
RaDark

This Integration is part of the KELA RaDark Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This integration enables you to fetch incidents and manage your RaDark monitor from Cortex XSOAR. This integration was integrated and tested with version 2 of RaDark.

Configure RaDark on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for RaDark.

  3. Click Add instance to create and configure a new integration instance.

     | Parameter | Description | Required |
     | --- | --- | --- |
     | API Key | API Key generated from RaDark by your user. | True |
     | First time fetching | Start fetching incidents from the specified time. | False |
     | Trust any certificate (not secure) | | False |
     | Use system proxy settings | | False |
     | Monitor ID | Set your monitor ID in RaDark. | True |
     | Fetch incidents | | False |
     | Incidents Fetch Interval | | False |
     | Incident type | | False |
     | Max incidents to fetch each fetching | Maximum supported: 1000 | False |
     | Incident types to fetch | Set which incident types to fetch from RaDark. | True |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

radark-incident-get-items

Fetch all items for an incident by the given incident ID.

Base Command

radark-incident-get-items

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The unique ID of an incident that requires enrichment. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Radark.itemDetails.items.item_id | string | The ID of the item on RaDark. |
| Radark.itemDetails.items.email | string | The email of the item. |
| Radark.itemDetails.items.domain | string | The domain of the item. |
| Radark.itemDetails.items.password | string | The password of the item. |
| Radark.itemDetails.items.password_type | string | The password type of the item. |
| Radark.itemDetails.items.source | string | The source of the item. |
| Radark.itemDetails.items.service | string | The service of the item. |
| Radark.itemDetails.items.dump_post_date | string | The dump post date of the item. |
| Radark.itemDetails.items.compromised_website | string | The compromised website of the item. |
| Radark.itemDetails.items.bot_id | string | The bot ID of the item. |
| Radark.itemDetails.items.resource | string | The resource of the item. |
| Radark.itemDetails.items.country | string | The country of the item. |
| Radark.itemDetails.items.source_ip | string | The source IP of the item. |
| Radark.itemDetails.items.infection_type | string | The infection type of the item. |
| Radark.itemDetails.items.updated_date | string | The updated date of the item. |
| Radark.itemDetails.items.username | string | The username of the item. |
| Radark.itemDetails.items.additional_data | string | The additional data of the item. |
| Radark.itemDetails.items.price | string | The price of the item. |
| Radark.itemDetails.items.isp | string | The ISP of the item. |
| Radark.itemDetails.details | string | General details of the incident. |

Command Example

!radark-incident-get-items incident_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Context Example

{
    "Radark": {
        "itemDetails": {
            "items": [
                {
                    "item_id": "<ITEM_ID>",
                    "email": "testa@test.com",
                    "domain": "test.com",
                    "password": "-",
                    "password_type": "-",
                    "service": "-"
                }
            ],
            "details": "Incident contains 44 items. Full details can be found on \"items\" tab."
        }
    }
}

Note: the set of item fields is flexible and depends on the incident type; only the fields RaDark populated for that type are returned.

Human Readable Output

No data found for item ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
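Because the items list is schema-flexible and carries raw passwords, an automation that consumes this context should tolerate missing keys and mask secrets before anything is written to the War Room or a note. The following Python helper is an added example, not code from the KELA RaDark pack: it works over a constructed context shaped like the Context Example above, and the sample values, the monitored-domain list and the function names are assumptions.

```python
"""Triage helper for the Radark.itemDetails context written by
radark-incident-get-items (added example, not part of the RaDark pack).
Item keys vary with the incident type, so every lookup tolerates a
missing key instead of assuming the full schema."""
from collections import Counter

# Constructed sample context, shaped like the page's Context Example.
# All values are made up; "-" marks a field RaDark did not populate.
SAMPLE_CONTEXT = {
    "Radark": {
        "itemDetails": {
            "items": [
                {"item_id": "item-1", "email": "testa@test.com", "domain": "test.com",
                 "password": "Winter2024!", "password_type": "plain", "service": "vpn"},
                {"item_id": "item-2", "email": "testb@test.com", "domain": "test.com",
                 "password": "-", "password_type": "-", "service": "-"},
                # A stealer-log style item carries different keys than a leak item.
                {"item_id": "item-3", "email": "someone@example.org",
                 "domain": "example.org", "password": "s3cret", "password_type": "plain",
                 "infection_type": "stealer", "source_ip": "198.51.100.7"},
            ],
            "details": 'Incident contains 3 items. Full details can be found on "items" tab.',
        }
    }
}


def get_items(context):
    """Return the items list from a Radark.itemDetails context, or [] if absent."""
    return context.get("Radark", {}).get("itemDetails", {}).get("items", []) or []


def has_password(item):
    """True when the item carries a real password rather than "-" or nothing."""
    value = item.get("password")
    return bool(value) and value != "-"


def mask_password(value):
    """Keep only the first character, so an analyst can see that a secret is
    present without the note itself becoming a second copy of the credential."""
    if not value or value == "-":
        return "-"
    return value[0] + "*" * (len(value) - 1)


def redacted_items(context):
    """Copy of the items with the password field masked; safe to display or attach."""
    out = []
    for item in get_items(context):
        copy = dict(item)
        if "password" in copy:
            copy["password"] = mask_password(copy["password"])
        out.append(copy)
    return out


def summarize_items(context, monitored_domains):
    """Counts that drive triage: items per domain, items with a usable
    password, and the IDs of exposed items in domains you own (candidates
    for a credential reset followed by radark-item-handle)."""
    items = get_items(context)
    monitored = {d.lower() for d in monitored_domains}
    per_domain = Counter((item.get("domain") or "unknown").lower() for item in items)
    exposed = [i for i in items if has_password(i)]
    in_scope_ids = sorted(
        i["item_id"] for i in exposed
        if "item_id" in i and (i.get("domain") or "").lower() in monitored
    )
    return {
        "total": len(items),
        "per_domain": dict(per_domain),
        "with_password": len(exposed),
        "in_scope_item_ids": in_scope_ids,
    }


if __name__ == "__main__":
    print(summarize_items(SAMPLE_CONTEXT, ["test.com"]))
    for item in redacted_items(SAMPLE_CONTEXT):
        print(item)
```

Inside an XSOAR automation the context would come from the command result rather than the constructed constant; the redacted copy is what belongs in the Human Readable output, while the in-scope item IDs feed the reset-then-handle step.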

radark-email-enrich

Search a specific email address to get all exposed leaked credentials collected by RaDark.

Base Command

radark-email-enrich

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email | The email address tested for leaked credentials. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Radark.emailDetails.emails.email | string | The email to enrich from RaDark. |
| Radark.emailDetails.emails.domain | string | The domain of the email. |
| Radark.emailDetails.emails.password_type | string | The password type of the email. |
| Radark.emailDetails.emails.password | string | The password of the email. |
| Radark.emailDetails.emails.service | string | The service of the email. |
| Radark.emailDetails.emails.source | string | The source of the email. |
| Radark.emailDetails.emails.date | string | The posted date of the email. |

Command Example

!radark-email-enrich email=testa@test.com

Context Example

{
    "Radark": {
        "emailDetails": {
            "emails": [
                {
                    "date": "2017-01-12T19:43:00Z",
                    "domain": "test.com",
                    "email": "testa@test.com",
                    "password": "-",
                    "password_type": "-",
                    "service": "-",
                    "source": "ss"
                }
            ]
        }
    }
}

Human Readable Output

| Email | Domain | Password Type | Password | Service | Source | Date |
| --- | --- | --- | --- | --- | --- | --- |
| testa@test.com | test.com | - | - | - | ss | 2017-01-12T19:43:00Z |
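The enrichment returns every leak RaDark has collected for the address, old and new alike, so the useful follow-up questions are which leaks post-date the user's last credential reset and where they came from. The Python helper below is an added example, not code from the KELA RaDark pack; it runs over a constructed context shaped like the Context Example above, and the sample dates, sources and function names are assumptions.

```python
"""Filter for the Radark.emailDetails context written by radark-email-enrich
(added example, not part of the RaDark pack)."""
from datetime import datetime, timezone

# Constructed sample context, shaped like the page's Context Example.
# The second and third entries are deliberate duplicates to exercise dedupe.
SAMPLE_CONTEXT = {
    "Radark": {
        "emailDetails": {
            "emails": [
                {"date": "2017-01-12T19:43:00Z", "domain": "test.com", "email": "testa@test.com",
                 "password": "-", "password_type": "-", "service": "-", "source": "ss"},
                {"date": "2023-09-30T08:15:00Z", "domain": "test.com", "email": "testa@test.com",
                 "password": "hunter2", "password_type": "plain", "service": "mail", "source": "combo-list"},
                {"date": "2023-09-30T08:15:00Z", "domain": "test.com", "email": "testa@test.com",
                 "password": "hunter2", "password_type": "plain", "service": "mail", "source": "combo-list"},
            ]
        }
    }
}


def parse_radark_date(value):
    """Parse the ISO-8601 "...Z" timestamps seen in the context into an aware
    UTC datetime. Returns None for "-" or anything unparsable."""
    if not value or value == "-":
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)
    except ValueError:
        return None


def get_leaks(context):
    """Return the emails list from a Radark.emailDetails context, or [] if absent."""
    return context.get("Radark", {}).get("emailDetails", {}).get("emails", []) or []


def dedupe_leaks(leaks):
    """Collapse exact repeats of the same credential from the same source and
    date, so counts reflect distinct exposures rather than re-posts."""
    seen = set()
    unique = []
    for leak in leaks:
        key = (leak.get("email"), leak.get("source"), leak.get("date"), leak.get("password"))
        if key in seen:
            continue
        seen.add(key)
        unique.append(leak)
    return unique


def leaks_since(context, last_reset_iso):
    """Distinct leaks posted after the user's last credential reset (ISO-8601
    string): the ones that may still be live. Entries without a parsable date
    are kept, because an unknown date is not evidence the credential is stale."""
    last_reset = parse_radark_date(last_reset_iso)
    if last_reset is None:
        raise ValueError("last_reset_iso must be an ISO-8601 timestamp")
    result = []
    for leak in dedupe_leaks(get_leaks(context)):
        when = parse_radark_date(leak.get("date"))
        if when is None or when > last_reset:
            result.append(leak)
    return result


def source_breakdown(context):
    """Number of distinct leaks per source, for the War Room summary."""
    counts = {}
    for leak in dedupe_leaks(get_leaks(context)):
        src = leak.get("source") or "unknown"
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    print(source_breakdown(SAMPLE_CONTEXT))
    for leak in leaks_since(SAMPLE_CONTEXT, "2020-01-01T00:00:00Z"):
        print(leak["date"], leak["source"], leak["service"])
```

The reset date would normally come from the identity provider or the incident's own fields; passing it as an ISO string keeps the helper easy to call from a playbook task that already holds the value as text.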

radark-item-handle

Mark item as handled on RaDark.

Base Command

radark-item-handle

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| item_id | The unique ID of an item that should be marked as handled on RaDark. | Required |

Context Output

There is no context output for this command.

Command Example

Human Readable Output

Item ID (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) marked as handled

radark-item-purchase

Request to purchase an item offered for sale on an automated store.

Base Command

radark-item-purchase

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| item_id | The unique ID of the item to be purchased. | Required |

Context Output

There is no context output for this command.

Command Example

!radark-item-purchase item_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Human Readable Output

Bot ID (<BOT_ID>) marked for purchasing