iDefense
Use the iDefense integration to manage cyber threats and security issues in the iDefense security platform.
This integration was integrated and tested with version xx of iDefense
Configure iDefense on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for iDefense.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- URL
- API Token
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Check IP address: ip
- Check a domain: domain
- Check a URL: url
- Get threats from the iDefense database: idefence-general
- Get the reputation of an indicator: uuid
1. Check an IP address
Checks the reputation of an IP address.
Base Command
ip
Input
| Argument Name | Description | Required |
|---|---|---|
| ip | The IP address to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| IP.Address | unknown | The address of the bad IP. |
| IP.Malicious.Vendor | unknown | For malicious IPs, the name of the vendor that made the decision. |
| IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor to made the decision. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The type of indicator. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
Command Example
!ip ip=256.256.256.256 using=iDefense_instance_1
Context Example
{
"IP": [
{
"Malicious": {
"Vendor": "iDefense",
"Description": "last seen as MALWARE_C2"
},
"Address": "256.256.256.256"
}
],
"DBotScore": [
{
"Vendor": "iDefense",
"Indicator": "256.256.256.256",
"Score": 2,
"Type": "ip"
}
]
}
Human Readable Output
iDefense IP Reputation
| Dbot Reputation | Name | Threat Types | confidence |
|---|---|---|---|
| Suspicious | 256.256.256.256 | Cyber Espionage | 50 |
2. Check a domain
Checks the reputation of a domain.
Base Command
domain
Input
| Argument Name | Description | Required |
|---|---|---|
| domain | The name of the domain to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Domain.Name | unknown | The name of the bad domain. |
| Domain.Malicious.Vendor | unknown | For malicious domains, the name of the vendor that made the decision. |
| Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The type of the indicator. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
Command Example
!domain domain=example.com using=iDefense_instance_1
Context Example
{
"Domain": [
{
"Malicious": {
"Vendor": "iDefense",
"Description": "last seen as MALWARE_DOWNLOAD"
},
"Name": "example.com"
}
],
"DBotScore": [
{
"Vendor": "iDefense",
"Indicator": "example.com",
"Score": 2,
"Type": "domain"
}
]
}
Human Readable Output
iDefense Domain Reputation
| Dbot Reputation | Name | Threat Types | confidence |
|---|---|---|---|
| Suspicious | example.com | Cyber Espionage |
3. Check a URL
Checks the reputation of a URL.
Base Command
url
Input
| Argument Name | Description | Required |
|---|---|---|
| url | The name of the URL to check (must start with http://). | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| URL.Data | unknown | The name of the bad URL. |
| URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The type of indicator. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
Command Example
!url url=http://example.com using=iDefense_instance_1
Context Example
{
"URL": [
{
"Malicious": {
"Vendor": "iDefense",
"Description": "last seen as MALWARE_C2"
},
"Data": "http://example.com"
}
],
"DBotScore": [
{
"Vendor": "iDefense",
"Indicator": "http://example.com",
"Score": 2,
"Type": "url"
}
]
}
Human Readable Output
iDefense URL Reputation
| Dbot Reputation | Name | Threat Types | confidence |
|---|---|---|---|
| Suspicious | http://example.com | Cyber Crime | 50 |
4. Get threats from the iDefense database
Returns threat information, such as IP address, URL and domain from the iDefense database.
Base Command
idefense-general
Input
| Argument Name | Description | Required |
|---|---|---|
| max_result | The maximum amount of results to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| IP.Address | unknown | The name of the bad IP Address. |
| IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. |
| IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
| Domain.Name | unknown | The name of the bad domain. |
| Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
| URL.Data | unknown | The bad URL found. |
| URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The type of indicator. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
Command Example
!idefense-general max_result=1
Context Example
{
"URL": [
{
"Malicious": {
"Vendor": "iDefense",
"Description": "last seen as MALWARE_DOWNLOAD"
},
"Data": "http://example.com/malicious_file.exe"
},
{
"Vendor": "iDefense",
"Indicator": "http://example.com/suspicious_file.exe",
"Score": 2,
"Type": "url"
}
]
}
Human Readable Output
iDefense Reputations
| Dbot Reputation | Name | Threat Types | confidence |
|---|---|---|---|
| Malicious | http://example.com/malicious_file.exe | Cyber Crime | 100 |
| Suspicious | http://example.com/suspicious_file.exe | Cyber Crime | 50 |
5. Get the reputation of an indicator
Returns the reputation of a specific indicator.
Base Command
uuid
Input
| Argument Name | Description | Required |
|---|---|---|
| uuid | The unique ID of the user. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| IP.Address | unknown | The name of the bad IP Address. |
| IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. |
| IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
| Domain.Name | unknown | The name of the bad domain. |
| Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
| URL.Data | unknown | The name of the bad URL. |
| URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The type of indicator. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
Command Example
!uuid uuid=44a7d565-a260-9oc6-b7f4-2368dc3a4a67 using=iDefense_instance_1
Context Example
{
"Domain": [
{
"Malicious": {
"Vendor": "iDefense",
"Description": "last seen as MALWARE_C2"
},
"Name": "example.com"
}
],
"DBotScore": [
{
"Vendor": "iDefense",
"Indicator": "example.com",
"Score": 2,
"Type": "domain"
}
]
}
Human Readable Output
iDefense Reputations
| Dbot Reputation | Name | Threat Types | confidence |
|---|---|---|---|
| Suspicious | example.com | Cyber Espionage |