Skip to main content


This Integration is part of the MS-ISAC Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This API queries alerts and alert data from the MS-ISAC API to enrich and query alerts from the platform This integration was integrated and tested with version 1.1 of MS-ISAC

Configure MS-ISAC on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for MS-ISAC.

  3. Click Add instance to create and configure a new integration instance.

    API KeyKey provided by MS-ISAC according to the detailed InstructionsTrue
    Server URLThis is the URL provided by MS-ISAC for the base of all endpointsTrue
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Retrieve alert data by its ID

Base Command#



Argument NameDescriptionRequired
event_idThe ID of the MS-ISAC event.Optional

Context Output#

MSISAC.Event.EventIDstringThe event ID for this specific retrieval
MSISAC.Event.StreamunknownA list of data streams that were pulled from this MS-ISAC event. These lists of dictionaries contain more detailed information
MSISAC.Event.Stream.flow_idnumberThe ID for this specific data flow
MSISAC.Event.Stream.startdateThe start data for this stream
MSISAC.Event.Stream.src_ipstringThe source IP of the event
MSISAC.Event.Stream.vlanunknownA list of all the VLANs configured for this interface
MSISAC.Event.Stream.pkts_toservernumberThe number of packets sent
MSISAC.Event.Stream.dest_ipstringThe destination IP for this flow
MSISAC.Event.Stream.lengthnumberThe length of this flow
MSISAC.Event.Stream.streamdataasciistringA string representation of the flow data that is granularly displayed
MSISAC.Event.Stream.hoststringThe Albert sensor that detected the traffic
MSISAC.Event.Stream.protostringTCP or UDP communication
MSISAC.Event.Stream.app_protostringThe application protocol that was used in this communication
MSISAC.Event.Stream.logical_sensor_idstringThe ID for the sensor that detected the traffic
MSISAC.Event.Stream.streamdatalenstringThe total data sent in the request
MSISAC.Event.Stream.pkts_toclientnumberThe total amount of packets sent
MSISAC.Event.Stream.flow_idnumberThe specific ID for this flow
MSISAC.Event.Stream.in_ifacestringThe physical interface that this traffic traversed
MSISAC.Event.Stream.timedateThe time that this traffic occured in a more human readable format than 'start'
MSISAC.Event.Stream.urlstringThe URL that was attempted with this traffic
MSISAC.Event.Stream.bytes_toservernumberThe size of the data sent to the server
MSISAC.Event.Stream.statusnumberThe status code for this data stream
MSISAC.Event.Stream.hostnamestringThe hostname (not URL) of the attempted traffic
MSISAC.Event.Stream.http_content_typestringThe content encoding used for the response traffic
MSISAC.Event.Stream.http_methodstringThe method used to send the traffic (GET, POST, etc)
MSISAC.Event.Stream.protocolstringWhat web protocol was used (HTTP/1.1 etc)
MSISAC.Event.Stream.bytes_toclientnumberThe size of the data sent to the client
MSISAC.Event.Stream.src_portnumberThe source port for the traffic
MSISAC.Event.Stream.dest_portstringThe destination port for the traffic
MSISAC.Event.Stream.event_typeunknownThe type of event submitted from MS-ISAC


Retrieves a list of MS-ISAC events for a given number of days (one or greater)

Base Command#



Argument NameDescriptionRequired
daysThe number of days worth of events to return. Must be one or greater. Default is 1.Required
event_idIf you want to search the list of events for a specific event, specify this optional command to return just those results.Optional

Context Output#

MSISAC.RetrievedEvents.event_idnumberID for the retrieved MS-ISAC event
MSISAC.RetrievedEvents.stimedateThe time that the traffic started
MSISAC.RetrievedEvents.sourceipstringThe IP that originated the traffic
MSISAC.RetrievedEvents.analyzed_tsdateThe time that this traffic was analyzed by MS-ISAC
MSISAC.RetrievedEvents.logical_sensor_idstringThe ID for the sensor that triggered the event
MSISAC.RetrievedEvents.ticket_idstringString representation of event_id
MSISAC.RetrievedEvents.queuestringThe group that originated the event
MSISAC.RetrievedEvents.statusstringThe current state of the event
MSISAC.RetrievedEvents.previous_escalationsstringHow many times this alert has been escalated
MSISAC.RetrievedEvents.last_stimedateThe last time that this traffic was observed (stop time)
MSISAC.RetrievedEvents.sensorstringThe hostname of the sensor that triggered the event
MSISAC.RetrievedEvents.analysisstringThe analysis provided by MS-ISAC
MSISAC.RetrievedEvents.descriptionstringThe description of the event
MSISAC.RetrievedEvents.severitystringThe severity assigned to the MS-ISAC alert