# Intezer v2

This integration is part of the Intezer Pack. Use the Intezer v2 integration to detect and analyze malware, based on code reuse.

## Configure Intezer v2 on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Intezer v2.
3. Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
API Key | | True |
Intezer Analyze Base URL | The API address of Intezer Analyze, for example https://analyze.intezer.com/api/ | False |
Use system proxy settings | | False |
Trust any certificate (not secure) | | False |

4. Click Test to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### intezer-analyze-by-hash

Checks the file reputation of the given hash. Supports SHA256, SHA1 and MD5.

#### Base Command

intezer-analyze-by-hash

#### Input

Argument Name | Description | Required |
---|---|---|
file_hash | Hash of the file to query. Supports SHA256, MD5 and SHA1. | Required |
wait_for_result | Wait for the analysis result; supports polling. | Optional |
interval | Number of seconds between poll requests. | Optional |
timeout | Number of seconds until polling times out. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Intezer.Analysis.ID | string | Intezer analysis ID |
Intezer.Analysis.Status | string | Status of the analysis |
Intezer.Analysis.Type | string | Type of the analysis |

#### Command Example

#### Context Example

#### Human Readable Output
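The file_hash argument accepts three digest formats. The following is an added example (not code from the Intezer v2 integration or the pack) that validates and classifies a hash locally before it is handed to the command, so a truncated or non-hex value is caught in the playbook rather than surfacing as an API error; the default interval and timeout values in build_hash_args are this example's assumptions.

```python
"""Validate and classify a file hash before it is passed to a hash-lookup command.

Added example; it is not code from the Intezer v2 integration. It mirrors the
accepted input of the file_hash argument (SHA256, SHA1 or MD5) so that a
malformed value is rejected locally instead of producing an API error.
"""
import re

# Hex-digest lengths of the three hash types the command accepts.
_HASH_LENGTHS = {64: "SHA256", 40: "SHA1", 32: "MD5"}
_HEX_RE = re.compile(r"[0-9a-fA-F]+")


def classify_hash(value: str) -> str:
    """Return 'SHA256', 'SHA1' or 'MD5' for a valid hex digest.

    Surrounding whitespace is tolerated; anything that is not hexadecimal or
    has an unexpected length raises ValueError.
    """
    candidate = value.strip()
    if not _HEX_RE.fullmatch(candidate):
        raise ValueError(f"not a hexadecimal digest: {value!r}")
    hash_type = _HASH_LENGTHS.get(len(candidate))
    if hash_type is None:
        raise ValueError(
            f"unsupported digest length {len(candidate)}; expected 32, 40 or 64 hex characters"
        )
    return hash_type


def is_supported_hash(value: str) -> bool:
    """True when classify_hash() would accept the value."""
    try:
        classify_hash(value)
        return True
    except ValueError:
        return False


def build_hash_args(value: str, wait_for_result: bool = False,
                    interval: int = 10, timeout: int = 600) -> dict:
    """Build the argument dict for intezer-analyze-by-hash.

    The hash is validated and normalised to lower case. The polling arguments
    are only included when wait_for_result is requested; the defaults of 10 s
    and 600 s are this example's assumptions, not the integration's.
    """
    classify_hash(value)  # raises on invalid input
    args = {"file_hash": value.strip().lower()}
    if wait_for_result:
        args.update({"wait_for_result": "true", "interval": str(interval),
                     "timeout": str(timeout)})
    return args


if __name__ == "__main__":
    # Constructed sample digests (digests of the empty input, not real samples).
    for sample in ("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                   "d41d8cd98f00b204e9800998ecf8427e", "not-a-hash"):
        print(sample, "->", classify_hash(sample) if is_supported_hash(sample) else "rejected")
```

Normalising to lower case keeps the hash that lands in the context consistent with the SHA256/SHA1/MD5 values the result commands return, which matters when the value is later compared against other indicators.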

### intezer-analyze-url

Checks the reputation of the given URL.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor's documentation for more details.

#### Base Command

intezer-analyze-url

#### Input

Argument Name | Description | Required |
---|---|---|
Url | URL to query. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
Intezer.Analysis.ID | string | Intezer analysis ID |
Intezer.Analysis.Status | string | Status of the analysis |
Intezer.Analysis.Type | string | Type of the analysis |
URL.Data | string | The submitted URL |
URL.Malicious.Vendor | string | For a malicious URL, the vendor that made the decision |
URL.Metadata | Unknown | Metadata returned from the Intezer analysis |
URL.ExistsInIntezer | Boolean | Whether the URL exists in Intezer |

#### Command Example

#### Context Example

#### Human Readable Output

### intezer-get-latest-report

Checks the file reputation of the given hash by looking at the latest available report. Supports SHA256, SHA1 and MD5.

#### Base Command

intezer-get-latest-report

#### Input

Argument Name | Description | Required |
---|---|---|
file_hash | Hash of the file to query. Supports SHA256, MD5 and SHA1. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
File.SHA256 | string | SHA256 hash |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision |
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | The type of the indicator |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
File.Metadata | Unknown | Metadata returned from the Intezer analysis (analysis id, analysis url, family, family type, sha256, verdict, sub_verdict). Metadata is returned only for supported files. |
File.ExistsInIntezer | Boolean | Whether the file exists in the Intezer genome database |

#### Command Example

#### Context Example

#### Human Readable Output
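The File and DBotScore outputs above are produced from the analysis verdict. The following is an added example (not code from the Intezer v2 integration) showing how a verdict can be turned into those context entries, including the case where the hash is unknown to Intezer; the verdict strings and the verdict-to-score mapping are assumptions made for this example, while the 0/1/2/3 scale is XSOAR's standard DBotScore scale.

```python
"""Turn an Intezer file verdict into the File and DBotScore context entries.

Added example; it is not code from the Intezer v2 integration. The metadata
keys used here (analysis_id, analysis_url, family, family_type, sha256,
verdict, sub_verdict) follow the fields this page lists for File.Metadata;
the verdict strings and the verdict-to-score mapping are assumptions made
for this example. The score scale is XSOAR's DBotScore: 0 unknown, 1 good,
2 suspicious, 3 bad.
"""
from typing import Any, Dict, Optional

VENDOR = "Intezer"

# Assumed verdict strings; anything not listed maps to 0 (unknown).
VERDICT_TO_SCORE = {"malicious": 3, "suspicious": 2, "trusted": 1}


def build_file_context(sha256: str, metadata: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Return {"DBotScore": ..., "File": ...} for one hash lookup.

    metadata=None means the file is not in Intezer's genome database: the
    result is File.ExistsInIntezer=False with an unknown (0) score and no
    File.Malicious entry. Otherwise the verdict decides the score and, for a
    malicious verdict, File.Malicious.Vendor names Intezer as the decider.
    """
    sha256 = sha256.strip().lower()
    dbot = {"Indicator": sha256, "Type": "file", "Vendor": VENDOR, "Score": 0}
    file_entry: Dict[str, Any] = {"SHA256": sha256, "ExistsInIntezer": metadata is not None}
    if metadata is not None:
        verdict = str(metadata.get("verdict", "")).lower()
        dbot["Score"] = VERDICT_TO_SCORE.get(verdict, 0)
        file_entry["Metadata"] = metadata
        if dbot["Score"] == 3:
            file_entry["Malicious"] = {"Vendor": VENDOR}
    return {"DBotScore": dbot, "File": file_entry}


def worst_score(contexts) -> int:
    """Highest DBotScore across several lookups, e.g. all hashes attached to one incident."""
    return max((c["DBotScore"]["Score"] for c in contexts), default=0)


if __name__ == "__main__":
    # Constructed sample metadata, shaped like the fields listed for File.Metadata.
    sample = {"analysis_id": "<analysis-id>", "analysis_url": "<analysis-url>",
              "family": "example-family", "family_type": "malware",
              "sha256": "aa" * 32, "verdict": "malicious", "sub_verdict": "<sub-verdict>"}
    print(build_file_context("AA" * 32, sample))
    print(build_file_context("bb" * 32, None))
```

An unknown file deliberately yields score 0 rather than 1: absence from the genome database is not evidence that the file is benign, and a playbook that treats ExistsInIntezer=False as "clean" would silently whitelist anything new.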

### intezer-analyze-by-file

Checks the file reputation of an uploaded file (up to 150MB).

#### Base Command

intezer-analyze-by-file

#### Input

Argument Name | Description | Required |
---|---|---|
file_entry_id | The file entry ID to upload. | Required |
related_alert_ids | An array of alert IDs to associate with the file analysis. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
Intezer.Analysis.ID | string | Intezer analysis ID |
Intezer.Analysis.Status | string | Status of the analysis |
Intezer.Analysis.Type | string | Type of the analysis |
File.SHA256 | string | SHA256 hash |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision |
File.Metadata | Unknown | Metadata returned from the Intezer analysis (analysis id, analysis url, family, family type, sha256, verdict, sub_verdict). Metadata is returned only for supported files. |
File.ExistsInIntezer | Boolean | Whether the file exists in the Intezer genome database |

#### Command Example

#### Context Example

#### Human Readable Output

### intezer-get-endpoint-analysis-result

Checks the endpoint analysis status and gets the analysis result. Supports polling.

#### Base Command

intezer-get-endpoint-analysis-result

#### Input

Argument Name | Description | Required |
---|---|---|
analysis_id | The analysis ID to get results for. | Required |
wait_for_result | Wait for the analysis result; supports polling. | Optional |
interval | Number of seconds between poll requests. | Optional |
timeout | Number of seconds until polling times out. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | The type of the indicator |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
Endpoint.Metadata | Unknown | Metadata returned from the Intezer analysis (endpoint analysis id, endpoint analysis url, families, verdict, host_name) |

#### Command Example

### intezer-get-url-analysis-result

Checks the URL analysis status and gets the analysis result. Supports polling.

#### Base Command

intezer-get-url-analysis-result

#### Input

Argument Name | Description | Required |
---|---|---|
analysis_id | The analysis ID to get results for. | Required |
wait_for_result | Wait for the analysis result; supports polling. | Optional |
interval | Number of seconds between poll requests. | Optional |
timeout | Number of seconds until polling times out. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | The type of the indicator |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
URL.Data | string | The submitted URL |
URL.Malicious.Vendor | string | For a malicious URL, the vendor that made the decision |
URL.Metadata | Unknown | Metadata returned from the Intezer analysis |
URL.ExistsInIntezer | Boolean | Whether the URL exists in Intezer |

#### Command Example

### intezer-get-file-analysis-result

Checks the file analysis status and gets the analysis result. Supports polling.

#### Base Command

intezer-get-file-analysis-result

#### Input

Argument Name | Description | Required |
---|---|---|
analysis_id | The analysis ID to get results for. | Required |
wait_for_result | Wait for the analysis result; supports polling. | Optional |
interval | Number of seconds between poll requests. | Optional |
timeout | Number of seconds until polling times out. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | The type of the indicator |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
File.SHA256 | string | SHA256 hash |
File.SHA1 | string | SHA1 hash |
File.MD5 | string | MD5 hash |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision |
File.Metadata | Unknown | Metadata returned from the Intezer analysis (analysis id, analysis url, family, family type, sha256, verdict, sub_verdict). Metadata is returned only for supported files. |
File.ExistsInIntezer | Boolean | Whether the file exists in the Intezer genome database |

#### Command Example
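intezer-analyze-by-hash and the three get-*-analysis-result commands share the wait_for_result, interval and timeout arguments. The following is an added example (not code from the Intezer v2 integration) of the polling loop those arguments describe: the status is re-fetched every interval seconds until it leaves the in-progress states or the timeout expires. The status strings, the scripted fetcher and the virtual clock are constructed so the loop runs offline; a real implementation would call the analysis-result endpoint in place of the fetcher.

```python
"""Poll an asynchronous analysis until it finishes, honouring interval and timeout.

Added example; it is not code from the Intezer v2 integration. It models the
wait_for_result / interval / timeout arguments shared by the analyze and
get-*-analysis-result commands: the status is re-fetched every `interval`
seconds until it leaves the in-progress states or `timeout` seconds have
elapsed, with one final check at the deadline. The status strings, the
scripted fetcher and the virtual clock are constructed for offline use.
"""
import time
from typing import Callable, Dict, List, Tuple

# Assumed in-progress status values; the page only says the status is a string.
IN_PROGRESS = {"queued", "in_progress"}


class PollingTimeout(TimeoutError):
    """Raised when the analysis is still in progress at the deadline."""


def poll_analysis(fetch_status: Callable[[str], Dict[str, str]], analysis_id: str,
                  interval: float, timeout: float,
                  sleep: Callable[[float], None] = time.sleep,
                  clock: Callable[[], float] = time.monotonic) -> Dict[str, str]:
    """Return the first non-in-progress result, or raise PollingTimeout.

    sleep/clock are injectable so the loop can run against a fake clock; the
    last sleep is shortened so the final check lands exactly on the deadline.
    """
    if interval <= 0:
        raise ValueError("interval must be positive to avoid a busy loop")
    deadline = clock() + timeout
    while True:
        result = fetch_status(analysis_id)
        if result.get("status") not in IN_PROGRESS:
            return result
        remaining = deadline - clock()
        if remaining <= 0:
            raise PollingTimeout(f"analysis {analysis_id} still {result['status']} after {timeout}s")
        sleep(min(interval, remaining))


class VirtualClock:
    """Fake clock: sleep() advances the time instead of blocking."""

    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def scripted_fetcher(statuses: List[str]) -> Callable[[str], Dict[str, str]]:
    """Replay the given status sequence, repeating the last value forever."""
    calls = [0]

    def fetch(analysis_id: str) -> Dict[str, str]:
        status = statuses[min(calls[0], len(statuses) - 1)]
        calls[0] += 1
        return {"analysis_id": analysis_id, "status": status}

    return fetch


def simulate(statuses: List[str], interval: float, timeout: float) -> Tuple[str, float]:
    """Run poll_analysis offline; return (final status or 'timeout', virtual seconds elapsed)."""
    clock = VirtualClock()
    try:
        result = poll_analysis(scripted_fetcher(statuses), "<analysis-id>", interval, timeout,
                               sleep=clock.sleep, clock=clock.time)
        return result["status"], clock.now
    except PollingTimeout:
        return "timeout", clock.now


if __name__ == "__main__":
    print(simulate(["queued", "in_progress", "succeeded"], interval=10, timeout=60))
    print(simulate(["in_progress"], interval=10, timeout=25))
```

The timeout is a hard upper bound on wall-clock time, not on the number of polls, which is what a playbook needs when the analysis backend is slow: the loop gives up at the deadline instead of blocking the incident indefinitely.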

### intezer-get-analysis-result

Checks the analysis status and gets the analysis result. Supports file and endpoint analysis.

#### Base Command

intezer-get-analysis-result

#### Input

Argument Name | Description | Required |
---|---|---|
analysis_id | The analysis ID to get results for. | Optional |
analysis_type | The type of the analysis. Possible values are: File, Endpoint, Url. Default is File. | Optional |
indicator_name | Indicator to classify. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | The type of the indicator |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
File.SHA256 | string | SHA256 hash |
File.SHA1 | string | SHA1 hash |
File.MD5 | string | MD5 hash |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision |
File.Metadata | Unknown | Metadata returned from the Intezer analysis (analysis id, analysis url, family, family type, sha256, verdict, sub_verdict). Metadata is returned only for supported files. |
File.ExistsInIntezer | Boolean | Whether the file exists in the Intezer genome database |
URL.Data | string | The submitted URL |
Url.URL | string | The submitted URL (deprecated) |
URL.Malicious.Vendor | string | For a malicious URL, the vendor that made the decision |
Url.Malicious.Vendor | string | For a malicious URL, the vendor that made the decision (deprecated) |
URL.Metadata | Unknown | Metadata returned from the Intezer analysis |
Url.Metadata | Unknown | Metadata returned from the Intezer analysis (deprecated) |
URL.ExistsInIntezer | Boolean | Whether the URL exists in Intezer |
Url.ExistsInIntezer | Boolean | Whether the URL exists in Intezer (deprecated) |
Endpoint.Metadata | Unknown | Metadata returned from the Intezer analysis (endpoint analysis id, endpoint analysis url, families, verdict, host_name) |

#### Command Example

#### Context Example

#### Human Readable Output

### intezer-get-sub-analyses

Gets the list of sub analyses of an analysis.

#### Base Command

intezer-get-sub-analyses

#### Input

Argument Name | Description | Required |
---|---|---|
analysis_id | The analysis ID to get the sub analyses for. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
Intezer.Analysis.ID | string | Intezer analysis ID |
Intezer.Analysis.SubAnalysesIDs | Unknown | List of all sub analyses of the given analysis |

#### Command Example

#### Context Example

#### Human Readable Output

### intezer-get-family-info

Gets family information from Intezer Analyze.

#### Base Command

intezer-get-family-info

#### Input

Argument Name | Description | Required |
---|---|---|
family_id | The family ID. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
Intezer.Family.ID | string | Family ID in the Intezer genome database |
Intezer.Family.Name | string | Family name |
Intezer.Family.Type | string | Family type |

#### Command Example

#### Context Example

#### Human Readable Output

### intezer-get-analysis-code-reuse

Gets the full code reuse report for an analysis or sub analysis. To get the code reuse results of a sub analysis you must also specify the parent analysis. For example, if you ran the command intezer-get-sub-analyses analysis_id=123 and got the sub analysis 456, you need to specify both in the command (analysis_id=123 sub_analysis_id=456).

#### Base Command

intezer-get-analysis-code-reuse

#### Input

Argument Name | Description | Required |
---|---|---|
analysis_id | The analysis ID (the parent analysis when requesting a sub analysis) to get the code reuse for. | Required |
sub_analysis_id | The sub analysis to get the code reuse for. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Intezer.Analysis.ID | string | The composed analysis ID |
Intezer.Analysis.CodeReuse | Unknown | General code reuse of the analysis |
Intezer.Analysis.CodeReuseFamilies | Unknown | List of the families appearing in the code reuse |
Intezer.Analysis.SubAnalyses.CodeReuse | Unknown | General code reuse of the sub analysis |
Intezer.Analysis.SubAnalyses.CodeReuseFamilies | Unknown | List of the families appearing in the sub analysis code reuse |
Intezer.Analysis.SubAnalyses.RootAnalysis | string | The composed analysis ID |

#### Command Example

#### Context Example

#### Human Readable Output

Shows information about the analysis code reuse and families.
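Because a sub analysis is addressed through its parent, a responder usually ends up with one code reuse report for the parent plus one per sub analysis. The following is an added example (not code from the Intezer v2 integration) that assembles those reports into the context shape listed above and ranks the malware families by reused genes across all of them. The report layout (gene_count plus a families list with family_id, family_name, family_type and reused_gene_count), the family type names and the sample data are assumptions constructed for the example; the page calls Intezer.Analysis.ID "composed" without giving the scheme, so the parent analysis ID is used as-is.

```python
"""Assemble code-reuse results for a parent analysis and its sub analyses, and rank families.

Added example; it is not code from the Intezer v2 integration. The context
shape follows the paths this page lists (Intezer.Analysis.CodeReuse,
CodeReuseFamilies and the SubAnalyses entries with RootAnalysis). The report
layout, the family type names and the sample data are assumptions constructed
for the example; the parent analysis ID stands in for the "composed" ID.
"""
from typing import Any, Dict, List, Tuple

# Assumed family type that indicates reuse of known malicious code, as opposed
# to a shared library, packer or benign application.
MALWARE_FAMILY_TYPE = "malware"


def families_of(report: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten a report's families into the CodeReuseFamilies list."""
    return [
        {"ID": f["family_id"], "Name": f["family_name"], "Type": f["family_type"],
         "ReusedGenes": int(f.get("reused_gene_count", 0))}
        for f in report.get("families", [])
    ]


def build_code_reuse_context(root_id: str, root_report: Dict[str, Any],
                             sub_reports: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Build the Intezer.Analysis entry for one parent analysis.

    sub_reports maps each sub analysis ID (as returned by
    intezer-get-sub-analyses) to the code-reuse report fetched with
    analysis_id=root_id sub_analysis_id=<that sub analysis ID>.
    """
    entry: Dict[str, Any] = {
        "ID": root_id,
        "CodeReuse": root_report,
        "CodeReuseFamilies": families_of(root_report),
        "SubAnalyses": [],
    }
    for sub_id, report in sub_reports.items():
        entry["SubAnalyses"].append({
            "ID": sub_id,
            "RootAnalysis": root_id,
            "CodeReuse": report,
            "CodeReuseFamilies": families_of(report),
        })
    return entry


def rank_malware_families(entry: Dict[str, Any]) -> List[Tuple[str, int]]:
    """Total reused genes per malware family across the parent and all sub analyses,
    most reused first. Library/packer families are left out so shared code does
    not drown out the signal a responder cares about."""
    totals: Dict[str, int] = {}
    all_families = list(entry["CodeReuseFamilies"])
    for sub in entry["SubAnalyses"]:
        all_families.extend(sub["CodeReuseFamilies"])
    for fam in all_families:
        if fam["Type"] == MALWARE_FAMILY_TYPE:
            totals[fam["Name"]] = totals.get(fam["Name"], 0) + fam["ReusedGenes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample reports (not real Intezer output).
SAMPLE_ROOT = {"gene_count": 400, "families": [
    {"family_id": "fam-a", "family_name": "FamilyA", "family_type": "malware", "reused_gene_count": 50},
    {"family_id": "lib-c", "family_name": "libc", "family_type": "library", "reused_gene_count": 120},
]}
SAMPLE_SUBS = {"<sub-id-1>": {"gene_count": 90, "families": [
    {"family_id": "fam-a", "family_name": "FamilyA", "family_type": "malware", "reused_gene_count": 30},
    {"family_id": "fam-b", "family_name": "FamilyB", "family_type": "malware", "reused_gene_count": 10},
]}}

if __name__ == "__main__":
    ctx = build_code_reuse_context("<parent-id>", SAMPLE_ROOT, SAMPLE_SUBS)
    print(rank_malware_families(ctx))
```

Aggregating across sub analyses matters because a dropper's own code may share little with a known family while the payload it unpacks shares a great deal; ranking only the parent report would understate that.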

### intezer-get-analysis-metadata

Gets the metadata for an analysis or sub analysis. To get the metadata of a sub analysis you must also specify the parent analysis. For example, if you ran the command intezer-get-sub-analyses analysis_id=123 and got the sub analysis 456, you need to specify both in the command (analysis_id=123 sub_analysis_id=456).

#### Base Command

intezer-get-analysis-metadata

#### Input

Argument Name | Description | Required |
---|---|---|
analysis_id | The analysis ID to get the metadata for. | Required |
sub_analysis_id | The sub analysis to get the metadata for. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Intezer.Analysis.ID | string | The composed analysis ID |
Intezer.Analysis.Metadata | Unknown | The analysis metadata |
Intezer.Analysis.SubAnalyses.Metadata | Unknown | The sub analysis metadata |

#### Command Example

#### Context Example

#### Human Readable Output

### intezer-get-analysis-iocs

Gets the list of network and file IOCs of a specific analysis ID.

#### Base Command

intezer-get-analysis-iocs

#### Input

Argument Name | Description | Required |
---|---|---|
analysis_id | The analysis ID to get the IOCs for. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
Intezer.Analysis.ID | string | The composed analysis ID |
Intezer.Analysis.IOCs | Dict | The analysis IOCs |

#### Context Example

#### Human Readable Output

### intezer-submit-alert

Submits a new alert, including the raw alert information, to Intezer for processing.

#### Base Command

intezer-submit-alert

#### Input

Argument Name | Description | Required |
---|---|---|
raw_alert | The raw alert as it is stored in the context. | Required |
mapping | The mapping for the raw alert data. | Required |
source | The source of the alert. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
Intezer.Alert.ID | string | The alert ID |
Intezer.Alert.Status | string | The status of the alert |

#### Context Example

### intezer-submit-suspected-phishing-email

Submits a suspected phishing email in raw format (.MSG or .EML) to Intezer for processing.

#### Base Command

intezer-submit-suspected-phishing-email

#### Input

Argument Name | Description | Required |
---|---|---|
email_file_entry_id | The email file entry ID to upload. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
Intezer.Alert.ID | string | The alert ID |
Intezer.Alert.Status | string | The status of the alert |

#### Context Example

### intezer-get-alert-result

Gets the triage and response information of an ingested alert, using the alert ID.

#### Base Command

intezer-get-alert-result

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | The alert ID to query. | Required |
wait_for_result | Wait for the alert result; supports polling. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Intezer.Alert.ID | string | The alert ID |
Intezer.Alert.Status | string | The alert status |
Intezer.Alert.Result | Object | The full report of the alert |
Intezer.Alert.Result.intezer_alert_url | Object | The URL of the alert result on Intezer Analyze |
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | The type of the indicator |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | string | The actual score |
File.SHA256 | string | SHA256 hash |
File.SHA1 | string | SHA1 hash |
File.MD5 | string | MD5 hash |
URL.Data | string | The tested URL |
URL.Malicious.Vendor | string | For a malicious URL, the vendor that made the decision |
URL.Relationships | object | The relationships between two URLs |
Intezer.Alert.Result.raw_alert | object | The raw alert as submitted to Intezer |
Intezer.Alert.Result.triage_result.alert_verdict_display | string | The verdict of the alert |
Intezer.Alert.Result.source_display | string | The calculated verdict of the alert |
Intezer.Alert.Result.triage_result.risk_category_display | string | The risk category of the alert |
Intezer.Alert.Result.response.user_recommended_actions_display | string | The actions Intezer recommends taking |