Analyst1
Analyst1 Pack.#
This Integration is part of the#
OverviewAnalyst1 is an indicator, countermeasure and sensor management tool that enables analysts to collect and analyze evidence of malicious activity. Analyst1’s web based interface provides a single location to collect and analyze evidence of malicious activity and manage indicators then author, test, task and track rules to detect malicious cyber activity. Maintaing traceability between evidence, indicators, rules and sensors, analysts can identify why a rule was created, the type of activity it detects and what sensors are tasked.
This integration utilizes Analyst1's system to enrich Cortex XSOAR indicators with data provided by the Analyst1 REST API, such as actor and malware information, activity and reported dates, evidence and hit counts, and more.
This integration was integrated and tested with version 1.8.7 of Analyst1
#
Analyst1 PlaybookAnalyst1 Basic Indicator Enrichment: This is a simple playbook that can apply on top of an incident created from an indicator that will determine the indicator type and then properly enrich it with the associated Analyst1 integration command.
#
Use Cases- When you wish to have more information on a given indicator
- When you use both Cortex XSOAR and Analyst1 and wish to have easy linking between the two
#
Configure Analyst1 on Cortex XSOAR- Navigate to Settings > Integrations > Servers & Services.
- Search for Analyst1.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Analyst1 API Credentials (username/password)
- Domain of Analyst1 server to use
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
#
CommandsYou can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- domain
- ip
- file
- analyst1-enrich-string
- analyst1-enrich-ipv6
- analyst1-enrich-mutex
- analyst1-enrich-http-request
- url
#
1. domainQueries the Analyst1 REST API and enriches the given domain with Analyst1 Indicator data
#
Base Commanddomain
#
InputArgument Name | Description | Required |
---|---|---|
domain | The domain for which to return information. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Domain.Name | string | The domain name, for example, "google.com". |
Analyst1.Domain.ID | number | The indicator's unique ID in Analyst1. |
Analyst1.Domain.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
Analyst1.Domain.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
Analyst1.Domain.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
Analyst1.Domain.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Domain.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Domain.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
Analyst1.Domain.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
Analyst1.Domain.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
Analyst1.Domain.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
Analyst1.Domain.Malwares.Name | string | Each matched malware name in Analyst1. |
Analyst1.Domain.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
Analyst1.Domain.Actors.Name | string | Each matched actor name in Analyst1. |
Analyst1.Domain.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
Analyst1.Domain.IpResolution | string | The resolved IP address for this domain. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The type of indicator. |
DBotScore.Vendor | String | The AlienVault OTX vendor. |
#
Command Example!domain domain=abc.com
#
Context Example#
Human Readable Output#
Analyst1 Domain InformationActive | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
---|---|---|---|---|---|
true | 1 | 2043650 | https://partner.cloud.analyst1.com/indicators/2043650 | abc.com | 2018-06-12 |
#
2. emailQueries the Analyst1 REST API and enriches the given email with Analyst1 indicator data.
#
Base Commandemail
#
InputArgument Name | Description | Required |
---|---|---|
The email for which to return information. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Email.From | string | The sender of the email. |
Analyst1.Email.ID | number | The unique identifier of the given Indicator in Analyst1 |
Analyst1.Email.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
Analyst1.Email.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
Analyst1.Email.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
Analyst1.Email.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Email.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Email.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
Analyst1.Email.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
Analyst1.Email.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
Analyst1.Email.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
Analyst1.Email.Malwares.Name | string | Each matched malware name in Analyst1. |
Analyst1.Email.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
Analyst1.Email.Actors.Name | string | Each matched actor name in Analyst1. |
Analyst1.Email.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The AlienVault OTX vendor. |
#
Command Example!email email=001toxic@gmail.com
#
Context Example#
Human Readable Output#
Analyst1 Email InformationActive | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
---|---|---|---|---|---|---|
true | id = -2, name = Unknown | 1 | 1637756 | https://partner.cloud.analyst1.com/indicators/1637756 | 001toxic@gmail.com | 2018-02-05 |
#
3. ipQueries the Analyst1 REST API and enriches the given IP address with Analyst1 indicator data.
#
Base Commandip
#
InputArgument Name | Description | Required |
---|---|---|
ip | The IP address for which to return information. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IP.Address | string | The IP address. |
Analyst1.Ip.ID | number | The indicator's unique ID in Analyst1. |
Analyst1.Ip.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
Analyst1.Ip.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
Analyst1.Ip.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
Analyst1.Ip.FirstHit | date | The first date this this indicator was seen in a source scanned by Analyst1. |
Analyst1.Ip.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Ip.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
Analyst1.Ip.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
Analyst1.Ip.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
Analyst1.Ip.Malwares.ID | number | Each matched malware unique identifier in Analyst1 |
Analyst1.Ip.Malwares.Name | string | Each matched malware name in Analyst1 |
Analyst1.Ip.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
Analyst1.Ip.Actors.Name | string | Each matched actor name in Analyst1. |
Analyst1.Ip.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The type of indicator. |
DBotScore.Vendor | String | The AlienVault OTX vendor. |
#
Command Example!ip ip=0.154.17.105
#
Context Example#
Human Readable Output#
Analyst1 Ip InformationActive | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
---|---|---|---|---|---|
true | 1 | 51469 | https://partner.cloud.analyst1.com/indicators/51469 | 0.154.17.105 | 2014-01-04 |
#
4. fileQueries the Analyst1 REST API and enriches the given file with Analyst1 indicator data.
#
Base Commandfile
#
InputArgument Name | Description | Required |
---|---|---|
file | The file for which to return information. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
Analyst1.File.ID | number | The indicator's unique ID in Analyst1. |
Analyst1.File.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
Analyst1.File.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
Analyst1.File.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
Analyst1.File.FirstHit | date | The first date this this indicator was seen in a source scanned by Analyst1. |
Analyst1.File.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
Analyst1.File.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
Analyst1.File.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
Analyst1.File.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
Analyst1.File.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
Analyst1.File.Malwares.Name | string | Each matched malware name in Analyst1 |
Analyst1.File.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
Analyst1.File.Actors.Name | string | Each matched actor name in Analyst1. |
Analyst1.File.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The type of indicator. |
DBotScore.Vendor | String | The AlienVault OTX vendor. |
#
Command Example!file file=00000000000000000000000000000000
#
Context Example#
Human Readable Output#
Analyst1 File InformationActive | ActivityDates | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
---|---|---|---|---|---|---|---|
true | 2018-08-02, 2019-09-01 | id = -4, name = Multiple Actors Extracted, id = 150, name = FIN8 | 2 | 1527155 | https://partner.cloud.analyst1.com/indicators/1527155 | 00000000000000000000000000000000 | 2019-06-25, 2020-01-09 |
#
5. analyst1-enrich-stringQueries the Analyst1 REST API and enriches the given string with Analyst1 indicator data
#
Base Commandanalyst1-enrich-string
#
InputArgument Name | Description | Required |
---|---|---|
string | The string for which to return information. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Analyst1.String.ID | number | The unique identifier of the given Indicator in Analyst1 |
Analyst1.String.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
Analyst1.String.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
Analyst1.String.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
Analyst1.String.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
Analyst1.String.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
Analyst1.String.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
Analyst1.String.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
Analyst1.String.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
Analyst1.String.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
Analyst1.String.Malwares.Name | string | Each matched malware name in Analyst1 |
Analyst1.String.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
Analyst1.String.Actors.Name | string | Each matched actor name in Analyst1. |
Analyst1.String.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
#
Command Example!analyst1-enrich-string string=??
#
Context Example#
Human Readable Output#
Analyst1 String InformationActive | ActivityDates | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
---|---|---|---|---|---|---|---|
true | 2014-12-11, 2014-12-14, 2014-12-19, 2014-12-20 | id = -2, name = Unknown | 15 | 90548 | https://partner.cloud.analyst1.com/indicators/90548 | ?? | 2014-12-12, 2014-12-14, 2014-12-19, 2014-12-20 |
#
6. analyst1-enrich-ipv6Queries the Analyst1 REST API and enriches the given IP address with Analyst1 indicator data.
#
Base Commandanalyst1-enrich-ipv6
#
InputArgument Name | Description | Required |
---|---|---|
ip | The IP address for which to return information. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Analyst1.Ipv6.ID | number | The unique identifier of the given Indicator in Analyst1 |
Analyst1.Ipv6.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
Analyst1.Ipv6.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
Analyst1.Ipv6.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
Analyst1.Ipv6.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Ipv6.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Ipv6.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
Analyst1.Ipv6.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
Analyst1.Ipv6.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
Analyst1.Ipv6.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
Analyst1.Ipv6.Malwares.Name | string | Each matched malware name in Analyst1 |
Analyst1.Ipv6.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
Analyst1.Ipv6.Actors.Name | string | Each matched actor name in Analyst1. |
Analyst1.Ipv6.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
#
Command Example!analyst1-enrich-ipv6 ip=16::
#
Context Example#
Human Readable Output#
Analyst1 Ipv6 InformationActive | ActivityDates | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
---|---|---|---|---|---|---|
true | 2018-09-08 | 1 | 2623838 | https://partner.cloud.analyst1.com/indicators/2623838 | 16:: | 2015-05-13 |
#
7. analyst1-enrich-mutexQueries the Analyst1 REST API and enriches the given mutex with Analyst1 indicator data.
#
Base Commandanalyst1-enrich-mutex
#
InputArgument Name | Description | Required |
---|---|---|
mutex | The mutex to query information for | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Analyst1.Mutex.ID | number | The unique identifier of the given Indicator in Analyst1 |
Analyst1.Mutex.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
Analyst1.Mutex.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
Analyst1.Mutex.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
Analyst1.Mutex.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Mutex.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Mutex.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
Analyst1.Mutex.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
Analyst1.Mutex.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
Analyst1.Mutex.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
Analyst1.Mutex.Malwares.Name | string | Each matched malware name in Analyst1 |
Analyst1.Mutex.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
Analyst1.Mutex.Actors.Name | string | Each matched actor name in Analyst1. |
Analyst1.Mutex.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
#
Command Example!analyst1-enrich-mutex mutex=??
#
Context Example#
Human Readable Output#
Analyst1 Mutex InformationActive | ActivityDates | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
---|---|---|---|---|---|---|---|
true | 2015-01-06, 2015-01-07, 2015-01-14, 2015-02-23, 2017-08-05, 2017-08-06 | id = -2, name = Unknown | 6 | 95267 | https://partner.cloud.analyst1.com/indicators/95267 | ?? | 2015-01-07, 2015-01-14, 2015-02-23, 2017-08-05, 2017-08-06 |
#
8. analyst1-enrich-http-requestQueries the Analyst1 REST API and enriches the given HTTP request with Analyst1 indicator data.
#
Base Commandanalyst1-enrich-http-request
#
InputArgument Name | Description | Required |
---|---|---|
http-request | The HTTP request for which to return information. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Analyst1.Httprequest.ID | number | The unique identifier of the given Indicator in Analyst1 |
Analyst1.Httprequest.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
Analyst1.Httprequest.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
Analyst1.Httprequest.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
Analyst1.Httprequest.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Httprequest.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Httprequest.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
Analyst1.Httprequest.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
Analyst1.Httprequest.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
Analyst1.Httprequest.Malwares.ID | number | Each matched malware unique identifier in Analyst1 |
Analyst1.Httprequest.Malwares.Name | string | Each matched malware name in Analyst1. |
Analyst1.Httprequest.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
Analyst1.Httprequest.Actors.Name | string | Each matched actor name in Analyst1. |
Analyst1.Httprequest.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
#
Command Example!analyst1-enrich-http-request http-request=/~
#
Context Example#
Human Readable Output#
Analyst1 Httprequest InformationActive | ConfidenceLevel | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
---|---|---|---|---|---|---|
true | high | 1 | 2885382 | https://partner.cloud.analyst1.com/indicators/2885382 | /~ | 2020-01-06 |
#
9. urlQueries the Analyst1 REST API and enriches the given URL with Analyst1 indicator data.
#
Base Commandurl
#
InputArgument Name | Description | Required |
---|---|---|
url | The URL for which to return information. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
URL.Data | String | The URL. |
Analyst1.Url.ID | number | The unique identifier of the given Indicator in Analyst1 |
Analyst1.Url.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
Analyst1.Url.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
Analyst1.Url.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
Analyst1.Url.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Url.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
Analyst1.Url.HitCount | number | The total number of this indicator was seen in a source scanned by Analyst1. |
Analyst1.Url.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
Analyst1.Url.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
Analyst1.Url.Malwares.ID | number | Each matched malware unique identifier in Analyst1 |
Analyst1.Url.Malwares.Name | string | Each matched malware name in Analyst1. |
Analyst1.Url.Actors.ID | number | Each matched actor unique identifier in Analyst1 |
Analyst1.Url.Actors.Name | string | Each matched actor name in Analyst1. |
Analyst1.Url.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Numbe | The actual score. |
DBotScore.Type | String | The type of indicator. |
DBotScore.Vendor | String | The AlienVault OTX vendor. |
#
Command Example!url url=104.218.120.128/check.aspx
#
Context Example#
Human Readable Output#
Analyst1 Url InformationActive | ActivityDates | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
---|---|---|---|---|---|---|---|
true | 2018-12-08 | id = 178, name = APT33 | 1 | 2699554 | https://partner.cloud.analyst1.com/indicators/2699554 | 104.218.120.128/check.aspx | 2019-07-04 |