Intezer v2
Use the Intezer v2 integration to detect and analyze malware, based on code reuse.
Configure Intezer v2 on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for Intezer v2.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- API Key
- Use system proxy
- Trust any certificate (not secure)
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Check file reputation by hash: intezer-analyze-by-hash
- Check file reputation by uploading a file: intezer-analyze-by-file
- Check analysis status and results: intezer-get-analysis-result
1. Check file reputation by hash
Checks file reputation of the given hash, supports SHA256, SHA1, and MD5.
Base Command
intezer-analyze-by-hash
Input
| Argument Name | Description | Required |
|---|---|---|
| file_hash | Hash of the file to query. Supports SHA256, MD5, and SHA1. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Intezer.Analysis.ID | string | Intezer analysis ID. |
| Intezer.Analysis.Status | string | Status of the analysis. |
| Intezer.Analysis.Type | string | Analysis type. |
Command Example
intezer-analyze-by-hash file_hash="8cbf90aeab2c93b2819fcfd6262b2cdb"
Context Example
{
"Intezer.Analysis": {
"Status": "Created",
"type": "File",
"ID": "59e2f081-45f3-4822-bf45-407670dcb4d7"
}
}
Human Readable Output
Analysis created successfully
2. Check the reputation of a file
Checks file reputation for an uploaded file. Maximum file size is 32 MB.
Base Command
intezer-analyze-by-file
Input
| Argument Name | Description | Required |
|---|---|---|
| file_entry_id | The entry ID of the file to upload. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Intezer.Analysis.ID | string | Intezer analysis ID. |
| Intezer.Analysis.Status | string | Status of the analysis. |
| Intezer.Analysis.Type | string | Analysis type. |
Command Example
intezer-analyze-by-file file_entry_id=1188@6
Context Example
{
"Intezer.Analysis": {
"Status": "Created",
"type": "File",
"ID": "675515a1-62e9-4d55-880c-fd46a7963a56"
}
}
Human Readable Output
Analysis created successfully
3. Check analysis status and results
Checks the analysis status and gets the analysis result, supports file and endpoint analysis.
Base Command
intezer-get-analysis-result
Input
| Argument Name | Description | Required |
|---|---|---|
| analysis_id | The analysis ID for which to get results. | Optional |
| analysis_type | The type of analysis. | Optional |
| indicator_name | Indicator to classify. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| File.SHA256 | string | SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | Vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| File.Metadata | Unknown | Metadata returned from Intezer analysis (analysis id, analysis url, family, family type, sha256, verdict, sub_verdict). Metedata will only be returned for supported files. |
| Endpoint.Metadata | Unknown | Metadata returned from Intezer analysis (endpoint analysis id, endpoint analysis url, families, verdict, host_name). |
Command Example
intezer-get-analysis-result analysis_id="9e3acdc3-b7ea-412b-88ae-7103eebc9398"
Context Example
{
"DBotScore": {
"Vendor": "Intezer",
"Indicator": "fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387",
"Score": 0,
"Type": "hash"
},
"Intezer.Analysis": {
"Status": "Done",
"ID": "9e3acdc3-b7ea-412b-88ae-7103eebc9398"
},
"File": {
"ExistsInIntezer": true,
"SHA256": "fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387",
"Metadata": {
"analysis_id": "9e3acdc3-b7ea-412b-88ae-7103eebc9398",
"sub_verdict": "file_type_not_supported",
"analysis_url": "https://analyze.intezer.com/#/analyses/9e3acdc3-b7ea-412b-88ae-7103eebc9398",
"verdict": "not_supported",
"sha256": "fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387",
"is_private": true,
"analysis_time": "Wed, 19 Jun 2019 07:48:12 GMT"
}
}
}
Human Readable Output
Intezer File analysis result
SHA256: fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387
Verdict:
not_supported
(file_type_not_supported)
Analysis Link