HYAS Insight

This Integration is part of the HYAS Insight Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

HYAS Insight

HYAS Insight is a threat investigation and attribution solution that uses exclusive data sources and non-traditional mechanisms to improve visibility and productivity for analysts, researchers, and investigators while increasing the accuracy of findings. HYAS Insight connects attack instances and campaigns to billions of indicators of compromise to deliver insights and visibility. With an easy-to-use user interface, transforms, and API access, HYAS Insight combines rich threat data into a powerful research and attribution solution. HYAS Insight is complemented by the HYAS Intelligence team that helps organizations to better understand the nature of the threats they face on a daily basis.

Use the HYAS Insight integration to interactively look up PassiveDNS, DynamicDNS, WHOIS, and malware information, either as playbook tasks or through API calls in the War Room. This integration was integrated and tested with version 1.0.0 of HYAS Insight.

Configure HYAS Insight on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for HYAS Insight.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | HYAS Insight Api Key | True |
    | Trust any certificate (not secure) | False |
    | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

hyas-get-passive-dns-records-by-indicator

Returns PassiveDNS records for the provided indicator value.

Base Command

hyas-get-passive-dns-records-by-indicator

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_type | Indicator Type. Possible values are: ipv4, domain. | Required |
| indicator_value | Indicator value to query. | Required |
| limit | The maximum number of results to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| HYAS.PassiveDNS.count | Number | The passive dns count |
| HYAS.PassiveDNS.domain | String | The domain of the passive dns information requested |
| HYAS.PassiveDNS.first_seen | Date | The first time this domain was seen |
| HYAS.PassiveDNS.ip.geo.city_name | String | City of the ip organization |
| HYAS.PassiveDNS.ip.geo.country_iso_code | String | Country ISO code of the ip organization |
| HYAS.PassiveDNS.ip.geo.country_name | String | Country name of the ip organization |
| HYAS.PassiveDNS.ip.geo.location_latitude | Number | The latitude of the ip organization |
| HYAS.PassiveDNS.ip.geo.location_longitude | Number | The longitude of the ip organization |
| HYAS.PassiveDNS.ip.geo.postal_code | String | The postal code of the ip organization |
| HYAS.PassiveDNS.ip.ip | String | IP of the organization |
| HYAS.PassiveDNS.ip.isp.autonomous_system_number | String | The ASN of the ip |
| HYAS.PassiveDNS.ip.isp.autonomous_system_organization | String | The ASO of the ip |
| HYAS.PassiveDNS.ip.isp.ip_address | String | The IP |
| HYAS.PassiveDNS.ip.isp.isp | String | The Internet Service Provider |
| HYAS.PassiveDNS.ip.isp.organization | String | The ISP organization |
| HYAS.PassiveDNS.ipv4 | String | The ipv4 address of the passive dns record |
| HYAS.PassiveDNS.last_seen | Date | The last time this domain was seen |
| HYAS.PassiveDNS.sources | Unknown | A list of pDNS providers which the data came from |

Command Example

!hyas-get-passive-dns-records-by-indicator indicator_type="domain" indicator_value="domain.org" limit="3"

Context Example

{
  "HYAS": {
    "PassiveDNS": [
      {
        "count": "10571",
        "domain": "domain.org",
        "first_seen": "2019-03-14T23:36:40Z",
        "ip": {
          "geo": {
            "city_name": "Cutlerville",
            "country_iso_code": "US",
            "country_name": "United States",
            "location_latitude": "42.8409",
            "location_longitude": "-85.6636",
            "postal_code": "12345"
          },
          "ip": "",
          "isp": {
            "autonomous_system_number": "AS12345",
            "autonomous_system_organization": "System LLX",
            "ip_address": "",
            "isp": "System LLX",
            "organization": "System LLX"
          }
        },
        "ipv4": "",
        "last_seen": "2021-07-16T15:29:13.033000Z",
        "sources": [
          "hyas",
          "farsight"
        ]
      },
      {
        "count": "151",
        "domain": "domain.org",
        "first_seen": "2011-08-02T12:15:17Z",
        "ip": {
          "geo": {
            "city_name": "Chicago",
            "country_iso_code": "US",
            "country_name": "United States",
            "location_latitude": "41.8500",
            "location_longitude": "-87.6500",
            "postal_code": "60666"
          },
          "ip": "",
          "isp": {
            "autonomous_system_number": "AS12345",
            "autonomous_system_organization": "System LLX",
            "ip_address": "",
            "isp": "System LLX",
            "organization": "System LLX"
          }
        },
        "ipv4": "",
        "last_seen": "2012-06-18T08:36:11Z",
        "sources": [
          "farsight"
        ]
      },
      {
        "count": "7439",
        "domain": "domain.org",
        "first_seen": "2014-04-08T03:30:41Z",
        "ip": {
          "geo": {
            "city_name": "Denver",
            "country_iso_code": "US",
            "country_name": "United States",
            "location_latitude": "39.7392",
            "location_longitude": "-104.9847",
            "postal_code": "80208"
          },
          "ip": "",
          "isp": {
            "autonomous_system_number": "AS46606",
            "autonomous_system_organization": "Unified Layer",
            "ip_address": "",
            "isp": "Unified Layer",
            "organization": "Unified Layer"
          }
        },
        "ipv4": "",
        "last_seen": "2018-11-25T08:06:47Z",
        "sources": [
          "farsight"
        ]
      }
    ]
  }
}

Human Readable Output

HYAS PassiveDNS records for domain : domain.org

| Count | Domain | First seen | City Name | Country Code | Country Name | Latitude | Longitude | Postal Code | IP | ISP ASN | ISP ASN Organization | ISP IP Address | ISP | ISP Organization | IPV4 | Last Seen | Sources |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 10571 | domain.org | 2019-03-14T23:36:40Z | Cutlerville | US | United States | 42.8409 | -85.6636 | 12345 |  | AS12345 | System LLX |  | System LLX | System LLX |  | 2021-07-16T15:29:13.033000Z | hyas, farsight |
| 151 | domain.org | 2011-08-02T12:15:17Z | Chicago | US | United States | 41.8500 | -87.6500 | 60666 |  | AS12345 | System LLX |  | System LLX | System LLX |  | 2012-06-18T08:36:11Z | farsight |
| 7439 | domain.org | 2014-04-08T03:30:41Z | Denver | US | United States | 39.7392 | -104.9847 | 80208 |  | AS46606 | Unified Layer |  | Unified Layer | Unified Layer |  | 2018-11-25T08:06:47Z | farsight |
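
The PassiveDNS context returns `count` as a string and mixes timestamp formats, so downstream automations need to normalize it before sorting or aggregating. The following is an added example, not part of the HYAS integration; the function names are hypothetical and the sample data is constructed in the shape of the Context Example above.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the shape of the Context Example (trimmed to the fields used).
SAMPLE_CONTEXT = {"HYAS": {"PassiveDNS": [
    {"count": "10571", "domain": "domain.org", "first_seen": "2019-03-14T23:36:40Z",
     "last_seen": "2021-07-16T15:29:13.033000Z", "sources": ["hyas", "farsight"],
     "ip": {"isp": {"autonomous_system_number": "AS12345"}}},
    {"count": "151", "domain": "domain.org", "first_seen": "2011-08-02T12:15:17Z",
     "last_seen": "2012-06-18T08:36:11Z", "sources": ["farsight"],
     "ip": {"isp": {"autonomous_system_number": "AS12345"}}},
    {"count": "7439", "domain": "domain.org", "first_seen": "2014-04-08T03:30:41Z",
     "last_seen": "2018-11-25T08:06:47Z", "sources": ["farsight"],
     "ip": {"isp": {"autonomous_system_number": "AS46606"}}},
]}}


def parse_ts(value):
    """Parse the timestamp variants in the examples; values without 'Z' are assumed UTC."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def normalize_pdns(context):
    """Return pDNS records with typed fields, newest last_seen first."""
    rows = []
    for rec in context.get("HYAS", {}).get("PassiveDNS", []):
        first, last = parse_ts(rec["first_seen"]), parse_ts(rec["last_seen"])
        rows.append({
            "domain": rec.get("domain"),
            "asn": rec.get("ip", {}).get("isp", {}).get("autonomous_system_number"),
            "count": int(rec["count"]),  # count arrives as a string
            "first_seen": first,
            "last_seen": last,
            "days_active": (last - first).days,
            "sources": sorted(rec.get("sources") or []),
        })
    return sorted(rows, key=lambda r: r["last_seen"], reverse=True)


def observations_by_asn(rows):
    """Sum observation counts per ASN to show where the name has mostly resolved."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["asn"]] += row["count"]
    return dict(totals)
```
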

hyas-get-dynamic-dns-records-by-indicator

Returns DynamicDNS records for the provided indicator value.

Base Command

hyas-get-dynamic-dns-records-by-indicator

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_type | Indicator Type. Possible values are: ip, domain, email. | Required |
| indicator_value | Indicator value to query. | Required |
| limit | The maximum number of results to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| HYAS.DynamicDNS.a_record | String | The A record for the domain |
| HYAS.DynamicDNS.account | String | The account holder name |
| HYAS.DynamicDNS.created | Date | The date which the domain was created |
| HYAS.DynamicDNS.created_ip | String | The ip address of the account holder |
| HYAS.DynamicDNS.domain | String | The domain associated with the dynamic dns information |
| HYAS.DynamicDNS.domain_creator_ip | String | The ip address of the domain creator |
| HYAS.DynamicDNS.email | String | The email address connected to the domain |

Command Example

!hyas-get-dynamic-dns-records-by-indicator indicator_type="ip" indicator_value="4.4.4.4" limit="3"

Context Example

{
  "HYAS": {
    "DynamicDNS": [
      {
        "a_record": "4.4.4.4",
        "account": "free",
        "created": "2019-03-30T14:39:49Z",
        "created_ip": "",
        "domain": "domain.org",
        "domain_creator_ip": "",
        "email": ""
      },
      {
        "a_record": "4.4.4.4",
        "account": "free",
        "created": "2020-05-09T03:39:28Z",
        "created_ip": "",
        "domain": "domain.org",
        "domain_creator_ip": "",
        "email": ""
      },
      {
        "a_record": "4.4.4.4",
        "account": "free",
        "created": "2020-05-09T03:39:24Z",
        "created_ip": "",
        "domain": "bensonwonghk.duckdns.org",
        "domain_creator_ip": "",
        "email": ""
      }
    ]
  }
}

Human Readable Output

HYAS DynamicDNS records for ip : 4.4.4.4

| A Record | Account | Created Date | Account Holder IP Address | Domain | Domain Creator IP Address | Email Address |
| --- | --- | --- | --- | --- | --- | --- |
| 4.4.4.4 | free | 2019-03-30T14:39:49Z |  | domain.org |  |  |
| 4.4.4.4 | free | 2020-05-09T03:39:28Z |  | domain.org |  |  |
| 4.4.4.4 | free | 2020-05-09T03:39:24Z |  | bensonwonghk.duckdns.org |  |  |

hyas-get-whois-records-by-indicator

Returns WHOIS records for the provided indicator value.

Base Command

hyas-get-whois-records-by-indicator

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_type | Indicator Type. Possible values are: domain, email, phone. | Required |
| indicator_value | Indicator value to query. | Required |
| limit | The maximum number of results to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| HYAS.WHOIS.address | Unknown | address |
| HYAS.WHOIS.city | Unknown | city |
| HYAS.WHOIS.country | Unknown | country |
| HYAS.WHOIS.domain | String | The domain of the registrant |
| HYAS.WHOIS.domain_2tld | String | The second-level domain of the registrant |
| HYAS.WHOIS.domain_created_datetime | Date | The date and time when the whois record was created |
| HYAS.WHOIS.domain_expires_datetime | Date | The date and time when the whois record expires |
| HYAS.WHOIS.domain_updated_datetime | Date | The date and time when the whois record was last updated |
| HYAS.WHOIS.email | Unknown | email |
| HYAS.WHOIS.idn_name | String | The international domain name |
| HYAS.WHOIS.nameserver | Unknown | nameserver |
| HYAS.WHOIS.phone.phone | String | The phone number registrant contact in e164 format |
| HYAS.WHOIS.phone.phone_info.carrier | String | Phone number carrier |
| HYAS.WHOIS.phone.phone_info.country | String | Phone number country |
| HYAS.WHOIS.phone.phone_info.geo | String | Phone number geo. Can be city, province, region or country |
| HYAS.WHOIS.privacy_punch | Boolean | True if this record has additional information bypassing privacy protect |
| HYAS.WHOIS.registrar | String | The domain registrar |

Command Example

!hyas-get-whois-records-by-indicator indicator_type="domain" indicator_value="domain.net" limit="3"

Context Example

{
  "HYAS": {
    "WHOIS": [
      {
        "address": [],
        "city": [
          "ha noi"
        ],
        "country": [],
        "domain": "domain.net",
        "domain_2tld": "None",
        "domain_created_datetime": "2015-05-22T00:00:00Z",
        "domain_expires_datetime": "2016-05-22T00:00:00Z",
        "domain_updated_datetime": "2017-06-14T19:06:36.577650Z",
        "email": [
          "ngoc.mycomputer@gmail.com"
        ],
        "idn_name": "None",
        "nameserver": [
          "ns2.inet.vn",
          "ns1.inet.vn"
        ],
        "phone": [
          {
            "phone": "+123456789123",
            "phone_info": {
              "carrier": "Viettel",
              "country": "Vietnam",
              "geo": "Vietnam"
            }
          }
        ],
        "privacy_punch": false,
        "registrar": "onlinenic, inc."
      },
      {
        "address": [],
        "city": [
          "hcm"
        ],
        "country": [
          "VN"
        ],
        "domain": "domain.net",
        "domain_2tld": "None",
        "domain_created_datetime": "2019-10-29T09:48:04Z",
        "domain_expires_datetime": "2020-10-29T09:48:04Z",
        "domain_updated_datetime": "2019-10-31T01:09:53.933724Z",
        "email": [
          "",
          "abuse-contact@publicdomainregistry.com"
        ],
        "idn_name": "None",
        "nameserver": [
          "viendong.mars.orderbox-dns.com",
          "viendong.venus.orderbox-dns.com",
          "viendong.earth.orderbox-dns.com",
          "viendong.mercury.orderbox-dns.com"
        ],
        "phone": [
          {
            "phone": "+84909095309",
            "phone_info": {
              "carrier": "MobiFone",
              "country": "Vietnam",
              "geo": "Vietnam"
            }
          }
        ],
        "privacy_punch": false,
        "registrar": "pdr ltd. d/b/a publicdomainregistry.comvien dong co., ltd."
      },
      {
        "address": [
          "32 duong 885 kp 5 tt ba tri",
          "vn"
        ],
        "city": [
          "hcm"
        ],
        "country": [
          "VN"
        ],
        "domain": "domain.net",
        "domain_2tld": "domain.net",
        "domain_created_datetime": "2019-10-29T09:48:04Z",
        "domain_expires_datetime": "2020-10-29T09:48:04Z",
        "domain_updated_datetime": "None",
        "email": [
          "",
          "dns@cloudflare.com"
        ],
        "idn_name": "None",
        "nameserver": [],
        "phone": [
          {
            "phone": "+84909095309",
            "phone_info": {
              "carrier": "MobiFone",
              "country": "Vietnam",
              "geo": "Vietnam"
            }
          }
        ],
        "privacy_punch": true,
        "registrar": "pdr ltd. d/b/a publicdomainregistry.com"
      }
    ]
  }
}

Human Readable Output

HYAS WHOIS records for domain : domain.net

| Address | City | Country | Domain | Domain_2tld | Domain Created Time | Domain Expires Time | Domain Updated Time | Email Address | IDN Name | Nameserver | Phone Info | Privacy_punch | Registrar |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|  | ha noi |  | domain.net | None | 2015-05-22T00:00:00Z | 2016-05-22T00:00:00Z | 2017-06-14T19:06:36.577650Z | ngoc.mycomputer@gmail.com | None | ns2.inet.vn, ns1.inet.vn | {'phone': '+123456789123', 'phone_info': {'carrier': 'Viettel', 'country': 'Vietnam', 'geo': 'Vietnam'}} | false | onlinenic, inc. |
|  | hcm | VN | domain.net | None | 2019-10-29T09:48:04Z | 2020-10-29T09:48:04Z | 2019-10-31T01:09:53.933724Z | "", abuse-contact@publicdomainregistry.com | None | viendong.mars.orderbox-dns.com, viendong.venus.orderbox-dns.com, viendong.earth.orderbox-dns.com, viendong.mercury.orderbox-dns.com | {'phone': '+84909095309', 'phone_info': {'carrier': 'MobiFone', 'country': 'Vietnam', 'geo': 'Vietnam'}} | false | pdr ltd. d/b/a publicdomainregistry.comvien dong co., ltd. |
| 32 duong 885 kp 5 tt ba tri, vn | hcm | VN | domain.net | domain.net | 2019-10-29T09:48:04Z | 2020-10-29T09:48:04Z | None | "", dns@cloudflare.com | None |  | {'phone': '+84909095309', 'phone_info': {'carrier': 'MobiFone', 'country': 'Vietnam', 'geo': 'Vietnam'}} | true | pdr ltd. d/b/a publicdomainregistry.com |
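
WHOIS fields are registrant-supplied, and the context above carries empty strings and the literal string "None", so values should be cleaned and validated before they are reused as `indicator_value` in follow-up queries. The following is an added example, not part of the HYAS integration; the function names and validation patterns are assumptions, and the sample records are constructed with placeholder values.

```python
import re

# Constructed sample in the shape of the WHOIS Context Example (placeholder values).
SAMPLE_CONTEXT = {"HYAS": {"WHOIS": [
    {"domain": "domain.net", "domain_2tld": "None", "idn_name": "None",
     "email": ["Registrant@example.com"], "nameserver": ["ns1.example.net"],
     "phone": [{"phone": "+123456789123", "phone_info": {"country": "Vietnam"}}],
     "privacy_punch": False},
    {"domain": "domain.net", "domain_2tld": "domain.net", "idn_name": "None",
     "email": ["", "registrant@example.com", 'bad"value@example.org'], "nameserver": [],
     "phone": [{"phone": "+123456789124", "phone_info": {"country": "Vietnam"}}],
     "privacy_punch": True},
]}}

# Only well-formed values become pivots; quotes are rejected so they cannot break a command.
VALID = {
    "email": re.compile(r"[^@\s\"']+@[^@\s\"']+\.[^@\s\"']+"),
    "phone": re.compile(r"\+[1-9]\d{6,14}"),  # E.164, as the phone field is documented
}


def clean(value):
    """Turn "" and the literal string "None" into None; clean lists and dicts recursively."""
    if isinstance(value, list):
        return [v for v in map(clean, value) if v is not None]
    if isinstance(value, dict):
        return {k: clean(v) for k, v in value.items()}
    if isinstance(value, str) and value.strip() in ("", "None"):
        return None
    return value


def whois_pivots(context):
    """Collect de-duplicated, validated email and phone pivots across WHOIS records."""
    pivots = {"email": [], "phone": []}
    for rec in clean(context.get("HYAS", {}).get("WHOIS", [])):
        candidates = [("email", e.lower()) for e in rec.get("email") or []]
        candidates += [("phone", p.get("phone") or "") for p in rec.get("phone") or []]
        for kind, value in candidates:
            if VALID[kind].fullmatch(value) and value not in pivots[kind]:
                pivots[kind].append(value)
    return pivots


def follow_up_commands(pivots, limit=10):
    """Build the War Room commands that pivot on each collected value."""
    return [f'!hyas-get-whois-records-by-indicator indicator_type="{kind}" '
            f'indicator_value="{value}" limit="{limit}"'
            for kind in ("email", "phone") for value in pivots[kind]]
```
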

hyas-get-whois-current-records-by-domain

Returns WHOIS Current records for the provided indicator value.

Base Command

hyas-get-whois-current-records-by-domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain value to query. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| HYAS.WHOISCurrent.abuse_emails | Unknown | abuse emails |
| HYAS.WHOISCurrent.address | Unknown | address |
| HYAS.WHOISCurrent.city | Unknown | city |
| HYAS.WHOISCurrent.country | Unknown | country |
| HYAS.WHOISCurrent.domain | String | The domain of the registrant |
| HYAS.WHOISCurrent.domain_2tld | String | The second-level domain of the registrant |
| HYAS.WHOISCurrent.domain_created_datetime | Date | The date and time when the whois record was created |
| HYAS.WHOISCurrent.domain_expires_datetime | Date | The date and time when the whois record expires |
| HYAS.WHOISCurrent.domain_updated_datetime | Date | The date and time when the whois record was last updated |
| HYAS.WHOISCurrent.email | Unknown | email |
| HYAS.WHOISCurrent.idn_name | String | The international domain name |
| HYAS.WHOISCurrent.nameserver | Unknown | nameserver |
| HYAS.WHOISCurrent.organization | Unknown | organization |
| HYAS.WHOISCurrent.phone | Unknown | The phone number |
| HYAS.WHOISCurrent.registrar | String | The domain registrar |
| HYAS.WHOISCurrent.state | Unknown | The state |

Command Example

!hyas-get-whois-current-records-by-domain domain="www.hyas.com"

Context Example

{
  "HYAS": {
    "WHOISCurrent": {
      "abuse_emails": [
        ""
      ],
      "address": [],
      "city": [],
      "country": [
        "Canada"
      ],
      "domain": "hyas.com",
      "domain_2tld": "hyas.com",
      "domain_created_datetime": "2001-05-01T23:42:14",
      "domain_expires_datetime": "2026-05-01T23:42:14",
      "domain_updated_datetime": "2020-06-30T15:43:39",
      "email": [],
      "idn_name": "None",
      "nameserver": [
        "n1.domaincontrol.com",
        "n2.domaincontrol.com"
      ],
      "organization": [
        "HYAS Infosec Inc."
      ],
      "phone": [],
      "registrar": "GoDaddy.com, LLC",
      "state": [
        "British Columbia"
      ]
    }
  }
}

Human Readable Output

HYAS WHOISCurrent records for domain : www.hyas.com

| Abuse Emails | Address | City | Country | Domain | Domain_2tld | Domain Created Time | Domain Expires Time | Domain Updated Time | Email Address | IDN Name | Nameserver | Organization | Phone Info | Registrar | State |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|  |  |  | Canada | hyas.com | hyas.com | 2001-05-01T23:42:14 | 2026-05-01T23:42:14 | 2020-06-30T15:43:39 |  | None | n1.domaincontrol.com, n2.domaincontrol.com | HYAS Infosec Inc. |  | GoDaddy.com, LLC | British Columbia |

hyas-get-malware-samples-records-by-indicator

Returns Malware Sample records for the provided indicator value.

Base Command

hyas-get-malware-samples-records-by-indicator

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_type | Indicator Type. Possible values are: domain, ipv4, md5. | Required |
| indicator_value | Indicator value to query. | Required |
| limit | The maximum number of results to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| HYAS.MalwareSamples.datetime | Date | The date which the sample was processed |
| HYAS.MalwareSamples.domain | String | The domain of the sample |
| HYAS.MalwareSamples.ipv4 | String | The ipv4 of the sample |
| HYAS.MalwareSamples.ipv6 | String | The ipv6 of the sample |
| HYAS.MalwareSamples.md5 | String | The md5 of the sample |
| HYAS.MalwareSamples.sha1 | String | The sha1 of the sample |
| HYAS.MalwareSamples.sha256 | String | The sha256 of the sample |

Command Example

!hyas-get-malware-samples-records-by-indicator indicator_type="domain" indicator_value="butterfly.bigmoney.biz" limit="3"

Context Example

{
  "HYAS": {
    "MalwareSamples": [
      {
        "datetime": "2021-06-03",
        "domain": "butterfly.bigmoney.biz",
        "ipv4": "",
        "ipv6": null,
        "md5": "f8e537c178999f4ab1609576c6f5751e",
        "sha1": null,
        "sha256": null
      },
      {
        "datetime": "2021-05-18",
        "domain": "butterfly.bigmoney.biz",
        "ipv4": "",
        "ipv6": null,
        "md5": "5fb3ee62c7bd0d801d76e272f51fe137",
        "sha1": null,
        "sha256": null
      },
      {
        "datetime": "2021-05-18",
        "domain": "butterfly.bigmoney.biz",
        "ipv4": "",
        "ipv6": null,
        "md5": "a20473e3a24c52ac3d89d7489b500189",
        "sha1": null,
        "sha256": null
      }
    ]
  }
}

Human Readable Output

HYAS MalwareSamples records for domain : butterfly.bigmoney.biz

| Datetime | Domain | IPV4 Address | IPV6 Address | MD5 Value | SHA1 Value | SHA256 Value |
| --- | --- | --- | --- | --- | --- | --- |
| 2021-06-03 | butterfly.bigmoney.biz |  | None | f8e537c178999f4ab1609576c6f5751e | None | None |
| 2021-05-18 | butterfly.bigmoney.biz |  | None | 5fb3ee62c7bd0d801d76e272f51fe137 | None | None |
| 2021-05-18 | butterfly.bigmoney.biz |  | None | a20473e3a24c52ac3d89d7489b500189 | None | None |

hyas-get-associated-ips-by-hash

Returns associated IPs for the provided hash value.

Base Command

hyas-get-associated-ips-by-hash

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| md5 | The md5 value to query. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| HYAS.HASH-IP.md5 | String | The provided MD5 value |
| HYAS.HASH-IP.ips | String | Associated IPs for the provided MD5 value |

Command Example

!hyas-get-associated-ips-by-hash md5="1d0a97c41afe5540edd0a8c1fb9a0f2d"

Context Example

{
  "HYAS": {
    "HASH-IP": {
      "ips": [
        "106.187.43.98"
      ],
      "md5": "1d0a97c41afe5540edd0a8c1fb9a0f2d"
    }
  }
}

Human Readable Output

HYAS HASH-IP records for md5 : 1d0a97c41afe5540edd0a8c1fb9a0f2d

Associated IPs
106.187.43.98

hyas-get-associated-domains-by-hash

Returns associated domains for the provided hash value.

Base Command

hyas-get-associated-domains-by-hash

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| md5 | The md5 value to query. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| HYAS.HASH-DOMAIN.domains | String | Associated Domains for the provided MD5 value |
| HYAS.HASH-DOMAIN.md5 | String | The provided MD5 value |

Command Example

!hyas-get-associated-domains-by-hash md5="1d0a97c41afe5540edd0a8c1fb9a0f2d"

Context Example

{
  "HYAS": {
    "HASH-DOMAIN": {
      "domains": [
        "domain.es",
        "qwertasdfg.sinip.es",
        "butterfly.bigmoney.biz"
      ],
      "md5": "1d0a97c41afe5540edd0a8c1fb9a0f2d"
    }
  }
}

Human Readable Output

HYAS HASH-DOMAIN records for md5 : 1d0a97c41afe5540edd0a8c1fb9a0f2d

Associated Domains
domain.es
qwertasdfg.sinip.es
butterfly.bigmoney.biz