Skip to main content

IntSights (Deprecated)

This Integration is part of the Rapid7 - Threat Command (IntSights) Pack.#

Deprecated

Use Rapid7 Threat Command instead.

Use IntSights to manage and mitigate threats. This integration was tested with Intsights API version 3.

Configure IntSights in Cortex#

ParameterRequired
Server URL (e.g. https://192.168.0.1)True
CredentialsTrue
PasswordTrue
Alert type to fetch as incidents, allowed: "AttackIndication", "DataLeakage", "Phishing", "BrandSecurity", "ExploitableData", "VIP"False
Minimum Alert severity level to fetch incidents incidents from, allowed values are: 'All', 'Low', 'Medium','High'(Setting to All will fetch all incidents)False
Trust any certificate (not secure)False
Use system proxy settingsFalse
Fetch incidentsFalse
First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)False
Max fetchFalse
Incident typeFalse
Sub Account ID (MSSP accounts only)False

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

intsights-get-alert-image#


Returns an image of an alert by ID.

Base Command#

intsights-get-alert-image

Input#

Argument NameDescriptionRequired
image-idThe ID of the image to return.Required

Context Output#

There is no context output for this command.

intsights-get-alert-activities#


Returns alert activities.

Base Command#

intsights-get-alert-activities

Input#

Argument NameDescriptionRequired
alert-idThe ID of the alert.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.
IntSights.Alerts.Activities.TypestringThe type of the activity.
IntSights.Alerts.Activities.InitiatorstringThe initiator of the alert.
IntSights.Alerts.Activities.CreatedDatedateThe date the alert was created.
IntSights.Alerts.Activities.UpdateDatedateThe date the alert was updated.
IntSights.Alerts.Activities.RemediationBlocklistUpdatestringThe remediation blocked list update.
IntSights.Alerts.Activities.AskTheAnalyst.RepliesstringThe replies to questions of the analyst.
IntSights.Alerts.Activities.Mail.RepliesstringThe replies to an email.
IntSights.Alerts.Activities.ReadBystringThe alert that was read by.

intsights-assign-alert#


Assigns an alert.

Base Command#

intsights-assign-alert

Input#

Argument NameDescriptionRequired
alert-idThe unique ID of the Alert.Required
assignee-emailThe user email of the assignee.Required
is-mssp-optionalWhether the assigned user is an MSSP user. Possible values are: true, false. Default is false.Optional

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.
IntSights.Alerts.Assignees.AssigneeIDstringThe ID of the assignee.

intsights-unassign-alert#


Unassigns an alert from a user.

Base Command#

intsights-unassign-alert

Input#

Argument NameDescriptionRequired
alert-idThe unique ID of the alert.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.

intsights-send-mail#


Sends an email containing a question and details of the alert.

Base Command#

intsights-send-mail

Input#

Argument NameDescriptionRequired
alert-idThe unique ID of the alert.Required
emailsThe destination email addresses array (comma-separated).Required
contentThe content added to the alert details.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the Alert.
IntSights.Alerts.Mail.EmailIDstringThe ID of the email.
IntSights.Alerts.QuestionstringDetails of the question.

intsights-ask-the-analyst#


Sends a question to the IntSights analyst about the requested alert.

Base Command#

intsights-ask-the-analyst

Input#

Argument NameDescriptionRequired
alert-idThe unique ID of the alert.Required
questionQuestion to ask the Intsights analyst about the requested alert.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the Alert.
IntSights.Alerts.QuestionstringDetails of the question.

intsights-add-tag-to-alert#


Adds a tag to the alert.

Base Command#

intsights-add-tag-to-alert

Input#

Argument NameDescriptionRequired
alert-idThe ID of the unique alert.Required
tag-nameThe new tag string.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.
IntSights.Alerts.Tags.TagNamestringThe name of the tag.
IntSights.Alerts.Tags.IDstringThe ID of the Tag.

intsights-remove-tag-from-alert#


Removes a tag from the specified alert.

Base Command#

intsights-remove-tag-from-alert

Input#

Argument NameDescriptionRequired
alert-idThe unique ID of the alert.Required
tag-idThe unique ID of the tag to remove.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.
IntSights.Alerts.Tags.IDstringThe ID of the tag.

intsights-add-comment-to-alert#


Adds a comment to a specified alert.

Base Command#

intsights-add-comment-to-alert

Input#

Argument NameDescriptionRequired
alert-idThe unique ID of the alert.Required
commentThe comment to add to the alert.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.
IntSights.Alerts.CommentstringThe comment in the alert.

intsights-update-alert-severity#


Changes the severity of a specified alert.

Base Command#

intsights-update-alert-severity

Input#

Argument NameDescriptionRequired
alert-idThe unique ID of the alert.Required
severityThe severity of the alert. Can be: "High", "Medium", or "Low". Possible values are: High, Medium, Low.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.
IntSights.Alerts.SeveritystringThe severity of the alert.

intsights-get-alert-by-id#


Returns the alert object by alert ID.

Base Command#

intsights-get-alert-by-id

Input#

Argument NameDescriptionRequired
alert-idThe unique ID of the alert.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.
IntSights.Alerts.SeveritystringThe severity of the alert.
IntSights.Alerts.TypestringThe type of the alert.
IntSights.Alerts.FoundDatedateThe date that the alert was found.
IntSights.Alerts.SourceTypestringThe source type of the alert.
IntSights.Alerts.SourceURLstringThe source URL of the alert.
IntSights.Alerts.SourceEmailstringThe source email of the alert.
IntSights.Alerts.SourceNetworkTypestringThe network type of the alert.
IntSights.Alerts.IsClosedbooleanWhether or not the alert is closed.
IntSights.Alerts.IsFlaggedbooleanWhether or not the alert is flagged.
IntSights.Alerts.Tags.CreatedBystringName of the service for which the tag was created.
IntSights.Alerts.Tag.NamestringName of the tag.
IntSights.Alerts.Tag.IDstringThe ID of the tag.
IntSights.Alerts.ImagesstringThe ID of the images.
IntSights.Alerts.DescriptionstringThe description of the alert.
IntSights.Alerts.TitlestringThe title of the alert.
IntSights.Alerts.TakedownStatusstringThe TakedownStatus of the alert.
IntSights.Alerts.SubTypestringThe sub type of the alert.

intsights-get-ioc-by-value#


Searches for an exact IOC value.

Base Command#

intsights-get-ioc-by-value

Input#

Argument NameDescriptionRequired
valueThe IOC value for which to search.Required

Context Output#

PathTypeDescription
IntSights.Iocs.ValuestringThe value of the IOC.
IntSights.Iocs.TypestringThe type of the IOC.
IntSights.Iocs.FirstSeendateThe date the IOC was first seen.
IntSights.Iocs.LastSeendateThe date the IOC was last seen.
IntSights.Iocs.LastUpdatedDatedateThe date the IOC was last updated.
IntSights.Iocs.SourceIDstringThe source ID of the IOC.
IntSights.Iocs.SourceNamestringThe source name of the IOC.
IntSights.Iocs.SourceConfidenceLevelstringThe confidence level of the IOC source.
IntSights.Iocs.SeveritystringThe severity of the IOC.
IntSights.Iocs.StatusstringThe status of the IOC.
IntSights.Iocs.Sources.namestringThe source name of the IOC.
IntSights.Iocs.Sources.confidenceLevelstringThe confidence level of the IOC source.
IntSights.Iocs.Sources.idstringThe source id of the IOC.
IntSights.Iocs.tagsArrayThe tags of the IOC.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe type of the indicator.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
File.NameStringThe full file name (including file extension).
File.Malicious.VendorStringThe vendor that reported the file as malicious.
File.Malicious.DescriptionStringA description explaining why the file was determined to be malicious.
File.MD5StringThe MD5 hash of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
URL.DataStringThe URL.
URL.Malicious.VendorStringThe vendor reporting the URL as malicious.
URL.Malicious.DescriptionStringA description of the malicious URL.
IP.Malicious.VendorStringThe vendor reporting the IP address as malicious.
IP.Malicious.DescriptionStringA description explaining why the IP address was reported as malicious.
IP.AddressStringIP address.
Domain.NameStringThe domain name. For example, "google.com".
Domain.Malicious.VendorStringThe vendor reporting the domain as malicious.
Domain.Malicious.DescriptionStringA description explaining why the domain was reported as malicious.

intsights-get-iocs#


Returns count totals of the available IOCs.

Base Command#

intsights-get-iocs

Input#

Argument NameDescriptionRequired
typeThe type of the IOC. Can be: "Urls", "Hashes", "IpAddresses", or "domains". Possible values are: Urls, Hashes, IpAddresses, Domains.Optional
limitThe maximum number of results from 1-1000. Default is 1000.Optional
severityThe severity level of the IOC. Can be: "High", "Medium", or "Low". Possible values are: High, Medium, Low.Optional
source-IDThe source of the IOC.Optional
first-seen-fromBeginning of the date range when the IOC was first seen (MM/DD/YYYY). Default is 0.Optional
first-seen-toEnd of the date range when the IOC was first seen (MM/DD/YYYY). Default is 0.Optional
last-seen-fromBeginning of the date range when the IOC was last seen (MM/DD/YYYY). Default is 0.Optional
last-updated-fromBeginning of the date range when the IOC was last updated (YYYY-MM-DD).Optional
last-seen-toEnd of the date range when the IOC was last seen (MM/DD/YYYY). Default is 0.Optional

Context Output#

PathTypeDescription
IntSights.Iocs.ValuestringThe value of the IOC.
IntSights.Iocs.TypestringThe type of the IOC.
IntSights.Iocs.FirstSeendateThe date the IOC was first seen.
IntSights.Iocs.LastSeendateThe date the IOC was last seen.
IntSights.Iocs.LastUpdatedDatedateThe date the IOC was last updated.
IntSights.Iocs.SourceIDstringThe source ID of the IOC.
IntSights.Iocs.SourceNamestringThe source name of the IOC.
IntSights.Iocs.SourceConfidenceLevelstringThe confidence level of the IOC source.
IntSights.Iocs.SeveritystringThe severity of the IOC.
IntSights.Iocs.StatusstringThe status of the IOC.
IntSights.Iocs.Sources.namestringThe source name of the IOC.
IntSights.Iocs.Sources.confidenceLevelstringThe confidence level of the IOC source.
IntSights.Iocs.Sources.idstringThe source id of the IOC.
IntSights.Iocs.tagsArrayThe tags of the IOC.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe type of the indicator.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
File.NameStringThe full file name (including file extension).
File.Malicious.VendorStringThe vendor that reported the file as malicious.
File.Malicious.DescriptionStringA description explaining why the file was determined to be malicious.
File.MD5StringThe MD5 hash of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
URL.DataStringThe URL.
URL.Malicious.VendorStringThe vendor reporting the URL as malicious.
URL.Malicious.DescriptionStringA description of the malicious URL.
IP.Malicious.VendorStringThe vendor reporting the IP address as malicious.
IP.Malicious.DescriptionStringA description explaining why the IP address was reported as malicious.
IP.AddressStringIP address.
Domain.NameStringThe domain name. For example, "google.com".
Domain.Malicious.VendorStringThe vendor reporting the domain as malicious.
Domain.Malicious.DescriptionStringA description explaining why the domain was reported as malicious.

intsights-get-alerts#


Returns alerts.

Base Command#

intsights-get-alerts

Input#

Argument NameDescriptionRequired
alert-typeThe type of the alert. Can be: "AttackIndication", "DataLeakage", "Phishing", "BrandSecurity", "ExploitableData", "VIP". Possible values are: AttackIndication, DataLeakage, Phishing, BrandSecurity, ExploitableData, VIP.Optional
severityThe severity of the alert. Can be: "High", "Medium", or "Low". Possible values are: High, Medium, Low.Optional
source-typeThe source type of the alert. Can be: "ApplicationStores", "BlackMarkets", "HackingForums", "SocialMedia", "PasteSites", or "Others". Possible values are: ApplicationStores, BlackMarkets, HackingForums, SocialMedia, PasteSites, Others.Optional
network-typeThe network type of the alert. Can be: "ClearWeb", or "DarkWeb". Possible values are: ClearWeb, DarkWeb.Optional
source-date-fromThe start date for which to fetch in Millisecond Timestamp in UNIX.Optional
source-date-toThe end date for which to fetch in Millisecond Timestamp in UNIX.Optional
found-date-fromThe start date for which fetch in Millisecond Timestamp in UNIX.Optional
found-date-toThe end date for which fetch in Millisecond Timestamp in UNIX.Optional
assignedWhether to show assigned or unassigned alerts.Optional
is-flaggedWhether to show flagged or unflagged alerts.Optional
is-closedWhether to show closed/open alerts.Optional
time-deltaShows alerts within a specified time delta, given in days.Optional

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.
IntSights.Alerts.SeveritystringThe severity of the alert.
IntSights.Alerts.TypestringThe type of the alert.
IntSights.Alerts.FoundDatedateThe date that the alert was found.
IntSights.Alerts.SourceTypestringThe source type of the alert.
IntSights.Alerts.SourceURLstringThe source URL of the alert.
IntSights.Alerts.SourceEmailstringThe source email of the alert.
IntSights.Alerts.SourceNetworkTypestringThe network type of the alert.
IntSights.Alerts.IsClosedbooleanWhether or not the alert is closed.
IntSights.Alerts.IsFlaggedbooleanWhether or not the alert is flagged.
IntSights.Alerts.Tags.CreatedBystringName of the service that the tag was created.
IntSights.Alerts.Tag.NamestringName of the tag.
IntSights.Alerts.Tag.IDstringThe ID of the tag.
IntSights.Alerts.ImagesstringThe ID of each image.
IntSights.Alerts.DescriptionstringThe description of the alert.
IntSights.Alerts.TitlestringThe title of the alert.
IntSights.Alerts.TakedownStatusstringThe TakedownStatus of the alert.
IntSights.Alerts.SubTypestringThe sub type of the alert.

intsights-alert-takedown-request#


Requests an alert takedown.

Base Command#

intsights-alert-takedown-request

Input#

Argument NameDescriptionRequired
alert-idThe ID of the alert.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.

intsights-get-alert-takedown-status#


Returns the alert takedown status.

Base Command#

intsights-get-alert-takedown-status

Input#

Argument NameDescriptionRequired
alert-idThe ID of the alert.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.
IntSights.Alerts.TakedownStatusstringThe status of the takedown.

intsights-update-ioc-blocklist-status#


Updates the IOC block list status.

Base Command#

intsights-update-ioc-blocklist-status

Input#

Argument NameDescriptionRequired
alert-idThe ID of the alert.Required
typeA comma separated list of each type of IOC. Options: Domains, IPs, URLs.Required
valueA comma separated list of the value of the IOCs.Required
blocklist-statusA comma separated list of the IOCs block list status. Options: Sent, NotSent.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.
IntSights.Alerts.StatusstringThe status of the block list.

intsights-get-ioc-blocklist-status#


Returns the status of the IOC block list.

Base Command#

intsights-get-ioc-blocklist-status

Input#

Argument NameDescriptionRequired
alert-idThe ID of the alert.Required

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.
IntSights.Alerts.StatusstringThe status of the block list.

intsights-close-alert#


Closes an alert

Base Command#

intsights-close-alert

Input#

Argument NameDescriptionRequired
alert-idThe ID of the alert.Required
reasonThe reason to close the alert. Can be: "ProblemSolved", "InformationalOnly", "ProblemWeAreAlreadyAwareOf", "CompanyOwnedDomain", "LegitimateApplication/Profile", "NotRelatedToMyCompany", "FalsePositive", or "Other". Possible values are: ProblemSolved, InformationalOnly, ProblemWeAreAlreadyAwareOf, CompanyOwnedDomain, LegitimateApplication/Profile, NotRelatedToMyCompany, FalsePositive, Other.Required
free-textThe comments in the alert.Optional
is-hiddenThe hidden status of the alert. Deletes an alert from the account instance - only when reason is a FalsePositive). Possible values are: True, False. Default is False.Optional
rateThe rate of the alert.Optional

Context Output#

PathTypeDescription
IntSights.Alerts.IDstringThe ID of the alert.
IntSights.Alerts.Closed.ReasonstringThe closed reason of the alert.

intsights-mssp-get-sub-accounts#


Returns all Managed Security Service Provider's (MSSP) sub accounts.

Base Command#

intsights-mssp-get-sub-accounts

Input#

Argument NameDescriptionRequired

Context Output#

PathTypeDescription
IntSights.MsspAccount.IDStringThe ID of IntSights MSSP sub account.
IntSights.MsspAccount.StatusStringThe enabled status of IntSights MSSP sub account
IntSights.MsspAccount.AssetsCountNumberThe assets count of IntSights MSSP sub account.
IntSights.MsspAccount.AssetLimitNumberThe asset limit of IntSights MSSP sub account.
IntSights.MsspAccount.CompanyNameStringThe company name of IntSights MSSP sub account.

intsights-request-ioc-enrichment#


Request and receive enrichment of an IOC.

Base Command#

intsights-request-ioc-enrichment

Input#

Argument NameDescriptionRequired
valueThe IOC value for which to enrich.Required

Context Output#

PathTypeDescription
Domain.NameStringdomain name
Domain.DNSStringdomain dns
Domain.ResolutionsStringdomain resolutions
Domain.SubdomainsStringdomain subdomains
Domain.WHOIS/HistoryStringdomain whois
Domain.MaliciousStringdomain malicious
IP.AddressStringip address
IP.IpDetailsStringip details
IP.RelatedHashesStringip related hashes
IP.WHOISStringip whois
IP.MaliciousStringip malicious
URL.DataStringURL Data
URL.AntivirusDetectedEnginesStringURL Antivirus Detected Engines
URL.AntivirusDetectionRatioStringURL Antivirus Detection Ratio
URL.AntivirusDetectionsStringURL Antivirus Detections
URL.AntivirusScanDateStringURL Antivirus Scan Date
URL.RelatedHashesStringURL Related Hashes
URL.MaliciousStringURL Malicious
File.NameStringFile Name
File.AntivirusDetectedEnginesStringFile Antivirus Detected Engines
File.AntivirusDetectionRatioStringFile Antivirus Detection Ratio
File.AntivirusDetectionsStringFile Antivirus Detections
File.AntivirusScanDateStringFile Antivirus Scan Date
File.MaliciousStringFile Malicious
IntSights.Iocs.TypeStringIntSights Iocs Type
IntSights.Iocs.ValueStringIntSights Iocs Value
IntSights.Iocs.FirstSeenStringIntSights Iocs First Seen
IntSights.Iocs.LastSeenStringIntSights Iocs Last Seen
IntSights.Iocs.StatusStringIntSights Iocs Status
IntSights.Iocs.SeverityStringIntSights Iocs Severity
IntSights.Iocs.RelatedMalwaresStringIntSights Iocs Related Malwares
IntSights.Iocs.SourcesStringIntSights Iocs Sources
IntSights.Iocs.IsKnownIocStringIntSights Iocs Is Known Ioc
IntSightsIocs.RelatedThreatActorsStringIntSights Iocs Related Threat Actors
IntSights.Iocs.SystemTagsStringIntSights Iocs SystemTags
IntSights.Iocs.TagsStringIntSights Iocs Tags
IntSights.Iocs.WhitelistedStringIntSights Iocs Whitelisted
IntSights.Iocs.OriginalValueStringIntSights Iocs Original Value
Domain.WHOISStringDomain WHOIS