Accessdata (Deprecated)
#
This Integration is part of the Accessdata (Deprecated) Pack.Deprecated
Use Exterro FTK instead.
Use the Quin-C AccessData integration to protect against and provide additional visibility into phishing and other malicious email attacks. This integration was integrated and tested with version 20190926 of Quin-C Accessdata.
Documentation for the integration was provided by Quin-C.
#
AccessData PlaybookFor example, you can look at “Accessdata: Dump memory for malicious process” playbook to understand how to use this integration.
#
Configure AccessData in CortexParameter | Description | Example |
---|---|---|
Name | A meaningful name for the integration instance. | Quin-C Instance Alpha |
Server URL | The URL to the AccessData server, including the scheme. | FQDN or IP address in X.X.X.X format with scheme specified. |
Token | A piece of data that servers use to verify for authenticity | eea810f5-a6f6 |
Trust any certificate (not secure) | When selected, certificates are not checked. | N/A |
Use system proxy settings | Runs the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration. | https://proxyserver.com |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
Get a process listReturns a list of processes from the legacy agent.
#
Base Commandaccessdata-legacyagent-get-processlist
#
InputArgument Name | Description | Required |
---|---|---|
caseid | The ID of the case. | Optional |
target_ip | The IP address of the agent. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Accessdata.Job.ID | string | The ID of the job. |
Accessdata.Job.CaseID | string | The ID of the case. |
Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example, like “1_800”. |
Accessdata.Job.Type | string | The job type. |
Accessdata.Job.State | string | The execution state of the job. |
#
Command Example#
Context Example#
Human Readable OutputJobID: 157
#
Create a legacy agent memory dumpCreates a legacy agent memory dump.
#
Base Commandaccessdata-legacyagent-get-memorydump
#
InputArgument Name | Description | Required |
---|---|---|
caseid | The ID of the case. | Optional |
target_ip | The IP address of the agent. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Accessdata.Job.ID | string | The ID of the job. |
Accessdata.Job.CaseID | string | The ID of the case. |
Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example, like “1_800”. |
Accessdata.Job.Type | string | The job type. |
Accessdata.Job.State | string | The execution state of the job. |
#
Command Example#
Context Example#
Human Readable OutputJobID: 158
#
Read a file from a case folderReads a file from a case folder and puts the contents into the context output.
#
Base Commandaccessdata-read-casefile
#
InputArgument Name | Description | Required |
---|---|---|
filepath | The path to the case file. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Accessdata.File.Contents | string | The contents of the file. |
#
Command Example#
Context Example#
Human Readable Output#
Check the status of a jobChecks the status of a job.
#
Base Commandaccessdata-jobstatus-scan
#
InputArgument Name | Description | Required |
---|---|---|
caseJobID | The concatenated CaseID and JobID, for example, “1_800”. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Accessdata.Job.CaseID | string | The ID of the case. |
Accessdata.Job.ID | string | The ID of the job. |
Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example, like “1_800”. |
Accessdata.Job.State | string | The execution state of the job. |
#
Command Example#
Context Example#
Human Readable OutputCurrent job state: Success
#
Get a snapshot of a pathGets a snapshot of the path from the results of the process list job.
#
Base Commandaccessdata-get-jobstatus-processlist
#
InputArgument Name | Description | Required |
---|---|---|
caseID | The ID of the case. | Required |
jobID | The ID of the job. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Accessdata.Job.State | string | The state of the job. |
Accessdata.Job.Result | string | The snapshot of the path with the processes list. |
Accessdata.Job.ID | number | The ID of the job. |
Accessdata.Job.CaseID | number | The case ID of the job. |
Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example, like “1_800”. |
#
Command Example#
Context Example#
Human Readable Output\X.X.X.X\D$\paths\cases\ProcessingHelperCase\b389a8e9-4ce4-473d-8d2e-9026f53f925c\Jobs\job_153\fa9787a3-49a1-4d73-a194-7c944eb9a3bf\1\snapshot.xml
#
Get a memory dumpGets a memory dump path from the results of a memory dump job.
#
Base Commandaccessdata-get-jobstatus-memorydump
#
InputArgument Name | Description | Required |
---|---|---|
caseID | The ID of the case. | Required |
jobID | The ID of the job. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Accessdata.Job.State | string | The state of the job. |
Accessdata.Job.Result | string | The path of the memory dump. |
Accessdata.Job.ID | number | The ID of the job. |
Accessdata.Job.CaseID | number | The case ID of the job. |
Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example, like “1_800”. |
#
Command Example#
Context Example#
Human Readable Output\X.X.X.X\data\SiteServer\storage\60564598-ca55-475c-9f27-ab4992e8ff46\1\memdump.mem
#
Get an IDReturns the ID of the processing case.
#
Base Commandaccessdata-get-processing-case-id
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
Accessdata.ProcessingCaseId | string | The ID of the processing case. |
#
Command Example#
Context Example#
Human Readable Output2