Skip to main content

Cisco Secure Malware Analytics Feed

This Integration is part of the Cisco Threat Grid Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Secure Malware Analytics (formerly Threat Grid) combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware.

Configure Cisco Secure Malware Analytics on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Cisco Secure Malware Analytics.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    API KeyThe Cisco Secure Malware Analytics API key.True
    Feed NameThe feed name to fetch.True
    First fetchThe date or number of days from when to start fetching indicators.False
    Fetch indicatorsWhether to fetch indicators.False
    Indicator ReputationIndicators from this integration instance will be marked with this reputation.False
    Traffic Light Protocol ColorThe Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed.False
    TagsSupports CSV values.False
    Source ReliabilityReliability of the source providing the intelligence data.True
    Feed Fetch IntervalThe feed fetch interval.False
    Bypass exclusion listWhen selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.False
    Use system proxy settingsWhether to use the system proxy settings.False
    Trust any certificateWhether to trust any certificate (not secure).False
  4. Click Test to validate the API Key, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cisco-sma-get-indicators#


Retrieves indicators.

Base Command#

cisco-sma-get-indicators

Input#

Argument NameDescriptionRequired
limitThe maximum number of indicators to retrieve.Optional

Context Output#

PathTypeDescription
CiscoSMA.valueStringThe indicator value.
CiscoSMA.typeUnknownThe indicator type.
CiscoSMA.TagsStringTags that are associated with the indicator.
CiscoSMA.DescriptionStringThe feed description.
CiscoSMA.FeedRelatedIndicators.typeStringThe type of the indicators that are associated with the domain.
CiscoSMA.FeedRelatedIndicators.valueStringIndicators that are associated with the domain.

Command Example#

!cisco-sma-get-indicators limit=1

Context Example#

{
"CiscoSMA": {
"fields": {
"Description": "DNS response information from requests made by document samples performing network communications.",
"FirstSeenBySource": "2021-04-13T12:47:34Z",
"Tags": [
"doc-net-com-dns"
],
"reportedby": "CiscoSMA",
"trafficlightprotocol": "GREEN"
},
"rawJSON": {
"description": "DNS response information from requests made by document samples performing network communications.",
"domain": "example.com",
"info": "example.com/feeds/doc-net-com-dns/domain",
"ips": [
"0.0.0.0"
],
"sample": "example",
"sample_md5": "1234556",
"sample_sha1": "1234556",
"sample_sha256": "1234556",
"timestamp": "2021-04-13T12:47:34Z"
},
"type": "IP",
"value": "0.0.0.0"
}
}

Human Readable Output#

CiscoSMA Indicators:#

valuetype
o.o.o.oIP

cisco-sma-reset-fetch-indicators#


WARNING: This command will reset your fetch history.

Base Command#

cisco-sma-reset-fetch-indicators

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!cisco-sma-reset-fetch-indicators

Human Readable Output#

Fetch history deleted successfully