iDefense (Deprecated)
Deprecated
Use the iDefense v2 integration instead.
Use the iDefense integration to look up the reputation of IP addresses, domains, and URLs in the iDefense threat intelligence platform and to pull threat indicators from the iDefense database.
Configure iDefense on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for iDefense.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- URL : the base URL of the iDefense API server.
- API Token : the API token issued for your iDefense account; treat it as a credential.
- Trust any certificate (not secure) : disables TLS certificate validation for the iDefense URL. Leave it unchecked unless the server presents a certificate your Demisto host cannot verify and you accept the risk of interception.
- Use system proxy settings : route requests through the proxy configured on the Demisto server.
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Check IP address: ip
- Check a domain: domain
- Check a URL: url
- Get threats from the iDefense database: idefense-general
- Get the reputation of an indicator: uuid
1. Check an IP address
Checks the reputation of an IP address.
Base Command
ip
Input
Argument Name | Description | Required |
---|---|---|
ip | The IP address to check. | Required |
Context Output
Path | Type | Description |
---|---|---|
IP.Address | unknown | The address of the bad IP. |
IP.Malicious.Vendor | unknown | For malicious IPs, the name of the vendor that made the decision. |
IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
DBotScore.Indicator | unknown | The indicator that was tested. |
DBotScore.Type | unknown | The type of indicator. |
DBotScore.Vendor | unknown | The vendor used to calculate the score. |
DBotScore.Score | unknown | The actual score. |
Command Example
!ip ip=256.256.256.256 using=iDefense_instance_1
Context Example
{ "IP": [ { "Malicious": { "Vendor": "iDefense", "Description": "last seen as MALWARE_C2" }, "Address": "256.256.256.256" } ], "DBotScore": [ { "Vendor": "iDefense", "Indicator": "256.256.256.256", "Score": 2, "Type": "ip" } ] }
Human Readable Output
iDefense IP Reputation
Dbot Reputation | Name | Threat Types | confidence |
---|---|---|---|
Suspicious | 256.256.256.256 | Cyber Espionage | 50 |
2. Check a domain
Checks the reputation of a domain.
Base Command
domain
Input
Argument Name | Description | Required |
---|---|---|
domain | The name of the domain to check. | Required |
Context Output
Path | Type | Description |
---|---|---|
Domain.Name | unknown | The name of the bad domain. |
Domain.Malicious.Vendor | unknown | For malicious domains, the name of the vendor that made the decision. |
Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
DBotScore.Indicator | unknown | The indicator that was tested. |
DBotScore.Type | unknown | The type of the indicator. |
DBotScore.Vendor | unknown | The vendor used to calculate the score. |
DBotScore.Score | unknown | The actual score. |
Command Example
!domain domain=example.com using=iDefense_instance_1
Context Example
{ "Domain": [ { "Malicious": { "Vendor": "iDefense", "Description": "last seen as MALWARE_DOWNLOAD" }, "Name": "example.com" } ], "DBotScore": [ { "Vendor": "iDefense", "Indicator": "example.com", "Score": 2, "Type": "domain" } ] }
Human Readable Output
iDefense Domain Reputation
Dbot Reputation | Name | Threat Types | confidence |
---|---|---|---|
Suspicious | example.com | Cyber Espionage | |
3. Check a URL
Checks the reputation of a URL.
Base Command
url
Input
Argument Name | Description | Required |
---|---|---|
url | The URL to check (must start with http://). | Required |
Context Output
Path | Type | Description |
---|---|---|
URL.Data | unknown | The bad URL. |
URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
DBotScore.Indicator | unknown | The indicator that was tested. |
DBotScore.Type | unknown | The type of indicator. |
DBotScore.Vendor | unknown | The vendor used to calculate the score. |
DBotScore.Score | unknown | The actual score. |
Command Example
!url url=http://example.com using=iDefense_instance_1
Context Example
{ "URL": [ { "Malicious": { "Vendor": "iDefense", "Description": "last seen as MALWARE_C2" }, "Data": "http://example.com" } ], "DBotScore": [ { "Vendor": "iDefense", "Indicator": "http://example.com", "Score": 2, "Type": "url" } ] }
Human Readable Output
iDefense URL Reputation
Dbot Reputation | Name | Threat Types | confidence |
---|---|---|---|
Suspicious | http://example.com | Cyber Crime | 50 |
4. Get threats from the iDefense database
Returns threat indicators (IP addresses, domains, and URLs) from the iDefense database, up to max_result entries.
Base Command
idefense-general
Input
Argument Name | Description | Required |
---|---|---|
max_result | The maximum number of results to return. | Optional |
Context Output
Path | Type | Description |
---|---|---|
IP.Address | unknown | The bad IP address. |
IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. |
IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
Domain.Name | unknown | The name of the bad domain. |
Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
URL.Data | unknown | The bad URL found. |
URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
DBotScore.Indicator | unknown | The indicator that was tested. |
DBotScore.Type | unknown | The type of indicator. |
DBotScore.Vendor | unknown | The vendor used to calculate the score. |
DBotScore.Score | unknown | The actual score. |
Command Example
!idefense-general max_result=1
Context Example
{ "URL": [ { "Malicious": { "Vendor": "iDefense", "Description": "last seen as MALWARE_DOWNLOAD" }, "Data": "http://example.com/malicious_file.exe" } ], "DBotScore": [ { "Vendor": "iDefense", "Indicator": "http://example.com/suspicious_file.exe", "Score": 2, "Type": "url" } ] }
Human Readable Output
iDefense Reputations
Dbot Reputation | Name | Threat Types | confidence |
---|---|---|---|
Malicious | http://example.com/malicious_file.exe | Cyber Crime | 100 |
Suspicious | http://example.com/suspicious_file.exe | Cyber Crime | 50 |
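As an added example (not code from the iDefense integration or from this page), the Python below builds the context that the ip, domain and url commands return, produces a War Room table row in the same column layout, and merges several results the way idefense-general does; the uuid command returns the same shape for a single indicator. The vendor record fields (confidence, threat_types, last_seen_as), the confidence thresholds (50 -> Suspicious, 100 -> Malicious) read off the sample tables, and the sample indicators are assumptions or constructed data, not the real iDefense API schema.

```python
"""Added example (not the iDefense integration's own code): build the Demisto
context and War Room table that the ip/domain/url commands produce, and group
several results the way idefense-general does. The vendor record fields
(confidence, threat_types, last_seen_as) and the confidence-to-score thresholds
are assumptions inferred from the page's sample output, not the real API schema."""
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

VENDOR = "iDefense"
SCORE_LABEL = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Malicious"}
# Context root and value field per indicator type, as listed on the page.
CONTEXT_KEYS = {"ip": ("IP", "Address"), "domain": ("Domain", "Name"), "url": ("URL", "Data")}

Record = Optional[Dict[str, Any]]

# Constructed sample data standing in for API responses (assumed field names).
SAMPLE_RECORDS: Dict[Tuple[str, str], Record] = {
    ("url", "http://example.com/malicious_file.exe"): {
        "confidence": 100, "threat_types": ["Cyber Crime"], "last_seen_as": "MALWARE_DOWNLOAD"},
    ("ip", "203.0.113.10"): {
        "confidence": 50, "threat_types": ["Cyber Espionage"], "last_seen_as": "MALWARE_C2"},
    ("domain", "example.net"): {"confidence": 20, "threat_types": [], "last_seen_as": None},
}


def validate_indicator(ind_type: str, value: str) -> None:
    """Reject input the command cannot look up before any API call is made."""
    if ind_type == "ip":
        ipaddress.ip_address(value)  # ValueError for e.g. 256.256.256.256 (octets above 255)
    elif ind_type == "url":
        # The page requires http://; accepting https:// as well is an assumption.
        if not value.startswith(("http://", "https://")):
            raise ValueError(f"URL must start with http:// or https://: {value!r}")
    elif ind_type == "domain":
        if not value or any(ch in value for ch in "/ :"):
            raise ValueError(f"not a bare domain name: {value!r}")
    else:
        raise ValueError(f"unsupported indicator type: {ind_type!r}")


def is_valid_indicator(ind_type: str, value: str) -> bool:
    try:
        validate_indicator(ind_type, value)
        return True
    except ValueError:
        return False


def dbot_score(record: Record) -> int:
    """Map vendor confidence to a DBotScore: 0 Unknown, 1 Good, 2 Suspicious, 3 Malicious.
    Thresholds (50 -> Suspicious, 100 -> Malicious) are read off the page's sample rows."""
    if record is None:
        return 0
    confidence = int(record.get("confidence", 0))
    return 3 if confidence >= 100 else 2 if confidence >= 50 else 1


def build_context(ind_type: str, value: str, record: Record) -> Dict[str, List[Dict[str, Any]]]:
    """Context for one indicator: an IP/Domain/URL entry plus a DBotScore entry."""
    validate_indicator(ind_type, value)
    score = dbot_score(record)
    root, field = CONTEXT_KEYS[ind_type]
    entry: Dict[str, Any] = {field: value}
    # The page's samples attach Malicious.Vendor/Description from Suspicious upwards.
    if score >= 2 and record and record.get("last_seen_as"):
        entry["Malicious"] = {"Vendor": VENDOR, "Description": f"last seen as {record['last_seen_as']}"}
    return {
        root: [entry],
        "DBotScore": [{"Indicator": value, "Type": ind_type, "Vendor": VENDOR, "Score": score}],
    }


def general_context(found: Dict[Tuple[str, str], Record],
                    max_result: Optional[int] = None) -> Dict[str, List[Dict[str, Any]]]:
    """idefense-general style context: results of every type grouped under their roots,
    one DBotScore entry per result, truncated to max_result before anything is built."""
    merged: Dict[str, List[Dict[str, Any]]] = {}
    for (ind_type, value), record in list(found.items())[:max_result]:
        for key, entries in build_context(ind_type, value, record).items():
            merged.setdefault(key, []).extend(entries)
    return merged


def table_row(ind_type: str, value: str, record: Record) -> str:
    """One row of the 'Dbot Reputation | Name | Threat Types | confidence' table."""
    label = SCORE_LABEL[dbot_score(record)]
    threats = ", ".join(record.get("threat_types", [])) if record else ""
    confidence = record.get("confidence", "") if record else ""
    return f"{label} | {value} | {threats} | {confidence}"


if __name__ == "__main__":
    print("Dbot Reputation | Name | Threat Types | confidence\n---|---|---|---")
    for (t, v), rec in SAMPLE_RECORDS.items():
        print(table_row(t, v, rec))
    print(general_context(SAMPLE_RECORDS, max_result=1))
```

Running the script prints a table in the page's column layout and the context for max_result=1. Two points worth noting: validation rejects 256.256.256.256 locally, since its octets exceed 255, so no lookup is ever sent for it; and max_result is applied before the context is assembled, so a single-result query yields exactly one DBotScore entry.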
5. Get the reputation of an indicator
Returns the reputation of a specific indicator.
Base Command
uuid
Input
Argument Name | Description | Required |
---|---|---|
uuid | The unique ID (UUID) of the indicator in iDefense. | Required |
Context Output
Path | Type | Description |
---|---|---|
IP.Address | unknown | The bad IP address. |
IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. |
IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
Domain.Name | unknown | The name of the bad domain. |
Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
URL.Data | unknown | The bad URL. |
URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
DBotScore.Indicator | unknown | The indicator that was tested. |
DBotScore.Type | unknown | The type of indicator. |
DBotScore.Vendor | unknown | The vendor used to calculate the score. |
DBotScore.Score | unknown | The actual score. |
Command Example
!uuid uuid=44a7d565-a260-9oc6-b7f4-2368dc3a4a67 using=iDefense_instance_1
Context Example
{ "Domain": [ { "Malicious": { "Vendor": "iDefense", "Description": "last seen as MALWARE_C2" }, "Name": "example.com" } ], "DBotScore": [ { "Vendor": "iDefense", "Indicator": "example.com", "Score": 2, "Type": "domain" } ] }
Human Readable Output
iDefense Reputations
Dbot Reputation | Name | Threat Types | confidence |
---|---|---|---|
Suspicious | example.com | Cyber Espionage | |