Axonius
The Axonius integration will download data about all entities known to Axonius that have a current IP address.
Axonius relies on connections to other vendor platforms, and polls for data every 12 hours by default. Once data has been ingested, a discovery process will correlate data from multiple connectors. The discovery process can take up to four hours to complete.
The Axonius integration will automatically check the status of the discovery process each time the service runs, because querying the Axonius API can return unpredictable results if the discovery process is still running during the query. If the discovery process has not completed, the data cached from the previous successful run will be used, and the API will be queried again on the next service interval.
The interval_hours setting should not be set lower than the Axonius polling frequency. If it’s set to 0, the integration will attempt to download additional content each time the Corelight-update service runs. See Configuration settings.
Once downloaded, the data can then be used to create two separate Input Framework files. One file includes CVE information, and the other contains Host information. These files can be used by Zeek scripts to generate new logs, or enrich existing logs, such as the known_hosts.log or suricata_corelight.log.
The input file will be published along with any other input files from other configured integrations, if any. If Corelight-update is configured to push input files, the file will automatically get pushed to the Fleet Manager policy and/or all sensors in the policy. See Push content settings for more details.
Settings
axonius:
  cve_enabled: false
  cve_filename: cve_data.tsv
  hosts_enabled: false
  hosts_filename: hosts_data.tsv
  interval_hours: 0
  url: ""
  api_key: ""
  api_secret: ""
  request_limit: 1000
  debug: false
CVE Input file
The input file contains the following information (if it’s available):
IP address (required)
Hostname
Host Unique ID: Provided by the device data 'internal_axon_id' field
OS version
Machine domain
Endpoint information source (required)
Known CVE list (required)
The following is a sample input file created by this integration, using tab-separated values.
#fields	ip	hostname	host_uid	machine_domain	os_version	source	cve_list
10.21.0.102	DC	fb5946b0422e4da49e4575995fb89060	windomain.local	Windows Server 2016	Axonius	CVE-2022-26904,CVE-2022-34701,CVE-2020-0911,CVE-2022-24479,CVE-2020-1477
192.168.1.120	fleet	04a15f26ace249f68c583fd7be70f9db	-	Ubuntu 20.04	Axonius	CVE-2020-12313,CVE-2020-12319,CVE-2022-36402,CVE-2022-38096,CVE-2022-38457
192.168.1.155	ss2oh	62c850ec617843f8959f1442843bb816	-	Ubuntu 20.04	Axonius	CVE-2020-12313,CVE-2020-12319,CVE-2022-36402,CVE-2022-38096,CVE-2022-38457
192.168.12.212	skynet	fae3f73ce1404e0aae1626dbddfc3fe8	-	Ubuntu 22.04	Axonius	CVE-2020-12313,CVE-2016-1585,CVE-2022-36227,CVE-2022-45884,CVE-2023-22995,CVE-2022-38457
192.168.56.102	DC	34a6b864b61146d6ad051a9d63a5585f	windomain.local	Windows Server 2016	Axonius	CVE-2017-11771,CVE-2022-34718,CVE-2019-0736,CVE-2022-35744
192.168.56.103	WEF	c6f3d2351739482baf36cc6e4af65163	windomain.local	Windows Server 2016	Axonius	CVE-2017-11771,CVE-2022-34718,CVE-2019-0736,CVE-2022-35744
192.168.56.103	WEF	0bb70f50a9a3470dbc3e09bd6eb18fc4	windomain.local	Windows Server 2016	Axonius	CVE-2022-26904,CVE-2022-34701,CVE-2020-0911,CVE-2022-24479
192.168.56.104	WIN10	a71be784db1a40e5b0fd7e6b73f6c7b7	windomain.local	Windows 10	Axonius	CVE-2021-36965,CVE-2021-43217,CVE-2022-22012,CVE-2020-9633,CVE-2021-24077
192.168.56.104	WIN10	23fac76b0e5246f8b8ba22d1bbd6bc04	windomain.local	Windows 10	Axonius	CVE-2022-23279,CVE-2020-1286,CVE-2021-33784,CVE-2022-23299,CVE-2020-1391
Hosts Input file
The input file contains the following information (if it’s available):
IP address (required)
MAC address
Hostname
Host Unique ID: Provided by the device data 'internal_axon_id' field
OS version
Endpoint status
Machine domain
Endpoint information source (required)
The following is a sample input file created by this integration, using tab-separated values.
#fields	ip	mac	hostname	host_uid	os_version	status	machine_domain	source
192.168.56.103	00-50-56-A3-B1-C2	WEF	ced83f0c26493b638086fdc7b8b2c01d	-	-	-	Axonius
10.21.0.102	00-50-56-A1-B1-C4	DC	c53fdc3178ba36759c471d6b6655e324	-	-	-	Axonius
192.168.56.104	00-50-56-A2-B1-C2	WIN10	abb6c27309cf3730bb73e8cfd732d838	Windows 10	-	lab.local	Axonius
192.168.1.155	92-91-E0-3E-66-A8	ss2oh	9caa11e26d1f371797e73e9b9199d481	-	-	-	Axonius
192.168.1.120	00-0C-29-AB-75-05	fleet	81f845fe72ae32168aba94707fc8a49f	-	-	-	Axonius
192.168.12.1	-	-	613cd0e8a671350e83dec735143db1e0	-	-	-	Axonius
192.168.12.210	-	-	5f67453d7e833b0f82ac1d7a5788142a	-	-	-	Axonius
192.168.12.222	-	-	5abcec34b3443f3cb7fe17c4f7100e02	-	-	-	Axonius
192.168.12.212	00-50-56-A1-1F-07	skynet	439293445449716808dec735143db1e9	Ubuntu 22.04	-	-	Axonius
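The following Zeek script is an added example of how a sensor-side script can consume the CVE input file above (the hosts file is loaded the same way with a value record matching its #fields line); it is not part of the Axonius integration or of the Zeek-Endpoint-Enrichment package, and the file path, module name and new conn.log columns are assumptions. Note that the CVE sample lists the same IP twice (192.168.56.103 and 192.168.56.104), so a table keyed on address alone cannot hold both rows; include host_uid in the index if both matter.

```zeek
module AxoniusCVE;

export {
    ## Where the pushed file is expected to land on the sensor (assumed path).
    const cve_file = "/opt/zeek/share/zeek/site/cve_data.tsv" &redef;

    ## Index record: the field name must match the "ip" column in #fields.
    type Idx: record {
        ip: addr;
    };

    ## Value record: "-" placeholders are only accepted for &optional fields,
    ## so every column that can be empty in the sample is marked &optional.
    type Val: record {
        hostname: string &optional;
        host_uid: string &optional;
        machine_domain: string &optional;
        os_version: string &optional;
        source: string;
        cve_list: set[string];   # comma-separated in the file
    };

    global cves: table[addr] of Val = table();
}

## Extra conn.log columns carrying the enrichment (assumed names).
redef record Conn::Info += {
    orig_host_uid: string &optional &log;
    orig_cve_count: count &optional &log;
};

event zeek_init()
    {
    # REREAD reloads the table whenever Corelight-update pushes a new copy.
    Input::add_table([$source=cve_file, $name="axonius_cve",
                      $idx=Idx, $val=Val, $destination=cves,
                      $mode=Input::REREAD]);
    }

# Default priority 0 runs after Conn fills c$conn (priority 5) and before
# it writes the record to conn.log (priority -5).
event connection_state_remove(c: connection)
    {
    if ( ! c?$conn || c$id$orig_h !in cves )
        return;
    local v = cves[c$id$orig_h];
    if ( v?$host_uid )
        c$conn$orig_host_uid = v$host_uid;
    c$conn$orig_cve_count = |v$cve_list|;
    }
```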
Attention
The integration only creates the Input Framework files to be loaded on sensors. Additional Zeek scripts must be loaded on the sensors to use this data. If you enable these integrations, Corelight-update will upload the input files to the sensor, but if the required script isn’t available on the sensor, the input data won’t be used.
See Zeek package management for information about using Corelight-update to manage Zeek package bundles.
See Zeek-Endpoint-Enrichment for an example of a Zeek package that can use this data.