Skip to main content

Deep Instinct

This Integration is part of the DeepInstinct Pack.#

Overview#


Deep Instinct This integration was integrated and tested with version 2.3.1.17 of Deep Instinct

Configure Deep Instinct on Cortex XSOAR#


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Deep Instinct.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Base server URL
    • API Key
    • Fetch incidents
    • Incident type
    • First event ID to fetch from
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data#


Commands#


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. deepinstinct-get-device
  2. deepinstinct-get-events
  3. deepinstinct-get-all-groups
  4. deepinstinct-get-all-policies
  5. deepinstinct-add-hash-to-blacklist
  6. deepinstinct-add-hash-to-whitelist
  7. deepinstinct-remove-hash-from-blacklist
  8. deepinstinct-remove-hash-from-whitelist
  9. deepinstinct-add-devices-to-group
  10. deepinstinct-remove-devices-from-group
  11. deepinstinct-delete-files-remotely
  12. deepinstinct-terminate-processes
  13. deepinstinct-close-events

1. deepinstinct-get-device#


get specific device by ID

Base Command#

deepinstinct-get-device

Input#
Argument NameDescriptionRequired
device_idThe device IDRequired
Context Output#
PathTypeDescription
DeepInstinct.devices.IDnumberDevice ID
DeepInstinct.devices.osstringDevice OS
DeepInstinct.devices.osvstringDevice OS version
DeepInstinct.devices.ip_addressstringDevice IP address
DeepInstinct.devices.mac_addressstringDevice mac address
DeepInstinct.devices.hostnamestringDevice hostname
DeepInstinct.devices.domainstringDevice domain
DeepInstinct.devices.scanned_filesnumberNum of device scanned files
DeepInstinct.devices.tagstringDevice tag
DeepInstinct.devices.connectivity_statusstringDevice connectivity status
DeepInstinct.devices.deployment_statusstringDevice deployment status
DeepInstinct.devices.last_registrationstringDevice last registration datetime
DeepInstinct.devices.last_contactstringDevice last contact datetime
DeepInstinct.devices.distinguished_namestringDevice distinguished name
DeepInstinct.devices.group_namestringDevice group name
DeepInstinct.devices.group_idnumberDevice group ID
DeepInstinct.devices.policy_namestringDevice policy name
DeepInstinct.devices.policy_idnumberDevice policy ID
DeepInstinct.devices.log_statusstringDevice log status
DeepInstinct.devices.agent_versionstringDevice agent version
DeepInstinct.devices.brain_versionstringDevice brain version
DeepInstinct.devices.msp_namestringDevice msp name
DeepInstinct.devices.msp_idnumberDevice msp ID
DeepInstinct.devices.tenant_namestringDevice tenant name
DeepInstinct.devices.tenant_idnumberDevice tenant ID
Command Example#

!deepinstinct-get-device device_id=1

Context Example#
{
"DeepInstinct.Devices": {
"last_registration": "2020-04-09T14:49:39.722292Z",
"domain": "",
"msp_name": "MSP 1",
"distinguished_name": "OU=Organizations & Sites,DC=bancshares,DC=mib",
"tenant_name": "Tenant 1",
"osv": "Windows",
"tag": "",
"id": 1,
"last_contact": "2020-04-09T14:49:39.711487Z",
"hostname": "Mock_2020-04-09 17:49:39.408405_1",
"mac_address": "00:00:00:00:00:00",
"brain_version": "115wt",
"connectivity_status": "EXPIRED",
"deployment_status": "REGISTERED",
"msp_id": 1,
"group_name": "Windows Default Group",
"ip_address": "192.168.88.80",
"log_status": "NA",
"tenant_id": 1,
"agent_version": "2.3.1.12",
"scanned_files": 0,
"policy_name": "Windows Default Policy",
"group_id": 3,
"os": "WINDOWS",
"policy_id": 3
}
}
Human Readable Output#

Device#

agent_versionbrain_versionconnectivity_statusdeployment_statusdistinguished_namedomaingroup_idgroup_namehostnameidip_addresslast_contactlast_registrationlog_statusmac_addressmsp_idmsp_nameososvpolicy_idpolicy_namescanned_filestagtenant_idtenant_name
2.3.1.12115wtEXPIREDREGISTEREDOU=Organizations & Sites,DC=bancshares,DC=mib3Windows Default GroupMock_2020-04-09 17:49:39.408405_11192.168.88.802020-04-09T14:49:39.711487Z2020-04-09T14:49:39.722292ZNA00:00:00:00:00:001MSP 1WINDOWSWindows3Windows Default Policy01Tenant 1

2. deepinstinct-get-events#


Get all events. Max events in response can be 50, use first_event_id parameter to define first event id to get

Base Command#

deepinstinct-get-events

Input#
Argument NameDescriptionRequired
first_event_idFirst event id to get as max events in response can be 50Optional
Context Output#
PathTypeDescription
DeepInstinct.Events.events.IDnumberevent ID
DeepInstinct.Events.events.device_idnumberevent device ID
DeepInstinct.Events.events.file_hashstringevent file hash
DeepInstinct.Events.events.file_typestringevent file type
DeepInstinct.Events.events.file_archive_hashstringevent file archive hash
DeepInstinct.Events.events.pathunknownevent file path
DeepInstinct.Events.events.file_sizenumberevent file size
DeepInstinct.Events.events.threat_severitystringevent threat severity
DeepInstinct.Events.events.deep_classificationstringDeep Instinct classification
DeepInstinct.Events.events.file_statusstringevent file status
sandbox_statusDeepInstinct.Events.events.stringevent sandbox status
DeepInstinct.Events.events.modelstringevent model
DeepInstinct.Events.events.typestringevent type
DeepInstinct.Events.events.triggerstringevent trigger
DeepInstinct.Events.events.actionstringevent action
DeepInstinct.Events.events.tenant_idnumberevent tenant id
DeepInstinct.Events.events.msp_idnumberevent msp id
DeepInstinct.Events.events.statusunknownevent status
DeepInstinct.Events.events.close_triggerunknownevent close trigger
DeepInstinct.Events.events.recorded_device_infounknownevent device info
DeepInstinct.Events.events.reoccurrence_countnumberevent reoccurrence_count
Command Example#

!deepinstinct-get-events

Context Example#
{
"DeepInstinct.Events": [
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "d1838b541ff7ffe6489d120d89dfa855665fd2c708491f336c7267069387053f",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 18127052,
"close_timestamp": "2020-04-22T10:27:45.391625Z",
"id": 1,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:39.408405_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:41.170331Z",
"type": "STATIC_ANALYSIS",
"status": "CLOSED",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:41.154850Z",
"msp_id": 1,
"close_trigger": "CLOSED_BY_ADMIN",
"path": "c:\\temp\\file1.exe",
"reoccurrence_count": 0,
"device_id": 1,
"tenant_id": 1,
"file_archive_hash": "d1838b541ff7ffe6489d120d89dfa855665fd2c708491f336c7267069387053f",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "edf34902ff17838b4bc709ff15b5265dd49f652ee75a1adf69df9ae5bc52f960",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 15090736,
"close_timestamp": null,
"id": 2,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:41.170765_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:41.810047Z",
"type": "STATIC_ANALYSIS",
"status": "OPEN",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:41.805228Z",
"msp_id": 1,
"close_trigger": null,
"path": "c:\\temp\\file2.exe",
"reoccurrence_count": 0,
"device_id": 2,
"tenant_id": 1,
"file_archive_hash": "edf34902ff17838b4bc709ff15b5265dd49f652ee75a1adf69df9ae5bc52f960",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "5b40c30d3a3b5c532bb9d338defc0eee6161ace8baf9fabe3c0cb1e73eeb8571",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 6100823,
"close_timestamp": null,
"id": 3,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:41.826874_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:42.406046Z",
"type": "STATIC_ANALYSIS",
"status": "OPEN",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:42.400310Z",
"msp_id": 1,
"close_trigger": null,
"path": "c:\\temp\\file2.exe",
"reoccurrence_count": 0,
"device_id": 3,
"tenant_id": 1,
"file_archive_hash": "5b40c30d3a3b5c532bb9d338defc0eee6161ace8baf9fabe3c0cb1e73eeb8571",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "727c2de729aa5fc471628a7bcfdf80353286a8a3981b9f0ffb58826e11518e3a",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 1274571,
"close_timestamp": null,
"id": 4,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:42.419868_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:43.096316Z",
"type": "STATIC_ANALYSIS",
"status": "OPEN",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:43.091237Z",
"msp_id": 1,
"close_trigger": null,
"path": "c:\\temp\\file3.exe",
"reoccurrence_count": 0,
"device_id": 4,
"tenant_id": 1,
"file_archive_hash": "727c2de729aa5fc471628a7bcfdf80353286a8a3981b9f0ffb58826e11518e3a",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "59c6185cc5fb87f8be1cbfc0903d1486c892bd2f84c1fab685eecd1517d041cf",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 5797166,
"close_timestamp": null,
"id": 5,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:43.110126_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:43.829681Z",
"type": "STATIC_ANALYSIS",
"status": "OPEN",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:43.821976Z",
"msp_id": 1,
"close_trigger": null,
"path": "c:\\temp\\file4.exe",
"reoccurrence_count": 0,
"device_id": 5,
"tenant_id": 1,
"file_archive_hash": "59c6185cc5fb87f8be1cbfc0903d1486c892bd2f84c1fab685eecd1517d041cf",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "8e83ec9a47265ed552f5369d25ae8f82074be91162c77d55dea5895637770e42",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 20730162,
"close_timestamp": null,
"id": 6,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:43.843723_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:44.453057Z",
"type": "STATIC_ANALYSIS",
"status": "OPEN",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:44.446870Z",
"msp_id": 1,
"close_trigger": null,
"path": "c:\\temp\\file5.exe",
"reoccurrence_count": 0,
"device_id": 6,
"tenant_id": 1,
"file_archive_hash": "8e83ec9a47265ed552f5369d25ae8f82074be91162c77d55dea5895637770e42",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "5fd4efe63a89a08e860a4a53c1efd7773d7ffc07a279be04bab5860492ce4dd4",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 9009328,
"close_timestamp": "2020-04-20T11:45:00.987088Z",
"id": 7,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:44.464658_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:45.101055Z",
"type": "STATIC_ANALYSIS",
"status": "CLOSED",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:45.096553Z",
"msp_id": 1,
"close_trigger": "CLOSED_BY_ADMIN",
"path": "c:\\temp\\file6.exe",
"reoccurrence_count": 0,
"device_id": 7,
"tenant_id": 1,
"file_archive_hash": "5fd4efe63a89a08e860a4a53c1efd7773d7ffc07a279be04bab5860492ce4dd4",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "56bb8166c11e63dbbc42b18ad61c27d0df2346e72deb6235ba166f97169aad2d",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 6975122,
"close_timestamp": "2020-04-12T10:12:45.428138Z",
"id": 8,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:45.116724_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:45.889202Z",
"type": "STATIC_ANALYSIS",
"status": "CLOSED",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:45.884910Z",
"msp_id": 1,
"close_trigger": "CLOSED_BY_ADMIN",
"path": "c:\\temp\\file7.exe",
"reoccurrence_count": 0,
"device_id": 8,
"tenant_id": 1,
"file_archive_hash": "56bb8166c11e63dbbc42b18ad61c27d0df2346e72deb6235ba166f97169aad2d",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "fbf76ae6c929d5b094e376e93ef7486f0527a4060c09f0dd1ebaf073b21dd81d",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 11929486,
"close_timestamp": "2020-04-12T10:12:45.428138Z",
"id": 9,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:45.906650_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:46.515957Z",
"type": "STATIC_ANALYSIS",
"status": "CLOSED",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:46.510849Z",
"msp_id": 1,
"close_trigger": "CLOSED_BY_ADMIN",
"path": "c:\\temp\\file8.exe",
"reoccurrence_count": 0,
"device_id": 9,
"tenant_id": 1,
"file_archive_hash": "fbf76ae6c929d5b094e376e93ef7486f0527a4060c09f0dd1ebaf073b21dd81d",
"action": "DETECTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "0a733f0b309cc330641a1205b928ae80cfd1f129d8c5df2e03f5cde13215b4b2",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 18723521,
"close_timestamp": "2020-04-12T09:41:19.991511Z",
"id": 10,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:46.533149_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:47.192314Z",
"type": "STATIC_ANALYSIS",
"status": "CLOSED",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:47.187327Z",
"msp_id": 1,
"close_trigger": "CLOSED_BY_ADMIN",
"path": "c:\\temp\\file9.exe",
"reoccurrence_count": 0,
"device_id": 10,
"tenant_id": 1,
"file_archive_hash": "0a733f0b309cc330641a1205b928ae80cfd1f129d8c5df2e03f5cde13215b4b2",
"action": "DETECTED",
"model": "FileEvent",
"certificate_vendor_name": null
}
]
}
Human Readable Output#

Events#

actioncertificate_thumbprintcertificate_vendor_nameclose_timestampclose_triggercommentdeep_classificationdevice_idfile_archive_hashfile_hashfile_sizefile_statusfile_typeidinsertion_timestamplast_actionlast_reoccurrencemodelmsp_idmsp_namepathrecorded_device_inforeoccurrence_countsandbox_statusstatustenant_idtenant_namethreat_severitytimestamptriggertype
PREVENTED2020-04-22T10:27:45.391625ZCLOSED_BY_ADMIN1d1838b541ff7ffe6489d120d89dfa855665fd2c708491f336c7267069387053fd1838b541ff7ffe6489d120d89dfa855665fd2c708491f336c7267069387053f18127052NOT_UPLOADEDZIP12020-04-09T14:49:41.170331ZFileEvent1MSP 1c:\temp\file1.exeos: WINDOWS mac_address: 00:00:00:00:00:00 hostname: Mock_2020-04-09 17:49:39.408405_1 tag: group_name: Windows Default Group policy_name: Windows Default Policy tenant_name: Tenant 10NOT_READY_TO_GENERATECLOSED1Tenant 1NONE2020-04-09T14:49:41.154850ZBRAINSTATIC_ANALYSIS
PREVENTED2edf34902ff17838b4bc709ff15b5265dd49f652ee75a1adf69df9ae5bc52f960edf34902ff17838b4bc709ff15b5265dd49f652ee75a1adf69df9ae5bc52f96015090736NOT_UPLOADEDZIP22020-04-09T14:49:41.810047ZFileEvent1MSP 1c:\temp\file1.exeos: WINDOWS mac_address: 00:00:00:00:00:00 hostname: Mock_2020-04-09 17:49:41.170765_1 tag: group_name: Windows Default Group policy_name: Windows Default Policy tenant_name: Tenant 10NOT_READY_TO_GENERATEOPEN1Tenant 1NONE2020-04-09T14:49:41.805228ZBRAINSTATIC_ANALYSIS
PREVENTED35b40c30d3a3b5c532bb9d338defc0eee6161ace8baf9fabe3c0cb1e73eeb85715b40c30d3a3b5c532bb9d338defc0eee6161ace8baf9fabe3c0cb1e73eeb85716100823NOT_UPLOADEDZIP32020-04-09T14:49:42.406046ZFileEvent1MSP 1c:\temp\file2.exeos: WINDOWS mac_address: 00:00:00:00:00:00 hostname: Mock_2020-04-09 17:49:41.826874_1 tag: group_name: Windows Default Group policy_name: Windows Default Policy tenant_name: Tenant 10NOT_READY_TO_GENERATEOPEN1Tenant 1NONE2020-04-09T14:49:42.400310ZBRAINSTATIC_ANALYSIS
PREVENTED4727c2de729aa5fc471628a7bcfdf80353286a8a3981b9f0ffb58826e11518e3a727c2de729aa5fc471628a7bcfdf80353286a8a3981b9f0ffb58826e11518e3a1274571NOT_UPLOADEDZIP42020-04-09T14:49:43.096316ZFileEvent1MSP 1c:\temp\file3.exeos: WINDOWS mac_address: 00:00:00:00:00:00 hostname: Mock_2020-04-09 17:49:42.419868_1 tag: group_name: Windows Default Group policy_name: Windows Default Policy tenant_name: Tenant 10NOT_READY_TO_GENERATEOPEN1Tenant 1NONE2020-04-09T14:49:43.091237ZBRAINSTATIC_ANALYSIS
PREVENTED559c6185cc5fb87f8be1cbfc0903d1486c892bd2f84c1fab685eecd1517d041cf59c6185cc5fb87f8be1cbfc0903d1486c892bd2f84c1fab685eecd1517d041cf5797166NOT_UPLOADEDZIP52020-04-09T14:49:43.829681ZFileEvent1MSP 1c:\temp\file4.exeos: WINDOWS mac_address: 00:00:00:00:00:00 hostname: Mock_2020-04-09 17:49:43.110126_1 tag: group_name: Windows Default Group policy_name: Windows Default Policy tenant_name: Tenant 10NOT_READY_TO_GENERATEOPEN1Tenant 1NONE2020-04-09T14:49:43.821976ZBRAINSTATIC_ANALYSIS
PREVENTED68e83ec9a47265ed552f5369d25ae8f82074be91162c77d55dea5895637770e428e83ec9a47265ed552f5369d25ae8f82074be91162c77d55dea5895637770e4220730162NOT_UPLOADEDZIP62020-04-09T14:49:44.453057ZFileEvent1MSP 1c:\temp\file5.exeos: WINDOWS mac_address: 00:00:00:00:00:00 hostname: Mock_2020-04-09 17:49:43.843723_1 tag: group_name: Windows Default Group policy_name: Windows Default Policy tenant_name: Tenant 10NOT_READY_TO_GENERATEOPEN1Tenant 1NONE2020-04-09T14:49:44.446870ZBRAINSTATIC_ANALYSIS
PREVENTED2020-04-20T11:45:00.987088ZCLOSED_BY_ADMIN75fd4efe63a89a08e860a4a53c1efd7773d7ffc07a279be04bab5860492ce4dd45fd4efe63a89a08e860a4a53c1efd7773d7ffc07a279be04bab5860492ce4dd49009328NOT_UPLOADEDZIP72020-04-09T14:49:45.101055ZFileEvent1MSP 1c:\temp\file6.exeos: WINDOWS mac_address: 00:00:00:00:00:00 hostname: Mock_2020-04-09 17:49:44.464658_1 tag: group_name: Windows Default Group policy_name: Windows Default Policy tenant_name: Tenant 10NOT_READY_TO_GENERATECLOSED1Tenant 1NONE2020-04-09T14:49:45.096553ZBRAINSTATIC_ANALYSIS
PREVENTED2020-04-12T10:12:45.428138ZCLOSED_BY_ADMIN856bb8166c11e63dbbc42b18ad61c27d0df2346e72deb6235ba166f97169aad2d56bb8166c11e63dbbc42b18ad61c27d0df2346e72deb6235ba166f97169aad2d6975122NOT_UPLOADEDZIP82020-04-09T14:49:45.889202ZFileEvent1MSP 1c:\temp\file7.exeos: WINDOWS mac_address: 00:00:00:00:00:00 hostname: Mock_2020-04-09 17:49:45.116724_1 tag: group_name: Windows Default Group policy_name: Windows Default Policy tenant_name: Tenant 10NOT_READY_TO_GENERATECLOSED1Tenant 1NONE2020-04-09T14:49:45.884910ZBRAINSTATIC_ANALYSIS
DETECTED2020-04-12T10:12:45.428138ZCLOSED_BY_ADMIN9fbf76ae6c929d5b094e376e93ef7486f0527a4060c09f0dd1ebaf073b21dd81dfbf76ae6c929d5b094e376e93ef7486f0527a4060c09f0dd1ebaf073b21dd81d11929486NOT_UPLOADEDZIP92020-04-09T14:49:46.515957ZFileEvent1MSP 1c:\temp\file8.exeos: WINDOWS mac_address: 00:00:00:00:00:00 hostname: Mock_2020-04-09 17:49:45.906650_1 tag: group_name: Windows Default Group policy_name: Windows Default Policy tenant_name: Tenant 10NOT_READY_TO_GENERATECLOSED1Tenant 1NONE2020-04-09T14:49:46.510849ZBRAINSTATIC_ANALYSIS
DETECTED2020-04-12T09:41:19.991511ZCLOSED_BY_ADMIN100a733f0b309cc330641a1205b928ae80cfd1f129d8c5df2e03f5cde13215b4b20a733f0b309cc330641a1205b928ae80cfd1f129d8c5df2e03f5cde13215b4b218723521NOT_UPLOADEDZIP102020-04-09T14:49:47.192314ZFileEvent1MSP 1c:\temp\file9.exeos: WINDOWS mac_address: 00:00:00:00:00:00 hostname: Mock_2020-04-09 17:49:46.533149_1 tag: group_name: Windows Default Group policy_name: Windows Default Policy tenant_name: Tenant 10NOT_READY_TO_GENERATECLOSED1Tenant 1NONE2020-04-09T14:49:47.187327ZBRAINSTATIC_ANALYSIS

3. deepinstinct-get-all-groups#


get all groups

Base Command#

deepinstinct-get-all-groups

Input#
Argument NameDescriptionRequired
Context Output#
PathTypeDescription
DeepInstinct.Groups.IDnumbergroup id
DeepInstinct.Groups.osstringgroup operation system
DeepInstinct.Groups.namestringgroup name
DeepInstinct.Groups.policy_idnumbergroup policy ID
DeepInstinct.Groups.is_default_groupbooleanTrue if group is a default group, false otherwise
DeepInstinct.Groups.msp_namestringmsp name
DeepInstinct.Groups.msp_idnumbermsp ID
Command Example#

!deepinstinct-get-all-groups first_event_id=0

Context Example#
{
"DeepInstinct.Groups": [
{
"name": "Android Default Group",
"msp_name": "MSP 1",
"msp_id": 1,
"is_default_group": true,
"os": "ANDROID",
"id": 1,
"policy_id": 1
},
{
"name": "iOS Default Group",
"msp_name": "MSP 1",
"msp_id": 1,
"is_default_group": true,
"os": "IOS",
"id": 2,
"policy_id": 2
},
{
"name": "Windows Default Group",
"msp_name": "MSP 1",
"msp_id": 1,
"is_default_group": true,
"os": "WINDOWS",
"id": 3,
"policy_id": 3
},
{
"name": "macOS Default Group",
"msp_name": "MSP 1",
"msp_id": 1,
"is_default_group": true,
"os": "MAC",
"id": 4,
"policy_id": 4
},
{
"name": "Chrome OS Default Group",
"msp_name": "MSP 1",
"msp_id": 1,
"is_default_group": true,
"os": "CHROME",
"id": 5,
"policy_id": 5
},
{
"name": "Test",
"msp_name": "MSP 1",
"msp_id": 1,
"is_default_group": false,
"priority": 1,
"os": "WINDOWS",
"id": 6,
"policy_id": 3
}
]
}
Human Readable Output#

Groups#

idis_default_groupmsp_idmsp_namenameospolicy_id
1true1MSP 1Android Default GroupANDROID1
2true1MSP 1iOS Default GroupIOS2
3true1MSP 1Windows Default GroupWINDOWS3
4true1MSP 1macOS Default GroupMAC4
5true1MSP 1Chrome OS Default GroupCHROME5
6false1MSP 1TestWINDOWS3

4. deepinstinct-get-all-policies#


get all policies

Base Command#

deepinstinct-get-all-policies

Input#
Argument NameDescriptionRequired
Context Output#
PathTypeDescription
DeepInstinct.Policies.IDnumberpolicy ID
DeepInstinct.Policies.namestringpolicy name
DeepInstinct.Policies.osstringpolicy operating system
DeepInstinct.Policies.is_default_policybooleanTrue if policy is a default policy, False otherwise
DeepInstinct.Policies.msp_idnumbermsp ID
DeepInstinct.Policies.msp_namestringmsp name
Command Example#

!deepinstinct-get-all-policies

Context Example#
{
"DeepInstinct.Policies": [
{
"name": "iOS Default Policy",
"is_default_policy": true,
"msp_id": 1,
"msp_name": "MSP 1",
"os": "IOS",
"id": 2
},
{
"name": "Windows Default Policy",
"is_default_policy": true,
"msp_id": 1,
"msp_name": "MSP 1",
"os": "WINDOWS",
"id": 3
},
{
"name": "macOS Default Policy",
"is_default_policy": true,
"msp_id": 1,
"msp_name": "MSP 1",
"os": "MAC",
"id": 4
},
{
"name": "Chrome OS Default Policy",
"is_default_policy": true,
"msp_id": 1,
"msp_name": "MSP 1",
"os": "CHROME",
"id": 5
},
{
"name": "testPolicy",
"is_default_policy": false,
"msp_id": 1,
"msp_name": "MSP 1",
"os": "WINDOWS",
"id": 6
},
{
"name": "Android Default Policy",
"is_default_policy": true,
"msp_id": 1,
"msp_name": "MSP 1",
"os": "ANDROID",
"id": 1
}
]
}
Human Readable Output#

Policies#

idis_default_policymsp_idmsp_namenameos
2true1MSP 1iOS Default PolicyIOS
3true1MSP 1Windows Default PolicyWINDOWS
4true1MSP 1macOS Default PolicyMAC
5true1MSP 1Chrome OS Default PolicyCHROME
6false1MSP 1testPolicyWINDOWS
1true1MSP 1Android Default PolicyANDROID

5. deepinstinct-add-hash-to-blacklist#


add file hash to blacklist

Base Command#

deepinstinct-add-hash-to-blacklist

Input#
Argument NameDescriptionRequired
policy_idpolicy IDRequired
file_hashfile hashRequired
commentOptional, add comment to hash fieldOptional
Context Output#

There is no context output for this command.

Command Example#

!deepinstinct-add-hash-to-blacklist file_hash=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb00 policy_id=6 comment=mycomment

Human Readable Output#

ok

6. deepinstinct-add-hash-to-whitelist#


add file hash to whitelist

Base Command#

deepinstinct-add-hash-to-whitelist

Input#
Argument NameDescriptionRequired
policy_idpolicy IDRequired
file_hashfile hashRequired
commentOptional, add comment to hash fieldOptional
Context Output#

There is no context output for this command.

Command Example#

!deepinstinct-add-hash-to-whitelist file_hash=wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww00 policy_id=6 comment=mycomment

Human Readable Output#

ok

7. deepinstinct-remove-hash-from-blacklist#


remove file hash from blacklist

Base Command#

deepinstinct-remove-hash-from-blacklist

Input#
Argument NameDescriptionRequired
policy_idpolicy IDRequired
file_hashfile hashRequired
Context Output#

There is no context output for this command.

Command Example#

!deepinstinct-remove-hash-from-blacklist file_hash=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb00 policy_id=6

Human Readable Output#

ok

8. deepinstinct-remove-hash-from-whitelist#


remove file hash from whitelist

Base Command#

deepinstinct-remove-hash-from-whitelist

Input#
Argument NameDescriptionRequired
policy_idpolicy IDRequired
file_hashfile hashRequired
Context Output#

There is no context output for this command.

Command Example#

!deepinstinct-remove-hash-from-whitelist file_hash=wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww00 policy_id=6

Human Readable Output#

ok

9. deepinstinct-add-devices-to-group#


add multiple devices to group

Base Command#

deepinstinct-add-devices-to-group

Input#
Argument NameDescriptionRequired
group_idgroup IDRequired
device_idscomma separated devices idsRequired
Context Output#

There is no context output for this command.

Command Example#

!deepinstinct-add-devices-to-group device_ids=1 group_id=6

Human Readable Output#

ok

10. deepinstinct-remove-devices-from-group#


remove list of devices from group

Base Command#

deepinstinct-remove-devices-from-group

Input#
Argument NameDescriptionRequired
group_idgroup ID to remove fromRequired
device_idscomma separeted list of device ids to removeRequired
Context Output#

There is no context output for this command.

Command Example#

!deepinstinct-remove-devices-from-group device_ids=1 group_id=6

Human Readable Output#

ok

11. deepinstinct-delete-files-remotely#


delete multiple files remotely

Base Command#

deepinstinct-delete-files-remotely

Input#
Argument NameDescriptionRequired
event_idscomma separeted list of event idsRequired
Context Output#

There is no context output for this command.

Command Example#

!deepinstinct-delete-files-remotely event_ids=1

Human Readable Output#

ok

12. deepinstinct-terminate-processes#


terminate list of processes

Base Command#

deepinstinct-terminate-processes

Input#
Argument NameDescriptionRequired
event_idscomma separeted list of event idsRequired
Context Output#

There is no context output for this command.

Command Example#

!deepinstinct-terminate-processes event_ids=1,2

Human Readable Output#

ok

13. deepinstinct-close-events#


close list of events

Base Command#

deepinstinct-close-events

Input#
Argument NameDescriptionRequired
event_idscomma separeted list of event idsRequired
Context Output#

There is no context output for this command.

Command Example#

!deepinstinct-close-events event_ids=1

Human Readable Output#

ok