GCenter

This Integration is part of the Gatewatcher AionIQ Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

This integration provides about twenty commands for interacting with the GCenter appliance through its API. It was integrated and tested with GCenter version v2.5.3.102; for brevity, GCenter v2.5.3.102 is referred to simply as GCenter throughout the Pack.

Configure GCenter in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| GCenter IP address | | True |
| GCenter Version | | False |
| GCenter API token | You must provide either an API token or a username and a password. | False |
| GCenter username | | False |
| GCenter password | | False |
| Check the TLS certificate | | False |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

gw-get-alert#


Get an alert by its uid

Base Command#

gw-get-alert

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| uid | Alert identifier. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Alert.Single.sha256 | String | The SHA256 sum of the file |
| GCenter.Alert.Single.id | String | The ID of the Inspectra alert |
| GCenter.Alert.Single.flow_id | Number | The flow ID of the alert |
| GCenter.Alert.Single.severity | Number | The severity of the alert |
| GCenter.Alert.Single.src_ip | String | The IP address of the alert's source |
| GCenter.Alert.Single.dest_ip | String | The IP address of the alert's target |
| GCenter.Alert.Single.src_port | Number | The port of the alert's source |
| GCenter.Alert.Single.dest_port | Number | The port of the alert's target |
| GCenter.Alert.Single.gcap | String | The GCap that raised the alert |
| GCenter.Alert.Single.type | String | Which type of alert (sigflow, codebreaker...) |
| GCenter.Alert.Single.proto | String | The protocol used |
| GCenter.Alert.Single.host | String | The host where the alert was found |
| GCenter.Alert.Single.app_proto | String | The application protocol of the malware traffic |
| GCenter.Alert.Single.alert_type | String | Which event it is |
| GCenter.Alert.Single.state | String | The state of the alert |
| GCenter.Alert.Single.matched_event | String | The ID of another alert that matched (allows correlation between alerts) |
| GCenter.Alert.Single.domain_name | String | For DGA alerts only |
| GCenter.Alert.Single.probability | Number | The severity probability |
| GCenter.Alert.Single.timestamp_detected | Date | When the alert was detected |
| GCenter.Alert.Single.timestamp_analyzed | Date | When the alert was analysed |
| GCenter.Alert.Single.retrohunt.timestamp_package | String | UTC date when the IoC was added to the LastInfoSec update package |
| GCenter.Alert.Single.retrohunt.ioc_creation_date | Date | The IoC creation date |
| GCenter.Alert.Single.retrohunt.ioc_updated_date | Date | The IoC update date |
| GCenter.Alert.Single.retrohunt.description | String | The alert description |
| GCenter.Alert.Single.retrohunt.ioc_type | String | Host, MD5, SHA1, SHA256, URL |
| GCenter.Alert.Single.retrohunt.ioc_value | String | Characteristic value of the IoC |
| GCenter.Alert.Single.retrohunt.matched_app_proto | String | The Sigflow protocol that contains this IoC |
| GCenter.Alert.Single.retrohunt.matched_event_type | String | The Sigflow event type that contains this IoC |
| GCenter.Alert.Single.retrohunt.case_id | String | UUID of the box to which the IoC belongs |
| GCenter.Alert.Single.retrohunt.ioc_id | String | UUID of the IoC |
| GCenter.Alert.Single.retrohunt.risk | String | Suspicious, High suspicious, Malicious |
| GCenter.Alert.Single.retrohunt.usage_mode | String | Usage mode |
| GCenter.Alert.Single.retrohunt.tlp | String | TLP |
| GCenter.Alert.Single.powershell.file_id | String | The file ID |
| GCenter.Alert.Single.powershell.scores.proba_obfuscated | Number | The probability that the script is obfuscated |
| GCenter.Alert.Single.powershell.scores.analysis | Number | The PowerShell analysis score |
| GCenter.Alert.Single.shellcode.file_id | String | The file ID |
| GCenter.Alert.Single.shellcode.encodings.name | String | The name of the encoding |
| GCenter.Alert.Single.shellcode.encodings.count | Number | The number of encoding elements |
| GCenter.Alert.Single.shellcode.calls.call | String | The name of the call of the alert |
| GCenter.Alert.Single.shellcode.calls.args | String | The arguments used for the call |
| GCenter.Alert.Single.shellcode.calls.ret | String | The return value of the call |
| GCenter.Alert.Single.shellcode.calls.index | Number | The call index |
| GCenter.Alert.Single.malware.analyzed_clean | Number | Number of engines that returned a clean status |
| GCenter.Alert.Single.malware.analyzed_infected | Number | Number of engines that returned an infected status |
| GCenter.Alert.Single.malware.analyzed_suspicious | Number | Number of engines that returned a suspicious status |
| GCenter.Alert.Single.malware.analyzed_other | Number | Number of engines that returned other statuses |
| GCenter.Alert.Single.malware.analyzed_error | Number | Number of engines that failed to analyze the file |
| GCenter.Alert.Single.malware.code | Number | The global code result |
| GCenter.Alert.Single.malware.def_time | Date | When the last engines ended the scan |
| GCenter.Alert.Single.malware.scan_time | Number | The scan time in ms |
| GCenter.Alert.Single.malware.threats_found | String | The threats found by the engines |
| GCenter.Alert.Single.malware.reporting_token | String | The reporting token returned by the GBox |
| GCenter.Alert.Single.malware.engines_report.0.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.0.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.0.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.1.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.1.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.1.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.2.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.2.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.2.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.3.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.3.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.3.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.4.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.4.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.4.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.5.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.5.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.5.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.6.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.6.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.6.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.7.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.7.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.7.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.8.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.8.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.8.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.9.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.9.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.9.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.10.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.10.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.10.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.11.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.11.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.11.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.12.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.12.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.12.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.13.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.13.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.13.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.14.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.14.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.14.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.engines_report.15.id | String | The hash of the engine |
| GCenter.Alert.Single.malware.engines_report.15.threat_details | String | The threat found by the engine |
| GCenter.Alert.Single.malware.engines_report.15.scan_result | String | Analysis result |
| GCenter.Alert.Single.malware.magic_details | String | The file magic |
| GCenter.Alert.Single.malware.total_found | String | The number of Malcore engines that found the file suspicious / the total number of engines |
| GCenter.Alert.Single.sigflow.alert.action | String | Action |
| GCenter.Alert.Single.sigflow.alert.signature_id | String | Signature ID |
| GCenter.Alert.Single.sigflow.alert.gid | String | GID |
| GCenter.Alert.Single.sigflow.alert.category | String | Category |
| GCenter.Alert.Single.sigflow.packet | String | Packet |
| GCenter.Alert.Single.sigflow.in_iface | String | The interface on which the alert occurred |
| GCenter.Alert.Single.sigflow.stream | Number | Whether the alert comes from a stream (!= 0) |
| GCenter.Alert.Single.sigflow.payload | String | Payload |
| GCenter.Alert.Single.sigflow.payload_printable | String | Printable payload |

Command Example#

!gw-get-alert uid="d7e612cb-567a-431b-a14b-9f9f4e88c9a4"

Context Example#
{
"sha256": "f16d19ac9697d9892b0f910601a61d041d64",
"id": "45e6ed3c-1082-4d33-9514-162748d7d41f",
"flow_id": 1544096072809159,
"severity": 1,
"src_ip": "192.168.0.2",
"dest_ip": "192.168.0.1",
"src_port": 80,
"dest_port": 35168,
"gcap": "test.domain.com",
"type": "malcore",
"proto": "TCP",
"host": "test.domain.com",
"app_proto": "http",
"alert_type": "malware",
"state": "Infected",
"matched_event": "3d35e491-cfc8-4271-815b-ff018a036c7c",
"domain_name": "nzpzxcox.com",
"probability": 0.55555555,
"timestamp_detected": "2022-03-21T11:34:47.000Z",
"timestamp_analyzed": "2022-03-21T13:58:42.742Z",
"dest_geoip": {},
"src_geoip": {},
"retrohunt": {
"timestamp_package": "2022-06-06T22:00:01.632829+0000",
"ioc_creation_date": "2022-05-27T18:37:30+00:00",
"ioc_updated_date": "2022-06-06T21:05:12+00:00",
"description": "'test.domain.com' is a Suspicious Host.",
"ioc_type": "Host",
"ioc_value": "test.domain.com",
"matched_app_proto": "http",
"matched_event_type": "http",
"meta_data": {},
"targeted_organizations": [],
"targeted_platforms": [],
"targeted_sectors": [],
"threat_actor": [],
"external_links": [],
"relations": [],
"campaigns": [],
"categories": [],
"families": [],
"vulnerabilities": [],
"ttp": [],
"case_id": "1746d38d-58f3-4b43-b4ee-6f0b43527d49",
"ioc_id": "183abf8e-b0a5-4ed0-a93f-e5d7927648b8",
"risk": "Suspicious",
"usage_mode": "hunting",
"tlp": "green"
},
"powershell": {
"file_id": "06-08-2022T11:37:11_1348935773_gcap-dean.org",
"scores": {
"proba_obfuscated": 0.2,
"analysis": 241,
"analysis_detailed": {}
}
},
"shellcode": {
"file_id": "file_id",
"encodings": [
{
"name": "Bloxor",
"count": 2
}
],
"calls": [
{
"call": "ws2_32_recv",
"args": "{'sockfd': 'Socket_1-bind (4)', 'backlog': 19103712}",
"ret": "90137289",
"index": 0
}
]
},
"malware": {
"analyzed_clean": 11,
"analyzed_infected": 5,
"analyzed_suspicious": 0,
"analyzed_other": 0,
"analyzed_error": 0,
"code": 1,
"def_time": "2022-05-31T21:45:33Z",
"scan_time": 3785,
"threats_found": "Infected : Gen:Variant.Ulise.315566 (B)",
"reporting_token": "No GBOX",
"engines_report": {
"0": {
"id": "XXX",
"threat_details": "Gen:Variant.Ulise.315566 (B)",
"scan_result": "INFECTED"
},
"1": {
"id": "XXX",
"threat_details": "",
"scan_result": "CLEAN"
},
"2": {
"id": "XXX",
"threat_details": "",
"scan_result": "CLEAN"
},
"3": {
"id": "XXX",
"threat_details": "",
"scan_result": "CLEAN"
},
"4": {
"id": "XXX",
"threat_details": "WinGo/TrojanDownloader.Agent.BD trojan",
"scan_result": "INFECTED"
},
"5": {
"id": "XXX",
"threat_details": "",
"scan_result": "CLEAN"
},
"6": {
"id": "XXX",
"threat_details": "",
"scan_result": "CLEAN"
},
"7": {
"id": "XXX",
"threat_details": "Trojan.Donut.Win64.545",
"scan_result": "INFECTED"
},
"8": {
"id": "XXX",
"threat_details": "",
"scan_result": "CLEAN"
},
"9": {
"id": "XXX",
"threat_details": "",
"scan_result": "CLEAN"
},
"10": {
"id": "XXX",
"threat_details": "",
"scan_result": "CLEAN"
},
"11": {
"id": "XXX",
"threat_details": "",
"scan_result": "CLEAN"
},
"12": {
"id": "XXX",
"threat_details": "",
"scan_result": "CLEAN"
},
"13": {
"id": "XXX",
"threat_details": "",
"scan_result": "CLEAN"
},
"14": {
"id": "XXX",
"threat_details": "W64/Donut.B.gen!Eldorado",
"scan_result": "INFECTED"
},
"15": {
"id": "XXX",
"threat_details": "Trojan.Win64.Crypt",
"scan_result": "INFECTED"
}
},
"magic_details": "PE32+ executable (DLL) (GUI) x86-64, for MS Windows",
"total_found": "5/16"
},
"sigflow": {
"alert": {
"action": "allowed",
"signature_id": "202",
"gid": "1",
"category": "A Network Trojan was detected"
},
"packet": "XXXXXXXXXXXXXXXXXX",
"in_iface": "mon5",
"stream": 0,
"payload": "XXXXXXXXXXXXXXXXXX",
"payload_printable": "XXXXXXXXXXXXXXXXXX",
"extra_keys": {}
}
}
Human Readable Output#

Elasticsearch alert entry#

| Field | Value |
| --- | --- |
| alert_type | malware |
| app_proto | http |
| dest_geoip | |
| dest_ip | 192.168.0.1 |
| dest_port | 35168 |
| domain_name | nzpzxcox.com |
| flow_id | 1544096072809159 |
| gcap | test.domain.com |
| host | test.domain.com |
| id | 45e6ed3c-1082-4d33-9514-162748d7d41f |
| malware.analyzed_clean | 11 |
| malware.analyzed_infected | 5 |
| malware.analyzed_suspicious | 0 |
| malware.analyzed_other | 0 |
| malware.analyzed_error | 0 |
| malware.code | 1 |
| malware.def_time | 2022-05-31T21:45:33Z |
| malware.scan_time | 3785 |
| malware.threats_found | Infected : Gen:Variant.Ulise.315566 (B) |
| malware.reporting_token | No GBOX |
| malware.engines_report | {"0": {"id": "XXX", "threat_details": "Gen:Variant.Ulise.315566 (B)", "scan_result": "INFECTED"}, "1": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "2": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "3": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "4": {"id": "XXX", "threat_details": "WinGo/TrojanDownloader.Agent.BD trojan", "scan_result": "INFECTED"}, "5": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "6": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "7": {"id": "XXX", "threat_details": "Trojan.Donut.Win64.545", "scan_result": "INFECTED"}, "8": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "9": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "10": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "11": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "12": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "13": {"id": "XXX", "threat_details": "", "scan_result": "CLEAN"}, "14": {"id": "XXX", "threat_details": "W64/Donut.B.gen!Eldorado", "scan_result": "INFECTED"}, "15": {"id": "XXX", "threat_details": "Trojan.Win64.Crypt", "scan_result": "INFECTED"}} |
| malware.magic_details | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| malware.total_found | 5/16 |
| matched_event | 3d35e491-cfc8-4271-815b-ff018a036c7c |
| powershell.file_id | 06-08-2022T11:37:11_1348935773_gcap-dean.org |
| powershell.scores | {"proba_obfuscated": 0.2, "analysis": 241, "analysis_detailed": {}} |
| probability | 0.55555555 |
| proto | TCP |
| retrohunt.timestamp_package | 2022-06-06T22:00:01.632829+0000 |
| retrohunt.ioc_creation_date | 2022-05-27T18:37:30+00:00 |
| retrohunt.ioc_updated_date | 2022-06-06T21:05:12+00:00 |
| retrohunt.description | 'test.domain.com' is a Suspicious Host. |
| retrohunt.ioc_type | Host |
| retrohunt.ioc_value | test.domain.com |
| retrohunt.matched_app_proto | http |
| retrohunt.matched_event_type | http |
| retrohunt.meta_data | {} |
| retrohunt.targeted_organizations | |
| retrohunt.targeted_platforms | |
| retrohunt.targeted_sectors | |
| retrohunt.threat_actor | |
| retrohunt.external_links | |
| retrohunt.relations | |
| retrohunt.campaigns | |
| retrohunt.categories | |
| retrohunt.families | |
| retrohunt.vulnerabilities | |
| retrohunt.ttp | |
| retrohunt.case_id | 1746d38d-58f3-4b43-b4ee-6f0b43527d49 |
| retrohunt.ioc_id | 183abf8e-b0a5-4ed0-a93f-e5d7927648b8 |
| retrohunt.risk | Suspicious |
| retrohunt.usage_mode | hunting |
| retrohunt.tlp | green |
| severity | 1 |
| sha256 | f16d19ac9697d9892b0f910601a61d041d64 |
| shellcode.file_id | file_id |
| shellcode.encodings | {'name': 'Bloxor', 'count': 2} |
| shellcode.calls | {'call': 'ws2_32_recv', 'args': "{'sockfd': 'Socket_1-bind (4)', 'backlog': 19103712}", 'ret': '90137289', 'index': 0} |
| sigflow.alert | {"action": "allowed", "signature_id": "202", "gid": "1", "category": "A Network Trojan was detected"} |
| sigflow.packet | XXXXXXXXXXXXXXXXXX |
| sigflow.in_iface | mon5 |
| sigflow.stream | 0 |
| sigflow.payload | XXXXXXXXXXXXXXXXXX |
| sigflow.payload_printable | XXXXXXXXXXXXXXXXXX |
| sigflow.extra_keys | {} |
| src_geoip | |
| src_ip | 192.168.0.2 |
| src_port | 80 |
| state | Infected |
| timestamp_analyzed | 2022-03-21T13:58:42.742Z |
| timestamp_detected | 2022-03-21T11:34:47.000Z |
| type | malcore |
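An added example, not part of the GCenter integration, of an XSOAR-side automation that reduces the GCenter.Alert.Single object above to the few fields an analyst decides on: which engines detected the file, whether the summary counters agree with the per-engine report, the matched IoC and Suricata signature, and the shellcode/PowerShell indicators. The sample alert is a constructed subset of the context example above; the verdict rule and its 0.25 ratio threshold are assumptions.

```python
"""Triage helper for the GCenter.Alert.Single context returned by !gw-get-alert.

Constructed example for this README, not part of the GCenter integration. The
input shape follows the context-output table above; the verdict rule (alert
state, engine detection ratio, retrohunt risk) and the 0.25 ratio threshold are
assumptions chosen for illustration.
"""
from typing import Any, Dict, List, Optional

# Constructed sample trimmed from the context example above: six of the sixteen
# engines are kept, the summary counters are the page's own values.
SAMPLE_ALERT: Dict[str, Any] = {
    "id": "45e6ed3c-1082-4d33-9514-162748d7d41f",
    "sha256": "f16d19ac9697d9892b0f910601a61d041d64",
    "src_ip": "192.168.0.2", "src_port": 80,
    "dest_ip": "192.168.0.1", "dest_port": 35168,
    "app_proto": "http", "type": "malcore", "state": "Infected",
    "matched_event": "3d35e491-cfc8-4271-815b-ff018a036c7c",
    "retrohunt": {"ioc_type": "Host", "ioc_value": "test.domain.com",
                  "risk": "Suspicious", "tlp": "green"},
    "powershell": {"scores": {"proba_obfuscated": 0.2, "analysis": 241}},
    "shellcode": {"calls": [{"call": "ws2_32_recv", "index": 0}]},
    "malware": {
        "analyzed_infected": 5, "total_found": "5/16",
        "magic_details": "PE32+ executable (DLL) (GUI) x86-64, for MS Windows",
        "engines_report": {
            "0": {"threat_details": "Gen:Variant.Ulise.315566 (B)", "scan_result": "INFECTED"},
            "1": {"threat_details": "", "scan_result": "CLEAN"},
            "4": {"threat_details": "WinGo/TrojanDownloader.Agent.BD trojan", "scan_result": "INFECTED"},
            "7": {"threat_details": "Trojan.Donut.Win64.545", "scan_result": "INFECTED"},
            "14": {"threat_details": "W64/Donut.B.gen!Eldorado", "scan_result": "INFECTED"},
            "15": {"threat_details": "Trojan.Win64.Crypt", "scan_result": "INFECTED"},
        },
    },
    "sigflow": {"alert": {"gid": "1", "signature_id": "202",
                          "category": "A Network Trojan was detected"}},
}


def parse_total_found(total_found: Any) -> Optional[float]:
    """Turn the 'hits/total' string (e.g. '5/16') into a ratio; None if malformed."""
    try:
        hits, total = str(total_found).split("/")
        return int(hits) / int(total) if int(total) else None
    except ValueError:
        return None


def summarize_alert(alert: Dict[str, Any], ratio_threshold: float = 0.25) -> Dict[str, Any]:
    """Reduce one GCenter.Alert.Single object to the fields an analyst decides on."""
    malware = alert.get("malware") or {}
    engines = malware.get("engines_report") or {}  # keyed "0".."15" on the page
    infected = [r for r in engines.values() if r.get("scan_result") == "INFECTED"]
    detections: List[str] = sorted(r["threat_details"] for r in infected if r.get("threat_details"))
    ratio = parse_total_found(malware.get("total_found"))
    # Cross-check the summary counter against the per-engine report; None when
    # there is no engine report at all (e.g. a sigflow-only alert).
    counter_consistent = (malware.get("analyzed_infected") == len(infected)) if engines else None

    retro = alert.get("retrohunt") or {}
    sig = (alert.get("sigflow") or {}).get("alert") or {}
    calls = (alert.get("shellcode") or {}).get("calls") or []
    ps_scores = (alert.get("powershell") or {}).get("scores") or {}

    verdict = "malicious" if (
        alert.get("state") == "Infected"
        or (ratio is not None and ratio >= ratio_threshold)
        or retro.get("risk") == "Malicious"
    ) else "suspicious"

    return {
        "id": alert.get("id"),
        "verdict": verdict,
        "flow": "{}:{} -> {}:{} ({})".format(alert.get("src_ip"), alert.get("src_port"),
                                            alert.get("dest_ip"), alert.get("dest_port"),
                                            alert.get("app_proto")),
        "sha256": alert.get("sha256"),
        "file_magic": malware.get("magic_details"),
        "detection_ratio": ratio,
        "counter_consistent": counter_consistent,
        "detections": detections,
        "ioc": (f"{retro.get('ioc_type')}={retro.get('ioc_value')} "
                f"({retro.get('risk')}, TLP:{retro.get('tlp')})") if retro else None,
        "signature": (f"{sig.get('gid')}:{sig.get('signature_id')} "
                      f"{sig.get('category')}") if sig else None,
        "shellcode_calls": [c.get("call") for c in calls],
        "powershell_proba_obfuscated": ps_scores.get("proba_obfuscated"),
        "correlated_alert": alert.get("matched_event"),
    }


if __name__ == "__main__":
    for key, value in summarize_alert(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```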

gw-es-query#


Get Elasticsearch data

Base Command#

gw-es-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| index | Index to be queried. Possible values are: suricata, malware, codebreaker, netdata, syslog, machine_learning, retrohunt, iocs. Default is suricata. | Optional |
| query | Elasticsearch query. Default is {}. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!gw-es-query index="suricata" query="{}"

gw-add-malcore-list-entry#


Add malcore whitelist/blacklist entry

Base Command#

gw-add-malcore-list-entry

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | List type. Possible values are: white, black. | Required |
| sha256 | SHA256 to be added. | Required |
| comment | Comment to be added. | Optional |
| threat | Threat name to be added (for reference). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Malcore.sha256 | String | SHA256 |
| GCenter.Malcore.created | Date | Created |
| GCenter.Malcore.comment | String | Comment |
| GCenter.Malcore.threat | String | Name of threat for reference |

Command Example#

!gw-add-malcore-list-entry type="white" sha256="d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351e"

Context Example#
{
"sha256": "d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351e",
"created": "2022-03-21T16:36:58.957178Z",
"comment": "test",
"threat": "undefined"
}
Human Readable Output#

Malcore whitelist/blacklist entry#

| comment | created | sha256 | threat |
| --- | --- | --- | --- |
| test | 2022-03-21T16:36:58.957178Z | d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351e | undefined |

gw-del-malcore-list-entry#


Delete malcore whitelist/blacklist entry

Base Command#

gw-del-malcore-list-entry

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | List type. Possible values are: white, black. | Required |
| sha256 | SHA256 to be deleted. | Required |

Context Output#

There is no context output for this command.

Command Example#

!gw-del-malcore-list-entry type="white" sha256="d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351e"

gw-add-dga-list-entry#


Add dga whitelist/blacklist entry

Base Command#

gw-add-dga-list-entry

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | List type. Possible values are: white, black. | Required |
| domain | Domain name to be added. | Required |
| comment | Comment to be added. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Dga.domain_name | String | Domain name |
| GCenter.Dga.created | Date | Created |
| GCenter.Dga.comment | String | Comment |
| GCenter.Dga.is_wildcard | Boolean | Is wildcard |

Command Example#

!gw-add-dga-list-entry type="white" domain="test.domain.com"

Context Example#
{
"domain_name": "test.domain.com",
"created": "2022-03-21T16:30:20.012035Z",
"comment": "test",
"is_wildcard": false
}
Human Readable Output#

DGA whitelist/blacklist entry#

| comment | created | domain_name | is_wildcard |
| --- | --- | --- | --- |
| test | 2022-03-21T16:30:20.012035Z | test.domain.com | false |

gw-del-dga-list-entry#


Delete dga whitelist/blacklist entry

Base Command#

gw-del-dga-list-entry

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | List type. Possible values are: white, black. | Required |
| domain | Domain name to be deleted. | Required |

Context Output#

There is no context output for this command.

Command Example#

!gw-del-dga-list-entry type="white" domain="test.domain.com"

gw-add-ignore-asset-name#


Ignore asset name

Base Command#

gw-add-ignore-asset-name

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name to be ignored. | Required |
| start | Assets are ignored if their name starts with this value. | Required |
| end | Assets are ignored if their name ends with this value. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Ignore.AssetName.id | String | ID |
| GCenter.Ignore.AssetName.created_at | Date | Created at |
| GCenter.Ignore.AssetName.created_by | String | Created by |
| GCenter.Ignore.AssetName.name | String | Ignored name for the assets (hostnames). Case insensitive. |
| GCenter.Ignore.AssetName.is_startswith_pattern | Boolean | Should the assets (hostnames) be ignored if they start with this name? |
| GCenter.Ignore.AssetName.is_endswith_pattern | Boolean | Should the assets (hostnames) be ignored if they end with this name? |

Command Example#

!gw-add-ignore-asset-name name="test_asset"

Context Example#
{
"id": "1",
"created_at": "2022-03-21T16:37:54.657263Z",
"created_by": "admin",
"name": "test_asset",
"is_startswith_pattern": true,
"is_endswith_pattern": false
}
Human Readable Output#

Asset name entry#

| created_at | created_by | id | is_endswith_pattern | is_startswith_pattern | name |
| --- | --- | --- | --- | --- | --- |
| 2022-03-21T16:37:54.657263Z | admin | 1 | false | true | test_asset |

gw-add-ignore-kuser-ip#


Ignore kuser IP

Base Command#

gw-add-ignore-kuser-ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP to be ignored. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Ignore.KuserIP.id | String | ID |
| GCenter.Ignore.KuserIP.created_at | Date | Created at |
| GCenter.Ignore.KuserIP.created_by | String | Created by |
| GCenter.Ignore.KuserIP.ip | String | Ignored IP for the Kerberos users |

Command Example#

!gw-add-ignore-kuser-ip ip="10.10.10.0"

Context Example#
{
"id": "2",
"created_at": "2022-03-21T16:38:35.484082Z",
"created_by": "admin",
"ip": "10.10.10.0"
}
Human Readable Output#

Kuser IP entry#

| created_at | created_by | id | ip |
| --- | --- | --- | --- |
| 2022-03-21T16:38:35.484082Z | admin | 2 | 10.10.10.0 |

gw-add-ignore-kuser-name#


Ignore kuser name

Base Command#

gw-add-ignore-kuser-name

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name to be ignored. | Required |
| start | Kerberos users are ignored if their name starts with this value. | Required |
| end | Kerberos users are ignored if their name ends with this value. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Ignore.KuserName.id | String | ID |
| GCenter.Ignore.KuserName.created_at | Date | Created at |
| GCenter.Ignore.KuserName.created_by | String | Created by |
| GCenter.Ignore.KuserName.name | String | Ignored name for the Kerberos users. Case insensitive. |
| GCenter.Ignore.KuserName.is_startswith_pattern | Boolean | Should the Kerberos users be ignored if they start with this name? |
| GCenter.Ignore.KuserName.is_endswith_pattern | Boolean | Should the Kerberos users be ignored if they end with this name? |

Command Example#

!gw-add-ignore-kuser-name name="test_kuser"

Context Example#
{
"id": "1",
"created_at": "2022-03-21T16:39:18.435420Z",
"created_by": "admin",
"name": "test_kuser",
"is_startswith_pattern": true,
"is_endswith_pattern": false
}
Human Readable Output#

Kuser name entry#

| created_at | created_by | id | is_endswith_pattern | is_startswith_pattern | name |
| --- | --- | --- | --- | --- | --- |
| 2022-03-21T16:39:18.435420Z | admin | 1 | false | true | test_kuser |

gw-add-ignore-mac-address#


Ignore mac address

Base Command#

gw-add-ignore-mac-address

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mac | MAC address to be ignored. | Required |
| start | MAC addresses are ignored if they start with this value. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Ignore.MacAddress.id | String | ID |
| GCenter.Ignore.MacAddress.created_at | Date | Created at |
| GCenter.Ignore.MacAddress.created_by | String | Created by |
| GCenter.Ignore.MacAddress.address | String | Address |
| GCenter.Ignore.MacAddress.is_startswith_pattern | Boolean | Should the MAC addresses be ignored if they start with this address value? |

Command Example#

!gw-add-ignore-mac-address mac="50:50:50:50:50:50"

Context Example#
{
"id": "1",
"created_at": "2022-03-21T16:39:48.363094Z",
"created_by": "admin",
"address": "00:50:50:50:50:50",
"is_startswith_pattern": true
}
Human Readable Output#

MAC address entry#

| address | created_at | created_by | id | is_startswith_pattern |
| --- | --- | --- | --- | --- |
| 00:50:50:50:50:50 | 2022-03-21T16:39:48.363094Z | admin | 1 | true |

gw-del-ignore-asset-name#


Delete an ignore asset ID

Base Command#

gw-del-ignore-asset-name

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ignore_id | Ignore asset ID. | Required |

Context Output#

There is no context output for this command.

Command Example#

!gw-del-ignore-asset-name ignore_id=1

gw-del-ignore-kuser-ip#


Delete an ignore kuser IP ID

Base Command#

gw-del-ignore-kuser-ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ignore_id | Ignore kuser IP ID. | Required |

Context Output#

There is no context output for this command.

Command Example#

!gw-del-ignore-kuser-ip ignore_id=1

gw-del-ignore-kuser-name#


Delete an ignore kuser name ID

Base Command#

gw-del-ignore-kuser-name

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ignore_id | Ignore kuser name ID. | Required |

Context Output#

There is no context output for this command.

Command Example#

!gw-del-ignore-kuser-name ignore_id=1

gw-del-ignore-mac-address#


Delete an ignore mac address ID

Base Command#

gw-del-ignore-mac-address

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ignore_id | Ignore mac address ID. | Required |

Context Output#

There is no context output for this command.

Command Example#

!gw-del-ignore-mac-address ignore_id=1

gw-send-malware#


Send malware

Base Command#

gw-send-malware

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filename | Filename. | Required |
| file_id | File entry id. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Gscan.Malware.id | String | The ID of the Gscan history message |
| GCenter.Gscan.Malware.created | Date | Date of creation |
| GCenter.Gscan.Malware.username | String | The username of the user who uploaded the file |
| GCenter.Gscan.Malware.user_agent | String | The client's User-Agent |
| GCenter.Gscan.Malware.ip_address | String | The IP address of the user who uploaded the file |
| GCenter.Gscan.Malware.file_name | String | Original file name |
| GCenter.Gscan.Malware.sha256 | String | SHA256 |
| GCenter.Gscan.Malware.is_clean | Unknown | Clean |
| GCenter.Gscan.Malware.is_analysis_successful | Boolean | Scan success |
| GCenter.Gscan.Malware.malcore_code_result | String | Malcore code result |
| GCenter.Gscan.Malware.threat_name | String | Threat name |
| GCenter.Gscan.Malware.nb_alerts | Number | Number of Malcore alerts |
| GCenter.Gscan.Malware.nb_engines | Number | Number of Malcore engines |
| GCenter.Gscan.Malware.is_whiteblack_listed | Boolean | Is white or black listed? |
| GCenter.Gscan.Malware.malcore_code_result_name | String | Malcore code result name |
| GCenter.Gscan.Malware.status | String | The Malcore status |

Command Example#

!gw-send-malware filename="test" file_id="331@dfca9ea2-5198-4d64-8c36-5282ac3b2dc5"

Context Example#
{
"id": "1",
"created": "2022-03-21T16:42:11.996076Z",
"username": "admin",
"user_agent": "Mozilla/5.0",
"ip_address": "10.10.10.10",
"file_name": "Arch.jpg",
"sha256": "1a9487d49d842ebdee5ad870065eb74dc7044",
"is_clean": null,
"is_analysis_successful": false,
"malcore_code_result": "5",
"threat_name": "",
"nb_alerts": 0,
"nb_engines": 0,
"is_whiteblack_listed": false,
"malcore_code_result_name": "Unknown",
"status": "Unknown"
}
Human Readable Output#

Malcore analysis result#

| created | file_name | id | ip_address | is_analysis_successful | is_clean | is_whiteblack_listed | malcore_code_result | malcore_code_result_name | nb_alerts | nb_engines | sha256 | status | threat_name | user_agent | username |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-03-21T16:42:11.996076Z | Arch.jpg | 1 | 10.10.10.10 | false | | false | 5 | Unknown | 0 | 0 | 1a9487d49d842ebdee5ad870065eb74dc7044 | Unknown | | Mozilla/5.0 | admin |

gw-send-powershell#


Send powershell

Base Command#

gw-send-powershell

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filename | Filename. | Required |
| file_id | File entry id. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Gscan.Powershell.id | String | The ID of the Gscan history message |
| GCenter.Gscan.Powershell.created | Date | Date of creation |
| GCenter.Gscan.Powershell.username | String | The username of the user who uploaded the file |
| GCenter.Gscan.Powershell.user_agent | String | The client's User-Agent |
| GCenter.Gscan.Powershell.ip_address | String | The IP address of the user who uploaded the file |
| GCenter.Gscan.Powershell.file_name | String | Original file name |
| GCenter.Gscan.Powershell.sha256 | String | SHA256 |
| GCenter.Gscan.Powershell.is_clean | Boolean | Clean |
| GCenter.Gscan.Powershell.is_analysis_successful | Boolean | Scan success |
| GCenter.Gscan.Powershell.status | String | Status |
| GCenter.Gscan.Powershell.proba_obfuscated | Number | Probability that the script is obfuscated |
| GCenter.Gscan.Powershell.analysis_score | Number | Analysis score |
| GCenter.Gscan.Powershell.is_whiteblack_listed | Boolean | Is white or black listed? |

Command Example#

!gw-send-powershell filename="test" file_id="331@dfca9ea2-5198-4d64-8c36-5282ac3b2dc5"

Context Example#
{
"id": "2",
"created": "2022-03-21T16:43:35.591406Z",
"username": "admin",
"user_agent": "Mozilla/5.0",
"ip_address": "10.10.10.10",
"file_name": "Arch.jpg",
"sha256": "1a9487d49d842ebdee5ad870065eb74dc7044",
"is_clean": true,
"is_analysis_successful": true,
"status": "Clean",
"proba_obfuscated": 0,
"analysis_score": 0,
"is_whiteblack_listed": false
}
Human Readable Output#

Powershell analysis result#

| analysis_score | created | file_name | id | ip_address | is_analysis_successful | is_clean | is_whiteblack_listed | proba_obfuscated | sha256 | status | user_agent | username |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | 2022-03-21T16:43:35.591406Z | Arch.jpg | 2 | 10.10.10.10 | true | true | false | 0 | 1a9487d49d842ebdee5ad870065eb74dc7044 | Clean | Mozilla/5.0 | admin |

gw-send-shellcode#


Send shellcode

Base Command#

gw-send-shellcode

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filename | Filename. | Required |
| file_id | File entry id. | Required |
| deep | Deep scan. | Optional |
| timeout | Deep scan timeout. Default is 120. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Gscan.Shellcode.id | String | The ID of the Gscan history message |
| GCenter.Gscan.Shellcode.created | Date | Date of creation |
| GCenter.Gscan.Shellcode.username | String | The username of the user who uploaded the file |
| GCenter.Gscan.Shellcode.user_agent | String | The client's User-Agent |
| GCenter.Gscan.Shellcode.ip_address | String | The IP address of the user who uploaded the file |
| GCenter.Gscan.Shellcode.file_name | String | Original file name |
| GCenter.Gscan.Shellcode.sha256 | String | SHA256 |
| GCenter.Gscan.Shellcode.is_clean | Boolean | Clean |
| GCenter.Gscan.Shellcode.is_analysis_successful | Boolean | Scan success |
| GCenter.Gscan.Shellcode.status | String | Status |
| GCenter.Gscan.Shellcode.architecture | Unknown | Architecture |
| GCenter.Gscan.Shellcode.is_whiteblack_listed | Boolean | Is white or black listed? |

Command Example#

!gw-send-shellcode filename="test" file_id="331@dfca9ea2-5198-4d64-8c36-5282ac3b2dc5" deep=false timeout=120

Context Example#
{
"id": "3",
"created": "2022-03-21T16:44:26.214241Z",
"username": "admin",
"user_agent": "Mozilla/5.0",
"ip_address": "10.10.10.10",
"file_name": "Arch.jpg",
"sha256": "1a9487d49d842ebdee5ad870065eb74dc7044",
"is_clean": true,
"is_analysis_successful": true,
"status": "Clean",
"architecture": null,
"encodings": [],
"is_whiteblack_listed": false
}
Human Readable Output#

Shellcode analysis result#

| architecture | created | encodings | file_name | id | ip_address | is_analysis_successful | is_clean | is_whiteblack_listed | sha256 | status | user_agent | username |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 2022-03-21T16:44:26.214241Z | | Arch.jpg | 3 | 10.10.10.10 | true | true | false | 1a9487d49d842ebdee5ad870065eb74dc7044 | Clean | Mozilla/5.0 | admin |

gw-es-wrapper#


Get Elasticsearch data using a wrapper

Base Command#

gw-es-wrapper

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| index | Index. Possible values are: suricata, codebreaker, malware, netdata, syslog, machine_learning, retrohunt, iocs. | Required |
| aggs_term | List and count the distinct values of a document field using the terms aggregation. If aggs_term is empty, the hits are listed instead. Example: "src_ip,dest_ip". Possible values are: src_ip, dest_ip, http.hostname, tls.sni, SHA256. | Optional |
| must_match | Filter documents that match the value, using the term query. Example: "alert.severity=1,app_proto=http". | Optional |
| must_exists | Filter documents in which the key exists, using the exists query. Example: "http.hostname,http.url". | Optional |
| timerange | Lower bound of the time range, in hours before now. Default is 24. | Optional |
| formatted | True to get only the list of aggregated values, False to get the entire response. Possible values are: True, False. Default is True. | Optional |
| size | Maximum number of aggregation buckets or hits returned. Default is 100. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!gw-es-wrapper index="malware" aggs_term="src_ip" must_match="state=Infected" timerange="240" formatted="True"

Context Example#
{
"src_ip": [
"10.10.10.10"
]
}
Human Readable Output#

Elasticsearch wrapper result#

| src_ip |
| --- |
| 10.10.10.10 |
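The arguments above describe an Elasticsearch request: a terms aggregation per aggs_term field, a term query per must_match pair, an exists query per must_exists key, and a lower time bound relative to now. The following Python is an added illustration of how those arguments translate into a request body and how the formatted view is derived from the response; it is not the integration's own code, and the timestamp field name (`@timestamp`), the `field=value` splitting and the sample response are assumptions.

```python
"""Translate gw-es-wrapper arguments into an Elasticsearch body (illustration only)."""
import json

TIMESTAMP_FIELD = "@timestamp"  # assumption: the real field name is not documented on this page


def split_csv(value):
    """Split a comma-separated argument, dropping blanks: "a, b" -> ["a", "b"]."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def build_es_body(aggs_term="", must_match="", must_exists="", timerange=24, size=100):
    """Build the query: bool/must with range + term + exists, and a terms agg per aggs_term field."""
    must = [{"range": {TIMESTAMP_FIELD: {"gte": f"now-{int(timerange)}h"}}}]
    for pair in split_csv(must_match):
        field, _, val = pair.partition("=")
        if not field or not val:
            raise ValueError(f"must_match entry {pair!r} is not of the form field=value")
        must.append({"term": {field: val}})
    for field in split_csv(must_exists):
        must.append({"exists": {"field": field}})
    body = {"query": {"bool": {"must": must}}}
    terms = split_csv(aggs_term)
    if terms:
        # Aggregation mode: no hits, one terms bucket list per requested field.
        body["size"] = 0
        body["aggs"] = {t: {"terms": {"field": t, "size": int(size)}} for t in terms}
    else:
        # Hits mode: return up to `size` matching documents.
        body["size"] = int(size)
    return body


def format_aggregations(response, aggs_term):
    """formatted=True view: {field: [bucket keys]} from a raw terms-aggregation response."""
    return {t: [b["key"] for b in response["aggregations"][t]["buckets"]]
            for t in split_csv(aggs_term)}


if __name__ == "__main__":
    body = build_es_body(aggs_term="src_ip", must_match="state=Infected", timerange=240)
    print(json.dumps(body, indent=2))
    # Constructed sample response in the shape a terms aggregation returns.
    sample = {"aggregations": {"src_ip": {"buckets": [{"key": "10.10.10.10", "doc_count": 3}]}}}
    print(format_aggregations(sample, "src_ip"))
```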

gw-get-malcore-list-entry#


Get the malcore whitelist/blacklist

Base Command#

gw-get-malcore-list-entry

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | List type. Possible values are: white, black. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Malcore.List.sha256 | String | Sha256 |
| GCenter.Malcore.List.created | Date | Created |
| GCenter.Malcore.List.comment | String | Comment |
| GCenter.Malcore.List.threat | String | Name Of Threat For Reference |
Command Example#

!gw-get-malcore-list-entry type=black

Context Example#
[
{
"sha256": "d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351f",
"created": "2022-09-13T08:16:21.400100Z",
"comment": "added by cortex",
"threat": "undefined"
},
{
"sha256": "d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351e",
"created": "2022-09-13T08:16:09.880381Z",
"comment": "added by cortex",
"threat": "undefined"
}
]
Human Readable Output#

Malcore whitelist/blacklist entry#

| comment | created | sha256 | threat |
| --- | --- | --- | --- |
| added by cortex | 2022-09-13T08:16:21.400100Z | d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351f | undefined |
| added by cortex | 2022-09-13T08:16:09.880381Z | d955e262d7a05fc436e65c2a312593e4c7031482d90cebd29e69059053b1351e | undefined |

gw-get-dga-list-entry#


Get the dga whitelist/blacklist

Base Command#

gw-get-dga-list-entry

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | List type. Possible values are: white, black. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Dga.List.domain_name | String | Domain Name |
| GCenter.Dga.List.created | Date | Created |
| GCenter.Dga.List.comment | String | Comment |
| GCenter.Dga.List.is_wildcard | Boolean | Is Wildcard |
Command Example#

!gw-get-dga-list-entry type=black

Context Example#
[
{
"domain_name": "test.domain.com",
"created": "2022-03-21T16:30:20.012035Z",
"comment": "added by cortex",
"is_wildcard": false
}
]
Human Readable Output#

DGA whitelist/blacklist entry#

| comment | created | domain_name | is_wildcard |
| --- | --- | --- | --- |
| added by cortex | 2022-03-21T16:30:20.012035Z | test.domain.com | false |

gw-get-ignore-asset-name#


Get all the ignored asset names

Base Command#

gw-get-ignore-asset-name

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Ignore.AssetName.List.id | String | Id |
| GCenter.Ignore.AssetName.List.created_at | Date | Created At |
| GCenter.Ignore.AssetName.List.created_by | String | Created By |
| GCenter.Ignore.AssetName.List.name | String | Ignored Name For The Assets (Hostnames). Case Insensitive. |
| GCenter.Ignore.AssetName.List.is_startswith_pattern | Boolean | Should The Assets (Hostnames) Be Ignored If They Start With This Name? |
| GCenter.Ignore.AssetName.List.is_endswith_pattern | Boolean | Should The Assets (Hostnames) Be Ignored If They End With This Name? |
Command Example#

!gw-get-ignore-asset-name

Context Example#
[
{
"id": "1",
"created_at": "2022-09-13T13:31:18.427519Z",
"created_by": "admin",
"name": "test",
"is_startswith_pattern": false,
"is_endswith_pattern": true
},
{
"id": "2",
"created_at": "2022-09-13T13:31:31.049593Z",
"created_by": "admin",
"name": "test2",
"is_startswith_pattern": true,
"is_endswith_pattern": false
}
]
Human Readable Output#

Asset name entry#

| created_at | created_by | id | is_endswith_pattern | is_startswith_pattern | name |
| --- | --- | --- | --- | --- | --- |
| 2022-09-13T13:31:18.427519Z | admin | 1 | true | false | test |
| 2022-09-13T13:31:31.049593Z | admin | 2 | false | true | test2 |

gw-get-ignore-kuser-ip#


Get all the ignored kuser IPs

Base Command#

gw-get-ignore-kuser-ip

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Ignore.KuserIP.List.id | String | Id |
| GCenter.Ignore.KuserIP.List.created_at | Date | Created At |
| GCenter.Ignore.KuserIP.List.created_by | String | Created By |
| GCenter.Ignore.KuserIP.List.ip | String | Ignored Ip For The Kerberos Users |
Command Example#

!gw-get-ignore-kuser-ip

Context Example#
[
{
"id": "1",
"created_at": "2022-09-13T12:06:29.575735Z",
"created_by": "admin",
"ip": "10.10.10.0"
},
{
"id": "2",
"created_at": "2022-09-13T13:30:26.791512Z",
"created_by": "admin",
"ip": "10.10.10.0"
}
]
Human Readable Output#

Kuser IP entry#

| created_at | created_by | id | ip |
| --- | --- | --- | --- |
| 2022-09-13T12:06:29.575735Z | admin | 1 | 10.10.10.0 |
| 2022-09-13T13:30:26.791512Z | admin | 2 | 10.10.10.0 |

gw-get-ignore-kuser-name#


Get all the ignored kuser names

Base Command#

gw-get-ignore-kuser-name

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Ignore.KuserName.List.id | String | Id |
| GCenter.Ignore.KuserName.List.created_at | Date | Created At |
| GCenter.Ignore.KuserName.List.created_by | String | Created By |
| GCenter.Ignore.KuserName.List.name | String | Ignored Name For The Kerberos Users. Case Insensitive. |
| GCenter.Ignore.KuserName.List.is_startswith_pattern | Boolean | Should The Kerberos Users Be Ignored If They Start With This Name? |
| GCenter.Ignore.KuserName.List.is_endswith_pattern | Boolean | Should The Kerberos Users Be Ignored If They End With This Name? |
Command Example#

!gw-get-ignore-kuser-name

Context Example#
[
{
"id": "1",
"created_at": "2022-09-13T13:27:50.136561Z",
"created_by": "admin",
"name": "test",
"is_startswith_pattern": true,
"is_endswith_pattern": false
},
{
"id": "2",
"created_at": "2022-09-13T13:28:02.072013Z",
"created_by": "admin",
"name": "test2",
"is_startswith_pattern": false,
"is_endswith_pattern": true
}
]
Human Readable Output#

Kuser name entry#

| created_at | created_by | id | is_endswith_pattern | is_startswith_pattern | name |
| --- | --- | --- | --- | --- | --- |
| 2022-09-13T13:27:50.136561Z | admin | 1 | false | true | test |
| 2022-09-13T13:28:02.072013Z | admin | 2 | true | false | test2 |

gw-get-ignore-mac-address#


Get all the ignored MAC addresses

Base Command#

gw-get-ignore-mac-address

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GCenter.Ignore.MacAddress.List.id | String | Id |
| GCenter.Ignore.MacAddress.List.created_at | Date | Created At |
| GCenter.Ignore.MacAddress.List.created_by | String | Created By |
| GCenter.Ignore.MacAddress.List.address | String | Address |
| GCenter.Ignore.MacAddress.List.is_startswith_pattern | Boolean | Should The Mac Addresses Be Ignored If They Start With This Address Value? |
Command Example#

!gw-get-ignore-mac-address

Context Example#
[
{
"id": "1",
"created_at": "2022-09-13T13:25:55.679624Z",
"created_by": "admin",
"address": "00:50:50:50:50:50",
"is_startswith_pattern": true
},
{
"id": "2",
"created_at": "2022-09-13T13:26:11.338296Z",
"created_by": "admin",
"address": "00:40:40:40:40:40",
"is_startswith_pattern": true
}
]
Human Readable Output#

MAC address entry#

| address | created_at | created_by | id | is_startswith_pattern |
| --- | --- | --- | --- | --- |
| 00:50:50:50:50:50 | 2022-09-13T13:25:55.679624Z | admin | 1 | true |
| 00:40:40:40:40:40 | 2022-09-13T13:26:11.338296Z | admin | 2 | true |
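The asset-name, Kerberos-user-name and MAC-address ignore lists above share the same matching semantics: a case-insensitive value plus is_startswith_pattern / is_endswith_pattern flags. The Python below is an added illustration, not the integration's code, of how an analyst could check which ignore entries would suppress a given observed value; the entries are constructed samples shaped like the context output, and the behaviour when neither flag is set (exact match) or both are set (substring match) is an assumption the page does not state.

```python
"""Evaluate GCenter ignore-list entries against an observed value (illustration only)."""

# Constructed sample entries, in the shape of the gw-get-ignore-* context output.
ASSET_NAME_ENTRIES = [
    {"id": "1", "name": "test", "is_startswith_pattern": False, "is_endswith_pattern": True},
    {"id": "2", "name": "test2", "is_startswith_pattern": True, "is_endswith_pattern": False},
]
MAC_ENTRIES = [
    # MAC entries only carry is_startswith_pattern (useful for vendor OUI prefixes).
    {"id": "1", "address": "00:50:50:50:50:50", "is_startswith_pattern": True},
]


def entry_matches(entry, value, key="name"):
    """True if `value` is covered by one entry; matching is case-insensitive per the docs."""
    pattern = entry[key].lower()
    value = value.lower()
    starts = entry.get("is_startswith_pattern", False)
    ends = entry.get("is_endswith_pattern", False)
    if starts and ends:
        return pattern in value  # assumption: both flags -> match anywhere in the value
    if starts:
        return value.startswith(pattern)
    if ends:
        return value.endswith(pattern)
    return value == pattern  # assumption: no flag -> exact match


def matching_entry_ids(entries, value, key="name"):
    """Ids of every entry that would cause `value` to be ignored; empty list if none."""
    return [e["id"] for e in entries if entry_matches(e, value, key)]


if __name__ == "__main__":
    for host in ("WS-TEST", "test2-laptop", "other"):
        print(host, "->", matching_entry_ids(ASSET_NAME_ENTRIES, host))
    print(matching_entry_ids(MAC_ENTRIES, "00:50:50:50:50:50", key="address"))
```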

gw-get-file-infected#


Get a file from a uuid. If no uuid is given, get all the infected files from a time interval.

Base Command#

gw-get-file-infected

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| timerange | Set the lower bound of the time range, in minutes, relative to the now keyword, when uuid is not given. Default is 60 minutes. | Optional |
| size | Set the number of aggregate values that can be returned when uuid is not given. All values are returned by default. | Optional |
| uuid | The uuid of the file to get. | Optional |
| state | The states of the files to get, as a list, when uuid is not given. Default is Infected,Suspicious. Possible values are: . | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Gcenter.File.Infected | String | File infected |
Command Example#

!gw-get-file-infected timerange="1440"

Context Example#
[
{
"Content": "",
"ContentFormat": "text",
"File": "malcore_b34fc6de9763e3640f93dda3f7a97470af6f009089bca588272a03807ae9f5bf_2022-12-12_18-21-40.zip",
"FileID": "f956f5cd-bad2-4f9c-ab75-cc6b16e58873",
"Type": "3"
}
]
Human Readable Output#

Files infected entry#

| Contents | ContentsFormat | File | FileID | Type |
| --- | --- | --- | --- | --- |
|  | text | malcore_b34fc6de9763e3640f93dda3f7a97470af6f009089bca588272a03807ae9f5bf_2022-12-12_18-21-40.zip | f956f5cd-bad2-4f9c-ab75-cc6b16e58873 | 3 |