Perch
This Integration is part of the Perch Pack.
Use the Perch integration to manage alerts, indicators, and communities.
This integration was integrated and tested with the latest version of Perch.
Configure Perch on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Perch.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g., https://api.perch.rocks/)
- API Token
- Trust any certificate (not secure): disables TLS certificate verification for the server URL; leave it unchecked unless you are deliberately testing against a host with an untrusted certificate.
- Use system proxy
- Previous days to fetch
- Credentials
- Incident Soc Statuses to Fetch
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Search for alerts: perch-search-alerts
- Get information for a community: perch-get-community
- Get a list of all communities: perch-list-communities
- Create an indicator: perch-create-indicator
1. Search for alerts
Searches for alerts in Perch.
Base Command
perch-search-alerts
Input
| Argument Name | Description | Required |
|---|---|---|
| page | Page of results to return. | Optional |
| page_size | Number of results to return per page. | Optional |
| closed | Whether the alert is closed. | Optional |
| closed_at | Time that the alert was closed. | Optional |
| community_id | Community ID that generated the alert. | Optional |
| created_at | Time that the alert was created. | Optional |
| dest_ip | Destination IP address. | Optional |
| dest_port | Destination port. | Optional |
| full_url | Full URL of the alert. | Optional |
| id | ID of the alert. | Optional |
| indicator_id | ID of the indicator. | Optional |
| indicator_loaded | Whether the indicator is loaded. | Optional |
| observable_id | Observable ID. | Optional |
| protocol | Protocol affected by the alert. | Optional |
| sensor_id | ID of the sensor that generated the alert. | Optional |
| sensor_name | Name of the sensor that generated the alert. | Optional |
| soc_status | Status in the SOC. | Optional |
| src_ip | Source IP address. | Optional |
| src_port | Source port. | Optional |
| status | Status of the alert. | Optional |
| status_updated_at | Time that the status was last updated. | Optional |
| team_id | ID of the team that generated the alert. | Optional |
| title | Title of the alert. | Optional |
| ts | Timestamp of the alert. | Optional |
| ordering | Order of the returned alerts. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Perch.Alert.DestPort | Number | Destination port of the alert. |
| Perch.Alert.SrcPort | Number | Source port of the alert. |
| Perch.Alert.DestIP | String | Destination IP of the alert. |
| Perch.Alert.IndicatorID | String | Indicator ID of the alert (e.g., EmergingThreats:Indicator-2522162). |
| Perch.Alert.SrcIP | String | IP address of the source. |
| Perch.Alert.SrcGeo.Country | String | Country of the threat. |
| Perch.Alert.SrcGeo.Latitude | Number | Latitude of the detected threat. |
| Perch.Alert.SrcGeo.Longitude | Number | Longitude of the detected threat. |
| Perch.Alert.SensorID | Number | ID of the sensor that reported the threat. |
| Perch.Alert.Title | String | Title of the alert. |
| Perch.Alert.Protocol | String | Protocol on which the alert was detected. |
| Perch.Alert.ID | Number | ID of the alert. |
| Perch.Alert.ObservableID | Number | ID of the observable event. |
| Perch.Alert.TS | Date | Timestamp of the alert. |
Command Example
!perch-search-alerts page_size=1
Context Example
{
"Perch": {
"Alert": [
{
"Protocol": "TCP",
"Title": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 82",
"SrcPort": 30834,
"TS": "2019-07-22T08:49:28.518216+0000",
"ID": 854408,
"ObservableID": 908757,
"DestIP": "172.31.46.243",
"IndicatorID": "EmergingThreats:Indicator-2522162",
"SrcIP": "77.247.181.163",
"SensorID": 9185,
"SrcGeo": {
"Latitude": 52.3824,
"Country": "Netherlands",
"Longitude": 4.8995
},
"DestPort": 22
}
]
}
}
Human Readable Output
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 82
| Destination IP | Destination Port | ID | Indicator ID | Observable ID | Protocol | Sensor ID | Source Geo | Source IP | Source Port | Timestamp | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 172.31.46.243 | 22 | 854408 | EmergingThreats:Indicator-2522162 | 908757 | TCP | 9185 | Latitude: 52.3824<br>Longitude: 4.8995<br>Country Name: Netherlands | 77.247.181.163 | 30834 | 2019-07-22T08:49:28.518216+0000 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 82 |
2. Get information for a community
Gets community information by ID.
Base Command
perch-get-community
Input
| Argument Name | Description | Required |
|---|---|---|
| id | ID of the community. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Perch.Community.Allsectors | Boolean | Indicates if the community covers all sectors. |
| Perch.Community.Credentialreq | Number | Credentials required to interact with the community. |
| Perch.Community.Desc | String | Description of the community. |
| Perch.Community.Id | Number | ID of the community. |
| Perch.Community.Name | String | Name of the community. |
| Perch.Community.Poweredby | String | Organization providing the feed. |
| Perch.Community.Selectablefeeds | Boolean | Whether the feeds are selectable. |
Command Example
!perch-get-community id=1
Context Example
{
"Perch": {
"Community": {
"Selectablefeeds": true,
"Allsectors": true,
"Name": "Hail-a-TAXII",
"Credentialreq": 2,
"Poweredby": "Soltra Edge",
"Id": 1,
"Desc": "A repository of Open Source Cyber Threat Intelligence feeds in STIX format"
}
}
}
Human Readable Output
Communities Found
| Allsectors | Credentialreq | Desc | Id | Name | Poweredby | Selectablefeeds |
|---|---|---|---|---|---|---|
| true | 2 | A repository of Open Source Cyber Threat Intelligence feeds in STIX format | 1 | Hail-a-TAXII | Soltra Edge | true |
3. Get a list of all communities
Returns a list of all communities.
Base Command
perch-list-communities
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Perch.Community.Allsectors | Boolean | Indicates if the community covers all sectors. |
| Perch.Community.Credentialreq | Number | Credentials required to interact with the community. |
| Perch.Community.Desc | String | Description of the community. |
| Perch.Community.Id | Number | ID of the community. |
| Perch.Community.Name | String | Name of the community. |
| Perch.Community.Poweredby | String | Organization providing the feed. |
| Perch.Community.Selectablefeeds | Boolean | Whether the feeds are selectable. |
Command Example
!perch-list-communities
Context Example
{
"Perch": {
"Community": [
{
"Selectablefeeds": true,
"Allsectors": true,
"Name": "Hail-a-TAXII",
"Credentialreq": 2,
"Poweredby": "Soltra Edge",
"Id": 1,
"Desc": "A repository of Open Source Cyber Threat Intelligence feeds in STIX format"
},
{
"Selectablefeeds": false,
"Allsectors": true,
"Name": "DHS AIS",
"Credentialreq": 2,
"Poweredby": "Flare",
"Id": 5,
"Desc": "Department of Homeland Security - Automated Indicator Sharing"
},
{
"Selectablefeeds": true,
"Allsectors": true,
"Name": "Emerging Threats",
"Credentialreq": 0,
"Poweredby": "Emerging Threats",
"Id": 8,
"Desc": "Open source intelligence data provided by Emerging Threats/ProofPoint"
}
]
}
}
Human Readable Output
Communities Found
| Allsectors | Credentialreq | Desc | Id | Name | Poweredby | Selectablefeeds |
|---|---|---|---|---|---|---|
| true | 2 | A repository of Open Source Cyber Threat Intelligence feeds in STIX format | 1 | Hail-a-TAXII | Soltra Edge | true |
| true | 2 | Department of Homeland Security - Automated Indicator Sharing | 5 | DHS AIS | Flare | false |
| true | 0 | Open source intelligence data provided by Emerging Threats/ProofPoint | 8 | Emerging Threats | Emerging Threats | true |
4. Create an indicator
Creates an indicator in Perch.
Base Command
perch-create-indicator
Input
| Argument Name | Description | Required |
|---|---|---|
| communities | Communities to report the indicator to. | Required |
| confidence | Confidence of the findings. | Required |
| type | Type of indicator. | Required |
| value | The value of the indicator. | Required |
| title | The title of the indicator. | Required |
| description | Description of the indicator. | Required |
| tlp | TLP of the Indicator. | Required |
| operator | Operator of the indicator. | Optional |
| first_sighting | When the indicator was first sighted. | Optional |
| email_summary | Sends an email with the summary of the indicator. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Perch.Indicator.Confidence | Unknown | Confidence of the indicator. |
| Perch.Indicator.UpdatedAt | Date | Date and time that the indicator was last updated. |
| Perch.Indicator.TLP | String | TLP of the indicator. |
| Perch.Indicator.Title | String | Title of the indicator. |
| Perch.Indicator.Description | String | Description of the indicator. |
| Perch.Indicator.ID | Number | ID of the indicator. |
| Perch.Indicator.CreatedAt | Date | Date and time that the indicator was created. |
| Perch.Indicator.Team | Number | ID of the team that owns the indicator. |
| Perch.Indicator.PerchID | String | The Perch UUID of the indicator. |
| Perch.Indicator.CreatedBy | Number | ID of the user that created the indicator. |
Command Example
!perch-create-indicator communities=8 confidence=LOW description="Sample Alert Generated via Demisto" title="Sample Alert" tlp=WHITE type=Domain value="sample.com"
Context Example
{
"Perch": {
"Indicator": [
{
"Description": "Sample Alert Generated via Demisto",
"Title": "Sample Alert",
"UpdatedAt": "2019-07-23T20:06:26.046774Z",
"PerchID": "41716ec9-4001-4d20-8aba-04137fa47c83",
"CreatedBy": 11728,
"Team": 5394,
"ID": 1236830,
"CreatedAt": "2019-07-23T20:06:26.046757Z"
}
]
}
}
Human Readable Output
Sample Alert
| Created At | Created By | Description | ID | Perch ID | Team | Title | Updated At |
|---|---|---|---|---|---|---|---|
| 2019-07-23T20:06:26.046757Z | 11728 | Sample Alert Generated via Demisto | 1236830 | 41716ec9-4001-4d20-8aba-04137fa47c83 | 5394 | Sample Alert | 2019-07-23T20:06:26.046774Z |