2021.03.13",
          "_type": "doc",
          "_id": "258f-e19f-af87-c911cd",
          "_score": null,
          "_source": {
            "entry_source": "c-chicago-0-0",
            "entry_uuid": "2520f-e19f-af87-c912d1cd",
            "src": "11.78.77.0",
            "entry_origin": "Analysis Engine",
            "dest": "11.78.0.0",
            "entry_type": "Connection",
            "timestamp": 1615597364466
          },
          "sort": [
            1615597364466
          ]
        }
      ]
    }
  },
  "error": null,
  "has_error": false
}
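Both search actions return the shape shown above. The following is an added example, not LogicHub's or MistNet's own code, of consuming that output in a downstream Python step: it refuses results flagged as errors or as partial (`timed_out` or failed shards, which would silently drop detections), flattens each hit's `_source` into a row, and converts the epoch-millisecond timestamp to UTC. The sample response is copied from the IOAs Search output on this page; handling an object-valued `hits.total` is an assumption of the example.

```python
"""Flatten a MistNet search action result into rows (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample, copied from the IOAs Search output shown above.
SAMPLE_RESPONSE = {
    "result": {
        "took": 48, "timed_out": False,
        "_shards": {"total": 128, "successful": 128, "skipped": 0, "failed": 0},
        "hits": {
            "total": 1, "max_score": None,
            "hits": [{
                "_index": "c-ioas", "_type": "doc", "_id": "258f-e19f-af87-c911cd",
                "_score": None,
                "_source": {
                    "entry_source": "c-chicago-0-0",
                    "entry_uuid": "2520f-e19f-af87-c912d1cd",
                    "src": "11.78.77.0", "entry_origin": "Analysis Engine",
                    "dest": "11.78.0.0", "entry_type": "Connection",
                    "timestamp": 1615597364466,
                },
                "sort": [1615597364466],
            }],
        },
    },
    "error": None,
    "has_error": False,
}


class IncompleteSearch(RuntimeError):
    """Raised when the backend answered, but not with the full result set."""


def _total_hits(hits):
    # Assumed: total may be an int (as on this page) or {"value": n, ...}.
    total = hits.get("total", 0)
    return total["value"] if isinstance(total, dict) else total


def _utc_iso(epoch_ms):
    """Exact epoch-ms to ISO 8601 UTC, avoiding float rounding of the millis."""
    base = datetime.fromtimestamp(epoch_ms // 1000, tz=timezone.utc)
    return (base + timedelta(milliseconds=epoch_ms % 1000)).isoformat()


def extract_rows(response, strict=True):
    """Return (rows, total_hits); raise on action error or, if strict, partial results."""
    if response.get("has_error"):
        raise RuntimeError(f"MistNet search failed: {response.get('error')}")
    result = response["result"]
    shards = result.get("_shards", {})
    if strict and (result.get("timed_out") or shards.get("failed", 0) > 0):
        raise IncompleteSearch(
            f"partial result: timed_out={result.get('timed_out')}, "
            f"failed_shards={shards.get('failed')}")

    rows = []
    for hit in result["hits"]["hits"]:
        row = dict(hit.get("_source", {}))
        row["_id"] = hit["_id"]
        row["_index"] = hit["_index"]
        if isinstance(row.get("timestamp"), int):
            row["timestamp_utc"] = _utc_iso(row["timestamp"])
        rows.append(row)
    return rows, _total_hits(result["hits"])


if __name__ == "__main__":
    rows, total = extract_rows(SAMPLE_RESPONSE)
    if len(rows) < total:
        # More matches exist than were returned: narrow the time window or page.
        print(f"warning: {len(rows)} of {total} hits returned")
    for row in rows:
        print(row["timestamp_utc"], row["entry_type"], row["src"], "->", row["dest"])
```

Compare `len(rows)` with the returned total: a shortfall means the search matched more records than came back, so the time window should be narrowed rather than the missing hits ignored.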
Release Notes
v2.0.0 - Updated architecture to support IO via filesystem