Skip to main content

Intezer v2

This Integration is part of the Intezer Pack.#

Use the Intezer v2 integration to detect and analyze malware, based on code reuse.

Configure Intezer v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Intezer v2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    API KeyTrue
    Intezer Analyze Base URLThe API address to intezer Analyze - i.e. https://analyze.intezer.com/api/False
    Use system proxy settingsFalse
    Trust any certificate (not secure)False
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

intezer-analyze-by-hash#


Checks file reputation of the given hash, supports SHA256, SHA1 and MD5

Base Command#

intezer-analyze-by-hash

Input#

Argument NameDescriptionRequired
file_hashHash of the file to query. Supports SHA256, MD5 and SHA1.Required

Context Output#

PathTypeDescription
Intezer.Analysis.IDstringIntezer analysis id
Intezer.Analysis.Statusstringstatus of the analysis
Intezer.Analysis.Typestringtype of the analysis

Command Example#

!intezer-analyze-by-hash file_hash="<file hash>"

Context Example#

{
"Intezer.Analysis": {
"Status": "Created",
"type": "File",
"ID": "59e2f081-45f3-4822-bf45-407670dcb4d7"
}
}

Human Readable Output#

Analysis created successfully: 59e2f081-45f3-4822-bf45-407670dcb4d7

intezer-get-latest-report#


Checks file reputation of the given hash, supports SHA256, SHA1 and MD5 by looking at the latest available report

Base Command#

intezer-get-latest-report

Input#

Argument NameDescriptionRequired
file_hashHash of the file to query. Supports SHA256, MD5 and SHA1.Required

Context Output#

PathTypeDescription
File.SHA256stringHash SHA256
File.Malicious.VendorstringFor malicious files, the vendor that made the decision
DBotScore.IndicatorstringThe indicator we tested
DBotScore.TypestringThe type of the indicator
DBotScore.VendorstringVendor used to calculate the score
DBotScore.ScorenumberThe actual score
File.MetadataUnknownMetadata returned from Intezer analysis (analysis id, analysis url, family, family type, sha256, verdict, sub_verdict). Metedata will be retuned only for supported files.
File.ExistsInIntezerBooleanDoes the file exists on intezer genome database

Command Example#

intezer-get-latest-report file_hash="8cbf90aeab2c93b2819fcfd6262b2cdb"

Context Example#

{
"DBotScore": {
"Vendor": "Intezer",
"Indicator": "<some sha>>",
"Score": 0,
"Type": "hash"
},
"File": {
"ExistsInIntezer": true,
"SHA256": "<some sha256>",
"Metadata": {
"analysis_id": "006c54ba-3159-43a0-98a0-1c5032145f47",
"sub_verdict": "known_malicious",
"analysis_url": "https://analyze.intezer.com/analyses/006c54ba-3159-43a0-98a0-1c5032145f47",
"verdict": "malicious",
"family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9",
"family_name": "WannaCry",
"sha256": "<some sha256>",
"is_private": true,
"analysis_time": "Wed, 19 Jun 2019 07:48:12 GMT"
}
}
}

Human Readable Output#

Intezer File analysis result
----
SHA256: some-sha256
Verdict: malicious (known_malicious)
Family: WannaCry
Analysis Report
---
analysis_id 006c54ba-3159-43a0-98a0-1c5032145f47
analysis_time Tue, 29 Jun 2021 13:40:01 GMT
analysis_url https://analyze.intezer.com/analyses/006c54ba-3159-43a0-98a0-1c5032145f47
family_id 0b13c0d4-7779-4c06-98fa-4d33ca98f8a9
family_name WannaCry
is_private false
sha256 some-sha256
sub_verdict known_malicious
verdict malicious

intezer-analyze-by-file#


Checks file reputation for uploaded file (up to 150MB)

Base Command#

intezer-analyze-by-file

Input#

Argument NameDescriptionRequired
file_entry_idThe file entry id to upload.Required

Context Output#

PathTypeDescription
Intezer.Analysis.IDstringIntezer analysis id
Intezer.Analysis.Statusstringstatus of the analysis
Intezer.Analysis.Typestringtype of the analysis

Command Example#

intezer-analyze-by-file file_entry_id=1188@6

Context Example#

{
"Intezer.Analysis": {
"Status": "Created",
"type": "File",
"ID": "675515a1-62e9-4d55-880c-fd46a7963a56"
}
}

Human Readable Output#

Analysis created successfully: 675515a1-62e9-4d55-880c-fd46a7963a56

intezer-get-analysis-result#


Check the analysis status and get analysis result, support file and endpoint analysis

Base Command#

intezer-get-analysis-result

Input#

Argument NameDescriptionRequired
analysis_idThe analysis ID we want to get results for.Optional
analysis_typeThe type of the analysis. Possible values are: File, Endpoint. Default is File.Optional
indicator_nameindicator to classify.Optional

Context Output#

PathTypeDescription
File.SHA256stringHash SHA256
File.Malicious.VendorstringFor malicious files, the vendor that made the decision
DBotScore.IndicatorstringThe indicator we tested
DBotScore.TypestringThe type of the indicator
DBotScore.VendorstringVendor used to calculate the score
DBotScore.ScorenumberThe actual score
File.MetadataUnknownMetadata returned from Intezer analysis (analysis id, analysis url, family, family type, sha256, verdict, sub_verdict). Metedata will be retuned only for supported files.
Endpoint.MetadataUnknownMetadata returned from Intezer analysis (endpoint analysis id, endpoint analysis url, families, verdict, host_name)
File.ExistsInIntezerBooleanDoes the file exists on intezer genome database

Command Example#

intezer-get-analysis-result analysis_id="9e3acdc3-b7ea-412b-88ae-7103eebc9398"

Context Example#

{
"DBotScore": {
"Vendor": "Intezer",
"Indicator": "<some sha>>",
"Score": 0,
"Type": "hash"
},
"File": {
"ExistsInIntezer": true,
"SHA256": "<some sha256>",
"Metadata": {
"analysis_id": "006c54ba-3159-43a0-98a0-1c5032145f47",
"sub_verdict": "known_malicious",
"analysis_url": "https://analyze.intezer.com/analyses/006c54ba-3159-43a0-98a0-1c5032145f47",
"verdict": "malicious",
"family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9",
"family_name": "WannaCry",
"sha256": "<some sha256>",
"is_private": true,
"analysis_time": "Wed, 19 Jun 2019 07:48:12 GMT"
}
}
}

Human Readable Output#

Intezer File analysis result
----
SHA256: some-sha256
Verdict: malicious (known_malicious)
Family: WannaCry
Analysis Report
---
analysis_id 006c54ba-3159-43a0-98a0-1c5032145f47
analysis_time Tue, 29 Jun 2021 13:40:01 GMT
analysis_url https://analyze.intezer.com/analyses/006c54ba-3159-43a0-98a0-1c5032145f47
family_id 0b13c0d4-7779-4c06-98fa-4d33ca98f8a9
family_name WannaCry
is_private false
sha256 some-sha256
sub_verdict known_malicious
verdict malicious

intezer-get-sub-analyses#


Get a list of the analysis sub analyses

Base Command#

intezer-get-sub-analyses

Input#

Argument NameDescriptionRequired
analysis_idThe analysis ID we want to get the sub analyses for.Required

Context Output#

PathTypeDescription
Intezer.Analysis.IDstringIntezer analysis id
Intezer.Analysis.SubAnalysesIDsUnknownList of all sub analyses of the give analysis

Command Example#

intezer-get-sub-analyses analysis_id=006c54ba-3159-43a0-98a0-1c5032145f47

Context Example#

{
"Intezer.Analysis": {
"Status": "Done",
"type": "File",
"ID": "675515a1-62e9-4d55-880c-fd46a7963a56",
"SubAnalysesIDs": [
"2bf5baa9-6964-4171-b060-5e3d8de8741f"
]
}
}

Human Readable Output#

Sub Analyses -
[
...
List of analyses ids
...
]

intezer-get-family-info#


Get family information from Intezer Analyze

Base Command#

intezer-get-family-info

Input#

Argument NameDescriptionRequired
family_idThe Family ID.Required

Context Output#

PathTypeDescription
Intezer.Family.IDstringFamily id in intezer genome database
Intezer.Family.NamestringFamily name
Intezer.Family.TypestringFamily Type

Command Example#

intezer-get-family-info family_id=006c54ba-3159-43a0-98a0-1c5032145f47

Context Example#

{
"Intezer.Family": {
"ID": "e710e4b3-3dd1-40ff-be74-9d8a95466ae4",
"Type": "malware",
"Name": "CobaltStrike"
}
}

Human Readable Output#

Family Info
---
FamilyId 006c54ba-3159-43a0-98a0-1c5032145f47
FamilyName Some Family Name
FamilyType Malware

intezer-get-analysis-code-reuse#


Get All code reuse report for an analysis or sub analysis To get the code reuse results of a sub analysis you also must specify the "parent analysis",

For example - If you ran the command intezer-get-sub-analyses analysis_id=123 and got the sub analysis 456, you need to specify both in the command

Base Command#

intezer-get-analysis-code-reuse

Input#

Argument NameDescriptionRequired
analysis_idThe analysis ID (parent analysis in case we're trying to get sub abalysis) we want to get the code reuse for.Required
sub_analysis_idThe Sub Analysis we want to get the code reuse for.Optional

Context Output#

PathTypeDescription
Intezer.Analysis.IDstringThe composed analysis ID
Intezer.Analysis.CodeReuseUnknownGeneral Code Reuse of the analysis
Intezer.Analysis.CodeReuseFamiliesUnknownList of the families appearing in the code reuse
Intezer.Analysis.SubAnalyses.CodeReuseUnknownGeneral Code Reuse of the analysis
Intezer.Analysis.SubAnalyses.CodeReuseFamiliesUnknownList of the families appearing in the code reuse
Intezer.Analysis.SubAnalyses.RootAnalysisstringThe Composed analysis id

Command Example#

# Get the code reuse of an analysis
intezer-get-analysis-code-reuse analysis_id=<Root analysis>
# Get the root analysis sub analyses
intezer-get-sub-analyses analysis_id=<Root analysis>
# Use one of the results to get the sub analysis code reuse
intezer-get-analysis-code-reuse analysis_id=<Root analysis> sub_analysis_id=<Sub Analysis Id>

Context Example#

{
"Intezer.Analysis": {
"Status": "Done",
"type": "File",
"ID": "675515a1-62e9-4d55-880c-fd46a7963a56",
"SubAnalyses": [
{
"ID": "Some sub analysis id",
"RootAnalysis": "675515a1-62e9-4d55-880c-fd46a7963a56",
"CodeReuse": {
"common_gene_count": 10,
"gene_count": 100,
"gene_type": "native_windows",
"unique_gene_count": 50
},
"CodeReuseFamilies": [
{
"family_id": "5be245ca-793c-4991-9329-c42d6365a530",
"family_name": "Microsoft Corporation",
"family_type": "application",
"reused_gene_count": 8
}
]
}
]
}
}

Human Readable Output#

This will show information about the analysis code reuse and families

Code Reuse
---
common_gene_count 544
gene_count 543
gene_type native_windows
unique_gene_count 0
Families:
---
WannaCry
family_id 0b13c0d4-7779-4c06-98fa-4d33ca98f8a9
family_name WannaCry
family_type malware
reused_gene_count 362
Lazarus
family_id 7ae9c0f1-5e81-4ed1-928d-d966a1b1525c
family_name Lazarus
family_type malware
reused_gene_count 33
... More Families if available

intezer-get-analysis-metadata#


Get metadata for an analysis or sub analysis To get the metadata of a sub analysis you also must specify the "parent analysis",

For example - If you ran the command intezer-get-sub-analyses analysis_id=123 and got the sub analysis 456, you need to specify both in the command

Base Command#

intezer-get-analysis-metadata

Input#

Argument NameDescriptionRequired
analysis_idThe analysis ID we want to get the metadata for.Required
sub_analysis_idThe Sub Analysis we want to get the metadata for.Optional

Context Output#

PathTypeDescription
Intezer.Analysis.IDstringThe composed analysis ID
Intezer.Analysis.MetadataUnknownThe Analysis metadata
Intezer.Analysis.SubAnalyses.MetadataUnknownThe Sub Analysis metadata

Command Example#

# Get the code reuse of an analysis
intezer-get-analysis-metadata analysis_id=<Root analysis>
# Get the root analysis sub analyses
intezer-get-sub-analyses analysis_id=<Root analysis>
# Use one of the results to get the sub analysis code reuse
intezer-get-analysis-metadata analysis_id=<Root analysis> sub_analysis_id=<Sub Analysis Id>

Context Example#

{
"Intezer.Analysis": {
"Status": "Done",
"type": "File",
"ID": "675515a1-62e9-4d55-880c-fd46a7963a56",
"SubAnalyses": [
{
"ID": "some sub analyses id",
"RootAnalysis": "675515a1-62e9-4d55-880c-fd46a7963a56",
"Metadata": {
"sha1": "<sha1>",
"sha256": "<sha256>",
"md5": "<md5>",
"product": "product name",
"product_version": "5.4",
"ssdeep": "<ssdeep>",
"size_in_bytes": 15540,
"architecture": "i386",
"original_filename": "myfile.exe",
"compilation_timestamp": "2019:07:26 18:23:19+00:00",
"file_type": "pe",
"company": "Microsoft"
}
}
]
}
}

Human Readable Output#

Analysis Metadata
---
architecture i386
company Microsoft Corporation
compilation_timestamp 2009:07:13 23:19:35+00:00
file_type pe
md5 md5
original_filename LODCTR.EXE
product Microsoft® Windows® Operating System
product_version 6.1.7600.16385 ^^^
sha1 sha1
sha256 sha256
size_in_bytes 245760
ssdeep ssdeep