
Analyst1

This Integration is part of the Analyst1 Pack.

Overview

Analyst1 is an advanced threat intelligence platform (TIP) that simplifies every cybersecurity analyst's role. This integration with XSOAR presently emphasizes indicator, countermeasure, sensor management, and intelligence collection workflows, enabling analysts to collect, analyze, and respond to evidence of malicious activity. Analyst1's web-based interface provides a single location to collect and analyze evidence of malicious activity, manage indicators, and then author, test, task, and track rules to detect malicious cyber activity. By maintaining traceability between evidence, indicators, rules, and sensors, analysts can identify why a rule was created, the type of activity it detects, and which sensors are tasked.

This integration utilizes Analyst1's system API to:

  1. enrich Cortex XSOAR indicators with data provided by the Analyst1 REST API, such as actor and malware information, activity and reported dates, evidence and hit counts, and more.
  2. submit content created in XSOAR, downloaded by XSOAR, or a synthesis of both back to Analyst1 as 'Evidence'.
  3. access the Analyst1 Sensor records to get indicator and/or signature tasking definitions for deployment to IDS/IPS/Firewall/XDR/other boundary tools.

This integration was integrated and tested with version 2.1.0 of Analyst1.

For full documentation on the Analyst1 API, access the "Help" or "Guides" section within your Analyst1 instance. For help, contact support@analyst1.com.

Analyst1 Playbook

Analyst1 Basic Indicator Enrichment: a simple playbook that can be applied on top of an incident created from an indicator. It determines the indicator type and then enriches the indicator with the matching Analyst1 integration command.

For additional example playbooks please contact support@analyst1.com.
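The type-then-command dispatch the playbook performs, written out in Python as an added example (not the playbook's or the pack's own code): each value is classified syntactically and mapped to the enrichment command and argument name from the command reference on this page. The detection rules (hex-digest lengths for hashes, the `ipaddress` parser for IPv4/IPv6, a leading `/` meaning an HTTP request path, a `/` elsewhere meaning a URL) are this example's assumptions, not the playbook's logic.

```python
import ipaddress
import re

# Indicator type -> (Analyst1 integration command, argument name), taken from the
# command reference on this page. A mutex has no reliable syntactic test, so it is
# not auto-detected; values matching nothing fall back to analyst1-enrich-string.
COMMANDS = {
    "file": ("file", "file"),
    "ip": ("ip", "ip"),
    "ipv6": ("analyst1-enrich-ipv6", "ip"),
    "email": ("email", "email"),
    "http-request": ("analyst1-enrich-http-request", "http-request"),
    "url": ("url", "url"),
    "domain": ("domain", "domain"),
    "string": ("analyst1-enrich-string", "string"),
}

# Assumed detection rules (this example's, not the playbook's).
HASH_LENGTHS = {32, 40, 64}  # MD5, SHA1 and SHA256 hex digest lengths
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def detect_indicator_type(value):
    """Return the COMMANDS key for a value, testing the most specific syntaxes first."""
    v = value.strip()
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return "file"
    try:
        return "ip" if ipaddress.ip_address(v).version == 4 else "ipv6"
    except ValueError:
        pass  # not an IP literal; keep testing
    if EMAIL_RE.match(v):
        return "email"
    if v.startswith("/"):  # a bare request path such as /~
        return "http-request"
    if "/" in v:  # host plus path, scheme optional (104.218.120.128/check.aspx)
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return "string"


def build_enrichment_command(value):
    """Render the War Room command line that enriches `value` through Analyst1."""
    command, arg = COMMANDS[detect_indicator_type(value)]
    v = value.strip()
    # The XSOAR CLI needs the value quoted when it contains whitespace, '=' or '"'.
    if re.search(r'[\s="]', v):
        v = '"' + v.replace('"', '\\"') + '"'
    return f"!{command} {arg}={v}"


def enrichment_plan(values):
    """Map each indicator of an incident to the command a playbook would run for it."""
    return {value: build_enrichment_command(value) for value in values}
```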

Use Cases

  • When you wish to have more information on a given indicator
  • When you want to look up batches of indicator values en masse
  • When you want to get indicator metadata from hundreds of sources in one call
  • When you want to get cached indicator enrichment, like VirusTotal, without re-querying other APIs
  • When you use both Cortex XSOAR and Analyst1 and wish to have easy linking between the two
  • When you want to submit any form of created or discovered intelligence back to Analyst1
  • When you want to get the current Analyst1-created defensive outputs of Indicators and Signatures
  • When you want to get iterative diffs of Indicator and Signature sets for proactive defensive configurations

Configure Analyst1 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Analyst1.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Analyst1 API Credentials (username/password)
    • Domain of Analyst1 server to use
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. domain
  2. email
  3. ip
  4. file
  5. analyst1-enrich-string
  6. analyst1-enrich-ipv6
  7. analyst1-enrich-mutex
  8. analyst1-enrich-http-request
  9. url
  10. analyst1-evidence-submit
  11. analyst1-evidence-status
  12. analyst1-batch-check
  13. analyst1-batch-check-post
  14. analyst1-indicator-by-id
  15. analyst1-get-sensor-config
  16. analyst1-get-sensor-taskings
  17. analyst1-get-sensor-diff
  18. analyst1-get-sensors

1. domain

Queries the Analyst1 REST API and enriches the given domain with Analyst1 indicator data.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain for which to return information. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | string | The domain name, for example, "google.com". |
| Analyst1.Domain.ID | number | The indicator's unique ID in Analyst1. |
| Analyst1.Domain.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Domain.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Domain.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Domain.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Domain.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Domain.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Domain.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Domain.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Domain.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Domain.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Domain.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Domain.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Domain.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
| Analyst1.Domain.IpResolution | string | The resolved IP address for this domain. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The vendor that reported the score (Analyst1). |

Command Example

!domain domain=abc.com

Context Example

```json
{
  "Analyst1.Domain": {
    "LastHit": null,
    "ReportedDates": [
      "2018-06-12"
    ],
    "Indicator": "abc.com",
    "Malwares": {},
    "FirstHit": null,
    "ActivityDates": [],
    "EvidenceCount": 1,
    "Actors": {},
    "ConfidenceLevel": null,
    "Active": true,
    "HitCount": null,
    "Analyst1Link": "https://analyst1instance.domain/indicators/2043650",
    "ID": 2043650
  },
  "Domain": {
    "Malicious": {
      "Vendor": "Analyst1",
      "Description": "Analyst1 has determined that this indicator is malicious via internal analysis."
    },
    "Name": "abc.com"
  },
  "DBotScore": {
    "Vendor": "Analyst1",
    "Indicator": "abc.com",
    "Score": 3,
    "Type": "domain"
  }
}
```

Human Readable Output

Analyst1 Domain Information

| Active | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- |
| true | 1 | 2043650 | https://analyst1instance.domain/indicators/2043650 | abc.com | 2018-06-12 |

2. email

Queries the Analyst1 REST API and enriches the given email with Analyst1 indicator data.

Base Command

email

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email | The email for which to return information. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Email.From | string | The sender of the email. |
| Analyst1.Email.ID | number | The unique identifier of the given Indicator in Analyst1. |
| Analyst1.Email.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Email.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Email.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Email.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Email.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Email.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Email.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Email.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Email.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Email.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Email.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Email.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Email.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor that reported the score (Analyst1). |

Command Example

!email email=001toxic@gmail.com

Context Example

```json
{
  "DBotScore": {
    "Vendor": "Analyst1",
    "Indicator": "001toxic@gmail.com",
    "Score": 3,
    "Type": "email"
  },
  "Analyst1.Email": {
    "LastHit": null,
    "ReportedDates": [
      "2018-02-05"
    ],
    "Indicator": "001toxic@gmail.com",
    "Malwares": {},
    "FirstHit": null,
    "ActivityDates": [],
    "EvidenceCount": 1,
    "Actors": [
      {
        "id": -2,
        "name": "Unknown"
      }
    ],
    "ConfidenceLevel": null,
    "Active": true,
    "HitCount": null,
    "Analyst1Link": "https://analyst1instance.domain/indicators/1637756",
    "ID": 1637756
  },
  "Email": {
    "Malicious": {
      "Vendor": "Analyst1",
      "Description": "Analyst1 has determined that this indicator is malicious via internal analysis."
    },
    "From": "001toxic@gmail.com"
  }
}
```

Human Readable Output

Analyst1 Email Information

| Active | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- |
| true | id = -2, name = Unknown | 1 | 1637756 | https://analyst1instance.domain/indicators/1637756 | 001toxic@gmail.com | 2018-02-05 |

3. ip

Queries the Analyst1 REST API and enriches the given IP address with Analyst1 indicator data.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address for which to return information. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | string | The IP address. |
| Analyst1.Ip.ID | number | The indicator's unique ID in Analyst1. |
| Analyst1.Ip.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Ip.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Ip.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Ip.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Ip.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Ip.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Ip.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Ip.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Ip.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Ip.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Ip.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Ip.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Ip.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The vendor that reported the score (Analyst1). |

Command Example

!ip ip=0.154.17.105

Context Example

```json
{
  "IP": {
    "Malicious": {
      "Vendor": "Analyst1",
      "Description": "Analyst1 has determined that this indicator is malicious via internal analysis."
    },
    "Address": "0.154.17.105"
  },
  "Analyst1.Ip": {
    "LastHit": null,
    "ReportedDates": [
      "2014-01-04"
    ],
    "Indicator": "0.154.17.105",
    "Malwares": {},
    "FirstHit": null,
    "ActivityDates": [],
    "EvidenceCount": 1,
    "Actors": {},
    "ConfidenceLevel": null,
    "Active": true,
    "HitCount": null,
    "Analyst1Link": "https://analyst1instance.domain/indicators/51469",
    "ID": 51469
  },
  "DBotScore": {
    "Vendor": "Analyst1",
    "Indicator": "0.154.17.105",
    "Score": 3,
    "Type": "ip"
  }
}
```

Human Readable Output

Analyst1 Ip Information

| Active | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- |
| true | 1 | 51469 | https://analyst1instance.domain/indicators/51469 | 0.154.17.105 | 2014-01-04 |

4. file

Queries the Analyst1 REST API and enriches the given file with Analyst1 indicator data.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | The file for which to return information. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| Analyst1.File.ID | number | The indicator's unique ID in Analyst1. |
| Analyst1.File.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.File.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.File.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.File.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.File.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.File.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.File.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.File.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.File.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.File.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.File.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.File.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.File.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The vendor that reported the score (Analyst1). |

Command Example

!file file=00000000000000000000000000000000

Context Example

```json
{
  "Analyst1.File": {
    "LastHit": null,
    "ReportedDates": [
      "2019-06-25",
      "2020-01-09"
    ],
    "Indicator": "00000000000000000000000000000000",
    "Malwares": {},
    "FirstHit": null,
    "ActivityDates": [
      "2018-08-02",
      "2019-09-01"
    ],
    "EvidenceCount": 2,
    "Actors": [
      {
        "id": -4,
        "name": "Multiple Actors Extracted"
      },
      {
        "id": 150,
        "name": "FIN8"
      }
    ],
    "ConfidenceLevel": null,
    "Active": true,
    "HitCount": null,
    "Analyst1Link": "https://analyst1instance.domain/indicators/1527155",
    "ID": 1527155
  },
  "DBotScore": {
    "Vendor": "Analyst1",
    "Indicator": "00000000000000000000000000000000",
    "Score": 3,
    "Type": "file"
  },
  "File": {
    "Malicious": {
      "Vendor": "Analyst1",
      "Description": "Analyst1 has determined that this indicator is malicious via internal analysis."
    },
    "MD5": "00000000000000000000000000000000"
  }
}
```

Human Readable Output

Analyst1 File Information

| Active | ActivityDates | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- | --- |
| true | 2018-08-02, 2019-09-01 | id = -4, name = Multiple Actors Extracted; id = 150, name = FIN8 | 2 | 1527155 | https://analyst1instance.domain/indicators/1527155 | 00000000000000000000000000000000 | 2019-06-25, 2020-01-09 |

5. analyst1-enrich-string

Queries the Analyst1 REST API and enriches the given string with Analyst1 indicator data.

Base Command

analyst1-enrich-string

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| string | The string for which to return information. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.String.ID | number | The unique identifier of the given Indicator in Analyst1. |
| Analyst1.String.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.String.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.String.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.String.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.String.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.String.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.String.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.String.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.String.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.String.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.String.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.String.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.String.Analyst1Link | string | The URL of the matched indicator in Analyst1. |

Command Example

!analyst1-enrich-string string=??

Context Example

```json
{
  "Analyst1.String": {
    "LastHit": null,
    "ReportedDates": [
      "2014-12-12",
      "2014-12-14",
      "2014-12-19",
      "2014-12-20"
    ],
    "Indicator": "??",
    "Malwares": {},
    "FirstHit": null,
    "ActivityDates": [
      "2014-12-11",
      "2014-12-14",
      "2014-12-19",
      "2014-12-20"
    ],
    "EvidenceCount": 15,
    "Actors": [
      {
        "id": -2,
        "name": "Unknown"
      }
    ],
    "ConfidenceLevel": null,
    "Active": true,
    "HitCount": null,
    "Analyst1Link": "https://analyst1instance.domain/indicators/90548",
    "ID": 90548
  }
}
```

Human Readable Output

Analyst1 String Information

| Active | ActivityDates | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- | --- |
| true | 2014-12-11, 2014-12-14, 2014-12-19, 2014-12-20 | id = -2, name = Unknown | 15 | 90548 | https://analyst1instance.domain/indicators/90548 | ?? | 2014-12-12, 2014-12-14, 2014-12-19, 2014-12-20 |

6. analyst1-enrich-ipv6

Queries the Analyst1 REST API and enriches the given IPv6 address with Analyst1 indicator data.

Base Command

analyst1-enrich-ipv6

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address for which to return information. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.Ipv6.ID | number | The unique identifier of the given Indicator in Analyst1. |
| Analyst1.Ipv6.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Ipv6.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Ipv6.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Ipv6.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Ipv6.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Ipv6.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Ipv6.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Ipv6.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Ipv6.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Ipv6.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Ipv6.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Ipv6.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Ipv6.Analyst1Link | string | The URL of the matched indicator in Analyst1. |

Command Example

!analyst1-enrich-ipv6 ip=16::

Context Example

```json
{
  "Analyst1.Ipv6": {
    "LastHit": null,
    "ReportedDates": [
      "2015-05-13"
    ],
    "Indicator": "16::",
    "Malwares": {},
    "FirstHit": null,
    "ActivityDates": [
      "2018-09-08"
    ],
    "EvidenceCount": 1,
    "Actors": {},
    "ConfidenceLevel": null,
    "Active": true,
    "HitCount": null,
    "Analyst1Link": "https://analyst1instance.domain/indicators/2623838",
    "ID": 2623838
  }
}
```

Human Readable Output

Analyst1 Ipv6 Information

| Active | ActivityDates | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- |
| true | 2018-09-08 | 1 | 2623838 | https://analyst1instance.domain/indicators/2623838 | 16:: | 2015-05-13 |

7. analyst1-enrich-mutex

Queries the Analyst1 REST API and enriches the given mutex with Analyst1 indicator data.

Base Command

analyst1-enrich-mutex

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| mutex | The mutex for which to return information. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.Mutex.ID | number | The unique identifier of the given Indicator in Analyst1. |
| Analyst1.Mutex.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Mutex.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Mutex.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Mutex.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Mutex.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Mutex.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Mutex.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Mutex.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Mutex.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Mutex.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Mutex.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Mutex.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Mutex.Analyst1Link | string | The URL of the matched indicator in Analyst1. |

Command Example

!analyst1-enrich-mutex mutex=??

Context Example

```json
{
  "Analyst1.Mutex": {
    "LastHit": null,
    "ReportedDates": [
      "2015-01-07",
      "2015-01-14",
      "2015-02-23",
      "2017-08-05",
      "2017-08-06"
    ],
    "Indicator": "??",
    "Malwares": {},
    "FirstHit": null,
    "ActivityDates": [
      "2015-01-06",
      "2015-01-07",
      "2015-01-14",
      "2015-02-23",
      "2017-08-05",
      "2017-08-06"
    ],
    "EvidenceCount": 6,
    "Actors": [
      {
        "id": -2,
        "name": "Unknown"
      }
    ],
    "ConfidenceLevel": null,
    "Active": true,
    "HitCount": null,
    "Analyst1Link": "https://analyst1instance.domain/indicators/95267",
    "ID": 95267
  }
}
```

Human Readable Output

Analyst1 Mutex Information

| Active | ActivityDates | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- | --- |
| true | 2015-01-06, 2015-01-07, 2015-01-14, 2015-02-23, 2017-08-05, 2017-08-06 | id = -2, name = Unknown | 6 | 95267 | https://analyst1instance.domain/indicators/95267 | ?? | 2015-01-07, 2015-01-14, 2015-02-23, 2017-08-05, 2017-08-06 |

8. analyst1-enrich-http-request

Queries the Analyst1 REST API and enriches the given HTTP request with Analyst1 indicator data.

Base Command

analyst1-enrich-http-request

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| http-request | The HTTP request for which to return information. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.Httprequest.ID | number | The unique identifier of the given Indicator in Analyst1. |
| Analyst1.Httprequest.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Httprequest.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Httprequest.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Httprequest.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Httprequest.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Httprequest.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Httprequest.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Httprequest.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Httprequest.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Httprequest.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Httprequest.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Httprequest.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Httprequest.Analyst1Link | string | The URL of the matched indicator in Analyst1. |

Command Example

!analyst1-enrich-http-request http-request=/~

Context Example

```json
{
  "Analyst1.Httprequest": {
    "LastHit": null,
    "ReportedDates": [
      "2020-01-06"
    ],
    "Indicator": "/~",
    "Malwares": {},
    "FirstHit": null,
    "ActivityDates": [],
    "EvidenceCount": 1,
    "Actors": {},
    "ConfidenceLevel": "high",
    "Active": true,
    "HitCount": null,
    "Analyst1Link": "https://analyst1instance.domain/indicators/2885382",
    "ID": 2885382
  }
}
```

Human Readable Output

Analyst1 Httprequest Information

| Active | ConfidenceLevel | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- |
| true | high | 1 | 2885382 | https://analyst1instance.domain/indicators/2885382 | /~ | 2020-01-06 |

9. url

Queries the Analyst1 REST API and enriches the given URL with Analyst1 indicator data.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | The URL for which to return information. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| URL.Data | String | The URL. |
| Analyst1.Url.ID | number | The unique identifier of the given Indicator in Analyst1. |
| Analyst1.Url.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Url.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Url.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Url.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Url.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Url.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Url.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Url.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Url.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Url.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Url.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Url.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Url.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The vendor that reported the score (Analyst1). |

Command Example

!url url=104.218.120.128/check.aspx

Context Example

```json
{
  "URL": {
    "Malicious": {
      "Vendor": "Analyst1",
      "Description": "Analyst1 has determined that this indicator is malicious via internal analysis."
    },
    "Data": "104.218.120.128/check.aspx"
  },
  "Analyst1.Url": {
    "LastHit": null,
    "ReportedDates": [
      "2019-07-04"
    ],
    "Indicator": "104.218.120.128/check.aspx",
    "Malwares": {},
    "FirstHit": null,
    "ActivityDates": [
      "2018-12-08"
    ],
    "EvidenceCount": 1,
    "Actors": [
      {
        "id": 178,
        "name": "APT33"
      }
    ],
    "ConfidenceLevel": null,
    "Active": true,
    "HitCount": null,
    "Analyst1Link": "https://analyst1instance.domain/indicators/2699554",
    "ID": 2699554
  },
  "DBotScore": {
    "Vendor": "Analyst1",
    "Indicator": "104.218.120.128/check.aspx",
    "Score": 3,
    "Type": "url"
  }
}
```

Human Readable Output

Analyst1 Url Information

| Active | ActivityDates | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- | --- |
| true | 2018-12-08 | id = 178, name = APT33 | 1 | 2699554 | https://analyst1instance.domain/indicators/2699554 | 104.218.120.128/check.aspx | 2019-07-04 |

10. analyst1-evidence-submit

Submits an 'Evidence' to Analyst1. The submission can be any text or attachment (PDF, JSON, DOCX, ...); the a1Bot will extract all relevant context. The 'Evidence' can come from an external source (email attachment, secure download) or be text/JSON constructed within XSOAR to communicate intelligence results back to Analyst1.

Base Command

analyst1-evidence-submit

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sourceId | Analyst1 ID# of the Source to associate with the Evidence. It is a best practice to create a 'Reference' source in Analyst1 to which XSOAR may submit. | Required |
| fileContent | Content of the Evidence to create within Analyst1. Should be used when the content is TXT or JSON. Use fileEntryId for attachments in XSOAR context. One of fileContent or fileEntryId must be included. | Optional |
| tlp | Traffic Light Protocol (TLP) value for the Evidence. If the Evidence itself carries TLP markings, the a1bot's detected markings override this input. Default is GREEN. | Optional |
| fileClassification | Government classification of the Evidence. Ignore if not operating in a Military/Government capacity. Default is U. | Optional |
| fileName | Name of the 'file' as it was received as an attachment/download, or as it should be represented in Analyst1. Becomes the default 'title' of the created Evidence record. The file extension is used in MIME type discovery, which influences extraction by a1bot. | Required |
| fileEntryId | Entry ID in XSOAR context. How the file was acquired matters: for instance, when using the http command, set saveAsFile=yes, or the original, real format will be lost in a {"Body":"encoded file"} wrapping. One of fileContent or fileEntryId must be included. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.EvidenceSubmit.uuid | unknown | The unique GUID tracking this specific Evidence's submission. Can be used to monitor the extraction until it finishes. If empty, check 'message'. |
| Analyst1.EvidenceSubmit.message | unknown | An explanation of the error that prevented acceptance of the Evidence submission. |

11. analyst1-evidence-status

Check on the status of an analyst1-evidence-submit action by using its output UUID.

Base Command

analyst1-evidence-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | Identifier from an Evidence Submission to track status. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.EvidenceStatus.id | unknown | Evidence ID created by the submission. If 'blank' and message is 'blank', the upload is still processing. |
| Analyst1.EvidenceStatus.message | unknown | If populated, communicates errors that occurred with the status check or the upload processing. |
| Analyst1.EvidenceStatus.processingComplete | unknown | True or false to indicate whether processing of the Evidence upload is done. Determined by evaluating whether the id or message is present and populated. If an id is returned but blank, this is false, indicating the upload is still in progress. |

Command example

!analyst1-evidence-status uuid=8b7eee23-d71b-d3da-f66b-b4d3917fdb80

Context Example

```json
{
  "Analyst1": {
    "EvidenceStatus": {
      "id": 1608592,
      "processingComplete": "true"
    }
  }
}
```

Human Readable Output

Results

| id | processingComplete |
| --- | --- |
| 1608592 | true |
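The submit-then-poll flow of commands 10 and 11, written in Python as an added example (not the pack's code), following the rules the two Context Output tables state: an empty uuid on submit means read message; on status, a populated message is an error, a populated id means the Evidence record exists, and both blank means the upload is still processing. Running analyst1-evidence-status itself is replaced by an injected fetch callable; the three-step status sequence is constructed, with the final record taken from the Context Example above.

```python
import time


def check_submission(submit_output):
    """Analyst1.EvidenceSubmit -> (uuid, None) when accepted, (None, message) when rejected."""
    uuid = (submit_output.get("uuid") or "").strip()
    if uuid:
        return uuid, None
    return None, submit_output.get("message") or "submission rejected without a message"


def interpret_evidence_status(status):
    """Analyst1.EvidenceStatus -> ('complete', id) | ('error', message) | ('processing', None)."""
    message = status.get("message")
    evidence_id = status.get("id")
    if message:  # errors from the status check or from the upload processing
        return "error", message
    if evidence_id not in (None, ""):  # id populated: the Evidence record was created
        return "complete", evidence_id
    return "processing", None  # id and message both blank: upload still in progress


def wait_for_evidence(fetch_status, uuid, attempts=10, delay_s=5, sleep=time.sleep):
    """Poll fetch_status(uuid) until the upload completes or fails; returns (state, detail, polls)."""
    for poll in range(1, attempts + 1):
        state, detail = interpret_evidence_status(fetch_status(uuid))
        if state != "processing":
            return state, detail, poll
        if poll < attempts:
            sleep(delay_s)
    return "timeout", None, attempts


def submit_and_wait(submit_output, fetch_status, **poll_kwargs):
    """Chain both commands: stop on a rejected submission, otherwise poll to completion."""
    uuid, error = check_submission(submit_output)
    if error:
        return "rejected", error, 0
    return wait_for_evidence(fetch_status, uuid, **poll_kwargs)


def make_fake_fetcher(sequence):
    """Stand-in for running analyst1-evidence-status: hands out the given outputs in order."""
    responses = list(sequence)

    def fetch(uuid):
        # Keep returning the last output once the sequence is exhausted.
        return responses.pop(0) if len(responses) > 1 else responses[0]

    return fetch


# Constructed polling sequence: two in-progress checks, then the completed record
# shown in the Context Example above.
SAMPLE_STATUS_SEQUENCE = [
    {"id": "", "message": ""},
    {"id": "", "message": ""},
    {"id": 1608592, "processingComplete": "true"},
]
```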

12. analyst1-batch-check

Queries the Analyst1 REST API for indicator enrichment data based on a CSV input of multiple indicator values.

Base Command

analyst1-batch-check

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| values | Comma-delimited set of possible Indicator or other Observable values. Submit as a basic string input with commas separating each value. For more complex or higher-volume batches, use analyst1-batch-check-post. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.BatchResults.ID | unknown | Matched ID values. Not all are necessarily Indicators; they may reflect Indicator, Asset, Ignore List, or System records. |
| Analyst1.BatchResults.matchedValue | unknown | The matched terms from Indicators, Assets, Ignore List, or System CIDR entries. |
| Analyst1.BatchResults | unknown | Full Batch Check JSON. |

Command example

!analyst1-batch-check values=1.2.3.4,abc.com,google.com

Context Example

```json
{
  "Analyst1": {
    "BatchResults": {
      "actor": [
        {
          "akas": [
            "Multiple Actors Extracted"
          ],
          "id": -4,
          "title": "Multiple Actors Extracted"
        }
      ],
      "benign": false,
      "entity": {
        "key": "INDICATOR",
        "title": "Indicator"
      },
      "id": 2043650,
      "malware": [],
      "matchedValue": "abc.com",
      "searchedValue": "abc.com",
      "system": [],
      "type": {
        "key": "domain",
        "title": "Domain"
      }
    }
  }
}
```

Human Readable Output

Results

| actor | benign | entity | id | malware | matchedValue | searchedValue | system | type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
|  |  | key: IGNORED_INDICATOR, title: Ignored Indicator | 10336 |  | google.com | google.com |  | key: domain, title: Domain |
| {'id': -4, 'title': 'Multiple Actors Extracted', 'akas': ['Multiple Actors Extracted']}; {'id': 4188, 'title': 'waterfox', 'akas': ['waterfox']}; {'id': 4618, 'title': 'UNC3944', 'akas': ['Dev0671', 'Dev0971', 'UNC3944', 'UNC 3944', 'UNC-3944']} |  | key: ASSET, title: Asset | 28869 |  | google.com | google.com | {'id': 918, 'title': 'Google Inc.', 'akas': ['AS15169', 'Google Inc.']} | key: domain, title: Domain |
|  | false | key: INDICATOR, title: Indicator | 438290 | {'id': 772, 'title': 'AceHash', 'akas': ['AceHash']}; {'id': 875, 'title': '007Keylogger', 'akas': ['007', '007Keylogger']} | 1.2.3.4 | 1.2.3.4 |  | key: ip, title: IPv4 |
| {'id': -4, 'title': 'Multiple Actors Extracted', 'akas': ['Multiple Actors Extracted']} | false | key: INDICATOR, title: Indicator | 2043650 |  | abc.com | abc.com |  | key: domain, title: Domain |
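Triage of analyst1-batch-check output in Python, as an added example (not the pack's code). The batch result mixes record kinds: google.com above matches an Ignore List entry and an Asset, not an Indicator, so a playbook that scores every returned ID would mislabel its own infrastructure. The example groups results per searched value, separates Indicator hits from Asset, Ignore List and System records, and builds the analyst1-indicator-by-id follow-ups for non-benign hits. The sample list is constructed from the four table rows above; treating a value absent from the results as "no match" and accepting either a single object or a list under BatchResults are this example's assumptions.

```python
# Constructed sample: the four rows of the Results table above, in the JSON shape
# of the Context Example (akas omitted where not needed).
SAMPLE_BATCH_RESULTS = [
    {"actor": [], "benign": None,
     "entity": {"key": "IGNORED_INDICATOR", "title": "Ignored Indicator"},
     "id": 10336, "malware": [], "matchedValue": "google.com",
     "searchedValue": "google.com", "system": [],
     "type": {"key": "domain", "title": "Domain"}},
    {"actor": [{"id": -4, "title": "Multiple Actors Extracted"},
               {"id": 4188, "title": "waterfox"},
               {"id": 4618, "title": "UNC3944"}],
     "benign": None, "entity": {"key": "ASSET", "title": "Asset"},
     "id": 28869, "malware": [], "matchedValue": "google.com",
     "searchedValue": "google.com",
     "system": [{"id": 918, "title": "Google Inc."}],
     "type": {"key": "domain", "title": "Domain"}},
    {"actor": [], "benign": False,
     "entity": {"key": "INDICATOR", "title": "Indicator"}, "id": 438290,
     "malware": [{"id": 772, "title": "AceHash"}, {"id": 875, "title": "007Keylogger"}],
     "matchedValue": "1.2.3.4", "searchedValue": "1.2.3.4", "system": [],
     "type": {"key": "ip", "title": "IPv4"}},
    {"actor": [{"id": -4, "title": "Multiple Actors Extracted"}],
     "benign": False, "entity": {"key": "INDICATOR", "title": "Indicator"},
     "id": 2043650, "malware": [], "matchedValue": "abc.com",
     "searchedValue": "abc.com", "system": [],
     "type": {"key": "domain", "title": "Domain"}},
]


def as_list(results):
    """Accept a single result object (as in the Context Example) or a list of them (assumption)."""
    return results if isinstance(results, list) else [results]


def triage_batch_results(searched_values, results):
    """Group batch results per searched value and record which kinds of Analyst1 record matched."""
    by_value = {}
    for entry in as_list(results):
        by_value.setdefault(entry["searchedValue"], []).append(entry)
    verdicts = {}
    for value in searched_values:
        entries = by_value.get(value, [])
        kinds = {e["entity"]["key"] for e in entries}
        hits = [e for e in entries if e["entity"]["key"] == "INDICATOR"]
        if hits:
            status = "indicator"
        elif entries:
            status = "non_indicator_record"  # only Asset, Ignore List or System records matched
        else:
            status = "no_match"  # assumption: a value absent from the results is unknown to Analyst1
        verdicts[value] = {
            "status": status,
            "record_kinds": sorted(kinds),
            "on_ignore_list": "IGNORED_INDICATOR" in kinds,
            "is_asset": "ASSET" in kinds,
            "indicator_ids": [e["id"] for e in hits],
            "benign": any(e.get("benign") is True for e in hits),
            "actors": sorted({a["title"] for e in hits for a in e.get("actor", [])}),
            "malware": sorted({m["title"] for e in hits for m in e.get("malware", [])}),
        }
    return verdicts


def followup_commands(verdicts):
    """analyst1-indicator-by-id commands for non-benign Indicator hits that are neither own assets nor ignored."""
    commands = []
    for verdict in verdicts.values():
        if verdict["status"] != "indicator" or verdict["benign"]:
            continue
        if verdict["is_asset"] or verdict["on_ignore_list"]:
            continue  # analysts already classified this value; do not escalate automatically
        for indicator_id in verdict["indicator_ids"]:
            commands.append(f"!analyst1-indicator-by-id indicator_id={indicator_id}")
    return commands
```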

13. analyst1-batch-check-post#


Similar to analyst1-batch-check, however the inputs can be more complex. The 'values' input is an option for a pre-formatted newline separated file. This allows for more complex Indicators or larger Indicator sets to be searched. The 'valeus_array' allows for preformed array inputs or array-like inputs to be sumitted. Output is the same.

Base Command#

analyst1-batch-check-post

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| values | Newline-delimited text for many Indicator or other observable inputs. Either values_array or values must be provided. | Optional |
| values_array | Array of text, each being an Indicator or other observable value to search. Either values_array or values must be provided. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Analyst1 | unknown | Full Batch Check JSON |
| Analyst1.ID | unknown | Matched ID values. May not all be Indicators. Could reflect Indicator, Asset, Ignore List, or System records. |
| Analyst1.matchedValue | unknown | The matched terms from Indicators, Assets, Ignore List, or System CIDR entries. |

14. analyst1-indicator-by-id#


Gets the full JSON for an Analyst1 Indicator given the internal Analyst1 Indicator ID. Use this when full Indicator context is required for additional processing. The result always includes all sources, enrichments, and every other piece of information available in the Analyst1 platform, including the original enrichment JSON or results from integrated systems.

Base Command#

analyst1-indicator-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_id | Internal Analyst1 Indicator ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.Indicator | unknown | Full Analyst1 native JSON for the Indicator. Will include all attributes, associated sources, enrichment results, and all settings as seen in the Analyst1 UI. |

Command example#

!analyst1-indicator-by-id indicator_id=983

Context Example#

```json
{
  "Analyst1": {
    "Indicator": {
      "active": false,
      "activityDates": [
        {
          "classification": "U",
          "date": "2012-05-08"
        },
        {
          "classification": "U",
          "date": "2012-05-16"
        },
        {
          "classification": "U",
          "date": "2012-08-30"
        },
        {
          "classification": "U",
          "date": "2012-09-05"
        },
        {
          "classification": "U",
          "date": "2012-09-26"
        },
        {
          "classification": "U",
          "date": "2012-12-07"
        },
        {
          "classification": "U",
          "date": "2013-01-17"
        },
        {
          "classification": "U",
          "date": "2013-03-01"
        },
        {
          "classification": "U",
          "date": "2013-03-14"
        },
        {
          "classification": "U",
          "date": "2013-03-27"
        },
        {
          "classification": "U",
          "date": "2013-04-01"
        },
        {
          "classification": "U",
          "date": "2013-06-18"
        },
        {
          "classification": "U",
          "date": "2014-03-05"
        },
        {
          "classification": "U",
          "date": "2014-05-07"
        }
      ],
      "actors": [
        {
          "classification": "U",
          "id": 30,
          "name": "APT41"
        },
        {
          "classification": "U",
          "id": 121,
          "name": "Conimes"
        }
      ],
      "attackPatterns": [],
      "benign": {
        "classification": "U",
        "value": false
      },
      "confidenceLevel": {
        "classification": "U",
        "value": "high"
      },
      "description": null,
      "domainRegistration": {
        "classification": "U",
        "name": "unknown"
      },
      "enrichmentFields": [
        {
          "classification": "unclass",
          "name": "IP Resolution (DNS Resolution)",
          "numeric": null,
          "type": "ipResolution",
          "value": "redacted_ip_address"
        },
        {
          "classification": "unclass",
          "name": "Reverse IP Lookup (VirusTotal)",
          "numeric": 13,
          "type": "reverseIp",
          "value": "13 resolutions to this domain"
        },
        {
          "classification": "unclass",
          "name": "IP Resolution (DomainTools)",
          "numeric": null,
          "type": "ipResolution",
          "value": "redacted_ip_address"
        },
        {
          "classification": "unclass",
          "name": "IP Resolution (VirusTotal)",
          "numeric": null,
          "type": "ipResolution",
          "value": "redacted_ip_address"
        }
      ],
      "enrichmentResults": [
        {
          "date": "2020-04-28",
          "format": "json",
          "result": "{ \"status\": \"redacted to protect content provider's actual JSON output that in a live call would be provided\" }",
          "type": "VIRUS_TOTAL"
        },
        {
          "date": "2020-12-15",
          "format": "colonDelimited",
          "result": "redacted to protected content provider's actual raw text result",
          "type": "WHOIS_IP_REGISTRATION"
        }
      ],
      "expand": "enrichmentResults,hitStats,sources",
      "exploitStage": {
        "classification": "U",
        "id": 6,
        "name": "Stage 7 - Actions on Objectives"
      },
      "externalhitCount": 0,
      "fileNames": null,
      "fileSize": null,
      "firstExternalHit": null,
      "firstHit": null,
      "hashes": null,
      "hitCount": 0,
      "id": 983,
      "indicatorDerivation": null,
      "integrationSources": [],
      "ipRegistration": null,
      "ipResolution": null,
      "lastExternalHit": null,
      "lastHit": null,
      "links": [
        {
          "href": "https://analyst1instance.domain/api/1_0/indicator/983",
          "rel": "self"
        },
        {
          "href": "https://analyst1instance.domain/api/1_0/indicator/983/evidence",
          "rel": "evidence"
        },
        {
          "href": "https://analyst1instance.domain/api/1_0/indicator/983/stix",
          "rel": "stix"
        }
      ],
      "malwares": [],
      "originatingIps": null,
      "path": null,
      "ports": [
        {
          "classification": "U",
          "value": 443
        },
        {
          "classification": "U",
          "value": 80
        }
      ],
      "reportCount": 21,
      "reportedDates": [
        {
          "classification": "U",
          "date": "2012-05-10"
        },
        {
          "classification": "U",
          "date": "2013-04-01"
        },
        {
          "classification": "U",
          "date": "2013-06-19"
        },
        {
          "classification": "U",
          "date": "2013-09-16"
        },
        {
          "classification": "U",
          "date": "2014-05-19"
        },
        {
          "classification": "U",
          "date": "2014-08-14"
        },
        {
          "classification": "U",
          "date": "2018-09-19"
        },
        {
          "classification": "U",
          "date": "2019-10-17"
        },
        {
          "classification": "U",
          "date": "2021-07-01"
        }
      ],
      "requestMethods": null,
      "sources": [
        {
          "category": "INTERNAL",
          "enabled": false,
          "id": 0,
          "title": "Internal",
          "type": "reference",
          "url": null
        },
        {
          "category": "FREE",
          "enabled": false,
          "id": 78,
          "title": "Threat Connect",
          "type": "rss",
          "url": "https://feeds.feedburner.com/threatconnect-blogs"
        },
        {
          "category": "PAID",
          "enabled": true,
          "id": 134,
          "title": "CrowdStrike Premium Paid",
          "type": "api",
          "url": "https://api.crowdstrike.com"
        }
      ],
      "status": "rc",
      "stixObjects": null,
      "subjects": null,
      "targets": [
        {
          "classification": "U",
          "id": -2,
          "name": "Unknown"
        },
        {
          "classification": "U",
          "id": 100017,
          "name": "Manufacturing Industry"
        },
        {
          "classification": "U",
          "id": 100021,
          "name": "Energy Industry"
        },
        {
          "classification": "U",
          "id": 100026,
          "name": "Technology Industry"
        }
      ],
      "tasked": true,
      "tlp": "undetermined",
      "tlpCaveats": null,
      "tlpHighestAssociated": "amber",
      "tlpJustification": null,
      "tlpLowestAssociated": "undetermined",
      "tlpResolution": "resolved",
      "type": "domain",
      "value": {
        "classification": "U",
        "name": "conimes.com"
      },
      "verified": true
    }
  }
}
```

Human Readable Output#

Results#

| Field | Value |
| --- | --- |
| active | false |
| activityDates | {'date': '2012-05-08', 'classification': 'U'}, {'date': '2012-05-16', 'classification': 'U'}, {'date': '2012-08-30', 'classification': 'U'}, {'date': '2012-09-05', 'classification': 'U'}, {'date': '2012-09-26', 'classification': 'U'}, {'date': '2012-12-07', 'classification': 'U'}, {'date': '2013-01-17', 'classification': 'U'}, {'date': '2013-03-01', 'classification': 'U'}, {'date': '2013-03-14', 'classification': 'U'}, {'date': '2013-03-27', 'classification': 'U'}, {'date': '2013-04-01', 'classification': 'U'}, {'date': '2013-06-18', 'classification': 'U'}, {'date': '2014-03-05', 'classification': 'U'}, {'date': '2014-05-07', 'classification': 'U'} |
| actors | {'name': 'APT41', 'id': 30, 'classification': 'U'}, {'name': 'Conimes', 'id': 121, 'classification': 'U'} |
| attackPatterns |  |
| benign | value: false, classification: U |
| confidenceLevel | value: high, classification: U |
| description |  |
| domainRegistration | name: unknown, classification: U |
| enrichmentFields | {'type': 'ipResolution', 'name': 'IP Resolution (DNS Resolution)', 'value': 'redacted_ip_address', 'numeric': None, 'classification': 'unclass'}, {'type': 'reverseIp', 'name': 'Reverse IP Lookup (VirusTotal)', 'value': '13 resolutions to this domain', 'numeric': 13.0, 'classification': 'unclass'}, {'type': 'ipResolution', 'name': 'IP Resolution (DomainTools)', 'value': 'redacted_ip_address', 'numeric': None, 'classification': 'unclass'}, {'type': 'ipResolution', 'name': 'IP Resolution (VirusTotal)', 'value': 'redacted_ip_address', 'numeric': None, 'classification': 'unclass'} |
| enrichmentResults | { "date": "2020-04-28", "format": "json", "result": "{ \"status\": \"redacted to protect content provider's actual JSON output that in a live call would be provided\" }", "type": "VIRUS_TOTAL" }, { "date": "2020-12-15", "format": "colonDelimited", "result": "redacted to protected content provider's actual raw text result", "type": "WHOIS_IP_REGISTRATION" } |
| expand | enrichmentResults,hitStats,sources |
| exploitStage | name: Stage 7 - Actions on Objectives, id: 6, classification: U |
| externalhitCount | 0 |
| fileNames |  |
| fileSize |  |
| firstExternalHit |  |
| firstHit |  |
| hashes |  |
| hitCount | 0 |
| id | 983 |
| indicatorDerivation |  |
| integrationSources |  |
| ipRegistration |  |
| ipResolution |  |
| lastExternalHit |  |
| lastHit |  |
| links | {'rel': 'self', 'href': 'https://analyst1instance.domain/api/1_0/indicator/983'}, {'rel': 'evidence', 'href': 'https://analyst1instance.domain/api/1_0/indicator/983/evidence'}, {'rel': 'stix', 'href': 'https://analyst1instance.domain/api/1_0/indicator/983/stix'} |
| malwares |  |
| originatingIps |  |
| path |  |
| ports | {'value': 443, 'classification': 'U'}, {'value': 80, 'classification': 'U'} |
| reportCount | 21 |
| reportedDates | {'date': '2012-05-10', 'classification': 'U'}, {'date': '2013-04-01', 'classification': 'U'}, {'date': '2013-06-19', 'classification': 'U'}, {'date': '2013-09-16', 'classification': 'U'}, {'date': '2014-05-19', 'classification': 'U'}, {'date': '2014-08-14', 'classification': 'U'}, {'date': '2018-09-19', 'classification': 'U'}, {'date': '2019-10-17', 'classification': 'U'}, {'date': '2021-07-01', 'classification': 'U'} |
| requestMethods |  |
| sources | {'type': 'reference', 'enabled': False, 'title': 'Internal', 'url': None, 'category': 'INTERNAL', 'id': 0}, {'type': 'rss', 'enabled': False, 'title': 'Threat Connect', 'url': 'https://feeds.feedburner.com/threatconnect-blogs', 'category': 'FREE', 'id': 78}, {'type': 'api', 'enabled': True, 'title': 'CrowdStrike Premium Paid', 'url': 'https://api.crowdstrike.com', 'category': 'PAID', 'id': 134} |
| status | rc |
| stixObjects |  |
| subjects |  |
| targets | {'name': 'Unknown', 'id': -2, 'classification': 'U'}, {'name': 'Manufacturing Industry', 'id': 100017, 'classification': 'U'}, {'name': 'Energy Industry', 'id': 100021, 'classification': 'U'}, {'name': 'Technology Industry', 'id': 100026, 'classification': 'U'} |
| tasked | true |
| tlp | undetermined |
| tlpCaveats |  |
| tlpHighestAssociated | amber |
| tlpJustification |  |
| tlpLowestAssociated | undetermined |
| tlpResolution | resolved |
| type | domain |
| value | name: conimes.com, classification: U |
| verified | true |

15. analyst1-get-sensor-config#


Queries the Analyst1 REST API for the current sensor config given a valid Sensor ID. The returned config file is meant to be provided directly to a device (IDS, IPS, Firewall, SNORT, etc.) as a replacement configuration.

Base Command#

analyst1-get-sensor-config

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sensor_id | Sensor ID number for this Analyst1 instance. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.SensorTaskings.ConfigFile.config_text | unknown | Full text of the current configuration file for the Sensor. |
| Analyst1.SensorTaskings.ConfigFile.warRoomEntry.FileID | unknown | FileID from invoking fileResult() in the Common Server Functions. An alternative to the returned config_text in case file processing is preferred. |
| Analyst1.SensorTaskings.ConfigFile.warRoomEntry.File | unknown | File name as saved in the War Room with fileResult(). |

Command example#

!analyst1-get-sensor-config sensor_id=7689

Context Example#

```json
{
  "Analyst1": {
    "SensorTaskings": {
      "ConfigFile": {
        "config_text": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"ET TROJAN Win32/0xtaRAT CnC Activity M5 (POST)\"; flow:established,to_server; content:\"POST\"; http_method; content:\".php?GUID=\"; http_uri; pcre:\"/\\.php\\?GUID=[a-zA-Z0-9-]{36}$/U\"; content:\"//\"; http_raw_uri; depth:2; content:\"name=|22|file|22 3b 20|filename=|22|_screenshot_\"; http_client_body; fast_pattern:15,20; content:!\"Referer|3a 20|\"; http_header; reference:md5,a1a39e458977aa512b7ff2ba1995b18d; reference:url,research.checkpoint.com/2023/operation-silent-watch-desktop-surveillance-in-azerbaijan-and-armenia; classtype:trojan-activity; sid:2046186; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_06_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Critical, updated_at 2023_06_09;)\nalert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT\"; flow:established,to_server; content:\"/plugins/search/categories.php?\"; nocase; http_uri; content:\"text=\"; nocase; http_uri; content:\"SELECT\"; nocase; http_uri; pcre:\"/SELECT.+FROM/Ui\"; reference:cve,2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005438; classtype:web-application-attack; sid:2005438; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, cve CVE_2007_0373, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)\n",
        "warRoomEntry": {
          "Contents": "",
          "ContentsFormat": "text",
          "File": "sensor7689Config.txt",
          "FileID": "8cca47a1-aef6-46c4-a372-8653f82abed0",
          "Type": 3
        }
      }
    }
  }
}
```

Human Readable Output#

Results#

config_text

```text
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/0xtaRAT CnC Activity M5 (POST)"; flow:established,to_server; content:"POST"; http_method; content:".php?GUID="; http_uri; pcre:"/\.php\?GUID=[a-zA-Z0-9-]{36}$/U"; content:"//"; http_raw_uri; depth:2; content:"name=|22|file|22 3b 20|filename=|22|_screenshot_"; http_client_body; fast_pattern:15,20; content:!"Referer|3a 20|"; http_header; reference:md5,a1a39e458977aa512b7ff2ba1995b18d; reference:url,research.checkpoint.com/2023/operation-silent-watch-desktop-surveillance-in-azerbaijan-and-armenia; classtype:trojan-activity; sid:2046186; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_06_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Critical, updated_at 2023_06_09;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005438; classtype:web-application-attack; sid:2005438; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, cve CVE_2007_0373, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
```

warRoomEntry

Contents:
ContentsFormat: text
Type: 3
File: sensor7689Config.txt
FileID: 8cca47a1-aef6-46c4-a372-8653f82abed0
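The config_text above is a newline-separated Snort ruleset, and a defender usually wants to know which signatures (by sid and rev) a sensor is currently tasked with before pushing the file to a device. The following is an added example, not code from the Analyst1 integration; it parses that format into an inventory keyed by sid, using a sample built from the two rules shown above (abridged to their main options).

```python
"""Added example, not part of the Analyst1 integration: parse the config_text that
analyst1-get-sensor-config returns (newline-separated Snort rules) into an
inventory keyed by sid, so a sensor's tasking can be reconciled with what is
deployed. SAMPLE_CONFIG is constructed from the two rules shown above, abridged."""
import re
from typing import Dict, List

SAMPLE_CONFIG = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/0xtaRAT CnC Activity M5 (POST)"; '
    'flow:established,to_server; content:"POST"; http_method; pcre:"/\\.php\\?GUID=[a-zA-Z0-9-]{36}$/U"; '
    'reference:md5,a1a39e458977aa512b7ff2ba1995b18d; classtype:trojan-activity; sid:2046186; rev:1;)\n'
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection '
    'Attempt -- categories.php text SELECT"; flow:established,to_server; content:"SELECT"; nocase; http_uri; '
    'reference:cve,2007-0373; reference:url,doc.emergingthreats.net/2005438; classtype:web-application-attack; sid:2005438; rev:6;)\n'
)
# header = action proto src sport direction dst dport, then the option body in parentheses
RULE_HEADER = re.compile(r'^\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$')


def split_options(opts: str) -> List[str]:
    """Split on ';' outside double quotes (msg/content/pcre values may contain ';' and \\" escapes)."""
    out, buf = [], []  # type: List[str], List[str]
    in_quotes = escaped = False
    for ch in opts:
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ';' and not in_quotes:
            out.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    out.append(''.join(buf).strip())
    return [o for o in out if o]


def parse_rule(line: str) -> dict:
    """Extract sid, rev, msg, classtype and references from one rule line."""
    m = RULE_HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line[:60]!r}")
    rule: dict = {"msg": None, "sid": None, "rev": None, "classtype": None, "references": []}
    for opt in split_options(m["opts"]):
        key, _, val = (s.strip() for s in opt.partition(':'))
        if key == "msg":
            rule["msg"] = val.strip('"')
        elif key in ("sid", "rev"):
            rule[key] = int(val)
        elif key == "classtype":
            rule["classtype"] = val
        elif key == "reference":
            rule["references"].append(val)
    return rule


def inventory(config_text: str) -> Dict[int, dict]:
    """Map sid -> rule for a whole config; a missing or duplicate sid is rejected, not silently overwritten."""
    rules: Dict[int, dict] = {}
    for line in filter(str.strip, config_text.splitlines()):
        rule = parse_rule(line)
        if rule["sid"] is None or rule["sid"] in rules:
            raise ValueError(f"missing or duplicate sid in: {line[:60]!r}")
        rules[rule["sid"]] = rule
    return rules
```

Comparing `inventory()` of a freshly fetched config_text with the previous one gives the sid/rev set that changed between two sensor versions.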

16. analyst1-get-sensor-taskings#


Queries the Analyst1 REST API for the current sensor taskings given a valid Sensor ID. This can be used to start a subscription to a Sensor ID. The result gives the version (which can later be used to invoke 'diff') and all current taskings. Note: this operation may trigger XSOAR to mark the task built on this automation as "oversized". If so, you may need to turn off quiet mode explicitly. Alternatively, analyst1-get-sensor-config can be used to get a simple text file of the current indicators or signatures.

Base Command#

analyst1-get-sensor-taskings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sensor_id | Sensor ID number for this Analyst1 instance. | Required |
| timeout | Overrides the XSOAR default of 10s for timeout. The Analyst1 app default is 200s for this command. Caller may further override as required. Default is 200. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.SensorTaskings | unknown | Root JSON for processing all taskings data. |
| Analyst1.SensorTaskings.id | unknown | Sensor ID for this Taskings response. |
| Analyst1.SensorTaskings.version | unknown | Current version of the Sensor. |
| Analyst1.SensorTaskings.Indicators | unknown | Current array of Indicators tasked. |
| Analyst1.SensorTaskings.Rules | unknown | Current array of Signatures tasked. |

17. analyst1-get-sensor-diff#


Gets the 'difference' between the last known Analyst1 Sensor version and the current one. Returns all differences on the Sensor since the 'version' provided and includes the current version in the reply. The current version should be preserved and used on the next scheduled invocation.

Base Command#

analyst1-get-sensor-diff

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sensor_id | ID# of the Sensor record in Analyst1. | Required |
| version | Non-zero version of the known Sensor. | Required |
| timeout | Overrides the XSOAR default of 10s for timeout. The Analyst1 app default is 200s for this command. Caller may further override as required. Default is 200. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.SensorTaskings.ID | unknown | Sensor ID |
| Analyst1.SensorTaskings.latestVersion | unknown | Current version of the Sensor. Meant to be saved and used on subsequent invocations of 'diff' to only get the latest changes. |
| Analyst1.SensorTaskings.version | unknown | Version which was provided as an input to make this result set. |
| Analyst1.SensorTaskings.IndicatorsAdded | unknown | Array of Indicators added between version and latestVersion. Type can be used to limit hash values for action. |
| Analyst1.SensorTaskings.IndicatorsRemoved | unknown | Array of Indicators removed between version and latestVersion. Type can be used to limit hash values for action. |
| Analyst1.SensorTaskings.RulesAdded | unknown | Array of Rules added between version and latestVersion. |
| Analyst1.SensorTaskings.RulesRemoved | unknown | Array of Rules removed between version and latestVersion. |

Command example#

!analyst1-get-sensor-diff sensor_id=7682 version=280

Context Example#

```json
{
  "Analyst1": {
    "SensorTaskings": {
      "IndicatorsAdded": [
        {
          "category": "indicator",
          "id": "2594990-SHA256",
          "type": "File-SHA256",
          "value": "267C9CF2597A23AD957C10553EAF1D8B1196700EAFE67C7999B2CDB4E41995AA"
        },
        {
          "category": "indicator",
          "id": 2916021,
          "type": "Domain",
          "value": "redacted.com"
        },
        {
          "category": "indicator",
          "id": 3083418,
          "type": "IPv4",
          "value": "redacted_ip_address"
        },
        {
          "category": "indicator",
          "id": 3166219,
          "type": "IPv4",
          "value": "redacted_ip_address"
        }
      ],
      "IndicatorsRemoved": [
        {
          "category": "indicator",
          "id": 1633777,
          "type": "Domain",
          "value": "redacted_domain.org"
        },
        {
          "category": "indicator",
          "id": 1748796,
          "type": "Domain",
          "value": "redacted_domain.com"
        },
        {
          "category": "indicator",
          "id": 3935921,
          "type": "IPv4",
          "value": "redacted_ip_address"
        }
      ],
      "RulesAdded": null,
      "RulesRemoved": null,
      "id": 7682,
      "latestVersion": 287,
      "version": 280
    }
  }
}
```

Human Readable Output#

Results#

No entries.
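The sensor workflow described under analyst1-get-sensor-taskings and analyst1-get-sensor-diff is a version subscription: the first version comes from get-sensor-taskings, every later run passes the persisted version to diff and stores the returned latestVersion. The following is an added example, not code from the Analyst1 integration, showing that bookkeeping over the Analyst1.SensorTaskings context shape documented above; SAMPLE_DIFF is constructed to mirror the sensor 7682 example.

```python
"""Version bookkeeping for an Analyst1 sensor subscription.

Added example, not code from the Analyst1 integration. It consumes the
Analyst1.SensorTaskings context documented for analyst1-get-sensor-diff
(IndicatorsAdded, IndicatorsRemoved, RulesAdded, RulesRemoved, version,
latestVersion). SAMPLE_DIFF is constructed to mirror the page's sensor 7682 example.
"""
from typing import Dict, List, Optional, Set

SAMPLE_DIFF = {
    "IndicatorsAdded": [
        {"category": "indicator", "id": "2594990-SHA256", "type": "File-SHA256",
         "value": "267C9CF2597A23AD957C10553EAF1D8B1196700EAFE67C7999B2CDB4E41995AA"},
        {"category": "indicator", "id": 2916021, "type": "Domain", "value": "redacted.com"},
        {"category": "indicator", "id": 3083418, "type": "IPv4", "value": "redacted_ip_address"},
        {"category": "indicator", "id": 3166219, "type": "IPv4", "value": "redacted_ip_address"},
    ],
    "IndicatorsRemoved": [
        {"category": "indicator", "id": 1633777, "type": "Domain", "value": "redacted_domain.org"},
        {"category": "indicator", "id": 1748796, "type": "Domain", "value": "redacted_domain.com"},
        {"category": "indicator", "id": 3935921, "type": "IPv4", "value": "redacted_ip_address"},
    ],
    "RulesAdded": None,      # the API returns null, not [], when no rules changed
    "RulesRemoved": None,
    "id": 7682,
    "latestVersion": 287,
    "version": 280,
}


def group_by_type(items: Optional[List[dict]], types: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Group indicator values by Analyst1 type, keeping only `types` when given.

    The page notes that `type` can be used to limit action to hash values;
    types={"File-SHA256"} does exactly that. None (JSON null) is tolerated.
    """
    grouped: Dict[str, List[str]] = {}
    for item in items or []:
        if types is None or item["type"] in types:
            grouped.setdefault(item["type"], []).append(item["value"])
    return grouped


def apply_sensor_diff(diff: dict, known_version: int, types: Optional[Set[str]] = None) -> dict:
    """Check that `diff` continues from the version we persisted, then return the
    changes to push to the device and the version to store for the next run."""
    if diff["version"] != known_version:
        # A mismatch means a run was skipped or state was lost: resync from
        # analyst1-get-sensor-taskings instead of applying a partial diff.
        raise ValueError(f"diff built from version {diff['version']}, expected {known_version}")
    return {
        "sensor_id": diff["id"],
        "changed": diff["latestVersion"] != diff["version"],
        "add": group_by_type(diff.get("IndicatorsAdded"), types),
        "remove": group_by_type(diff.get("IndicatorsRemoved"), types),
        "rules_added": diff.get("RulesAdded") or [],
        "rules_removed": diff.get("RulesRemoved") or [],
        "next_version": diff["latestVersion"],   # persist this for the next diff call
    }


if __name__ == "__main__":
    plan = apply_sensor_diff(SAMPLE_DIFF, known_version=280, types={"File-SHA256", "Domain"})
    print(plan["add"], plan["remove"], plan["next_version"])
```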

18. analyst1-get-sensors#


Queries the Analyst1 REST API to retrieve a list of registered sensors.

Base Command#

analyst1-get-sensors

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page of Sensors to iterate. Default is 1. | Optional |
| pageSize | Size of each page of Sensors to iterate. Maximum 50. Default is 50. | Optional |

Context Output#

There is no context output for this command.

Command example#

!analyst1-get-sensors page=1 pageSize=50

Context Example#

```json
{
  "Analyst1": {
    "SensorList": [
      {
        "currentVersionNumber": 5,
        "id": 7680,
        "latestConfigVersionNumber": 5,
        "links": [
          {
            "href": "https://analyst1instance.domain/api/1_0/sensors/7680",
            "rel": "details"
          }
        ],
        "logicalLocation": null,
        "name": "Iterative Change",
        "org": null,
        "type": "OTHER_AUTO"
      },
      {
        "currentVersionNumber": 26,
        "id": 7681,
        "latestConfigVersionNumber": 26,
        "links": [
          {
            "href": "https://analyst1instance.domain/api/1_0/sensors/7681",
            "rel": "details"
          }
        ],
        "logicalLocation": null,
        "name": "Quick Config Check",
        "org": null,
        "type": "OTHER_AUTO"
      },
      {
        "currentVersionNumber": 2,
        "id": 7689,
        "latestConfigVersionNumber": 2,
        "links": [
          {
            "href": "https://analyst1instance.domain/api/1_0/sensors/7689",
            "rel": "details"
          }
        ],
        "logicalLocation": null,
        "name": "Barry - Test",
        "org": null,
        "type": "SNORT"
      }
    ]
  }
}
```

Human Readable Output#

Results#

| currentVersionNumber | id | latestConfigVersionNumber | links | logicalLocation | name | org | type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 5 | 7680 | 5 | {'rel': 'details', 'href': 'https://analyst1instance.domain/api/1_0/sensors/7680'} |  | Example IOCs 1 |  | OTHER_AUTO |
| 26 | 7681 | 26 | {'rel': 'details', 'href': 'https://analyst1instance.domain/api/1_0/sensors/7681'} |  | Example IOCS 2 |  | OTHER_AUTO |
| 2 | 7689 | 2 | {'rel': 'details', 'href': 'https://analyst1instance.domain/api/1_0/sensors/7689'} |  | Example Signature |  | SNORT |