Digital Shadows

This Integration is part of the ReliaQuest GreyMatter DRP Incidents Pack.

Digital Shadows monitors and manages an organization's digital risk across the widest range of data sources within the open, deep, and dark web.

Configure Digital Shadows on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Digital Shadows.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| server | Server URL | True |
| apikey | API Key | True |
| secret | Secret | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ds-get-breach-reviews

Retrieve all review updates for a given data breach record

Base Command

ds-get-breach-reviews

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| breach_id | Unique id of the data breach record to retrieve the status history for | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.BreachReviews.Note | unknown | The note at this version (max length 500 characters) |
| DigitalShadows.BreachReviews.Version | unknown | Starts counting at 1 and increments for each review of a given data breach credential. Will initially be 0 until a review is performed (when returned as part of a credential) |
| DigitalShadows.BreachReviews.Status | unknown | Review status |
| DigitalShadows.BreachReviews.UserID | unknown | ID of user that changed the status/set the note |
| DigitalShadows.BreachReviews.UserRole | unknown | Role of user that changed the status/set the note |
| DigitalShadows.BreachReviews.UserPermissions | unknown | Permissions of user that changed the status/set the note |
| DigitalShadows.BreachReviews.UserEmail | unknown | Email address of user that changed the status/set the note |
| DigitalShadows.BreachReviews.CreatedAt | unknown | The moment in time the review was created |

ds-snapshot-breach-status

Snapshot the review status of a data breach record

Base Command

ds-snapshot-breach-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| note | The note at this version (max length 500 characters). | Optional |
| status | Review status. | Required |
| version | When submitting, this value can be optionally set to the version of the most recently read review | Optional |
| breach_id | Unique id of the data breach record to submit a status update for | Required |

Context Output

There is no context output for this command.

ds-find-breach-records

Find data breach records

Base Command

ds-find-breach-records

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| filter_distinction | Narrow down to records based on how unique their username and/or password are. | Optional |
| filter_domainNames | Only records that are related to these domain names | Optional |
| filter_password | Records that match this password, use '*' for wildcard matching, '\*' to find an actual asterisk. | Optional |
| filter_published | Narrow down to records based on when they were published | Optional |
| filter_reviewStatuses | List of statuses to include. Possible values are OPEN, CLOSED, IGNORED | Optional |
| filter_username | Records that match this username, use '*' for wildcard matching. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.BreachRecords.Content | unknown | The row content of this data breach record (a line from a csv file, for example) |
| DigitalShadows.BreachRecords.Id | unknown | Identifier for this data breach record |
| DigitalShadows.BreachRecords.Password | unknown | The password found in the breach record, if any could be found |
| DigitalShadows.BreachRecords.DomainNames | unknown | The domain names identified within the breach row |
| DigitalShadows.BreachRecords.PriorRowTextBreachCount | unknown | The number of breaches the entire text of the breach row has appeared in prior to the current breach |
| DigitalShadows.BreachRecords.PriorUsernameBreachCount | unknown | The number of breaches this username appeared in prior to the current breach |
| DigitalShadows.BreachRecords.PriorUsernamePasswordBreachCount | unknown | The number of breaches this username/password combination has appeared in prior to the current breach |
| DigitalShadows.BreachRecords.Published | unknown | When did this record become available |
| DigitalShadows.BreachRecords.Review.Created | unknown | The moment in time the review was created. |
| DigitalShadows.BreachRecords.Review.Status | unknown | Review status |
| DigitalShadows.BreachRecords.Review.User.id | unknown | Unique id of user |
| DigitalShadows.BreachRecords.Review.User.fullName | unknown | Full name of the user |
| DigitalShadows.BreachRecords.Review.User.emailAddress | unknown | Email address of the user |
| DigitalShadows.BreachRecords.Username | unknown | A best effort to identify a username within the content of the breach record |
| DigitalShadows.BreachRecords.DataBreachId | unknown | The data breach this record belongs to |

Command Example

!ds-find-breach-records pagination_size=2

Context Example

{
"DigitalShadows": {
"BreachRecords": [
{
"Content": "A",
"DataBreachId": 99000001,
"DomainNames": [
"xsoar.com"
],
"Id": 140260931001,
"Password": "1",
"PriorRowTextBreachCount": null,
"PriorUsernameBreachCount": 0,
"PriorUsernamePasswordBreachCount": 0,
"Published": "2019-05-30T20:52:59.489Z",
"Review": {
"Created": null,
"Status": "OPEN",
"User": null
},
"Username": "some_mail@mail.com"
},
{
"Content": "B",
"DataBreachId": 99000002,
"DomainNames": [
"xsoar.com"
],
"Id": 140261100001,
"Password": "2",
"PriorRowTextBreachCount": null,
"PriorUsernameBreachCount": 0,
"PriorUsernamePasswordBreachCount": 0,
"Published": "2019-05-30T20:53:00.635Z",
"Review": {
"Created": null,
"Status": "OPEN",
"User": null
},
"Username": "another_mail@mail.com"
}
]
}
}

Human Readable Output

Digital Shadows Breach Records

| Content | DataBreachId | DomainNames | Id | Password | PriorRowTextBreachCount | PriorUsernameBreachCount | PriorUsernamePasswordBreachCount | Published | Review Created | Review Status | Review User | Username |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| A | 99000001 | xsoar.com | 140260931001 | 1 |  | 0 | 0 | 2019-05-30T20:52:59.489Z |  | OPEN |  | some_mail@mail.com |
| B | 99000002 | xsoar.com | 140261100001 | 2 |  | 0 | 0 | 2019-05-30T20:53:00.635Z |  | OPEN |  | another_mail@mail.com |
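
The BreachRecords context carries cleartext passwords next to the prior-breach counters, so a playbook step that consumes it usually wants to rank records and drop the secret before anything is written to an incident note. The following is an added example, not code from the integration: the triage categories, the function names and the sample records are assumptions made for illustration. It also accepts records without DomainNames (as returned by ds-get-breach-records) by falling back to the domain part of Username.

```python
import json

# Constructed sample shaped like the Context Example above (values invented).
SAMPLE_CONTEXT = json.loads("""
{"DigitalShadows": {"BreachRecords": [
  {"Id": 101, "Username": "alice@example.com", "Password": "Summer2019!",
   "DomainNames": ["example.com"], "PriorUsernameBreachCount": 0,
   "PriorUsernamePasswordBreachCount": 0,
   "Review": {"Created": null, "Status": "OPEN", "User": null}},
  {"Id": 102, "Username": "bob@example.com", "Password": "qwerty",
   "DomainNames": ["example.com"], "PriorUsernameBreachCount": 4,
   "PriorUsernamePasswordBreachCount": 3,
   "Review": {"Created": null, "Status": "OPEN", "User": null}},
  {"Id": 103, "Username": "carol@example.com", "Password": null,
   "PriorUsernameBreachCount": null,
   "PriorUsernamePasswordBreachCount": null,
   "Review": {"Created": null, "Status": "OPEN", "User": null}},
  {"Id": 104, "Username": "dave@example.com", "Password": "letmein",
   "DomainNames": ["example.com"], "PriorUsernameBreachCount": 0,
   "PriorUsernamePasswordBreachCount": 0,
   "Review": {"Created": "2019-06-01T00:00:00.000Z", "Status": "CLOSED", "User": null}},
  {"Id": 105, "Username": "erin@other.test", "Password": "x",
   "DomainNames": ["other.test"], "PriorUsernameBreachCount": 0,
   "PriorUsernamePasswordBreachCount": 0,
   "Review": {"Created": null, "Status": "OPEN", "User": null}}
]}}
""")

# Assumed ordering for the triage queue: previously unseen pairs first.
ORDER = {"NEW_CREDENTIAL": 0, "REPOSTED": 1, "NO_PASSWORD": 2}


def as_list(value):
    """A context path may hold a list, a single object, or nothing."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def record_domains(rec):
    """DomainNames if present, otherwise the domain part of Username."""
    names = as_list(rec.get("DomainNames"))
    username = rec.get("Username") or ""
    if not names and "@" in username:
        names = [username.rsplit("@", 1)[1]]
    return {n.lower() for n in names}


def classify(rec):
    """Assumed triage policy, not part of the integration."""
    if not rec.get("Password"):
        return "NO_PASSWORD"
    prior = rec.get("PriorUsernamePasswordBreachCount")
    # A null counter means the history is unknown; treat it as new.
    if prior is None or prior == 0:
        return "NEW_CREDENTIAL"
    return "REPOSTED"


def triage(context, monitored_domains):
    """Return OPEN records for monitored domains, ranked, without passwords."""
    records = as_list((context.get("DigitalShadows") or {}).get("BreachRecords"))
    monitored = {d.lower() for d in monitored_domains}
    findings = []
    for rec in records:
        if (rec.get("Review") or {}).get("Status") != "OPEN":
            continue
        if not record_domains(rec) & monitored:
            continue
        findings.append({
            "Id": rec.get("Id"),
            "Username": rec.get("Username"),
            "Category": classify(rec),
            # Only the fact that a password exists is kept, never its value.
            "PasswordPresent": bool(rec.get("Password")),
        })
    findings.sort(key=lambda f: (ORDER[f["Category"]], f["Id"] or 0))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CONTEXT, ["example.com"]):
        print(finding)
```
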

ds-get-breach-summary

Summary of all data breaches for the current client

Base Command

ds-get-breach-summary

Input

| Argument Name | Description | Required |
| --- | --- | --- |

Context Output

There is no context output for this command.

Command Example

!ds-get-breach-summary

Context Example

{}

Human Readable Output

{"breachesPerDomain":[{"count":3,"key":"molnnet.com"}],"totalBreaches":3,"totalUsernames":238,"usernamesPerDomain":[{"count":238,"key":"xsoar.com"}]}

ds-find-breach-usernames

Find unique usernames found across all data breaches

Base Command

ds-find-breach-usernames

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| filter_domainNames | Only records that are related to these domain names | Optional |
| filter_published | Narrow down to records based on when they were published | Optional |
| filter_reviewStatuses | List of statuses to include. Possible values are OPEN, CLOSED, IGNORED | Optional |
| filter_username | Records that match this username, use '*' for wildcard matching. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.Users.BreachCount | unknown | The number of data breaches this username has appeared on |
| DigitalShadows.Users.DistinctPasswordCount | unknown | The number of distinct passwords encountered for this user |
| DigitalShadows.Users.Username | unknown | The username that this summary is for |

Command Example

!ds-find-breach-usernames pagination_size=2

Context Example

{
"DigitalShadows": {
"Users": [
{
"BreachCount": 1,
"DistinctPasswordCount": 1,
"Username": "mail1@mail.com"
},
{
"BreachCount": 1,
"DistinctPasswordCount": 1,
"Username": "mail2@mail.com"
}
]
}
}

Human Readable Output

Digital SHadows Breach Reviews

| BreachCount | DistinctPasswordCount | Username |
| --- | --- | --- |
| 1 | 1 | mail1@mail.com |
| 1 | 1 | mail2@mail.com |

ds-get-breach

Retrieve a data breach by its id

Base Command

ds-get-breach

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| breach_id | Id of the data breach to retrieve | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.Breaches.DomainCount | unknown | Number of unique domains contained in the breach. |
| DigitalShadows.Breaches.DomainName | unknown | The domain the data breach occurred against |
| DigitalShadows.Breaches.DataClasses | unknown | Data types contained within the breach |
| DigitalShadows.Breaches.Id | unknown | Unique identifier for a breach |
| DigitalShadows.Breaches.IncidentId | unknown | The ID of the incident raised for the breach, most specific to the client. |
| DigitalShadows.Breaches.IncidentScope | unknown | The scope of the incident raised for the breach, most specific to the client. |
| DigitalShadows.Breaches.IncidentSeverity | unknown | The severity of the incident raised for the breach, most specific to the client. |
| DigitalShadows.Breaches.IncidentTitle | unknown | The title of the incident raised for the breach, most specific to the client. |
| DigitalShadows.Breaches.IncidentType | unknown | The type of the incident raised for the breach, most specific to the client. |
| DigitalShadows.Breaches.Occurred | unknown | Date the breach occurred |
| DigitalShadows.Breaches.RecordCount | unknown | Number of records contained in the breach |
| DigitalShadows.Breaches.SourceUrl | unknown | The url the data breach was found on |
| DigitalShadows.Breaches.Title | unknown | The title assigned to this data breach |

Command Example

!ds-get-breach breach_id=99000001

Context Example

{
"DigitalShadows": {
"Breaches": {
"DataClasses": [
"EMAIL_ADDRESSES",
"PASSWORDS"
],
"DomainCount": 3372,
"DomainName": "xsoar.com",
"Id": 99000001,
"IncidentId": 99002706,
"IncidentScope": "ORGANIZATION",
"IncidentSeverity": "HIGH",
"IncidentTitle": "Report of data leak from xsoar.com",
"IncidentType": "DATA_LEAKAGE",
"Occurred": "2016-07-03",
"RecordCount": 5846,
"SourceUrl": "some_url",
"Title": "Report of data leak from xsoar.com"
}
}
}

Human Readable Output

Digital Shadows Breaches

| DataClasses | DomainCount | DomainName | Id | IncidentId | IncidentScope | IncidentSeverity | IncidentTitle | IncidentType | Occurred | RecordCount | SourceUrl | Title |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| EMAIL_ADDRESSES,PASSWORDS | 3372 | xsoar.com | 99000001 | 99002706 | ORGANIZATION | HIGH | Report of data leak from xsoar.com | DATA_LEAKAGE | 2016-07-03 | 5846 | some_url | Report of data leak from xsoar.com |

ds-get-breach-records

Find data breach records

Base Command

ds-get-breach-records

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| breach_id | Unique id of the data breach to retrieve records for | Required |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| filter_distinction | Narrow down to records based on how unique their username and/or password are. | Optional |
| filter_domainNames | Only records that are related to these domain names | Optional |
| filter_password | Records that match this password, use '*' for wildcard matching, '\*' to find an actual asterisk. | Optional |
| filter_published | Narrow down to records based on when they were published | Optional |
| filter_reviewStatuses | List of statuses to include. Possible values are OPEN, CLOSED, IGNORED | Optional |
| filter_username | Records that match this username, use '*' for wildcard matching. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.BreachRecords.Id | unknown | Identifier for this data breach record |
| DigitalShadows.BreachRecords.Password | unknown | The password found in the breach record, if any could be found |
| DigitalShadows.BreachRecords.PriorRowTextBreachCount | unknown | The number of breaches the entire text of the breach row has appeared in prior to the current breach |
| DigitalShadows.BreachRecords.PriorUsernameBreachCount | unknown | The number of breaches this username appeared in prior to the current breach |
| DigitalShadows.BreachRecords.PriorUsernamePasswordBreachCount | unknown | The number of breaches this username/password combination has appeared in prior to the current breach |
| DigitalShadows.BreachRecords.Published | unknown | When did this record become available |
| DigitalShadows.BreachRecords.Review.Created | unknown | The most recent review for this record |
| DigitalShadows.BreachRecords.Review.Status | unknown | The status of the most recent review for this record |
| DigitalShadows.BreachRecords.Review.User | unknown | The user who created the most recent review for this record |
| DigitalShadows.BreachRecords.Username | unknown | A best effort to identify a username within the content of the breach record |

Command Example

!ds-get-breach-records breach_id=99000001 pagination_size=2

Context Example

{
"DigitalShadows": {
"BreachRecords": [
{
"Id": 140260931001,
"Password": "1",
"PriorRowTextBreachCount": null,
"PriorUsernameBreachCount": 0,
"PriorUsernamePasswordBreachCount": 0,
"Published": "2019-05-30T20:52:59.489Z",
"Review": {
"Created": null,
"Status": "OPEN",
"User": null
},
"Username": "some_mail@mail.com"
},
{
"Id": 140260944001,
"Password": "2",
"PriorRowTextBreachCount": null,
"PriorUsernameBreachCount": 0,
"PriorUsernamePasswordBreachCount": 0,
"Published": "2019-05-30T20:52:59.489Z",
"Review": {
"Created": null,
"Status": "OPEN",
"User": null
},
"Username": "another_mail@mail.com"
}
]
}
}

Human Readable Output

Digital Shadows Breach Records

| Id | Password | PriorRowTextBreachCount | PriorUsernameBreachCount | PriorUsernamePasswordBreachCount | Published | Review Created | Review Status | Review User | Username |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 140260931001 | 1 |  | 0 | 0 | 2019-05-30T20:52:59.489Z |  | OPEN |  | some_mail@mail.com |
| 140260944001 | 2 |  | 0 | 0 | 2019-05-30T20:52:59.489Z |  | OPEN |  | another_mail@mail.com |

ds-find-data-breaches

Find data breaches

Base Command

ds-find-data-breaches

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| filter_alerted | Only include data breaches with associated incidents that have been alerted | Optional |
| filter_domainNamesOnRecords | List of domain names to filter by. Only data breaches that have one or more records attributed to this domain name | Optional |
| filter_minimumTotalRecords | Only include data breaches that have at least this many total records (inclusive) | Optional |
| filter_published | Narrow down to records based on when they were published | Optional |
| filter_repostedCredentials | Filter out breaches depending on whether they consist entirely of reposted credentials or not. ORIGINAL or REPOST | Optional |
| filter_severities | Only include data breaches with associated incidents having one of these severities, if not specified, all are considered | Optional |
| filter_statuses | List of statuses to filter by. Possible values: UNREAD, READ, CLOSED. | Optional |
| filter_username | Only show breaches that include this username | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.Breaches.DomainCount | unknown | Number of unique domains contained in the breach |
| DigitalShadows.Breaches.DomainName | unknown | The domain the data breach occurred against |
| DigitalShadows.Breaches.DataClasses | unknown | Data types contained within the breach |
| DigitalShadows.Breaches.Id | unknown | Unique identifier for a breach |
| DigitalShadows.Breaches.IncidentId | unknown | The ID of the incident raised for the breach, most specific to the client. |
| DigitalShadows.Breaches.IncidentScope | unknown | The scope of the incident raised for the breach, most specific to the client. |
| DigitalShadows.Breaches.IncidentSeverity | unknown | The severity of the incident raised for the breach, most specific to the client. |
| DigitalShadows.Breaches.IncidentTitle | unknown | The title of the incident raised for the breach, most specific to the client. |
| DigitalShadows.Breaches.IncidentType | unknown | The type of the incident raised for the breach, most specific to the client. |
| DigitalShadows.Breaches.Occurred | unknown | Date the breach occurred |
| DigitalShadows.Breaches.Modified | unknown | When was this breach last modified |
| DigitalShadows.Breaches.RecordCount | unknown | Number of records contained in the breach |
| DigitalShadows.Breaches.SourceUrl | unknown | The url the data breach was found on |
| DigitalShadows.Breaches.Title | unknown | The title assigned to this data breach |
| DigitalShadows.Breaches.OrganisationUsernameCount | unknown | The number of distinct usernames found that belong to the current organisation |

Command Example

!ds-find-data-breaches pagination_size=2

Context Example

{
"DigitalShadows": {
"Breaches": [
{
"DataClasses": null,
"DomainCount": 3372,
"DomainName": "xsoar.com",
"Id": 99000001,
"IncidentId": 99002706,
"IncidentScope": "ORGANIZATION",
"IncidentSeverity": "HIGH",
"IncidentTitle": "Report of data leak from xsoar.com",
"IncidentType": "DATA_LEAKAGE",
"Modified": "2018-07-24T18:24:59.449Z",
"Occurred": "2016-07-03",
"OrganisationUsernameCount": 100,
"RecordCount": 5846,
"SourceUrl": "some_url",
"Title": "Report of data leak from xsoar.com"
},
{
"DataClasses": null,
"DomainCount": 5848,
"DomainName": "someDomain.com",
"Id": 99000000,
"IncidentId": 99002728,
"IncidentScope": "ORGANIZATION",
"IncidentSeverity": "HIGH",
"IncidentTitle": "Report of data leak from someDomain.com",
"IncidentType": "DATA_LEAKAGE",
"Modified": "2018-07-24T18:22:42.780Z",
"Occurred": "2016-06-29",
"OrganisationUsernameCount": 100,
"RecordCount": 5858,
"SourceUrl": "another_url",
"Title": "Report of data leak from someDomain.com"
}
]
}
}

Human Readable Output

Digital Shadows Breaches

| DataClasses | DomainCount | DomainName | Id | IncidentId | IncidentScope | IncidentSeverity | IncidentTitle | IncidentType | Modified | Occurred | OrganisationUsernameCount | RecordCount | SourceUrl | Title |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|  | 3372 | xsoar.com | 99000001 | 99002706 | ORGANIZATION | HIGH | Report of data leak from xsoar.com | DATA_LEAKAGE | 2018-07-24T18:24:59.449Z | 2016-07-03 | 100 | 5846 | some_url | Report of data leak from xsoar.com |
|  | 5848 | someDomain.com | 99000000 | 99002728 | ORGANIZATION | HIGH | Report of data leak from someDomain.com | DATA_LEAKAGE | 2018-07-24T18:22:42.780Z | 2016-06-29 | 100 | 5858 | another_url | Report of data leak from someDomain.com |

ds-get-incident

Retrieve an incident by its id

Base Command

ds-get-incident

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Identifier of the incident | Required |
| fulltext | Show full text results | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.Incidents.Alerted | unknown | The moment this incident was brought to the attention of the client |
| DigitalShadows.Incidents.Description | unknown | Plain text description of this incident |
| DigitalShadows.Incidents.ImpactDescription | unknown | Description of what impact the incident will have |
| DigitalShadows.Incidents.Id | unknown | Identifier for this incident, unique in combination with the scope |
| DigitalShadows.Incidents.Internal | unknown | Will be true if domain belongs to your organization (as defined by the assets), false otherwise |
| DigitalShadows.Incidents.Mitigation | unknown | Information about what can be done to mitigate the effect of the problem |
| DigitalShadows.Incidents.Occurred | unknown | Best effort to establish when the incident occurred |
| DigitalShadows.Incidents.Modified | unknown | When was this incident last modified |
| DigitalShadows.Incidents.Scope | unknown | Identifies whether this incident applies globally (intelligence) or just to your organization |
| DigitalShadows.Incidents.Type | unknown | The category of incident that has been raised |
| DigitalShadows.Incidents.Title | unknown | A short but descriptive identifier for the incident |
| DigitalShadows.Incidents.Review.Created | unknown | The moment in time the review was created |
| DigitalShadows.Incidents.Review.Status | unknown | Review status |
| DigitalShadows.Incidents.Review.User | unknown | The user that changed the status/set the note |
| DigitalShadows.Incidents.SubType | unknown | The sub-category of incident that has been raised, if available |
| DigitalShadows.Incidents.Severity | unknown | Analyst defined severity based on potential risk to the client |

Command Example

!ds-get-incident incident_id=99002724

Context Example

{
"DigitalShadows": {
"Incidents": {
"Alerted": null,
"Description": "Several documents in .docx, .xls, and .ppt format were identified on a publicly accessible some derive on the following IP: 1.2.3.4. \r\n",
"Id": 99002724,
"ImpactDescription": "The IP address contained 30 documents relating to the Company at the following paths: \r\n\r\n1.\thxxps://1.2.3.4//man",
"Internal": false,
"Mitigation": "As the drives are no longer accessible",
"Modified": "2020-11-06T00:22:57.753Z",
"Occurred": "2018-08-23T03:45:57.215Z",
"Review": {
"Created": "2019-08-01T13:19:53.522Z",
"Status": "UNREAD",
"User": null
},
"Scope": "ORGANIZATION",
"Severity": "MEDIUM",
"SubType": "UNMARKED_DOCUMENT",
"Title": "Vendor documents identified on publicly accessible Network Attached Storage drive",
"Type": "DATA_LEAKAGE"
}
}
}

Human Readable Output

Digital Shadows Incidents

| Alerted | Description | Id | ImpactDescription | Internal | Mitigation | Modified | Occurred | Review Created | Review Status | Review User | Scope | Severity | SubType | Title | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|  | Several documents in .docx, .xls, and .ppt format were identified on a publicly accessible some derive on the following IP: 1.2.3.4. | 99002724 | The IP address contained 30 documents relating to the Company at the following paths: 1. hxxps://1.2.3.4//man | false | As the drives are no longer accessible. | 2020-11-06T00:22:57.753Z | 2018-08-23T03:45:57.215Z | 2019-08-01T13:19:53.522Z | UNREAD |  | ORGANIZATION | MEDIUM | UNMARKED_DOCUMENT | Vendor documents identified on publicly accessible Network Attached Storage drive | DATA_LEAKAGE |

ds-get-incident-reviews

Retrieve all review updates for a given incident

Base Command

ds-get-incident-reviews

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Id of the incident to retrieve the review history for. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.IncidentReviews.Note | unknown | The note at this version (max length 500 characters) |
| DigitalShadows.IncidentReviews.Created | unknown | The moment in time the review was created |
| DigitalShadows.IncidentReviews.Status | unknown | Review status |
| DigitalShadows.IncidentReviews.User.Id | unknown | The unique id of the user that changed the status/set the note. |
| DigitalShadows.IncidentReviews.User.EmailAddress | unknown | The email address of the user that changed the status/set the note. |
| DigitalShadows.IncidentReviews.User.FullName | unknown | The full name of the user that changed the status/set the note. |
| DigitalShadows.IncidentReviews.User.Role | unknown | The role of the user that changed the status/set the note. |
| DigitalShadows.IncidentReviews.User.Status | unknown | The status of the user that changed the status/set the note. |

Command Example

!ds-get-incident-reviews incident_id=99002724

Context Example

{
"DigitalShadows": {
"IncidentReviews": {
"Created": "2019-08-01T13:19:53.522Z",
"Note": null,
"Status": "UNREAD",
"User": {
"EmailAddress": null,
"FullName": null,
"Id": null,
"Role": null,
"Status": null
},
"Version": 1
}
}
}

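Human Readable Output

Digital Shadows Incident Reviews

| Created | Note | Status | User EmailAddress | User FullName | User Id | User Role | User Status | Version |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2019-08-01T13:19:53.522Z |  | UNREAD |  |  |  |  |  | 1 |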

ds-snapshot-incident-review

Snapshot the review status of an incident

Base Command

ds-snapshot-incident-review

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Id of the incident to apply a review update to. | Required |
| note | The note at this version (max length 500 characters). | Optional |
| status | Review status | Optional |
| version | When submitting, this value can be optionally set to the version of the most recently read review. If the version on the server does not match this value, a 409 conflict will be returned. | Optional |

Context Output

There is no context output for this command.
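
The version argument is an optimistic-concurrency guard: passing the version read from ds-get-incident-reviews keeps an automated close from overriding a review an analyst submitted in the meantime. The following is an added example, not code from the integration or the Digital Shadows API: ReviewStore is a hypothetical in-memory model of the server behaviour described above (version counting from 1, a 409 on mismatch), and close_if_unread is a hypothetical playbook step.

```python
class ConflictError(Exception):
    """Stands in for the 409 conflict response described above."""


class ReviewStore:
    """In-memory model of per-incident review history (assumed semantics)."""

    def __init__(self):
        self._history = {}

    def _reviews(self, incident_id):
        # Assumption: every incident starts with one UNREAD review, version 1.
        return self._history.setdefault(
            incident_id, [{"Version": 1, "Status": "UNREAD", "Note": None}])

    def get_reviews(self, incident_id):
        return [dict(r) for r in self._reviews(incident_id)]

    def snapshot(self, incident_id, status, note=None, version=None):
        if note is not None and len(note) > 500:
            raise ValueError("note exceeds 500 characters")
        reviews = self._reviews(incident_id)
        current = reviews[-1]["Version"]
        # The check only applies when the caller supplies a version.
        if version is not None and version != current:
            raise ConflictError(
                f"expected version {version}, server has {current}")
        reviews.append({"Version": current + 1, "Status": status, "Note": note})
        return current + 1


def close_if_unread(store, incident_id, note, use_version=True, interleave=None):
    """Close an incident only if nobody has reviewed it yet.

    `interleave` is a test hook that runs between the read and the write,
    simulating an analyst acting in that window.
    """
    latest = store.get_reviews(incident_id)[-1]
    if latest["Status"] != "UNREAD":
        return "skipped"
    if interleave:
        interleave()
    try:
        store.snapshot(incident_id, "CLOSED", note=note[:500],
                       version=latest["Version"] if use_version else None)
    except ConflictError:
        # Someone else wrote first; leave their review as the latest one.
        return "conflict"
    return "closed"


def demo():
    """Run the same race with and without the version guard."""
    results = {}
    for use_version in (False, True):
        store = ReviewStore()

        def analyst():
            store.snapshot(99002724, "READ", note="Investigating, do not close")

        outcome = close_if_unread(store, 99002724, "Auto-closed by playbook",
                                  use_version=use_version, interleave=analyst)
        results[use_version] = (outcome,
                                store.get_reviews(99002724)[-1]["Status"])
    return results


if __name__ == "__main__":
    print(demo())
```
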

ds-find-incidents-filtered

Find incidents with filtering options

Base Command

ds-find-incidents-filtered

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| subscribed | If true, the results will also include any subscribed intelligence incidents. | Optional |
| subscribedOnly | If true, the only results returned will be subscribed intelligence incidents. Must not be set to true with subscribed set to false | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| filter_alerted | Only incidents that have been alerted to the client. | Optional |
| filter_dateRange | Only return results that were verified/occurred/modified within this date range (inclusive). The field this applies to is controlled by dateRangeField. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_dateRangeField | Determines which date/time field the dateRange will apply to. | Optional |
| filter_domainName | Only incidents that have this domain, applied if domainSelection is null or CUSTOM | Optional |
| filter_domainSelection | Determine how domain filtering will be applied. | Optional |
| filter_identifier | Only return the incident that has this identifier. | Optional |
| filter_repostedCredentials | Option specific to data breach based incidents to filter out new and reposted breach credentials. ORIGINAL, REPOST | Optional |
| filter_severities | Only include incidents with these severities, if not specified, all are considered. VERY_HIGH, HIGH, MEDIUM, LOW, VERY_LOW, NONE | Optional |
| filter_statuses | UNREAD, READ, CLOSED | Optional |
| filter_types_type | The category of incident that has been raised. | Optional |
| filter_types_subTypes | The sub-category of incident that has been raised, if available. | Optional |
| filter_types_content_severity | Analyst defined severity based on potential risk to the client. | Optional |
| filter_tagOperator | Whether multiple tags should be logically applied as AND/OR with the resultset | Optional |
| filter_withContentRemoved | Include incidents for which the content of the incident has been removed from the source. | Optional |
| filter_withTakedown | Include incidents on which one or more takedown requests have been generated. | Optional |
| filter_withoutContentRemoved | Include incidents for which the content of the incident has not been removed from the source. | Optional |
| filter_withoutTakedown | Include incidents on which a takedown request has not been generated. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.Incidents.Alerted | unknown | The moment this incident was brought to the attention of the client |
| DigitalShadows.Incidents.Description | unknown | Plain text description of this incident |
| DigitalShadows.Incidents.Id | unknown | Identifier for this incident, unique in combination with the scope |
| DigitalShadows.Incidents.Internal | unknown | Will be true if domain belongs to your organization (as defined by the assets), false otherwise |
| DigitalShadows.Incidents.Mitigation | unknown | Information about what can be done to mitigate the effect of the problem |
| DigitalShadows.Incidents.Modified | unknown | When was this incident last modified |
| DigitalShadows.Incidents.Occurred | unknown | Best effort to establish when the incident occurred |
| DigitalShadows.Incidents.Published | unknown | When was this incident originally published |
| DigitalShadows.Incidents.RestrictedContent | unknown | Identifies this incident as potentially containing questionable content. If this is true images will be restricted |
| DigitalShadows.Incidents.Scope | unknown | Identifies whether this incident applies globally (intelligence) or just to your organization |
| DigitalShadows.Incidents.Severity | unknown | Analyst defined severity based on potential risk to the client |
| DigitalShadows.Incidents.SubType | unknown | The sub-category of incident that has been raised, if available |
| DigitalShadows.Incidents.Verified | unknown | The moment when the incident was verified |
| DigitalShadows.Incidents.Type | unknown | The category of incident that has been raised |
| DigitalShadows.Incidents.Version | unknown | Each time an update occurs, this version number is incremented |
| DigitalShadows.Incidents.Review.Created | unknown | The date the review state for this incident was created |
| DigitalShadows.Incidents.Review.Status | unknown | The status of the review state for this incident |
| DigitalShadows.Incidents.Review.User.id | unknown | The user that created the review state for this incident |
| DigitalShadows.Incidents.Review.User.fullName | unknown | The full name of the user that created review state for this incident |

Command Example

!ds-find-incidents-filtered pagination_size=3

Context Example

{
"DigitalShadows": {
"Incidents": {
"Alerted": null,
"Description": "Several documents in .docx, .xls, and .ppt format were identified on a publicly accessible some derive on the following IP: 1.2.3.4.",
"Id": 99002724,
"Internal": null,
"Mitigation": "As the drives are no longer accessible.",
"Modified": "2020-11-05T00:33:48.344Z",
"Occurred": "2018-08-23T03:45:57.215Z",
"Published": "2020-11-04T23:59:59.999Z",
"RecordCount": null,
"RestrictedContent": null,
"Review": {
"Created": "2019-08-01T13:19:53.522Z",
"Status": "UNREAD",
"User": null
},
"Scope": "ORGANIZATION",
"Score": 0,
"Severity": "MEDIUM",
"SubType": {
"Error": "You must provide the query to use"
},
"Title": "Vendor documents identified on publicly accessible Network Attached Storage drive",
"Type": "DATA_LEAKAGE",
"Verified": {
"Error": "You must provide the query to use"
},
"Version": {
"Error": "You must provide the query to use"
}
}
}
}

Human Readable Output

Digital Shadows Incidents

| Alerted | Description | Id | Internal | Mitigation | Modified | Occurred | Published | RecordCount | RestrictedContent | Review Created | Review Status | Review User | Scope | Score | Severity | SubType | Title | Type | Verified | Version |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|  | Several documents in .docx, .xls, and .ppt format were identified on a publicly accessible some derive on the following IP: 1.2.3.4. | 99002724 |  | As the drives are no longer accessible. | 2020-11-05T00:33:48.344Z | 2018-08-23T03:45:57.215Z | 2020-11-04T23:59:59.999Z |  |  | 2019-08-01T13:19:53.522Z | UNREAD |  | ORGANIZATION | 0 | MEDIUM | {"Error":"You must provide the query to use"} | Vendor documents identified on publicly accessible Network Attached Storage drive | DATA_LEAKAGE | {"Error":"You must provide the query to use"} | {"Error":"You must provide the query to use"} |

ds-get-incidents-summary#


Aggregated summary of incident information used to generate reports/statistics

Base Command#

ds-get-incidents-summary

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_domainName | Only incidents that have this domain, applied if domainSelection is null or CUSTOM | Optional |
| filter_dateRangeField | Determines which date/time field the dateRange will apply to. | Optional |
| filter_identifier | Only return the incident that has this identifier. | Optional |
| filter_dateRange | Only return results that were verified/occurred/modified within this date range (inclusive). The field this applies to is controlled by dateRangeField. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| groupByKey | Determines which incident property will be grouped on. Mutually exclusive with groupByKeys | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |

Context Output#

There is no context output for this command.

Command Example#

!ds-get-incidents-summary pagination_size=2

Human Readable Output#

{"keySet":[null],"ranges":[{"groupedIncidentCounts":[{"count":25}],"rangeEnd":"2020-11-05T17:37:26.533Z","rangeStart":"2020-11-01T00:00:00.000Z","total":25}]}

ds-get-apt-report#


Retrieve details of the specified APT report

Base Command#

ds-get-apt-report

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The unique identifier assigned to a given APT report (UUID based). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.APTReports.Id | unknown | Internal identifier for uniquely identifying this report |
| DigitalShadows.APTReports.Name | unknown | Name assigned to this report for ease of identification |
| DigitalShadows.APTReports.Published | unknown | The date the report became available |
| DigitalShadows.APTReports.Report.Id | unknown | The ID of the report resource allowing it to be downloaded |
| DigitalShadows.APTReports.Report.Link | unknown | The link of the report resource allowing it to be downloaded |
| DigitalShadows.APTReports.Preview.Id | unknown | ID of a preview image of the frontpage of the report, if available |
| DigitalShadows.APTReports.Preview.Link | unknown | A fully qualified link URI for preview image of the frontpage of the report, if available |

ds-get-intelligence-incident#


Retrieve an intelligence incident by its id

Base Command#

ds-get-intelligence-incident

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The id of the intelligence incident to retrieve | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.IntelligenceIncidents.Description | unknown | Plain text description of this incident. |
| DigitalShadows.IntelligenceIncidents.Id | unknown | Identifier for this incident, unique in combination with the scope |
| DigitalShadows.IntelligenceIncidents.IndicatorOfCompromiseCount | unknown | Count of IOCs that can be retrieved via /api/incidents/{id}/iocs endpoint |
| DigitalShadows.IntelligenceIncidents.Internal | unknown | Will be true if domain belongs to your organization (as defined by the assets), false otherwise |
| DigitalShadows.IntelligenceIncidents.LinkedContentIncidents | unknown | Other incidents that appear to be based on the same content as this incident. Each incident record will normally only contain the id and the scope it applies to. Could also include more details depending on the context it is called in. |
| DigitalShadows.IntelligenceIncidents.Modified | unknown | When was this incident last modified |
| DigitalShadows.IntelligenceIncidents.Occurred | unknown | Best effort to establish when the incident occurred |
| DigitalShadows.IntelligenceIncidents.Published | unknown | When was this incident originally published |
| DigitalShadows.IntelligenceIncidents.RelatedIncidentId | unknown | If an incident specific to your organization exists for this intelligence incident, it will be included here. |
| DigitalShadows.IntelligenceIncidents.RestrictedContent | unknown | Identifies this incident as potentially containing questionable content. If this is true images will be restricted. |
| DigitalShadows.IntelligenceIncidents.Scope | unknown | Identifies whether this incident applies globally (intelligence) or just to your organization. |
| DigitalShadows.IntelligenceIncidents.Severity | unknown | Analyst defined severity based on potential risk to the client |
| DigitalShadows.IntelligenceIncidents.SubType | unknown | The sub-category of incident that has been raised, if available |
| DigitalShadows.IntelligenceIncidents.Title | unknown | A short but descriptive identifier for the incident |
| DigitalShadows.IntelligenceIncidents.Type | unknown | The category of incident that has been raised |
| DigitalShadows.IntelligenceIncidents.Verified | unknown | The moment when the incident was verified. |
| DigitalShadows.IntelligenceIncidents.Version | unknown | Each time an update occurs, this version number is incremented |

Command Example#

!ds-get-intelligence-incident incident_id=6470614

Context Example#

{
  "DigitalShadows": {
    "IntelligenceIncidents": {
      "Description": "Summary: some event in the past",
      "Id": 6470614,
      "IndicatorOfCompromiseCount": 0,
      "Internal": false,
      "LinkedContentIncidents": null,
      "Modified": "2018-08-30T07:18:22.566Z",
      "Occurred": "2016-02-08T10:55:00.000Z",
      "Published": "2016-02-08T12:22:03.203Z",
      "RelatedIncidentId": null,
      "RestrictedContent": false,
      "Scope": "GLOBAL",
      "Severity": "LOW",
      "SubType": null,
      "Title": "08 Feb 2016 protest update",
      "Type": "CYBER_THREAT",
      "Verified": "2016-02-08T11:22:48.539Z",
      "Version": 12
    }
  }
}

Human Readable Output#

Digital Shadows Intelligence Incident#

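| Description | Id | IndicatorOfCompromiseCount | Internal | LinkedContentIncidents | Modified | Occurred | Published | RelatedIncidentId | RestrictedContent | Scope | Severity | SubType | Title | Type | Verified | Version |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Summary: some event in the past | 6470614 | 0 | false |  | 2018-08-30T07:18:22.566Z | 2016-02-08T10:55:00.000Z | 2016-02-08T12:22:03.203Z |  | false | GLOBAL | LOW |  | 08 Feb 2016 protest update | CYBER_THREAT | 2016-02-08T11:22:48.539Z | 12 |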

ds-get-intelligence-incident-iocs#


Retrieve the indicatorsOfCompromise for this intel incident

Base Command#

ds-get-intelligence-incident-iocs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The intelligence incident identifier | Required |
| visible | List of values to control the visibility of elements. If a value is present then the corresponding element should be displayed | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| filter_value | The filter that will narrow the results based on one or more criteria | Optional |
| filter_types | List of types to filter by. Possible values are IP, MD5, SHA1, SHA256, URL, CVE, EMAIL, HOST, REGISTRY, FILEPATH, FILENAME | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.IntelligenceIncidentsIOCs.Id | unknown | Internal identifier for uniquely identifying this IOC |
| DigitalShadows.IntelligenceIncidentsIOCs.IntelIncident.Id | unknown | If this IOC is associated with an intel incident |
| DigitalShadows.IntelligenceIncidentsIOCs.IntelIncident.Scope | unknown | If this IOC is associated with an intel incident |
| DigitalShadows.IntelligenceIncidentsIOCs.Type | unknown | Identifies the type of indicator that also determines how it is encoded into a string |
| DigitalShadows.IntelligenceIncidentsIOCs.Value | unknown | The value of this indicator, encoded according to its type. For example hashes are base16 encoded. |
| DigitalShadows.IntelligenceIncidentsIOCs.Source | unknown | A comment provided by the analysts as to where this IOC came from. |
| DigitalShadows.IntelligenceIncidentsIOCs.LastUpdated | unknown | When this record last changed |
| DigitalShadows.IntelligenceIncidentsIOCs.AptReport.Id | unknown | If this IOC is associated with an APT report |

Command Example#

Human Readable Output#

ds-find-intelligence-incidents#


Find intelligence incidents

Base Command#

ds-find-intelligence-incidents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_dateRange | Only return results that were verified/occurred/modified within this date range (inclusive). The field this applies to is controlled by dateRangeField. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_dateRangeField | Determines which date/time field the dateRange will apply to. | Optional |
| filter_domainName | Only incidents that have this domain, applied if domainSelection is null or CUSTOM | Optional |
| filter_domainSelection | Determine how domain filtering will be applied. | Optional |
| filter_identifier | Only return the incident that has this identifier. | Optional |
| filter_severities | Only include SSL/certificate infrastructure incidents with these severities. String values from VERY_HIGH, HIGH, MEDIUM, LOW, VERY_LOW, NONE | Optional |
| filter_tagOperator | Whether multiple tags should be logically applied as AND/OR with the resultset | Optional |
| filter_tags_id | Limit to incidents that have these tags ids only. | Optional |
| filter_threatRecordIds | Restrict intel incidents to those tagged with one or more of these threat records. | Optional |
| filter_threatTypes_type | Restrict intel incidents to those associated with threats of these types: ACTOR, CAMPAIGN, EVENT, TOOL, SPECIFIC_TTP, LOCATION | Optional |
| filter_threatTypes | The type to match to. Will match to any incident with this type unless subTypes is not empty, in which case only incident matches based on the sub-type will be considered. | Optional |
| filter_threatSubTypes | List of specific sub type(s) to match to. String values from BRAND_MISUSE, COMPANY_THREAT, CORPORATE_INFORMATION, CREDENTIAL_COMPROMISE, CUSTOMER_DETAILS, CVE, DEFAMATION, DOMAIN_CERTIFICATE_ISSUE, EMPLOYEE_THREAT, EXPOSED_PORT, INTELLECTUAL_PROPERTY, INTERNALLY_MARKED_DOCUMENT, LEGACY_MARKED_DOCUMENT, MOBILE_APPLICATION, NEGATIVE_PUBLICITY, PERSONAL_INFORMATION, PHISHING_ATTEMPT, PROTECTIVELY_MARKED_DOCUMENT, SPOOF_PROFILE, TECHNICAL_INFORMATION, TECHNICAL_LEAKAGE, UNMARKED_DOCUMENT | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.IntelligenceIncidents.Description | unknown | Plain text description of this incident. |
| DigitalShadows.IntelligenceIncidents.Id | unknown | Identifier for this incident, unique in combination with the scope |
| DigitalShadows.IntelligenceIncidents.IndicatorOfCompromiseCount | unknown | Count of IOCs that can be retrieved via /api/incidents/{id}/iocs endpoint |
| DigitalShadows.IntelligenceIncidents.Internal | unknown | Will be true if domain belongs to your organization (as defined by the assets), false otherwise |
| DigitalShadows.IntelligenceIncidents.LinkedContentIncidents | unknown | Other incidents that appear to be based on the same content as this incident. Each incident record will normally only contain the id and the scope it applies to. Could also include more details depending on the context it is called in. |
| DigitalShadows.IntelligenceIncidents.Modified | unknown | When was this incident last modified |
| DigitalShadows.IntelligenceIncidents.Occurred | unknown | Best effort to establish when the incident occurred |
| DigitalShadows.IntelligenceIncidents.Published | unknown | When was this incident originally published |
| DigitalShadows.IntelligenceIncidents.RelatedIncidentId | unknown | If an incident specific to your organization exists for this intelligence incident, it will be included here. |
| DigitalShadows.IntelligenceIncidents.RestrictedContent | unknown | Identifies this incident as potentially containing questionable content. If this is true images will be restricted. |
| DigitalShadows.IntelligenceIncidents.Scope | unknown | Identifies whether this incident applies globally (intelligence) or just to your organization. |
| DigitalShadows.IntelligenceIncidents.Severity | unknown | Analyst defined severity based on potential risk to the client |
| DigitalShadows.IntelligenceIncidents.SubType | unknown | The sub-category of incident that has been raised, if available |
| DigitalShadows.IntelligenceIncidents.Title | unknown | A short but descriptive identifier for the incident |
| DigitalShadows.IntelligenceIncidents.Type | unknown | The category of incident that has been raised |
| DigitalShadows.IntelligenceIncidents.Verified | unknown | The moment when the incident was verified. |
| DigitalShadows.IntelligenceIncidents.Version | unknown | Each time an update occurs, this version number is incremented |

Command Example#

!ds-find-intelligence-incidents pagination_size=2

Context Example#

{
  "DigitalShadows": {
    "IntelligenceIncidents": [
      {
        "Description": "A new post was added to Happy Blog.",
        "Id": 65624604,
        "IndicatorOfCompromiseCount": 0,
        "Internal": false,
        "LinkedContentIncidents": null,
        "Modified": "2020-11-05T15:53:33.166Z",
        "Occurred": "2020-11-05T05:48:42.588Z",
        "Published": "2020-11-05T15:53:33.161Z",
        "RelatedIncidentId": null,
        "RestrictedContent": false,
        "Scope": "GLOBAL",
        "Severity": "LOW",
        "SubType": null,
        "Title": "Tipper: Richardson Sales Performance named on Happy Blog ",
        "Type": "CYBER_THREAT",
        "Verified": "2020-11-05T14:01:48.656Z",
        "Version": 7
      },
      {
        "Description": "A new post was added to Happy Blog.",
        "Id": 65604506,
        "IndicatorOfCompromiseCount": 0,
        "Internal": false,
        "LinkedContentIncidents": null,
        "Modified": "2020-11-05T15:47:36.590Z",
        "Occurred": "2020-11-04T21:48:04.784Z",
        "Published": "2020-11-05T15:47:36.582Z",
        "RelatedIncidentId": null,
        "RestrictedContent": false,
        "Scope": "GLOBAL",
        "Severity": "LOW",
        "SubType": null,
        "Title": "Tipper: New Jersey Dental Hygienists' Association",
        "Type": "CYBER_THREAT",
        "Verified": "2020-11-05T14:01:48.656Z",
        "Version": 7
      }
    ]
  }
}

Human Readable Output#

Digital Shadows Intelligence Incidents#

| Description | Id | IndicatorOfCompromiseCount | Internal | LinkedContentIncidents | Modified | Occurred | Published | RelatedIncidentId | RestrictedContent | Scope | Severity | SubType | Title | Type | Verified | Version |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| A new post was added to Happy Blog. | 65624604 | 0 | false |  | 2020-11-05T15:53:33.166Z | 2020-11-05T05:48:42.588Z | 2020-11-05T15:53:33.161Z |  | false | GLOBAL | LOW |  | Tipper: Richardson Sales Performance named on Happy Blog | CYBER_THREAT | 2020-11-05T14:01:48.656Z | 7 |
| A new post was added to Happy Blog. | 65604506 | 0 | false |  | 2020-11-05T15:47:36.590Z | 2020-11-04T21:48:04.784Z | 2020-11-05T15:47:36.582Z |  | false | GLOBAL | LOW |  | Tipper: New Jersey Dental Hygienists' Association | CYBER_THREAT | 2020-11-05T14:01:48.656Z | 7 |

ds-find-intelligence-incidents-regional#


Incidents grouped by the target country over a given time range

Base Command#

ds-find-intelligence-incidents-regional

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_id | Threat ID | Optional |
| countryTag_created | When was this tag created. | Optional |
| countryTag_description | Description text for this tag. | Optional |
| countryTag_id | Unique integer identifier for this tag | Optional |
| countryTag_name | The name of this tag. Is unique in combination with the type | Optional |
| countryTag_parent_id | Parent id of the tag | Optional |
| countryTag_threat_id | Unique integer identifier (among threats). | Optional |
| countryTag_threat_type | The type of profile being represented. | Optional |
| countryTag_type | The type of this tag. The name of tags with the same type must be unique. | Optional |
| filter_dateRange | Determines the interval the incidents must have occurred within to be included. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_periodRelativeTo | Optional timestamp that will be used as the end date for a period based dateRange. If not specified, then the end of the current day (based on the requesting user's timezone) will be used. | Optional |
| filter_tagType | What types of tags should be considered. Should be one of SOURCE_GEOGRAPHY or TARGET_GEOGRAPHY (the default) | Optional |
| regionTag_created | When was this tag created. | Optional |
| regionTag_description | Description text for this tag. | Optional |
| regionTag_id | Unique integer identifier for this tag | Optional |
| regionTag_name | The name of this tag. Is unique in combination with the type | Optional |
| regionTag_parent_id | Parent id of the tag | Optional |
| regionTag_threat_id | Unique integer identifier (among threats). | Optional |
| regionTag_threat_type | The type of profile being represented. | Optional |
| regionTag_type | The type of this tag. The name of tags with the same type must be unique. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.IntelligenceIncidentsRegional.CountryTag.Id | unknown | The ID of the country these incidents are attributed to |
| DigitalShadows.IntelligenceIncidentsRegional.CountryTag.Name | unknown | The country name these incidents are attributed to |
| DigitalShadows.IntelligenceIncidentsRegional.CountryTag.ParentId | unknown | The parent ID of the country these incidents are attributed to |
| DigitalShadows.IntelligenceIncidentsRegional.CountryTag.ThreatId | unknown | The threat id of the country tag these incidents are attributed to |
| DigitalShadows.IntelligenceIncidentsRegional.CountryTag.Type | unknown | The country tag type these incidents are attributed to |
| DigitalShadows.IntelligenceIncidentsRegional.IncidentIds | unknown | The list of intelligence incidents |

ds-get-intelligence-threat#


Retrieve a specific item of intelligence by its id

Base Command#

ds-get-intelligence-threat

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_id | The id of the intelligence threat to retrieve. | Required |
| opt | Options to include additional relevant data with the request | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.IntelligenceThreats.ActivityLevel | unknown | Level of activity, based on last active |
| DigitalShadows.IntelligenceThreats.DetailLevel | unknown | Determines how detailed the record is |
| DigitalShadows.IntelligenceThreats.EndDate | unknown | The end date of the period this was/is active |
| DigitalShadows.IntelligenceThreats.Id | unknown | Unique integer identifier (among threats) |
| DigitalShadows.IntelligenceThreats.ImageId | unknown | The unique identifier for an image of the threat, if available. The actual image can be retrieved by requesting /api/resources/{id} (replacing {id} with the value of this property). |
| DigitalShadows.IntelligenceThreats.ImageThumbnailId | unknown | The unique identifier for a thumbnail of the image, if available. The image can be retrieved by requesting /api/thumbnails/{id} (replacing {id} with the value of this property) |
| DigitalShadows.IntelligenceThreats.IndicatorOfCompromiseCount | unknown | Count of IOCs |
| DigitalShadows.IntelligenceThreats.LastActive | unknown | The date of last activity (last incident) |
| DigitalShadows.IntelligenceThreats.Recurring | unknown | Will this become active again in future? |
| DigitalShadows.IntelligenceThreats.StartDate | unknown | The start date of the period this was/is active |
| DigitalShadows.IntelligenceThreats.Type | unknown | The type of profile being represented |
| DigitalShadows.IntelligenceThreats.Tags.ActorTypeTags | unknown | Tags for the type of actor |
| DigitalShadows.IntelligenceThreats.AnnouncementIncidentIDs | unknown | List of public declarations made (incidents) |
| DigitalShadows.IntelligenceThreats.AptReportIDs | unknown | APT reports associated with this threat. Each entry can be resolved via the /api/apt-report/{id} endpoint. |
| DigitalShadows.IntelligenceThreats.Tags.AssociatedActorTags | unknown | Actors related to this threat (if any) |
| DigitalShadows.IntelligenceThreats.Tags.AssociatedCampaignTags | unknown | Campaigns related to this threat (if any) |
| DigitalShadows.IntelligenceThreats.AssociatedEventIDs | unknown | Events associated with this threat (if any) |
| DigitalShadows.IntelligenceThreats.AttackEvidenceIncidentIDs | unknown | List of damage caused incidents |
| DigitalShadows.IntelligenceThreats.Tags.ImpactEffectTags | unknown | What impact did it have |
| DigitalShadows.IntelligenceThreats.Tags.IntendedEffectTags | unknown | What the threat intended to happen |
| DigitalShadows.IntelligenceThreats.LatestIncidentID | unknown | The latest incident attributed to this threat |
| DigitalShadows.IntelligenceThreats.Tags.MotivationTags | unknown | Tags that define what motivates the threat |
| DigitalShadows.IntelligenceThreats.Tags.OverviewTags | unknown | Tags that will appear in the overview. Only one per primary type |
| DigitalShadows.IntelligenceThreats.Tags.PrimaryLanguageTags | unknown | Tags that identify the primary languages used |
| DigitalShadows.IntelligenceThreats.ThreatLevel | unknown | Information about the level of threat, for example low or high |

Command Example#

!ds-get-intelligence-threat threat_id=2351

Context Example#

{
  "DigitalShadows": {
    "IntelligenceThreats": {
      "ActivityLevel": "INACTIVE",
      "AnnouncementIncidentIDs": null,
      "AptReportIDs": null,
      "AssociatedEventIDs": null,
      "AttackEvidenceIncidentIDs": null,
      "EndDate": null,
      "Id": 2351,
      "ImageId": "id",
      "ImageThumbnailId": "id",
      "IndicatorOfCompromiseCount": 0,
      "LastActive": "2016-07-20T22:00:00.000Z",
      "LatestIncident": null,
      "LatestIncidentID": null,
      "Recurring": null,
      "StartDate": null,
      "Tags": {
        "ActorTypeTags": [
          {
            "id": 1107,
            "name": "Hacker - Black hat",
            "type": "ACTOR_TYPE"
          }
        ],
        "AssociatedActorTags": [
          {
            "id": 3208,
            "name": "Peace of Mind",
            "type": "ACTOR"
          }
        ],
        "AssociatedCampaignTags": [],
        "ImpactEffectTags": [
          {
            "id": 424,
            "name": "Data Breach or Compromise",
            "type": "IMPACT_EFFECTS"
          },
          {
            "id": 431,
            "name": "Unintended Access",
            "type": "IMPACT_EFFECTS"
          }
        ],
        "IntendedEffectTags": [
          {
            "id": 418,
            "name": "Unauthorised Access",
            "type": "INTENDED_EFFECTS"
          },
          {
            "id": 412,
            "name": " Exposure",
            "type": "INTENDED_EFFECTS"
          }
        ],
        "MotivationTags": [
          {
            "id": 434,
            "name": "Ideological - Anti-Corruption",
            "type": "MOTIVATION"
          },
          {
            "id": 440,
            "name": "Ideological - Security Awareness",
            "type": "MOTIVATION"
          }
        ],
        "OverviewTags": [
          {
            "id": 1874,
            "name": "Data Leakage",
            "parent": {
              "id": 2684
            },
            "type": "GENERAL_TTP"
          },
          {
            "id": 1088,
            "name": "Government",
            "type": "TARGET_SECTORS"
          }
        ],
        "PrimaryLanguageTags": [
          {
            "id": 467,
            "name": "English",
            "type": "LANGUAGE"
          },
          {
            "id": 526,
            "name": "Spanish",
            "type": "LANGUAGE"
          }
        ],
        "PrimaryTag": {
          "id": 3177,
          "name": "CthulhuSec",
          "type": "ACTOR"
        },
        "SourceGeographyTags": []
      },
      "ThreatLevel": "LOW",
      "Type": "ACTOR"
    }
  }
}

Human Readable Output#

Digital Shadows Intelligence Threat#

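| ActivityLevel | AnnouncementIncidentIDs | AptReportIDs | AssociatedEventIDs | AttackEvidenceIncidentIDs | EndDate | Id | ImageId | ImageThumbnailId | IndicatorOfCompromiseCount | LastActive | LatestIncident | LatestIncidentID | Recurring | StartDate | ThreatLevel | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| INACTIVE |  |  |  |  |  | 2351 | id | id | 0 | 2016-07-20T22:00:00.000Z |  |  |  |  | LOW | ACTOR |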

ds-get-intelligence-threat-iocs#


Retrieve the indicatorsOfCompromise for a threat record

Base Command#

ds-get-intelligence-threat-iocs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_id | The intelligence threat identifier | Required |
| filter_types | List of types to filter by. Possible values are IP, MD5, SHA1, SHA256, URL, CVE, EMAIL, HOST, REGISTRY, FILEPATH, FILENAME | Optional |
| filter_value | Value to filter by | Optional |
| visible | List of values to control the visibility of elements. If a value is present then the corresponding element should be displayed | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.IntelligenceThreatIOCs.AptReportId | unknown | If this IOC is associated with an APT report |
| DigitalShadows.IntelligenceThreatIOCs.Id | unknown | Internal identifier for uniquely identifying this IOC |
| DigitalShadows.IntelligenceThreatIOCs.IntelIncidentId | unknown | If this IOC is associated with an intel incident |
| DigitalShadows.IntelligenceThreatIOCs.LastUpdated | unknown | When this record last changed |
| DigitalShadows.IntelligenceThreatIOCs.Source | unknown | A comment provided by the analysts as to where this IOC came from |
| DigitalShadows.IntelligenceThreatIOCs.Type | unknown | Identifies the type of indicator that also determines how it is encoded into a string |
| DigitalShadows.IntelligenceThreatIOCs.Value | unknown | The value of this indicator, encoded according to its type. For example hashes are base16 encoded. |
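
The Type and Value fields returned by ds-get-intelligence-incident-iocs and ds-get-intelligence-threat-iocs can be checked against each other before indicators are pushed to a blocklist or SIEM. The Python sketch below is an added example, not part of the integration's code; the function names, the per-type rules and the sample entries are assumptions constructed for illustration, and only the type names come from the filter_types list above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hex digits expected per hash type ("hashes are base16 encoded").
HASH_HEX_LENGTH = {"MD5": 32, "SHA1": 40, "SHA256": 64}
# Types with no fixed syntax: only emptiness and control characters are checked.
FREE_FORM_TYPES = {"REGISTRY", "FILEPATH", "FILENAME"}

HEX_RE = re.compile(r"[0-9a-fA-F]+")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE | re.ASCII)
# Simplified hostname rule (assumption): dot-separated LDH labels, alphabetic TLD.
HOST_RE = re.compile(
    r"(?=.{1,253}\Z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}",
    re.IGNORECASE | re.ASCII,
)


def normalize_ioc(entry):
    """Return (type, canonical value) or raise ValueError with the reason."""
    ioc_type = str(entry.get("Type") or "").upper()
    value = entry.get("Value")
    if not isinstance(value, str) or not value.strip():
        raise ValueError("missing value")
    value = value.strip()
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in value")

    if ioc_type in HASH_HEX_LENGTH:
        expected = HASH_HEX_LENGTH[ioc_type]
        if len(value) != expected or not HEX_RE.fullmatch(value):
            raise ValueError(f"{ioc_type} must be {expected} hex characters")
        return ioc_type, value.lower()
    if ioc_type == "IP":
        # ipaddress raises ValueError for anything that is not IPv4/IPv6.
        return ioc_type, str(ipaddress.ip_address(value))
    if ioc_type == "HOST":
        if not HOST_RE.fullmatch(value):
            raise ValueError("not a hostname")
        return ioc_type, value.lower()
    if ioc_type == "EMAIL":
        local, sep, domain = value.rpartition("@")
        if not (sep and local and HOST_RE.fullmatch(domain)):
            raise ValueError("not an e-mail address")
        return ioc_type, f"{local}@{domain.lower()}"
    if ioc_type == "URL":
        parts = urlsplit(value)
        if parts.scheme.lower() not in {"http", "https", "ftp"} or not parts.hostname:
            raise ValueError("URL needs a known scheme and a host")
        return ioc_type, value
    if ioc_type == "CVE":
        if not CVE_RE.fullmatch(value):
            raise ValueError("not a CVE identifier")
        return ioc_type, value.upper()
    if ioc_type in FREE_FORM_TYPES:
        return ioc_type, value
    raise ValueError(f"unsupported type {ioc_type!r}")


def partition_iocs(entries):
    """Split entries into normalized indicators and (Id, reason) rejections."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(normalize_ioc(entry))
        except ValueError as exc:
            rejected.append((entry.get("Id"), str(exc)))
    return accepted, rejected


# Constructed sample entries shaped like the context output (not real IOCs).
SAMPLE_IOCS = [
    {"Id": 1, "Type": "IP", "Value": "192.0.2.10"},
    {"Id": 2, "Type": "MD5", "Value": "D41D8CD98F00B204E9800998ECF8427E"},
    {"Id": 3, "Type": "SHA256", "Value": "d41d8cd98f00b204e9800998ecf8427e"},  # wrong length
    {"Id": 4, "Type": "HOST", "Value": "Mail.Example.COM"},
    {"Id": 5, "Type": "IP", "Value": "300.1.2.3"},  # octet out of range
    {"Id": 6, "Type": "URL", "Value": "https://example.com/login"},
    {"Id": 7, "Type": "DOMAIN", "Value": "example.org"},  # type not in filter_types
]

if __name__ == "__main__":
    good, bad = partition_iocs(SAMPLE_IOCS)
    for item in good:
        print("accept", item)
    for ioc_id, reason in bad:
        print("reject", ioc_id, reason)
```

Rejected entries are worth logging with their Id rather than silently dropping, so a mislabelled indicator can be traced back to its source record.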

Command Example#

Human Readable Output#

ds-get-intelligence-threat-activity#


Threat activity based on the number of intelligence incidents over a given period of time.

Base Command#

ds-get-intelligence-threat-activity

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| customPrimaryTags_id | Instead of most active, specify the ids of threat primary tags to retrieve activity for | Optional |
| includeIncidents | Should basic incident information be included with the activity for each tag. | Optional |
| maximumIncidentsPerTag | Upper limit on the number of incidents to include for each threat. | Optional |
| mostActiveForTypes | Fetch the top presetPerTypeCount most active threats for each type. Possible values: ACTOR, CAMPAIGN, EVENT, TOOL, SPECIFIC_TTP, LOCATION | Optional |
| mostActiveLimit | How many threats to retrieve activity for per threat type. Only applies when mostActiveForTypes is not null. If not specified, 10 is assumed. | Optional |
| segmentCount | Number of time segments to aggregate the incidents into. | Optional |
| filter_dateRange | Return activity that occurred in this date range. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Required |
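
The filter_dateRange argument here and in the other commands' Input tables accepts three forms: an ISO period, a start/end interval, or one of the listed constants. The Python check below is an added example, not part of the integration's code, that classifies a value before a playbook passes it to a command; the function names are hypothetical, and the timestamp shape (UTC "Z" suffix, optional milliseconds) is an assumption taken from the examples on this page.

```python
import re
from datetime import datetime

# Constants named in the filter_dateRange description.
DATE_RANGE_CONSTANTS = frozenset({
    "TODAY", "YESTERDAY", "WEEK", "LAST_WEEK",
    "MONTH", "LAST_MONTH", "YEAR", "LAST_YEAR",
})

# ISO 8601 period such as P1D, P2W or PT12H. The lookaheads reject a bare
# "P" and a dangling "T" with no time component after it. re.ASCII keeps
# \d from matching non-ASCII digits.
PERIOD_RE = re.compile(
    r"P(?=\d|T\d)"
    r"(?:\d+Y)?(?:\d+M)?(?:\d+W)?(?:\d+D)?"
    r"(?:T(?=\d)(?:\d+H)?(?:\d+M)?(?:\d+S)?)?",
    re.ASCII,
)

# Assumption: timestamps look like the page's examples. The API itself may
# accept other ISO 8601 forms.
TIMESTAMP_RE = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{3})?Z", re.ASCII
)


def parse_timestamp(text):
    """Parse one interval endpoint into an aware UTC datetime."""
    if not TIMESTAMP_RE.fullmatch(text):
        raise ValueError(f"not a UTC timestamp: {text!r}")
    # fromisoformat() rejects impossible dates such as month 13.
    return datetime.fromisoformat(text[:-1] + "+00:00")


def classify_date_range(value):
    """Return ("constant"|"period", value) or ("interval", (start, end))."""
    if not isinstance(value, str):
        raise ValueError("dateRange must be a string")
    if value in DATE_RANGE_CONSTANTS:
        return ("constant", value)
    # fullmatch() also rejects trailing newlines that "$" would let through.
    if PERIOD_RE.fullmatch(value):
        return ("period", value)
    if value.count("/") == 1:
        start_text, end_text = value.split("/")
        start, end = parse_timestamp(start_text), parse_timestamp(end_text)
        if start > end:
            raise ValueError("interval start is after its end")
        return ("interval", (start, end))
    raise ValueError(f"unsupported dateRange: {value!r}")


def is_valid_date_range(value):
    """Boolean wrapper for use in a playbook condition."""
    try:
        classify_date_range(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the interval is the one used in the command example.
    for candidate in (
        "P1D",
        "LAST_WEEK",
        "2016-08-16T19:55:00.000Z/2016-09-16T19:55:00.000Z",
        "2015-01-31T00:00:00Z/2015-01-01T00:00:00Z",
        "today",
    ):
        print(candidate, "->", is_valid_date_range(candidate))
```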

Context Output#

There is no context output for this command.

Command Example#

!ds-get-intelligence-threat-activity threat_id=2351 filter_dateRange=2016-08-16T19:55:00.000Z/2016-09-16T19:55:00.000Z

Human Readable Output#

{"tagActivities":[{"counts":[{"count":0,"key":"2016-09-13T19:55:00.001Z/2016-09-16T19:55:00.000Z"},{"count":1,"key":"2016-09-10T19:55:00.001Z/2016-09-13T19:55:00.000Z"},{"count":1,"key":"2016-09-07T19:55:00.001Z/2016-09-10T19:55:00.000Z"},{"count":4,"key":"2016-09-04T19:55:00.001Z/2016-09-07T19:55:00.000Z"},{"count":0,"key":"2016-09-01T19:55:00.001Z/2016-09-04T19:55:00.000Z"},{"count":0,"key":"2016-08-29T19:55:00.001Z/2016-09-01T19:55:00.000Z"},{"count":0,"key":"2016-08-26T19:55:00.001Z/2016-08-29T19:55:00.000Z"},{"count":0,"key":"2016-08-23T19:55:00.001Z/2016-08-26T19:55:00.000Z"},{"count":0,"key":"2016-08-20T19:55:00.001Z/2016-08-23T19:55:00.000Z"},{"count":0,"key":"2016-08-17T19:55:00.001Z/2016-08-20T19:55:00.000Z"},{"count":0,"key":"2016-08-16T19:55:00.000Z/2016-08-17T19:55:00.000Z"}],"from":"2016-08-16T19:55:00.000Z","incidents":[{"id":11303017,"scope":"GLOBAL"},{"id":11300637,"scope":"GLOBAL"},{"id":11212704,"scope":"GLOBAL"},{"id":11187135,"scope":"GLOBAL"},{"id":11187153,"scope":"GLOBAL"},{"id":11186833,"scope":"GLOBAL"}],"tag":{"id":3065,"name":"The Real 
Deal","threat":{"activityLevel":"INACTIVE","closedSource":false,"id":2144,"threatLevel":{"type":"LOW"},"type":"LOCATION"}},"until":"2016-09-16T19:55:00.000Z"},{"counts":[{"count":0,"key":"2016-09-13T19:55:00.001Z/2016-09-16T19:55:00.000Z"},{"count":0,"key":"2016-09-10T19:55:00.001Z/2016-09-13T19:55:00.000Z"},{"count":1,"key":"2016-09-07T19:55:00.001Z/2016-09-10T19:55:00.000Z"},{"count":0,"key":"2016-09-04T19:55:00.001Z/2016-09-07T19:55:00.000Z"},{"count":0,"key":"2016-09-01T19:55:00.001Z/2016-09-04T19:55:00.000Z"},{"count":0,"key":"2016-08-29T19:55:00.001Z/2016-09-01T19:55:00.000Z"},{"count":0,"key":"2016-08-26T19:55:00.001Z/2016-08-29T19:55:00.000Z"},{"count":0,"key":"2016-08-23T19:55:00.001Z/2016-08-26T19:55:00.000Z"},{"count":1,"key":"2016-08-20T19:55:00.001Z/2016-08-23T19:55:00.000Z"},{"count":0,"key":"2016-08-17T19:55:00.001Z/2016-08-20T19:55:00.000Z"},{"count":0,"key":"2016-08-16T19:55:00.000Z/2016-08-17T19:55:00.000Z"}],"from":"2016-08-16T19:55:00.000Z","incidents":[{"id":11258586,"scope":"GLOBAL"},{"id":10924047,"scope":"GLOBAL"}],"tag":{"id":4742,"name":"CrdClub","threat":{"activityLevel":"INACTIVE","closedSource":false,"id":3199,"threatLevel":{"type":"LOW"},"type":"LOCATION"}},"until":"2016-09-16T19:55:00.000Z"},{"counts":[{"count":0,"key":"2016-09-13T19:55:00.001Z/2016-09-16T19:55:00.000Z"},{"count":1,"key":"2016-09-10T19:55:00.001Z/2016-09-13T19:55:00.000Z"},{"count":0,"key":"2016-09-07T19:55:00.001Z/2016-09-10T19:55:00.000Z"},{"count":0,"key":"2016-09-04T19:55:00.001Z/2016-09-07T19:55:00.000Z"},{"count":0,"key":"2016-09-01T19:55:00.001Z/2016-09-04T19:55:00.000Z"},{"count":0,"key":"2016-08-29T19:55:00.001Z/2016-09-01T19:55:00.000Z"},{"count":0,"key":"2016-08-26T19:55:00.001Z/2016-08-29T19:55:00.000Z"},{"count":0,"key":"2016-08-23T19:55:00.001Z/2016-08-26T19:55:00.000Z"},{"count":0,"key":"2016-08-20T19:55:00.001Z/2016-08-23T19:55:00.000Z"},{"count":0,"key":"2016-08-17T19:55:00.001Z/2016-08-20T19:55:00.000Z"},{"count":0,"key":"2016-08-16T19:55:00.000Z/2016
-08-17T19:55:00.000Z"}],"from":"2016-08-16T19:55:00.000Z","incidents":[{"id":11303017,"scope":"GLOBAL"}],"tag":{"id":3044,"name":"Hell Forum","threat":{"activityLevel":"INACTIVE","closedSource":false,"id":2122,"threatLevel":{"type":"MEDIUM"},"type":"LOCATION"}},"until":"2016-09-16T19:55:00.000Z"},{"counts":[{"count":0,"key":"2016-09-13T19:55:00.001Z/2016-09-16T19:55:00.000Z"},{"count":0,"key":"2016-09-10T19:55:00.001Z/2016-09-13T19:55:00.000Z"},{"count":1,"key":"2016-09-07T19:55:00.001Z/2016-09-10T19:55:00.000Z"},{"count":0,"key":"2016-09-04T19:55:00.001Z/2016-09-07T19:55:00.000Z"},{"count":0,"key":"2016-09-01T19:55:00.001Z/2016-09-04T19:55:00.000Z"},{"count":0,"key":"2016-08-29T19:55:00.001Z/2016-09-01T19:55:00.000Z"},{"count":0,"key":"2016-08-26T19:55:00.001Z/2016-08-29T19:55:00.000Z"},{"count":0,"key":"2016-08-23T19:55:00.001Z/2016-08-26T19:55:00.000Z"},{"count":0,"key":"2016-08-20T19:55:00.001Z/2016-08-23T19:55:00.000Z"},{"count":0,"key":"2016-08-17T19:55:00.001Z/2016-08-20T19:55:00.000Z"},{"count":0,"key":"2016-08-16T19:55:00.000Z/2016-08-17T19:55:00.000Z"}],"from":"2016-08-16T19:55:00.000Z","incidents":[{"id":11222970,"scope":"GLOBAL"}],"tag":{"id":6966,"name":"Hansa","threat":{"activityLevel":"INACTIVE","closedSource":false,"id":4159,"threatLevel":{"type":"VERY_LOW"},"type":"LOCATION"}},"until":"2016-09-16T19:55:00.000Z"},{"counts":[{"count":0,"key":"2016-09-13T19:55:00.001Z/2016-09-16T19:55:00.000Z"},{"count":0,"key":"2016-09-10T19:55:00.001Z/2016-09-13T19:55:00.000Z"},{"count":0,"key":"2016-09-07T19:55:00.001Z/2016-09-10T19:55:00.000Z"},{"count":0,"key":"2016-09-04T19:55:00.001Z/2016-09-07T19:55:00.000Z"},{"count":0,"key":"2016-09-01T19:55:00.001Z/2016-09-04T19:55:00.000Z"},{"count":0,"key":"2016-08-29T19:55:00.001Z/2016-09-01T19:55:00.000Z"},{"count":0,"key":"2016-08-26T19:55:00.001Z/2016-08-29T19:55:00.000Z"},{"count":0,"key":"2016-08-23T19:55:00.001Z/2016-08-26T19:55:00.000Z"},{"count":1,"key":"2016-08-20T19:55:00.001Z/2016-08-23T19:55:00.000Z"},{"count"
:0,"key":"2016-08-17T19:55:00.001Z/2016-08-20T19:55:00.000Z"},{"count":0,"key":"2016-08-16T19:55:00.000Z/2016-08-17T19:55:00.000Z"}],"from":"2016-08-16T19:55:00.000Z","incidents":[{"id":10923947,"scope":"GLOBAL"}],"tag":{"id":3048,"name":"AlphaBay","threat":{"activityLevel":"INACTIVE","closedSource":false,"id":2126,"threatLevel":{"type":"VERY_LOW"},"type":"LOCATION"}},"until":"2016-09-16T19:55:00.000Z"},{"counts":[{"count":0,"key":"2016-09-13T19:55:00.001Z/2016-09-16T19:55:00.000Z"},{"count":0,"key":"2016-09-10T19:55:00.001Z/2016-09-13T19:55:00.000Z"},{"count":0,"key":"2016-09-07T19:55:00.001Z/2016-09-10T19:55:00.000Z"},{"count":0,"key":"2016-09-04T19:55:00.001Z/2016-09-07T19:55:00.000Z"},{"count":0,"key":"2016-09-01T19:55:00.001Z/2016-09-04T19:55:00.000Z"},{"count":0,"key":"2016-08-29T19:55:00.001Z/2016-09-01T19:55:00.000Z"},{"count":0,"key":"2016-08-26T19:55:00.001Z/2016-08-29T19:55:00.000Z"},{"count":0,"key":"2016-08-23T19:55:00.001Z/2016-08-26T19:55:00.000Z"},{"count":0,"key":"2016-08-20T19:55:00.001Z/2016-08-23T19:55:00.000Z"},{"count":1,"key":"2016-08-17T19:55:00.001Z/2016-08-20T19:55:00.000Z"},{"count":0,"key":"2016-08-16T19:55:00.000Z/2016-08-17T19:55:00.000Z"}],"from":"2016-08-16T19:55:00.000Z","incidents":[{"id":10847816,"scope":"GLOBAL"}],"tag":{"id":3121,"name":"DownThem","threat":{"activityLevel":"INACTIVE","closedSource":false,"id":2275,"threatLevel":{"type":"LOW"},"type":"LOCATION"}},"until":"2016-09-16T19:55:00.000Z"}],"threatType":"LOCATION","timeSpanDays":31}

ds-find-intelligence-threats#


Find intelligence threat records

Base Command#

ds-find-intelligence-threats

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_dateRange | Only return results that were last active within this date range (inclusive). Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_dateRangeField | Determines which date/time field the dateRange will apply to. | Optional |
| filter_identifiers | List of identifiers. Only return threat profiles with these identifiers | Optional |
| filter_relevantTo | Narrow to threats that have a specific relevance to my organization | Optional |
| filter_tagOperator | Whether multiple tags should be logically applied as AND/OR with the resultset | Optional |
| filter_tags | Limit to threats related to these tags only | Optional |
| filter_threatLevels | Only include threats with one of these threat levels | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.IntelligenceThreatsRegional.ActivityLevel | unknown | Level of activity, based on last active |
| DigitalShadows.IntelligenceThreatsRegional.Id | unknown | Unique integer identifier (among threats) |
| DigitalShadows.IntelligenceThreatsRegional.ImageId | unknown | The unique identifier for an image of the threat, if available. The actual image can be retrieved by requesting /api/resources/{id} (replacing {id} with the value of this property) |
| DigitalShadows.IntelligenceThreatsRegional.LastActive | unknown | The date of last activity (last incident) |
| DigitalShadows.IntelligenceThreatsRegional.Type | unknown | The type of profile being represented |
| DigitalShadows.IntelligenceThreatsRegional.ThreatLevelType | unknown | Information about the level of threat, for example low or high |
| DigitalShadows.IntelligenceThreatsRegional.Event | unknown | For an EVENT or CAMPAIGN threat this will contain a summary of when it occurred and possibly when it will re-occur |

Command Example#

!ds-find-intelligence-threats filter_dateRange=2016-08-16T19:55:00.000Z/2016-08-16T19:55:00.000Z
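A pre-flight check for a `filter_dateRange` value, as an added example (not part of the integration's own code): it classifies the three forms the argument description lists and rejects anything else before the command is run. The period pattern follows general ISO 8601 duration syntax and the required UTC offset is this example's assumption; `classify_date_range` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constants copied from the filter_dateRange description on this page.
DATE_RANGE_CONSTANTS = frozenset({
    "TODAY", "YESTERDAY", "WEEK", "LAST_WEEK",
    "MONTH", "LAST_MONTH", "YEAR", "LAST_YEAR",
})

# General ISO 8601 duration syntax. Assumption: the page only shows "P1D",
# so the service may accept a narrower set than this pattern does.
_PERIOD_RE = re.compile(
    r"^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$"
)


def _parse_instant(text):
    """Parse one ISO 8601 timestamp; a trailing Z is mapped to +00:00."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    try:
        instant = datetime.fromisoformat(text)
    except ValueError:
        raise ValueError(f"not an ISO 8601 timestamp: {text!r}") from None
    if instant.tzinfo is None:
        # Conservative choice for this example: refuse ambiguous local times.
        raise ValueError(f"timestamp has no UTC offset: {text!r}")
    return instant


def classify_date_range(value):
    """Return 'constant', 'period' or 'interval'; raise ValueError otherwise."""
    if not isinstance(value, str) or not value or value != value.strip():
        raise ValueError("dateRange must be a non-empty string without padding")
    if value in DATE_RANGE_CONSTANTS:
        return "constant"
    if _PERIOD_RE.match(value):
        return "period"
    if value.count("/") == 1:
        start_text, end_text = value.split("/")
        start, end = _parse_instant(start_text), _parse_instant(end_text)
        # The range is inclusive, so start == end is a valid single instant.
        if start > end:
            raise ValueError("interval start is after its end")
        return "interval"
    raise ValueError(f"unrecognised dateRange: {value!r}")


if __name__ == "__main__":
    for candidate in ("P1D", "LAST_WEEK",
                      "2016-08-16T19:55:00.000Z/2016-08-16T19:55:00.000Z"):
        print(candidate, "->", classify_date_range(candidate))
```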

Context Example#

{
    "DigitalShadows": {
        "IntelligenceThreats": {
            "ActivityLevel": "INACTIVE",
            "Event": null,
            "Id": 5013,
            "ImageId": null,
            "LastActive": "2016-08-16T19:55:00.000Z",
            "ThreatLevelType": "LOW",
            "Type": "SPECIFIC_TTP"
        }
    }
}

Human Readable Output#

Digital Shadows Intelligence Threats#

| ActivityLevel | Event | Id | ImageId | LastActive | ThreatLevelType | Type |
| --- | --- | --- | --- | --- | --- | --- |
| INACTIVE | | 5013 | | 2016-08-16T19:55:00.000Z | LOW | SPECIFIC_TTP |

ds-find-intelligence-threats-regional#


Threat profiles associated with incidents over a given time range

Base Command#

ds-find-intelligence-threats-regional

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| countryTag_created | When was this tag created. | Optional |
| countryTag_description | Description text for this tag. | Optional |
| countryTag_id | Unique integer identifier for this tag | Optional |
| countryTag_name | The name of this tag. Is unique in combination with the type | Optional |
| countryTag_parent_id | Parent id of the tag | Optional |
| countryTag_threat_id | Unique integer identifier (among threats). | Optional |
| countryTag_threat_type | The type of profile being represented. | Optional |
| countryTag_type | The type of this tag. The name of tags with the same type must be unique. | Optional |
| filter_dateRange | Determines the interval the incidents must have occurred within to be included. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_periodRelativeTo | Optional timestamp that will be used as the end date for a period based dateRange. If not specified, then the end of the current day (based on the requesting user's timezone) will be used. | Optional |
| filter_tagType | What types of tags should be considered. Should be one of SOURCE_GEOGRAPHY or TARGET_GEOGRAPHY (the default) | Optional |
| regionTag_created | When was this tag created. | Optional |
| regionTag_description | Description text for this tag. | Optional |
| regionTag_id | Unique integer identifier for this tag | Optional |
| regionTag_name | The name of this tag. Is unique in combination with the type | Optional |
| regionTag_parent_id | Parent id of the tag | Optional |
| regionTag_threat_id | Unique integer identifier (among threats). | Optional |
| regionTag_threat_type | The type of profile being represented. | Optional |
| regionTag_type | The type of this tag. The name of tags with the same type must be unique. | Optional |
| threat_id | Id of the threat | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.IntelligenceThreatsRegional.ActivityLevel | unknown | Level of activity, based on last active |
| DigitalShadows.IntelligenceThreatsRegional.Id | unknown | Unique integer identifier (among threats) |
| DigitalShadows.IntelligenceThreatsRegional.ImageId | unknown | The unique identifier for an image of the threat, if available. The actual image can be retrieved by requesting /api/resources/{id} (replacing {id} with the value of this property) |
| DigitalShadows.IntelligenceThreatsRegional.LastActive | unknown | The date of last activity (last incident) |
| DigitalShadows.IntelligenceThreatsRegional.Type | unknown | The type of profile being represented |
| DigitalShadows.IntelligenceThreatsRegional.ThreatLevelType | unknown | Information about the level of threat, for example low or high |
| DigitalShadows.IntelligenceThreatsRegional.Event | unknown | For an EVENT or CAMPAIGN threat this will contain a summary of when it occurred and possibly when it will re-occur |
| DigitalShadows.IntelligenceThreatsRegional.OverviewTags | unknown | Tags that will appear in the overview. Only one per primary type. |

Command Example#

Human Readable Output#

ds-get-port-reviews#


Retrieve all review updates for a given port inspection

Base Command#

ds-get-port-reviews

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| port | Port inspection id | Required |
| incidentId | ID of incident to query | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.IpPortReviews.Created | unknown | The moment in time the review was created |
| DigitalShadows.IpPortReviews.Status | unknown | Review status |
| DigitalShadows.IpPortReviews.Version | unknown | Starts counting at 1 and increments for each review of a given port. Will initially be 0 until a review is performed (when returned as part of a port) |
| DigitalShadows.IpPortReviews.Incident.Id | unknown | Id of the incident the port inspection is associated with |
| DigitalShadows.IpPortReviews.Incident.Scope | unknown | Scope of the incident the port inspection is associated with |
| DigitalShadows.IpPortReviews.User.Id | unknown | ID of the user that changed the status/set the note. |
| DigitalShadows.IpPortReviews.User.FullName | unknown | Full name of the user that changed the status/set the note. |

Command Example#

Human Readable Output#

ds-snapshot-port-review#


Snapshot the review status of a port inspection

Base Command#

ds-snapshot-port-review

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| port | Port inspection id | Required |
| version | When submitting, this value can be optionally set to the version of the most recently read review | Optional |
| status | Review status | Optional |
| incident_id | Identifier for this incident, unique in combination with the scope. | Optional |
| incident_scope | Identifies whether this incident applies globally (intelligence) or just to your organization. | Optional |

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#

ds-find-ports#


Find ports

Base Command#

ds-find-ports

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_alerted | Only include SSL/certificates with associated incidents that have been alerted | Optional |
| filter_detectedClosed | Only return IP ports that were detected closed | Optional |
| filter_detectedOpen | Only return IP ports that were detected open within this date range (inclusive). Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_domainName | Name of domain to filter by | Optional |
| filter_incidentTypes | The type to match to. Will match to any incident with this type unless subTypes is not empty, in which case only incident matches based on the sub-type will be considered. | Optional |
| filter_incidentSubTypes | List of specific sub type(s) to match to. String values from BRAND_MISUSE, COMPANY_THREAT, CORPORATE_INFORMATION, CREDENTIAL_COMPROMISE, CUSTOMER_DETAILS, CVE, DEFAMATION, DOMAIN_CERTIFICATE_ISSUE, EMPLOYEE_THREAT, EXPOSED_PORT, INTELLECTUAL_PROPERTY, INTERNALLY_MARKED_DOCUMENT, LEGACY_MARKED_DOCUMENT, MOBILE_APPLICATION, NEGATIVE_PUBLICITY, PERSONAL_INFORMATION, PHISHING_ATTEMPT, PROTECTIVELY_MARKED_DOCUMENT, SPOOF_PROFILE, TECHNICAL_INFORMATION, TECHNICAL_LEAKAGE, UNMARKED_DOCUMENT | Optional |
| filter_ipAddress | IP address to filter by | Optional |
| filter_ipRange_lowerAddress | Lower address for ip range | Optional |
| filter_ipRange_maskBits | Int value for mask bits | Optional |
| filter_ipRange_upperAddress | Upper address for ip range | Optional |
| filter_markedClosed | Is incident closed | Optional |
| filter_published | Only return IP ports that were published within this date range (inclusive). Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_severities | Only include SSL/certificate infrastructure incidents with these severities. String values from VERY_HIGH, HIGH, MEDIUM, LOW, VERY_LOW, NONE | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.IpPorts.DiscoveredOpen | unknown | When was the port found to be open |
| DigitalShadows.IpPorts.Id | unknown | Identifier for the port inspection |
| DigitalShadows.IpPorts.IpAddress | unknown | The IP address this port was found on |
| DigitalShadows.IpPorts.PortNumber | unknown | The IP port number scanned (1-65535) |
| DigitalShadows.IpPorts.Transport | unknown | IP transport protocol used |
| DigitalShadows.IpPorts.Incident.Id | unknown | Id of the most recent incident to include this port |
| DigitalShadows.IpPorts.Incident.Scope | unknown | Scope of the most recent incident to include this port |
| DigitalShadows.IpPorts.Incident.Severity | unknown | Severity of the most recent incident to include this port |
| DigitalShadows.IpPorts.Incident.SubType | unknown | Subtype of the most recent incident to include this port |
| DigitalShadows.IpPorts.Incident.Type | unknown | Type of the most recent incident to include this port |
| DigitalShadows.IpPorts.Incident.Title | unknown | Title of the most recent incident to include this port |
| DigitalShadows.IpPorts.Incident.Published | unknown | Published time of the most recent incident to include this port |
| DigitalShadows.IpPorts.Review.Status | unknown | Status of when the port was last reviewed |
| DigitalShadows.IpPorts.Review.UserId | unknown | User Id of the port's last review |
| DigitalShadows.IpPorts.Review.UserName | unknown | Name of user who created last review |
| DigitalShadows.IpPorts.Review.Version | unknown | Version of last port review |

Command Example#

!ds-find-ports pagination_size=1

Context Example#

{
    "DigitalShadows": {
        "IpPorts": [
            {
                "DiscoveredOpen": "2018-08-22T00:58:07.014Z",
                "Id": 8247047,
                "Incident": {
                    "Id": 99002722,
                    "Published": "2020-11-03T21:44:41.840Z",
                    "Scope": "ORGANIZATION",
                    "Severity": "MEDIUM",
                    "SubType": "EXPOSED_PORT",
                    "Title": "Block listed open ports found on IP",
                    "Type": "INFRASTRUCTURE"
                },
                "IpAddress": "1.2.3.4",
                "PortNumber": 179,
                "Review": {
                    "Status": "OPEN",
                    "UserId": null,
                    "UserName": null,
                    "Version": null
                },
                "Transport": "TCP"
            }
        ]
    }
}

Human Readable Output#

Digital Shadows Ports#

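| DiscoveredOpen | Id | Incident Id | Incident Published | Incident Scope | Incident Severity | Incident SubType | Incident Title | Incident Type | IpAddress | PortNumber | Review Status | Review UserId | Review UserName | Review Version | Transport |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2018-08-22T00:58:07.014Z | 8247047 | 99002722 | 2020-11-03T21:44:41.840Z | ORGANIZATION | MEDIUM | EXPOSED_PORT | Blacklisted open ports found on IP | INFRASTRUCTURE | 1.2.3.4 | 179 | OPEN | | | | TCP |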

ds-find-secure-sockets#


Find secure sockets

Base Command#

ds-find-secure-sockets

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_alerted | Only include SSL/certificates with associated incidents that have been alerted | Optional |
| filter_detected | Only include detected sockets | Optional |
| filter_determinedResolved | Only include determined resolved sockets | Optional |
| filter_domain | Filter by domain | Optional |
| filter_expiry | Filter by expiry date | Optional |
| filter_grades | List of grades (A,B,C,D,E,F,T) | Optional |
| filter_incidentTypes | The type to match to. Will match to any incident with this type unless subTypes is not empty, in which case only incident matches based on the sub-type will be considered. | Optional |
| filter_incidentSubTypes | List of specific sub type(s) to match to. String values from BRAND_MISUSE, COMPANY_THREAT, CORPORATE_INFORMATION, CREDENTIAL_COMPROMISE, CUSTOMER_DETAILS, CVE, DEFAMATION, DOMAIN_CERTIFICATE_ISSUE, EMPLOYEE_THREAT, EXPOSED_PORT, INTELLECTUAL_PROPERTY, INTERNALLY_MARKED_DOCUMENT, LEGACY_MARKED_DOCUMENT, MOBILE_APPLICATION, NEGATIVE_PUBLICITY, PERSONAL_INFORMATION, PHISHING_ATTEMPT, PROTECTIVELY_MARKED_DOCUMENT, SPOOF_PROFILE, TECHNICAL_INFORMATION, TECHNICAL_LEAKAGE, UNMARKED_DOCUMENT | Optional |
| filter_ipAddress | IP address to filter by | Optional |
| filter_issues | List of string values from POODLE, POODLE_TLS, FREAK, DROWN, LOGJAM, RC4_AVAILABLE, SELF_SIGNED, MD5_OR_SHA1_SIGNED, REVOKED, EXPIRING_LOW, EXPIRING_MEDIUM, EXPIRING_HIGH, EXPIRED, HOSTNAME_MISMATCH, TLS_1_2_NOT_FOUND | Optional |
| filter_markedClosed | Is incident closed | Optional |
| filter_published | Filter by publish time | Optional |
| filter_revoked | Only include revoked sockets | Optional |
| filter_severities | Only include SSL/certificate infrastructure incidents with these severities. String values from VERY_HIGH, HIGH, MEDIUM, LOW, VERY_LOW, NONE | Optional |
| filter_statuses | Only include SSL/certificates with associated incidents having these statuses (or with any status if none are supplied). UNREAD, READ, CLOSED | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.SecureSockets.Id | unknown | Unique identifier for this inspection |
| DigitalShadows.SecureSockets.ReverseDomainName | unknown | The reverse DNS name of the host |
| DigitalShadows.SecureSockets.CertificateCommonName | unknown | The server certificate common name |
| DigitalShadows.SecureSockets.Discovered | unknown | When were the certificate issue(s) found |
| DigitalShadows.SecureSockets.DomainName | unknown | The domain name the secure socket was discovered on for the default port 443/TCP |
| DigitalShadows.SecureSockets.Grade | unknown | The rating calculated for the secure socket at the time of the scan |
| DigitalShadows.SecureSockets.IpAddress | unknown | The actual IP address the probe connected to |
| DigitalShadows.SecureSockets.PortNumber | unknown | The port number the socket was found listening on |
| DigitalShadows.SecureSockets.Transport | unknown | IP transport protocol used, most likely TCP |
| DigitalShadows.SecureSockets.Issues | unknown | The set of issues detected for the secure socket |
| DigitalShadows.SecureSockets.Review.Status | unknown | Status of most recent review of this inspection |
| DigitalShadows.SecureSockets.Review.UserId | unknown | ID of user who created the most recent review of this inspection |
| DigitalShadows.SecureSockets.Review.UserName | unknown | Name of user who created the most recent review of this inspection |
| DigitalShadows.SecureSockets.Review.Version | unknown | Version of most recent review of this inspection |
| DigitalShadows.SecureSockets.Incident.Id | unknown | Incident corresponding to this secure socket issue occurrence |
| DigitalShadows.SecureSockets.Incident.Scope | unknown | Scope of the incident corresponding to this secure socket issue occurrence |
| DigitalShadows.SecureSockets.Incident.Severity | unknown | Severity of the incident corresponding to this secure socket issue occurrence |
| DigitalShadows.SecureSockets.Incident.SubType | unknown | SubType of the incident corresponding to this secure socket issue occurrence |
| DigitalShadows.SecureSockets.Incident.Type | unknown | Type of the incident corresponding to this secure socket issue occurrence |
| DigitalShadows.SecureSockets.Incident.Title | unknown | Title of the incident corresponding to this secure socket issue occurrence |
| DigitalShadows.SecureSockets.Incident.Published | unknown | Published time of the incident corresponding to this secure socket issue occurrence |

ds-find-vulnerabilities#


Find vulnerabilities

Base Command#

ds-find-vulnerabilities

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_alerted | Only include SSL/certificates with associated incidents that have been alerted | Optional |
| filter_cveIdentifiers | Filter by CVE identifiers | Optional |
| filter_detected | Only return vulnerabilities that were detected within this date range (inclusive). Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_detectedClosed | True or false | Optional |
| filter_domainName | Name of domain to filter by | Optional |
| filter_incidentTypes | The type to match to. Will match to any incident with this type unless subTypes is not empty, in which case only incident matches based on the sub-type will be considered. | Optional |
| filter_incidentSubTypes | List of specific sub type(s) to match to. String values from BRAND_MISUSE, COMPANY_THREAT, CORPORATE_INFORMATION, CREDENTIAL_COMPROMISE, CUSTOMER_DETAILS, CVE, DEFAMATION, DOMAIN_CERTIFICATE_ISSUE, EMPLOYEE_THREAT, EXPOSED_PORT, INTELLECTUAL_PROPERTY, INTERNALLY_MARKED_DOCUMENT, LEGACY_MARKED_DOCUMENT, MOBILE_APPLICATION, NEGATIVE_PUBLICITY, PERSONAL_INFORMATION, PHISHING_ATTEMPT, PROTECTIVELY_MARKED_DOCUMENT, SPOOF_PROFILE, TECHNICAL_INFORMATION, TECHNICAL_LEAKAGE, UNMARKED_DOCUMENT | Optional |
| filter_ipAddress | IP address to filter by | Optional |
| filter_markedClosed | Filter by incidents that are marked as CLOSED | Optional |
| filter_published | Only return vulnerabilities that were published within this date range (inclusive). Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_severities | List of severity values to filter by. Can be VERY_HIGH, HIGH, MEDIUM, LOW, VERY_LOW, NONE | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DigitalShadows.Vulnerabilities.CveId | unknown | The CVE id |
| DigitalShadows.Vulnerabilities.Id | unknown | Identifier for this detected vulnerability |
| DigitalShadows.Vulnerabilities.Discovered | unknown | When was the vulnerability found |
| DigitalShadows.Vulnerabilities.IpAddress | unknown | The IP address this port was found on |
| DigitalShadows.Vulnerabilities.Review.Status | unknown | Status of most recent review of this vulnerability |
| DigitalShadows.Vulnerabilities.Review.UserId | unknown | ID of user who created the most recent review of this vulnerability |
| DigitalShadows.Vulnerabilities.Review.UserName | unknown | Name of user who created the most recent review of this vulnerability |
| DigitalShadows.Vulnerabilities.Review.Version | unknown | Version of most recent review of this vulnerability |
| DigitalShadows.Vulnerabilities.Incident.Id | unknown | ID of the incident corresponding to this vulnerability occurrence |
| DigitalShadows.Vulnerabilities.Incident.Scope | unknown | Scope of the incident corresponding to this vulnerability occurrence |
| DigitalShadows.Vulnerabilities.Incident.Severity | unknown | Severity of the incident corresponding to this vulnerability occurrence |
| DigitalShadows.Vulnerabilities.Incident.SubType | unknown | SubType of the incident corresponding to this vulnerability occurrence |
| DigitalShadows.Vulnerabilities.Incident.Type | unknown | Type of the incident corresponding to this vulnerability occurrence |
| DigitalShadows.Vulnerabilities.Incident.Title | unknown | Title of the incident corresponding to this vulnerability occurrence |
| DigitalShadows.Vulnerabilities.Incident.Published | unknown | Published time of the incident corresponding to this vulnerability occurrence |

Command Example#

!ds-find-vulnerabilities pagination_size=2

Context Example#

{
    "DigitalShadows": {
        "Vulnerabilities": [
            {
                "CveId": "CVE-id",
                "Discovered": "2018-04-12T14:15:51.991Z",
                "Id": 529072,
                "Incident": {
                    "Id": 99002720,
                    "Published": "2020-11-04T17:32:57.855Z",
                    "Scope": "ORGANIZATION",
                    "Severity": "VERY_HIGH",
                    "SubType": "CVE",
                    "Title": "CVE with 4 exploits detected on 1.2.3.4.\r\n",
                    "Type": "INFRASTRUCTURE"
                },
                "IpAddress": "1.2.3.4",
                "Review": {
                    "Status": "UNREAD",
                    "UserId": null,
                    "UserName": null,
                    "Version": null
                }
            },
            {
                "CveId": "CVE-2018-6789",
                "Discovered": "2019-01-27T17:39:55.428Z",
                "Id": 879356,
                "Incident": {
                    "Id": 99002711,
                    "Published": "2020-11-04T23:54:22.672Z",
                    "Scope": "ORGANIZATION",
                    "Severity": "HIGH",
                    "SubType": "CVE",
                    "Title": "CVE with 2 exploits detected on 2.2.2.2",
                    "Type": "INFRASTRUCTURE"
                },
                "IpAddress": "2.2.2.2",
                "Review": {
                    "Status": "UNREAD",
                    "UserId": null,
                    "UserName": null,
                    "Version": null
                }
            }
        ]
    }
}

Human Readable Output#

Digital Shadows Vulnerabilities#

| CveId | Discovered | Id | Incident Id | Incident Published | Incident Scope | Incident Severity | Incident SubType | Incident Title | Incident Type | IpAddress | Review Status | Review UserId | Review UserName | Review Version |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-id | 2018-04-12T14:15:51.991Z | 529072 | 99002720 | 2020-11-04T17:32:57.855Z | ORGANIZATION | VERY_HIGH | CVE | CVE with 4 exploits detected on 1.2.3.4. | INFRASTRUCTURE | 1.2.3.4 | UNREAD | | | |
| CVE-id | 2019-01-27T17:39:55.428Z | 879356 | 99002711 | 2020-11-04T23:54:22.672Z | ORGANIZATION | HIGH | CVE | CVE with 2 exploits detected on 2.2.2.2 | INFRASTRUCTURE | 2.2.2.2 | UNREAD | | | |
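A per-host triage pass over the `DigitalShadows.IpPorts` and `DigitalShadows.Vulnerabilities` context shown above, as an added example (not part of the integration's own code): it merges both record types by `IpAddress`, skips reviews already marked CLOSED, and ranks hosts by worst incident severity. The helper names, the rule that any status other than CLOSED still needs attention, and the 3.3.3.3 sample record are assumptions of this example.

```python
from collections import defaultdict

# Severity names as listed for filter_severities on this page, lowest first.
SEVERITY_ORDER = ["NONE", "VERY_LOW", "LOW", "MEDIUM", "HIGH", "VERY_HIGH"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Constructed sample context. Field names follow the Context Output tables;
# the 3.3.3.3 record is invented to show that CLOSED reviews are skipped.
SAMPLE_CONTEXT = {"DigitalShadows": {
    # A single record may arrive as an object rather than a list.
    "IpPorts": {"Id": 8247047, "IpAddress": "1.2.3.4", "PortNumber": 179,
                "Transport": "TCP", "Review": {"Status": "OPEN"},
                "Incident": {"Id": 99002722, "Severity": "MEDIUM"}},
    "Vulnerabilities": [
        {"CveId": "CVE-id", "IpAddress": "1.2.3.4",
         "Review": {"Status": "UNREAD"},
         "Incident": {"Id": 99002720, "Severity": "VERY_HIGH"}},
        {"CveId": "CVE-2018-6789", "IpAddress": "2.2.2.2",
         "Review": {"Status": "UNREAD"},
         "Incident": {"Id": 99002711, "Severity": "HIGH"}},
        {"CveId": "CVE-id", "IpAddress": "3.3.3.3",
         "Review": {"Status": "CLOSED"},
         "Incident": {"Id": 1, "Severity": "VERY_HIGH"}},
    ],
}}


def as_list(value):
    """Normalize a context value that may be None, one dict, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def summarize_exposure(context, min_severity="MEDIUM"):
    """Group open findings by IP, worst severity first."""
    ds = context.get("DigitalShadows") or {}
    floor = RANK[min_severity]
    hosts = defaultdict(lambda: {"worst": "NONE", "ports": set(),
                                 "cves": set(), "incidents": set()})

    def consider(record, kind):
        incident = record.get("Incident") or {}
        review = record.get("Review") or {}
        severity = incident.get("Severity") or "NONE"
        rank = RANK.get(severity, 0)  # unknown labels are treated as NONE
        ip = record.get("IpAddress")
        # Assumption: anything not explicitly CLOSED still needs an analyst.
        if not ip or review.get("Status") == "CLOSED" or rank < floor:
            return
        host = hosts[ip]
        if rank > RANK[host["worst"]]:
            host["worst"] = severity
        if incident.get("Id") is not None:
            host["incidents"].add(incident["Id"])
        if kind == "port":
            host["ports"].add(f'{record.get("PortNumber")}/{record.get("Transport")}')
        elif record.get("CveId"):
            host["cves"].add(record["CveId"])

    for port in as_list(ds.get("IpPorts")):
        consider(port, "port")
    for vuln in as_list(ds.get("Vulnerabilities")):
        consider(vuln, "vuln")

    rows = [{"ip": ip, "worst": h["worst"], "ports": sorted(h["ports"]),
             "cves": sorted(h["cves"]), "incidents": sorted(h["incidents"])}
            for ip, h in hosts.items()]
    rows.sort(key=lambda r: (-RANK[r["worst"]], r["ip"]))
    return rows


if __name__ == "__main__":
    for row in summarize_exposure(SAMPLE_CONTEXT):
        print(row)
```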

ds-search#


Perform a textual search against the available record types

Base Command#

ds-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_datePeriod | Only return results that occurred during the given period prior to the current time. For absolute dates, use from and until | Optional |
| filter_dateRange | Only return results that were verified/occurred/modified within this date range (inclusive). The field this applies to is controlled by dateRangeField. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_from | Only return results that were last active after this date/time (inclusive) | Optional |
| filter_tags | Only return results that have the following tags associated with them. | Optional |
| filter_types | Restrict the result types to only those listed here. At least one value is required. | Optional |
| filter_until | Only return results that were last active before this date/time (inclusive) | Optional |
| query | The query text to search for. | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!ds-search query=breach pagination_size=1

Human Readable Output#

{"content":[{"entity":{"author":"name","id":"id","observableCounts":{"cve":{"count":1,"exceededMaximum":false},"email":{"count":0,"exceededMaximum":false},"host":{"count":0,"exceededMaximum":false},"ipV4":{"count":0,"exceededMaximum":false},"md5":{"count":0,"exceededMaximum":false},"sha1":{"count":0,"exceededMaximum":false},"sha256":{"count":0,"exceededMaximum":false}},"published":"2016-05-16T00:00:00.000Z","screenshot":{"id":"id","link":"https://portal-digitalshadows.com/api/external/resources/id"},"screenshotThumbnail":{"id":"id","link":"https://portal-digitalshadows.com/api/thumbnails/id.jpg"},"siteCategories":["BLOG","SECURITY_COMMENTATOR"],"title":"The popular crime forum nnn...","sortDate":"2016-05-16T00:00:00.000Z","type":"BLOG_POST"}],"currentPage":{"offset":0,"size":1},"facets":{},"total":284483}

ds-get-tags#


Batch retrieve specific tags by their ids

Base Command#

ds-get-tags

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | One or more tag identifiers | Optional |
| detailed | Determines whether the tag descriptions will be included. | Optional |

Context Output#

There is no context output for this command.