Analyst1

This Integration is part of the Analyst1 Pack.#

Overview#


Analyst1 is an indicator, countermeasure and sensor management tool that enables analysts to collect and analyze evidence of malicious activity. Analyst1's web-based interface provides a single location to collect and analyze evidence of malicious activity, manage indicators, and then author, test, task and track rules that detect malicious cyber activity. By maintaining traceability between evidence, indicators, rules and sensors, analysts can identify why a rule was created, the type of activity it detects and which sensors are tasked with it.

This integration utilizes Analyst1's system to enrich Cortex XSOAR indicators with data provided by the Analyst1 REST API, such as actor and malware information, activity and reported dates, evidence and hit counts, and more.

This integration was integrated and tested with version 1.8.7 of Analyst1.

Analyst1 Playbook#


Analyst1 Basic Indicator Enrichment: a simple playbook that can be applied on top of an incident created from an indicator. It determines the indicator type and then enriches the indicator with the matching Analyst1 integration command.

Use Cases#


  • When you wish to have more information on a given indicator
  • When you use both Cortex XSOAR and Analyst1 and wish to have easy linking between the two

Configure Analyst1 on Cortex XSOAR#


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Analyst1.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Analyst1 API Credentials (username/password)
    • Domain of Analyst1 server to use
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands#


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. domain
  2. email
  3. ip
  4. file
  5. analyst1-enrich-string
  6. analyst1-enrich-ipv6
  7. analyst1-enrich-mutex
  8. analyst1-enrich-http-request
  9. url
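The command list above maps one enrichment command to each indicator type, and the Analyst1 Basic Indicator Enrichment playbook described earlier works by picking the right command for an indicator. The following Python snippet is an added example, not code from the Analyst1 pack or from the playbook: it classifies a raw indicator value with simple pattern checks and builds the corresponding War Room command line using the argument names from the Input tables below. The detection heuristics (hash length for `file`, a leading `/` for `analyst1-enrich-http-request`, a `/` or scheme for `url`, generic-string fallback for anything else, including mutexes) are this example's own assumptions.

```python
import ipaddress
import re

# Added example, not part of the Analyst1 pack. Maps a raw indicator value to the
# enrichment command listed in this document. The type-detection heuristics are
# assumptions made for this example, not the playbook's own logic.

_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

# Argument name each command expects, taken from the Input tables in this document.
ARG_NAME = {
    "domain": "domain",
    "email": "email",
    "ip": "ip",
    "file": "file",
    "analyst1-enrich-string": "string",
    "analyst1-enrich-ipv6": "ip",
    "analyst1-enrich-mutex": "mutex",
    "analyst1-enrich-http-request": "http-request",
    "url": "url",
}


def classify(indicator: str) -> str:
    """Return the name of the command that enriches this indicator."""
    value = indicator.strip()
    try:
        addr = ipaddress.ip_address(value)
        return "ip" if addr.version == 4 else "analyst1-enrich-ipv6"
    except ValueError:
        pass
    if _HASH_RE.match(value):          # MD5 / SHA1 / SHA256 hex digest
        return "file"
    if _EMAIL_RE.match(value):
        return "email"
    if value.startswith("/"):
        # A bare request path such as "/~" has no host part, so it is treated
        # as an HTTP request indicator rather than a URL (assumption).
        return "analyst1-enrich-http-request"
    if "://" in value or "/" in value:
        return "url"
    if _DOMAIN_RE.match(value):
        return "domain"
    # Mutex names and other free-form values cannot be told apart by pattern
    # alone, so fall back to the generic string enrichment.
    return "analyst1-enrich-string"


def build_command(indicator: str, command: str = "") -> str:
    """Build the War Room command line; `command` may be forced, e.g. for mutexes."""
    cmd = command or classify(indicator)
    arg = ARG_NAME[cmd]
    value = indicator
    if any(ch.isspace() for ch in value):
        # quote values containing whitespace so the CLI keeps them as one argument
        value = '"' + value.replace('"', '\\"') + '"'
    return f"!{cmd} {arg}={value}"


if __name__ == "__main__":
    # The sample indicators below are the ones used in this document's command examples.
    for sample in ["abc.com", "001toxic@gmail.com", "0.154.17.105", "16::",
                   "00000000000000000000000000000000", "104.218.120.128/check.aspx",
                   "/~", "??"]:
        print(build_command(sample))
```

Because a mutex cannot be recognised from its text alone, callers that already know the indicator type (for example from the XSOAR indicator object) should pass the command explicitly rather than rely on `classify`.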

1. domain#


Queries the Analyst1 REST API and enriches the given domain with Analyst1 indicator data.

Base Command#

domain

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain for which to return information. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | string | The domain name, for example, "google.com". |
| Analyst1.Domain.ID | number | The indicator's unique ID in Analyst1. |
| Analyst1.Domain.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Domain.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Domain.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Domain.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Domain.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Domain.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Domain.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Domain.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Domain.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Domain.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Domain.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Domain.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Domain.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
| Analyst1.Domain.IpResolution | string | The resolved IP address for this domain. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The vendor that reported the score (Analyst1). |
Command Example#

!domain domain=abc.com

Context Example#
```json
{
    "Analyst1.Domain": {
        "LastHit": null,
        "ReportedDates": [
            "2018-06-12"
        ],
        "Indicator": "abc.com",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [],
        "EvidenceCount": 1,
        "Actors": {},
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "Analyst1Link": "https://partner.cloud.analyst1.com/indicators/2043650",
        "ID": 2043650
    },
    "Domain": {
        "Malicious": {
            "Vendor": "Analyst1",
            "Description": "Analyst1 has determined that this indicator is malicious via internal analysis."
        },
        "Name": "abc.com"
    },
    "DBotScore": {
        "Vendor": "Analyst1",
        "Indicator": "abc.com",
        "Score": 3,
        "Type": "domain"
    }
}
```
Human Readable Output#

Analyst1 Domain Information#

| Active | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- |
| true | 1 | 2043650 | https://partner.cloud.analyst1.com/indicators/2043650 | abc.com | 2018-06-12 |

2. email#


Queries the Analyst1 REST API and enriches the given email with Analyst1 indicator data.

Base Command#

email

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| email | The email for which to return information. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Email.From | string | The sender of the email. |
| Analyst1.Email.ID | number | The unique identifier of the given indicator in Analyst1. |
| Analyst1.Email.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Email.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Email.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Email.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Email.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Email.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Email.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Email.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Email.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Email.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Email.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Email.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Email.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor that reported the score (Analyst1). |
Command Example#

!email email=001toxic@gmail.com

Context Example#
```json
{
    "DBotScore": {
        "Vendor": "Analyst1",
        "Indicator": "001toxic@gmail.com",
        "Score": 3,
        "Type": "email"
    },
    "Analyst1.Email": {
        "LastHit": null,
        "ReportedDates": [
            "2018-02-05"
        ],
        "Indicator": "001toxic@gmail.com",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [],
        "EvidenceCount": 1,
        "Actors": [
            {
                "id": -2,
                "name": "Unknown"
            }
        ],
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "Analyst1Link": "https://partner.cloud.analyst1.com/indicators/1637756",
        "ID": 1637756
    },
    "Email": {
        "Malicious": {
            "Vendor": "Analyst1",
            "Description": "Analyst1 has determined that this indicator is malicious via internal analysis."
        },
        "From": "001toxic@gmail.com"
    }
}
```
Human Readable Output#

Analyst1 Email Information#

| Active | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- |
| true | id = -2, name = Unknown | 1 | 1637756 | https://partner.cloud.analyst1.com/indicators/1637756 | 001toxic@gmail.com | 2018-02-05 |

3. ip#


Queries the Analyst1 REST API and enriches the given IP address with Analyst1 indicator data.

Base Command#

ip

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address for which to return information. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | string | The IP address. |
| Analyst1.Ip.ID | number | The indicator's unique ID in Analyst1. |
| Analyst1.Ip.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Ip.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Ip.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Ip.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Ip.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Ip.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Ip.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Ip.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Ip.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Ip.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Ip.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Ip.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Ip.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The vendor that reported the score (Analyst1). |
Command Example#

!ip ip=0.154.17.105

Context Example#
```json
{
    "IP": {
        "Malicious": {
            "Vendor": "Analyst1",
            "Description": "Analyst1 has determined that this indicator is malicious via internal analysis."
        },
        "Address": "0.154.17.105"
    },
    "Analyst1.Ip": {
        "LastHit": null,
        "ReportedDates": [
            "2014-01-04"
        ],
        "Indicator": "0.154.17.105",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [],
        "EvidenceCount": 1,
        "Actors": {},
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "Analyst1Link": "https://partner.cloud.analyst1.com/indicators/51469",
        "ID": 51469
    },
    "DBotScore": {
        "Vendor": "Analyst1",
        "Indicator": "0.154.17.105",
        "Score": 3,
        "Type": "ip"
    }
}
```
Human Readable Output#

Analyst1 Ip Information#

| Active | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- |
| true | 1 | 51469 | https://partner.cloud.analyst1.com/indicators/51469 | 0.154.17.105 | 2014-01-04 |

4. file#


Queries the Analyst1 REST API and enriches the given file with Analyst1 indicator data.

Base Command#

file

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| file | The file hash for which to return information. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| Analyst1.File.ID | number | The indicator's unique ID in Analyst1. |
| Analyst1.File.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.File.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.File.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.File.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.File.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.File.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.File.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.File.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.File.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.File.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.File.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.File.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.File.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The vendor that reported the score (Analyst1). |
Command Example#

!file file=00000000000000000000000000000000

Context Example#
```json
{
    "Analyst1.File": {
        "LastHit": null,
        "ReportedDates": [
            "2019-06-25",
            "2020-01-09"
        ],
        "Indicator": "00000000000000000000000000000000",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [
            "2018-08-02",
            "2019-09-01"
        ],
        "EvidenceCount": 2,
        "Actors": [
            {
                "id": -4,
                "name": "Multiple Actors Extracted"
            },
            {
                "id": 150,
                "name": "FIN8"
            }
        ],
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "Analyst1Link": "https://partner.cloud.analyst1.com/indicators/1527155",
        "ID": 1527155
    },
    "DBotScore": {
        "Vendor": "Analyst1",
        "Indicator": "00000000000000000000000000000000",
        "Score": 3,
        "Type": "file"
    },
    "File": {
        "Malicious": {
            "Vendor": "Analyst1",
            "Description": "Analyst1 has determined that this indicator is malicious via internal analysis."
        },
        "MD5": "00000000000000000000000000000000"
    }
}
```
Human Readable Output#

Analyst1 File Information#

| Active | ActivityDates | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- | --- |
| true | 2018-08-02, 2019-09-01 | id = -4, name = Multiple Actors Extracted, id = 150, name = FIN8 | 2 | 1527155 | https://partner.cloud.analyst1.com/indicators/1527155 | 00000000000000000000000000000000 | 2019-06-25, 2020-01-09 |
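The context examples for the domain and file commands show one detail worth handling in any automation that consumes this output: `Actors` and `Malwares` are returned as an empty object `{}` when nothing matched and as a list of `{id, name}` objects otherwise, and `ReportedDates`/`ActivityDates` can be empty lists. The following Python snippet is an added example, not code from the Analyst1 pack: it normalises an Analyst1 context entry into a flat summary and derives a verdict from the DBotScore value. The two sample contexts are copied from the Context Examples in this document; the `summarize` function, its output field names and the score-to-verdict table are this example's own assumptions (the 0..3 scale is the standard DBotScore scale).

```python
from datetime import date
from typing import Any, Dict, List

# Added example, not part of the Analyst1 pack. The two sample contexts below are
# copied from this document's "Context Example" sections for the domain and file
# commands; everything else is this example's own design.

DOMAIN_CONTEXT: Dict[str, Any] = {
    "Analyst1.Domain": {
        "LastHit": None, "ReportedDates": ["2018-06-12"], "Indicator": "abc.com",
        "Malwares": {}, "FirstHit": None, "ActivityDates": [], "EvidenceCount": 1,
        "Actors": {}, "ConfidenceLevel": None, "Active": True, "HitCount": None,
        "Analyst1Link": "https://partner.cloud.analyst1.com/indicators/2043650",
        "ID": 2043650,
    },
    "DBotScore": {"Vendor": "Analyst1", "Indicator": "abc.com", "Score": 3, "Type": "domain"},
}

FILE_CONTEXT: Dict[str, Any] = {
    "Analyst1.File": {
        "LastHit": None, "ReportedDates": ["2019-06-25", "2020-01-09"],
        "Indicator": "00000000000000000000000000000000", "Malwares": {}, "FirstHit": None,
        "ActivityDates": ["2018-08-02", "2019-09-01"], "EvidenceCount": 2,
        "Actors": [{"id": -4, "name": "Multiple Actors Extracted"}, {"id": 150, "name": "FIN8"}],
        "ConfidenceLevel": None, "Active": True, "HitCount": None,
        "Analyst1Link": "https://partner.cloud.analyst1.com/indicators/1527155",
        "ID": 1527155,
    },
    "DBotScore": {"Vendor": "Analyst1", "Indicator": "00000000000000000000000000000000",
                  "Score": 3, "Type": "file"},
}

# Standard DBotScore scale; commands without a DBotScore output fall back to "unknown".
VERDICTS = {0: "unknown", 1: "good", 2: "suspicious", 3: "bad"}


def _names(field: Any) -> List[str]:
    """Actors/Malwares is {} when empty and a list of {id, name} objects when populated."""
    if not field:
        return []
    if isinstance(field, dict):
        return [field["name"]] if "name" in field else []
    return [m["name"] for m in field if isinstance(m, dict) and "name" in m]


def _parse_dates(values: Any) -> List[date]:
    """Parse the ISO date strings Analyst1 returns; tolerate a missing or empty list."""
    return sorted(date.fromisoformat(v) for v in (values or []))


def summarize(context: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten an Analyst1.<Type> context entry plus its DBotScore into one record."""
    key = next(k for k in context if k.startswith("Analyst1."))
    entry = context[key]
    reported = _parse_dates(entry.get("ReportedDates"))
    activity = _parse_dates(entry.get("ActivityDates"))
    score = context.get("DBotScore", {}).get("Score", 0)
    return {
        "indicator": entry["Indicator"],
        "type": key.split(".", 1)[1].lower(),
        "active": bool(entry.get("Active")),
        "evidence_count": entry.get("EvidenceCount") or 0,
        "confidence": entry.get("ConfidenceLevel"),
        "actors": _names(entry.get("Actors")),
        "malware": _names(entry.get("Malwares")),
        "first_reported": reported[0].isoformat() if reported else None,
        "last_activity": activity[-1].isoformat() if activity else None,
        "verdict": VERDICTS.get(score, "unknown"),
        "link": entry.get("Analyst1Link"),
    }


if __name__ == "__main__":
    for ctx in (DOMAIN_CONTEXT, FILE_CONTEXT):
        print(summarize(ctx))
```

The same function works for the `analyst1-enrich-*` commands, whose context has no `DBotScore` key: the verdict is then reported as "unknown" and the analyst can fall back on `evidence_count`, `active` and `confidence` to decide how to treat the indicator.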

5. analyst1-enrich-string#


Queries the Analyst1 REST API and enriches the given string with Analyst1 indicator data.

Base Command#

analyst1-enrich-string

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| string | The string for which to return information. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.String.ID | number | The unique identifier of the given indicator in Analyst1. |
| Analyst1.String.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.String.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.String.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.String.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.String.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.String.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.String.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.String.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.String.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.String.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.String.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.String.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.String.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
Command Example#

!analyst1-enrich-string string=??

Context Example#
```json
{
    "Analyst1.String": {
        "LastHit": null,
        "ReportedDates": [
            "2014-12-12",
            "2014-12-14",
            "2014-12-19",
            "2014-12-20"
        ],
        "Indicator": "??",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [
            "2014-12-11",
            "2014-12-14",
            "2014-12-19",
            "2014-12-20"
        ],
        "EvidenceCount": 15,
        "Actors": [
            {
                "id": -2,
                "name": "Unknown"
            }
        ],
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "Analyst1Link": "https://partner.cloud.analyst1.com/indicators/90548",
        "ID": 90548
    }
}
```
Human Readable Output#

Analyst1 String Information#

| Active | ActivityDates | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- | --- |
| true | 2014-12-11, 2014-12-14, 2014-12-19, 2014-12-20 | id = -2, name = Unknown | 15 | 90548 | https://partner.cloud.analyst1.com/indicators/90548 | ?? | 2014-12-12, 2014-12-14, 2014-12-19, 2014-12-20 |

6. analyst1-enrich-ipv6#


Queries the Analyst1 REST API and enriches the given IPv6 address with Analyst1 indicator data.

Base Command#

analyst1-enrich-ipv6

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IPv6 address for which to return information. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.Ipv6.ID | number | The unique identifier of the given indicator in Analyst1. |
| Analyst1.Ipv6.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Ipv6.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Ipv6.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Ipv6.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Ipv6.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Ipv6.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Ipv6.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Ipv6.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Ipv6.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Ipv6.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Ipv6.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Ipv6.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Ipv6.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
Command Example#

!analyst1-enrich-ipv6 ip=16::

Context Example#
```json
{
    "Analyst1.Ipv6": {
        "LastHit": null,
        "ReportedDates": [
            "2015-05-13"
        ],
        "Indicator": "16::",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [
            "2018-09-08"
        ],
        "EvidenceCount": 1,
        "Actors": {},
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "Analyst1Link": "https://partner.cloud.analyst1.com/indicators/2623838",
        "ID": 2623838
    }
}
```
Human Readable Output#

Analyst1 Ipv6 Information#

| Active | ActivityDates | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- |
| true | 2018-09-08 | 1 | 2623838 | https://partner.cloud.analyst1.com/indicators/2623838 | 16:: | 2015-05-13 |

7. analyst1-enrich-mutex#


Queries the Analyst1 REST API and enriches the given mutex with Analyst1 indicator data.

Base Command#

analyst1-enrich-mutex

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| mutex | The mutex for which to return information. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.Mutex.ID | number | The unique identifier of the given indicator in Analyst1. |
| Analyst1.Mutex.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Mutex.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Mutex.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Mutex.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Mutex.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Mutex.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Mutex.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Mutex.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Mutex.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Mutex.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Mutex.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Mutex.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Mutex.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
Command Example#

!analyst1-enrich-mutex mutex=??

Context Example#
```json
{
    "Analyst1.Mutex": {
        "LastHit": null,
        "ReportedDates": [
            "2015-01-07",
            "2015-01-14",
            "2015-02-23",
            "2017-08-05",
            "2017-08-06"
        ],
        "Indicator": "??",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [
            "2015-01-06",
            "2015-01-07",
            "2015-01-14",
            "2015-02-23",
            "2017-08-05",
            "2017-08-06"
        ],
        "EvidenceCount": 6,
        "Actors": [
            {
                "id": -2,
                "name": "Unknown"
            }
        ],
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "Analyst1Link": "https://partner.cloud.analyst1.com/indicators/95267",
        "ID": 95267
    }
}
```
Human Readable Output#

Analyst1 Mutex Information#

| Active | ActivityDates | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- | --- |
| true | 2015-01-06, 2015-01-07, 2015-01-14, 2015-02-23, 2017-08-05, 2017-08-06 | id = -2, name = Unknown | 6 | 95267 | https://partner.cloud.analyst1.com/indicators/95267 | ?? | 2015-01-07, 2015-01-14, 2015-02-23, 2017-08-05, 2017-08-06 |

8. analyst1-enrich-http-request#


Queries the Analyst1 REST API and enriches the given HTTP request with Analyst1 indicator data.

Base Command#

analyst1-enrich-http-request

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| http-request | The HTTP request for which to return information. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Analyst1.Httprequest.ID | number | The unique identifier of the given indicator in Analyst1. |
| Analyst1.Httprequest.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Httprequest.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Httprequest.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Httprequest.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Httprequest.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Httprequest.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Httprequest.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Httprequest.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Httprequest.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Httprequest.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Httprequest.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Httprequest.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Httprequest.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
Command Example#

!analyst1-enrich-http-request http-request=/~

Context Example#
```json
{
    "Analyst1.Httprequest": {
        "LastHit": null,
        "ReportedDates": [
            "2020-01-06"
        ],
        "Indicator": "/~",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [],
        "EvidenceCount": 1,
        "Actors": {},
        "ConfidenceLevel": "high",
        "Active": true,
        "HitCount": null,
        "Analyst1Link": "https://partner.cloud.analyst1.com/indicators/2885382",
        "ID": 2885382
    }
}
```
Human Readable Output#

Analyst1 Httprequest Information#

| Active | ConfidenceLevel | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- |
| true | high | 1 | 2885382 | https://partner.cloud.analyst1.com/indicators/2885382 | /~ | 2020-01-06 |

9. url#


Queries the Analyst1 REST API and enriches the given URL with Analyst1 indicator data.

Base Command#

url

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| url | The URL for which to return information. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| URL.Data | String | The URL. |
| Analyst1.Url.ID | number | The unique identifier of the given indicator in Analyst1. |
| Analyst1.Url.EvidenceCount | number | The number of evidence reports of the given indicator in Analyst1. |
| Analyst1.Url.Active | boolean | Whether the given indicator is noted as active in Analyst1. |
| Analyst1.Url.ConfidenceLevel | string | The confidence level of the data in Analyst1. |
| Analyst1.Url.FirstHit | date | The first date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Url.LastHit | date | The most recent date this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Url.HitCount | number | The total number of times this indicator was seen in a source scanned by Analyst1. |
| Analyst1.Url.ReportedDates | date | The dates this indicator was reported on in Analyst1. |
| Analyst1.Url.ActivityDates | date | The dates this indicator had reported activity in Analyst1. |
| Analyst1.Url.Malwares.ID | number | Each matched malware unique identifier in Analyst1. |
| Analyst1.Url.Malwares.Name | string | Each matched malware name in Analyst1. |
| Analyst1.Url.Actors.ID | number | Each matched actor unique identifier in Analyst1. |
| Analyst1.Url.Actors.Name | string | Each matched actor name in Analyst1. |
| Analyst1.Url.Analyst1Link | string | The URL of the matched indicator in Analyst1. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The vendor that reported the score (Analyst1). |
Command Example#

!url url=104.218.120.128/check.aspx

Context Example#
```json
{
    "URL": {
        "Malicious": {
            "Vendor": "Analyst1",
            "Description": "Analyst1 has determined that this indicator is malicious via internal analysis."
        },
        "Data": "104.218.120.128/check.aspx"
    },
    "Analyst1.Url": {
        "LastHit": null,
        "ReportedDates": [
            "2019-07-04"
        ],
        "Indicator": "104.218.120.128/check.aspx",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [
            "2018-12-08"
        ],
        "EvidenceCount": 1,
        "Actors": [
            {
                "id": 178,
                "name": "APT33"
            }
        ],
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "Analyst1Link": "https://partner.cloud.analyst1.com/indicators/2699554",
        "ID": 2699554
    },
    "DBotScore": {
        "Vendor": "Analyst1",
        "Indicator": "104.218.120.128/check.aspx",
        "Score": 3,
        "Type": "url"
    }
}
```
Human Readable Output#

Analyst1 Url Information#

| Active | ActivityDates | Actors | EvidenceCount | ID | Analyst1Link | Indicator | ReportedDates |
| --- | --- | --- | --- | --- | --- | --- | --- |
| true | 2018-12-08 | id = 178, name = APT33 | 1 | 2699554 | https://partner.cloud.analyst1.com/indicators/2699554 | 104.218.120.128/check.aspx | 2019-07-04 |