iDefense (Deprecated)

Deprecated

Use the iDefense v2 integration instead

Use the iDefense integration to manage cyber threats and security issues in the iDefense security platform.
This integration was integrated and tested with version xx of iDefense

Configure iDefense on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for iDefense.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • URL: the base URL of the iDefense API server.
    • API Token: the iDefense API token used to authenticate requests.
    • Trust any certificate (not secure): skips TLS certificate validation for the iDefense server. Leave it unchecked unless you are testing against a server whose certificate cannot be validated; with it checked, anyone who can intercept the connection can read the API token.
    • Use system proxy settings: route requests through the proxy configured on the Demisto server.
  4. Click Test to validate the URL, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Check an IP address: ip
  2. Check a domain: domain
  3. Check a URL: url
  4. Get threats from the iDefense database: idefense-general
  5. Get the reputation of an indicator by its UUID: uuid

1. Check an IP address


Checks the reputation of an IP address.

Base Command

ip

Input
Argument Name Description Required
ip The IP address to check. Required

Context Output
Path Type Description
IP.Address unknown The address of the bad IP.
IP.Malicious.Vendor unknown For malicious IPs, the name of the vendor that made the decision.
IP.Malicious.Description unknown For malicious IPs, the reason the vendor made the decision.
DBotScore.Indicator unknown The indicator that was tested.
DBotScore.Type unknown The type of indicator.
DBotScore.Vendor unknown The vendor used to calculate the score.
DBotScore.Score unknown The actual score.

Command Example
!ip ip=256.256.256.256 using=iDefense_instance_1
Context Example
{
    "IP": [
        {
            "Malicious": {
                "Vendor": "iDefense", 
                "Description": "last seen as MALWARE_C2"
            }, 
            "Address": "256.256.256.256"
        }
    ], 
    "DBotScore": [
        {
            "Vendor": "iDefense", 
            "Indicator": "256.256.256.256", 
            "Score": 2, 
            "Type": "ip"
        }
    ]
}
Human Readable Output

iDefense IP Reputation

Dbot Reputation Name Threat Types confidence
Suspicious 256.256.256.256 Cyber Espionage 50

2. Check a domain


Checks the reputation of a domain.

Base Command

domain

Input
Argument Name Description Required
domain The name of the domain to check. Required

Context Output
Path Type Description
Domain.Name unknown The name of the bad domain.
Domain.Malicious.Vendor unknown For malicious domains, the name of the vendor that made the decision.
Domain.Malicious.Description unknown For malicious domains, the reason that the vendor made the decision.
DBotScore.Indicator unknown The indicator that was tested.
DBotScore.Type unknown The type of the indicator.
DBotScore.Vendor unknown The vendor used to calculate the score.
DBotScore.Score unknown The actual score.

Command Example
!domain domain=example.com using=iDefense_instance_1
Context Example
{
    "Domain": [
        {
            "Malicious": {
                "Vendor": "iDefense", 
                "Description": "last seen as MALWARE_DOWNLOAD"
            }, 
            "Name": "example.com"
        }
    ], 
    "DBotScore": [
        {
            "Vendor": "iDefense", 
            "Indicator": "example.com", 
            "Score": 2, 
            "Type": "domain"
        }
    ]
}
Human Readable Output

iDefense Domain Reputation

Dbot Reputation Name Threat Types confidence
Suspicious example.com Cyber Espionage

3. Check a URL


Checks the reputation of a URL.

Base Command

url

Input
Argument Name Description Required
url The URL to check (must start with http://). Required

Context Output
Path Type Description
URL.Data unknown The bad URL that was checked.
URL.Malicious.Vendor unknown For malicious URLs, the vendor that made the decision.
URL.Malicious.Description unknown For malicious URLs, the reason that the vendor made the decision.
DBotScore.Indicator unknown The indicator that was tested.
DBotScore.Type unknown The type of indicator.
DBotScore.Vendor unknown The vendor used to calculate the score.
DBotScore.Score unknown The actual score.

Command Example
!url url=http://example.com using=iDefense_instance_1
Context Example
{
    "URL": [
        {
            "Malicious": {
                "Vendor": "iDefense", 
                "Description": "last seen as MALWARE_C2"
            }, 
            "Data": "http://example.com"
        }
    ], 
    "DBotScore": [
        {
            "Vendor": "iDefense", 
            "Indicator": "http://example.com", 
            "Score": 2, 
            "Type": "url"
        }
    ]
}
Human Readable Output

iDefense URL Reputation

Dbot Reputation Name Threat Types confidence
Suspicious http://example.com Cyber Crime 50

4. Get threats from the iDefense database


Returns threat information (IP addresses, URLs, and domains) from the iDefense database.

Base Command

idefense-general

Input
Argument Name Description Required
max_result The maximum number of results to return. Optional

Context Output
Path Type Description
IP.Address unknown The address of the bad IP.
IP.Malicious.Vendor unknown For malicious IPs, the vendor that made the decision.
IP.Malicious.Description unknown For malicious IPs, the reason that the vendor made the decision.
Domain.Name unknown The name of the bad domain.
Domain.Malicious.Vendor unknown For malicious domains, the vendor that made the decision.
Domain.Malicious.Description unknown For malicious domains, the reason that the vendor made the decision.
URL.Data unknown The bad URL found.
URL.Malicious.Vendor unknown For malicious URLs, the vendor that made the decision.
URL.Malicious.Description unknown For malicious URLs, the reason that the vendor made the decision.
DBotScore.Indicator unknown The indicator that was tested.
DBotScore.Type unknown The type of indicator.
DBotScore.Vendor unknown The vendor used to calculate the score.
DBotScore.Score unknown The actual score.

Command Example
!idefense-general max_result=1
Context Example
{
    "URL": [
        {
            "Malicious": {
                "Vendor": "iDefense", 
                "Description": "last seen as MALWARE_DOWNLOAD"
            }, 
            "Data": "http://example.com/malicious_file.exe"
        }
    ], 
    "DBotScore": [
        {
            "Vendor": "iDefense", 
            "Indicator": "http://example.com/suspicious_file.exe", 
            "Score": 2, 
            "Type": "url"
        }
    ]
}
Human Readable Output

iDefense Reputations

Dbot Reputation Name Threat Types confidence
Malicious http://example.com/malicious_file.exe Cyber Crime 100
Suspicious http://example.com/suspicious_file.exe Cyber Crime 50

5. Get the reputation of an indicator


Returns the reputation of a specific indicator.

Base Command

uuid

Input
Argument Name Description Required
uuid The unique ID (UUID) of the indicator whose reputation to return. Required

Context Output
Path Type Description
IP.Address unknown The address of the bad IP.
IP.Malicious.Vendor unknown For malicious IPs, the vendor that made the decision.
IP.Malicious.Description unknown For malicious IPs, the reason that the vendor made the decision.
Domain.Name unknown The name of the bad domain.
Domain.Malicious.Vendor unknown For malicious domains, the vendor that made the decision.
Domain.Malicious.Description unknown For malicious domains, the reason that the vendor made the decision.
URL.Data unknown The name of the bad URL.
URL.Malicious.Vendor unknown For malicious URLs, the vendor that made the decision.
URL.Malicious.Description unknown For malicious URLs, the reason that the vendor made the decision.
DBotScore.Indicator unknown The indicator that was tested.
DBotScore.Type unknown The type of indicator.
DBotScore.Vendor unknown The vendor used to calculate the score.
DBotScore.Score unknown The actual score.

Command Example
!uuid uuid=44a7d565-a260-90c6-b7f4-2368dc3a4a67 using=iDefense_instance_1
Context Example
{
    "Domain": [
        {
            "Malicious": {
                "Vendor": "iDefense", 
                "Description": "last seen as MALWARE_C2"
            }, 
            "Name": "example.com"
        }
    ], 
    "DBotScore": [
        {
            "Vendor": "iDefense", 
            "Indicator": "example.com", 
            "Score": 2, 
            "Type": "domain"
        }
    ]
}
Human Readable Output

iDefense Reputations

Dbot Reputation Name Threat Types confidence
Suspicious example.com Cyber Espionage
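All five commands above write the same context shape: one list under IP, Domain or URL (with Address, Name or Data as the value field and an optional Malicious block) plus a parallel DBotScore list. The example below is added here and is not the integration's own code; it builds that shape for an indicator, checks a context blob against the documented schema, pre-validates indicators before they cost an API call, and renders the human-readable table. The confidence-to-score thresholds in dbot_score_from_confidence and the acceptance of https:// as well as http:// URLs are assumptions, chosen only so that the page's rows (confidence 100 is Malicious, 50 is Suspicious, score 2) come out as shown; the sample context blobs are constructed here from the page's examples.

```python
"""Added example (not the iDefense integration's code): build and check Demisto
context in the shape documented by the command tables, for the ip/domain/url
indicator types the integration returns."""
import ipaddress
import re
from urllib.parse import urlparse

VENDOR = "iDefense"

# Standard Demisto DBotScore values.
SCORE_LABEL = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Malicious"}

# Top-level context key and value field per indicator type, per the tables above.
TYPE_KEY = {"ip": ("IP", "Address"), "domain": ("Domain", "Name"), "url": ("URL", "Data")}

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def indicator_is_well_formed(indicator_type, value):
    """Cheap local check before spending an API call. The page's placeholder
    256.256.256.256 is not a valid IPv4 address and fails this check."""
    if indicator_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if indicator_type == "domain":
        return bool(DOMAIN_RE.match(value))
    if indicator_type == "url":
        parsed = urlparse(value)  # ASSUMPTION: https:// accepted alongside http://
        return parsed.scheme in ("http", "https") and bool(parsed.netloc)
    return False


def dbot_score_from_confidence(confidence):
    """ASSUMED thresholds: >= 75 -> 3 (Malicious), >= 25 -> 2 (Suspicious), else 0.
    They reproduce the page's rows (100 -> Malicious, 50 -> Suspicious) only."""
    if confidence >= 75:
        return 3
    if confidence >= 25:
        return 2
    return 0


def build_context(indicator_type, value, confidence, last_seen):
    """One indicator -> {<IP|Domain|URL>: [...], "DBotScore": [...]} as documented.
    The page populates Malicious for Suspicious (score 2) results too, so do the same."""
    key, field = TYPE_KEY[indicator_type]
    score = dbot_score_from_confidence(confidence)
    entry = {field: value}
    if score >= 2:
        entry["Malicious"] = {"Vendor": VENDOR, "Description": f"last seen as {last_seen}"}
    dbot = {"Vendor": VENDOR, "Indicator": value, "Score": score, "Type": indicator_type}
    return {key: [entry], "DBotScore": [dbot]}


def validate_context(ctx):
    """Return a list of schema problems; an empty list means the blob matches the tables."""
    problems, scored = [], set()
    for d in ctx.get("DBotScore", []):
        missing = {"Vendor", "Indicator", "Score", "Type"} - set(d)
        if missing:
            problems.append(f"DBotScore entry missing {sorted(missing)}")
            continue
        if d["Score"] not in SCORE_LABEL or d["Type"] not in TYPE_KEY:
            problems.append(f"DBotScore entry for {d['Indicator']} has bad Score/Type")
        scored.add((d["Type"], d["Indicator"]))
    for itype, (key, field) in TYPE_KEY.items():
        for e in ctx.get(key, []):
            if field not in e:
                # the classic slip: a DBotScore-shaped object filed under IP/Domain/URL
                what = "DBotScore-shaped object" if "Score" in e else "entry"
                problems.append(f"{key} {what} lacks {key}.{field}")
                continue
            mal = e.get("Malicious")
            if mal is not None and not {"Vendor", "Description"} <= set(mal):
                problems.append(f"{key}.Malicious for {e[field]} lacks Vendor/Description")
            if (itype, e[field]) not in scored:
                problems.append(f"no DBotScore entry for {key} {e[field]}")
    return problems


def human_readable(rows):
    """Render (name, threat types, confidence) rows as the page's markdown table."""
    lines = ["| Dbot Reputation | Name | Threat Types | confidence |", "|---|---|---|---|"]
    for value, threat_types, confidence in rows:
        label = SCORE_LABEL[dbot_score_from_confidence(confidence)]
        lines.append(f"| {label} | {value} | {threat_types} | {confidence} |")
    return "\n".join(lines)


# Constructed from the page's ip command example.
PAGE_IP_CONTEXT = {
    "IP": [{"Malicious": {"Vendor": VENDOR, "Description": "last seen as MALWARE_C2"},
            "Address": "256.256.256.256"}],
    "DBotScore": [{"Vendor": VENDOR, "Indicator": "256.256.256.256", "Score": 2, "Type": "ip"}],
}
# Constructed failure case: a DBotScore-shaped object filed inside the URL list,
# and no DBotScore list at all. validate_context reports both.
BROKEN_GENERAL_CONTEXT = {
    "URL": [{"Malicious": {"Vendor": VENDOR, "Description": "last seen as MALWARE_DOWNLOAD"},
             "Data": "http://example.com/malicious_file.exe"},
            {"Vendor": VENDOR, "Indicator": "http://example.com/suspicious_file.exe",
             "Score": 2, "Type": "url"}],
}

if __name__ == "__main__":
    print(validate_context(PAGE_IP_CONTEXT))         # []
    print(validate_context(BROKEN_GENERAL_CONTEXT))  # two problems
    print(human_readable([("http://example.com/malicious_file.exe", "Cyber Crime", 100),
                          ("http://example.com/suspicious_file.exe", "Cyber Crime", 50)]))
```

Run validate_context on whatever a playbook task receives from these commands before branching on DBotScore: a DBotScore object that has slipped into the URL list is silently ignored by `DBotScore.Score` lookups, so an indicator can end up with no verdict at all rather than a wrong one.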