DeepInstinct v3

This Integration is part of the DeepInstinct Pack.

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

Deep Instinct is a prevention-first approach to stopping ransomware and other malware using the world's first purpose-built, deep learning cybersecurity framework. This integration was integrated and tested with version 3.3.x of DeepInstinct v3

This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.

Configure DeepInstinct v3 on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.

2. Search for DeepInstinct v3.

3. Click Add instance to create and configure a new integration instance.

   Parameter	Required
   Base server URL	True
   API Key	True
   First event ID to fetch from	False
   Fetch incidents	False
   Incidents Fetch Interval	False
   Incident type	False
   Trust any certificate (not secure)	False
   Use system proxy settings	False

4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

deepinstinctv3-get-device

---

Get device information from its ID

Base Command

deepinstinctv3-get-device

Input

Argument Name	Description	Required
device_id	Get device information from its ID.	Required

Context Output

Path	Type	Description
deepinstinctv3.devices.ID	number	Device ID
deepinstinctv3.devices.os	string	Device OS
deepinstinctv3.devices.osv	string	Device OS version
deepinstinctv3.devices.ip_address	string	Device IP address
deepinstinctv3.devices.email	sting	Device email ip_address
deepinstinctv3.devices.mac_address	string	Device mac address
deepinstinctv3.devices.hostname	string	Device hostname
deepinstinctv3.devices.domain	string	Device domain
deepinstinctv3.devices.scanned_files	number	Num of device scanned files
deepinstinctv3.devices.comment	string	Device comment
deepinstinctv3.devices.tag	string	Device tag
deepinstinctv3.devices.connectivity_status	string	Device connectivity status
deepinstinctv3.devices.deployment_status	string	Device deployment status
deepinstinctv3.devices.deployment_status_last_update	string	Device last client version update
deepinstinctv3.devices.license_status	string	Device license status
deepinstinctv3.devices.last_registration	string	Device last registration datetime
deepinstinctv3.devices.last_contact	string	Device last contact datetime
deepinstinctv3.devices.distinguished_name	string	Device distinguished name
deepinstinctv3.devices.group_name	string	Device group name
deepinstinctv3.devices.group_id	number	Device group ID
deepinstinctv3.devices.policy_name	string	Device policy name
deepinstinctv3.devices.policy_id	number	Device policy ID
deepinstinctv3.devices.log_status	string	Device log status
deepinstinctv3.devices.agent_version	string	Device agent version
deepinstinctv3.devices.brain_version	string	Device brain version
deepinstinctv3.devices.logged_in_users	string	Device logged in user(s)
deepinstinctv3.devices.msp_name	string	Device msp name
deepinstinctv3.devices.msp_id	number	Device msp ID
deepinstinctv3.devices.tenant_name	string	Device tenant name
deepinstinctv3.devices.tenant_id	number	Device tenant ID

deepinstinctv3-get-events

---

Get all events after given event ID

Base Command

deepinstinctv3-get-events

Input

Argument Name	Description	Required
first_event_id	Get all events. Max events in response is 50, use first_event_id parameter to define first event id to get. Default is 0.	Required

Context Output

Path	Type	Description
deepinstinctv3.Events.events.id	number	event ID
deepinstinctv3.Events.events.device_id	number	event device ID
deepinstinctv3.Events.events.timestamp	string	event timestamp from device
deepinstinctv3.Events.events.insertion_timestamp	string	event timestamp from console
deepinstinctv3.Events.events.close_timestamp	string	event closed timestamp
deepinstinctv3.Events.events.last_action	string	event last last_action
deepinstinctv3.Events.events.status	string	event status
deepinstinctv3.Events.events.comment	string	event comment
deepinstinctv3.Events.events.recorded_device_info	unknown	event device information
deepinstinctv3.Events.events.msp_name	string	event msp name
deepinstinctv3.Events.events.msp_id	number	event msp id
deepinstinctv3.Events.events.tenant_name	string	event tenant name
deepinstinctv3.Events.events.tenant_id	number	event tenant id
deepinstinctv3.Events.events.mitre_classifications	unknown	event MITRE classification
deepinstinctv3.Events.events.type	string	event type
deepinstinctv3.Events.events.trigger	string	event trigger
deepinstinctv3.Events.events.action	string	event action
deepinstinctv3.Events.events.close_trigger	string	event close trigger
deepinstinctv3.Events.events.reoccurrence_count	number	event reoccurrence_count
deepinstinctv3.Events.events.file_type	string	event file type
deepinstinctv3.Events.events.file_hash	string	event file hash
deepinstinctv3.Events.events.file_archive_hash	string	event file archive hash
deepinstinctv3.Events.events.path	unknown	event file path
deepinstinctv3.Events.events.file_size	number	event file size
deepinstinctv3.Events.events.threat_severity	string	event threat severity
deepinstinctv3.Events.events.certificate_thumbprint	string	event certificate certificate thumbprint
deepinstinctv3.Events.events.certificate_vendor_name	string	event certificate certificate vendor name
deepinstinctv3.Events.events.deep_classification	string	Deep Instinct classification
deepinstinctv3.Events.events.file_status	string	event file status
deepinstinctv3.Events.events.sandbox_status	string	event sandbox status

deepinstinctv3-get-suspicious-events

---

Get all suspicious events after given event ID

Base Command

deepinstinctv3-get-suspicious-events

Input

Argument Name	Description	Required
first_event_id	Get all suspicious events. Max events in response is 50, use first_event_id parameter to define first event id to get. Default is 0.	Required

Context Output

Path	Type	Description
deepinstinctv3.Suspicious-Events.events.ID	number	event ID
deepinstinctv3.Suspicious-Events.events.device_id	number	event device ID
deepinstinctv3.Suspicious-Events.events.timestamp	string	event timestamp from device
deepinstinctv3.Suspicious-Events.events.insertion_timestamp	string	event timestamp from console
deepinstinctv3.Suspicious-Events.events.status	string	event status
deepinstinctv3.Suspicious-Events.events.recorded_device_info	unkown	event device info
deepinstinctv3.Suspicious-Events.events.msp_name	string	event msp name
deepinstinctv3.Suspicious-Events.events.msp_id	number	event msp id
deepinstinctv3.Suspicious-Events.events.tenant_name	string	event tenant name
deepinstinctv3.Suspicious-Events.events.tenant_id	number	event tenant id
deepinstinctv3.Suspicious-Events.events.mitre_classifications	unknown	event MITRE classification
deepinstinctv3.Suspicious-Events.events.type	string	event type
deepinstinctv3.Suspicious-Events.events.trigger	string	event trigger
deepinstinctv3.Suspicious-Events.events.action	string	event action
deepinstinctv3.Suspicious-Events.events.close_trigger	string	event close trigger
deepinstinctv3.Suspicious-Events.events.file_type	string	event file type
deepinstinctv3.Suspicious-Events.events.rule_trigger	string	event rule trigger
deepinstinctv3.Suspicious-Events.events.file_archive_hash	string	event file archive hash
deepinstinctv3.Suspicious-Events.events.remediation	unknown	event remediation
deepinstinctv3.Suspicious-Events.events.path	unknown	event file path

deepinstinctv3-get-all-groups

---

Get all groups

Base Command

deepinstinctv3-get-all-groups

Input

There are no input arguments for this command.

Context Output

Path	Type	Description
deepinstinctv3.Groups.ID	number	group id
deepinstinctv3.Groups.is_default_group	boolean	True if group is a default group, false otherwise
deepinstinctv3.Groups.msp_id	number	msp ID
deepinstinctv3.Groups.name	string	group name
deepinstinctv3.Groups.os	string	group operation system
deepinstinctv3.Groups.policy_id	number	group policy ID

deepinstinctv3-get-all-policies

---

Get list of all policies

Base Command

deepinstinctv3-get-all-policies

Input

There are no input arguments for this command.

Context Output

Path	Type	Description
deepinstinctv3.Policies.ID	number	policy ID
deepinstinctv3.Policies.name	string	policy name
deepinstinctv3.Policies.os	string	policy operating system
deepinstinctv3.Policies.is_default_policy	boolean	True if policy is a default policy, False otherwise
deepinstinctv3.Policies.msp_id	number	msp ID
deepinstinctv3.Policies.msp_name	string	msp name

deepinstinctv3-add-hash-to-deny-list

---

Add file hash to Deny List

Base Command

deepinstinctv3-add-hash-to-deny-list

Input

Argument Name	Description	Required
policy_id	Policy ID.	Required
file_hash	file hash.	Required
comment	comment to hash field.	Optional

Context Output

There is no context output for this command.

deepinstinctv3-add-hash-to-allow-list

---

Add file hash to Allow List

Base Command

deepinstinctv3-add-hash-to-allow-list

Input

Argument Name	Description	Required
policy_id	Policy ID.	Required
file_hash	file hash.	Required
comment	comment to hash field.	Optional

Context Output

There is no context output for this command.

deepinstinctv3-remove-hash-from-deny-list

---

Remove hash from Deny List

Base Command

deepinstinctv3-remove-hash-from-deny-list

Input

Argument Name	Description	Required
policy_id	Policy ID.	Required
file_hash	file hash.	Required

Context Output

There is no context output for this command.

deepinstinctv3-remove-hash-from-allow-list

---

Remove hash from Allow List

Base Command

deepinstinctv3-remove-hash-from-allow-list

Input

Argument Name	Description	Required
policy_id	Policy ID.	Required
file_hash	file hash.	Required

Context Output

There is no context output for this command.

deepinstinctv3-add-devices-to-group

---

Add multiple devices to a group

Base Command

deepinstinctv3-add-devices-to-group

Input

Argument Name	Description	Required
group_id	group ID.	Required
device_ids	comma seperated list of device ids to address.	Required

Context Output

There is no context output for this command.

deepinstinctv3-remove-devices-from-group

---

Remove list of devices from groups

Base Command

deepinstinctv3-remove-devices-from-group

Input

Argument Name	Description	Required
group_id	Group ID to remove from.	Required
device_ids	Comma seperated list of device ids to remove.	Required

Context Output

There is no context output for this command.

deepinstinctv3-delete-files-remotely

---

Delete multiple files remotely

Base Command

deepinstinctv3-delete-files-remotely

Input

Argument Name	Description	Required
event_ids	comma separated list of event ids.	Required

Context Output

There is no context output for this command.

deepinstinctv3-terminate-processes

---

Terminate list of processes

Base Command

deepinstinctv3-terminate-processes

Input

Argument Name	Description	Required
event_ids	comma separated list of event ids.	Required

Context Output

There is no context output for this command.

deepinstinctv3-close-events

---

Close list of events

Base Command

deepinstinctv3-close-events

Input

Argument Name	Description	Required
event_ids	comma separated list of event ids.	Required

Context Output

There is no context output for this command.

deepinstinctv3-disable-device

---

Disable device at next check-in

Base Command

deepinstinctv3-disable-device

Input

Argument Name	Description	Required
device_id	single device id.	Required

Context Output

There is no context output for this command.

deepinstinctv3-enable-device

---

Enable device at next check-in

Base Command

deepinstinctv3-enable-device

Input

Argument Name	Description	Required
device_id	single device id.	Required

Context Output

There is no context output for this command.

deepinstinctv3-isolate-from-network

---

Isolate device(s) from Network

Base Command

deepinstinctv3-isolate-from-network

Input

Argument Name	Description	Required
device_ids	comma separated list of device ids.	Required

Context Output

There is no context output for this command.

deepinstinctv3-release-from-isolation

---

Release device(s) from isolation

Base Command

deepinstinctv3-release-from-isolation

Input

Argument Name	Description	Required
device_ids	comma separated list of device ids.	Required

Context Output

There is no context output for this command.

deepinstinctv3-remote-file-upload

---

Upload file associated with given event id at next check-in

Base Command

deepinstinctv3-remote-file-upload

Input

Argument Name	Description	Required
event_id	the event id.	Required

Context Output

There is no context output for this command.

deepinstinctv3-upload-logs

---

Upload device logs from given device at next check-in

Base Command

deepinstinctv3-upload-logs

Input

Argument Name	Description	Required
device_id	single device id.	Required

Context Output

There is no context output for this command.

deepinstinctv3-remove-device

---

Remove agent from device at next check-in

Base Command

deepinstinctv3-remove-device

Input

Argument Name	Description	Required
device_id	single device id.	Required

Context Output

There is no context output for this command.