
# MS-ISAC

This integration is part of the MS-ISAC Pack.

## Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This integration queries alerts and alert data from the MS-ISAC API in order to enrich and look up alerts from within the platform. It was integrated and tested with version 1.2 (7/1/25) of the MS-ISAC API.

## Configure MS-ISAC in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| API Key | Key provided by MS-ISAC according to the detailed instructions | True |
| Server URL | The URL provided by MS-ISAC that serves as the base of all endpoints | True |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### msisac-get-alert

Retrieves alert data by its ID.

#### Base Command

`msisac-get-alert`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of the MS-ISAC alert. | True |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MSISAC.Alert.alertId | string | The ID of this alert |
| MSISAC.Alert.affectedIp | string | The internal IP associated with the traffic |
| MSISAC.Alert.alertedAt | string | The timestamp when the alert happened |
| MSISAC.Alert.applicationProtocol | string | The application protocol associated with the traffic |
| MSISAC.Alert.category | string | The category of the alert |
| MSISAC.Alert.createdAt | string | The timestamp when the alert was created |
| MSISAC.Alert.destinationIp | string | The destination IP of the traffic |
| MSISAC.Alert.destinationPort | number | The destination port number of the traffic |
| MSISAC.Alert.encodedPayload | string | The encoded payload of the traffic |
| MSISAC.Alert.httpHostname | string | The HTTP hostname of the traffic |
| MSISAC.Alert.httpMethod | string | The HTTP method of the traffic |
| MSISAC.Alert.httpStatus | number | The HTTP status code of the traffic |
| MSISAC.Alert.httpUrl | string | The HTTP URL of the traffic |
| MSISAC.Alert.logicalSensor | string | The name of the sensor that triggered the event |
| MSISAC.Alert.mitreTactic | string | The MITRE ATT&CK tactic associated with the traffic |
| MSISAC.Alert.mitreTechnique | string | The MITRE ATT&CK technique associated with the traffic |
| MSISAC.Alert.signatureDirection | string | The direction of the traffic flow |
| MSISAC.Alert.signatureId | number | The signature ID that matched the traffic |
| MSISAC.Alert.signatureName | string | The signature name that matched the traffic |
| MSISAC.Alert.sourceIp | string | The source IP of the traffic |
| MSISAC.Alert.sourcePort | number | The source port number of the traffic |
| MSISAC.Alert.transportProtocol | string | The transport protocol of the traffic |
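The context table above documents the shape and types of a `MSISAC.Alert` entry but not how a raw API record becomes one. The following is an added example, not the integration's own code: it maps a constructed alert record onto the documented context keys, casts the four fields typed as `number`, range-checks the two ports, and validates the three IP fields, so that a malformed record fails loudly instead of landing in the War Room as a string where a playbook expects an integer. The camelCase keys of the raw record and the string-typed ports and status code are assumptions about the API's raw output.

```python
"""Map a raw MS-ISAC alert record into the MSISAC.Alert context shape.

Added example, not the integration's own code. SAMPLE_ALERT is a constructed
record; its camelCase keys are assumed to match the context paths documented
for msisac-get-alert, and the raw API is assumed to return ports and status
codes as strings (hence the casting below).
"""
import ipaddress
from typing import Any, Dict, List, Optional

# Context keys documented for MSISAC.Alert, in table order
ALERT_FIELDS: List[str] = [
    "alertId", "affectedIp", "alertedAt", "applicationProtocol", "category",
    "createdAt", "destinationIp", "destinationPort", "encodedPayload",
    "httpHostname", "httpMethod", "httpStatus", "httpUrl", "logicalSensor",
    "mitreTactic", "mitreTechnique", "signatureDirection", "signatureId",
    "signatureName", "sourceIp", "sourcePort", "transportProtocol",
]
# Keys the table types as "number"; ports additionally get a range check
PORT_FIELDS = {"destinationPort", "sourcePort"}
NUMBER_FIELDS = {"httpStatus", "signatureId"} | PORT_FIELDS
# Keys that must hold a syntactically valid IPv4/IPv6 address
IP_FIELDS = {"affectedIp", "destinationIp", "sourceIp"}

# Constructed sample; values are illustrative, not real MS-ISAC data
SAMPLE_ALERT: Dict[str, Any] = {
    "alertId": "a-1001",
    "affectedIp": "10.20.30.40",
    "alertedAt": "2025-07-01T12:34:56",
    "applicationProtocol": "http",
    "category": "Attempted Information Leak",
    "createdAt": "2025-07-01T12:35:10",
    "destinationIp": "192.0.2.15",
    "destinationPort": "80",
    "httpHostname": "example.invalid",
    "httpMethod": "GET",
    "httpStatus": "200",
    "httpUrl": "/index.html",
    "logicalSensor": "sensor-01",
    "mitreTactic": "Discovery",
    "mitreTechnique": "Network Service Discovery",
    "signatureDirection": "outbound",
    "signatureId": "2100001",
    "signatureName": "SAMPLE scan signature",
    "sourceIp": "10.20.30.40",
    "sourcePort": "51515",
    "transportProtocol": "tcp",
    # encodedPayload deliberately absent to show missing-key handling
}


def _as_number(field: str, value: Any) -> Optional[int]:
    """Cast a documented "number" field; empty/missing becomes None, junk raises."""
    if value is None or value == "":
        return None
    try:
        number = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"{field}: expected a number, got {value!r}")
    if field in PORT_FIELDS and not 0 <= number <= 65535:
        raise ValueError(f"{field}: port out of range: {number}")
    return number


def _as_ip(field: str, value: Any) -> Optional[str]:
    """Normalise an IP string; empty/missing becomes None, malformed raises."""
    if value is None or value == "":
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise ValueError(f"{field}: not an IP address: {value!r}")


def alert_to_context(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Return the MSISAC.Alert entry: every documented key present, typed as documented."""
    context: Dict[str, Any] = {}
    for field in ALERT_FIELDS:
        value = raw.get(field)
        if field in NUMBER_FIELDS:
            context[field] = _as_number(field, value)
        elif field in IP_FIELDS:
            context[field] = _as_ip(field, value)
        else:
            context[field] = value
    return context


def entry_context(raw: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Wrap the mapped alert in the EntryContext form XSOAR uses to merge on alertId."""
    return {"MSISAC.Alert(val.alertId == obj.alertId)": alert_to_context(raw)}


if __name__ == "__main__":
    import json
    print(json.dumps(entry_context(SAMPLE_ALERT), indent=2))
```

Keeping every documented key in the entry, with `None` for anything the API did not return, means downstream playbook conditions can test `MSISAC.Alert.encodedPayload` without first checking whether the path exists.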

### msisac-retrieve-cases

Retrieves a list of MS-ISAC cases created since the given timestamp.

#### Base Command

`msisac-retrieve-cases`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| timestamp | Must be in the format "2025-07-01T00:00:00", in UTC. If no timestamp is given, the command returns cases from the last 72 hours. | False |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MSISAC.RetrievedCases.caseId | string | ID of the retrieved MS-ISAC case |
| MSISAC.RetrievedCases.affectedIp | string | The internal IP associated with the traffic |
| MSISAC.RetrievedCases.alertIds | list | The MS-ISAC alert IDs associated with the case |
| MSISAC.RetrievedCases.createdAt | string | The timestamp when the case was created. This is the value compared against the timestamp input argument |
| MSISAC.RetrievedCases.logicalSensorName | string | The name of the sensor that triggered the event |
| MSISAC.RetrievedCases.modifiedAt | string | The timestamp when the case was last modified |
| MSISAC.RetrievedCases.severity | string | The severity of the case |
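The `timestamp` argument has a strict format and a silent 72-hour default, and the `alertIds` list in each case is what feeds `msisac-get-alert` for enrichment. The following is an added example, not the integration's own code: it builds a validated `timestamp` value (making the 72-hour default explicit and rejecting values that `strptime` would loosely accept), maps a constructed case response onto the documented `MSISAC.RetrievedCases` keys, and collects the unique alert IDs to look up one at a time. The case record keys are assumed to match the documented context paths.

```python
"""Build the timestamp argument for msisac-retrieve-cases and post-process the cases it returns.

Added example, not the integration's own code. SAMPLE_CASES is a constructed
response whose keys are assumed to match the MSISAC.RetrievedCases context
paths; the 72-hour default and the "2025-07-01T00:00:00" UTC format come from
the command's documented timestamp argument.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S"  # the documented "2025-07-01T00:00:00" shape
DEFAULT_LOOKBACK = timedelta(hours=72)  # documented default when no timestamp is given
CASE_FIELDS = ["caseId", "affectedIp", "alertIds", "createdAt",
               "logicalSensorName", "modifiedAt", "severity"]
FIXED_NOW = datetime(2025, 7, 4, 0, 0, 0, tzinfo=timezone.utc)  # frozen "now" for reproducible runs

SAMPLE_CASES: List[Dict[str, Any]] = [  # constructed, not real MS-ISAC data
    {"caseId": "c-501", "affectedIp": "10.0.0.5", "alertIds": ["a-1001", "a-1002"],
     "createdAt": "2025-07-02T08:00:00", "logicalSensorName": "sensor-01",
     "modifiedAt": "2025-07-02T09:30:00", "severity": "High"},
    {"caseId": "c-502", "affectedIp": "10.0.0.9", "alertIds": ["a-1002", "a-1003"],
     "createdAt": "2025-07-03T11:15:00", "logicalSensorName": "sensor-02",
     "modifiedAt": "2025-07-03T11:15:00", "severity": "Medium"},
]


def build_timestamp_arg(timestamp: Optional[str] = None,
                        now: Optional[datetime] = None) -> str:
    """Return the value to pass as `timestamp`.

    No value -> 72 hours before `now` in UTC (the command's own default, made
    explicit). A value must match the documented format exactly (strptime alone
    would accept "2025-7-1T0:0:0", so the result is round-tripped) and must not
    lie in the future.
    """
    now = now or datetime.now(timezone.utc)
    if not timestamp:
        return (now - DEFAULT_LOOKBACK).strftime(TIMESTAMP_FORMAT)
    parsed = datetime.strptime(timestamp, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
    if parsed.strftime(TIMESTAMP_FORMAT) != timestamp:
        raise ValueError(f"timestamp must look like 2025-07-01T00:00:00, got {timestamp!r}")
    if parsed > now:
        raise ValueError("timestamp is in the future; no case can have been created since then")
    return timestamp


def is_valid_timestamp(timestamp: str, now: Optional[datetime] = None) -> bool:
    """Boolean form of build_timestamp_arg's validation, for use in playbook conditions."""
    try:
        build_timestamp_arg(timestamp, now)
        return True
    except ValueError:
        return False


def cases_to_context(cases: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """MSISAC.RetrievedCases entries: every documented key present, alertIds always a list."""
    entries = []
    for case in cases:
        entry = {key: case.get(key) for key in CASE_FIELDS}
        entry["alertIds"] = list(case.get("alertIds") or [])
        entries.append(entry)
    return entries


def alert_ids_to_enrich(cases: List[Dict[str, Any]]) -> List[str]:
    """Unique alert IDs across the cases, first-seen order, one per msisac-get-alert call."""
    seen: List[str] = []
    for case in cases:
        for alert_id in case.get("alertIds") or []:
            if alert_id not in seen:
                seen.append(alert_id)
    return seen


if __name__ == "__main__":
    print("timestamp argument:", build_timestamp_arg(None, FIXED_NOW))
    for case in cases_to_context(SAMPLE_CASES):
        print(case["caseId"], case["severity"], case["alertIds"])
    print("alerts to enrich:", alert_ids_to_enrich(SAMPLE_CASES))
```

De-duplicating the alert IDs matters because one alert can sit on several cases (as `a-1002` does in the sample), and each `msisac-get-alert` call is a separate API request.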