HYAS Insight
HYAS Insight Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
#
HYAS InsightHYAS Insight is a threat investigation and attribution solution that uses exclusive data sources and non-traditional mechanisms to improve visibility and productivity for analysts, researchers, and investigators while increasing the accuracy of findings. HYAS Insight connects attack instances and campaigns to billions of indicators of compromise to deliver insights and visibility. With an easy-to-use user interface, transforms, and API access, HYAS Insight combines rich threat data into a powerful research and attribution solution. HYAS Insight is complemented by the HYAS Intelligence team that helps organizations to better understand the nature of the threats they face on a daily basis.
Use the HYAS Insight integration to interactively lookup PassiveDNS, DynamicDNS, WHOIS, Malware and C2 Attribution Information.
#
How to get a HYAS API KeyIn order to obtain a HYAS Insight API key to use with Cortex XSOAR, please contact your HYAS Insight Admin. If you are unsure who your Admin is, you can also contact HYAS Support via email at support@hyas.com, by visiting the HYAS website https://www.hyas.com/contact, or by using the HYAS Insight web UI by clicking the ‘help’ icon at the top right of the screen, to request a key.
#
Partner Contributed Integration#
Integration Author: HYASSupport and maintenance for this integration are provided by the author. Please use the following contact details: Email: support@hyas.com URL: https://www.hyas.com/contact
#
Configure HYAS Insight on Cortex XSOARNavigate to Settings > Integrations > Servers & Services.
Search for HYAS Insight.
Click Add instance to create and configure a new integration instance.
Parameter Required HYAS Insight Api Key True Trust any certificate (not secure) False Use system proxy settings False Click Test to validate the URLs, token, and connection.
#
CommandsYou can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
hyas-get-passive-dns-records-by-indicatorReturns PassiveDNS records for the provided indicator value.
#
Base Commandhyas-get-passive-dns-records-by-indicator
#
InputArgument Name | Description | Required |
---|---|---|
indicator_type | Indicator Type. Possible values are: ipv4, domain. | Required |
indicator_value | Indicator value to query. | Required |
limit | The maximum number of results to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
HYAS.PassiveDNS.count | Number | The passive dns count |
HYAS.PassiveDNS.domain | String | The domain of the passive dns information requested |
HYAS.PassiveDNS.first_seen | Date | The first time this domain was seen |
HYAS.PassiveDNS.ip.geo.city_name | String | City of the ip organization |
HYAS.PassiveDNS.ip.geo.country_iso_code | String | Country ISO code of the ip organization |
HYAS.PassiveDNS.ip.geo.country_name | String | Country name of the ip organization |
HYAS.PassiveDNS.ip.geo.location_latitude | Number | The latitude of the ip organization |
HYAS.PassiveDNS.ip.geo.location_longitude | Number | The longitude of the ip organization |
HYAS.PassiveDNS.ip.geo.postal_code | String | The longitude of the ip organization |
HYAS.PassiveDNS.ip.ip | String | IP of the organization |
HYAS.PassiveDNS.ip.isp.autonomous_system_number | String | The ASN of the ip |
HYAS.PassiveDNS.ip.isp.autonomous_system_organization | String | The ASO of the ip |
HYAS.PassiveDNS.ip.isp.ip_address | String | The IP |
HYAS.PassiveDNS.ip.isp.isp | String | The Internet Service Provider |
HYAS.PassiveDNS.ip.isp.organization | String | The ISP organization |
HYAS.PassiveDNS.ipv4 | String | The ipv4 address of the passive dns record |
HYAS.PassiveDNS.last_seen | Date | The last time this domain was seen |
HYAS.PassiveDNS.sources | Unknown | A list of pDNS providers which the data came from |
#
Command Example!hyas-get-passive-dns-records-by-indicator indicator_type="domain" indicator_value="domain.org" limit="3"
#
Context Example#
Human Readable Output#
HYAS PassiveDNS records for domain : domain.org
Count Domain First seen City Name Country Code Country Name Latitude Longitude Postal Code IP ISP ASN ISP ASN Organization ISP IP Address ISP ISP Organization IPV4 Last Seen Sources 273983 domain.org 2015-06-08T19:16:18Z Boston US United States 42.3584 -71.0598 02108 65.254.244.180 AS29873 Newfold Digital, Inc. 65.254.244.180 Newfold Digital, Inc. Newfold Digital, Inc. 65.254.244.180 2021-11-08T22:39:59Z farsight 62645 domain.org 2010-07-13T17:29:58Z Tukwila US United States 47.4740 -122.2610 98178 216.34.94.184 AS3561 CenturyLink Communications, LLC 216.34.94.184 Dotster, Inc. Dotster, Inc. 216.34.94.184 2015-06-08T17:50:06Z farsight 1 biszhu.com.domain.org 2017-09-05T00:00:00Z Boston US United States 42.3584 -71.0598 02108 65.254.244.180 AS29873 Newfold Digital, Inc. 65.254.244.180 Newfold Digital, Inc. Newfold Digital, Inc. 65.254.244.180 2017-09-05T00:00:00Z zetalytics
#
hyas-get-dynamic-dns-records-by-indicatorReturns DynamicDNS records for the provided indicator value.
#
Base Commandhyas-get-dynamic-dns-records-by-indicator
#
InputArgument Name | Description | Required |
---|---|---|
indicator_type | Indicator Type. Possible values are: ip, domain, email. | Required |
indicator_value | Indicator value to query. | Required |
limit | The maximum number of results to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
HYAS.DynamicDNS.a_record | String | The A record for the domain |
HYAS.DynamicDNS.account | String | The account holder name |
HYAS.DynamicDNS.created | Date | The date which the domain was created |
HYAS.DynamicDNS.created_ip | String | The ip address of the account holder |
HYAS.DynamicDNS.domain | String | The domain associated with the dynamic dns information |
HYAS.DynamicDNS.domain_creator_ip | String | The ip address of the domain creator |
HYAS.DynamicDNS.email | String | The email address connected to the domain |
#
Command Example!hyas-get-dynamic-dns-records-by-indicator indicator_type="ip" indicator_value="4.4.4.4" limit="3"
#
Context Example#
Human Readable Output#
HYAS DynamicDNS records for ip : 4.4.4.4
A Record Account Created Date Account Holder IP Address Domain Domain Creator IP Address Email Address 4.4.4.4 free 2019-03-30T14:39:49Z 78.191.27.210 seyir.duckdns.org 78.191.25.0 halbayrak75@gmail.com 4.4.4.4 free 2020-05-09T03:39:28Z 42.3.24.108 tempoary.duckdns.org 42.3.24.36 benson877204@gmail.com 4.4.4.4 free 2020-05-09T03:39:24Z 42.3.24.108 bensonwonghk.duckdns.org 42.3.24.108 benson877204@gmail.com
#
hyas-get-whois-records-by-indicatorReturns WHOIS records for the provided indicator value.
#
Base Commandhyas-get-whois-records-by-indicator
#
InputArgument Name | Description | Required |
---|---|---|
indicator_type | Indicator Type. Possible values are: domain, email, phone. | Required |
indicator_value | Indicator value to query. | Required |
limit | The maximum number of results to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
HYAS.WHOIS.address | Unknown | address |
HYAS.WHOIS.city | Unknown | city |
HYAS.WHOIS.country | Unknown | country |
HYAS.WHOIS.domain | String | The domain of the registrant |
HYAS.WHOIS.domain_2tld | String | The second-level domain of the registrant |
HYAS.WHOIS.domain_created_datetime | Date | The date and time when the whois record was created |
HYAS.WHOIS.domain_expires_datetime | Date | The date and time when the whois record expires |
HYAS.WHOIS.domain_updated_datetime | Date | The date and time when the whois record was last updated |
HYAS.WHOIS.email | Unknown | |
HYAS.WHOIS.idn_name | String | The international domain name |
HYAS.WHOIS.nameserver | Unknown | nameserver |
HYAS.WHOIS.phone.phone | String | The phone number registrant contact in e164 format |
HYAS.WHOIS.phone.phone_info.carrier | String | Phone number carrier |
HYAS.WHOIS.phone.phone_info.country | String | Phone number country |
HYAS.WHOIS.phone.phone_info.geo | String | Phone number geo. Can be city, province, region or country |
HYAS.WHOIS.privacy_punch | Boolean | True if this record has additional information bypassing privacy protect |
HYAS.WHOIS.registrar | String | The domain registrar |
#
Command Example!hyas-get-whois-records-by-indicator indicator_type="domain" indicator_value="dulieuonline.net" limit="3"
#
Context Example#
Human Readable Output#
HYAS WHOIS records for domain : dulieuonline.net
Address City Country Domain Domain_2tld Domain Created Time Domain Expires Time Domain Updated Time Email Address IDN Name Nameserver Phone Info Privacy_punch Registrar 32 duong 885 kp 5 tt ba tri,
vnhcm VN dulieuonline.net dulieuonline.net 2019-10-29T09:48:04Z 2020-10-29T09:48:04Z None viendongonline@gmail.com,
dns@cloudflare.comNone {'phone': '+84909095309', 'phone_info': {'carrier': 'MobiFone', 'country': 'Vietnam', 'geo': 'Vietnam'}} true pdr ltd. d/b/a publicdomainregistry.com hcm VN dulieuonline.net None 2019-10-29T09:48:04Z 2020-10-29T09:48:04Z 2019-10-30T06:23:09.543083Z viendongonline@gmail.com,
hostmaster@dulieuonline.netNone {'phone': '+84909095309', 'phone_info': {'carrier': 'MobiFone', 'country': 'Vietnam', 'geo': 'Vietnam'}} true pdrltd.d/b/apublicdomainregistry.com hcm VN dulieuonline.net None 2019-10-29T09:48:04Z 2020-10-29T09:48:04Z 2019-10-31T09:04:17.873274Z viendongonline@gmail.com None viendong.mars.orderbox-dns.com,
viendong.venus.orderbox-dns.com,
viendong.mercury.orderbox-dns.com,
viendong.earth.orderbox-dns.com{'phone': '+84909095309', 'phone_info': {'carrier': 'MobiFone', 'country': 'Vietnam', 'geo': 'Vietnam'}} false pdr ltd. d/b/a publicdomainregistry.com
#
hyas-get-whois-current-records-by-domainReturns WHOIS Current records for the provided indicator value.
#
Base Commandhyas-get-whois-current-records-by-domain
#
InputArgument Name | Description | Required |
---|---|---|
domain | Domain value to query. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
HYAS.WHOISCurrent.abuse_emails | Unknown | abuse emails |
HYAS.WHOISCurrent.address | Unknown | address |
HYAS.WHOISCurrent.city | Unknown | city |
HYAS.WHOISCurrent.country | Unknown | country |
HYAS.WHOISCurrent.domain | String | The domain of the registrant |
HYAS.WHOISCurrent.domain_2tld | String | The second-level domain of the registrant |
HYAS.WHOISCurrent.domain_created_datetime | Date | The date and time when the whois record was created |
HYAS.WHOISCurrent.domain_expires_datetime | Date | The date and time when the whois record expires |
HYAS.WHOISCurrent.domain_updated_datetime | Date | The date and time when the whois record was last updated |
HYAS.WHOISCurrent.email | Unknown | |
HYAS.WHOISCurrent.idn_name | String | The international domain name |
HYAS.WHOISCurrent.nameserver | Unknown | nameserver |
HYAS.WHOISCurrent.organization | Unknown | organization |
HYAS.WHOISCurrent.phone | Unknown | The phone number |
HYAS.WHOISCurrent.registrar | String | The domain registrar |
HYAS.WHOISCurrent.state | Unknown | The state |
#
Command Example!hyas-get-whois-current-records-by-domain domain="www.hyas.com"
#
Context Example#
Human Readable Outputwww.hyas.com#
HYAS WHOISCurrent records for domain :
Abuse Emails Country Domain Domain_2tld Domain Created Time Domain Expires Time Domain Updated Time IDN Name Nameserver Organization Registrar State abuse@godaddy.com Canada hyas.com hyas.com 2001-05-01T23:42:14 2026-05-01T23:42:14 2020-06-30T22:43:34 146 ns09.domaincontrol.com,
ns10.domaincontrol.comHYAS Infosec Inc. GoDaddy.com, LLC British Columbia
#
hyas-get-malware-samples-records-by-indicatorReturns Malware Sample records for the provided indicator value.
#
Base Commandhyas-get-malware-samples-records-by-indicator
#
InputArgument Name | Description | Required |
---|---|---|
indicator_type | Indicator Type. Possible values are: domain, ipv4, md5. | Required |
indicator_value | Indicator value to query. | Required |
limit | The maximum number of results to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
HYAS.MalwareSamples.datetime | Date | The date which the sample was processed |
HYAS.MalwareSamples.domain | String | The domain of the sample |
HYAS.MalwareSamples.ipv4 | String | The ipv4 of the sample |
HYAS.MalwareSamples.ipv6 | String | The ipv6 of the sample |
HYAS.MalwareSamples.md5 | String | The md5 of the sample |
HYAS.MalwareSamples.sha1 | String | The sha1 of the sample |
HYAS.MalwareSamples.sha256 | String | The sha256 of the sample |
#
Command Example!hyas-get-malware-samples-records-by-indicator indicator_type="domain" indicator_value="butterfly.bigmoney.biz" limit="3"
#
Context Example#
Human Readable Output#
HYAS MalwareSamples records for domain : butterfly.bigmoney.biz
Datetime Domain IPV4 Address IPV6 Address MD5 Value SHA1 Value SHA256 Value 2021-11-06 butterfly.bigmoney.biz 106.187.43.98 None d3a107934774f288481a66d6a4c6b3f3 None None 2021-11-06 butterfly.bigmoney.biz 106.187.43.98 None af73babf3276037b2d662fda0e3e40b3 None None 2021-11-02 butterfly.bigmoney.biz 106.187.43.98 None 70d72fcb14219b3c4649b9b7cc14afa0 None None
#
hyas-get-associated-ips-by-hashReturns associated IP's for the provided hash value.
#
Base Commandhyas-get-associated-ips-by-hash
#
InputArgument Name | Description | Required |
---|---|---|
md5 | The md5 value to query. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
HYAS.HASH-IP.md5 | String | The provided MD5 value |
HYAS.HASH-IP.ips | Unknown | Associated IPS for the provided MD5 value |
#
Command Example!hyas-get-associated-ips-by-hash md5="1d0a97c41afe5540edd0a8c1fb9a0f1c"
#
Context Example#
Human Readable Output#
HYAS HASH-IP records for md5 : 1d0a97c41afe5540edd0a8c1fb9a0f1c
Associated IPs 106.187.43.98
#
hyas-get-associated-domains-by-hashReturns associated Domain's for the provided hash value.
#
Base Commandhyas-get-associated-domains-by-hash
#
InputArgument Name | Description | Required |
---|---|---|
md5 | The md5 value to query. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
HYAS.HASH-DOMAIN.domains | Unknown | Associated Domains for the provided MD5 value |
HYAS.HASH-DOMAIN.md5 | String | The provided MD5 value |
#
Command Example!hyas-get-associated-domains-by-hash md5="1d0a97c41afe5540edd0a8c1fb9a0f1c"
#
Context Example#
Human Readable Output#
HYAS HASH-DOMAIN records for md5 : 1d0a97c41afe5540edd0a8c1fb9a0f1c
Associated Domains butterfly.sinip.es qwertasdfg.sinip.es butterfly.bigmoney.biz
#
hyas-get-c2attribution-records-by-indicatorReturn C2 Attribution records for the provided indicator value.
#
Base Commandhyas-get-c2attribution-records-by-indicator
#
InputArgument Name | Description | Required |
---|---|---|
indicator_type | Indicator Type. Possible values are: ip, domain, sha256, email. | Required |
indicator_value | Indicator Value. | Required |
limit | The maximum number of results to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
HYAS.C2_Attribution.actor_ipv4 | String | The actor ipv4 |
HYAS.C2_Attribution.c2_domain | String | The c2 domain |
HYAS.C2_Attribution.c2_ip | String | The c2 ip |
HYAS.C2_Attribution.c2_url | String | The C2 panel url |
HYAS.C2_Attribution.datetime | String | C2 Attribution datetime |
HYAS.C2_Attribution.email | String | The actor email |
HYAS.C2_Attribution.email_domain | String | The email domain |
HYAS.C2_Attribution.referrer_domain | String | The referrer domain |
HYAS.C2_Attribution.referrer_ipv4 | String | The referrer ipv4 |
HYAS.C2_Attribution.referrer_url | String | The referrer url |
HYAS.C2_Attribution.sha256 | String | The sha256 malware hash |
#
Command Example!hyas-get-c2attribution-records-by-indicator indicator_type=domain indicator_value=himionsa.com limit=3
#
Context Example#
Human Readable Output#
HYAS C2_Attribution records for domain : himionsa.com
Actor IPv4 C2 Domain C2 IP C2 URL Datetime Email Domain Referrer Domain Referrer IPv4 Referrer URL SHA256 197.210.53.224 himionsa.com 89.208.229.55 http://himionsa.com/rich/panel/pvqdq929bsx_a_d_m1n_a.php?mazm=report 2020-02-21T10:16:06Z None None None None None None 197.210.84.26 himionsa.com 89.208.229.55 http://himionsa.com/rich/panel/pvqdq929bsx_a_d_m1n_a.php?mazm=report 2020-02-20T13:08:36Z None None None None None None 197.210.53.79 himionsa.com 89.208.229.55 http://himionsa.com/rich/panel/pvqdq929bsx_a_d_m1n_a.php?mazm=report 2020-02-21T09:03:46Z None None None None None None