GCenter
Gatewatcher AionIQ Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.2.0 and later.
This integration allows, via about twenty commands, to interact with the GCenter appliance via its API. This integration was integrated and tested with version v2.5.3.102 of GCenter. To simplify GCenter v2.5.3.102 is called GCenter in the Pack.
#
Configure GCenter in CortexParameter | Description | Required |
---|---|---|
GCenter IP address | True | |
GCenter Version | False | |
GCenter API token | You must provide either an API token or a username and a password. | False |
GCenter username | False | |
GCenter password | False | |
Check the TLS certificate | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
gw-get-alertGet an alert by it's uid
#
Base Commandgw-get-alert
#
InputArgument Name | Description | Required |
---|---|---|
uid | Alert identifier. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Alert.Single.sha256 | String | The 256 Shasum Of The File |
GCenter.Alert.Single.id | String | The Id Of The Inspectra Alert |
GCenter.Alert.Single.flow_id | Number | The Flow Id Of The Alert |
GCenter.Alert.Single.severity | Number | The Severity Of The Alert |
GCenter.Alert.Single.src_ip | String | The Ip Address Of The Alert'S Source |
GCenter.Alert.Single.dest_ip | String | The Ip Address Of The Alert'S Target |
GCenter.Alert.Single.src_port | Number | The Port Of The Alert'S Source |
GCenter.Alert.Single.dest_port | Number | The Port Of The Alert'S Target |
GCenter.Alert.Single.gcap | String | The Gcap That Raised The Alert |
GCenter.Alert.Single.type | String | Which Type Of Alert (Sigflow, Codebreaker...) |
GCenter.Alert.Single.proto | String | The Protocol Used |
GCenter.Alert.Single.host | String | The Host Where The Alert Was Found |
GCenter.Alert.Single.app_proto | String | The Malware Application Prototype |
GCenter.Alert.Single.alert_type | String | Which Event It Is ? |
GCenter.Alert.Single.state | String | The State Of The Alert |
GCenter.Alert.Single.matched_event | String | Value Of The Id Of An Other Alert That Matched (Allows The Correlation Between Alerts) |
GCenter.Alert.Single.domain_name | String | For Dga Alerts Only |
GCenter.Alert.Single.probability | Number | The Severity Probability |
GCenter.Alert.Single.timestamp_detected | Date | When The Alert Was Detected |
GCenter.Alert.Single.timestamp_analyzed | Date | When The Alert Was Analysed |
GCenter.Alert.Single.retrohunt.timestamp_package | String | Utc Date When The Ioc Was Added To The Lastinfosec Update Package |
GCenter.Alert.Single.retrohunt.ioc_creation_date | Date | The Ioc Creation Date |
GCenter.Alert.Single.retrohunt.ioc_updated_date | Date | The Ioc Updated Date |
GCenter.Alert.Single.retrohunt.description | String | The Alert Description |
GCenter.Alert.Single.retrohunt.ioc_type | String | Host, Md5, Sha1, Sha256, Url |
GCenter.Alert.Single.retrohunt.ioc_value | String | Characteristic Value Of The Ioc |
GCenter.Alert.Single.retrohunt.matched_app_proto | String | The Sigflow Protocol That Contains This Ioc |
GCenter.Alert.Single.retrohunt.matched_event_type | String | The Sigflow Event Type That Contains This Ioc |
GCenter.Alert.Single.retrohunt.case_id | String | Uuid Of The Box To Which The Ioc Belongs |
GCenter.Alert.Single.retrohunt.ioc_id | String | Uuid Of The Ioc |
GCenter.Alert.Single.retrohunt.risk | String | Suspicious, High Suspicious, Malicious |
GCenter.Alert.Single.retrohunt.usage_mode | String | Usage Mode |
GCenter.Alert.Single.retrohunt.tlp | String | Tlp |
GCenter.Alert.Single.powershell.file_id | String | The File Id |
GCenter.Alert.Single.powershell.scores.proba_obfuscated | Number | The Probability It Is Obfuscated |
GCenter.Alert.Single.powershell.scores.analysis | Number | The Powershell Analysis Score |
GCenter.Alert.Single.shellcode.file_id | String | The File Id |
GCenter.Alert.Single.shellcode.encodings.name | String | The Name Of The Encoding |
GCenter.Alert.Single.shellcode.encodings.count | Number | The Number Of The Encoding Elements |
GCenter.Alert.Single.shellcode.calls.call | String | The Name Of The Call Of The Alert |
GCenter.Alert.Single.shellcode.calls.args | String | The Argument Used For The Call |
GCenter.Alert.Single.shellcode.calls.ret | String | The Retention Of The Call |
GCenter.Alert.Single.shellcode.calls.index | Number | The Call Index |
GCenter.Alert.Single.malware.analyzed_clean | Number | Number Of Engines That Returned A Clean Status |
GCenter.Alert.Single.malware.analyzed_infected | Number | Number Of Engines That Returned An Infected Status |
GCenter.Alert.Single.malware.analyzed_suspicious | Number | Number Of Engines That Returned A Suspicious Status |
GCenter.Alert.Single.malware.analyzed_other | Number | Number Of Engines That Returned Other Statuses |
GCenter.Alert.Single.malware.analyzed_error | Number | Number Of Engines That Failed To Analyze The File |
GCenter.Alert.Single.malware.code | Number | The Global Code Result |
GCenter.Alert.Single.malware.def_time | Date | When The Last Engines Have Ended The Scan |
GCenter.Alert.Single.malware.scan_time | Number | The Scan Time In Ms. |
GCenter.Alert.Single.malware.threats_found | String | The Threats Found By The Engines |
GCenter.Alert.Single.malware.reporting_token | String | The Reporting Token Returned By The Gbox. |
GCenter.Alert.Single.malware.engines_report.0.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.0.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.0.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.1.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.1.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.1.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.2.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.2.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.2.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.3.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.3.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.3.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.4.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.4.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.4.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.5.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.5.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.5.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.6.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.6.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.6.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.7.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.7.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.7.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.8.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.8.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.8.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.9.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.9.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.9.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.10.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.10.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.10.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.11.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.11.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.11.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.12.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.12.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.12.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.13.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.13.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.13.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.14.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.14.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.14.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.engines_report.15.id | String | The Hash Pf The Engine |
GCenter.Alert.Single.malware.engines_report.15.threat_details | String | The Threat Found By The Engine |
GCenter.Alert.Single.malware.engines_report.15.scan_result | String | Analysis Result |
GCenter.Alert.Single.malware.magic_details | String | The File Magic |
GCenter.Alert.Single.malware.total_found | String | The Malcore Number Of Engines That Found The File Suspicious / The Total Number Of Engines |
GCenter.Alert.Single.sigflow.alert.action | String | Action |
GCenter.Alert.Single.sigflow.alert.signature_id | String | Signature Id |
GCenter.Alert.Single.sigflow.alert.gid | String | Gid |
GCenter.Alert.Single.sigflow.alert.category | String | Category |
GCenter.Alert.Single.sigflow.packet | String | Packet |
GCenter.Alert.Single.sigflow.in_iface | String | In Which Interface The Alert Occurred |
GCenter.Alert.Single.sigflow.stream | Number | Is It Streaming (!= 0) |
GCenter.Alert.Single.sigflow.payload | String | Payload |
GCenter.Alert.Single.sigflow.payload_printable | String | Payload Printable |
#
Command Example!gw-get-alert uid="d7e612cb-567a-431b-a14b-9f9f4e88c9a4"
#
Context Example#
Human Readable Output#
Elasticsearch alert entry
alert_type app_proto dest_geoip dest_ip dest_port domain_name flow_id gcap host id malware matched_event powershell probability proto retrohunt severity sha256 shellcode sigflow src_geoip src_ip src_port state timestamp_analyzed timestamp_detected type malware http 192.168.0.1 35168 nzpzxcox.com 1544096072809159 test.domain.com test.domain.com 45e6ed3c-1082-4d33-9514-162748d7d41f analyzed_clean: 11
analyzed_infected: 5
analyzed_suspicious: 0
analyzed_other: 0
analyzed_error: 0
code: 1
def_time: 2022-05-31T21:45:33Z
scan_time: 3785
threats_found: Infected : Gen:Variant.Ulise.315566 (B)
reporting_token: No GBOX
engines_report: {"0": {"id": "XXX", "threat_details": "Gen:Variant.Ulise.315566 (B)", "scan_result": "INFECTED"}, "1": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "2": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "3": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "4": {"id": "XXX", "threat_details": "WinGo/TrojanDownloader.Agent.BD trojan", "scan_result": "INFECTED"}, "5": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "6": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "7": {"id": "XXX", "threat_details": "Trojan.Donut.Win64.545", "scan_result": "INFECTED"}, "8": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "9": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "10": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "11": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "12": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "13": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "14": {"id": "XXX", "threat_details": "W64/Donut.B.gen!Eldorado", "scan_result": "INFECTED"}, "15": {"id": "XXX", "threat_details": "Trojan.Win64.Crypt", "scan_result": "INFECTED"}}
magic_details: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
total_found: 5/163d35e491-cfc8-4271-815b-ff018a036c7c file_id: 06-08-2022T11:37:11_1348935773_gcap-dean.org
scores: {"proba_obfuscated": 0.2, "analysis": 241, "analysis_detailed": {}}0.55555555 TCP timestamp_package: 2022-06-06T22:00:01.632829+0000
ioc_creation_date: 2022-05-27T18:37:30+00:00
ioc_updated_date: 2022-06-06T21:05:12+00:00
description: 'test.domain.com' is a Suspicious Host.
ioc_type: Host
ioc_value: test.domain.com
matched_app_proto: http
matched_event_type: http
meta_data: {}
targeted_organizations:
targeted_platforms:
targeted_sectors:
threat_actor:
external_links:
relations:
campaigns:
categories:
families:
vulnerabilities:
ttp:
case_id: 1746d38d-58f3-4b43-b4ee-6f0b43527d49
ioc_id: 183abf8e-b0a5-4ed0-a93f-e5d7927648b8
risk: Suspicious
usage_mode: hunting
tlp: green1 f16d19ac9697d9892b0f910601a61d041d64 file_id: file_id
encodings: {'name': 'Bloxor', 'count': 2}
calls: {'call': 'ws2_32_recv', 'args': "{'sockfd': 'Socket_1-bind (4)', 'backlog': 19103712}", 'ret': '90137289', 'index': 0}alert: {"action": "allowed", "signature_id": "202", "gid": "1", "category": "A Network Trojan was detected"}
packet: XXXXXXXXXXXXXXXXXX
in_iface: mon5
stream: 0
payload: XXXXXXXXXXXXXXXXXX
payload_printable: XXXXXXXXXXXXXXXXXX
extra_keys: {}192.168.0.2 80 Infected 2022-03-21T13:58:42.742Z 2022-03-21T11:34:47.000Z malcore
#
gw-es-queryGet Elasticsearch data
#
Base Commandgw-es-query
#
InputArgument Name | Description | Required |
---|---|---|
index | Index to be queried. Possible values are: suricata, malware, codebreaker, netdata, syslog, machine_learning, retrohunt, iocs. Default is suricata. | Optional |
query | Elaticsearch query. Default is {}. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!gw-es-query index="suricata" query="{}"
#
gw-add-malcore-list-entryAdd malcore whitelist/blacklist entry
#
Base Commandgw-add-malcore-list-entry
#
InputArgument Name | Description | Required |
---|---|---|
type | List type. Possible values are: white, black. | Required |
sha256 | SHA256 to be added. | Required |
comment | Comment to be added. | Optional |
threat | Comment to be added. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Malcore.sha256 | String | Sha256 |
GCenter.Malcore.created | Date | Created |
GCenter.Malcore.comment | String | Comment |
GCenter.Malcore.threat | String | Name Of Threat For Reference |
#
Command Example!gw-add-malcore-list-entry type="white" sha256="d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351e"
#
Context Example#
Human Readable Output#
Malcore whitelist/blacklist entry
comment created sha256 threat test 2022-03-21T16:36:58.957178Z d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351e undefined
#
gw-del-malcore-list-entryDelete malcore whitelist/blacklist entry
#
Base Commandgw-del-malcore-list-entry
#
InputArgument Name | Description | Required |
---|---|---|
type | List type. Possible values are: white, black. | Required |
sha256 | SHA256 to be deleted. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!gw-del-malcore-list-entry type="white" sha256="d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351e"
#
gw-add-dga-list-entryAdd dga whitelist/blacklist entry
#
Base Commandgw-add-dga-list-entry
#
InputArgument Name | Description | Required |
---|---|---|
type | List type. Possible values are: white, black. | Required |
domain | Domain name to be added. | Required |
comment | Comment to be added. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Dga.domain_name | String | Domain Name |
GCenter.Dga.created | Date | Created |
GCenter.Dga.comment | String | Comment |
GCenter.Dga.is_wildcard | Boolean | Is Wildcard |
#
Command Example!gw-add-dga-list-entry type="white" domain="test.domain.com"
#
Context Example#
Human Readable Output#
DGA whitelist/blacklist entry
comment created domain_name is_wildcard test 2022-03-21T16:30:20.012035Z test.domain.com false
#
gw-del-dga-list-entryDelete dga whitelist/blacklist entry
#
Base Commandgw-del-dga-list-entry
#
InputArgument Name | Description | Required |
---|---|---|
type | List type. Possible values are: white, black. | Required |
domain | Domain name to be deleted. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!gw-del-dga-list-entry type="white" domain="test.domain.com"
#
gw-add-ignore-asset-nameIgnore asset name
#
Base Commandgw-add-ignore-asset-name
#
InputArgument Name | Description | Required |
---|---|---|
name | Name to be ignored. | Required |
start | Will be ignored if they start with this name. | Required |
end | Will be ignored if they end with this name. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Ignore.AssetName.id | String | Id |
GCenter.Ignore.AssetName.created_at | Date | Created At |
GCenter.Ignore.AssetName.created_by | String | Created By |
GCenter.Ignore.AssetName.name | String | Ignored Name For The Assets (Hostnames). Case Insensitive. |
GCenter.Ignore.AssetName.is_startswith_pattern | Boolean | Should The Assets (Hostnames) Be Ignored If They Start With This Name ? |
GCenter.Ignore.AssetName.is_endswith_pattern | Boolean | Should The Assets (Hostnames) Be Ignored If They End With This Name ? |
#
Command Example!gw-add-ignore-asset-name name="test_asset"
#
Context Example#
Human Readable Output#
Asset name entry
created_at created_by id is_endswith_pattern is_startswith_pattern name 2022-03-21T16:37:54.657263Z admin 1 false true test_asset
#
gw-add-ignore-kuser-ipIgnore kuser IP
#
Base Commandgw-add-ignore-kuser-ip
#
InputArgument Name | Description | Required |
---|---|---|
ip | IP to be ignored. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Ignore.KuserIP.id | String | Id |
GCenter.Ignore.KuserIP.created_at | Date | Created At |
GCenter.Ignore.KuserIP.created_by | String | Created By |
GCenter.Ignore.KuserIP.ip | String | Ignored Ip For The Kerberos Users |
#
Command Example!gw-add-ignore-kuser-ip ip="10.10.10.0"
#
Context Example#
Human Readable Output#
Kuser IP entry
created_at created_by id ip 2022-03-21T16:38:35.484082Z admin 2 10.10.10.0
#
gw-add-ignore-kuser-nameIgnore kuser name
#
Base Commandgw-add-ignore-kuser-name
#
InputArgument Name | Description | Required |
---|---|---|
name | Name to be ignored. | Required |
start | Will be ignored if they start with this name. | Required |
end | Will be ignored if they end with this name. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Ignore.KuserName.id | String | Id |
GCenter.Ignore.KuserName.created_at | Date | Created At |
GCenter.Ignore.KuserName.created_by | String | Created By |
GCenter.Ignore.KuserName.name | String | Ignored Name For The Kerberos Users. Case Insensitive. |
GCenter.Ignore.KuserName.is_startswith_pattern | Boolean | Should The Kerberos Users Be Ignored If They Start With This Name ? |
GCenter.Ignore.KuserName.is_endswith_pattern | Boolean | Should The Kerberos Users Be Ignored If They End With This Name ? |
#
Command Example!gw-add-ignore-kuser-name name="test_kuser"
#
Context Example#
Human Readable Output#
Kuser name entry
created_at created_by id is_endswith_pattern is_startswith_pattern name 2022-03-21T16:39:18.435420Z admin 1 false true test_kuser
#
gw-add-ignore-mac-addressIgnore mac address
#
Base Commandgw-add-ignore-mac-address
#
InputArgument Name | Description | Required |
---|---|---|
mac | MAC address to be ignored. | Required |
start | Will be ignored if they start with this name. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Ignore.MacAddress.id | String | Id |
GCenter.Ignore.MacAddress.created_at | Date | Created At |
GCenter.Ignore.MacAddress.created_by | String | Created By |
GCenter.Ignore.MacAddress.address | String | Address |
GCenter.Ignore.MacAddress.is_startswith_pattern | Boolean | Should The Mac Addresses Be Ignored If They Start With This Address Value ? |
#
Command Example!gw-add-ignore-mac-address mac="50:50:50:50:50:50"
#
Context Example#
Human Readable Output#
MAC adrress entry
address created_at created_by id is_startswith_pattern 00:50:50:50:50:50 2022-03-21T16:39:48.363094Z admin 1 true
#
gw-del-ignore-asset-nameDelete an ignore asset ID
#
Base Commandgw-del-ignore-asset-name
#
InputArgument Name | Description | Required |
---|---|---|
ignore_id | Ignore asset ID. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!gw-del-ignore-asset-name ignore_id=1
#
gw-del-ignore-kuser-ipDelete an ignore kuser IP ID
#
Base Commandgw-del-ignore-kuser-ip
#
InputArgument Name | Description | Required |
---|---|---|
ignore_id | Ignore kuser IP ID. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!gw-del-ignore-kuser-ip ignore_id=1
#
gw-del-ignore-kuser-nameDelete an ignore kuser name ID
#
Base Commandgw-del-ignore-kuser-name
#
InputArgument Name | Description | Required |
---|---|---|
ignore_id | Ignore kuser name ID. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!gw-del-ignore-kuser-name ignore_id=1
#
gw-del-ignore-mac-addressDelete an ignore mac address ID
#
Base Commandgw-del-ignore-mac-address
#
InputArgument Name | Description | Required |
---|---|---|
ignore_id | Ignore mac address ID. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!gw-del-ignore-mac-address ignore_id=1
#
gw-send-malwareSend malware
#
Base Commandgw-send-malware
#
InputArgument Name | Description | Required |
---|---|---|
filename | Filename. | Required |
file_id | File entry id. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Gscan.Malware.id | String | The Id Of The Gscan History Message |
GCenter.Gscan.Malware.created | Date | Date Of Creation |
GCenter.Gscan.Malware.username | String | The User'S Username Who Uploaded The File |
GCenter.Gscan.Malware.user_agent | String | The Client'S User-Agent |
GCenter.Gscan.Malware.ip_address | String | The Ip Address Of The User Who Uploaded The File |
GCenter.Gscan.Malware.file_name | String | Original File Name |
GCenter.Gscan.Malware.sha256 | String | Sha256 |
GCenter.Gscan.Malware.is_clean | Unknown | Clean |
GCenter.Gscan.Malware.is_analysis_successful | Boolean | Scan Succes |
GCenter.Gscan.Malware.malcore_code_result | String | Malcore Code Result |
GCenter.Gscan.Malware.threat_name | String | Threat Name |
GCenter.Gscan.Malware.nb_alerts | Number | Number Or Malcore Alerts |
GCenter.Gscan.Malware.nb_engines | Number | Number Or Malcore Engines |
GCenter.Gscan.Malware.is_whiteblack_listed | Boolean | Is White Or Black Listed? |
GCenter.Gscan.Malware.malcore_code_result_name | String | Malcore Code Result Name |
GCenter.Gscan.Malware.status | String | The Malcore Status |
#
Command Example!gw-send-malware filename="test" file_id="331@dfca9ea2-5198-4d64-8c36-5282ac3b2dc5"
#
Context Example#
Human Readable Output#
Malcore analysis result
created file_name id ip_address is_analysis_successful is_clean is_whiteblack_listed malcore_code_result malcore_code_result_name nb_alerts nb_engines sha256 status threat_name user_agent username 2022-03-21T16:42:11.996076Z Arch.jpg 1 10.10.10.10 false false 5 Unknown 0 0 1a9487d49d842ebdee5ad870065eb74dc7044 Unknown Mozilla/5.0 admin
#
gw-send-powershellSend powershell
#
Base Commandgw-send-powershell
#
InputArgument Name | Description | Required |
---|---|---|
filename | Filename. | Required |
file_id | File entry id. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Gscan.Powershell.id | String | The Id Of The Gscan History Message |
GCenter.Gscan.Powershell.created | Date | Date Of Creation |
GCenter.Gscan.Powershell.username | String | The User'S Username Who Uploaded The File |
GCenter.Gscan.Powershell.user_agent | String | The Client'S User-Agent |
GCenter.Gscan.Powershell.ip_address | String | The Ip Address Of The User Who Uploaded The File |
GCenter.Gscan.Powershell.file_name | String | Original File Name |
GCenter.Gscan.Powershell.sha256 | String | Sha256 |
GCenter.Gscan.Powershell.is_clean | Boolean | Clean |
GCenter.Gscan.Powershell.is_analysis_successful | Boolean | Scan Succes |
GCenter.Gscan.Powershell.status | String | Status |
GCenter.Gscan.Powershell.proba_obfuscated | Number | Proba_Obfuscated |
GCenter.Gscan.Powershell.analysis_score | Number | Analysis_Score |
GCenter.Gscan.Powershell.is_whiteblack_listed | Boolean | Is White Or Black Listed? |
#
Command Example!gw-send-powershell filename="test" file_id="331@dfca9ea2-5198-4d64-8c36-5282ac3b2dc5"
#
Context Example#
Human Readable Output#
Powershell analysis result
analysis_score created file_name id ip_address is_analysis_successful is_clean is_whiteblack_listed proba_obfuscated sha256 status user_agent username 0 2022-03-21T16:43:35.591406Z Arch.jpg 2 10.10.10.10 true true false 0 1a9487d49d842ebdee5ad870065eb74dc7044 Clean Mozilla/5.0 admin
#
gw-send-shellcodeSend shellcode
#
Base Commandgw-send-shellcode
#
InputArgument Name | Description | Required |
---|---|---|
filename | Filename. | Required |
file_id | File entry id. | Required |
deep | Deep scan. | Optional |
timeout | Deep scan timeout. Default is 120. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Gscan.Shellcode.id | String | The Id Of The Gscan History Message |
GCenter.Gscan.Shellcode.created | Date | Date Of Creation |
GCenter.Gscan.Shellcode.username | String | The User'S Username Who Uploaded The File |
GCenter.Gscan.Shellcode.user_agent | String | The Client'S User-Agent |
GCenter.Gscan.Shellcode.ip_address | String | The Ip Address Of The User Who Uploaded The File |
GCenter.Gscan.Shellcode.file_name | String | Original File Name |
GCenter.Gscan.Shellcode.sha256 | String | Sha256 |
GCenter.Gscan.Shellcode.is_clean | Boolean | Clean |
GCenter.Gscan.Shellcode.is_analysis_successful | Boolean | Scan Succes |
GCenter.Gscan.Shellcode.status | String | Status |
GCenter.Gscan.Shellcode.architecture | Unknown | Architecture |
GCenter.Gscan.Shellcode.is_whiteblack_listed | Boolean | Is White Or Black Listed? |
#
Command Example!gw-send-shellcode filename="test" file_id="331@dfca9ea2-5198-4d64-8c36-5282ac3b2dc5" deep=false timeout=120
#
Context Example#
Human Readable Output#
Shellcode analysis result
architecture created encodings file_name id ip_address is_analysis_successful is_clean is_whiteblack_listed sha256 status user_agent username 2022-03-21T16:44:26.214241Z Arch.jpg 3 10.10.10.10 true true false 1a9487d49d842ebdee5ad870065eb74dc7044 Clean Mozilla/5.0 admin
#
gw-es-wrapperGet Elasticsearch data using a wrapper
#
Base Commandgw-es-wrapper
#
InputArgument Name | Description | Required |
---|---|---|
index | index. Possible values are: suricata, codebreaker, malware, netdata, syslog, machine_learning, retrohunt, iocs. | Required |
aggs_term | List and count each distinct values of a document field using the terms aggregation If aggs_term is empty list hits value Exemple : "src_ip,dest_ip". Possible values are: src_ip, dest_ip, http.hostname, tls.sni, SHA256. | Optional |
must_match | Filter document that match the value using the term query Exemple : "alert.severity=1,app_proto=http". | Optional |
must_exists | Filter document with existing key using the exists query Exemple : "http.hostname,http.url". | Optional |
timerange | Set the lower timerange in hour based on the now keyword. Default is 24. | Optional |
formatted | True to get the list of aggregation value False to get entire response. Possible values are: True, False. Default is True. | Optional |
size | Set the number of aggregate or hits value that can be returned. Default is 100. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!gw-es-wrapper index="malware" aggs_term="src_ip" must_match="state=Infected" timerange="240" formatted="True"
#
Context Example#
Human Readable Output#
Elasticsearch wrapper result
src_ip 10.10.10.10
#
gw-get-malcore-list-entryGet the malcore whitelist/blacklist
#
Base Commandgw-get-malcore-list-entry
#
InputArgument Name | Description | Required |
---|---|---|
type | List type. Possible values are: white, black. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Malcore.List.sha256 | String | Sha256 |
GCenter.Malcore.List.created | Date | Created |
GCenter.Malcore.List.comment | String | Comment |
GCenter.Malcore.List.threat | String | Name Of Threat For Reference |
#
Command Example!gw-get-malcore-list-entry type=black
#
Context Example#
Human Readable Output#
Malcore whitelist/blacklist entry
comment created sha256 threat added by cortex 2022-09-13T08:16:21.400100Z d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351f undefined added by cortex 2022-09-13T08:16:09.880381Z d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351e undefined
#
gw-get-dga-list-entryGet the dga whitelist/blacklist
#
Base Commandgw-get-dga-list-entry
#
InputArgument Name | Description | Required |
---|---|---|
type | List type. Possible values are: white, black. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Dga.List.domain_name | String | Domain Name |
GCenter.Dga.List.created | Date | Created |
GCenter.Dga.List.comment | String | Comment |
GCenter.Dga.List.is_wildcard | Boolean | Is Wildcard |
#
Command Example!gw-get-dga-list-entry type=black
#
Context Example#
Human Readable Output#
DGA whitelist/blacklist entry
comment created domain_name is_wildcard added by cortex 2022-03-21T16:30:20.012035Z test.domain.com false
#
gw-get-ignore-asset-nameGet all the ignored asset names
#
Base Commandgw-get-ignore-asset-name
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Ignore.AssetName.List.id | String | Id |
GCenter.Ignore.AssetName.List.created_at | Date | Created At |
GCenter.Ignore.AssetName.List.created_by | String | Created By |
GCenter.Ignore.AssetName.List.name | String | Ignored Name For The Assets (Hostnames). Case Insensitive. |
GCenter.Ignore.AssetName.List.is_startswith_pattern | Boolean | Should The Assets (Hostnames) Be Ignored If They Start With This Name ? |
GCenter.Ignore.AssetName.List.is_endswith_pattern | Boolean | Should The Assets (Hostnames) Be Ignored If They End With This Name ? |
#
Command Example!gw-get-ignore-asset-name
#
Context Example#
Human Readable Output#
Asset name entry
created_at created_by id is_endswith_pattern is_startswith_pattern name 2022-09-13T13:31:18.427519Z admin 1 true false test 2022-09-13T13:31:31.049593Z admin 2 false true test2
#
gw-get-ignore-kuser-ipGet all the ignored kuser IP
#
Base Commandgw-get-ignore-kuser-ip
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Ignore.KuserIP.List.id | String | Id |
GCenter.Ignore.KuserIP.List.created_at | Date | Created At |
GCenter.Ignore.KuserIP.List.created_by | String | Created By |
GCenter.Ignore.KuserIP.List.ip | String | Ignored Ip For The Kerberos Users |
#
Command Example!gw-get-ignore-kuser-ip
#
Context Example#
Human Readable Output#
Kuser IP entry
created_at created_by id ip 2022-09-13T12:06:29.575735Z admin 1 10.10.10.0 2022-09-13T13:30:26.791512Z admin 2 10.10.10.0
#
gw-get-ignore-kuser-nameGet all the ignored kuser name
#
Base Commandgw-get-ignore-kuser-name
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Ignore.KuserName.List.id | String | Id |
GCenter.Ignore.KuserName.List.created_at | Date | Created At |
GCenter.Ignore.KuserName.List.created_by | String | Created By |
GCenter.Ignore.KuserName.List.name | String | Ignored Name For The Kerberos Users. Case Insensitive. |
GCenter.Ignore.KuserName.List.is_startswith_pattern | Boolean | Should The Kerberos Users Be Ignored If They Start With This Name ? |
GCenter.Ignore.KuserName.List.is_endswith_pattern | Boolean | Should The Kerberos Users Be Ignored If They End With This Name ? |
#
Command Example!gw-get-ignore-kuser-name
#
Context Example#
Human Readable Output#
Kuser name entry
created_at created_by id is_endswith_pattern is_startswith_pattern name 2022-09-13T13:27:50.136561Z admin 1 false true test 2022-09-13T13:28:02.072013Z admin 2 true false test2
#
gw-get-ignore-mac-addressGet all the ignored mac addresses
#
Base Commandgw-get-ignore-mac-address
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
GCenter.Ignore.MacAddress.List.id | String | Id |
GCenter.Ignore.MacAddress.List.created_at | Date | Created At |
GCenter.Ignore.MacAddress.List.created_by | String | Created By |
GCenter.Ignore.MacAddress.List.address | String | Address |
GCenter.Ignore.MacAddress.List.is_startswith_pattern | Boolean | Should The Mac Addresses Be Ignored If They Start With This Address Value ? |
#
Command Example!gw-get-ignore-mac-address
#
Context Example#
Human Readable Output#
MAC adrress entry
address created_at created_by id is_startswith_pattern 00:50:50:50:50:50 2022-09-13T13:25:55.679624Z admin 1 true 00:40:40:40:40:40 2022-09-13T13:26:11.338296Z admin 2 true
#
gw-get-file-infectedGet a file from an uuid. If there is no uuid, get all the files infected from a time interval.
#
Base Commandgw-get-file-infected
#
InputArgument Name | Description | Required |
---|---|---|
timerange | Set the lower timerange in minute based on the now keyword when uuid is not given Default value to 60 minutes. | Optional |
size | Set the number of aggregate value that can be returned when uuid is not given Get all the values by default. | Optional |
uuid | The uuid of the file to get. | Optional |
state | The state of the files to get, in list, when uuid is not given Default value to Infected,Suspicious. Possible values are: . | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Gcenter.File.Infected | String | File infected |
#
Command Example!gw-get-file-infected timerange="1440"
#
Context Example#
Human Readable Output#
Files infected entry
Contents ContentsFormat File FileID Type text malcore_b34fc6de9763e3640f93dda3f7a97470af6f009089bca588272a03807ae9f5bf_2022-12-12_18-21-40.zip f956f5cd-bad2-4f9c-ab75-cc6b16e58873 3