Cisco Secure Malware Analytics Feed

This Integration is part of the Cisco Secure Malware Analytics Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Secure Malware Analytics (formerly Threat Grid) combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware.

Configure Cisco Secure Malware Analytics in Cortex#

Parameter	Description	Required
API Key	The Cisco Secure Malware Analytics API key.	True
Feed Name	The feed name to fetch.	True
First fetch	The date or number of days from when to start fetching indicators.	False
Fetch indicators	Whether to fetch indicators.	False
Indicator Reputation	Indicators from this integration instance will be marked with this reputation.	False
Traffic Light Protocol Color	The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed.	False
Tags	Supports CSV values.	False
Source Reliability	Reliability of the source providing the intelligence data.	True
Feed Fetch Interval	The feed fetch interval.	False
Bypass exclusion list	When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.	False
Use system proxy settings	Whether to use the system proxy settings.	False
Trust any certificate	Whether to trust any certificate (not secure).	False

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cisco-sma-get-indicators#

Retrieves indicators.

Base Command#

cisco-sma-get-indicators

Input#

Argument Name	Description	Required
limit	The maximum number of indicators to retrieve.	Optional

Context Output#

Path	Type	Description
CiscoSMA.value	String	The indicator value.
CiscoSMA.type	Unknown	The indicator type.
CiscoSMA.Tags	String	Tags that are associated with the indicator.
CiscoSMA.Description	String	The feed description.
CiscoSMA.FeedRelatedIndicators.type	String	The type of the indicators that are associated with the domain.
CiscoSMA.FeedRelatedIndicators.value	String	Indicators that are associated with the domain.

Command Example#

!cisco-sma-get-indicators limit=1

Context Example#

{
    "CiscoSMA": {
        "fields": {
            "Description": "DNS response information from requests made by document samples performing network communications.",
            "FirstSeenBySource": "2021-04-13T12:47:34Z",
            "Tags": [
                "doc-net-com-dns"
            ],
            "reportedby": "CiscoSMA",
            "trafficlightprotocol": "GREEN"
        },
        "rawJSON": {
            "description": "DNS response information from requests made by document samples performing network communications.",
            "domain": "example.com",
            "info": "example.com/feeds/doc-net-com-dns/domain",
            "ips": [
                "0.0.0.0"
            ],
            "sample": "example",
            "sample_md5": "1234556",
            "sample_sha1": "1234556",
            "sample_sha256": "1234556",
            "timestamp": "2021-04-13T12:47:34Z"
        },
        "type": "IP",
        "value": "0.0.0.0"
    }
}

Human Readable Output#

CiscoSMA Indicators:#
value type
o.o.o.o IP

value	type
o.o.o.o	IP

cisco-sma-reset-fetch-indicators#

WARNING: This command will reset your fetch history.

Base Command#

cisco-sma-reset-fetch-indicators

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!cisco-sma-reset-fetch-indicators

Human Readable Output#

Fetch history deleted successfully