Intezer v2
Use the Intezer v2 integration to detect and analyze malware, based on code reuse.
Configure Intezer v2 on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for Intezer v2.
- Click Add instance to create and configure a new integration instance.
  - Name: a textual name for the integration instance.
  - API Key
  - Use system proxy
  - Trust any certificate (not secure)
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Check file reputation by hash: intezer-analyze-by-hash
- Check file reputation by uploading a file: intezer-analyze-by-file
- Check analysis status and results: intezer-get-analysis-result
1. Check file reputation by hash
Checks the file reputation of the given hash. Supports SHA256, SHA1, and MD5.
Base Command
intezer-analyze-by-hash
Input
Argument Name | Description | Required |
---|---|---|
file_hash | Hash of the file to query. Supports SHA256, MD5, and SHA1. | Required |
Context Output
Path | Type | Description |
---|---|---|
Intezer.Analysis.ID | string | Intezer analysis ID. |
Intezer.Analysis.Status | string | Status of the analysis. |
Intezer.Analysis.Type | string | Analysis type. |
Command Example
intezer-analyze-by-hash file_hash="8cbf90aeab2c93b2819fcfd6262b2cdb"
Context Example
```json
{
  "Intezer.Analysis": {
    "Status": "Created",
    "type": "File",
    "ID": "59e2f081-45f3-4822-bf45-407670dcb4d7"
  }
}
```
Human Readable Output
Analysis created successfully
2. Check the reputation of a file
Checks file reputation for an uploaded file. Maximum file size is 32 MB.
Base Command
intezer-analyze-by-file
Input
Argument Name | Description | Required |
---|---|---|
file_entry_id | The entry ID of the file to upload. | Required |
Context Output
Path | Type | Description |
---|---|---|
Intezer.Analysis.ID | string | Intezer analysis ID. |
Intezer.Analysis.Status | string | Status of the analysis. |
Intezer.Analysis.Type | string | Analysis type. |
Command Example
intezer-analyze-by-file file_entry_id=1188@6
Context Example
```json
{
  "Intezer.Analysis": {
    "Status": "Created",
    "type": "File",
    "ID": "675515a1-62e9-4d55-880c-fd46a7963a56"
  }
}
```
Human Readable Output
Analysis created successfully
3. Check analysis status and results
Checks the analysis status and gets the analysis result. Supports file and endpoint analysis.
Base Command
intezer-get-analysis-result
Input
Argument Name | Description | Required |
---|---|---|
analysis_id | The analysis ID for which to get results. | Optional |
analysis_type | The type of analysis. | Optional |
indicator_name | Indicator to classify. | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | SHA256 hash of the file. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | Vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
File.Metadata | Unknown | Metadata returned from the Intezer analysis (analysis id, analysis url, family, family type, sha256, verdict, sub_verdict). Metadata is only returned for supported files. |
Endpoint.Metadata | Unknown | Metadata returned from Intezer analysis (endpoint analysis id, endpoint analysis url, families, verdict, host_name). |
Command Example
intezer-get-analysis-result analysis_id="9e3acdc3-b7ea-412b-88ae-7103eebc9398"
Context Example
```json
{
  "DBotScore": {
    "Vendor": "Intezer",
    "Indicator": "fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387",
    "Score": 0,
    "Type": "hash"
  },
  "Intezer.Analysis": {
    "Status": "Done",
    "ID": "9e3acdc3-b7ea-412b-88ae-7103eebc9398"
  },
  "File": {
    "ExistsInIntezer": true,
    "SHA256": "fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387",
    "Metadata": {
      "analysis_id": "9e3acdc3-b7ea-412b-88ae-7103eebc9398",
      "sub_verdict": "file_type_not_supported",
      "analysis_url": "https://analyze.intezer.com/#/analyses/9e3acdc3-b7ea-412b-88ae-7103eebc9398",
      "verdict": "not_supported",
      "sha256": "fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387",
      "is_private": true,
      "analysis_time": "Wed, 19 Jun 2019 07:48:12 GMT"
    }
  }
}
```
Human Readable Output
Intezer File analysis result
SHA256: fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387
Verdict: not_supported (file_type_not_supported)
Analysis Link
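The three commands above form one workflow: validate the indicator, submit it, poll intezer-get-analysis-result until Intezer.Analysis.Status is Done, then turn the File.Metadata verdict into a DBotScore. The following is an added example written for this page, not code from the Intezer integration. It uses only the context shapes shown above (the "Created" context of the analyze commands and the "Done" context from the result command, embedded here as constructed poll responses). The verdict names other than "not_supported", their mapping onto the DBotScore scale, and the two-step polling sequence are assumptions for illustration.

```python
"""Helpers around the context shapes documented for the Intezer v2 integration.

Added example, not part of the integration's own code. It relies only on what
the page documents: the hash types accepted by intezer-analyze-by-hash, the
Intezer.Analysis.Status context written by the analyze commands, and the
File/DBotScore context written by intezer-get-analysis-result. The verdict
strings other than "not_supported", the DBotScore mapping and the polling
sequence are assumptions made for illustration.
"""
import re
from typing import Callable, Iterator, Tuple

# Accepted hash formats; the hex digest length identifies the algorithm.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Demisto DBotScore scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
# Only "not_supported" -> 0 appears on the page; the other verdict names are assumed.
VERDICT_TO_DBOT_SCORE = {
    "malicious": 3,
    "suspicious": 2,
    "trusted": 1,
    "unknown": 0,
    "not_supported": 0,
}

SHA256 = "fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387"
ANALYSIS_ID = "9e3acdc3-b7ea-412b-88ae-7103eebc9398"

# Constructed poll responses: first what an analyze command leaves in context,
# then the "Done" context shown on the page for intezer-get-analysis-result.
CREATED_CTX = {"Intezer.Analysis": {"Status": "Created", "type": "File", "ID": ANALYSIS_ID}}
DONE_CTX = {
    "DBotScore": {"Vendor": "Intezer", "Indicator": SHA256, "Score": 0, "Type": "hash"},
    "Intezer.Analysis": {"Status": "Done", "ID": ANALYSIS_ID},
    "File": {
        "ExistsInIntezer": True,
        "SHA256": SHA256,
        "Metadata": {
            "analysis_id": ANALYSIS_ID,
            "sub_verdict": "file_type_not_supported",
            "analysis_url": f"https://analyze.intezer.com/#/analyses/{ANALYSIS_ID}",
            "verdict": "not_supported",
            "sha256": SHA256,
            "is_private": True,
            "analysis_time": "Wed, 19 Jun 2019 07:48:12 GMT",
        },
    },
}


def classify_hash(value: str) -> str:
    """Return 'md5', 'sha1' or 'sha256' for a digest the command accepts; raise otherwise."""
    value = value.strip()
    if not HEX_RE.match(value) or len(value) not in HASH_TYPES:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return HASH_TYPES[len(value)]


def is_supported_hash(value: str) -> bool:
    """Non-raising form of classify_hash, handy as a playbook pre-check."""
    try:
        classify_hash(value)
        return True
    except ValueError:
        return False


def poll_until_done(fetch: Callable[[str], dict], analysis_id: str,
                    max_polls: int = 10) -> Tuple[int, dict]:
    """Call fetch(analysis_id) until Intezer.Analysis.Status is 'Done'; returns (polls, context)."""
    for polls in range(1, max_polls + 1):
        ctx = fetch(analysis_id)
        if ctx["Intezer.Analysis"]["Status"] == "Done":
            return polls, ctx
    raise TimeoutError(f"analysis {analysis_id} not done after {max_polls} polls")


def file_result_to_dbot(ctx: dict) -> dict:
    """Derive the DBotScore entry from File.Metadata, cross-checking the reported identifiers."""
    file_ctx = ctx["File"]
    meta = file_ctx["Metadata"]
    if meta["sha256"] != file_ctx["SHA256"]:
        raise ValueError("File.SHA256 and File.Metadata.sha256 disagree")
    if meta["analysis_id"] != ctx["Intezer.Analysis"]["ID"]:
        raise ValueError("analysis id in metadata does not match the polled analysis")
    score = VERDICT_TO_DBOT_SCORE.get(meta["verdict"], 0)  # unlisted verdicts stay "unknown"
    return {"Vendor": "Intezer", "Indicator": file_ctx["SHA256"], "Score": score, "Type": "hash"}


def run_sample() -> dict:
    """Drive the constructed sequence: check the hash, poll, then score the result."""
    if not is_supported_hash(SHA256):
        raise ValueError("sample indicator is not a supported hash")
    responses: Iterator[dict] = iter([CREATED_CTX, DONE_CTX])
    polls, ctx = poll_until_done(lambda _id: next(responses), ANALYSIS_ID)
    dbot = file_result_to_dbot(ctx)
    return {"polls": polls, "dbot": dbot, "sub_verdict": ctx["File"]["Metadata"]["sub_verdict"]}


if __name__ == "__main__":
    print(run_sample())
```

Running the module prints the derived DBotScore for the page's sample analysis: the verdict not_supported yields Score 0, matching the DBotScore block shown in the context example. The cross-checks in file_result_to_dbot are the part worth copying into a playbook: a mismatch between File.SHA256 and Metadata.sha256, or between the metadata's analysis_id and the polled ID, means the result is not the one you asked for and should not be scored.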