MS-ISAC
MS-ISAC Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
This API queries alerts and alert data from the MS-ISAC API to enrich and query alerts from the platform This integration was integrated and tested with version 1.2 (7/1/25) of the MS-ISAC API.
#
Configure MS-ISAC in CortexParameter | Description | Required |
---|---|---|
API Key | Key provided by MS-ISAC according to the detailed Instructions | True |
Server URL | This is the URL provided by MS-ISAC for the base of all endpoints | True |
Trust any certificate (not secure) | False | |
Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
msisac-get-alertRetrieve alert data by its ID
#
Base Commandmsisac-get-alert
#
InputArgument Name | Description | Required |
---|---|---|
alert_id | The ID of the MS-ISAC alert. | True |
#
Context OutputPath | Type | Description |
---|---|---|
MSISAC.Alert.alertId | string | The id for this alert |
MSISAC.Alert.affectedIp | string | The internal IP that is associated with the traffic |
MSISAC.Alert.alertedAt | string | The timestamp when the alert happened |
MSISAC.Alert.applicationProtocol | string | The protocol associated with the traffic |
MSISAC.Alert.category | string | The category of the alert |
MSISAC.Alert.createdAt | string | The timestamp when the alert was created |
MSISAC.Alert.destinationIp | string | The destination IP of the traffic |
MSISAC.Alert.destinationPort | number | The destination port number of the traffic |
MSISAC.Alert.encodedPayload | string | The encoded payload of the traffic |
MSISAC.Alert.httpHostname | string | The HTTP hostname of the traffic |
MSISAC.Alert.httpMethod | string | The HTTP method of the traffic |
MSISAC.Alert.httpStatus | number | The HTTP status code of the traffic |
MSISAC.Alert.httpUrl | string | The HTTP url of the traffic |
MSISAC.Alert.logicalSensor | string | The name for the sensor that triggered the event |
MSISAC.Alert.mitreTactic | string | The mitre tactic associated with the traffic |
MSISAC.Alert.mitreTechnique | string | The mitre technique associated with the traffic |
MSISAC.Alert.signatureDirection | string | The direction of the traffic flow |
MSISAC.Alert.signatureId | number | The signature id of the traffic |
MSISAC.Alert.signatureName | string | The signature name of the traffic |
MSISAC.Alert.sourceIp | string | The source IP of the traffic |
MSISAC.Alert.sourcePort | number | The source port number of the traffic |
MSISAC.Alert.transportProtocol | string | The transport protocol of the traffic |
#
msisac-retrieve-casesRetrieves a list of MS-ISAC cases created since the given timestamp.
#
Base Commandmsisac-retrieve-cases
#
InputArgument Name | Description | Required |
---|---|---|
timestamp | Needs to be in "2025-07-01T00:00:00" format, in UTC. If no timestamp is given, command will return cases from the last 72 hours. | False |
#
Context OutputPath | Type | Description |
---|---|---|
MSISAC.RetrievedCases.caseId | string | ID for the retrieved MS-ISAC case |
MSISAC.RetrievedCases.affectedIp | string | The internal IP that is associated with the traffic |
MSISAC.RetrievedCases.alertIds | list | The MSISAC alert ids associated with the case |
MSISAC.RetrievedCases.createdAt | string | The timestamp when the case was created. This is associated with the timestamp input parameter |
MSISAC.RetrievedCases.logicalSensorName | string | The name for the sensor that triggered the event |
MSISAC.RetrievedCases.modifiedAt | string | The timestamp for when the case was last modified |
MSISAC.RetrievedCases.severity | string | The severity of the case |