InfoArmor VigilanteATI
This integration is part of the InfoArmor VigilanteATI Pack.
Overview
VigilanteATI redefines Advanced Threat Intelligence. InfoArmor's VigilanteATI platform and cyber threat services act as an extension of your IT security team.
Configure InfoArmor VigilanteATI on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for InfoArmor VigilanteATI.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL
- API Key
- API Secret
- Trust any certificate (not secure)
- Use system proxy
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Query infected host data: vigilante-query-infected-host-data
- Get vulnerable host data: vigilante-get-vulnerable-host-data
- Query the eCrime intelligence database: vigilante-query-ecrime-db
- Get a list of leaks: vigilante-search-leaks
- Get a list of account credentials for a leak: vigilante-get-leak
- Search for an account in the leaked credentials database: vigilante-query-accounts
- Search for a domain in the leaked credentials database: vigilante-query-domains
- Add account details to a watchlist: vigilante-watchlist-add-accounts
- Remove account details from a watchlist: vigilante-watchlist-remove-accounts
- Get a list of identifiers on a watchlist: vigilante-get-watchlist
- Get usage data for your account: vigilante-account-usage-info
1. Query infected host data
Queries infected host data. Use this command to look up infected hosts by their own IP address (q_address) or by the C&C address they were seen communicating with (cc_ipaddress). The command takes a single address, not a network range; to cover a range, query a wide time window and filter the returned hosts on the client side.
Base Command
vigilante-query-infected-host-data
Input
Argument Name | Description | Required |
---|---|---|
days_ago | Specifies how many days ago (in history) we should go back to fetch data for. By default, this parameter is set to 1 which means it returns all infected host data added to the database within the last 1 day. To return data for all infected hosts you can set this value to be equal to 0, or set it a high value such as 3650 days (or 10 years). | Optional |
limit | Specifies the maximum number of entries to return from this request. By default this parameter is set to 20 which means it returns up to the first 20 infected hosts. The valid range for value of limit is from 1 (minimum) to 50,000 (maximum). | Optional |
token | The token required to retrieve the next page of results; if necessary. When the result set is larger than the value of limit the API will return a token along with the response so the client can request the next page of results appropriately with the next API request. | Optional |
q_address | The IPv4 address, in dotted-decimal form, of the infected host to query the database for. | Optional |
cc_ipaddress | The C&C IP address that the infected host was seen communicating with; use this to find every host talking to a given controller. | Optional |
Context Output
Path | Type | Description |
---|---|---|
VigilanteATI.InfectedHosts.ip | string | Alphanumeric version of the IPv4 address belonging to this infected host. |
VigilanteATI.InfectedHosts.port | number | Port number used by the infected host. |
VigilanteATI.InfectedHosts.domain | string | Domain name associated with the infected host. (e.g sample.com) |
VigilanteATI.InfectedHosts.country | string | Country code representing the country the host is located in. (e.g US) |
VigilanteATI.InfectedHosts.malware | string | Name of the malware family we believe has infected the host. (e.g c_zeroaccess) |
VigilanteATI.InfectedHosts.c_and_c | string | IP address of the C&C the infected host was seen communicating with. |
VigilanteATI.InfectedHosts.timestamp | date | Timestamp of when we last saw this infected host and imported it into our database. (e.g 2015-10-10 12:01:01) |
VigilanteATI.GetInfectedHostsToken | string | Token required to paginate to the next set of results. Only provided when the number of items in the result set exceeds the page size; otherwise it is an empty string, meaning there is no next page. |
VigilanteATI.InfectedHosts | unknown | Container for infected host objects: a list of host dictionaries. Note that the context example below shows the list under the key InfectedHost, with a c&c field rather than c_and_c and a region name in country, so verify the actual key names your instance returns before referencing them in a playbook. |
Command Example
!vigilante-query-infected-host-data days_ago="10" limit="4"
Context Example
{
"VigilanteATI": {
"InfectedHost": [
{
"c&c": "184.105.192.2",
"country": "Asia",
"domain": "sancharnet.in",
"ip": "117.194.21.62",
"malware": "s_gamarue",
"timestamp": "2018-12-01T12:57:22"
},
{
"c&c": "184.105.192.2",
"country": "Asia",
"domain": "airtel.in",
"ip": "122.175.240.173",
"malware": "s_gamarue",
"timestamp": "2018-12-01T12:57:22"
},
{
"c&c": "184.105.192.2",
"country": "Asia",
"domain": "vnnic.net.vn",
"ip": "113.186.213.226",
"malware": "s_gamarue",
"timestamp": "2018-12-01T12:57:22"
},
{
"c&c": "184.105.192.2",
"country": "Asia",
"domain": "parsonline.net",
"ip": "37.27.67.92",
"malware": "s_gamarue",
"timestamp": "2018-12-01T12:57:22"
}
]
}
}
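The token-driven paging used by this command (and, as re_token, by the vulnerable-host and eCrime commands) is easy to get wrong in a playbook: the only end-of-results signal is an empty or null token, and nothing else stops the loop. The following is an added example, not code from the integration or from InfoArmor. It uses an in-memory stand-in for the API (fake_query_infected_hosts, an assumption that mirrors the contract described in the tables above) so it runs offline; the loop in iter_all_pages is what you would wrap around demisto.executeCommand in an automation.

```python
from typing import Callable, Dict, Iterator, List

# Constructed sample: six infected-host records in the shape of the context
# example above (not real API data).
SAMPLE_HOSTS: List[Dict] = [
    {"ip": f"198.51.100.{i}", "port": 443, "domain": f"host{i}.example",
     "country": "US", "malware": "s_gamarue", "c_and_c": "192.0.2.10",
     "timestamp": "2018-12-01T12:57:22"}
    for i in range(1, 7)
]


def fake_query_infected_hosts(limit: int, token: str = "") -> Dict:
    """In-memory stand-in for vigilante-query-infected-host-data (assumption:
    the real endpoint honours the same contract). Serves `limit` records per
    page and returns an opaque token for the next page, or "" once the last
    page has been served, which is how the documentation says the end of the
    result set is signalled."""
    if not 1 <= limit <= 50_000:
        raise ValueError("limit must be between 1 and 50,000")
    offset = int(token) if token else 0
    page = SAMPLE_HOSTS[offset:offset + limit]
    next_offset = offset + limit
    next_token = str(next_offset) if next_offset < len(SAMPLE_HOSTS) else ""
    return {"InfectedHosts": page, "GetInfectedHostsToken": next_token}


def iter_all_pages(fetch: Callable[..., Dict], limit: int = 20,
                   max_pages: int = 1000) -> Iterator[Dict]:
    """Follow the opaque pagination token until the API returns an empty one.
    Treats "" and a missing/None token alike as 'no next page'. `max_pages`
    guards a playbook against a server that never stops handing out tokens."""
    token = ""
    for _ in range(max_pages):
        resp = fetch(limit=limit, token=token)
        yield from resp.get("InfectedHosts", [])
        token = resp.get("GetInfectedHostsToken") or ""
        if not token:
            return
    raise RuntimeError(f"pagination did not terminate within {max_pages} pages")


def collect_all(limit: int = 20) -> List[Dict]:
    """Drain every page into one list, deduplicating on (ip, timestamp) in case
    a record is served twice when the data set changes between page requests."""
    seen = set()
    out: List[Dict] = []
    for host in iter_all_pages(fake_query_infected_hosts, limit=limit):
        key = (host["ip"], host["timestamp"])
        if key not in seen:
            seen.add(key)
            out.append(host)
    return out


if __name__ == "__main__":
    hosts = collect_all(limit=4)          # two pages: 4 records, then 2
    print(len(hosts), "hosts:", [h["ip"] for h in hosts])
```

For the commands that return a re_token (vulnerable hosts, eCrime), the token is only valid for five minutes, so process each page before requesting the next rather than collecting tokens for later.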
2. Get vulnerable host data
Returns all vulnerable host data from VI feed for the given query. This is the API call you want to use to download the entire feed of vulnerable hosts that matches the query.
Base Command
vigilante-get-vulnerable-host-data
Input
Argument Name | Description | Required |
---|---|---|
limit | Maximum number of entries to return. Defaults to 20, i.e. up to the first 20 vulnerable hosts. Valid range: 1 to 1,000. | Optional |
re_token | Token required to retrieve the next page of results. When the result set is larger than limit, the API returns a re_token with the response so the client can request the next page on its next call. | Optional |
q_address | IPv4 address of the vulnerable host to search for. Defaults to '*', which places no constraint on the address. | Optional |
q_mask | Network mask (prefix length) applied to q_address when searching, so that an address with q_mask=24 covers the whole /24. Defaults to 32, i.e. a single host. It has no effect while q_address is '*'. | Optional |
q_type | Vulnerability type to search for (see the type output field, e.g. heartbleed). Defaults to '*', which places no constraint on the type. | Optional |
Context Output
Path | Type | Description |
---|---|---|
VigilanteATI.Hosts | unknown | Container for vulnerable host objects. This is basically a list of dictionaries (hosts). |
VigilanteATI.Hosts.ip | unknown | Alphanumeric version of the IPv4 address belonging to this vulnerable host. |
VigilanteATI.Hosts.hostname | unknown | Hostname of the host. Obtained by doing a lookup using the given IPv4 address. (e.g "sample.hostname.com") |
VigilanteATI.Hosts.type | unknown | Vulnerability type/name. (e.g heartbleed) |
VigilanteATI.Hosts.port | unknown | Port numbers that this might affect. (e.g 443) |
VigilanteATI.Hosts.protocols | unknown | Protocols that this might affect. (e.g "ssh") |
VigilanteATI.Hosts.url | unknown | URL field. Only applicable with certain vulnerability types such as web shell. |
VigilanteATI.Hosts.geoip | unknown | JSON object with all the data we have about the IP and its location. |
VigilanteATI.Hosts.geoip.timezone | unknown | Timezone (e.g Asia/Tokyo) |
VigilanteATI.Hosts.geoip.ip | string | IPv4 address |
VigilanteATI.Hosts.geoip.continent_code | string | Continent code (e.g AS) |
VigilanteATI.Hosts.geoip.city_name | string | City name (e.g Tokyo) |
VigilanteATI.Hosts.geoip.country_code2 | string | Two-letter country code (e.g JP) |
VigilanteATI.Hosts.geoip.country_name | string | Country name (e.g Japan) |
VigilanteATI.Hosts.geoip.country_code3 | string | Country code (e.g JP) |
VigilanteATI.Hosts.geoip.region_name | unknown | Region name (e.g Tokyo) |
VigilanteATI.Hosts.geoip.latitude | number | Latitude (e.g 35.6502) |
VigilanteATI.Hosts.geoip.longitude | number | Longitude (e.g 139.6939) |
VigilanteATI.Hosts.geoip.postal_code | string | Postal Code (e.g 153-0042) |
VigilanteATI.Hosts.geoip.region_code | string | Region Code (e.g 13) |
VigilanteATI.Hosts.timestamp | date | Timestamp of when we found this vulnerable host and imported it into our database. (e.g 2015-10-10 12:01:01) |
VigilanteATI.GetVulnerableHostsToken | unknown | The re_token parameter value required to retrieve the next page of results. The token is valid for 5 minutes. The value is null if count is equal to either 0 or total. |
Command Example
!vigilante-get-vulnerable-host-data limit="5" q_address="9.9.9.9"
Context Example
{
"VigilanteATI": {
"Hosts": [
{
"geoip": {
"postal_code": "27709",
"ip": "9.9.9.9",
"latitude": 35.994,
"longitude": -78.8986,
"dma_code": 560,
"country_name": "United States",
"location": {
"lat": 35.994,
"lon": -78.8986
},
"region_name": "North Carolina",
"region_code": "NC",
"continent_code": "NA",
"timezone": "America/New_York",
"country_code2": "US",
"country_code3": "US",
"city_name": "Durham"
},
"hostname": [
"dns.quad9.net"
],
"ip": "9.9.9.9",
"port": 53,
"protocols": "udp",
"timestamp": "2018-03-27 08:33:42",
"type": "accessible port 53",
"url": [
"quad9.net"
]
}
]
}
}
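Two small helpers that a playbook author ends up writing for both host commands: turning a CIDR block into the q_address/q_mask pair that vigilante-get-vulnerable-host-data accepts, and filtering the output of vigilante-query-infected-host-data (which takes a single address only) down to the range you own. This is an added example, not part of the integration; it assumes q_mask is a prefix length (the documented default of 32 points that way) and uses constructed sample records in the shape of the infected-host context example.

```python
import ipaddress
from typing import Dict, Iterable, List


def cidr_to_query(cidr: str) -> Dict[str, str]:
    """Translate '198.51.100.0/24' into the q_address / q_mask arguments of
    vigilante-get-vulnerable-host-data (assumption: q_mask is the prefix
    length). A bare address becomes a /32; strict=False accepts a host address
    inside the block, e.g. 198.51.100.7/24, and normalises it to the network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("VigilanteATI host lookups are IPv4 only")
    return {"q_address": str(net.network_address), "q_mask": str(net.prefixlen)}


def hosts_in_network(hosts: Iterable[Dict], cidr: str) -> List[Dict]:
    """Client-side range filter for vigilante-query-infected-host-data, which
    only accepts a single q_address: pull a wide days_ago window and keep the
    records whose 'ip' falls inside the range. Malformed or missing 'ip' values
    are skipped instead of crashing the playbook."""
    net = ipaddress.ip_network(cidr, strict=False)
    kept: List[Dict] = []
    for host in hosts:
        try:
            addr = ipaddress.ip_address(host.get("ip", ""))
        except ValueError:
            continue
        if addr in net:
            kept.append(host)
    return kept


# Constructed sample in the shape of the infected-host context example above;
# the .200 host and the malformed entry are invented.
SAMPLE_INFECTED = [
    {"ip": "117.194.21.62", "malware": "s_gamarue", "c_and_c": "184.105.192.2"},
    {"ip": "117.194.21.200", "malware": "s_gamarue", "c_and_c": "184.105.192.2"},
    {"ip": "122.175.240.173", "malware": "s_gamarue", "c_and_c": "184.105.192.2"},
    {"ip": "not-an-ip", "malware": "s_gamarue", "c_and_c": "184.105.192.2"},
]

if __name__ == "__main__":
    print(cidr_to_query("117.194.21.0/24"))
    print([h["ip"] for h in hosts_in_network(SAMPLE_INFECTED, "117.194.21.0/24")])
```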
3. Query the eCrime intelligence database
Queries the eCrime intelligence database. This is the API call you want to use to do a full text search on eCrime intelligence data, such as hacker chatter.
Base Command
vigilante-query-ecrime-db
Input
Argument Name | Description | Required |
---|---|---|
query | The search query; may be a Lucene query. | Required |
q_forum | Restricts the search to a specific forum. | Optional |
q_start_date | The search start date; only posts on or after q_start_date are retrieved. (e.g 2017-10-01) | Optional |
q_end_date | Specifies the search end date; only posts on or before q_end_date are retrieved. (e.g 2017-10-03) | Optional |
limit | Specifies the maximum number of posts to return. By default limit is set to 10, which means the result set is limited to the first 10 posts. limit must be between 1 and 100, inclusive. | Optional |
re_token | The re_token required to retrieve the next page of results when the result set is larger than limit. If this parameter is specified, all other parameters are ignored. | Optional |
Context Output
Path | Type | Description |
---|---|---|
VigilanteATI.ECrimeQueryToken | string | The re_token parameter value required to retrieve the next page of results. The token is valid for 5 minutes. The value is null if count is equal to either 0 or total. |
VigilanteATI.ECrimePosts.title | string | Post title, base64 encoded, with matching search terms highlighted via <mark> tags. The context example below shows the decoded text. |
VigilanteATI.ECrimePosts.date | date | Post date (format YYYY-MM-DD) |
VigilanteATI.ECrimePosts.forum | string | Forum (e.g rstforums.com) |
VigilanteATI.ECrimePosts.author | string | Author |
VigilanteATI.ECrimePosts.post | string | Post body, base64 encoded, with matching search terms highlighted via <mark> tags. Posts routinely contain raw credential pairs (see the context example), so treat this field as sensitive when copying it into incidents. |
Command Example
!vigilante-query-ecrime-db query="netflix" q_start_date="2018-05-20" limit="5"
Context Example
{
"VigilanteATI": {
"ECrimePosts": [
{
"author": "fb_official2",
"date": "2018-12-10",
"forum": "bcbm4y7yusdxthg3.onion",
"post": "<mark>NETFLIX</mark> TODAY\n\nACCOUNT: example@gmail.com\nPASS: THEdonbone",
"thread_url": "http://bcbm4y7yusdxthg3.onion/showthread.php?t=28120",
"title": "FREE <mark>NETFLIX</mark> ACCOUNT DAILY.."
},
{
"author": "fb_official2",
"date": "2018-12-10",
"forum": "bcbm4y7yusdxthg3.onion",
"post": "https://ibb.co/miywTp\nhttps://ibb.co/g6xZEU",
"thread_url": "http://bcbm4y7yusdxthg3.onion/showthread.php?t=28120",
"title": "FREE <mark>NETFLIX</mark> ACCOUNT DAILY.."
},
{
"author": "fb_official2",
"date": "2018-12-09",
"forum": "sky-fraud",
"post": "https://www.lifewire.com/thmb/3AYgoV...f77283d151.jpg\n\n\n\n\n<mark>NETFLIX</mark> TODAY\n\nACCOUNT: example.gmail.com\nPASS: THEdonbone",
"thread_url": "https://sky-fraud.ru/showthread.php?t=28120",
"title": "FREE <mark>NETFLIX</mark> ACCOUNT DAILY.."
},
{
"author": "piscedor",
"date": "2018-12-09",
"forum": "https://bitshacking.com",
"post": "example@msn.com:dylan1\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Pam\r\nLastname: Gross\r\nCountry: US\n\n\nexample.gmail.com:matthew\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Jim\r\nLastname: Dutton\r\nCountry: US\n\n\nexample.gmail.com:axleaxle\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Berni\r\nLastname: Hartford\r\nCountry: CA\n\n\nexample@gmail.com:jtrocks\r\nCaptured Keys:\r\n<------------>\r\nFirstname: James\r\nLastname: Roselle\r\nCountry: US\n\n\nexample.gmail.com:helpme\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Jessica\r\nLastname: Cacciola\r\nCountry: US\n\n\nexample@yahoo.com:wilson\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Colleen\r\nLastname: Burke\r\nCountry: US\n\n\nexample.gmail.com:callie\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Donald\r\nLastname: Graves\r\nCountry: US\n\n\nexample@yahoo.com:colorado\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Glenn\r\nLastname: Zenner\r\nCountry: US\n\n\nexample@gmail.com:anthony13\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Anthony D.\r\nLastname: ORTIZ\r\nCountry: US\n\n\nexample.gmail.com:goodguys1\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Garrick\r\nLastname: Lew\r\nCountry: US",
"thread_url": "http://www.bitshacking.com/forum/accounts-database-section/146703-10-x-netflix-premium-accounts.html",
"title": "10 x <mark>Netflix</mark> premium accounts"
},
{
"author": "piscedor",
"date": "2018-12-09",
"forum": "https://bitshacking.com",
"post": "example.gmail.com|alphadog666\nexample.gmail.com|slamdunk1991\nexample@gmail.com|dennick6892",
"thread_url": "http://www.bitshacking.com/forum/accounts-database-section/146705-3x-netflix-account.html",
"title": "3x <mark>netflix</mark> account"
}
]
}
}
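The title and post fields are documented as base64 with <mark> highlights, while the context example shows them already decoded, so a playbook has to cope with both and should strip the markup before searching or displaying the text. The following is an added example, not code from the integration: decode_field tries strict base64 first and falls back to the raw string; extract_post returns the plain text, the terms the API highlighted, and the email addresses mentioned in the post (the part you would actually feed to vigilante-query-accounts or a watchlist check). The sample posts are constructed, not real forum data.

```python
import base64
import binascii
import html
import re
from typing import Dict, List, Tuple

MARK_RE = re.compile(r"<mark>(.*?)</mark>", re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_field(value: str) -> str:
    """Strict base64 first (validate=True rejects spaces, '<', ':' and so on),
    falling back to the value as-is when it is not base64 or does not decode to
    UTF-8. A short plain word that happens to be valid base64 would be
    mis-decoded; real post bodies are long enough that this does not occur."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value


def extract_post(post: Dict) -> Tuple[str, List[str], List[str]]:
    """Return (plain text, highlighted terms, email addresses) for one
    ECrimePosts entry. Only <mark> is trusted as markup: it is read for the
    hit list, then every tag is stripped and entities unescaped so the text is
    searchable directly. Keep the plain text out of incident summaries; it
    routinely carries credential pairs."""
    text = decode_field(post.get("post", ""))
    hits = sorted({m.group(1).strip().lower() for m in MARK_RE.finditer(text)})
    plain = html.unescape(TAG_RE.sub("", text))
    emails = sorted({e.lower() for e in EMAIL_RE.findall(plain)})
    return plain, hits, emails


# Constructed sample posts: one base64-encoded as the documentation describes,
# one already decoded as the context example shows.
RAW_POST = "<mark>NETFLIX</mark> TODAY\n\nACCOUNT: example@gmail.com\nPASS: hunter2"
SAMPLE_POSTS = [
    {"title": "RlJFRQ==", "post": base64.b64encode(RAW_POST.encode()).decode(),
     "forum": "example-forum.onion", "date": "2018-12-10"},
    {"title": "FREE <mark>NETFLIX</mark> ACCOUNT DAILY..",
     "post": "https://example.invalid/a.jpg\n<mark>netflix</mark> &amp; chill",
     "forum": "sky-fraud", "date": "2018-12-09"},
]

if __name__ == "__main__":
    for p in SAMPLE_POSTS:
        plain, hits, emails = extract_post(p)
        print(p["date"], hits, emails, repr(plain[:40]))
```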
4. Get a list of leaks
Retrieves the list of leaks from the database.
Base Command
vigilante-search-leaks
Input
Argument Name | Description | Required |
---|---|---|
leak_id | If set this parameter determines which leak the user wants to return metadata for. This is used primarily when you want to get information on just a single leak instead of a set of leaks. | Optional |
days_ago | Specifies how many days ago (in history) we should go back to fetch leak data for. By default this parameter is set to 7 which means it returns all leaks added to the database within the last 7 days. To return data for all leaks you can set this value to be equal to 0. | Optional |
keyword | Allows you to specify a string keyword to search for. The keyword specified is used to search metadata associated with a leak and return any matching results. You can search by domain names, hacker groups, affected companies, etc. | Optional |
limit | Specifies the maximum number of leaks to return from this request. By default this parameter is set to 20 which means it returns up to the first 20 leaks. The valid range for value of limit is from 1 (minimum) to 1,000 (maximum). (optional) | Optional |
token | The token required to retrieve the next page of results; if necessary. When the result set is larger than the value of limit the API will return a token along with the response so the client can request the next page of results appropriately with the next API request. (optional) | Optional |
Context Output
Path | Type | Description |
---|---|---|
VigilanteATI.Leaks.leak_id | string | Unique identifier for the leak. Leaks are identified internally by MD5 sums, so this is a 32-character hexadecimal MD5 digest. |
VigilanteATI.Leaks.title | unknown | Title of the leak. |
VigilanteATI.Leaks.description | unknown | A short leak description |
VigilanteATI.Leaks.leak_type | unknown | Type of the leak. Currently we feature the following leak designations: "Database dump", "Credentials dump" or "Credit card dump". As our service grows we will add new leak types into the system. |
VigilanteATI.Leaks.source_refs | string | List of sources (URIs) where this leak was available at the time VigilanteATI team harvested it. |
VigilanteATI.Leaks.import_date | date | The date the leak was first imported into the VigilanteATI database. |
VigilanteATI.Leaks.attackers | string | A list of attackers (hackers) who claimed responsibility for the breach/leak. |
VigilanteATI.Leaks.score | number | An integer, in a range of 0 to 100, of how confident we are this leak is legitimate. |
VigilanteATI.Leaks.num_domains_affected | number | Number of domains affected by the leak. |
VigilanteATI.Leaks.target_industries | string | A list of target industry verticals affected by the leak. |
VigilanteATI.Leaks.attack_method | string | The method of attack on the target; if published. This is usually "SQLi", "phishing", "social engineering", etc. |
VigilanteATI.Leaks.media_refs | unknown | A list of media articles covering the data leak. |
VigilanteATI.Leaks.targets | string | List of entities targeted by this leak. |
VigilanteATI.Leaks.num_entries | number | Total number of account credentials (email/password pairs) harvested from this leak. |
VigilanteATI.Leaks.password_hash | string | Type of password hash; only present if leaked passwords have been hashed. |
VigilanteATI.LeakInfoToken | string | Token required to paginate the next set of results in. This is only provided if the number of items in the response exceeds our max pagination size. Otherwise it is set to an empty string. |
Command Example
!vigilante-search-leaks days_ago="100" keyword="apple" limit="5"
Context Example
{
"VigilanteATI": {
"Leaks": [
{
"leak_id": "aa66573902ed4f4bfb2ae08ebac390c3",
"password_type": null,
"description": "part of solenya collection of dumps www.shareapple.com.txt. Many smaller breaches from smaller websites. Original breach dates unknown, but most likely happened before Jan 2017. Often repacked in to larger combolists. ",
"source_refs": [],
"attack_method": "",
"title": "www.shareapple.com.txt solenya collection leak",
"import_date": "2018-03-17 00:00:00",
"breach_date": "",
"targets": [
"www.shareapple.com.txt"
],
"attackers": [],
"num_entries": 5669,
"score": 30,
"num_domains_affected": 5669,
"leak_type": "Database dump",
"target_industries": "",
"password_hash": "",
"leak_date": "2017-01-01 00:00:00",
"media_refs": []
},
{
"leak_id": "5892cc3edb5ee8463a6ebbfd54b1b2ad",
"password_type": null,
"description": "part of solenya collection of dumps www.applebeebook.co.kr.txt. Many smaller breaches from smaller websites. Original breach dates unknown, but most likely happened before Jan 2017. Often repacked in to larger combolists. ",
"source_refs": [],
"attack_method": "",
"title": "www.applebeebook.co.kr.txt solenya collection leak",
"import_date": "2018-03-16 00:00:00",
"breach_date": "",
"targets": [
"www.applebeebook.co.kr.txt"
],
"attackers": [],
"num_entries": 64147,
"score": 30,
"num_domains_affected": 64147,
"leak_type": "Database dump",
"target_industries": "",
"password_hash": "",
"leak_date": "2017-01-01 00:00:00",
"media_refs": []
},
{
"leak_id": "a6eb0ca9fb47777aa81ce58d71a30495",
"password_type": "plaintext",
"description": "An unknown hacker or hacker group posted what they're claiming is a listing of Apple ID accounts, with email addresses and passwords. The listing also denotes the location of the users.",
"source_refs": [
"http://pastebin.com/raw.php?i=E8n5cBRf"
],
"attack_method": "",
"title": "Alleged dump of Apple accounts",
"import_date": "2015-09-14 00:00:00",
"breach_date": "",
"targets": [],
"attackers": [],
"num_entries": 14,
"score": 60,
"num_domains_affected": 14,
"leak_type": "Credentials dump",
"target_industries": "",
"password_hash": "",
"leak_date": "2015-09-14 00:00:00",
"media_refs": []
},
{
"leak_id": "ff2fe066c6f6289e70be0157d3b2e24e",
"password_type": "hashes",
"description": "A hacker group calling themselves Kim Jong-Cracks have supposedly breached the database of Insanelyi, a product of Cydia. Cydia is the jailbraker's App Store alternative for iOS apps on Apple devices. The hacker group posted a CSV file containing usernames, email addresses, MD5 password hashes, password salts and more. ",
"source_refs": [
"http://apt.ripbigboss.com/insanelyi.nfo"
],
"attack_method": "",
"title": "Cydia database dumped",
"import_date": "2014-07-30 00:00:00",
"breach_date": "",
"targets": [],
"attackers": [],
"num_entries": 104079,
"score": 90,
"num_domains_affected": 104079,
"leak_type": "Credentials dump",
"target_industries": "",
"password_hash": "MD5",
"leak_date": "2014-07-29 00:00:00",
"media_refs": [
"http://www.technobuffalo.com/2014/07/20/cydias-popular-bigboss-repo-allegedly-gets-hacked/"
]
},
{
"leak_id": "128e4664c1712016e80678dad86c7a7b",
"password_type": "plaintext",
"description": "A hacker or hacker group named An0nGhost posted a data dump from store.apple.com. The leak contains what appears to be emails and passwords.",
"source_refs": [
"http://pastebin.com/raw.php?i=BBXjnNxj"
],
"attack_method": "",
"title": "store.apple.com accounts hacked",
"import_date": "2014-06-02 00:00:00",
"breach_date": "",
"targets": [
"store.apple.com"
],
"attackers": [
"An0nGhost"
],
"num_entries": 210,
"score": 60,
"num_domains_affected": 210,
"leak_type": "Credentials dump",
"target_industries": "",
"password_hash": "",
"leak_date": "2014-06-02 00:00:00",
"media_refs": []
}
],
"LeakInfoToken": "Bwz/okTPVNIldyAYJQ6bFanwA/VYIAjy2BjSuSuceCv0Xi/pEVbsniqOYZP61tLbSxjkTAcgTpfDdaJqy8Eu3Q=="
}
}
5. Get a list of account credentials for a leak
Retrieves the list of account credentials that belong to a particular leak.
Base Command
vigilante-get-leak
Input
Argument Name | Description | Required |
---|---|---|
leak_id | An identifier (MD5 sum) that uniquely represents this leak in our database. | Required |
limit | Specifies the maximum number of account credentials to return from this request. By default this parameter is set to 20 which means it returns up to the first 20 accounts harvested from this leak. The valid range for value of limit is from 1 (minimum) to 10,000 (maximum). (optional) | Optional |
domains | A comma-delimited list of email domains to use as a filter on the harvested credentials. Use it to return only the subset of the leak that matches particular email domains rather than the whole leak. Defaults to an empty string, which returns all harvested credentials regardless of email domain. | Optional |
token | The token required to retrieve the next page of results; if necessary. When the result set is larger than the value of limit the API will return a token along with the response so the client can request the next page of results appropriately with the next API request. (optional) | Optional |
Context Output
Path | Type | Description |
---|---|---|
VigilanteATI.Leaks.leak_id | string | Unique identifier for the leak from which the accounts come from. (MD5 sum) |
VigilanteATI.Leaks.accounts | unknown | Container for account objects. This is just a list of dictionaries. |
VigilanteATI.Leaks.accounts.domain | string | Email domain which the account belongs to. |
VigilanteATI.Leaks.accounts.type_id | number | Type of account. At the moment we only support accounts of type 1, which are email addresses. As we expand our service we will add support for additional types such as usernames. |
VigilanteATI.Leaks.accounts.email | string | A plaintext form of the email address from the account. The email address will always be lowercased. |
VigilanteATI.Leaks.accounts.password | string | The encrypted password found in this leaked account credential. This field is the BASE64 encoded representation of the encrypted data. You will need to decrypt this password using a decryption key provided to you. |
VigilanteATI.LeakAccountsToken | string | Token required to paginate the next set of results in. This is only provided if the number of items in the response exceeds our max pagination size. Otherwise it is set to an empty string. |
Command Example
!vigilante-get-leak leak_id="aa66573902ed4f4bfb2ae08ebac390c3" limit="3" domains="hotmail.com,sina.com"
Context Example
{
"VigilanteATI": {
"LeakAccountsToken": "p2V99rXakNhn3mafVJ6WJ6MEEfcPGh+q+DY9sO1SlNo2AR3D4akFOWTY+8T53rX4FJWc4LjylGORXKKp9Zl52PYhViNR1P3+Z1Sn3pYKrvC5iDTXwXVe5eqcomd44qbx",
"Leaks": {
"leak_id": "aa66573902ed4f4bfb2ae08ebac390c3",
"accounts": [
{
"leak_id": "aa66573902ed4f4bfb2ae08ebac390c3",
"domain": "hotmail.com",
"password": "dummypassword",
"email": "dummy1@hotmail.com",
"type_id": 1
},
{
"leak_id": "aa66573902ed4f4bfb2ae08ebac390c3",
"domain": "sina.com",
"password": "dummypassword",
"email": "dummy2@sina.com",
"type_id": 1
},
{
"leak_id": "aa66573902ed4f4bfb2ae08ebac390c3",
"domain": "hotmail.com",
"password": "dummypassword",
"email": "dummy3@hotmail.com",
"type_id": 1
}
]
}
}
}
6. Search for an account in the leaked credentials database
Performs a query to match the given account identifier against database of leaked credentials.
Base Command
vigilante-query-accounts
Input
Argument Name | Description | Required |
---|---|---|
emails | A string, or comma-delimited list of strings, that uniquely identifies the account(s) to match on. In the current version of the API the only accepted account identifiers are email addresses and SHA-512 hashes of email addresses. The two types cannot be mixed in one request: the list must contain only email addresses or only hashes. Email addresses must adhere to RFC 2822. | Required |
limit | Upper bounds for how many results we will return. By default this is set to 20. (optional) | Optional |
days_ago | Used to specify a time range on matching against the given account identifier. By default we will run the query against our entire database, without restricting results to a time range. (optional) | Optional |
Context Output
Path | Type | Description |
---|---|---|
VigilanteATI.Account.leak_id | string | Leak ID related to that account |
VigilanteATI.Account.type_id | number | Type of account. At the moment we only support accounts of type 1, which are email addresses. As we expand our service we will add support for additional types such as usernames. |
VigilanteATI.Account.source_type | number | Denotes type of data. Value of 1 indicates compromised credentials. Value of 2 means that these are Endangered Credentials, and the password field contains a JSON dictionary instead of a password. |
VigilanteATI.Account.email | string | A plaintext form of the email address from the account. The email address will always be lowercased. |
VigilanteATI.Account.password | string | The encrypted password found in this leaked account credential. This field is the BASE64 encoded representation of the encrypted data. You will need to decrypt this password using a decryption key provided to you. |
VigilanteATI.AccountQueryToken | string | Token required to paginate the next set of results in. This is only provided if the number of items in the response exceeds our max pagination size. Otherwise it is set to an empty string. |
Command Example
!vigilante-query-accounts emails="example@gmail.com,example.gmail.com" limit="3"
Context Example
{
"VigilanteATI": {
"Account": [
{
"email": "16@gmail.com",
"leak_id": "792b3740220e53017d3d0c16b87b5750",
"password": "6FQS8sui06wUvI1voAEupvgMip30C+WqGjqQpIh/oC4YJSD2yPv8xpNVgCULgkGPQs6SYcnSrcIT4+qFB0mu/Q==",
"source_type": 1,
"type_id": 1
},
{
"email": "16@gmail.com",
"leak_id": "a657545e1ee7e4f1c4d2cc8aed217f3b",
"password": "lW/it+jISMOKXK1DIE8Q3w==",
"source_type": 1,
"type_id": 1
},
{
"email": "16@gmail.com",
"leak_id": "a657545e1ee7e4f1c4d2cc8aed217f3b",
"password": "rVWiTDWzwulB2HZPYv+3Ng==",
"source_type": 1,
"type_id": 1
}
]
}
}
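Because the command accepts SHA-512 hashes as well as plaintext addresses, a playbook can check employee mailboxes against the leak database without sending the addresses themselves to the vendor. The following is an added example, not part of the integration: it lowercases each address (the API states that stored addresses are always lowercased, so the digest must be taken over the lowercased form), hashes it locally, deduplicates, and refuses the email/hash mix the API rejects. The hex encoding of the digest is an assumption; the page only says "SHA-512 hashes of email addresses".

```python
import hashlib
import re
from typing import Dict, List

# Minimal sanity check only; the API enforces RFC 2822 itself.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SHA512_HEX_RE = re.compile(r"^[0-9a-f]{128}$")


def normalize_email(email: str) -> str:
    """Trim and lowercase so the digest matches what the vendor stores."""
    e = email.strip().lower()
    if not EMAIL_RE.match(e):
        raise ValueError(f"not an email address: {email!r}")
    return e


def sha512_identifier(email: str) -> str:
    """Assumption: the API expects the lowercase hex SHA-512 digest of the
    lowercased address."""
    return hashlib.sha512(normalize_email(email).encode("utf-8")).hexdigest()


def build_query_accounts_args(identifiers: List[str], hash_emails: bool = True) -> Dict[str, str]:
    """Build the `emails` argument for vigilante-query-accounts.
    - accepts plaintext addresses and/or pre-computed hex SHA-512 digests
    - with hash_emails=True every plaintext address is hashed locally, so the
      addresses themselves never leave the host
    - deduplicates, and refuses to mix the two identifier types, which the
      API rejects."""
    kinds = set()
    values: List[str] = []
    for ident in identifiers:
        s = ident.strip().lower()
        if SHA512_HEX_RE.match(s):
            kind, value = "hash", s
        elif hash_emails:
            kind, value = "hash", sha512_identifier(s)
        else:
            kind, value = "email", normalize_email(s)
        kinds.add(kind)
        if value not in values:
            values.append(value)
    if len(kinds) > 1:
        raise ValueError("email addresses and SHA-512 hashes cannot be mixed in one request")
    if not values:
        raise ValueError("no identifiers supplied")
    return {"emails": ",".join(values)}


if __name__ == "__main__":
    print(build_query_accounts_args(["Alice@Example.com", "alice@example.com"]))
    print(build_query_accounts_args(["alice@example.com"], hash_emails=False))
```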
7. Search for a domain in the leaked credentials database
Performs a query to match the given domain name against our database of leaked credentials.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
Base Command
vigilante-query-domains
Input
Argument Name | Description | Required |
---|---|---|
domain | The string that uniquely identifies the domain we are trying to match on. Domain names provided as domain_identifier must adhere to RFC 1035. | Required |
days_ago | If supplied, the API only searches the previous n days for the domain. The maximum allowed value is 365. If omitted, the search is not restricted by time. | Optional |
limit | Upper bounds for how many results we will return. By default this is set to 20. | Optional |
token | The token required to retrieve the next page of results; if necessary. When the result set is larger than our max page size the API returns a token along with the response so the client can request the next page appropriately with the next API request. (optional) | Optional |
Context Output
Path | Type | Description |
---|---|---|
VigilanteATI.Domain.domain | string | The domain name you queried for. |
VigilanteATI.Domain.accounts | unknown | Container for results. List of dictionaries, each representing a single pair of account credentials with associated metadata. |
VigilanteATI.Domain.accounts.source_type | number | Denotes type of data. Value of 1 indicates compromised credentials. Value of 2 means that these are Endangered Credentials, and the password field contains a JSON dictionary instead of a password. |
VigilanteATI.Domain.accounts.email | string | A plaintext form of the email address from the account. The email address will always be lowercased. |
VigilanteATI.Domain.accounts.password | string | The encrypted password found in this leaked account credential. This field is the BASE64 encoded representation of the encrypted data. You will need to decrypt this password using a decryption key provided to you. |
VigilanteATI.DomainQueryToken | string | Token required to paginate the next set of results in. This is only provided if the number of items in the response exceeds our max pagination size. Otherwise it is set to an empty string. |
VigilanteATI.Domain.accounts.leak_id | string | Identifier of the leak where this account came from. You can use this ID to correlate account data to the leak. |
Command Example
!vigilante-query-domains domain="yahoo.com" limit="3"
Context Example
{
"VigilanteATI": {
"Domain": [
{
"accounts": [
{
"email": "foo4@yahoo.com",
"leak_id": "e1c5019aaf21ca585cb9f630d95e2301",
"password": "//dummypass==",
"source_type": 1,
"type_id": 1
},
{
"email": "foo6@yahoo.com",
"leak_id": "e1c5019aaf21ca585cb9f630d95e2301",
"password": "dummypass/stw==",
"source_type": 1,
"type_id": 1
},
{
"email": "foo7@yahoo.com",
"leak_id": "e1c5019aaf21ca585cb9f630d95e2301",
"password": "dummypass==",
"source_type": 1,
"type_id": 1
}
],
"domain": "yahoo.com"
}
]
}
}
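The account records returned by vigilante-query-accounts and vigilante-query-domains carry a source_type that changes the meaning of the password field: for type 1 it is a base64 blob of ciphertext that only your issued decryption key can open, for type 2 (Endangered Credentials) it is a JSON dictionary and not a password at all. A playbook that treats both the same way will either log ciphertext or choke on the JSON. The following is an added example, not part of the integration: it validates each record by source_type, keeps the ciphertext out of the summary, and rolls the results up per email address. The sample records are the three from the query-accounts context example plus one constructed type 2 record; the keys of the type 2 dictionary are an assumption, since the page does not describe them.

```python
import base64
import binascii
import json
from collections import defaultdict
from typing import Any, Dict, List


def parse_account_record(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Normalise one entry from VigilanteATI.Account or VigilanteATI.Domain.accounts.
    source_type 1: `password` is base64 ciphertext. We confirm it is well-formed
      base64 and record its size, but never decode it into the result.
    source_type 2: `password` is a JSON object describing the endangered
      credential; it is parsed and passed through as `details`."""
    st = rec.get("source_type")
    email = str(rec.get("email", "")).lower()
    leak_id = rec.get("leak_id", "")
    if st == 1:
        try:
            blob = base64.b64decode(rec.get("password", ""), validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"{email}: password field is not valid base64") from exc
        return {"email": email, "leak_id": leak_id, "kind": "compromised",
                "ciphertext_bytes": len(blob)}
    if st == 2:
        details = json.loads(rec.get("password", ""))
        if not isinstance(details, dict):
            raise ValueError(f"{email}: source_type 2 password field is not a JSON object")
        return {"email": email, "leak_id": leak_id, "kind": "endangered",
                "details": details}
    raise ValueError(f"{email}: unknown source_type {st!r}")


def summarize_accounts(records: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Roll records up per email address: the leaks it appears in and how many
    compromised vs endangered hits. This is the shape worth writing to an
    incident; the raw records with ciphertext stay in the command context."""
    summary: Dict[str, Dict[str, Any]] = defaultdict(
        lambda: {"leaks": set(), "compromised": 0, "endangered": 0})
    for rec in records:
        parsed = parse_account_record(rec)
        entry = summary[parsed["email"]]
        entry["leaks"].add(parsed["leak_id"])
        entry[parsed["kind"]] += 1
    return {email: {**v, "leaks": sorted(v["leaks"])} for email, v in summary.items()}


# Constructed sample: the three records from the query-accounts context example
# above plus one invented source_type 2 record.
SAMPLE_RECORDS = [
    {"email": "16@gmail.com", "leak_id": "792b3740220e53017d3d0c16b87b5750",
     "password": "6FQS8sui06wUvI1voAEupvgMip30C+WqGjqQpIh/oC4YJSD2yPv8xpNVgCULgkGPQs6SYcnSrcIT4+qFB0mu/Q==",
     "source_type": 1, "type_id": 1},
    {"email": "16@gmail.com", "leak_id": "a657545e1ee7e4f1c4d2cc8aed217f3b",
     "password": "lW/it+jISMOKXK1DIE8Q3w==", "source_type": 1, "type_id": 1},
    {"email": "16@gmail.com", "leak_id": "a657545e1ee7e4f1c4d2cc8aed217f3b",
     "password": "rVWiTDWzwulB2HZPYv+3Ng==", "source_type": 1, "type_id": 1},
    {"email": "foo4@yahoo.com", "leak_id": "e1c5019aaf21ca585cb9f630d95e2301",
     "password": json.dumps({"note": "constructed endangered-credential payload"}),
     "source_type": 2, "type_id": 1},
]

if __name__ == "__main__":
    for email, info in summarize_accounts(SAMPLE_RECORDS).items():
        print(email, info)
```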
8. Add account identifiers to a watchlist
Adds account identifiers to your watchlist.
Base Command
vigilante-watchlist-add-accounts
Input
Argument Name | Description | Required |
---|---|---|
account_identifiers | Comma-separated string containing the account identifiers to add to your watchlist. All identifiers must be of the type given by the type parameter. Identifiers cannot be longer than 255 characters. Multiple occurrences of an identifier in the list are treated as a single identifier. The maximum number of account identifiers allowed per request is 100. Email addresses must adhere to RFC 2822. | Required |
type | The type of each account identifier, either "email" or "domain" | Required |
tag | A textual note to associate with each account identifier. Tags cannot be longer than 255 characters. (optional) | Optional |
Context Output
There is no context output for this command.
Command Example
!vigilante-watchlist-add-accounts account_identifiers="demisto.com" type="domain"
Context Example
N/A
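Loading a whole department's mailboxes onto the watchlist means respecting the per-request limits above (100 identifiers, 255 characters each, one type per call) and not letting a stray domain into an email batch. The following is an added example, not part of the integration: it cleans and deduplicates the input, rejects mixed or oversized identifiers up front, and returns one argument dictionary per vigilante-watchlist-add-accounts call, which an automation would then run in turn. The input list is constructed.

```python
from typing import Dict, Iterable, List

MAX_IDENTIFIERS_PER_REQUEST = 100   # limits taken from the argument description above
MAX_IDENTIFIER_LEN = 255
MAX_TAG_LEN = 255


def batch_watchlist_adds(identifiers: Iterable[str], id_type: str,
                         tag: str = "") -> List[Dict[str, str]]:
    """Turn an arbitrary-length list of identifiers into the argument sets for
    successive vigilante-watchlist-add-accounts calls (one dict per call).
    The documented limits are enforced client-side so a playbook fails on the
    offending input instead of on an opaque API error:
    - every identifier must match the single declared type (email or domain)
    - identifiers are deduplicated case-insensitively; the API treats repeats
      as one identifier anyway
    - at most 100 identifiers per request, each at most 255 characters
    - the tag, if given, is at most 255 characters"""
    if id_type not in ("email", "domain"):
        raise ValueError("type must be 'email' or 'domain'")
    if len(tag) > MAX_TAG_LEN:
        raise ValueError("tag cannot be longer than 255 characters")
    seen = set()
    cleaned: List[str] = []
    for raw in identifiers:
        ident = raw.strip().lower()
        if not ident or ident in seen:
            continue
        if len(ident) > MAX_IDENTIFIER_LEN:
            raise ValueError(f"identifier longer than 255 characters: {ident[:40]}...")
        looks_like_email = "@" in ident
        if id_type == "email" and not looks_like_email:
            raise ValueError(f"not an email address: {ident}")
        if id_type == "domain" and (looks_like_email or "." not in ident):
            raise ValueError(f"not a domain name: {ident}")
        seen.add(ident)
        cleaned.append(ident)
    batches: List[Dict[str, str]] = []
    for start in range(0, len(cleaned), MAX_IDENTIFIERS_PER_REQUEST):
        args = {"account_identifiers": ",".join(cleaned[start:start + MAX_IDENTIFIERS_PER_REQUEST]),
                "type": id_type}
        if tag:
            args["tag"] = tag
        batches.append(args)
    return batches


if __name__ == "__main__":
    # Constructed input: 250 addresses plus a duplicate with odd case and whitespace.
    users = [f"user{i}@example.com" for i in range(250)] + [" USER0@example.com "]
    for call in batch_watchlist_adds(users, "email", tag="finance-dept"):
        print(len(call["account_identifiers"].split(",")), call["type"], call.get("tag"))
```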
9. Remove account identifiers from a watchlist
Removes account identifiers from your watchlist.
Base Command
vigilante-watchlist-remove-accounts
Input
Argument Name | Description | Required |
---|---|---|
account_identifiers | Comma-separated string containing account identifiers to remove from your watchlist. Multiple occurrences of an identifier in the array are treated as a single identifier. The maximum number of account identifiers allowed per request is 100. (required) | Required |
Context Output
There is no context output for this command.
Command Example
!vigilante-watchlist-remove-accounts account_identifiers="demisto.com"
Context Example
N/A
10. Get a list of account identifiers on a watchlist
Retrieve account identifiers on your watchlist.
Base Command
vigilante-get-watchlist
Input
Argument Name | Description | Required |
---|---|---|
limit | Specifies the maximum number of identifiers to return. By default limit is set to 20, which means the result set is limited to the most recently added 20 identifiers. limit must be between 1 and 5000, inclusive. (optional) | Optional |
token | The token required to retrieve the next page of results. If this parameter is specified, the limit parameter is ignored. (optional) | Optional |
Context Output
Path | Type | Description |
---|---|---|
VigilanteATI.Watchlist | unknown | Watchlist of accounts |
VigilanteATI.Watchlist.identifier | unknown | Account identifier (e.g "john@domain.com") |
VigilanteATI.Watchlist.type | unknown | Identifier type ("email" or "domain") |
VigilanteATI.Watchlist.date_added | unknown | Date the identifier was added to the watchlist (YYYY-MM-DD) |
VigilanteATI.Watchlist.date_notified | unknown | Date of the latest matching intelligence (YYYY-MM-DD) |
VigilanteATI.Watchlist.tag | unknown | Identifier tag |
VigilanteATI.WatchlistQueryToken | string | The token parameter value required to retrieve the next page of results. The value is null if there are no more pages of results to retrieve. |
Command Example
!vigilante-get-watchlist limit="1"
Context Example
{
"VigilanteATI": {
"Watchlist": [
{
"date added": "2018-06-19",
"date notified": "",
"identifier": "example.gmail.com",
"tag": "",
"type": "email"
}
]
}
}
11. Get usage data for your account
Returns the usage data for your account.
Base Command
vigilante-account-usage-info
Input
There is no input for this command.
Context Output
There is no context output for this command.