Pulsedive

This Integration is part of the Pulsedive Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Enrich and analyze any domain, URL, or IP. Pivot to search on data points and linked indicators to investigate risky properties. This integration was integrated and tested with version 5.1.15 of Pulsedive.

Configure Pulsedive on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Pulsedive.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | API Key |  | True |
    | Minimum severity of alerts to fetch |  | True |
    | Trust any certificate (not secure) |  | False |
    | Use system proxy settings |  | False |
    | Fetch indicators |  | False |
    | Indicator Reputation | Indicators from this integration instance will be marked with this reputation | False |
    | Source Reliability | Reliability of the source providing the intelligence data | True |
    |  |  | False |
    |  |  | False |
    | Feed Fetch Interval |  | False |
    | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

Return IP information and reputation

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| Pulsedive.IP.asn | String | The autonomous system name for the IP address. |
| Pulsedive.IP.asn_cidr | String | The ASN CIDR. |
| Pulsedive.IP.asn_country_code | String | The ASN country code. |
| Pulsedive.IP.asn_date | Date | The date on which the ASN was assigned. |
| Pulsedive.IP.asn_description | String | The ASN description. |
| Pulsedive.IP.asn_registry | String | The registry the ASN belongs to. |
| Pulsedive.IP.entities | String | Entities associated to the IP. |
| Pulsedive.IP.ip | String | The actual IP address. |
| Pulsedive.IP.network.cidr | String | Network CIDR for the IP address. |
| Pulsedive.IP.network.country | Unknown | The country of the IP address. |
| Pulsedive.IP.network.end_address | String | The last IP address of the CIDR. |
| Pulsedive.IP.network.events.action | String | The action that happened on the event. |
| Pulsedive.IP.network.events.actor | Unknown | The actor that performed the action on the event. |
| Pulsedive.IP.network.events.timestamp | String | The timestamp when the event occurred. |
| Pulsedive.IP.network.handle | String | The handle of the network. |
| Pulsedive.IP.network.ip_version | String | The IP address version. |
| Pulsedive.IP.network.links | String | Links associated to the IP address. |
| Pulsedive.IP.network.name | String | The name of the network. |
| Pulsedive.IP.network.notices.description | String | The description of the notice. |
| Pulsedive.IP.network.notices.links | Unknown | Links associated with the notice. |
| Pulsedive.IP.network.notices.title | String | Title of the notice. |
| Pulsedive.IP.network.parent_handle | String | Handle of the parent network. |
| Pulsedive.IP.network.raw | Unknown | Additional raw data for the network. |
| Pulsedive.IP.network.remarks | Unknown | Additional remarks for the network. |
| Pulsedive.IP.network.start_address | String | The first IP address of the CIDR. |
| Pulsedive.IP.network.status | String | Status of the network. |
| Pulsedive.IP.network.type | String | The type of the network. |
| Pulsedive.IP.query | String | IP address that was queried. |
| Pulsedive.IP.raw | Unknown | Additional raw data for the IP address. |
| Pulsedive.IP.score | Number | Reputation score from HelloWorld for this IP (0 to 100, where higher is worse). |
| IP.Address | String | IP address. |
| IP.Malicious.Vendor | String | The vendor reporting the IP address as malicious. |
| IP.Malicious.Description | String | A description explaining why the IP address was reported as malicious. |
| IP.ASN | String | The autonomous system name for the IP address. |

domain

Returns Domain information and reputation.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | List of Domains. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| Domain.Name | String | The domain name. |
| Domain.Malicious.Vendor | String | The vendor reporting the domain as malicious. |
| Domain.Malicious.Description | String | A description explaining why the domain was reported as malicious. |
| Domain.Registrant.Name | String | The name of the registrant. |
| Domain.Registrant.Country | String | The country of the registrant. |
| Domain.Organization | String | The organization of the domain. |
| Domain.CreationDate | Date | The creation date of the domain. Format is ISO8601 (i.e. '2020-04-30T10:35:00.000Z'). |
| Domain.ExpirationDate | Date | The expiration date of the domain. Format is ISO8601 (i.e. '2020-04-30T10:35:00.000Z'). |
| Domain.UpdatedDate | Date | The date when the domain was last updated. Format is ISO8601 (i.e. '2020-04-30T10:35:00.000Z'). |
| Domain.NameServers | String | Name servers of the domain. |
| Domain.WHOIS.NameServers | String | A CSV string of name servers, for example 'ns1.bla.com, ns2.bla.com'. |
| Domain.WHOIS.CreationDate | Date | The creation date of the domain. Format is ISO8601 (i.e. '2020-04-30T10:35:00.000Z'). |
| Domain.WHOIS.UpdatedDate | Date | The date when the domain was last updated. Format is ISO8601 (i.e. '2020-04-30T10:35:00.000Z'). |
| Domain.WHOIS.ExpirationDate | Date | The expiration date of the domain. |
| Domain.WHOIS.Registrar.Name | String | The name of the registrar, for example 'GoDaddy' |
| IP.ASN | String | The autonomous system name for the IP address. |
| Pulsedive.Domain.address | String | Domain admin address. |
| Pulsedive.Domain.city | String | Domain admin city. |
| Pulsedive.Domain.country | String | Domain admin country. |
| Pulsedive.Domain.creation_date | Date | Domain creation date. Format is ISO8601. |
| Pulsedive.Domain.dnssec | String | DNSSEC status. |
| Pulsedive.Domain.domain | String | The domain name. |
| Pulsedive.Domain.domain_name | String | Domain name options. |
| Pulsedive.Domain.emails | String | Contact emails. |
| Pulsedive.Domain.expiration_date | Date | Expiration date. Format is ISO8601. |
| Pulsedive.Domain.name | String | Domain admin name. |
| Pulsedive.Domain.name_servers | String | Name server. |
| Pulsedive.Domain.org | String | Domain organization. |
| Pulsedive.Domain.referral_url | Unknown | Referral URL. |
| Pulsedive.Domain.registrar | String | Domain registrar. |
| Pulsedive.Domain.score | Number | Reputation score from HelloWorld for this domain (0 to 100, where higher is worse). |
| Pulsedive.Domain.state | String | Domain admin state. |
| Pulsedive.Domain.status | String | Domain status. |
| Pulsedive.Domain.updated_date | Date | Updated date. Format is ISO8601. |
| Pulsedive.Domain.whois_server | String | WHOIS server. |
| Pulsedive.Domain.zipcode | Unknown | Domain admin zipcode. |

url

Returns URL information and reputation.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | List of URLs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| URL.Data | string | The URL. |
| URL.Malicious.Vendor | string | The vendor reporting the URL as malicious. |
| URL.Malicious.Description | string | A description of the malicious URL. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| URL.DetectionEngines | string | The total number of engines that checked the indicator. |
| URL.PositiveDetections | string | The number of engines that positively detected the indicator as malicious. |

pulsedive-scan

Scan an indicator (IP/URL/Domain)

Base Command

pulsedive-scan

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| value | The value to scan. | Required |
| scan_type | You can choose between passive and active scanning. Passive scans fetch data without reaching out directly to the indicator, including performing WHOIS and DNS requests. Active scans are more noisy; we'll do a quick port scan and reach out to the indicator with a web browser. Possible values are: active, passiv. Default is active. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Pulsedive.Scan.qid | Number | QID of the scan. |
| Pulsedive.Scan.value | string | The value which was scanned. |
| Pulsedive.Scan.success | string | The success message. |
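
A pre-submission check that reflects the notices above (submitted indicators might become publicly available, and active scans connect to the indicator), given here as an added example that is not part of the Pulsedive integration. The function `submission_decision`, the `INTERNAL_SUFFIXES` list, the decision labels and the policy itself are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: DNS suffixes that mark internal names in your environment (constructed).
INTERNAL_SUFFIXES = (".corp.example", ".internal", ".local")


def _host_is_internal(host, suffixes):
    """True for non-global IPs, single-label names and names under an internal suffix."""
    host = host.rstrip(".").lower()
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return "." not in host or host.endswith(tuple(suffixes))


def submission_decision(value, may_contact_target=False, suffixes=INTERNAL_SUFFIXES):
    """Return (decision, reason); decision is 'block', 'passive-only' or 'active-ok'."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)          # bare IPv4/IPv6 literal
        host, parts = value, None
    except ValueError:
        parts = urlsplit(value if "://" in value else "//" + value)
        host = parts.hostname or ""
    if not host:
        return "block", "no host could be parsed"
    if _host_is_internal(host, suffixes):
        return "block", "internal host would be disclosed to a third party"
    if parts and (parts.username or parts.password):
        return "block", "URL embeds credentials"
    if parts and parts.query:
        return "block", "query string may carry tokens; strip it or review first"
    if not may_contact_target:
        return "passive-only", "active scans connect to the indicator"
    return "active-ok", "public indicator, contact permitted"


if __name__ == "__main__":
    # Constructed sample indicators.
    for sample in ["10.20.30.40", "wiki.corp.example", "example.com",
                   "https://example.com/reset?token=abc123"]:
        print(sample, "->", submission_decision(sample))
```

Run the check in a playbook or automation before calling `domain`, `url` or `pulsedive-scan`, and map the decision to the `scan_type` argument documented above.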

pulsedive-scan-result

Retrieve the result of a scan.

Base Command

pulsedive-scan-result

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| qid | QID received from scan command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| Pulsedive.ScanResult | Unknown | Complete data returned from the scan. |
| Domain.Name | String | The domain name. |
| Domain.DomainStatus | String | The status of the domain. |
| Domain.NameServers | String | Name servers of the domain. |
| Domain.WHOIS.NameServers | String | A CSV string of name servers, for example 'ns1.bla.com, ns2.bla.com'. |
| Pulsedive.Scan.success | string | The success message. |
| IP.Address | String | IP address. |
| IP.Geo.Country | String | The country in which the IP address is located. |
| IP.Port | String | Ports that are associated with the IP. |
| IP.ASN | String | The autonomous system name for the URL, for example: 'AS8948'. |
| URL.DATA | String | The URL. |