
LastInfoSec

This Integration is part of the LastInfoSec Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This integration allows you to interact with the Gatewatcher LastInfoSec product via its API. This integration was integrated and tested with version 2 of LastInfoSec.

Configure LastInfoSec on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for LastInfoSec.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | LastInfoSec API token | The API Key to use for connection | True |
    | Check the TLS certificate | | False |
    | Use system proxy settings | | False |
    | Integration Reliability | Reliability of the source providing the intelligence data | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

gw-lis-get-by-minute

Retrieves the data from the Gatewatcher CTI feed for the last N minutes. Max 1440 minutes.

Base Command

gw-lis-get-by-minute

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| Minute | Number of minutes to get. Max 1440 minutes. | Required |
| Categories | Filter IoC by categories. Possible values are: phishing, malware, trojan, exploit, ransom, ransomware, tool, keylogger, agent, backdoor. | Optional |
| Type | Filter IoC by type. Possible values are: SHA1, SHA256, MD5, URL, Host. | Optional |
| Mode | Filter IoC by mode. Possible values are: detection, hunting. | Optional |
| Risk | Filter IoC by risk. Possible values are: Malicious, Suspicious, High suspicious. | Optional |
| TLP | Filter IoC by TLP. Possible values are: green, white. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LIS.GetByMinute.Value | String | Value. |

Command example

!gw-lis-get-by-minute Minute=10

Context Example

{
    "LIS": {
        "GetByMinute": [
            "http://103.182.16.23/900/HTMLcode.vbs",
            "http://103.182.16.23/900/i0ioi0iooioo0IOI0OIOIOiooioi00IOIoioioio0ioi0iOIOioiiOIoiOIOIOioIO0IOIO0.doc",
            "http://94.156.253.128/2144/io0Ioi0IOIOOIOi0i00ioioii0ioi0oiOII0OIO0OIOI0I0000%23%23%23%23%23%23%23%23%23%23%23%23%23%230000000%23%23%23%23%23%23%23%23%23%23%23%23%23%2300000000.doc"
        ]
    }
}

Human Readable Output

Get IoC by minute

| Value |
| --- |
| http://103.182.16.23/900/HTMLcode.vbs |
| http://103.182.16.23/900/i0ioi0iooioo0IOI0OIOIOiooioi00IOIoioioio0ioi0iOIOioiiOIoiOIOIOioIO0IOIO0.doc |
| http://94.156.253.128/2144/io0Ioi0IOIOOIOi0i00ioioii0ioi0oiOII0OIO0OIOI0I0000%23%23%23%23%23%23%23%23%23%23%23%23%23%230000000%23%23%23%23%23%23%23%23%23%23%23%23%23%2300000000.doc |

gw-lis-get-by-value

Allows you to search for an IOC (URL, hash, host) or a vulnerability in the Gatewatcher CTI database. If the value is known, only the IOC corresponding to that value is returned.

Base Command

gw-lis-get-by-value

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| Value | Value to be searched. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LIS.GetByValue.Categories | String | Categories. |
| LIS.GetByValue.Risk | String | Risk. |
| LIS.GetByValue.TLP | String | TLP. |
| LIS.GetByValue.Type | String | Type. |
| LIS.GetByValue.UsageMode | String | UsageMode. |
| LIS.GetByValue.Value | String | Value. |
| LIS.GetByValue.Vulnerabilities | String | Vulnerabilities. |

Command example

!gw-lis-get-by-value Value="58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f"

Context Example

{
    "LIS": {
        "GetByValue": {
            "Categories": [
                "trojan",
                "malware",
                "agent"
            ],
            "Risk": "Suspicious",
            "TLP": "green",
            "Type": "SHA256",
            "UsageMode": "detection",
            "Value": "58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f",
            "Vulnerabilities": []
        }
    }
}

Human Readable Output

Get IoC corresponding to the value

| Categories | Risk | TLP | Type | UsageMode | Value | Vulnerabilities |
| --- | --- | --- | --- | --- | --- | --- |
| trojan, malware, agent | Suspicious | green | SHA256 | detection | 58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f | |

gw-lis-leaked-email-by-domain

Allows you to search for leaked emails by domain in Gatewatcher's CTI database. If the data is found, a list of emails is returned; otherwise, nothing is returned.

Base Command

gw-lis-leaked-email-by-domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| Domain | Domain to be searched. | Required |
| After | Only return emails that have leaked after this date (date format: 2023-01-15T10:00:00). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LIS.LeakedEmail.GetByDomain | String | Leaked emails. |

Command example

!gw-lis-leaked-email-by-domain Domain=foobar.com

Context Example

{
    "LIS": {
        "LeakedEmail": {
            "GetByDomain": [
                "lucien@fr.foobar.com",
                "valerie@fr.foobar.com",
                "cyrille@nl.foobar.com",
                "patrique@us.foobar.com"
            ]
        }
    }
}

Human Readable Output

Leaked email

| Emails |
| --- |
| lucien@fr.foobar.com |
| valerie@fr.foobar.com |
| cyrille@nl.foobar.com |
| patrique@us.foobar.com |

gw-lis-is-email-leaked

Allows you to check whether a specific email was leaked, according to Gatewatcher's CTI database. If the data is found, the email is returned; otherwise, nothing is returned.

Base Command

gw-lis-is-email-leaked

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| Email | Email to be searched. | Required |
| After | Only return a value if the email has leaked after this date (date format: 2023-01-15T10:00:00). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LIS.LeakedEmail.GetByEmail | String | Leaked email. |

Command example

!gw-lis-is-email-leaked Email=lucien@fr.foobar.com

Context Example

{
    "LIS": {
        "LeakedEmail": {
            "GetByEmail": "lucien@fr.foobar.com"
        }
    }
}

Human Readable Output

Is email leaked

| Value |
| --- |
| lucien@fr.foobar.com |

url

Searches for URL IOCs in Gatewatcher's CTI database.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | List of URLs to search for (comma separated values). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| URL.Data | String | The URL. |
| URL.Description | String | Description of the URL. |
| URL.TrafficLightProtocol | String | TLP level. |
| LIS.URL.Categories | String | Categories matching this URL. |
| LIS.URL.Risk | String | Risk associated with this URL. |
| LIS.URL.TLP | String | TLP level. |
| LIS.URL.UsageMode | String | Usage mode for LIS. |
| LIS.URL.Value | String | The URL. |
| LIS.URL.Vulnerabilities | String | Vulnerabilities associated with this URL. |

Command example

!url url=http://217.196.96.84/WatchDog.exe

Context Example

{
    "DBotScore": {
        "Indicator": "http://217.196.96.84/WatchDog.exe",
        "Reliability": "B - Usually reliable",
        "Score": 2,
        "Type": "url",
        "Vendor": "LastInfoSec"
    },
    "LIS": {
        "URL": {
            "Categories": [
                "malware"
            ],
            "Risk": "Suspicious",
            "TLP": "green",
            "Type": "URL",
            "UsageMode": "detection",
            "Value": "http://217.196.96.84/WatchDog.exe",
            "Vulnerabilities": []
        }
    },
    "URL": {
        "Data": "http://217.196.96.84/WatchDog.exe",
        "Description": "'http://217.196.96.84/WatchDog.exe' is a Suspicious URL. It is linked to a PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows file with a size of 62.0322265625 KB.\nThis URL is linked to a malware attack.\nThe related TTP is: T1027.002 .\nWe advised to use this IoC in detection mode.",
        "TrafficLightProtocol": "green"
    }
}

Human Readable Output

Get IoC corresponding to the value

| Categories | Risk | TLP | Type | UsageMode | Value | Vulnerabilities |
| --- | --- | --- | --- | --- | --- | --- |
| malware | Suspicious | green | URL | detection | http://217.196.96.84/WatchDog.exe | |

file

Searches for file hash IOCs in Gatewatcher's CTI database.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | List of file hashes to search for (comma separated values). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| File.Hashes | String | List of hashes for this file. |
| File.Imphash | String | Imphash of the file. |
| File.SSDeep | String | SSDeep of the file. |
| File.TrafficLightProtocol | String | TLP level. |
| File.Type | String | Type of file. |
| File.MD5 | String | MD5 of the file. |
| File.SHA1 | String | SHA1 of the file. |
| File.SHA256 | String | SHA256 of the file. |
| File.SHA512 | String | SHA512 of the file. |
| LIS.File.Categories | String | Categories matching this file. |
| LIS.File.Risk | String | Risk associated with this file. |
| LIS.File.TLP | String | TLP level. |
| LIS.File.UsageMode | String | Usage mode for LIS. |
| LIS.File.Value | String | Hash of the file. |
| LIS.File.Vulnerabilities | String | Vulnerabilities associated with this file. |

Command example

!file file=58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f

Context Example

{
    "DBotScore": {
        "Indicator": "58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f",
        "Reliability": "B - Usually reliable",
        "Score": 2,
        "Type": "file",
        "Vendor": "LastInfoSec"
    },
    "File": {
        "Hashes": [
            {
                "type": "SHA256",
                "value": "58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f"
            },
            {
                "type": "SSDeep",
                "value": "1536:zhu9D+Oy/Dn/hP8PGTzBwZ6YWKSO5T3rZvSwEKSK99jzpma:zhu9WL/hEPeGU5S5TbZawEKSK99jVH"
            },
            {
                "type": "Imphash",
                "value": "3:rGsLdAIEK:tf"
            }
        ],
        "Imphash": "3:rGsLdAIEK:tf",
        "SHA256": "58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f",
        "SSDeep": "1536:zhu9D+Oy/Dn/hP8PGTzBwZ6YWKSO5T3rZvSwEKSK99jzpma:zhu9WL/hEPeGU5S5TbZawEKSK99jVH",
        "TrafficLightProtocol": "green",
        "Type": "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
    },
    "LIS": {
        "File": {
            "Categories": [
                "trojan",
                "malware",
                "agent"
            ],
            "Risk": "Suspicious",
            "TLP": "green",
            "Type": "SHA256",
            "UsageMode": "detection",
            "Value": "58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f",
            "Vulnerabilities": []
        }
    }
}

Human Readable Output

Get IoC corresponding to the value

| Categories | Risk | TLP | Type | UsageMode | Value | Vulnerabilities |
| --- | --- | --- | --- | --- | --- | --- |
| trojan, malware, agent | Suspicious | green | SHA256 | detection | 58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f | |

domain

Searches for domain IOCs in Gatewatcher's CTI database.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | List of domains to search for (comma separated values). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| Domain.Name | String | Domain found. |
| Domain.Description | String | Description of the domain. |
| Domain.TrafficLightProtocol | String | TLP level. |
| LIS.Domain.Categories | String | Categories matching this domain. |
| LIS.Domain.Risk | String | Risk associated with this domain. |
| LIS.Domain.TLP | String | TLP level. |
| LIS.Domain.Type | String | Type of domain. |
| LIS.Domain.UsageMode | String | Usage mode for LIS. |
| LIS.Domain.Value | String | The domain name. |
| LIS.Domain.Vulnerabilities | String | Vulnerabilities associated with this domain. |

Command example

!domain domain=kopabayport.co.tz

Context Example

{
    "DBotScore": {
        "Indicator": "kopabayport.co.tz",
        "Reliability": "B - Usually reliable",
        "Score": 2,
        "Type": "domain",
        "Vendor": "LastInfoSec"
    },
    "Domain": {
        "Description": "'kopabayport.co.tz' is a Suspicious Host.\nThis Host is linked to a malware attack.\nWe advised to use this IoC in detection mode.",
        "Name": "kopabayport.co.tz",
        "TrafficLightProtocol": "green"
    },
    "LIS": {
        "Domain": {
            "Categories": [
                "malware"
            ],
            "Risk": "Suspicious",
            "TLP": "green",
            "Type": "Host",
            "UsageMode": "detection",
            "Value": "kopabayport.co.tz",
            "Vulnerabilities": []
        }
    }
}

Human Readable Output

Get IoC corresponding to the value

| Categories | Risk | TLP | Type | UsageMode | Value | Vulnerabilities |
| --- | --- | --- | --- | --- | --- | --- |
| malware | Suspicious | green | Host | detection | kopabayport.co.tz | |
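The url, file and domain commands above all accept a comma separated list and emit the same three context branches (DBotScore, the standard indicator object, and LIS.<Type>). As an added example that is not the LastInfoSec pack's own code, the Python below reshapes LIS.GetByValue-style records into that context offline; the in-memory lookup table, the extra Imphash value, and the Malicious/High suspicious score rows are assumptions (only Suspicious -> 2 is shown on this page).

```python
from typing import Optional

VENDOR = "LastInfoSec"
RELIABILITY = "B - Usually reliable"   # reliability string shown on the page

# Only "Suspicious" -> 2 is shown on the page; the other rows are an assumption
# following XSOAR's 0..3 DBotScore scale, not a documented LIS mapping.
RISK_TO_SCORE = {"Malicious": 3, "High suspicious": 3, "Suspicious": 2}
# LIS Type -> (DBotScore.Type, standard context key, field holding the value)
TYPE_MAP = {"URL": ("url", "URL", "Data"), "Host": ("domain", "Domain", "Name"),
            "SHA256": ("file", "File", "SHA256"), "SHA1": ("file", "File", "SHA1"),
            "MD5": ("file", "File", "MD5")}
LIS_FIELDS = ("Categories", "Risk", "TLP", "Type", "UsageMode", "Value", "Vulnerabilities")

PAGE_SHA256 = "58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f"
# Constructed records in the shape of LIS.GetByValue; the Imphash value is made up.
SAMPLE_DB = {
    PAGE_SHA256: {"Categories": ["trojan", "malware", "agent"], "Risk": "Suspicious",
                  "TLP": "green", "Type": "SHA256", "UsageMode": "detection",
                  "Value": PAGE_SHA256, "Vulnerabilities": [],
                  "Hashes": [{"type": "SHA256", "value": PAGE_SHA256},
                             {"type": "Imphash", "value": "0:constructed:x"}]},
    "ioc.example.invalid": {"Categories": ["malware"], "Risk": "Suspicious", "TLP": "green",
                            "Type": "Host", "UsageMode": "detection",
                            "Value": "ioc.example.invalid", "Vulnerabilities": []},
}

def lookup(value: str) -> Optional[dict]:
    """Hypothetical stand-in for the gw-lis-get-by-value API call (offline)."""
    return SAMPLE_DB.get(value)

def to_context(record: dict) -> dict:
    """Map one LIS record onto DBotScore, the standard indicator object and LIS.<Type>."""
    dbot_type, key, value_field = TYPE_MAP[record["Type"]]
    dbot = {"Indicator": record["Value"], "Reliability": RELIABILITY,
            "Score": RISK_TO_SCORE.get(record["Risk"], 0), "Type": dbot_type, "Vendor": VENDOR}
    std = {value_field: record["Value"], "TrafficLightProtocol": record["TLP"]}
    if key == "File":  # File.Hashes plus one flat field per hash type, as on the page
        std["Hashes"] = record.get("Hashes", [])
        for h in std["Hashes"]:
            std[h["type"]] = h["value"]
    return {"DBotScore": dbot, key: std, "LIS": {key: {k: record[k] for k in LIS_FIELDS}}}

def reputation_command(arg: str) -> dict:
    """Handle the comma separated list that url/file/domain accept; values LIS
    does not know map to None so the caller can see which lookups came back empty."""
    values = [v.strip() for v in arg.split(",") if v.strip()]
    return {v: (to_context(r) if (r := lookup(v)) else None) for v in values}
```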