Supported Cortex XSOAR versions: 6.0.0 and later.
QSentry queries help measure the likelihood that a user is masking their identity using publicly or privately available proxy or VPN services. The returns also flag any known fraud associations. QSentry aggregates data from Qintel’s proprietary Deep and DarkWeb research, as well as from commercially available anonymization services. This integration was integrated and tested with version 4.0 of Qintel QSentry
Navigate to Settings > Integrations > Servers & Services.
Search for QintelQSentry.
Click Add instance to create and configure a new integration instance.
Parameter Required QSentry API URL (optional) False Qintel Token True Trust any certificate (not secure) False Use system proxy settings False
Click Test to validate the URLs, token, and connection.
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Queries Qintel for IP reputation data
|ip||List of IPs.||Required|
|DBotScore.Indicator||String||The indicator that was tested|
|DBotScore.Type||String||The indicator type|
|DBotScore.Vendor||String||The vendor used to calculate the score|
|DBotScore.Score||Number||The actual score|
|IP.ASN||string||The autonomous system name for the IP address|
|IP.ASOwner||string||The autonomous system name for the IP address|
|IP.Malicious.Vendor||string||The vendor reporting the IP address as malicious|
|IP.Malicious.Description||string||A description explaining why the IP address was reported as malicious|
|Qintel.IP.LastObserved||string||Last observed time|
ASN AS Owner Tags Description Last Observed 65000 Some Service Provider
This ip address has been associated with a vpn network that offers paid access to users. it is advertised in online underground spaces.,
This ip address has been associated with a proxy network that offers paid access to users and is advertised within the online underground. it is commonly utilized by criminal actors to conduct compromised credential checking and the proxy network is hosted on a botnet infrastructure. ip address is likely an infected machine.