GreatHorn

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

The only cloud-native security platform that stops targeted social engineering and phishing attacks on cloud email platforms like Office 365 and G Suite. This integration was integrated and tested with version 2.0 of GreatHorn

Configure GreatHorn on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for GreatHorn.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    urlBase URLTrue
    api_versionAPI VersionTrue
    apikeyAPI KeyTrue
    insecureTrust any certificate (not secure)False
    proxyUse system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

gh-get-message#


Return message details for the specified event

Base Command#

gh-get-message

Input#

Argument NameDescriptionRequired
idGreatHorn eventId, multiple values supported via CSV.Required
includeheadersWhether or not to include full message headers in the War Room output. Possible values are: true, false. Default is false.Optional
showalllinksWhether or not to show all links in the War Room output. When false only suspicious and malicious links will be returned to the War Room. Possible values are: true, false. Default is false.Optional

Context Output#

PathTypeDescription
GreatHorn.Message.eventIdNumberThe GreatHorn event id
GreatHorn.Message.originStringMailbox email was discovered
GreatHorn.Message.statusStringHas the system taken action on the event
GreatHorn.Message.xMailerUnknownX-Mailer header entry
GreatHorn.Message.sourcePathStringGreatHorn discovered domain of sender
GreatHorn.Message.ipStringGreatHorn discovered originating ip of sender
GreatHorn.Message.bodyOnlyWhitespaceNumberBody of email content is only whitespace
GreatHorn.Message.collectorUnknownEmail provider email discovered
GreatHorn.Message.dkimStringdmarc authentication result
GreatHorn.Message.spfStringspf authentication result
GreatHorn.Message.contentHashStringHash of email body conten
GreatHorn.Message.violationsNumberAll body of email policy matches
GreatHorn.Message.workflowStringCurrent action of event
GreatHorn.Message.targetsStringAll recepients of the email
GreatHorn.Message.sourceStringEmail sender address
GreatHorn.Message.locationStringLocation of sender ip origin
GreatHorn.Message.quarReleasedByUnknownWho released the quarantined email
GreatHorn.Message.quarDeletedUnknownHas the event been deleted from quarantined
GreatHorn.Message.quarDeletedByUnknownWho deleted the quarantined email
GreatHorn.Message.quarDeniedUnknownHas the event been denied released from quarantined
GreatHorn.Message.subjectStringEmail subject
GreatHorn.Message.xAuthResultsUnknownX-Original-Authentication-Results header entry
GreatHorn.Message.dmarcStringdmarc authentication result
GreatHorn.Message.returnPathStringReturn-Path header entry'
GreatHorn.Message.receivedStringReceived header entry
GreatHorn.Message.replyToStringReply-To header entry
GreatHorn.Message.timestampDatetimestamp of the event, usually receivedTime
GreatHorn.Message.flagNumberAll policies the event matched
GreatHorn.Message.homographScoreNumberGreatHorn homograph score
GreatHorn.Message.owlScoreNumberGreatHorn threat score
GreatHorn.Message.anomalyScoreNumberGreatHorn anomaly score
GreatHorn.Message.authScoreNumberGreatHorn illegitmacy score
GreatHorn.Message.remediationUnknownRemediation action taken
GreatHorn.Message.quarantinedUnknownHas the event been quarantined
GreatHorn.Message.quarExpiredUnknownHas the event been expired from quarantined
GreatHorn.Message.quarReleaseRequestedUnknownHas the event been requested to be relased from quarantined
GreatHorn.Message.quarReleasedUnknownHas the event been released from quarantined
GreatHorn.Message.displayNameStringDisplay name of sender
GreatHorn.Message.countryStringCountry of sender ip country
GreatHorn.Message.regionStringRegion of sender ip origin
GreatHorn.Message.authenticationResultsStringAuthentication-Results header entry
GreatHorn.Message.messageIdStringMessage-Id header entry
GreatHorn.Message.headersObjectFull set of headers for the email
GreatHorn.Message.links.resolvedUrlUnknownThe URL of the resolved link if it points elsewhere
GreatHorn.Message.links.textStringThe text showing for the link discovered in the body of the email
GreatHorn.Message.links.urlStringURL of link discovered in body of email
GreatHorn.Message.links.tagsStringList of tags describing the analysis of the event

Command Example#

!gh-get-message id="12345" includeheaders="true"

Context Example#

{}

Human Readable Output#

GreatHorn event not found

gh-search-message#


Search for message based on filtering input

Base Command#

gh-search-message

Input#

Argument NameDescriptionRequired
fieldsThe fields to include in the response. By default, all fields are returned.Optional
filtersThe criteria to use in filtering search results. This should be input as a dictionary.Optional
limitThe maximum number of entries to return per page of results. Default is 10; max is 200. Default is 10.Optional
offsetThe zero-based offset of the first item in the collection. Default is 0; max is 10000.Optional
sortThe field to use in sorting results. Default is eventId. Default is eventId.Optional
sortDirIndicates if the sort direction is ascending or descending. Default is descending. Possible values are: desc, asc. Default is desc.Optional

Context Output#

PathTypeDescription
GreatHorn.Message.eventIdNumberThe GreatHorn event id
GreatHorn.Message.originStringMailbox email was discovered
GreatHorn.Message.statusStringHas the system taken action on the event
GreatHorn.Message.xMailerUnknownX-Mailer header entry
GreatHorn.Message.sourcePathStringGreatHorn discovered domain of sender
GreatHorn.Message.ipStringGreatHorn discovered originating ip of sender
GreatHorn.Message.bodyOnlyWhitespaceNumberBody of email content is only whitespace
GreatHorn.Message.collectorUnknownEmail provider email discovered
GreatHorn.Message.dkimStringdmarc authentication result
GreatHorn.Message.spfStringspf authentication result
GreatHorn.Message.contentHashStringHash of email body conten
GreatHorn.Message.violationsNumberAll body of email policy matches
GreatHorn.Message.workflowStringCurrent action of event
GreatHorn.Message.targetsStringAll recepients of the email
GreatHorn.Message.sourceStringEmail sender address
GreatHorn.Message.locationStringLocation of sender ip origin
GreatHorn.Message.quarReleasedByUnknownWho released the quarantined email
GreatHorn.Message.quarDeletedUnknownHas the event been deleted from quarantined
GreatHorn.Message.quarDeletedByUnknownWho deleted the quarantined email
GreatHorn.Message.quarDeniedUnknownHas the event been denied released from quarantined
GreatHorn.Message.subjectStringEmail subject
GreatHorn.Message.xAuthResultsUnknownX-Original-Authentication-Results header entry
GreatHorn.Message.dmarcStringdmarc authentication result
GreatHorn.Message.returnPathStringReturn-Path header entry'
GreatHorn.Message.receivedStringReceived header entry
GreatHorn.Message.replyToStringReply-To header entry
GreatHorn.Message.timestampDatetimestamp of the event, usually receivedTime
GreatHorn.Message.flagNumberAll policies the event matched
GreatHorn.Message.homographScoreNumberGreatHorn homograph score
GreatHorn.Message.owlScoreNumberGreatHorn threat score
GreatHorn.Message.anomalyScoreNumberGreatHorn anomaly score
GreatHorn.Message.authScoreNumberGreatHorn illegitmacy score
GreatHorn.Message.remediationUnknownRemediation action taken
GreatHorn.Message.quarantinedUnknownHas the event been quarantined
GreatHorn.Message.quarExpiredUnknownHas the event been expired from quarantined
GreatHorn.Message.quarReleaseRequestedUnknownHas the event been requested to be relased from quarantined
GreatHorn.Message.quarReleasedUnknownHas the event been released from quarantined
GreatHorn.Message.displayNameStringDisplay name of sender
GreatHorn.Message.countryStringCountry of sender ip country
GreatHorn.Message.regionStringRegion of sender ip origin
GreatHorn.Message.authenticationResultsStringAuthentication-Results header entry
GreatHorn.Message.messageIdStringMessage-Id header entry
GreatHorn.Message.headersObjectFull set of headers for the email
GreatHorn.Message.links.resolvedUrlUnknownThe URL of the resolved link if it points elsewhere
GreatHorn.Message.links.textStringThe text showing for the link discovered in the body of the email
GreatHorn.Message.links.urlStringURL of link discovered in body of email
GreatHorn.Message.links.tagsStringList of tags describing the analysis of the event

Command Example#

!gh-search-message filters="[{\"targets\": [\"penguin@scuftysails.com\"], \"origin\": [\"action@ifttt.com\"]}]"

Context Example#

{
"GreatHorn": {
"Message": {
"Message": [],
"SearchCount": 0
}
}
}

Human Readable Output#

Events#

No entries.

gh-remediate-message#


Perform the specified remediation action on message

Base Command#

gh-remediate-message

Input#

Argument NameDescriptionRequired
actionThe action to take on the given message. Possible values are: archive, banner, delete, label, move, quarantine, delete, removeattachments, review, trash.Required
eventIdThe GreatHorn event ID.Required
hasButtonIf true, the banner will include a button enabling the end-user to remove the banner. Default is True. Possible values are: True, False. Default is True.Optional
messageThe text to display in the email's banner.Optional
labelThe name of the label to add. If the label name does not exist, it will be created.Optional
locationThe target location in the user's mailbox. If the location does not exist, it will be created.Optional

Context Output#

PathTypeDescription
GreatHorn.Remediation.actionStringRemediation action requested to be taken on the event
GreatHorn.Remediation.eventIdStringThe Greathorn event ID
GreatHorn.Remediation.reasonStringDetails of error seen if any
GreatHorn.Remediation.successNumberIndication if the request was successful

Command Example#

!gh-remediate-message action="banner" message="This email may be a phishing attempt" eventId="20128"

Context Example#

{
"GreatHorn": {
"Remediation": {
"action": "banner",
"eventId": "20128",
"reason": "completed",
"success": true
}
}
}

Human Readable Output#

Remediate action banner applied successfully to message 20128

gh-revert-remediate-message#


Revert the specified remediation action on the given message

Base Command#

gh-revert-remediate-message

Input#

Argument NameDescriptionRequired
actionRemediation action to revert. Possible values are: banner, quarantinerequest, quarantinerelease, quarantinedeny, removeattachments, review.Required
eventIdThe GreatHorn event ID.Required

Context Output#

PathTypeDescription
GreatHorn.Remediation.actionStringRemediation action that was reverted
GreatHorn.Remediation.eventIdStringThe GreatHorn event ID
GreatHorn.Remediation.reasonStringDetails of error seen if any
GreatHorn.Remediation.successNumberIndication if the request was successful

Command Example#

!gh-revert-remediate-message action="banner" eventId="20128"

Context Example#

{
"GreatHorn": {
"Remediation": {
"action": "banner",
"eventId": "20128",
"reason": "completed",
"success": true
}
}
}

Human Readable Output#

Revert action banner applied successfully to message 20128

gh-get-policy#


Retrieve details about the policy specified

Base Command#

gh-get-policy

Input#

Argument NameDescriptionRequired
policyidThe ID of the policy.Optional

Context Output#

PathTypeDescription
GreatHorn.Policy.nameStringThe user-defined name of the policy
GreatHorn.Policy.enabledNumberWhether the policy is enabled
GreatHorn.Policy.configStringThe match configuration of the policy
GreatHorn.Policy.idNumberThe ID of the policy
GreatHorn.Policy.descriptionStringThe user-defined description of the policy

Command Example#

!gh-get-policy policyid="16567"

Context Example#

{
"GreatHorn": {
"Policy": {
"actions": [
{
"addresses": [
""
],
"quarantineNotification": false,
"releaseNotification": false,
"type": "quarantine"
}
],
"config": [
"or",
[
"and",
{
"opt": "from",
"type": "regex",
"values": [
"asdf2@asdf2.com",
"asdf@asdf.com"
]
}
]
],
"description": "",
"enabled": true,
"id": 16567,
"name": "Penalty box policy"
}
}
}

Human Readable Output#

Policy#

IDNameEnabledDescriptionActions
16567Penalty box policytruequarantine

gh-set-policy#


Retrieve details about the policy specified.

Base Command#

gh-set-policy

Input#

Argument NameDescriptionRequired
updatemethodUpdate method for the given policy. Possible values are: patch, put.Required
policyidThe ID of the policy.Required
policyjsonPolicy defintion or policy change defintion. Input as a dictionary.Required

Context Output#

PathTypeDescription
GreatHorn.Policy.idNumberThe ID of the policy.

Command Example#

!gh-set-policy policyid="16567" updatemethod="patch" policyjson="{\"config\": [\"or\", [\"and\", {\"opt\": \"from\", \"values\": [\"asdf@asdf.com\",\"asdf2@asdf2.com\"], \"type\": \"regex\"}]]}"

Context Example#

{
"GreatHorn": {
"Policy": {
"id": "16567",
"success": true
}
}
}

Human Readable Output#

Update applied successfully to policy 16567