DeepInstinct v3
DeepInstinct Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.2.0 and later.
Deep Instinct is a prevention-first approach to stopping ransomware and other malware using the world's first purpose-built, deep learning cybersecurity framework. This integration was integrated and tested with version 3.3.x of DeepInstinct v3
This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.
#
Configure DeepInstinct v3 in CortexParameter | Required |
---|---|
Base server URL | True |
API Key | True |
First event ID to fetch from | False |
Fetch incidents | False |
Incidents Fetch Interval | False |
Incident type | False |
Trust any certificate (not secure) | False |
Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
deepinstinctv3-get-deviceGet device information from its ID
#
Base Commanddeepinstinctv3-get-device
#
InputArgument Name | Description | Required |
---|---|---|
device_id | Get device information from its ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
deepinstinctv3.devices.ID | number | Device ID |
deepinstinctv3.devices.os | string | Device OS |
deepinstinctv3.devices.osv | string | Device OS version |
deepinstinctv3.devices.ip_address | string | Device IP address |
deepinstinctv3.devices.email | sting | Device email ip_address |
deepinstinctv3.devices.mac_address | string | Device mac address |
deepinstinctv3.devices.hostname | string | Device hostname |
deepinstinctv3.devices.domain | string | Device domain |
deepinstinctv3.devices.scanned_files | number | Num of device scanned files |
deepinstinctv3.devices.comment | string | Device comment |
deepinstinctv3.devices.tag | string | Device tag |
deepinstinctv3.devices.connectivity_status | string | Device connectivity status |
deepinstinctv3.devices.deployment_status | string | Device deployment status |
deepinstinctv3.devices.deployment_status_last_update | string | Device last client version update |
deepinstinctv3.devices.license_status | string | Device license status |
deepinstinctv3.devices.last_registration | string | Device last registration datetime |
deepinstinctv3.devices.last_contact | string | Device last contact datetime |
deepinstinctv3.devices.distinguished_name | string | Device distinguished name |
deepinstinctv3.devices.group_name | string | Device group name |
deepinstinctv3.devices.group_id | number | Device group ID |
deepinstinctv3.devices.policy_name | string | Device policy name |
deepinstinctv3.devices.policy_id | number | Device policy ID |
deepinstinctv3.devices.log_status | string | Device log status |
deepinstinctv3.devices.agent_version | string | Device agent version |
deepinstinctv3.devices.brain_version | string | Device brain version |
deepinstinctv3.devices.logged_in_users | string | Device logged in user(s) |
deepinstinctv3.devices.msp_name | string | Device msp name |
deepinstinctv3.devices.msp_id | number | Device msp ID |
deepinstinctv3.devices.tenant_name | string | Device tenant name |
deepinstinctv3.devices.tenant_id | number | Device tenant ID |
#
deepinstinctv3-get-eventsGet all events after given event ID
#
Base Commanddeepinstinctv3-get-events
#
InputArgument Name | Description | Required |
---|---|---|
first_event_id | Get all events. Max events in response is 50, use first_event_id parameter to define first event id to get. Default is 0. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
deepinstinctv3.Events.events.id | number | event ID |
deepinstinctv3.Events.events.device_id | number | event device ID |
deepinstinctv3.Events.events.timestamp | string | event timestamp from device |
deepinstinctv3.Events.events.insertion_timestamp | string | event timestamp from console |
deepinstinctv3.Events.events.close_timestamp | string | event closed timestamp |
deepinstinctv3.Events.events.last_action | string | event last last_action |
deepinstinctv3.Events.events.status | string | event status |
deepinstinctv3.Events.events.comment | string | event comment |
deepinstinctv3.Events.events.recorded_device_info | unknown | event device information |
deepinstinctv3.Events.events.msp_name | string | event msp name |
deepinstinctv3.Events.events.msp_id | number | event msp id |
deepinstinctv3.Events.events.tenant_name | string | event tenant name |
deepinstinctv3.Events.events.tenant_id | number | event tenant id |
deepinstinctv3.Events.events.mitre_classifications | unknown | event MITRE classification |
deepinstinctv3.Events.events.type | string | event type |
deepinstinctv3.Events.events.trigger | string | event trigger |
deepinstinctv3.Events.events.action | string | event action |
deepinstinctv3.Events.events.close_trigger | string | event close trigger |
deepinstinctv3.Events.events.reoccurrence_count | number | event reoccurrence_count |
deepinstinctv3.Events.events.file_type | string | event file type |
deepinstinctv3.Events.events.file_hash | string | event file hash |
deepinstinctv3.Events.events.file_archive_hash | string | event file archive hash |
deepinstinctv3.Events.events.path | unknown | event file path |
deepinstinctv3.Events.events.file_size | number | event file size |
deepinstinctv3.Events.events.threat_severity | string | event threat severity |
deepinstinctv3.Events.events.certificate_thumbprint | string | event certificate certificate thumbprint |
deepinstinctv3.Events.events.certificate_vendor_name | string | event certificate certificate vendor name |
deepinstinctv3.Events.events.deep_classification | string | Deep Instinct classification |
deepinstinctv3.Events.events.file_status | string | event file status |
deepinstinctv3.Events.events.sandbox_status | string | event sandbox status |
#
deepinstinctv3-get-suspicious-eventsGet all suspicious events after given event ID
#
Base Commanddeepinstinctv3-get-suspicious-events
#
InputArgument Name | Description | Required |
---|---|---|
first_event_id | Get all suspicious events. Max events in response is 50, use first_event_id parameter to define first event id to get. Default is 0. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
deepinstinctv3.Suspicious-Events.events.ID | number | event ID |
deepinstinctv3.Suspicious-Events.events.device_id | number | event device ID |
deepinstinctv3.Suspicious-Events.events.timestamp | string | event timestamp from device |
deepinstinctv3.Suspicious-Events.events.insertion_timestamp | string | event timestamp from console |
deepinstinctv3.Suspicious-Events.events.status | string | event status |
deepinstinctv3.Suspicious-Events.events.recorded_device_info | unkown | event device info |
deepinstinctv3.Suspicious-Events.events.msp_name | string | event msp name |
deepinstinctv3.Suspicious-Events.events.msp_id | number | event msp id |
deepinstinctv3.Suspicious-Events.events.tenant_name | string | event tenant name |
deepinstinctv3.Suspicious-Events.events.tenant_id | number | event tenant id |
deepinstinctv3.Suspicious-Events.events.mitre_classifications | unknown | event MITRE classification |
deepinstinctv3.Suspicious-Events.events.type | string | event type |
deepinstinctv3.Suspicious-Events.events.trigger | string | event trigger |
deepinstinctv3.Suspicious-Events.events.action | string | event action |
deepinstinctv3.Suspicious-Events.events.close_trigger | string | event close trigger |
deepinstinctv3.Suspicious-Events.events.file_type | string | event file type |
deepinstinctv3.Suspicious-Events.events.rule_trigger | string | event rule trigger |
deepinstinctv3.Suspicious-Events.events.file_archive_hash | string | event file archive hash |
deepinstinctv3.Suspicious-Events.events.remediation | unknown | event remediation |
deepinstinctv3.Suspicious-Events.events.path | unknown | event file path |
#
deepinstinctv3-get-all-groupsGet all groups
#
Base Commanddeepinstinctv3-get-all-groups
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
deepinstinctv3.Groups.ID | number | group id |
deepinstinctv3.Groups.is_default_group | boolean | True if group is a default group, false otherwise |
deepinstinctv3.Groups.msp_id | number | msp ID |
deepinstinctv3.Groups.name | string | group name |
deepinstinctv3.Groups.os | string | group operation system |
deepinstinctv3.Groups.policy_id | number | group policy ID |
#
deepinstinctv3-get-all-policiesGet list of all policies
#
Base Commanddeepinstinctv3-get-all-policies
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
deepinstinctv3.Policies.ID | number | policy ID |
deepinstinctv3.Policies.name | string | policy name |
deepinstinctv3.Policies.os | string | policy operating system |
deepinstinctv3.Policies.is_default_policy | boolean | True if policy is a default policy, False otherwise |
deepinstinctv3.Policies.msp_id | number | msp ID |
deepinstinctv3.Policies.msp_name | string | msp name |
#
deepinstinctv3-add-hash-to-deny-listAdd file hash to Deny List
#
Base Commanddeepinstinctv3-add-hash-to-deny-list
#
InputArgument Name | Description | Required |
---|---|---|
policy_id | Policy ID. | Required |
file_hash | file hash. | Required |
comment | comment to hash field. | Optional |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-add-hash-to-allow-listAdd file hash to Allow List
#
Base Commanddeepinstinctv3-add-hash-to-allow-list
#
InputArgument Name | Description | Required |
---|---|---|
policy_id | Policy ID. | Required |
file_hash | file hash. | Required |
comment | comment to hash field. | Optional |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-remove-hash-from-deny-listRemove hash from Deny List
#
Base Commanddeepinstinctv3-remove-hash-from-deny-list
#
InputArgument Name | Description | Required |
---|---|---|
policy_id | Policy ID. | Required |
file_hash | file hash. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-remove-hash-from-allow-listRemove hash from Allow List
#
Base Commanddeepinstinctv3-remove-hash-from-allow-list
#
InputArgument Name | Description | Required |
---|---|---|
policy_id | Policy ID. | Required |
file_hash | file hash. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-add-devices-to-groupAdd multiple devices to a group
#
Base Commanddeepinstinctv3-add-devices-to-group
#
InputArgument Name | Description | Required |
---|---|---|
group_id | group ID. | Required |
device_ids | comma seperated list of device ids to address. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-remove-devices-from-groupRemove list of devices from groups
#
Base Commanddeepinstinctv3-remove-devices-from-group
#
InputArgument Name | Description | Required |
---|---|---|
group_id | Group ID to remove from. | Required |
device_ids | Comma seperated list of device ids to remove. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-delete-files-remotelyDelete multiple files remotely
#
Base Commanddeepinstinctv3-delete-files-remotely
#
InputArgument Name | Description | Required |
---|---|---|
event_ids | comma separated list of event ids. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-terminate-processesTerminate list of processes
#
Base Commanddeepinstinctv3-terminate-processes
#
InputArgument Name | Description | Required |
---|---|---|
event_ids | comma separated list of event ids. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-close-eventsClose list of events
#
Base Commanddeepinstinctv3-close-events
#
InputArgument Name | Description | Required |
---|---|---|
event_ids | comma separated list of event ids. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-disable-deviceDisable device at next check-in
#
Base Commanddeepinstinctv3-disable-device
#
InputArgument Name | Description | Required |
---|---|---|
device_id | single device id. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-enable-deviceEnable device at next check-in
#
Base Commanddeepinstinctv3-enable-device
#
InputArgument Name | Description | Required |
---|---|---|
device_id | single device id. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-isolate-from-networkIsolate device(s) from Network
#
Base Commanddeepinstinctv3-isolate-from-network
#
InputArgument Name | Description | Required |
---|---|---|
device_ids | comma separated list of device ids. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-release-from-isolationRelease device(s) from isolation
#
Base Commanddeepinstinctv3-release-from-isolation
#
InputArgument Name | Description | Required |
---|---|---|
device_ids | comma separated list of device ids. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-remote-file-uploadUpload file associated with given event id at next check-in
#
Base Commanddeepinstinctv3-remote-file-upload
#
InputArgument Name | Description | Required |
---|---|---|
event_id | the event id. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-upload-logsUpload device logs from given device at next check-in
#
Base Commanddeepinstinctv3-upload-logs
#
InputArgument Name | Description | Required |
---|---|---|
device_id | single device id. | Required |
#
Context OutputThere is no context output for this command.
#
deepinstinctv3-remove-deviceRemove agent from device at next check-in
#
Base Commanddeepinstinctv3-remove-device
#
InputArgument Name | Description | Required |
---|---|---|
device_id | single device id. | Required |
#
Context OutputThere is no context output for this command.