iDefense (Deprecated)
This integration is part of the Accenture CTI (Deprecated) Pack.
Deprecated
Use the iDefense v2 integration instead.
Use the iDefense integration to manage cyber threats and security issues in the iDefense security platform.
Configure iDefense on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for iDefense.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- URL
- API Token
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Check IP address: ip
- Check a domain: domain
- Check a URL: url
- Get threats from the iDefense database: idefense-general
- Get the reputation of an indicator: uuid
1. Check an IP address
Checks the reputation of an IP address.
Base Command
ip
Input
| Argument Name | Description | Required |
|---|---|---|
| ip | The IP address to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| IP.Address | unknown | The address of the bad IP. |
| IP.Malicious.Vendor | unknown | For malicious IPs, the name of the vendor that made the decision. |
| IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The type of indicator. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
Command Example
!ip ip=256.256.256.256 using=iDefense_instance_1
Context Example
```json
{
    "IP": [
        {
            "Malicious": {
                "Vendor": "iDefense",
                "Description": "last seen as MALWARE_C2"
            },
            "Address": "256.256.256.256"
        }
    ],
    "DBotScore": [
        {
            "Vendor": "iDefense",
            "Indicator": "256.256.256.256",
            "Score": 2,
            "Type": "ip"
        }
    ]
}
```
Human Readable Output
iDefense IP Reputation
| Dbot Reputation | Name | Threat Types | Confidence |
|---|---|---|---|
| Suspicious | 256.256.256.256 | Cyber Espionage | 50 |
2. Check a domain
Checks the reputation of a domain.
Base Command
domain
Input
| Argument Name | Description | Required |
|---|---|---|
| domain | The name of the domain to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Domain.Name | unknown | The name of the bad domain. |
| Domain.Malicious.Vendor | unknown | For malicious domains, the name of the vendor that made the decision. |
| Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The type of the indicator. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
Command Example
!domain domain=example.com using=iDefense_instance_1
Context Example
```json
{
    "Domain": [
        {
            "Malicious": {
                "Vendor": "iDefense",
                "Description": "last seen as MALWARE_DOWNLOAD"
            },
            "Name": "example.com"
        }
    ],
    "DBotScore": [
        {
            "Vendor": "iDefense",
            "Indicator": "example.com",
            "Score": 2,
            "Type": "domain"
        }
    ]
}
```
Human Readable Output
iDefense Domain Reputation
| Dbot Reputation | Name | Threat Types | Confidence |
|---|---|---|---|
| Suspicious | example.com | Cyber Espionage | |
3. Check a URL
Checks the reputation of a URL.
Base Command
url
Input
| Argument Name | Description | Required |
|---|---|---|
| url | The URL to check (must start with http://). | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| URL.Data | unknown | The name of the bad URL. |
| URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The type of indicator. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
Command Example
!url url=http://example.com using=iDefense_instance_1
Context Example
```json
{
    "URL": [
        {
            "Malicious": {
                "Vendor": "iDefense",
                "Description": "last seen as MALWARE_C2"
            },
            "Data": "http://example.com"
        }
    ],
    "DBotScore": [
        {
            "Vendor": "iDefense",
            "Indicator": "http://example.com",
            "Score": 2,
            "Type": "url"
        }
    ]
}
```
Human Readable Output
iDefense URL Reputation
| Dbot Reputation | Name | Threat Types | Confidence |
|---|---|---|---|
| Suspicious | http://example.com | Cyber Crime | 50 |
4. Get threats from the iDefense database
Returns threat information (IP addresses, URLs, and domains) from the iDefense database.
Base Command
idefense-general
Input
| Argument Name | Description | Required |
|---|---|---|
| max_result | The maximum number of results to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| IP.Address | unknown | The address of the bad IP. |
| IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. |
| IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
| Domain.Name | unknown | The name of the bad domain. |
| Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
| URL.Data | unknown | The bad URL found. |
| URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The type of indicator. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
Command Example
!idefense-general max_result=1
Context Example
```json
{
    "URL": [
        {
            "Malicious": {
                "Vendor": "iDefense",
                "Description": "last seen as MALWARE_DOWNLOAD"
            },
            "Data": "http://example.com/malicious_file.exe"
        }
    ],
    "DBotScore": [
        {
            "Vendor": "iDefense",
            "Indicator": "http://example.com/suspicious_file.exe",
            "Score": 2,
            "Type": "url"
        }
    ]
}
```
Human Readable Output
iDefense Reputations
| Dbot Reputation | Name | Threat Types | Confidence |
|---|---|---|---|
| Malicious | http://example.com/malicious_file.exe | Cyber Crime | 100 |
| Suspicious | http://example.com/suspicious_file.exe | Cyber Crime | 50 |
5. Get the reputation of an indicator
Returns the reputation of a specific indicator.
Base Command
uuid
Input
| Argument Name | Description | Required |
|---|---|---|
| uuid | The unique ID of the user. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| IP.Address | unknown | The address of the bad IP. |
| IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. |
| IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
| Domain.Name | unknown | The name of the bad domain. |
| Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
| URL.Data | unknown | The name of the bad URL. |
| URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The type of indicator. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
Command Example
!uuid uuid=44a7d565-a260-9oc6-b7f4-2368dc3a4a67 using=iDefense_instance_1
Context Example
```json
{
    "Domain": [
        {
            "Malicious": {
                "Vendor": "iDefense",
                "Description": "last seen as MALWARE_C2"
            },
            "Name": "example.com"
        }
    ],
    "DBotScore": [
        {
            "Vendor": "iDefense",
            "Indicator": "example.com",
            "Score": 2,
            "Type": "domain"
        }
    ]
}
```
Human Readable Output
iDefense Reputations
| Dbot Reputation | Name | Threat Types | Confidence |
|---|---|---|---|
| Suspicious | example.com | Cyber Espionage | |
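The following is an added example, not the integration's own code, showing how a reputation record for an IP, domain, or URL is turned into the context output and human readable row documented for the five commands above. The confidence-to-DBotScore thresholds (100 gives 3/Malicious, 50 gives 2/Suspicious, anything lower gives 1/Good) and the rule that only Suspicious or Malicious verdicts carry a Malicious block are assumptions inferred from the tables on this page.

```python
# Added example: build the Cortex XSOAR context shape documented on this page from
# an iDefense-style reputation record. Not the integration's own code.
# Assumption: confidence >= 100 -> DBotScore 3, >= 50 -> 2, else 1 (inferred from the
# human readable tables above, which show 100 as Malicious and 50 as Suspicious).
from typing import Any, Dict, List

VENDOR = "iDefense"

# Indicator type -> (context key, field that holds the indicator), as listed on this page.
CONTEXT_KEYS = {"ip": ("IP", "Address"), "domain": ("Domain", "Name"), "url": ("URL", "Data")}

REPUTATION_LABELS = {3: "Malicious", 2: "Suspicious", 1: "Good"}


def confidence_to_score(confidence: int) -> int:
    """Map an iDefense confidence value (0-100) to a DBotScore (assumed thresholds)."""
    if confidence >= 100:
        return 3
    if confidence >= 50:
        return 2
    return 1


def build_context(indicator: str, indicator_type: str, confidence: int,
                  last_seen_as: str) -> Dict[str, List[Dict[str, Any]]]:
    """Return {"IP"/"Domain"/"URL": [...], "DBotScore": [...]} for a single indicator."""
    if indicator_type not in CONTEXT_KEYS:
        raise ValueError(f"unsupported indicator type: {indicator_type}")
    # The url command documented above requires the value to start with http://.
    if indicator_type == "url" and not indicator.startswith("http://"):
        raise ValueError("url indicators must start with http://")
    key, field = CONTEXT_KEYS[indicator_type]
    score = confidence_to_score(confidence)
    entry: Dict[str, Any] = {field: indicator}
    # Assumption: a Malicious block is attached only for Suspicious/Malicious verdicts.
    if score >= 2:
        entry["Malicious"] = {"Vendor": VENDOR, "Description": f"last seen as {last_seen_as}"}
    dbot = {"Vendor": VENDOR, "Indicator": indicator, "Score": score, "Type": indicator_type}
    return {key: [entry], "DBotScore": [dbot]}


def human_readable_row(indicator: str, confidence: int, threat_types: str) -> str:
    """One row of the 'Dbot Reputation | Name | Threat Types | Confidence' table."""
    label = REPUTATION_LABELS[confidence_to_score(confidence)]
    return f"| {label} | {indicator} | {threat_types} | {confidence} |"


if __name__ == "__main__":
    print(build_context("256.256.256.256", "ip", 50, "MALWARE_C2"))
    print(human_readable_row("http://example.com/malicious_file.exe", 100, "Cyber Crime"))
```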