Skip to main content

Digital Shadows

This Integration is part of the ReliaQuest GreyMatter DRP Incidents Pack.#

Digital Shadows monitors and manages an organization's digital risk across the widest range of data sources within the open, deep, and dark web.

Configure Digital Shadows in Cortex#

ParameterDescriptionRequired
serverServer URLTrue
apikeyAPI KeyTrue
secretSecretTrue
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
isFetchFetch incidentsFalse
incidentTypeIncident typeFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ds-get-breach-reviews#


Retrieve all review updates for a given data breach record

Base Command#

ds-get-breach-reviews

Input#

Argument NameDescriptionRequired
breach_idUnique id of the data breach record to retrieve the status history forRequired

Context Output#

PathTypeDescription
DigitalShadows.BreachReviews.NoteunknownThe note at this version (max length 500 characters)
DigitalShadows.BreachReviews.VersionunknownStarts counting at 1 and increments for each review of a given data breach credential. Will initially be 0 until a review is performed (when returned as part of a credential)
DigitalShadows.BreachReviews.StatusunknownReview status
DigitalShadows.BreachReviews.UserIDunknownID of user that changed the status/set the note
DigitalShadows.BreachReviews.UserRoleunknownRole of user that changed the status/set the note
DigitalShadows.BreachReviews.UserPermissionsunknownPermissins of user that changed the status/set the note
DigitalShadows.BreachReviews.UserEmailunknownEmail address of user that changed the status/set the note
DigitalShadows.BreachReviews.CreatedAtunknownThe moment in time the review was created

ds-snapshot-breach-status#


Snapshot the review status of a data breach record

Base Command#

ds-snapshot-breach-status

Input#

Argument NameDescriptionRequired
noteThe note at this version (max length 500 characters).Optional
statusReview status.Required
versionWhen submitting, this value can be optionally set to the version of the most recently read reviewOptional
breach_idUnique id of the data breach record to submit a status update forRequired

Context Output#

There is no context output for this command.

ds-find-breach-records#


Find data breach records

Base Command#

ds-find-breach-records

Input#

Argument NameDescriptionRequired
pagination_containingIdSelect the page containing the record with this id, if supported. Mutually exclusive with offset.Optional
pagination_offsetInclude results at this offset within the full resultset, where the first result is at position 0Optional
pagination_sizeMaximum number of results to return per page, can be initially null to be replaced by default laterOptional
sort_directionThe direction of sorting. If not specified, ASCENDING is assumedOptional
sort_propertyThe name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'.Optional
filter_distinctionNarrow down to records based on how unique their username and/or password are.Optional
filter_domainNamesOnly records that are related to these domain namesOptional
filter_passwordRecords that match this password, use '' for wildcard matching, '\' to find an actual asterisk.Optional
filter_publishedNarrow down to records based on when they were publishedOptional
filter_reviewStatusesList of statuses to include. Possible values are OPEN CLOSED IGNOREDOptional
filter_usernameRecords that match this username, use '*' for wildcard matching.Optional

Context Output#

PathTypeDescription
DigitalShadows.BreachRecords.ContentunknownThe row content of this data breach record (a line from a csv file, for example)
DigitalShadows.BreachRecords.IdunknownIdentifier for this data breach record
DigitalShadows.BreachRecords.PasswordunknownThe password found in the breach record, if any could be found
DigitalShadows.BreachRecords.DomainNamesunknownThe domain names identified within the breach row
DigitalShadows.BreachRecords.PriorRowTextBreachCountunknownThe number of breaches the entire text of the breach row has appeared in prior to the current breach
DigitalShadows.BreachRecords.PriorUsernameBreachCountunknownThe number of breaches this username appeared in prior to the current breach
DigitalShadows.BreachRecords.PriorUsernamePasswordBreachCountunknownThe number of breaches this username/password combination have appeared in prior to the current breach
DigitalShadows.BreachRecords.PublishedunknownWhen did this record become available
DigitalShadows.BreachRecords.Review.CreatedunknownThe moment in time the review was created.
DigitalShadows.BreachRecords.Review.StatusunknownReview status
DigitalShadows.BreachRecords.Review.User.idunknownUnique id of user
DigitalShadows.BreachRecords.Review.User.fullNameunknownFull name of the user
DigitalShadows.BreachRecords.Review.User.emailAddressunknownEmail address of the user
DigitalShadows.BreachRecords.UsernameunknownA best effort to identify a username within the content of the breach record
DigitalShadows.BreachRecords.DataBreachIdunknownThe data breach this record belongs to

Command Example#

!ds-find-breach-records pagination_size=2

Context Example#

{
"DigitalShadows": {
"BreachRecords": [
{
"Content": "A",
"DataBreachId": 99000001,
"DomainNames": [
"xsoar.com"
],
"Id": 140260931001,
"Password": "1",
"PriorRowTextBreachCount": null,
"PriorUsernameBreachCount": 0,
"PriorUsernamePasswordBreachCount": 0,
"Published": "2019-05-30T20:52:59.489Z",
"Review": {
"Created": null,
"Status": "OPEN",
"User": null
},
"Username": "some_mail@mail.com"
},
{
"Content": "B",
"DataBreachId": 99000002,
"DomainNames": [
"xsoar.com"
],
"Id": 140261100001,
"Password": "2",
"PriorRowTextBreachCount": null,
"PriorUsernameBreachCount": 0,
"PriorUsernamePasswordBreachCount": 0,
"Published": "2019-05-30T20:53:00.635Z",
"Review": {
"Created": null,
"Status": "OPEN",
"User": null
},
"Username": "another_mail@mail.com"
}
]
}
}

Human Readable Output#

Digital Shadows Breach Records#

ContentDataBreachIdDomainNamesIdPasswordPriorRowTextBreachCountPriorUsernameBreachCountPriorUsernamePasswordBreachCountPublishedReview CreatedReview StatusReview UserUsername
A99000001xsoar.com1402609310011002019-05-30T20:52:59.489ZOPENsome_mail@mail.com
aB99000002xsoar.com1402611000012002019-05-30T20:53:00.635ZOPENanother_mail@mail.com

ds-get-breach-summary#


Summary of all data breaches for the current client

Base Command#

ds-get-breach-summary

Input#

Argument NameDescriptionRequired

Context Output#

There is no context output for this command.

Command Example#

!ds-get-breach-summary

Context Example#

{}

Human Readable Output#

{"breachesPerDomain":[{"count":3,"key":"molnnet.com"}],"totalBreaches":3,"totalUsernames":238,"usernamesPerDomain":[{"count":238,"key":"xsoar.com"}]}

ds-find-breach-usernames#


Find unique usernames found across all data breaches

Base Command#

ds-find-breach-usernames

Input#

Argument NameDescriptionRequired
pagination_containingIdSelect the page containing the record with this id, if supported. Mutually exclusive with offset.Optional
pagination_offsetInclude results at this offset within the full resultset, where the first result is at position 0Optional
pagination_sizeMaximum number of results to return per page, can be initially null to be replaced by default laterOptional
sort_directionThe direction of sorting. If not specified, ASCENDING is assumedOptional
sort_propertyThe name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'.Optional
filter_domainNamesOnly records that are related to these domain namesOptional
filter_publishedNarrow down to records based on when they were publishedOptional
filter_reviewStatusesList of statuses to include. Possible values are OPEN CLOSED IGNOREDOptional
filter_usernameRecords that match this username, use '*' for wildcard matching.Optional

Context Output#

PathTypeDescription
DigitalShadows.Users.BreachCountunknownThe number of data breaches this username has appeared on
DigitalShadows.Users.DistinctPasswordCountunknownThe number of distict passwords encountered for this user
DigitalShadows.Users.UsernameunknownThe username that this summary is for

Command Example#

!ds-find-breach-usernames pagination_size=2

Context Example#

{
"DigitalShadows": {
"Users": [
{
"BreachCount": 1,
"DistinctPasswordCount": 1,
"Username": "mail1@mail.com"
},
{
"BreachCount": 1,
"DistinctPasswordCount": 1,
"Username": "mail2@mail.com"
}
]
}
}

Human Readable Output#

Digital SHadows Breach Reviews#

BreachCountDistinctPasswordCountUsername
11mail1@mail.com
11mail2@mail.com

ds-get-breach#


Retrieve a data breach by its id

Base Command#

ds-get-breach

Input#

Argument NameDescriptionRequired
breach_idId of the data breach to retrieveRequired

Context Output#

PathTypeDescription
DigitalShadows.Breaches.DomainCountunknownNumber of unique domains contained in the breach.
DigitalShadows.Breaches.DomainNameunknownThe domain the data breach occurred against
DigitalShadows.Breaches.DataClassesunknownData types contained within the breach
DigitalShadows.Breaches.IdunknownUnique identifier for a breach
DigitalShadows.Breaches.IncidentIdunknownThe ID of the incident raised for the breach, most specific to the client.
DigitalShadows.Breaches.IncidentScopeunknownThe scope of the incident raised for the breach, most specific to the client.
DigitalShadows.Breaches.IncidentSeverityunknownThe severity of the incident raised for the breach, most specific to the client.
DigitalShadows.Breaches.IncidentTitleunknownThe title of the incident raised for the breach, most specific to the client.
DigitalShadows.Breaches.IncidentTypeunknownThe type of the incident raised for the breach, most specific to the client.
DigitalShadows.Breaches.OccurredunknownDate the breach occurred
DigitalShadows.Breaches.RecordCountunknownNumber of records contained in the breach
DigitalShadows.Breaches.SourceUrlunknownThe url the data breach was found on
DigitalShadows.Breaches.TitleunknownThe title assigned to this data breach

Command Example#

!ds-get-breach breach_id=99000001

Context Example#

{
"DigitalShadows": {
"Breaches": {
"DataClasses": [
"EMAIL_ADDRESSES",
"PASSWORDS"
],
"DomainCount": 3372,
"DomainName": "xsoar.com",
"Id": 99000001,
"IncidentId": 99002706,
"IncidentScope": "ORGANIZATION",
"IncidentSeverity": "HIGH",
"IncidentTitle": "Report of data leak from xsoar.com",
"IncidentType": "DATA_LEAKAGE",
"Occurred": "2016-07-03",
"RecordCount": 5846,
"SourceUrl": "some_url",
"Title": "Report of data leak from xsoar.com"
}
}
}

Human Readable Output#

Digital Shadows Breaches#

DataClassesDomainCountDomainNameIdIncidentIdIncidentScopeIncidentSeverityIncidentTitleIncidentTypeOccurredRecordCountSourceUrlTitle
EMAIL_ADDRESSES,PASSWORDS3372xsoar.com9900000199002706ORGANIZATIONHIGHReport of data leak from xsoar.comDATA_LEAKAGE2016-07-035846some_urlReport of data leak from xsoar.com

ds-get-breach-records#


Find data breach records

Base Command#

ds-get-breach-records

Input#

Argument NameDescriptionRequired
breach_idUnique id of the data breach to retrieve records forRequired
pagination_containingIdSelect the page containing the record with this id, if supported. Mutually exclusive with offset.Optional
pagination_offsetInclude results at this offset within the full resultset, where the first result is at position 0Optional
pagination_sizeMaximum number of results to return per page, can be initially null to be replaced by default laterOptional
sort_directionThe direction of sorting. If not specified, ASCENDING is assumedOptional
sort_propertyThe name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'.Optional
filter_distinctionNarrow down to records based on how unique their username and/or password are.Optional
filter_domainNamesOnly records that are related to these domain namesOptional
filter_passwordRecords that match this password, use '' for wildcard matching, '\' to find an actual asterisk.Optional
filter_publishedNarrow down to records based on when they were publishedOptional
filter_reviewStatusesList of statuses to include. Possible values are OPEN CLOSED IGNOREDOptional
filter_usernameRecords that match this username, use '*' for wildcard matching.Optional

Context Output#

PathTypeDescription
DigitalShadows.BreachRecords.IdunknownIdentifier for this data breach record
DigitalShadows.BreachRecords.PasswordunknownThe password found in the breach record, if any could be found
DigitalShadows.BreachRecords.PriorRowTextBreachCountunknownThe number of breaches the entire text of the breach row has appeared in prior to the current breach
DigitalShadows.BreachRecords.PriorUsernameBreachCountunknownThe number of breaches this username appeared in prior to the current breach
DigitalShadows.BreachRecords.PriorUsernamePasswordBreachCountunknownThe number of breaches this username/password combination have appeared in prior to the current breach
DigitalShadows.BreachRecords.PublishedunknownWhen did this record become available
DigitalShadows.BreachRecords.Review.CreatedunknownThe most recent review for this record
DigitalShadows.BreachRecords.Review.StatusunknownThe status of the most recent review for this record
DigitalShadows.BreachRecords.Review.UserunknownThe user who created the most recent review for this record
DigitalShadows.BreachRecords.UsernameunknownA best effort to identify a username within the content of the breach record

Command Example#

!ds-get-breach-records breach_id=99000001 pagination_size=2

Context Example#

{
"DigitalShadows": {
"BreachRecords": [
{
"Id": 140260931001,
"Password": "1",
"PriorRowTextBreachCount": null,
"PriorUsernameBreachCount": 0,
"PriorUsernamePasswordBreachCount": 0,
"Published": "2019-05-30T20:52:59.489Z",
"Review": {
"Created": null,
"Status": "OPEN",
"User": null
},
"Username": "some_mail@mail.com"
},
{
"Id": 140260944001,
"Password": "2",
"PriorRowTextBreachCount": null,
"PriorUsernameBreachCount": 0,
"PriorUsernamePasswordBreachCount": 0,
"Published": "2019-05-30T20:52:59.489Z",
"Review": {
"Created": null,
"Status": "OPEN",
"User": null
},
"Username": "another_mail@mail.com"
}
]
}
}

Human Readable Output#

Digital Shadows Breach Records#

IdPasswordPriorRowTextBreachCountPriorUsernameBreachCountPriorUsernamePasswordBreachCountPublishedReview CreatedReview StatusReview UserUsername
1402609310011002019-05-30T20:52:59.489ZOPENsome_mail@mail.com
1402609440012002019-05-30T20:52:59.489ZOPENanother_mail@mail.com

ds-find-data-breaches#


Find data breaches

Base Command#

ds-find-data-breaches

Input#

Argument NameDescriptionRequired
pagination_containingIdSelect the page containing the record with this id, if supported. Mutually exclusive with offset.Optional
pagination_offsetInclude results at this offset within the full resultset, where the first result is at position 0Optional
pagination_sizeMaximum number of results to return per page, can be initially null to be replaced by default laterOptional
sort_directionThe direction of sorting. If not specified, ASCENDING is assumedOptional
sort_propertyThe name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'.Optional
filter_alertedOnly include data breaches with associated incidents that have been alertedOptional
filter_domainNamesOnRecordsList of domain names to filter by. Only data breaches that have one or more records attributed to this domain nameOptional
filter_minimumTotalRecordsOnly include data breaches that have at least this many total records (inclusive)Optional
filter_publishedNarrow down to records based on when they were publishedOptional
filter_repostedCredentialsFilter out breaches depending on whether they consist entirely of reposted credentials or not. ORIGINAL or REPOSTOptional
filter_severitiesOnly include data breaches with associated incidents having one of these severities, if not specified, all are consideredOptional
filter_statusesList of statuses to filter by. Pssible values:UNREAD, READ, CLOSED.Optional
filter_usernameOnly show breaches that include this usernameOptional

Context Output#

PathTypeDescription
DigitalShadows.Breaches.DomainCountunknownNumber of unique domains contained in the breach
DigitalShadows.Breaches.DomainNameunknownThe domain the data breach occurred against
DigitalShadows.Breaches.DataClassesunknownData types contained within the breach
DigitalShadows.Breaches.IdunknownUnique identifier for a breach
DigitalShadows.Breaches.IncidentIdunknownThe ID of the incident raised for the breach, most specific to the client.
DigitalShadows.Breaches.IncidentScopeunknownThe Scope of the incident raised for the breach, most specific to the client.
DigitalShadows.Breaches.IncidentSeverityunknownThe severity of the incident raised for the breach, most specific to the client.
DigitalShadows.Breaches.IncidentTitleunknownThe title of the incident raised for the breach, most specific to the client.
DigitalShadows.Breaches.IncidentTypeunknownThe type of the incident raised for the breach, most specific to the client.
DigitalShadows.Breaches.OccurredunknownDate the breach occurred
DigitalShadows.Breaches.ModifiedunknownWhen was this breach last modified
DigitalShadows.Breaches.RecordCountunknownNumber of records contained in the breach
DigitalShadows.Breaches.SourceUrlunknownThe url the data breach was found on
DigitalShadows.Breaches.TitleunknownThe title assigned to this data breach
DigitalShadows.Breaches.OrganisationUsernameCountunknownThe number of distict usernames found that belong to the current organisation

Command Example#

!ds-find-data-breaches pagination_size=2

Context Example#

{
"DigitalShadows": {
"Breaches": [
{
"DataClasses": null,
"DomainCount": 3372,
"DomainName": "xsoar.com",
"Id": 99000001,
"IncidentId": 99002706,
"IncidentScope": "ORGANIZATION",
"IncidentSeverity": "HIGH",
"IncidentTitle": "Report of data leak from xsoar.com",
"IncidentType": "DATA_LEAKAGE",
"Modified": "2018-07-24T18:24:59.449Z",
"Occurred": "2016-07-03",
"OrganisationUsernameCount": 100,
"RecordCount": 5846,
"SourceUrl": "some_url",
"Title": "Report of data leak from xsoar.com"
},
{
"DataClasses": null,
"DomainCount": 5848,
"DomainName": "someDomain.com",
"Id": 99000000,
"IncidentId": 99002728,
"IncidentScope": "ORGANIZATION",
"IncidentSeverity": "HIGH",
"IncidentTitle": "Report of data leak from someDomain.com",
"IncidentType": "DATA_LEAKAGE",
"Modified": "2018-07-24T18:22:42.780Z",
"Occurred": "2016-06-29",
"OrganisationUsernameCount": 100,
"RecordCount": 5858,
"SourceUrl": "another_url",
"Title": "Report of data leak from someDomain.com"
}
]
}
}

Human Readable Output#

Digital Shadows Breaches#

DataClassesDomainCountDomainNameIdIncidentIdIncidentScopeIncidentSeverityIncidentTitleIncidentTypeModifiedOccurredOrganisationUsernameCountRecordCountSourceUrlTitle
3372xsoar.com9900000199002706ORGANIZATIONHIGHReport of data leak from xsoar.comDATA_LEAKAGE2018-07-24T18:24:59.449Z2016-07-031005846some_urlReport of data leak from xsoar.com
5848someDomain.com9900000099002728ORGANIZATIONHIGHReport of data leak from someDomain.comDATA_LEAKAGE2018-07-24T18:22:42.780Z2016-06-291005858another_urlReport of data leak from someDomain.com

ds-get-incident#


Retrieve an incident by its id

Base Command#

ds-get-incident

Input#

Argument NameDescriptionRequired
incident_idIdentifier of the incidentRequired
fulltextShow full text resultsOptional

Context Output#

PathTypeDescription
DigitalShadows.Incidents.AlertedunknownThe moment this incident was brought to the attention of the client
DigitalShadows.Incidents.DescriptionunknownPlain text description of this incident
DigitalShadows.Incidents.ImpactDescriptionunknownDescription of what impact the incident will have
DigitalShadows.Incidents.IdunknownIdentifier for this incident, unique in combination with the scope
DigitalShadows.Incidents.InternalunknownWill be true if domain belongs to your organization (as defined by the assets), false otherwise
DigitalShadows.Incidents.MitigationunknownInformation about what can be done to mitigate the effect of the problem
DigitalShadows.Incidents.OccurredunknownBest effort to establish when the incident occurre
DigitalShadows.Incidents.ModifiedunknownWhen was this incident last modified
DigitalShadows.Incidents.ScopeunknownIdentifies whether this incident applies globally (intelligence) or just to your organization
DigitalShadows.Incidents.TypeunknownThe category of incident that has been raised
DigitalShadows.Incidents.TitleunknownA short but descriptive identifier for the incident
DigitalShadows.Incidents.Review.CreatedunknownThe moment in time the review was created
DigitalShadows.Incidents.Review.StatusunknownReview status
DigitalShadows.Incidents.Review.UserunknownThe user that changed the status/set the note
DigitalShadows.Incidents.SubTypeunknownThe sub-category of incident that has been raised, if available
DigitalShadows.Incidents.SeverityunknownAnalyst defined severity based on potential risk to the client

Command Example#

!ds-get-incident incident_id=99002724

Context Example#

{
"DigitalShadows": {
"Incidents": {
"Alerted": null,
"Description": "Several documents in .docx, .xls, and .ppt format were identified on a publicly accessible some derive on the following IP: 1.2.3.4. \r\n",
"Id": 99002724,
"ImpactDescription": "The IP address contained 30 documents relating to the Company at the following paths: \r\n\r\n1.\thxxps://1.2.3.4//man",
"Internal": false,
"Mitigation": "As the drives are no longer accessible",
"Modified": "2020-11-06T00:22:57.753Z",
"Occurred": "2018-08-23T03:45:57.215Z",
"Review": {
"Created": "2019-08-01T13:19:53.522Z",
"Status": "UNREAD",
"User": null
},
"Scope": "ORGANIZATION",
"Severity": "MEDIUM",
"SubType": "UNMARKED_DOCUMENT",
"Title": "Vendor documents identified on publicly accessible Network Attached Storage drive",
"Type": "DATA_LEAKAGE"
}
}
}

Human Readable Output#

Digital Shadows Incidents#

AlertedDescriptionIdImpactDescriptionInternalMitigationModifiedOccurredReview CreatedReview StatusReview UserScopeSeveritySubTypeTitleType
Several documents in .docx, .xls, and .ppt format were identified on a publicly accessible some derive on the following IP: 1.2.3.4.
99002724The IP address contained 30 documents relating to the Company at the following paths:

1. hxxps://1.2.3.4//man
falseAs the drives are no longer accessible.2020-11-06T00:22:57.753Z2018-08-23T03:45:57.215Z2019-08-01T13:19:53.522ZUNREADORGANIZATIONMEDIUMUNMARKED_DOCUMENTVendor documents identified on publicly accessible Network Attached Storage driveDATA_LEAKAGE

ds-get-incident-reviews#


Retrieve all review updates for a given incident

Base Command#

ds-get-incident-reviews

Input#

Argument NameDescriptionRequired
incident_idId of the incident to retrieve the review history for.Required

Context Output#

PathTypeDescription
DigitalShadows.IncidentReviews.NoteunknownThe note at this version (max length 500 characters)
DigitalShadows.IncidentReviews.CreatedunknownThe moment in time the review was created
DigitalShadows.IncidentReviews.StatusunknownReview status
DigitalShadows.IncidentReviews.User.IdunknownThe unique id of the user that changed the status/set the note.
DigitalShadows.IncidentReviews.User.EmailAddressunknownThe email address of the user that changed the status/set the note.
DigitalShadows.IncidentReviews.User.FullNameunknownThe full name of the user that changed the status/set the note.
DigitalShadows.IncidentReviews.User.RoleunknownThe role of the user that changed the status/set the note.
DigitalShadows.IncidentReviews.User.StatusunknownThe status of the user that changed the status/set the note.

Command Example#

!ds-get-incident-reviews incident_id=99002724

Context Example#

{
"DigitalShadows": {
"IncidentReviews": {
"Created": "2019-08-01T13:19:53.522Z",
"Note": null,
"Status": "UNREAD",
"User": {
"EmailAddress": null,
"FullName": null,
"Id": null,
"Role": null,
"Status": null
},
"Version": 1
}
}
}

Human Readable Output#

Digital Shadows Incident Reviews#

CreatedNoteStatusUser EmailAddressUser FullNameUser IdUser RoleUser StatusVersion
2019-08-01T13:19:53.522ZUNREAD1

ds-snapshot-incident-review#


Snapshot the review status of an incident

Base Command#

ds-snapshot-incident-review

Input#

Argument NameDescriptionRequired
incident_idId of the incident to apply a review update to.Required
noteThe note at this version (max length 500 characters).Optional
statusReview statusOptional
versionWhen submitting, this value can be optionally set to the version of the most recently read review. If the version on the server does not match this value, a 409 conflict will be returned.Optional

Context Output#

There is no context output for this command.

ds-find-incidents-filtered#


Find incidents with filtering options

Base Command#

ds-find-incidents-filtered

Input#

Argument NameDescriptionRequired
subscribedIf true, the results will also include any subscribed intelligence incidents.Optional
subscribedOnlyIf true, the only results returned will be subscribed intelligence incidents. Must not be set to true with subscribed set to falseOptional
pagination_containingIdSelect the page containing the record with this id, if supported. Mutually exclusive with offset.Optional
pagination_offsetInclude results at this offset within the full resultset, where the first result is at position 0Optional
pagination_sizeMaximum number of results to return per page, can be initially null to be replaced by default laterOptional
sort_directionThe direction of sorting. If not specified, ASCENDING is assumedOptional
sort_propertyThe name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'.Optional
filter_alertedOnly incidents that have been alerted to the client.Optional
filter_dateRangeOnly return results that were verified/occurred/modified within this date range (inclusive). The field this applies to is controlled by dateRangeField. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}.Optional
filter_dateRangeFieldDetermines which date/time field the dateRange will apply to.Optional
filter_domainNameOnly incidents that have this domain, applied if domainSelection is null or CUSTOMOptional
filter_domainSelectionDetermine how domain filtering will be applied.Optional
filter_identifierOnly return the incident that has this identifier.Optional
filter_repostedCredentialsOption specific to data breach based incidents to filter out new and reposted breach credentials. ORIGINAL, REPOSTOptional
filter_severitiesOnly include incidents with these severities, if not specified, all are considered. VERY_HIGH, HIGH, MEDIUM, LOW, VERY_LOW, NONEOptional
filter_statusesUNREAD, READ, CLOSEDOptional
filter_types_typeThe category of incident that has been raised.Optional
filter_types_subTypesThe sub-category of incident that has been raised, if available.Optional
filter_types_content_severityAnalyst defined severity based on potential risk to the client.Optional
filter_tagOperatorWhether multiple tags should be logically applied as AND/OR with the resultsetOptional
filter_withContentRemovedInclude incidents for which the content of the incident has been removed form the source.Optional
filter_withTakedownInclude incidents on which one or more takedown requests have been generated.Optional
filter_withoutContentRemovedInclude incidents for which the content of the incident has not been removed form the source.Optional
filter_withoutTakedownInclude incidents on which a takedown request has not been generated.Optional

Context Output#

PathTypeDescription
DigitalShadows.Incidents.AlertedunknownThe moment this incident was brought to the attention of the client
DigitalShadows.Incidents.DescriptionunknownPlain text description of this incident
DigitalShadows.Incidents.IdunknownIdentifier for this incident, unique in combination with the scope
DigitalShadows.Incidents.InternalunknownWill be true if domain belongs to your organization (as defined by the assets), false otherwis
DigitalShadows.Incidents.MitigationunknownInformation about what can be done to mitigate the effect of the problem
DigitalShadows.Incidents.ModifiedunknownWhen was this incident last modified
DigitalShadows.Incidents.OccurredunknownBest effort to establish when the incident occurred
DigitalShadows.Incidents.PublishedunknownWhen was this incident originally published
DigitalShadows.Incidents.RestrictedContentunknownIdentifies this incident as potentially containing questionable content. If this is true images will be restricted
DigitalShadows.Incidents.ScopeunknownIdentifies whether this incident applies globally (intelligence) or just to your organization
DigitalShadows.Incidents.SeverityunknownAnalyst defined severity based on potential risk to the client
DigitalShadows.Incidents.SubTypeunknownThe sub-category of incident that has been raised, if available
DigitalShadows.Incidents.VerifiedunknownThe moment when the incident was verified
DigitalShadows.Incidents.TypeunknownThe category of incident that has been raised
DigitalShadows.Incidents.VersionunknownEach time an update occurs, this version number is incremented
DigitalShadows.Incidents.Review.CreatedunknownThe date the review state for this incident was created
DigitalShadows.Incidents.Review.StatusunknownThe status of the review state for this incident
DigitalShadows.Incidents.Review.User.idunknownThe user that create the review state for this incident
DigitalShadows.Incidents.Review.User.fullNameunknownThe full name of the user that created review state for this incident

Command Example#

!ds-find-incidents-filtered pagination_size=3

Context Example#

{
"DigitalShadows": {
"Incidents": {
"Alerted": null,
"Description": "Several documents in .docx, .xls, and .ppt format were identified on a publicly accessible some derive on the following IP: 1.2.3.4.",
"Id": 99002724,
"Internal": null,
"Mitigation": "As the drives are no longer accessible.",
"Modified": "2020-11-05T00:33:48.344Z",
"Occurred": "2018-08-23T03:45:57.215Z",
"Published": "2020-11-04T23:59:59.999Z",
"RecordCount": null,
"RestrictedContent": null,
"Review": {
"Created": "2019-08-01T13:19:53.522Z",
"Status": "UNREAD",
"User": null
},
"Scope": "ORGANIZATION",
"Score": 0,
"Severity": "MEDIUM",
"SubType": {
"Error": "You must provide the query to use"
},
"Title": "Vendor documents identified on publicly accessible Network Attached Storage drive",
"Type": "DATA_LEAKAGE",
"Verified": {
"Error": "You must provide the query to use"
},
"Version": {
"Error": "You must provide the query to use"
}
}
}
}

Human Readable Output#

Digital Shadows Incidents#

AlertedDescriptionIdInternalMitigationModifiedOccurredPublishedRecordCountRestrictedContentReview CreatedReview StatusReview UserScopeScoreSeveritySubTypeTitleTypeVerifiedVersion
Several documents in .docx, .xls, and .ppt format were identified on a publicly accessible some derive on the following IP: 1.2.3.4.99002724As the drives are no longer accessible.2020-11-05T00:33:48.344Z2018-08-23T03:45:57.215Z2020-11-04T23:59:59.999Z2019-08-01T13:19:53.522ZUNREADORGANIZATION0MEDIUM{"Error":"You must provide the query to use"}Vendor documents identified on publicly accessible Network Attached Storage driveDATA_LEAKAGE{"Error":"You must provide the query to use"}{"Error":"You must provide the query to use"}

ds-get-incidents-summary#


Aggregated summary of incident information used to generate reports/statistics

Base Command#

ds-get-incidents-summary

Input#

Argument NameDescriptionRequired
filter_domainNameOnly incidents that have this domain, applied if domainSelection is null or CUSTOMOptional
filter_dateRangeFieldDetermines which date/time field the dateRange will apply to.Optional
filter_identifierOnly return the incident that has this identifier.Optional
filter_dateRangeOnly return results that were verified/occurred/modified within this date range (inclusive). The field this applies to is controlled by dateRangeField. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}.Optional
groupByKeyDetermines which incident property will be grouped on. Mutually exclusive with groupByKeysOptional
sort_directionThe direction of sorting. If not specified, ASCENDING is assumedOptional
sort_propertyThe name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'.Optional
pagination_containingIdSelect the page containing the record with this id, if supported. Mutually exclusive with offset.Optional
pagination_offsetInclude results at this offset within the full resultset, where the first result is at position 0Optional
pagination_sizeMaximum number of results to return per page, can be initially null to be replaced by default laterOptional

Context Output#

There is no context output for this command.

Command Example#

!ds-get-incidents-summary pagination_size=2

Human Readable Output#

{"keySet":[null],"ranges":[{"groupedIncidentCounts":[{"count":25}],"rangeEnd":"2020-11-05T17:37:26.533Z","rangeStart":"2020-11-01T00:00:00.000Z","total":25}]}

ds-get-apt-report#


Retrieve details of the specified APT report

Base Command#

ds-get-apt-report

Input#

Argument NameDescriptionRequired
report_idThe unique identifier assigned to a given APT report (UUID based).Required

Context Output#

PathTypeDescription
DigitalShadows.APTReports.IdunknownInternal identifier for uniquely identifying this report
DigitalShadows.APTReports.NameunknownName assigned to this report for ease of identification
DigitalShadows.APTReports.PublishedunknownThe date the report became available
DigitalShadows.APTReports.Report.IdunknownThe ID of the report resource allowing it to be downloaded
DigitalShadows.APTReports.Report.LinkunknownThe link of the report resource allowing it to be downloaded
DigitalShadows.APTReports.Preview.IdunknownID of a preview image of the frontpage of the report, if available
DigitalShadows.APTReports.Preview.LinkunknownA fully qualified link URI for preview image of the frontpage of the report, if available

ds-get-intelligence-incident#


Retrieve an intelligence incident by its id

Base Command#

ds-get-intelligence-incident

Input#

Argument NameDescriptionRequired
incident_idThe id of the intelligence incident to retrieveRequired

Context Output#

PathTypeDescription
DigitalShadows.IntelligenceIncidents.DescriptionunknownPlain text description of this incident.
DigitalShadows.IntelligenceIncidents.IdunknownIdentifier for this incident, unique in combination with the scope
DigitalShadows.IntelligenceIncidents.IndicatorOfCompromiseCountunknownCount of IOCs that can be retrieved via /api/incidents/{id}/iocs endpoint
DigitalShadows.IntelligenceIncidents.InternalunknownWill be true if domain belongs to your organization (as defined by the assets), false otherwise
DigitalShadows.IntelligenceIncidents.LinkedContentIncidentsunknownOther incidents that appear to be based on the same content as this incident. Each incident record will normally only contain the id and the scope it applies to. Could also include more details depending on the context it is called in.
DigitalShadows.IntelligenceIncidents.ModifiedunknownWhen was this incident last modified
DigitalShadows.IntelligenceIncidents.OccurredunknownBest effort to establish when the incident occurred
DigitalShadows.IntelligenceIncidents.PublishedunknownWhen was this incident originally published
DigitalShadows.IntelligenceIncidents.RelatedIncidentIdunknownIf an incident specific to your organization exists for this intelligence incident, it will be included here.
DigitalShadows.IntelligenceIncidents.RestrictedContentunknownIdentifies this incident as potentially containing questionable content. If this is true images will be restricted.
DigitalShadows.IntelligenceIncidents.ScopeunknownIdentifies whether this incident applies globally (intelligence) or just to your organization.
DigitalShadows.IntelligenceIncidents.SeverityunknownAnalyst defined severity based on potential risk to the client
DigitalShadows.IntelligenceIncidents.SubTypeunknownThe sub-category of incident that has been raised, if available
DigitalShadows.IntelligenceIncidents.TitleunknownA short but descriptive identifier for the incident
DigitalShadows.IntelligenceIncidents.TypeunknownThe category of incident that has been raised
DigitalShadows.IntelligenceIncidents.VerifiedunknownThe moment when the incident was verified.
DigitalShadows.IntelligenceIncidents.VersionunknownEach time an update occurs, this version number is incremented

Command Example#

!ds-get-intelligence-incident incident_id=6470614

Context Example#

{
"DigitalShadows": {
"IntelligenceIncidents": {
"Description": "Summary: some event in the past",
"Id": 6470614,
"IndicatorOfCompromiseCount": 0,
"Internal": false,
"LinkedContentIncidents": null,
"Modified": "2018-08-30T07:18:22.566Z",
"Occurred": "2016-02-08T10:55:00.000Z",
"Published": "2016-02-08T12:22:03.203Z",
"RelatedIncidentId": null,
"RestrictedContent": false,
"Scope": "GLOBAL",
"Severity": "LOW",
"SubType": null,
"Title": "08 Feb 2016 protest update",
"Type": "CYBER_THREAT",
"Verified": "2016-02-08T11:22:48.539Z",
"Version": 12
}
}
}

Human Readable Output#

Digital Shadows Intelligence Incident#

DescriptionIdIndicatorOfCompromiseCountInternalLinkedContentIncidentsModifiedOccurredPublishedRelatedIncidentIdRestrictedContentScopeSeveritySubTypeTitleTypeVerifiedVersion
Summary: some event in the past64706140false2018-08-30T07:18:22.566Z2016-02-08T10:55:00.000Z2016-02-08T12:22:03.203ZfalseGLOBALLOW08 Feb 2016 protest updateCYBER_THREAT2016-02-08T11:22:48.539Z12

ds-get-intelligence-incident-iocs#


Retrieve the indicatorsOfCompromise for this intel incident

Base Command#

ds-get-intelligence-incident-iocs

Input#

Argument NameDescriptionRequired
incident_idThe intelligence incident identifierRequired
visibleList of values to control the visibility of elements. If a value is present then the correspinding element should be displayedOptional
sort_directionThe direction of sorting. If not specified, ASCENDING is assumedOptional
sort_propertyThe name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'.Optional
pagination_containingIdSelect the page containing the record with this id, if supported. Mutually exclusive with offset.Optional
pagination_offsetInclude results at this offset within the full resultset, where the first result is at position 0Optional
pagination_sizeMaximum number of results to return per page, can be initially null to be replaced by default laterOptional
filter_valueThe filter that will narrow the results based on one or more criteriaOptional
filter_typesList of types to filter by. Possible values are IP,MD5,SHA1,SHA256,URL,CVE,EMAIL,HOST,REGISTRY,FILEPATH,FILENAMEOptional

Context Output#

PathTypeDescription
DigitalShadows.IntelligenceIncidentsIOCs.IdunknownInternal identifier for uniquely identifying this IOC
DigitalShadows.IntelligenceIncidentsIOCs.IntelIncident.IdunknownIf this IOC is associated with an intel incident
DigitalShadows.IntelligenceIncidentsIOCs.IntelIncident.ScopeunknownIf this IOC is associated with an intel incident
DigitalShadows.IntelligenceIncidentsIOCs.TypeunknownIdentifies the type of incidicator that also determines how it is encoded into a string
DigitalShadows.IntelligenceIncidentsIOCs.ValueunknownThe value of this indicator, encoded according to its type. For example hashes are base16 encoded.
DigitalShadows.IntelligenceIncidentsIOCs.SourceunknownA comment provided by the analysts as to where this IOC came from.
DigitalShadows.IntelligenceIncidentsIOCs.LastUpdatedunknownWhen this record last changed
DigitalShadows.IntelligenceIncidentsIOCs.AptReport.IdunknownIf this IOC is associated with an APT report

Command Example#

#### Human Readable Output
### ds-find-intelligence-incidents
***
Find intelligence incidents
#### Base Command
`ds-find-intelligence-incidents`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| filter_dateRange | Only return results that were verified/occurred/modified within this date range (inclusive). The field this applies to is controlled by dateRangeField. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_dateRangeField | Determines which date/time field the dateRange will apply to. | Optional |
| filter_domainName | Only incidents that have this domain, applied if domainSelection is null or CUSTOM | Optional |
| filter_domainSelection | Determine how domain filtering will be applied. | Optional |
| filter_identifier | Only return the incident that has this identifier. | Optional |
| filter_severities | Only include SSL/certificate infrastructure incidents with these severities. String values from VERY_HIGH, HIGH, MEDIUM, LOW, VERY_LOW, NONE | Optional |
| filter_tagOperator | Whether multiple tags should be logically applied as AND/OR with the resultset | Optional |
| filter_tags_id | Limit to incidents that have these tags ids only. | Optional |
| filter_threatRecordIds | Restrict intel incidents to those tagged with one or more of these threat records. | Optional |
| filter_threatTypes_type | Restrict intel incidents to those associated with threats of these types:ACTOR,CAMPAIGN,EVENT,TOOL,SPECIFIC_TTP,LOCATION | Optional |
| filter_threatTypes | The type to match to. Will match to any incident with this type unless subTypes is not empty, in which case only incident matches based on the sub-type will be considered. | Optional |
| filter_threatSubTypes | List of pecific sub type(s) to match to. String values from BRAND_MISUSE, COMPANY_THREAT, CORPORATE_INFORMATION, CREDENTIAL_COMPROMISE, CUSTOMER_DETAILS, CVE, DEFAMATION, DOMAIN_CERTIFICATE_ISSUE, EMPLOYEE_THREAT, EXPOSED_PORT, INTELLECTUAL_PROPERTY, INTERNALLY_MARKED_DOCUMENT, LEGACY_MARKED_DOCUMENT, MOBILE_APPLICATION, NEGATIVE_PUBLICITY, PERSONAL_INFORMATION, PHISHING_ATTEMPT, PROTECTIVELY_MARKED_DOCUMENT, SPOOF_PROFILE, TECHNICAL_INFORMATION,TECHNICAL_LEAKAGE, UNMARKED_DOCUMENT | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DigitalShadows.IntelligenceIncidents.Description | unknown | Plain text description of this incident. |
| DigitalShadows.IntelligenceIncidents.Id | unknown | Identifier for this incident, unique in combination with the scope |
| DigitalShadows.IntelligenceIncidents.IndicatorOfCompromiseCount | unknown | Count of IOCs that can be retrieved via /api/incidents/\{id\}/iocs endpoint |
| DigitalShadows.IntelligenceIncidents.Internal | unknown | Will be true if domain belongs to your organization \(as defined by the assets\), false otherwise |
| DigitalShadows.IntelligenceIncidents.LinkedContentIncidents | unknown | Other incidents that appear to be based on the same content as this incident. Each incident record will normally only contain the id and the scope it applies to. Could also include more details depending on the context it is called in. |
| DigitalShadows.IntelligenceIncidents.Modified | unknown | When was this incident last modified |
| DigitalShadows.IntelligenceIncidents.Occurred | unknown | Best effort to establish when the incident occurred |
| DigitalShadows.IntelligenceIncidents.Published | unknown | When was this incident originally published |
| DigitalShadows.IntelligenceIncidents.RelatedIncidentId | unknown | If an incident specific to your organization exists for this intelligence incident, it will be included here. |
| DigitalShadows.IntelligenceIncidents.RestrictedContent | unknown | Identifies this incident as potentially containing questionable content. If this is true images will be restricted. |
| DigitalShadows.IntelligenceIncidents.Scope | unknown | Identifies whether this incident applies globally \(intelligence\) or just to your organization. |
| DigitalShadows.IntelligenceIncidents.Severity | unknown | Analyst defined severity based on potential risk to the client |
| DigitalShadows.IntelligenceIncidents.SubType | unknown | The sub-category of incident that has been raised, if available |
| DigitalShadows.IntelligenceIncidents.Title | unknown | A short but descriptive identifier for the incident |
| DigitalShadows.IntelligenceIncidents.Type | unknown | The category of incident that has been raised |
| DigitalShadows.IntelligenceIncidents.Verified | unknown | The moment when the incident was verified. |
| DigitalShadows.IntelligenceIncidents.Version | unknown | Each time an update occurs, this version number is incremented |
#### Command Example
```!ds-find-intelligence-incidents pagination_size=2```
#### Context Example
```json
{
"DigitalShadows": {
"IntelligenceIncidents": [
{
"Description": "A new post was added to Happy Blog.",
"Id": 65624604,
"IndicatorOfCompromiseCount": 0,
"Internal": false,
"LinkedContentIncidents": null,
"Modified": "2020-11-05T15:53:33.166Z",
"Occurred": "2020-11-05T05:48:42.588Z",
"Published": "2020-11-05T15:53:33.161Z",
"RelatedIncidentId": null,
"RestrictedContent": false,
"Scope": "GLOBAL",
"Severity": "LOW",
"SubType": null,
"Title": "Tipper: Richardson Sales Performance named on Happy Blog ",
"Type": "CYBER_THREAT",
"Verified": "2020-11-05T14:01:48.656Z",
"Version": 7
},
{
"Description": "A new post was added to Happy Blog.",
"Id": 65604506,
"IndicatorOfCompromiseCount": 0,
"Internal": false,
"LinkedContentIncidents": null,
"Modified": "2020-11-05T15:47:36.590Z",
"Occurred": "2020-11-04T21:48:04.784Z",
"Published": "2020-11-05T15:47:36.582Z",
"RelatedIncidentId": null,
"RestrictedContent": false,
"Scope": "GLOBAL",
"Severity": "LOW",
"SubType": null,
"Title": "Tipper: New Jersey Dental Hygienists' Association",
"Type": "CYBER_THREAT",
"Verified": "2020-11-05T14:01:48.656Z",
"Version": 7
}
]
}
}
```
#### Human Readable Output
>### Digital Shadows Intelligence Incidents
>
> Description| Id| IndicatorOfCompromiseCount| Internal| LinkedContentIncidents| Modified| Occurred| Published| RelatedIncidentId| RestrictedContent| Scope| Severity| SubType| Title| Type| Verified| Version
>---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---
>A new post was added to Happy Blog. | 65624604 | 0 | false | | 2020-11-05T15:53:33.166Z | 2020-11-05T05:48:42.588Z | 2020-11-05T15:53:33.161Z | | false | GLOBAL | LOW | | Tipper: Richardson Sales Performance named on Happy Blog | CYBER_THREAT | 2020-11-05T14:01:48.656Z | 7
>A new post was added to Happy Blog. | 65604506 | 0 | false | | 2020-11-05T15:47:36.590Z | 2020-11-04T21:48:04.784Z | 2020-11-05T15:47:36.582Z | | false | GLOBAL | LOW | | Tipper: New Jersey Dental Hygienists' Association | CYBER_THREAT | 2020-11-05T14:01:48.656Z | 7
### ds-find-intelligence-incidents-regional
***
Incidents grouped by the target country over a given time range
#### Base Command
`ds-find-intelligence-incidents-regional`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| threat_id | Threat ID | Optional |
| countryTag_created | When was this tag created. | Optional |
| countryTag_description | Description text for this tag. | Optional |
| countryTag_id | Unique integer identifier for this tag | Optional |
| countryTag_name | The name of this tag. Is unique in combination with the type | Optional |
| countryTag_parent_id | Parent id of the tag | Optional |
| countryTag_threat_id | Unique integer identifier (among threats). | Optional |
| countryTag_threat_type | The type of profile being represented. | Optional |
| countryTag_type | The type of this tag. The name of tags with the same type must be unique. | Optional |
| filter_dateRange | Determines the interval the incidents must have occurred within to be included. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_periodRelativeTo | Optional timestamp that will be used as the end date for a period based dateRange. If not specified, then the end of the current day (based on the requesting user's timezone) will be used. | Optional |
| filter_tagType | What types of tags should be considered. Should be one of SOURCE_GEOGRAPHY or TARGET_GEOGRAPHY (the default) | Optional |
| regionTag_created | When was this tag created. | Optional |
| regionTag_description | Description text for this tag. | Optional |
| regionTag_id | Unique integer identifier for this tag | Optional |
| regionTag_name | The name of this tag. Is unique in combination with the type | Optional |
| regionTag_parent_id | Parent id of the tag | Optional |
| regionTag_threat_id | Unique integer identifier (among threats). | Optional |
| regionTag_threat_type | The type of profile being represented. | Optional |
| regionTag_type | The type of this tag. The name of tags with the same type must be unique. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DigitalShadows.IntelligenceIncidentsRegional.CountryTag.Id | unknown | The ID of the country these incidents are attributed to |
| DigitalShadows.IntelligenceIncidentsRegional.CountryTag.Name | unknown | The country name these incidents are attributed to |
| DigitalShadows.IntelligenceIncidentsRegional.CountryTag.ParentId | unknown | The parent ID of the country these incidents are attributed to |
| DigitalShadows.IntelligenceIncidentsRegional.CountryTag.ThreatId | unknown | The threat id of the country tag these incidents are attributed to |
| DigitalShadows.IntelligenceIncidentsRegional.CountryTag.Type | unknown | The country tag type these incidents are attributed to |
| DigitalShadows.IntelligenceIncidentsRegional.IncidentIds | unknown | The list of intelligence incidents |
### ds-get-intelligence-threat
***
Retrieve a specific item of intelligence by its id
#### Base Command
`ds-get-intelligence-threat`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| threat_id | The id of the intelligence threat to retrieve. | Required |
| opt | Options to include additional relevant data with the request | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DigitalShadows.IntelligenceThreats.ActivityLevel | unknown | Level of activity, based on last active |
| DigitalShadows.IntelligenceThreats.DetailLevel | unknown | Determines how detailed the record is |
| DigitalShadows.IntelligenceThreats.EndDate | unknown | The end date of the period this was/is active |
| DigitalShadows.IntelligenceThreats.Id | unknown | Unique integer identifier \(among threats\) |
| DigitalShadows.IntelligenceThreats.ImageId | unknown | The unique identifier for an image of the threat, if available. The actual image can be retrieved by requesting /api/resources/\{id\} \(replacing \{id\} with the value of this property\). |
| DigitalShadows.IntelligenceThreats.ImageThumbnailId | unknown | The unique identifier for a thumbnail of the image, if available. The image can be retrieved by requesting /api/thumbnails/\{id\} \(replacing \{id\} with the value of this property\) |
| DigitalShadows.IntelligenceThreats.IndicatorOfCompromiseCount | unknown | Count of IOCs |
| DigitalShadows.IntelligenceThreats.LastActive | unknown | The date of last activity \(last incident\) |
| DigitalShadows.IntelligenceThreats.Recurring | unknown | Will this become active again in future? |
| DigitalShadows.IntelligenceThreats.StartDate | unknown | The start date of the period this was/is active |
| DigitalShadows.IntelligenceThreats.Type | unknown | The type of profile being represented |
| DigitalShadows.IntelligenceThreats.Tags.ActorTypeTags | unknown | Tags for the type of actor |
| DigitalShadows.IntelligenceThreats.AnnouncementIncidentIDs | unknown | List of public declarations made \(incidents\) |
| DigitalShadows.IntelligenceThreats.AptReportIDs | unknown | APT reports associated with this threat. Each entry can be resolved via the /api/apt-report/\{id\} endpoint. |
| DigitalShadows.IntelligenceThreats.Tags.AssociatedActorTags | unknown | Actors related to this threat \(if any\) |
| DigitalShadows.IntelligenceThreats.Tags.AssociatedCampaignTags | unknown | Campaigns related to this threat \(if any\) |
| DigitalShadows.IntelligenceThreats.AssociatedEventIDs | unknown | Events associated with this threat \(if any\) |
| DigitalShadows.IntelligenceThreats.AttackEvidenceIncidentIDs | unknown | List of damage caused incidents |
| DigitalShadows.IntelligenceThreats.Tags.ImpactEffectTags | unknown | What impact did it have |
| DigitalShadows.IntelligenceThreats.Tags.IntendedEffectTags | unknown | What the threat intended to happen |
| DigitalShadows.IntelligenceThreats.LatestIncidentID | unknown | The latest incident attributed to this threat |
| DigitalShadows.IntelligenceThreats.Tags.MotivationTags | unknown | Tags that define what motivates the threat |
| DigitalShadows.IntelligenceThreats.Tags.OverviewTags | unknown | Tags that will appear in the overview. Only one per primary type |
| DigitalShadows.IntelligenceThreats.Tags.PrimaryLanguageTags | unknown | Tags that identify the primary languages used |
| DigitalShadows.IntelligenceThreats.ThreatLevel | unknown | Information about the level of threat, for example low or high |
#### Command Example
```!ds-get-intelligence-threat threat_id=2351```
#### Context Example
```json
{
"DigitalShadows": {
"IntelligenceThreats": {
"ActivityLevel": "INACTIVE",
"AnnouncementIncidentIDs": null,
"AptReportIDs": null,
"AssociatedEventIDs": null,
"AttackEvidenceIncidentIDs": null,
"EndDate": null,
"Id": 2351,
"ImageId": "id",
"ImageThumbnailId": "id",
"IndicatorOfCompromiseCount": 0,
"LastActive": "2016-07-20T22:00:00.000Z",
"LatestIncident": null,
"LatestIncidentID": null,
"Recurring": null,
"StartDate": null,
"Tags": {
"ActorTypeTags": [
{
"id": 1107,
"name": "Hacker - Black hat",
"type": "ACTOR_TYPE"
},
],
"AssociatedActorTags": [
{
"id": 3208,
"name": "Peace of Mind",
"type": "ACTOR"
},
],
"AssociatedCampaignTags": [],
"ImpactEffectTags": [
{
"id": 424,
"name": "Data Breach or Compromise",
"type": "IMPACT_EFFECTS"
},
{
"id": 431,
"name": "Unintended Access",
"type": "IMPACT_EFFECTS"
}
],
"IntendedEffectTags": [
{
"id": 418,
"name": "Unauthorised Access",
"type": "INTENDED_EFFECTS"
},
{
"id": 412,
"name": " Exposure",
"type": "INTENDED_EFFECTS"
}
],
"MotivationTags": [
{
"id": 434,
"name": "Ideological - Anti-Corruption",
"type": "MOTIVATION"
},
{
"id": 440,
"name": "Ideological - Security Awareness",
"type": "MOTIVATION"
}
],
"OverviewTags": [
{
"id": 1874,
"name": "Data Leakage",
"parent": {
"id": 2684
},
"type": "GENERAL_TTP"
},
{
"id": 1088,
"name": "Government",
"type": "TARGET_SECTORS"
}
],
"PrimaryLanguageTags": [
{
"id": 467,
"name": "English",
"type": "LANGUAGE"
},
{
"id": 526,
"name": "Spanish",
"type": "LANGUAGE"
}
],
"PrimaryTag": {
"id": 3177,
"name": "CthulhuSec",
"type": "ACTOR"
},
"SourceGeographyTags": []
},
"ThreatLevel": "LOW",
"Type": "ACTOR"
}
}
}
```
#### Human Readable Output
>### Digital Shadows Intelligence Threat
>
> ActivityLevel| AnnouncementIncidentIDs| AptReportIDs| AssociatedEventIDs| AttackEvidenceIncidentIDs| EndDate| Id| ImageId| ImageThumbnailId| IndicatorOfCompromiseCount| LastActive| LatestIncident| LatestIncidentID| Recurring| StartDate| ThreatLevel| Type
>---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---
>INACTIVE | | | | | | 2351 | id | id | 0 | 2016-07-20T22:00:00.000Z | | | | | LOW | ACTOR
### ds-get-intelligence-threat-iocs
***
Retrieve the indicatorsOfCompromise for a threat record
#### Base Command
`ds-get-intelligence-threat-iocs`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| threat_id | The intelligence threat identifier | Required |
| filter_types | List of types to filter by. Possible values are IP,MD5,SHA1,SHA256,URL,CVE,EMAIL,HOST,REGISTRY,FILEPATH,FILENAME | Optional |
| filter_value | Value to filter by | Optional |
| visible | List of values to control the visibility of elements. If a value is present then the correspinding element should be displayed | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DigitalShadows.IntelligenceThreatIOCs.AptReportId | unknown | If this IOC is associated with an APT report |
| DigitalShadows.IntelligenceThreatIOCs.Id | unknown | Internal identifier for uniquely identifying this IOC |
| DigitalShadows.IntelligenceThreatIOCs.IntelIncidentId | unknown | If this IOC is associated with an intel incident |
| DigitalShadows.IntelligenceThreatIOCs.LastUpdated | unknown | When this record last changed |
| DigitalShadows.IntelligenceThreatIOCs.Source | unknown | A comment provided by the analysts as to where this IOC came from |
| DigitalShadows.IntelligenceThreatIOCs.Type | unknown | Identifies the type of incidicator that also determines how it is encoded into a string |
| DigitalShadows.IntelligenceThreatIOCs.Value | unknown | The value of this indicator, encoded according to its type. For example hashes are base16 encoded. |
#### Command Example

Human Readable Output#

ds-get-intelligence-threat-activity#


Threat activity based on the number of intelligence incidents over a given period of time.

Base Command#

ds-get-intelligence-threat-activity

Input#

Argument NameDescriptionRequired
customPrimaryTags_idInstead of most active, specify the ids of threat primary tags to retrieve activity forOptional
includeIncidentsShould basic incident information be included with the activity for each tag.Optional
maximumIncidentsPerTagUpper limit on the number of incidents to include for each threat.Optional
mostActiveForTypesFetch the top presetPerTypeCount most active threats for each type. Possible values:ACTOR,CAMPAIGN,EVENT,TOOL,SPECIFIC_TTP,LOCATIONOptional
mostActiveLimitHow many threats to retrieve activity for per threat type. Only applies when mostActiveForTypes is not null. If not specified, 10 is assumed.Optional
segmentCountNumber of time segments to aggregrate the incidents into.Optional
filter_dateRangeReturn activity that occurred in this date range. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}.Required

Context Output#

There is no context output for this command.

Command Example#

!ds-get-intelligence-threat-activity threat_id=2351 filter_dateRange=2016-08-16T19:55:00.000Z/2016-09-16T19:55:00.000Z

Human Readable Output#

{"tagActivities":[{"counts":[{"count":0,"key":"2016-09-13T19:55:00.001Z/2016-09-16T19:55:00.000Z"},{"count":1,"key":"2016-09-10T19:55:00.001Z/2016-09-13T19:55:00.000Z"},{"count":1,"key":"2016-09-07T19:55:00.001Z/2016-09-10T19:55:00.000Z"},{"count":4,"key":"2016-09-04T19:55:00.001Z/2016-09-07T19:55:00.000Z"},{"count":0,"key":"2016-09-01T19:55:00.001Z/2016-09-04T19:55:00.000Z"},{"count":0,"key":"2016-08-29T19:55:00.001Z/2016-09-01T19:55:00.000Z"},{"count":0,"key":"2016-08-26T19:55:00.001Z/2016-08-29T19:55:00.000Z"},{"count":0,"key":"2016-08-23T19:55:00.001Z/2016-08-26T19:55:00.000Z"},{"count":0,"key":"2016-08-20T19:55:00.001Z/2016-08-23T19:55:00.000Z"},{"count":0,"key":"2016-08-17T19:55:00.001Z/2016-08-20T19:55:00.000Z"},{"count":0,"key":"2016-08-16T19:55:00.000Z/2016-08-17T19:55:00.000Z"}],"from":"2016-08-16T19:55:00.000Z","incidents":[{"id":11303017,"scope":"GLOBAL"},{"id":11300637,"scope":"GLOBAL"},{"id":11212704,"scope":"GLOBAL"},{"id":11187135,"scope":"GLOBAL"},{"id":11187153,"scope":"GLOBAL"},{"id":11186833,"scope":"GLOBAL"}],"tag":{"id":3065,"name":"The Real Deal","threat":{"activityLevel":"INACTIVE","closedSource":false,"id":2144,"threatLevel":{"type":"LOW"},"type":"LOCATION"}},"until":"2016-09-16T19:55:00.000Z"},{"counts":[{"count":0,"key":"2016-09-13T19:55:00.001Z/2016-09-16T19:55:00.000Z"},{"count":0,"key":"2016-09-10T19:55:00.001Z/2016-09-13T19:55:00.000Z"},{"count":1,"key":"2016-09-07T19:55:00.001Z/2016-09-10T19:55:00.000Z"},{"count":0,"key":"2016-09-04T19:55:00.001Z/2016-09-07T19:55:00.000Z"},{"count":0,"key":"2016-09-01T19:55:00.001Z/2016-09-04T19:55:00.000Z"},{"count":0,"key":"2016-08-29T19:55:00.001Z/2016-09-01T19:55:00.000Z"},{"count":0,"key":"2016-08-26T19:55:00.001Z/2016-08-29T19:55:00.000Z"},{"count":0,"key":"2016-08-23T19:55:00.001Z/2016-08-26T19:55:00.000Z"},{"count":1,"key":"2016-08-20T19:55:00.001Z/2016-08-23T19:55:00.000Z"},{"count":0,"key":"2016-08-17T19:55:00.001Z/2016-08-20T19:55:00.000Z"},{"count":0,"key":"2016-08-16T19:55:00.000Z/2016-08-17T19:55:00.000Z"}],"from":"2016-08-16T19:55:00.000Z","incidents":[{"id":11258586,"scope":"GLOBAL"},{"id":10924047,"scope":"GLOBAL"}],"tag":{"id":4742,"name":"CrdClub","threat":{"activityLevel":"INACTIVE","closedSource":false,"id":3199,"threatLevel":{"type":"LOW"},"type":"LOCATION"}},"until":"2016-09-16T19:55:00.000Z"},{"counts":[{"count":0,"key":"2016-09-13T19:55:00.001Z/2016-09-16T19:55:00.000Z"},{"count":1,"key":"2016-09-10T19:55:00.001Z/2016-09-13T19:55:00.000Z"},{"count":0,"key":"2016-09-07T19:55:00.001Z/2016-09-10T19:55:00.000Z"},{"count":0,"key":"2016-09-04T19:55:00.001Z/2016-09-07T19:55:00.000Z"},{"count":0,"key":"2016-09-01T19:55:00.001Z/2016-09-04T19:55:00.000Z"},{"count":0,"key":"2016-08-29T19:55:00.001Z/2016-09-01T19:55:00.000Z"},{"count":0,"key":"2016-08-26T19:55:00.001Z/2016-08-29T19:55:00.000Z"},{"count":0,"key":"2016-08-23T19:55:00.001Z/2016-08-26T19:55:00.000Z"},{"count":0,"key":"2016-08-20T19:55:00.001Z/2016-08-23T19:55:00.000Z"},{"count":0,"key":"2016-08-17T19:55:00.001Z/2016-08-20T19:55:00.000Z"},{"count":0,"key":"2016-08-16T19:55:00.000Z/2016-08-17T19:55:00.000Z"}],"from":"2016-08-16T19:55:00.000Z","incidents":[{"id":11303017,"scope":"GLOBAL"}],"tag":{"id":3044,"name":"Hell Forum","threat":{"activityLevel":"INACTIVE","closedSource":false,"id":2122,"threatLevel":{"type":"MEDIUM"},"type":"LOCATION"}},"until":"2016-09-16T19:55:00.000Z"},{"counts":[{"count":0,"key":"2016-09-13T19:55:00.001Z/2016-09-16T19:55:00.000Z"},{"count":0,"key":"2016-09-10T19:55:00.001Z/2016-09-13T19:55:00.000Z"},{"count":1,"key":"2016-09-07T19:55:00.001Z/2016-09-10T19:55:00.000Z"},{"count":0,"key":"2016-09-04T19:55:00.001Z/2016-09-07T19:55:00.000Z"},{"count":0,"key":"2016-09-01T19:55:00.001Z/2016-09-04T19:55:00.000Z"},{"count":0,"key":"2016-08-29T19:55:00.001Z/2016-09-01T19:55:00.000Z"},{"count":0,"key":"2016-08-26T19:55:00.001Z/2016-08-29T19:55:00.000Z"},{"count":0,"key":"2016-08-23T19:55:00.001Z/2016-08-26T19:55:00.000Z"},{"count":0,"key":"2016-08-20T19:55:00.001Z/2016-08-23T19:55:00.000Z"},{"count":0,"key":"2016-08-17T19:55:00.001Z/2016-08-20T19:55:00.000Z"},{"count":0,"key":"2016-08-16T19:55:00.000Z/2016-08-17T19:55:00.000Z"}],"from":"2016-08-16T19:55:00.000Z","incidents":[{"id":11222970,"scope":"GLOBAL"}],"tag":{"id":6966,"name":"Hansa","threat":{"activityLevel":"INACTIVE","closedSource":false,"id":4159,"threatLevel":{"type":"VERY_LOW"},"type":"LOCATION"}},"until":"2016-09-16T19:55:00.000Z"},{"counts":[{"count":0,"key":"2016-09-13T19:55:00.001Z/2016-09-16T19:55:00.000Z"},{"count":0,"key":"2016-09-10T19:55:00.001Z/2016-09-13T19:55:00.000Z"},{"count":0,"key":"2016-09-07T19:55:00.001Z/2016-09-10T19:55:00.000Z"},{"count":0,"key":"2016-09-04T19:55:00.001Z/2016-09-07T19:55:00.000Z"},{"count":0,"key":"2016-09-01T19:55:00.001Z/2016-09-04T19:55:00.000Z"},{"count":0,"key":"2016-08-29T19:55:00.001Z/2016-09-01T19:55:00.000Z"},{"count":0,"key":"2016-08-26T19:55:00.001Z/2016-08-29T19:55:00.000Z"},{"count":0,"key":"2016-08-23T19:55:00.001Z/2016-08-26T19:55:00.000Z"},{"count":1,"key":"2016-08-20T19:55:00.001Z/2016-08-23T19:55:00.000Z"},{"count":0,"key":"2016-08-17T19:55:00.001Z/2016-08-20T19:55:00.000Z"},{"count":0,"key":"2016-08-16T19:55:00.000Z/2016-08-17T19:55:00.000Z"}],"from":"2016-08-16T19:55:00.000Z","incidents":[{"id":10923947,"scope":"GLOBAL"}],"tag":{"id":3048,"name":"AlphaBay","threat":{"activityLevel":"INACTIVE","closedSource":false,"id":2126,"threatLevel":{"type":"VERY_LOW"},"type":"LOCATION"}},"until":"2016-09-16T19:55:00.000Z"},{"counts":[{"count":0,"key":"2016-09-13T19:55:00.001Z/2016-09-16T19:55:00.000Z"},{"count":0,"key":"2016-09-10T19:55:00.001Z/2016-09-13T19:55:00.000Z"},{"count":0,"key":"2016-09-07T19:55:00.001Z/2016-09-10T19:55:00.000Z"},{"count":0,"key":"2016-09-04T19:55:00.001Z/2016-09-07T19:55:00.000Z"},{"count":0,"key":"2016-09-01T19:55:00.001Z/2016-09-04T19:55:00.000Z"},{"count":0,"key":"2016-08-29T19:55:00.001Z/2016-09-01T19:55:00.000Z"},{"count":0,"key":"2016-08-26T19:55:00.001Z/2016-08-29T19:55:00.000Z"},{"count":0,"key":"2016-08-23T19:55:00.001Z/2016-08-26T19:55:00.000Z"},{"count":0,"key":"2016-08-20T19:55:00.001Z/2016-08-23T19:55:00.000Z"},{"count":1,"key":"2016-08-17T19:55:00.001Z/2016-08-20T19:55:00.000Z"},{"count":0,"key":"2016-08-16T19:55:00.000Z/2016-08-17T19:55:00.000Z"}],"from":"2016-08-16T19:55:00.000Z","incidents":[{"id":10847816,"scope":"GLOBAL"}],"tag":{"id":3121,"name":"DownThem","threat":{"activityLevel":"INACTIVE","closedSource":false,"id":2275,"threatLevel":{"type":"LOW"},"type":"LOCATION"}},"until":"2016-09-16T19:55:00.000Z"}],"threatType":"LOCATION","timeSpanDays":31}

ds-find-intelligence-threats#


Find intelligence threat records

Base Command#

ds-find-intelligence-threats

Input#

Argument NameDescriptionRequired
filter_dateRangeOnly return results that were last active within this date range (inclusive). Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}.Optional
filter_dateRangeFieldDetermines which date/time field the dateRange will apply to.Optional
filter_identifiersList of identifiers. Only return threat profiles with these identifiersOptional
filter_relevantToNarrow to threats that have a specific relevance to my organizationOptional
filter_tagOperatorWhether multiple tags should be logically applied as AND/OR with the resultsetOptional
filter_tagsLimit to threats related to these tags onlyOptional
filter_threatLevelsOnly include threats with one of these threat levelsOptional

Context Output#

PathTypeDescription
DigitalShadows.IntelligenceThreatsRegional.ActivityLevelunknownLevel of activity, based on last active
DigitalShadows.IntelligenceThreatsRegional.IdunknownUnique integer identifier (among threats)
DigitalShadows.IntelligenceThreatsRegional.ImageIdunknownThe unique identifier for an image of the threat, if available. The actual image can be retrieved by requesting /api/resources/{id} (replacing {id} with the value of this property)
DigitalShadows.IntelligenceThreatsRegional.LastActiveunknownThe date of last activity (last incident)
DigitalShadows.IntelligenceThreatsRegional.TypeunknownThe type of profile being represented
DigitalShadows.IntelligenceThreatsRegional.ThreatLevelTypeunknownInformation about the level of threat, for example low or high
DigitalShadows.IntelligenceThreatsRegional.EventunknownFor an EVENT or CAMPAIGN threat this will contain a summary of when it occurred and possibly when it will re-occur

Command Example#

!ds-find-intelligence-threats filter_dateRange=2016-08-16T19:55:00.000Z/2016-08-16T19:55:00.000Z

Context Example#

{
"DigitalShadows": {
"IntelligenceThreats": {
"ActivityLevel": "INACTIVE",
"Event": null,
"Id": 5013,
"ImageId": null,
"LastActive": "2016-08-16T19:55:00.000Z",
"ThreatLevelType": "LOW",
"Type": "SPECIFIC_TTP"
}
}
}

Human Readable Output#

Digital Shadows Intelligence Threats#

ActivityLevelEventIdImageIdLastActiveThreatLevelTypeType
INACTIVE50132016-08-16T19:55:00.000ZLOWSPECIFIC_TTP

ds-find-intelligence-threats-regional#


Threat profiles associated with incidents over a given time range

Base Command#

ds-find-intelligence-threats-regional

Input#

Argument NameDescriptionRequired
countryTag_createdWhen was this tag created.Optional
countryTag_descriptionDescription text for this tag.Optional
countryTag_idUnique integer identifier for this tagOptional
countryTag_nameThe name of this tag. Is unique in combination with the typeOptional
countryTag_parent_idParent id of the tagOptional
countryTag_threat_idUnique integer identifier (among threats).Optional
countryTag_threat_typeThe type of profile being represented.Optional
countryTag_typeThe type of this tag. The name of tags with the same type must be unique.Optional
filter_dateRangeDetermines the interval the incidents must have occurred within to be included. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}.Optional
filter_periodRelativeToOptional timestamp that will be used as the end date for a period based dateRange. If not specified, then the end of the current day (based on the requesting user's timezone) will be used.Optional
filter_tagTypeWhat types of tags should be considered. Should be one of SOURCE_GEOGRAPHY or TARGET_GEOGRAPHY (the default)Optional
regionTag_createdWhen was this tag created.Optional
regionTag_descriptionDescription text for this tag.Optional
regionTag_idUnique integer identifier for this tagOptional
regionTag_nameThe name of this tag. Is unique in combination with the typeOptional
regionTag_parent_idParent id of the tagOptional
regionTag_threat_idUnique integer identifier (among threats).Optional
regionTag_threat_typeThe type of profile being represented.Optional
regionTag_typeThe type of this tag. The name of tags with the same type must be unique.Optional
threat_idId of the threatOptional

Context Output#

PathTypeDescription
DigitalShadows.IntelligenceThreatsRegional.ActivityLevelunknownLevel of activity, based on last active
DigitalShadows.IntelligenceThreatsRegional.IdunknownUnique integer identifier (among threats)
DigitalShadows.IntelligenceThreatsRegional.ImageIdunknownThe unique identifier for an image of the threat, if available. The actual image can be retrieved by requesting /api/resources/{id} (replacing {id} with the value of this property)
DigitalShadows.IntelligenceThreatsRegional.LastActiveunknownThe date of last activity (last incident)
DigitalShadows.IntelligenceThreatsRegional.TypeunknownThe type of profile being represented
DigitalShadows.IntelligenceThreatsRegional.ThreatLevelTypeunknownInformation about the level of threat, for example low or high
DigitalShadows.IntelligenceThreatsRegional.EventunknownFor an EVENT or CAMPAIGN threat this will contain a summary of when it occurred and possibly when it will re-occur
DigitalShadows.IntelligenceThreatsRegional.OverviewTagsunknownTags that will appear in the overview. Only one per primary type.

Command Example#

#### Human Readable Output
### ds-get-port-reviews
***
Retrieve all review updates for a given port inspection
#### Base Command
`ds-get-port-reviews`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| port | Port inspection id | Required |
| incidentId | ID of incident to query | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DigitalShadows.IpPortReviews.Created | unknown | The moment in time the review was created |
| DigitalShadows.IpPortReviews.Status | unknown | Review status |
| DigitalShadows.IpPortReviews.Version | unknown | Starts counting at 1 and increments for each review of a given port. Will initially be 0 until a review is performed \(when returned as part of a port\) |
| DigitalShadows.IpPortReviews.Incident.Id | unknown | Id of the incident the port inspection is associated with |
| DigitalShadows.IpPortReviews.Incident.Scope | unknown | Scope of the incident the port inspection is associated with |
| DigitalShadows.IpPortReviews.User.Id | unknown | ID of the user that changed the status/set the note. |
| DigitalShadows.IpPortReviews.User.FullName | unknown | Full name of the user that changed the status/set the note. |
#### Command Example

Human Readable Output#

ds-snapshot-port-review#


Snapshot the review status of a port inspection

Base Command#

ds-snapshot-port-review

Input#

Argument NameDescriptionRequired
portPort inspection idRequired
versionWhen submitting, this value can be optionally set to the version of the most recently read reviewOptional
statusReview statusOptional
incident_idIdentifier for this incident, unique in combination with the scope.Optional
incident_scopeIdentifies whether this incident applies globally (intelligence) or just to your organization.Optional

Context Output#

There is no context output for this command.

Command Example#

#### Human Readable Output
### ds-find-ports
***
Find ports
#### Base Command
`ds-find-ports`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| filter_alerted | Only include SSL/certificates with associated incidents that have been alerted | Optional |
| filter_detectedClosed | Only return IP ports that were detected closed | Optional |
| filter_detectedOpen | Only return IP ports that were detected open within this date range (inclusive). Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_domainName | Name of domain to filter by | Optional |
| filter_incidentTypes | The type to match to. Will match to any incident with this type unless subTypes is not empty, in which case only incident matches based on the sub-type will be considered. | Optional |
| filter_incidentSubTypes | List of pecific sub type(s) to match to. String values from BRAND_MISUSE, COMPANY_THREAT, CORPORATE_INFORMATION, CREDENTIAL_COMPROMISE, CUSTOMER_DETAILS, CVE, DEFAMATION, DOMAIN_CERTIFICATE_ISSUE, EMPLOYEE_THREAT, EXPOSED_PORT, INTELLECTUAL_PROPERTY, INTERNALLY_MARKED_DOCUMENT, LEGACY_MARKED_DOCUMENT, MOBILE_APPLICATION, NEGATIVE_PUBLICITY, PERSONAL_INFORMATION, PHISHING_ATTEMPT, PROTECTIVELY_MARKED_DOCUMENT, SPOOF_PROFILE, TECHNICAL_INFORMATION,TECHNICAL_LEAKAGE, UNMARKED_DOCUMENT | Optional |
| filter_ipAddress | IP address to filter by | Optional |
| filter_ipRange_lowerAddress | Lower address for ip range | Optional |
| filter_ipRange_maskBits | Int value for mask bits | Optional |
| filter_ipRange_upperAddress | Upper address for ip range | Optional |
| filter_markedClosed | Is incident closed | Optional |
| filter_published | Only return IP ports that were published within this date range (inclusive). Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_severities | Only include SSL/certificate infrastructure incidents with these severities. String values from VERY_HIGH, HIGH, MEDIUM, LOW, VERY_LOW, NONE | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DigitalShadows.IpPorts.DiscoveredOpen | unknown | When was the port found to be open |
| DigitalShadows.IpPorts.Id | unknown | Identifier for the port inspection |
| DigitalShadows.IpPorts.IpAddress | unknown | The IP address this port was found on |
| DigitalShadows.IpPorts.PortNumber | unknown | The IP port number scanned \(1-65535\) |
| DigitalShadows.IpPorts.Transport | unknown | IP transport protocol used |
| DigitalShadows.IpPorts.Incident.Id | unknown | Id the most recent incident to include this port |
| DigitalShadows.IpPorts.Incident.Scope | unknown | Scope of the most recent incident to include this port |
| DigitalShadows.IpPorts.Incident.Severity | unknown | Severity of the most recent incident to include this port |
| DigitalShadows.IpPorts.Incident.SubType | unknown | Subtype of the most recent incident to include this port |
| DigitalShadows.IpPorts.Incident.Type | unknown | Type of the most recent incident to include this port |
| DigitalShadows.IpPorts.Incident.Title | unknown | Title of the most recent incident to include this port |
| DigitalShadows.IpPorts.Incident.Published | unknown | Published time the most recent incident to include this port |
| DigitalShadows.IpPorts.Review.Status | unknown | Status of when the port was last reviewed |
| DigitalShadows.IpPorts.Review.UserId | unknown | User Id of the port last review |
| DigitalShadows.IpPorts.Review.UserName | unknown | Name of user who created last review |
| DigitalShadows.IpPorts.Review.Version | unknown | Version of last port review |
#### Command Example
```!ds-find-ports pagination_size=1```
#### Context Example
```json
{
"DigitalShadows": {
"IpPorts": [
{
"DiscoveredOpen": "2018-08-22T00:58:07.014Z",
"Id": 8247047,
"Incident": {
"Id": 99002722,
"Published": "2020-11-03T21:44:41.840Z",
"Scope": "ORGANIZATION",
"Severity": "MEDIUM",
"SubType": "EXPOSED_PORT",
"Title": "Block listed open ports found on IP",
"Type": "INFRASTRUCTURE"
},
"IpAddress": "1.2.3.4",
"PortNumber": 179,
"Review": {
"Status": "OPEN",
"UserId": null,
"UserName": null,
"Version": null
},
"Transport": "TCP"
}
]
}
}
```
#### Human Readable Output
>### Digital Shadows Ports
>
> DiscoveredOpen| Id| Incident Id| Incident Published| Incident Scope| Incident Severity| Incident SubType| Incident Title| Incident Type| IpAddress| PortNumber| Review Status| Review UserId| Review UserName| Review Version| Transport
>---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---
>2018-08-22T00:58:07.014Z | 8247047 | 99002722 | 2020-11-03T21:44:41.840Z | ORGANIZATION | MEDIUM | EXPOSED_PORT | Blacklisted open ports found on IP | INFRASTRUCTURE | 1.2.3.4 | 179 | OPEN | | | | TCP
### ds-find-secure-sockets
***
Find secure sockets
#### Base Command
`ds-find-secure-sockets`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| filter_alerted | Only include SSL/certificates with associated incidents that have been alerted | Optional |
| filter_detected | Only include detected sockets | Optional |
| filter_determinedResolved | Only include determined resolved sockets | Optional |
| filter_domain | Filter by domain | Optional |
| filter_expiry | Filter by expiry date | Optional |
| filter_grades | List of grades (A,B,C,D,E,F,T) | Optional |
| filter_incidentTypes | The type to match to. Will match to any incident with this type unless subTypes is not empty, in which case only incident matches based on the sub-type will be considered. | Optional |
| filter_incidentSubTypes | List of pecific sub type(s) to match to. String values from BRAND_MISUSE, COMPANY_THREAT, CORPORATE_INFORMATION, CREDENTIAL_COMPROMISE, CUSTOMER_DETAILS, CVE, DEFAMATION, DOMAIN_CERTIFICATE_ISSUE, EMPLOYEE_THREAT, EXPOSED_PORT, INTELLECTUAL_PROPERTY, INTERNALLY_MARKED_DOCUMENT, LEGACY_MARKED_DOCUMENT, MOBILE_APPLICATION, NEGATIVE_PUBLICITY, PERSONAL_INFORMATION, PHISHING_ATTEMPT, PROTECTIVELY_MARKED_DOCUMENT, SPOOF_PROFILE, TECHNICAL_INFORMATION,TECHNICAL_LEAKAGE, UNMARKED_DOCUMENT | Optional |
| filter_ipAddress | IP address to filter by | Optional |
| filter_issues | List of string values from POODLE, POODLE_TLS, FREAK, DROWN, LOGJAM, RC4_AVAILABLE, SELF_SIGNED, MD5_OR_SHA1_SIGNED, REVOKED, EXPIRING_LOW, EXPIRING_MEDIUM, EXPIRING_HIGH, EXPIRED, HOSTNAME_MISMATCH, TLS_1_2_NOT_FOUND | Optional |
| filter_markedClosed | Is incident closed | Optional |
| filter_published | Filter by publish time | Optional |
| filter_revoked | Only include revoked sockets | Optional |
| filter_severities | Only include SSL/certificate infrastructure incidents with these severities. String values from VERY_HIGH, HIGH, MEDIUM, LOW, VERY_LOW, NONE | Optional |
| filter_statuses | Only include SSL/certificates with associated incidents having these statuses, (or with any status if none are supplied). UNREAD, READ, CLOSED | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DigitalShadows.SecureSockets.Id | unknown | Unique identifier for this inspection |
| DigitalShadows.SecureSockets.ReverseDomainName | unknown | The reverse DNS name of the host |
| DigitalShadows.SecureSockets.CertificateCommonName | unknown | The server certificate common name |
| DigitalShadows.SecureSockets.Discovered | unknown | When were the certificate issue\(s\) found |
| DigitalShadows.SecureSockets.DomainName | unknown | The domain name the secure socket was discovered on for the default port 443/TCP |
| DigitalShadows.SecureSockets.Grade | unknown | The rating calculated for the secure socket at the time of the scan |
| DigitalShadows.SecureSockets.IpAddress | unknown | The actual IP address the probe connected to |
| DigitalShadows.SecureSockets.PortNumber | unknown | The port number the socket was found listening on |
| DigitalShadows.SecureSockets.Transport | unknown | IP transport protocol used, most likely TCP |
| DigitalShadows.SecureSockets.Issues | unknown | The set of issues detected for the secure socket |
| DigitalShadows.SecureSockets.Review.Status | unknown | Status of most recent review of this inspection |
| DigitalShadows.SecureSockets.Review.UserId | unknown | ID of user who created the most recent review of this inspection |
| DigitalShadows.SecureSockets.Review.UserName | unknown | Name of user who created the most recent review of this inspection |
| DigitalShadows.SecureSockets.Review.Version | unknown | Version of most recent review of this inspection |
| DigitalShadows.SecureSockets.Incident.Id | unknown | Incident corresponding for this secure socket issues occurence |
| DigitalShadows.SecureSockets.Incident.Scope | unknown | Scope of incident corresponding for this secure socket issues occurence |
| DigitalShadows.SecureSockets.Incident.Severity | unknown | Severity of incident corresponding for this secure socket issues occurence |
| DigitalShadows.SecureSockets.Incident.SubType | unknown | SubType of incident corresponding for this secure socket issues occurence |
| DigitalShadows.SecureSockets.Incident.Type | unknown | Type of incident corresponding for this secure socket issues occurence |
| DigitalShadows.SecureSockets.Incident.Title | unknown | Title of incident corresponding for this secure socket issues occurence |
| DigitalShadows.SecureSockets.Incident.Published | unknown | Published time of incident corresponding for this secure socket issues occurence |
### ds-find-vulnerabilities
***
Find vulnerabilities
#### Base Command
`ds-find-vulnerabilities`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| filter_alerted | Only include SSL/certificates with associated incidents that have been alerted | Optional |
| filter_cveIdentifiers | Filter by CVE identifiers | Optional |
| filter_detected | Only return vulnerabilities that were detected within this date range (inclusive). Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_detectedClosed | True or false | Optional |
| filter_domainName | Name of domain to filter by | Optional |
| filter_incidentTypes | The type to match to. Will match to any incident with this type unless subTypes is not empty, in which case only incident matches based on the sub-type will be considered. | Optional |
| filter_incidentSubTypes | List of pecific sub type(s) to match to. String values from BRAND_MISUSE, COMPANY_THREAT, CORPORATE_INFORMATION, CREDENTIAL_COMPROMISE, CUSTOMER_DETAILS, CVE, DEFAMATION, DOMAIN_CERTIFICATE_ISSUE, EMPLOYEE_THREAT, EXPOSED_PORT, INTELLECTUAL_PROPERTY, INTERNALLY_MARKED_DOCUMENT, LEGACY_MARKED_DOCUMENT, MOBILE_APPLICATION, NEGATIVE_PUBLICITY, PERSONAL_INFORMATION, PHISHING_ATTEMPT, PROTECTIVELY_MARKED_DOCUMENT, SPOOF_PROFILE, TECHNICAL_INFORMATION,TECHNICAL_LEAKAGE, UNMARKED_DOCUMENT | Optional |
| filter_ipAddress | IP address to filter by | Optional |
| filter_markedClosed | Filter by incidents that are marked as CLOSED | Optional |
| filter_published | Only return vulnerabilities that were published within this date range (inclusive). Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_severities | List of sevirity values to filter by. Can be VERY_HIGH, HIGH, MEDIUM, LOW, VERY_LOW, NONE | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DigitalShadows.Vulnerabilities.CveId | unknown | The CVE id |
| DigitalShadows.Vulnerabilities.Id | unknown | Identifier for this detected vulnerability |
| DigitalShadows.Vulnerabilities.Discovered | unknown | When was the vulnerability found |
| DigitalShadows.Vulnerabilities.IpAddress | unknown | The IP address this port was found on |
| DigitalShadows.Vulnerabilities.Review.Status | unknown | Status of most recent review of this vulnerability |
| DigitalShadows.Vulnerabilities.Review.UserId | unknown | ID of user who created the most recent review of this vulnerability |
| DigitalShadows.Vulnerabilities.Review.UserName | unknown | Name of user who created the most recent review of this vulnerability |
| DigitalShadows.Vulnerabilities.Review.Version | unknown | Version of most recent review of this vulnerability |
| DigitalShadows.Vulnerabilities.Incident.Id | unknown | ID of incident corresponding for this vulnerability occurence |
| DigitalShadows.Vulnerabilities.Incident.Scope | unknown | Scope of incident corresponding for this vulnerability occurence |
| DigitalShadows.Vulnerabilities.Incident.Severity | unknown | Severity of incident corresponding for this vulnerability occurence |
| DigitalShadows.Vulnerabilities.Incident.SubType | unknown | SubType of incident corresponding for this vulnerability occurence |
| DigitalShadows.Vulnerabilities.Incident.Type | unknown | Type of incident corresponding for this vulnerability occurence |
| DigitalShadows.Vulnerabilities.Incident.Title | unknown | Title of incident corresponding for this vulnerability occurence |
| DigitalShadows.Vulnerabilities.Incident.Published | unknown | Published of incident corresponding for this vulnerability occurence |
#### Command Example
```!ds-find-vulnerabilities pagination_size=2```
#### Context Example
```json
{
"DigitalShadows": {
"Vulnerabilities": [
{
"CveId": "CVE-id",
"Discovered": "2018-04-12T14:15:51.991Z",
"Id": 529072,
"Incident": {
"Id": 99002720,
"Published": "2020-11-04T17:32:57.855Z",
"Scope": "ORGANIZATION",
"Severity": "VERY_HIGH",
"SubType": "CVE",
"Title": "CVE with 4 exploits detected on 1.2.3.4.\r\n",
"Type": "INFRASTRUCTURE"
},
"IpAddress": "1.2.3.4",
"Review": {
"Status": "UNREAD",
"UserId": null,
"UserName": null,
"Version": null
}
},
{
"CveId": "CVE-2018-6789",
"Discovered": "2019-01-27T17:39:55.428Z",
"Id": 879356,
"Incident": {
"Id": 99002711,
"Published": "2020-11-04T23:54:22.672Z",
"Scope": "ORGANIZATION",
"Severity": "HIGH",
"SubType": "CVE",
"Title": "CVE with 2 exploits detected on 2.2.2.2",
"Type": "INFRASTRUCTURE"
},
"IpAddress": "2.2.2.2",
"Review": {
"Status": "UNREAD",
"UserId": null,
"UserName": null,
"Version": null
}
}
]
}
}
```
#### Human Readable Output
>### Digital Shadows Vulnerabilities
>
> CveId| Discovered| Id| Incident Id| Incident Published| Incident Scope| Incident Severity| Incident SubType| Incident Title| Incident Type| IpAddress| Review Status| Review UserId| Review UserName| Review Version
>---|---|---|---|---|---|---|---|---|---|---|---|---|---|---
>CVE-id | 2018-04-12T14:15:51.991Z | 529072 | 99002720 | 2020-11-04T17:32:57.855Z | ORGANIZATION | VERY_HIGH | CVE | CVE with 4 exploits detected on 1.2.3.4.<br/> | INFRASTRUCTURE | 1.2.3.4 | UNREAD | | |
>CVE-id | 2019-01-27T17:39:55.428Z | 879356 | 99002711 | 2020-11-04T23:54:22.672Z | ORGANIZATION | HIGH | CVE | CVE with 2 exploits detected on 2.2.2.2 | INFRASTRUCTURE | 2.2.2.2 | UNREAD | | |
### ds-search
***
Perform a textual search against the available record types
#### Base Command
`ds-search`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| filter_datePeriod | Only return results that occurred during the given period prior to the current time. For absolute dates, use from and until | Optional |
| filter_dateRange | Only return results that were verified/occurred/modified within this date range (inclusive). The field this applies to is controlled by dateRangeField. Supports ISO Periods (eg P1D), intervals (eg 2015-01-01T00:00:00Z/2015-01-31T00:00:00Z) and any one of the constants {TODAY, YESTERDAY, WEEK, LAST_WEEK, MONTH, LAST_MONTH, YEAR, LAST_YEAR}. | Optional |
| filter_from | Only return results that were last active after this date/time (inclusive) | Optional |
| filter_tags | Only return results that have the following tags associated with them. | Optional |
| filter_types | Restrict the result types to only those listed here. At least one value is required. | Optional |
| filter_until | Only return results that were last active before this date/time (inclusive) | Optional |
| query | The query text to search for. | Optional |
| sort_direction | The direction of sorting. If not specified, ASCENDING is assumed | Optional |
| sort_property | The name of the property being sorted on. This normally corresponds to the property name of the result type, but could be a 'virtual property'. | Optional |
| pagination_offset | Include results at this offset within the full resultset, where the first result is at position 0 | Optional |
| pagination_size | Maximum number of results to return per page, can be initially null to be replaced by default later | Optional |
| pagination_containingId | Select the page containing the record with this id, if supported. Mutually exclusive with offset. | Optional |
#### Context Output
There is no context output for this command.
#### Command Example
```!ds-search query=breach pagination_size=1```
#### Human Readable Output
>{"content":[{"entity":{"author":"name","id":"id","observableCounts":{"cve":{"count":1,"exceededMaximum":false},"email":{"count":0,"exceededMaximum":false},"host":{"count":0,"exceededMaximum":false},"ipV4":{"count":0,"exceededMaximum":false},"md5":{"count":0,"exceededMaximum":false},"sha1":{"count":0,"exceededMaximum":false},"sha256":{"count":0,"exceededMaximum":false}},"published":"2016-05-16T00:00:00.000Z","screenshot":{"id":"id,"link":"https://portal-digitalshadows.com/api/external/resources/id"},"screenshotThumbnail":{"id":"id","link":"https://portal-digitalshadows.com/api/thumbnails/id.jpg"},"siteCategories":["BLOG","SECURITY_COMMENTATOR"],"title":"The popular crime forum nnn...","sortDate":"2016-05-16T00:00:00.000Z","type":"BLOG_POST"}],"currentPage":{"offset":0,"size":1},"facets":{},"total":284483}
### ds-get-tags
***
Batch retrieve specic tags by their ids
#### Base Command
`ds-get-tags`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| ids | One or more tag identifiers | Optional |
| detailed | Determines whether the tag descriptions will be included. | Optional |
#### Context Output
There is no context output for this command.