# IntSights (Deprecated)
This integration is part of the Rapid7 - Threat Command (IntSights) Pack.

Deprecated. Use Rapid7 Threat Command instead.

Use IntSights to manage and mitigate threats. This integration was tested with IntSights API version 3.

## Configure IntSights in Cortex

Parameter | Required |
---|---|
Server URL (e.g. https://192.168.0.1) | True |
Credentials | True |
Password | True |
Alert type to fetch as incidents, allowed: "AttackIndication", "DataLeakage", "Phishing", "BrandSecurity", "ExploitableData", "VIP" | False |
Minimum alert severity level from which to fetch incidents. Allowed values are: 'All', 'Low', 'Medium', 'High' (setting it to All fetches all incidents) | False |
Trust any certificate (not secure) | False |
Use system proxy settings | False |
Fetch incidents | False |
First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
Max fetch | False |
Incident type | False |
Sub Account ID (MSSP accounts only) | False |

## Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### intsights-get-alert-image
Returns an image of an alert by ID.

#### Base Command
`intsights-get-alert-image`

#### Input
Argument Name | Description | Required |
---|---|---|
image-id | The ID of the image to return. | Required |

#### Context Output
There is no context output for this command.

### intsights-get-alert-activities
Returns alert activities.

#### Base Command
`intsights-get-alert-activities`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The ID of the alert. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Activities.Type | string | The type of the activity. |
IntSights.Alerts.Activities.Initiator | string | The initiator of the alert. |
IntSights.Alerts.Activities.CreatedDate | date | The date the alert was created. |
IntSights.Alerts.Activities.UpdateDate | date | The date the alert was updated. |
IntSights.Alerts.Activities.RemediationBlocklistUpdate | string | The remediation blocklist update. |
IntSights.Alerts.Activities.AskTheAnalyst.Replies | string | The replies to the question asked of the analyst. |
IntSights.Alerts.Activities.Mail.Replies | string | The replies to an email. |
IntSights.Alerts.Activities.ReadBy | string | The user who read the alert. |

### intsights-assign-alert
Assigns an alert.

#### Base Command
`intsights-assign-alert`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the Alert. | Required |
assignee-email | The user email of the assignee. | Required |
is-mssp-optional | Whether the assigned user is an MSSP user. Possible values are: true, false. Default is false. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Assignees.AssigneeID | string | The ID of the assignee. |

### intsights-unassign-alert
Unassigns an alert from a user.

#### Base Command
`intsights-unassign-alert`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |

### intsights-send-mail
Sends an email containing a question and details of the alert.

#### Base Command
`intsights-send-mail`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
emails | The destination email addresses array (comma-separated). | Required |
content | The content added to the alert details. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the Alert. |
IntSights.Alerts.Mail.EmailID | string | The ID of the email. |
IntSights.Alerts.Question | string | Details of the question. |

### intsights-ask-the-analyst
Sends a question to the IntSights analyst about the requested alert.

#### Base Command
`intsights-ask-the-analyst`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
question | The question to ask the IntSights analyst about the requested alert. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the Alert. |
IntSights.Alerts.Question | string | Details of the question. |

### intsights-add-tag-to-alert
Adds a tag to the alert.

#### Base Command
`intsights-add-tag-to-alert`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
tag-name | The new tag string. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Tags.TagName | string | The name of the tag. |
IntSights.Alerts.Tags.ID | string | The ID of the Tag. |

### intsights-remove-tag-from-alert
Removes a tag from the specified alert.

#### Base Command
`intsights-remove-tag-from-alert`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
tag-id | The unique ID of the tag to remove. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Tags.ID | string | The ID of the tag. |

### intsights-add-comment-to-alert
Adds a comment to a specified alert.

#### Base Command
`intsights-add-comment-to-alert`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
comment | The comment to add to the alert. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Comment | string | The comment in the alert. |

### intsights-update-alert-severity
Changes the severity of a specified alert.

#### Base Command
`intsights-update-alert-severity`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
severity | The severity of the alert. Can be: "High", "Medium", or "Low". Possible values are: High, Medium, Low. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Severity | string | The severity of the alert. |

### intsights-get-alert-by-id
Returns the alert object by alert ID.

#### Base Command
`intsights-get-alert-by-id`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Severity | string | The severity of the alert. |
IntSights.Alerts.Type | string | The type of the alert. |
IntSights.Alerts.FoundDate | date | The date that the alert was found. |
IntSights.Alerts.SourceType | string | The source type of the alert. |
IntSights.Alerts.SourceURL | string | The source URL of the alert. |
IntSights.Alerts.SourceEmail | string | The source email of the alert. |
IntSights.Alerts.SourceNetworkType | string | The network type of the alert. |
IntSights.Alerts.IsClosed | boolean | Whether or not the alert is closed. |
IntSights.Alerts.IsFlagged | boolean | Whether or not the alert is flagged. |
IntSights.Alerts.Tags.CreatedBy | string | Name of the service for which the tag was created. |
IntSights.Alerts.Tag.Name | string | Name of the tag. |
IntSights.Alerts.Tag.ID | string | The ID of the tag. |
IntSights.Alerts.Images | string | The ID of the images. |
IntSights.Alerts.Description | string | The description of the alert. |
IntSights.Alerts.Title | string | The title of the alert. |
IntSights.Alerts.TakedownStatus | string | The takedown status of the alert. |
IntSights.Alerts.SubType | string | The subtype of the alert. |

### intsights-get-ioc-by-value
Searches for an exact IOC value.

#### Base Command
`intsights-get-ioc-by-value`

#### Input
Argument Name | Description | Required |
---|---|---|
value | The IOC value for which to search. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Iocs.Value | string | The value of the IOC. |
IntSights.Iocs.Type | string | The type of the IOC. |
IntSights.Iocs.FirstSeen | date | The date the IOC was first seen. |
IntSights.Iocs.LastSeen | date | The date the IOC was last seen. |
IntSights.Iocs.LastUpdatedDate | date | The date the IOC was last updated. |
IntSights.Iocs.SourceID | string | The source ID of the IOC. |
IntSights.Iocs.SourceName | string | The source name of the IOC. |
IntSights.Iocs.SourceConfidenceLevel | string | The confidence level of the IOC source. |
IntSights.Iocs.Severity | string | The severity of the IOC. |
IntSights.Iocs.Status | string | The status of the IOC. |
IntSights.Iocs.Sources.name | string | The source name of the IOC. |
IntSights.Iocs.Sources.confidenceLevel | string | The confidence level of the IOC source. |
IntSights.Iocs.Sources.id | string | The source ID of the IOC. |
IntSights.Iocs.tags | Array | The tags of the IOC. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The type of the indicator. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
File.Name | String | The full file name (including file extension). |
File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
File.Malicious.Description | String | A description explaining why the file was determined to be malicious. |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
URL.Data | String | The URL. |
URL.Malicious.Vendor | String | The vendor reporting the URL as malicious. |
URL.Malicious.Description | String | A description of the malicious URL. |
IP.Malicious.Vendor | String | The vendor reporting the IP address as malicious. |
IP.Malicious.Description | String | A description explaining why the IP address was reported as malicious. |
IP.Address | String | IP address. |
Domain.Name | String | The domain name. For example, "google.com". |
Domain.Malicious.Vendor | String | The vendor reporting the domain as malicious. |
Domain.Malicious.Description | String | A description explaining why the domain was reported as malicious. |

### intsights-get-iocs
Returns count totals of the available IOCs.

#### Base Command
`intsights-get-iocs`

#### Input
Argument Name | Description | Required |
---|---|---|
type | The type of the IOC. Can be: "Urls", "Hashes", "IpAddresses", or "domains". Possible values are: Urls, Hashes, IpAddresses, Domains. | Optional |
limit | The maximum number of results from 1-1000. Default is 1000. | Optional |
severity | The severity level of the IOC. Can be: "High", "Medium", or "Low". Possible values are: High, Medium, Low. | Optional |
source-ID | The source of the IOC. | Optional |
first-seen-from | Beginning of the date range when the IOC was first seen (MM/DD/YYYY). Default is 0. | Optional |
first-seen-to | End of the date range when the IOC was first seen (MM/DD/YYYY). Default is 0. | Optional |
last-seen-from | Beginning of the date range when the IOC was last seen (MM/DD/YYYY). Default is 0. | Optional |
last-updated-from | Beginning of the date range when the IOC was last updated (YYYY-MM-DD). | Optional |
last-seen-to | End of the date range when the IOC was last seen (MM/DD/YYYY). Default is 0. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Iocs.Value | string | The value of the IOC. |
IntSights.Iocs.Type | string | The type of the IOC. |
IntSights.Iocs.FirstSeen | date | The date the IOC was first seen. |
IntSights.Iocs.LastSeen | date | The date the IOC was last seen. |
IntSights.Iocs.LastUpdatedDate | date | The date the IOC was last updated. |
IntSights.Iocs.SourceID | string | The source ID of the IOC. |
IntSights.Iocs.SourceName | string | The source name of the IOC. |
IntSights.Iocs.SourceConfidenceLevel | string | The confidence level of the IOC source. |
IntSights.Iocs.Severity | string | The severity of the IOC. |
IntSights.Iocs.Status | string | The status of the IOC. |
IntSights.Iocs.Sources.name | string | The source name of the IOC. |
IntSights.Iocs.Sources.confidenceLevel | string | The confidence level of the IOC source. |
IntSights.Iocs.Sources.id | string | The source ID of the IOC. |
IntSights.Iocs.tags | Array | The tags of the IOC. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The type of the indicator. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
File.Name | String | The full file name (including file extension). |
File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
File.Malicious.Description | String | A description explaining why the file was determined to be malicious. |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
URL.Data | String | The URL. |
URL.Malicious.Vendor | String | The vendor reporting the URL as malicious. |
URL.Malicious.Description | String | A description of the malicious URL. |
IP.Malicious.Vendor | String | The vendor reporting the IP address as malicious. |
IP.Malicious.Description | String | A description explaining why the IP address was reported as malicious. |
IP.Address | String | IP address. |
Domain.Name | String | The domain name. For example, "google.com". |
Domain.Malicious.Vendor | String | The vendor reporting the domain as malicious. |
Domain.Malicious.Description | String | A description explaining why the domain was reported as malicious. |

### intsights-get-alerts
Returns alerts.

#### Base Command
`intsights-get-alerts`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-type | The type of the alert. Can be: "AttackIndication", "DataLeakage", "Phishing", "BrandSecurity", "ExploitableData", "VIP". Possible values are: AttackIndication, DataLeakage, Phishing, BrandSecurity, ExploitableData, VIP. | Optional |
severity | The severity of the alert. Can be: "High", "Medium", or "Low". Possible values are: High, Medium, Low. | Optional |
source-type | The source type of the alert. Can be: "ApplicationStores", "BlackMarkets", "HackingForums", "SocialMedia", "PasteSites", or "Others". Possible values are: ApplicationStores, BlackMarkets, HackingForums, SocialMedia, PasteSites, Others. | Optional |
network-type | The network type of the alert. Can be: "ClearWeb", or "DarkWeb". Possible values are: ClearWeb, DarkWeb. | Optional |
source-date-from | The start of the source date range to fetch, as a UNIX timestamp in milliseconds. | Optional |
source-date-to | The end of the source date range to fetch, as a UNIX timestamp in milliseconds. | Optional |
found-date-from | The start of the found date range to fetch, as a UNIX timestamp in milliseconds. | Optional |
found-date-to | The end of the found date range to fetch, as a UNIX timestamp in milliseconds. | Optional |
assigned | Whether to show assigned or unassigned alerts. | Optional |
is-flagged | Whether to show flagged or unflagged alerts. | Optional |
is-closed | Whether to show closed/open alerts. | Optional |
time-delta | Shows alerts within a specified time delta, given in days. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Severity | string | The severity of the alert. |
IntSights.Alerts.Type | string | The type of the alert. |
IntSights.Alerts.FoundDate | date | The date that the alert was found. |
IntSights.Alerts.SourceType | string | The source type of the alert. |
IntSights.Alerts.SourceURL | string | The source URL of the alert. |
IntSights.Alerts.SourceEmail | string | The source email of the alert. |
IntSights.Alerts.SourceNetworkType | string | The network type of the alert. |
IntSights.Alerts.IsClosed | boolean | Whether or not the alert is closed. |
IntSights.Alerts.IsFlagged | boolean | Whether or not the alert is flagged. |
IntSights.Alerts.Tags.CreatedBy | string | Name of the service for which the tag was created. |
IntSights.Alerts.Tag.Name | string | Name of the tag. |
IntSights.Alerts.Tag.ID | string | The ID of the tag. |
IntSights.Alerts.Images | string | The ID of each image. |
IntSights.Alerts.Description | string | The description of the alert. |
IntSights.Alerts.Title | string | The title of the alert. |
IntSights.Alerts.TakedownStatus | string | The takedown status of the alert. |
IntSights.Alerts.SubType | string | The subtype of the alert. |

### intsights-alert-takedown-request
Requests an alert takedown.

#### Base Command
`intsights-alert-takedown-request`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The ID of the alert. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |

### intsights-get-alert-takedown-status
Returns the alert takedown status.

#### Base Command
`intsights-get-alert-takedown-status`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The ID of the alert. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.TakedownStatus | string | The status of the takedown. |

### intsights-update-ioc-blocklist-status
Updates the IOC block list status.

#### Base Command
`intsights-update-ioc-blocklist-status`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The ID of the alert. | Required |
type | A comma-separated list of the type of each IOC. Options: Domains, IPs, URLs. | Required |
value | A comma-separated list of the IOC values, in the same order as the types. | Required |
blocklist-status | A comma-separated list of the block list status of each IOC, in the same order. Options: Sent, NotSent. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Status | string | The status of the block list. |

### intsights-get-ioc-blocklist-status
Returns the status of the IOC block list.

#### Base Command
`intsights-get-ioc-blocklist-status`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The ID of the alert. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Status | string | The status of the block list. |

### intsights-close-alert
Closes an alert.

#### Base Command
`intsights-close-alert`

#### Input
Argument Name | Description | Required |
---|---|---|
alert-id | The ID of the alert. | Required |
reason | The reason to close the alert. Can be: "ProblemSolved", "InformationalOnly", "ProblemWeAreAlreadyAwareOf", "CompanyOwnedDomain", "LegitimateApplication/Profile", "NotRelatedToMyCompany", "FalsePositive", or "Other". Possible values are: ProblemSolved, InformationalOnly, ProblemWeAreAlreadyAwareOf, CompanyOwnedDomain, LegitimateApplication/Profile, NotRelatedToMyCompany, FalsePositive, Other. | Required |
free-text | The comments in the alert. | Optional |
is-hidden | Whether to hide the alert. Setting it to True deletes the alert from the account instance (only when the reason is FalsePositive). Possible values are: True, False. Default is False. | Optional |
rate | The rate of the alert. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Closed.Reason | string | The closed reason of the alert. |
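The argument rules this page documents for intsights-get-iocs (two different date formats, a limit of 1-1000), intsights-update-ioc-blocklist-status (three parallel comma-separated lists) and intsights-close-alert (is-hidden only together with reason FalsePositive) are easy to get wrong from an automation. The following Python is an added example, not the integration's own code, that builds and validates those argument dictionaries client-side before an automation hands them to the commands; it never calls the IntSights API. The alert ID, domain and IP address are constructed sample values, and two rules are this example's own assumptions rather than documented behaviour: a comma inside an IOC value is rejected because it would shift the parallel lists, and is-hidden with a reason other than FalsePositive is treated as an error instead of being sent.

```python
"""Client-side checks for three command argument sets documented on this page.
Added example, not the IntSights integration's own code; it builds and validates
argument dictionaries and never calls the API."""
from datetime import datetime

IOC_TYPES = {"Urls", "Hashes", "IpAddresses", "Domains"}
SEVERITIES = {"High", "Medium", "Low"}
BLOCKLIST_TYPES = {"Domains", "IPs", "URLs"}
BLOCKLIST_STATUSES = {"Sent", "NotSent"}
CLOSE_REASONS = {"ProblemSolved", "InformationalOnly", "ProblemWeAreAlreadyAwareOf",
                 "CompanyOwnedDomain", "LegitimateApplication/Profile",
                 "NotRelatedToMyCompany", "FalsePositive", "Other"}
# Two different date formats are documented for intsights-get-iocs:
# MM/DD/YYYY for the seen ranges, YYYY-MM-DD for last-updated-from.
DATE_FORMATS = {"first-seen-from": "%m/%d/%Y", "first-seen-to": "%m/%d/%Y",
                "last-seen-from": "%m/%d/%Y", "last-seen-to": "%m/%d/%Y",
                "last-updated-from": "%Y-%m-%d"}


def _check_date(arg, value):
    """Return value unchanged if it matches the format documented for arg."""
    try:
        datetime.strptime(value, DATE_FORMATS[arg])
    except ValueError:
        raise ValueError(f"{arg}={value!r} must use {DATE_FORMATS[arg]}") from None
    return value


def get_iocs_args(ioc_type=None, limit=1000, severity=None, source_id=None, **dates):
    """Arguments for intsights-get-iocs; date arguments are keywords such as
    first_seen_from="01/15/2023", mapped to the hyphenated command names."""
    if ioc_type is not None and ioc_type not in IOC_TYPES:
        raise ValueError(f"type must be one of {sorted(IOC_TYPES)}")
    if not 1 <= int(limit) <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    args = {"limit": str(limit)}
    for key, val in (("type", ioc_type), ("severity", severity), ("source-ID", source_id)):
        if val is not None:
            args[key] = val
    for name, value in dates.items():
        arg = name.replace("_", "-")
        if arg not in DATE_FORMATS:
            raise ValueError(f"unknown date argument {arg}")
        args[arg] = _check_date(arg, value)
    return args


def update_blocklist_args(alert_id, iocs):
    """Arguments for intsights-update-ioc-blocklist-status from (type, value, status)
    triples. The command takes three parallel comma-separated lists, so building
    them from triples keeps them aligned; a comma inside a value would shift the
    other lists, so such values are rejected (this example's rule, not a documented one)."""
    if not iocs:
        raise ValueError("at least one IOC is required")
    for ioc_type, value, status in iocs:
        if ioc_type not in BLOCKLIST_TYPES or status not in BLOCKLIST_STATUSES:
            raise ValueError(f"bad type/status for {value!r}: {ioc_type}, {status}")
        if "," in value:
            raise ValueError(f"IOC value {value!r} contains a comma and would split the list")
    return {"alert-id": alert_id,
            "type": ",".join(t for t, _, _ in iocs),
            "value": ",".join(v for _, v, _ in iocs),
            "blocklist-status": ",".join(s for _, _, s in iocs)}


def close_alert_args(alert_id, reason, free_text=None, is_hidden=False, rate=None):
    """Arguments for intsights-close-alert. is-hidden deletes the alert and is documented
    only for reason FalsePositive; other combinations are rejected here rather than sent
    (assumption: the page does not say how the API treats them)."""
    if reason not in CLOSE_REASONS:
        raise ValueError(f"reason must be one of {sorted(CLOSE_REASONS)}")
    if is_hidden and reason != "FalsePositive":
        raise ValueError("is-hidden=True is only documented with reason=FalsePositive")
    args = {"alert-id": alert_id, "reason": reason, "is-hidden": str(bool(is_hidden))}
    if free_text:
        args["free-text"] = free_text
    if rate is not None:
        args["rate"] = str(rate)
    return args


if __name__ == "__main__":
    # Constructed sample values: placeholder alert ID, documentation-range IP address.
    print(get_iocs_args("Domains", 50, severity="High", first_seen_from="01/15/2023"))
    print(update_blocklist_args("ALERT-ID-PLACEHOLDER",
                                [("Domains", "bad.example", "Sent"), ("IPs", "203.0.113.5", "NotSent")]))
    print(close_alert_args("ALERT-ID-PLACEHOLDER", "FalsePositive", is_hidden=True))
```

Each function returns the plain dictionary of hyphenated argument names the command expects, so an automation can validate once and pass the result straight on; a ValueError surfaces a malformed date, an out-of-range limit or a misaligned block list before anything reaches the server.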

### intsights-mssp-get-sub-accounts
Returns all Managed Security Service Provider (MSSP) sub accounts.

#### Base Command
`intsights-mssp-get-sub-accounts`

#### Input
There are no input arguments for this command.

#### Context Output
Path | Type | Description |
---|---|---|
IntSights.MsspAccount.ID | String | The ID of the IntSights MSSP sub account. |
IntSights.MsspAccount.Status | String | The enabled status of the IntSights MSSP sub account. |
IntSights.MsspAccount.AssetsCount | Number | The asset count of the IntSights MSSP sub account. |
IntSights.MsspAccount.AssetLimit | Number | The asset limit of the IntSights MSSP sub account. |
IntSights.MsspAccount.CompanyName | String | The company name of the IntSights MSSP sub account. |

### intsights-request-ioc-enrichment
Requests and returns enrichment for an IOC.

#### Base Command
`intsights-request-ioc-enrichment`

#### Input
Argument Name | Description | Required |
---|---|---|
value | The IOC value to enrich. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Domain.Name | String | The domain name. |
Domain.DNS | String | The DNS data of the domain. |
Domain.Resolutions | String | The resolutions of the domain. |
Domain.Subdomains | String | The subdomains of the domain. |
Domain.WHOIS/History | String | The WHOIS history of the domain. |
Domain.Malicious | String | The malicious details of the domain. |
IP.Address | String | The IP address. |
IP.IpDetails | String | The details of the IP address. |
IP.RelatedHashes | String | The hashes related to the IP address. |
IP.WHOIS | String | The WHOIS data of the IP address. |
IP.Malicious | String | The malicious details of the IP address. |
URL.Data | String | The URL. |
URL.AntivirusDetectedEngines | String | The antivirus engines that detected the URL. |
URL.AntivirusDetectionRatio | String | The antivirus detection ratio of the URL. |
URL.AntivirusDetections | String | The antivirus detections for the URL. |
URL.AntivirusScanDate | String | The antivirus scan date of the URL. |
URL.RelatedHashes | String | The hashes related to the URL. |
URL.Malicious | String | The malicious details of the URL. |
File.Name | String | The file name. |
File.AntivirusDetectedEngines | String | The antivirus engines that detected the file. |
File.AntivirusDetectionRatio | String | The antivirus detection ratio of the file. |
File.AntivirusDetections | String | The antivirus detections for the file. |
File.AntivirusScanDate | String | The antivirus scan date of the file. |
File.Malicious | String | The malicious details of the file. |
IntSights.Iocs.Type | String | The type of the IOC. |
IntSights.Iocs.Value | String | The value of the IOC. |
IntSights.Iocs.FirstSeen | String | The date the IOC was first seen. |
IntSights.Iocs.LastSeen | String | The date the IOC was last seen. |
IntSights.Iocs.Status | String | The status of the IOC. |
IntSights.Iocs.Severity | String | The severity of the IOC. |
IntSights.Iocs.RelatedMalwares | String | The malware related to the IOC. |
IntSights.Iocs.Sources | String | The sources of the IOC. |
IntSights.Iocs.IsKnownIoc | String | The known-IOC status of the IOC. |
IntSightsIocs.RelatedThreatActors | String | The threat actors related to the IOC. |
IntSights.Iocs.SystemTags | String | The system tags of the IOC. |
IntSights.Iocs.Tags | String | The tags of the IOC. |
IntSights.Iocs.Whitelisted | String | The whitelisted status of the IOC. |
IntSights.Iocs.OriginalValue | String | The original value of the IOC. |
Domain.WHOIS | String | The WHOIS data of the domain. |