Solved

WebGateway/Browsing - way to collect URLs in real time

  • 20 June 2023
  • 4 replies
  • 101 views


Hi all,

Is there any way, during the execution of tests involving Web Gateway (browsing, phishing, etc.), from the Cymulate environment (agent or API logs, or even integration with Splunk via SPL), to allow the collection of IOCs (URLs mostly) in real time? The goal is to send them to the SIEM (Splunk) and correlate them with firewall and proxy logs (for example) so that the team is told that the connection to that URL is related to Cymulate tests. What I have identified so far at this level is collection via the API (feeds and technical reports), but this collection is only possible when the tests are finished, and some tests, depending on the scope, take up to 3 days to complete.

Regards

Uiliam Mello


Best answer by Shiraz 21 June 2023, 10:15


4 replies


Hi @uiliam_mello 

Did you try using the API endpoint GET /browsing/feed/url?

It will give you the current feed of URLs.


Shiraz

Product manager

Cymulate
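The correlation the question is after (tag proxy/firewall URL events that hit an address in the Cymulate browsing feed before a SOC analyst chases them) can be done on the SIEM side with the feed endpoint named in the answer above. The following is an added example, not Cymulate's own code. It assumes, and the page does not confirm, that GET /browsing/feed/url returns JSON carrying URL strings (either a plain list or objects with a "url" field), that the API is authenticated with an x-token header, and the base URL shown; the feed response and proxy events in the demo are constructed sample data. Matching is done on a normalized (host, path) key, with a weaker host-only match reported separately so an analyst can tell an exact feed hit from "same host, different path":

```python
"""
Tag proxy/firewall URL events that match the Cymulate browsing URL feed.

Added example; not Cymulate's code. ASSUMPTIONS (not confirmed by the page):
- /browsing/feed/url returns JSON with URL strings, as a bare list or as
  objects with a "url" field, possibly wrapped in {"data": [...]}.
- Authentication is an "x-token" header; CYMULATE_API is an assumed base URL.
"""
import json
import urllib.request
from urllib.parse import urlsplit

CYMULATE_API = "https://api.app.cymulate.com/v1"  # assumed base URL


def fetch_feed(token: str, base_url: str = CYMULATE_API) -> list[str]:
    """Pull the current feed over the network (not used by the offline demo)."""
    req = urllib.request.Request(
        f"{base_url}/browsing/feed/url",
        headers={"x-token": token, "accept": "application/json"},  # assumed header
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return feed_urls_from_response(json.load(resp))


def feed_urls_from_response(payload) -> list[str]:
    """Extract URL strings from the assumed response shapes (list or {"data": [...]})."""
    if isinstance(payload, dict):
        payload = payload.get("data", payload.get("urls", []))
    urls = []
    for item in payload:
        if isinstance(item, str):
            urls.append(item)
        elif isinstance(item, dict) and isinstance(item.get("url"), str):
            urls.append(item["url"])
    return urls


def normalize(url: str) -> tuple[str, str]:
    """(host, path) key: lowercase host, scheme/port/query dropped, trailing '/' stripped.
    Feeds often list bare 'host/path' entries, so a missing scheme is tolerated."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host, path


def build_index(feed_urls):
    """Two lookup sets: exact (host, path) keys and the hosts alone."""
    exact = {normalize(u) for u in feed_urls}
    hosts = {host for host, _ in exact}
    return exact, hosts


def classify(event_url: str, index) -> str:
    """'cymulate_feed_url' on exact match, 'cymulate_feed_host' on host-only, else 'unknown'."""
    exact, hosts = index
    key = normalize(event_url)
    if key in exact:
        return "cymulate_feed_url"
    if key[0] in hosts:
        return "cymulate_feed_host"
    return "unknown"


def tag_events(events, feed_urls):
    """Return copies of the proxy events with a cymulate_match field added."""
    index = build_index(feed_urls)
    return [dict(ev, cymulate_match=classify(ev["url"], index)) for ev in events]


def to_splunk_lookup(feed_urls) -> str:
    """Render the feed as a CSV lookup (host,path) for use in SPL correlation."""
    rows = sorted(build_index(feed_urls)[0])
    return "host,path\n" + "\n".join(f"{h},{p}" for h, p in rows) + "\n"


# Constructed sample data for the offline demo (not real feed content).
SAMPLE_FEED = {"data": [
    "http://malicious.example/payload.exe",
    {"url": "https://phish.example.net/login"},
    "c2.example.org/beacon",
]}
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "url": "http://MALICIOUS.example/payload.exe/"},
    {"src": "10.0.0.7", "url": "https://phish.example.net/other"},
    {"src": "10.0.0.9", "url": "https://intranet.example.com/"},
]

if __name__ == "__main__":
    for ev in tag_events(SAMPLE_EVENTS, feed_urls_from_response(SAMPLE_FEED)):
        print(ev)
```

Because, as the rest of the thread points out, the feed carries no per-agent attribution, this only tells the analyst that the destination is a Cymulate test URL; it cannot by itself say which agent or host made the request.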


Hello @Shiraz, thanks for the reply.

Yes, but in the initial tests I realized that the URLs are also fed after the end of the tests. Do you know if this statement is correct?
Another point: as the intention is to cross-reference firewall/proxy communication events with calls made by Cymulate agents, the objective would be to collect somewhere which agent/IP made the call to the malicious URL (for example, the Cymulate agent on the XPTO host is currently making a connection attempt to the URL http://xyz.com), something like this.

Regards

Uiliam Mello


Hi @uiliam_mello 

1- The Phishing and Command & Control URL feeds update daily, so if you export the feed from the API on the same day you launch the assessment you will get the same list.


2- The agent that made the call is the agent you launched the assessment with; the IP address is displayed on our "Agents" page (under the Settings menu).

Is there somewhere else you would like to view it?


Shiraz

Product manager

Cymulate


Hello @Shiraz 

About item 1, understood. We have an updated feed whether we have a test running or not, right? But that doesn't solve my question, unfortunately, because I want to collect both the source agent and the called URL.

Regarding item 2, I would like to obtain this information externally, collecting from Cymulate (from the API or another possible integration) which agent/host is calling that malicious URL at that moment, not just seeing it in the web console. Imagine the following scenario (a playbook for a SOAR, for example): I get an IPS/threat alert from my firewall in my SIEM, from a source trying to access a URL that matches a malicious URL. I can't identify the correct source because the source IP that the firewall gives me is an outgoing NAT IP. Using the API (or reading the agent logs, or another way that gives me that information) I would like to get information from Cymulate on whether any agent/host is calling this URL (if there is a browsing/WebGateway test running) and take the decision to close this FW alert. I have this information in the WebGateway API /browsing/history/technical/{id}, but this report is only available after the end of the test, and as I mentioned before, it can take several days (between the beginning and the end), preventing this alert from being closed automatically.

Regards

Uiliam Mello
