IntSights
IntSights Pack.#
This Integration is part of theUse IntSights to manage and mitigate threats. This integration was tested with Intsights API version 3.
#
Configure IntSights on Cortex XSOARNavigate to Settings > Integrations > Servers & Services.
Search for IntSights.
Click Add instance to create and configure a new integration instance.
Parameter Required Server URL (e.g. https://192.168.0.1) True Credentials True Password True Alert type to fetch as incidents, allowed: "AttackIndication", "DataLeakage", "Phishing", "BrandSecurity", "ExploitableData", "VIP" False Minimum Alert severity level to fetch incidents incidents from, allowed values are: 'All', 'Low', 'Medium','High'(Setting to All will fetch all incidents) False Trust any certificate (not secure) False Use system proxy settings False Fetch incidents False Last date to fetch. e.g., "1 min ago","2 weeks ago","3 months ago" False First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) False Max fetch False Incident type False Sub Account ID (MSSP accounts only) False Click Test to validate the URLs, token, and connection.
#
CommandsYou can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
intsights-get-alert-imageReturns an image of an alert by ID.
#
Base Commandintsights-get-alert-image
#
InputArgument Name | Description | Required |
---|---|---|
image-id | The ID of the image to return. | Required |
#
Context OutputThere is no context output for this command.
#
intsights-get-alert-activitiesReturns alert activities.
#
Base Commandintsights-get-alert-activities
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The ID of the alert. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Activities.Type | string | The type of the activity. |
IntSights.Alerts.Activities.Initiator | string | The initiator of the alert. |
IntSights.Alerts.Activities.CreatedDate | date | The date the alert was created. |
IntSights.Alerts.Activities.UpdateDate | date | The date the alert was updated. |
IntSights.Alerts.Activities.RemediationBlocklistUpdate | string | The remediation blocked list update. |
IntSights.Alerts.Activities.AskTheAnalyst.Replies | string | The replies to questions of the analyst. |
IntSights.Alerts.Activities.Mail.Replies | string | The replies to an email. |
IntSights.Alerts.Activities.ReadBy | string | The alert that was read by. |
#
intsights-assign-alertAssigns an alert.
#
Base Commandintsights-assign-alert
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the Alert. | Required |
assignee-email | The user email of the assignee. | Required |
is-mssp-optional | Whether the assigned user is an MSSP user. Possible values are: true, false. Default is false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Assignees.AssigneeID | string | The ID of the assignee. |
#
intsights-unassign-alertUnassigns an alert from a user.
#
Base Commandintsights-unassign-alert
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
#
intsights-send-mailSends an email containing a question and details of the alert.
#
Base Commandintsights-send-mail
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
emails | The destination email addresses array (comma-separated). | Required |
content | The content added to the alert details. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the Alert. |
IntSights.Alerts.Mail.EmailID | string | The ID of the email. |
IntSights.Alerts.Question | string | Details of the question. |
#
intsights-ask-the-analystSends a question to the IntSights analyst about the requested alert.
#
Base Commandintsights-ask-the-analyst
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
question | Question to ask the Intsights analyst about the requested alert. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the Alert. |
IntSights.Alerts.Question | string | Details of the question. |
#
intsights-add-tag-to-alertAdds a tag to the alert.
#
Base Commandintsights-add-tag-to-alert
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The ID of the unique alert. | Required |
tag-name | The new tag string. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Tags.TagName | string | The name of the tag. |
IntSights.Alerts.Tags.ID | string | The ID of the Tag. |
#
intsights-remove-tag-from-alertRemoves a tag from the specified alert.
#
Base Commandintsights-remove-tag-from-alert
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
tag-id | The unique ID of the tag to remove. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Tags.ID | string | The ID of the tag. |
#
intsights-add-comment-to-alertAdds a comment to a specified alert.
#
Base Commandintsights-add-comment-to-alert
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
comment | The comment to add to the alert. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Comment | string | The comment in the alert. |
#
intsights-update-alert-severityChanges the severity of a specified alert.
#
Base Commandintsights-update-alert-severity
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
severity | The severity of the alert. Can be: "High", "Medium", or "Low". Possible values are: High, Medium, Low. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Severity | string | The severity of the alert. |
#
intsights-get-alert-by-idReturns the alert object by alert ID.
#
Base Commandintsights-get-alert-by-id
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The unique ID of the alert. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Severity | string | The severity of the alert. |
IntSights.Alerts.Type | string | The type of the alert. |
IntSights.Alerts.FoundDate | date | The date that the alert was found. |
IntSights.Alerts.SourceType | string | The source type of the alert. |
IntSights.Alerts.SourceURL | string | The source URL of the alert. |
IntSights.Alerts.SourceEmail | string | The source email of the alert. |
IntSights.Alerts.SourceNetworkType | string | The network type of the alert. |
IntSights.Alerts.IsClosed | boolean | Whether or not the alert is closed. |
IntSights.Alerts.IsFlagged | boolean | Whether or not the alert is flagged. |
IntSights.Alerts.Tags.CreatedBy | string | Name of the service for which the tag was created. |
IntSights.Alerts.Tag.Name | string | Name of the tag. |
IntSights.Alerts.Tag.ID | string | The ID of the tag. |
IntSights.Alerts.Images | string | The ID of the images. |
IntSights.Alerts.Description | string | The description of the alert. |
IntSights.Alerts.Title | string | The title of the alert. |
IntSights.Alerts.TakedownStatus | string | The TakedownStatus of the alert. |
IntSights.Alerts.SubType | string | The sub type of the alert. |
#
intsights-get-ioc-by-valueSearches for an exact IOC value.
#
Base Commandintsights-get-ioc-by-value
#
InputArgument Name | Description | Required |
---|---|---|
value | The IOC value for which to search. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Iocs.Value | string | The value of the IOC. |
IntSights.Iocs.Type | string | The type of the IOC. |
IntSights.Iocs.FirstSeen | date | The date the IOC was first seen. |
IntSights.Iocs.LastSeen | date | The date the IOC was last seen. |
IntSights.Iocs.LastUpdatedDate | date | The date the IOC was last updated. |
IntSights.Iocs.SourceID | string | The source ID of the IOC. |
IntSights.Iocs.SourceName | string | The source name of the IOC. |
IntSights.Iocs.SourceConfidenceLevel | string | The confidence level of the IOC source. |
IntSights.Iocs.Severity | string | The severity of the IOC. |
IntSights.Iocs.Status | string | The status of the IOC. |
IntSights.Iocs.Sources.name | string | The source name of the IOC. |
IntSights.Iocs.Sources.confidenceLevel | string | The confidence level of the IOC source. |
IntSights.Iocs.Sources.id | string | The source id of the IOC. |
IntSights.Iocs.tags | Array | The tags of the IOC. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The type of the indicator. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
File.Name | String | The full file name (including file extension). |
File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
File.Malicious.Description | String | A description explaining why the file was determined to be malicious. |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
URL.Data | String | The URL. |
URL.Malicious.Vendor | String | The vendor reporting the URL as malicious. |
URL.Malicious.Description | String | A description of the malicious URL. |
IP.Malicious.Vendor | String | The vendor reporting the IP address as malicious. |
IP.Malicious.Description | String | A description explaining why the IP address was reported as malicious. |
IP.Address | String | IP address. |
Domain.Name | String | The domain name. For example, "google.com". |
Domain.Malicious.Vendor | String | The vendor reporting the domain as malicious. |
Domain.Malicious.Description | String | A description explaining why the domain was reported as malicious. |
#
intsights-get-iocsReturns count totals of the available IOCs.
#
Base Commandintsights-get-iocs
#
InputArgument Name | Description | Required |
---|---|---|
type | The type of the IOC. Can be: "Urls", "Hashes", "IpAddresses", or "domains". Possible values are: Urls, Hashes, IpAddresses, Domains. | Optional |
limit | The maximum number of results from 1-1000. Default is 1000. | Optional |
severity | The severity level of the IOC. Can be: "High", "Medium", or "Low". Possible values are: High, Medium, Low. | Optional |
source-ID | The source of the IOC. | Optional |
first-seen-from | Beginning of the date range when the IOC was first seen (MM/DD/YYYY). Default is 0. | Optional |
first-seen-to | End of the date range when the IOC was first seen (MM/DD/YYYY). Default is 0. | Optional |
last-seen-from | Beginning of the date range when the IOC was last seen (MM/DD/YYYY). Default is 0. | Optional |
last-updated-from | Beginning of the date range when the IOC was last updated (YYYY-MM-DD). | Optional |
last-seen-to | End of the date range when the IOC was last seen (MM/DD/YYYY). Default is 0. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Iocs.Value | string | The value of the IOC. |
IntSights.Iocs.Type | string | The type of the IOC. |
IntSights.Iocs.FirstSeen | date | The date the IOC was first seen. |
IntSights.Iocs.LastSeen | date | The date the IOC was last seen. |
IntSights.Iocs.LastUpdatedDate | date | The date the IOC was last updated. |
IntSights.Iocs.SourceID | string | The source ID of the IOC. |
IntSights.Iocs.SourceName | string | The source name of the IOC. |
IntSights.Iocs.SourceConfidenceLevel | string | The confidence level of the IOC source. |
IntSights.Iocs.Severity | string | The severity of the IOC. |
IntSights.Iocs.Status | string | The status of the IOC. |
IntSights.Iocs.Sources.name | string | The source name of the IOC. |
IntSights.Iocs.Sources.confidenceLevel | string | The confidence level of the IOC source. |
IntSights.Iocs.Sources.id | string | The source id of the IOC. |
IntSights.Iocs.tags | Array | The tags of the IOC. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The type of the indicator. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
File.Name | String | The full file name (including file extension). |
File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
File.Malicious.Description | String | A description explaining why the file was determined to be malicious. |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
URL.Data | String | The URL. |
URL.Malicious.Vendor | String | The vendor reporting the URL as malicious. |
URL.Malicious.Description | String | A description of the malicious URL. |
IP.Malicious.Vendor | String | The vendor reporting the IP address as malicious. |
IP.Malicious.Description | String | A description explaining why the IP address was reported as malicious. |
IP.Address | String | IP address. |
Domain.Name | String | The domain name. For example, "google.com". |
Domain.Malicious.Vendor | String | The vendor reporting the domain as malicious. |
Domain.Malicious.Description | String | A description explaining why the domain was reported as malicious. |
#
intsights-get-alertsReturns alerts.
#
Base Commandintsights-get-alerts
#
InputArgument Name | Description | Required |
---|---|---|
alert-type | The type of the alert. Can be: "AttackIndication", "DataLeakage", "Phishing", "BrandSecurity", "ExploitableData", "VIP". Possible values are: AttackIndication, DataLeakage, Phishing, BrandSecurity, ExploitableData, VIP. | Optional |
severity | The severity of the alert. Can be: "High", "Medium", or "Low". Possible values are: High, Medium, Low. | Optional |
source-type | The source type of the alert. Can be: "ApplicationStores", "BlackMarkets", "HackingForums", "SocialMedia", "PasteSites", or "Others". Possible values are: ApplicationStores, BlackMarkets, HackingForums, SocialMedia, PasteSites, Others. | Optional |
network-type | The network type of the alert. Can be: "ClearWeb", or "DarkWeb". Possible values are: ClearWeb, DarkWeb. | Optional |
source-date-from | The start date for which to fetch in Millisecond Timestamp in UNIX. | Optional |
source-date-to | The end date for which to fetch in Millisecond Timestamp in UNIX. | Optional |
found-date-from | The start date for which fetch in Millisecond Timestamp in UNIX. | Optional |
found-date-to | The end date for which fetch in Millisecond Timestamp in UNIX. | Optional |
assigned | Whether to show assigned or unassigned alerts. | Optional |
is-flagged | Whether to show flagged or unflagged alerts. | Optional |
is-closed | Whether to show closed/open alerts. | Optional |
time-delta | Shows alerts within a specified time delta, given in days. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Severity | string | The severity of the alert. |
IntSights.Alerts.Type | string | The type of the alert. |
IntSights.Alerts.FoundDate | date | The date that the alert was found. |
IntSights.Alerts.SourceType | string | The source type of the alert. |
IntSights.Alerts.SourceURL | string | The source URL of the alert. |
IntSights.Alerts.SourceEmail | string | The source email of the alert. |
IntSights.Alerts.SourceNetworkType | string | The network type of the alert. |
IntSights.Alerts.IsClosed | boolean | Whether or not the alert is closed. |
IntSights.Alerts.IsFlagged | boolean | Whether or not the alert is flagged. |
IntSights.Alerts.Tags.CreatedBy | string | Name of the service that the tag was created. |
IntSights.Alerts.Tag.Name | string | Name of the tag. |
IntSights.Alerts.Tag.ID | string | The ID of the tag. |
IntSights.Alerts.Images | string | The ID of each image. |
IntSights.Alerts.Description | string | The description of the alert. |
IntSights.Alerts.Title | string | The title of the alert. |
IntSights.Alerts.TakedownStatus | string | The TakedownStatus of the alert. |
IntSights.Alerts.SubType | string | The sub type of the alert. |
#
intsights-alert-takedown-requestRequests an alert takedown.
#
Base Commandintsights-alert-takedown-request
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The ID of the alert. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
#
intsights-get-alert-takedown-statusReturns the alert takedown status.
#
Base Commandintsights-get-alert-takedown-status
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The ID of the alert. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.TakedownStatus | string | The status of the takedown. |
#
intsights-update-ioc-blocklist-statusUpdates the IOC block list status.
#
Base Commandintsights-update-ioc-blocklist-status
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The ID of the alert. | Required |
type | A comma separated list of each type of IOC. Options: Domains, IPs, URLs. | Required |
value | A comma separated list of the value of the IOCs. | Required |
blocklist-status | A comma separated list of the IOCs block list status. Options: Sent, NotSent. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Status | string | The status of the block list. |
#
intsights-get-ioc-blocklist-statusReturns the status of the IOC block list.
#
Base Commandintsights-get-ioc-blocklist-status
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The ID of the alert. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Status | string | The status of the block list. |
#
intsights-close-alertCloses an alert
#
Base Commandintsights-close-alert
#
InputArgument Name | Description | Required |
---|---|---|
alert-id | The ID of the alert. | Required |
reason | The reason to close the alert. Can be: "ProblemSolved", "InformationalOnly", "ProblemWeAreAlreadyAwareOf", "CompanyOwnedDomain", "LegitimateApplication/Profile", "NotRelatedToMyCompany", "FalsePositive", or "Other". Possible values are: ProblemSolved, InformationalOnly, ProblemWeAreAlreadyAwareOf, CompanyOwnedDomain, LegitimateApplication/Profile, NotRelatedToMyCompany, FalsePositive, Other. | Required |
free-text | The comments in the alert. | Optional |
is-hidden | The hidden status of the alert. Deletes an alert from the account instance - only when reason is a FalsePositive). Possible values are: True, False. Default is False. | Optional |
rate | The rate of the alert. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.Alerts.ID | string | The ID of the alert. |
IntSights.Alerts.Closed.Reason | string | The closed reason of the alert. |
#
intsights-mssp-get-sub-accountsReturns all Managed Security Service Provider's (MSSP) sub accounts.
#
Base Commandintsights-mssp-get-sub-accounts
#
InputArgument Name | Description | Required |
---|
#
Context OutputPath | Type | Description |
---|---|---|
IntSights.MsspAccount.ID | String | The ID of IntSights MSSP sub account. |
IntSights.MsspAccount.Status | String | The enabled status of IntSights MSSP sub account |
IntSights.MsspAccount.AssetsCount | Number | The assets count of IntSights MSSP sub account. |
IntSights.MsspAccount.AssetLimit | Number | The asset limit of IntSights MSSP sub account. |
IntSights.MsspAccount.CompanyName | String | The company name of IntSights MSSP sub account. |
#
intsights-request-ioc-enrichmentRequest and receive enrichment of an IOC.
#
Base Commandintsights-request-ioc-enrichment
#
InputArgument Name | Description | Required |
---|---|---|
value | The IOC value for which to enrich. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Domain.Name | String | domain name |
Domain.DNS | String | domain dns |
Domain.Resolutions | String | domain resolutions |
Domain.Subdomains | String | domain subdomains |
Domain.WHOIS/History | String | domain whois |
Domain.Malicious | String | domain malicious |
IP.Address | String | ip address |
IP.IpDetails | String | ip details |
IP.RelatedHashes | String | ip related hashes |
IP.WHOIS | String | ip whois |
IP.Malicious | String | ip malicious |
URL.Data | String | URL Data |
URL.AntivirusDetectedEngines | String | URL Antivirus Detected Engines |
URL.AntivirusDetectionRatio | String | URL Antivirus Detection Ratio |
URL.AntivirusDetections | String | URL Antivirus Detections |
URL.AntivirusScanDate | String | URL Antivirus Scan Date |
URL.RelatedHashes | String | URL Related Hashes |
URL.Malicious | String | URL Malicious |
File.Name | String | File Name |
File.AntivirusDetectedEngines | String | File Antivirus Detected Engines |
File.AntivirusDetectionRatio | String | File Antivirus Detection Ratio |
File.AntivirusDetections | String | File Antivirus Detections |
File.AntivirusScanDate | String | File Antivirus Scan Date |
File.Malicious | String | File Malicious |
IntSights.Iocs.Type | String | IntSights Iocs Type |
IntSights.Iocs.Value | String | IntSights Iocs Value |
IntSights.Iocs.FirstSeen | String | IntSights Iocs First Seen |
IntSights.Iocs.LastSeen | String | IntSights Iocs Last Seen |
IntSights.Iocs.Status | String | IntSights Iocs Status |
IntSights.Iocs.Severity | String | IntSights Iocs Severity |
IntSights.Iocs.RelatedMalwares | String | IntSights Iocs Related Malwares |
IntSights.Iocs.Sources | String | IntSights Iocs Sources |
IntSights.Iocs.IsKnownIoc | String | IntSights Iocs Is Known Ioc |
IntSightsIocs.RelatedThreatActors | String | IntSights Iocs Related Threat Actors |
IntSights.Iocs.SystemTags | String | IntSights Iocs SystemTags |
IntSights.Iocs.Tags | String | IntSights Iocs Tags |
IntSights.Iocs.Whitelisted | String | IntSights Iocs Whitelisted |
IntSights.Iocs.OriginalValue | String | IntSights Iocs Original Value |
Domain.WHOIS | String | Domain WHOIS |