# Rapid7 - Threat Command (IntSights)

This Integration is part of the Rapid7 - Threat Command (IntSights) Pack.

#### Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

Rapid7 Insight - Threat Command allows managing alerts, CVEs, IOCs, and assets by accounts and MSSP accounts. This integration was integrated and tested with version 3.1.4 of rapid7_threat_command.
## Configure Rapid7 - Threat Command (IntSights) in Cortex

Parameter | Description | Required |
---|---|---|
Server URL | URL of the Rapid7 platform. | True |
Account ID | | True |
API key | | True |
Source Reliability | Reliability of the source providing the intelligence data. | True |
Fetch incidents | | False |
First fetch timestamp. | Timestamp in ISO format or <number> <time unit>, e.g., 2023-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now. | False |
Maximum incidents per fetch | The maximum number of alerts to fetch each time. The default is 50. If the value is greater than 200, it will be considered as 200. | True |
Alert types to fetch as incidents | Alert types to fetch as incidents. | False |
Network types to fetch as incidents | Network types to fetch as incidents. | False |
Minimum Alert Severity Level | Alerts with the minimum level of severity to fetch. | False |
Source types to filter alerts by | Source types to filter alerts by. | False |
Fetch closed alerts | Fetch closed alerts from the Rapid7 platform. | False |
Include CSV files of alerts | | False |
Include attachments of alerts | MSSP accounts must provide a sub-account ID to perform this action. | False |
Sub-account ID (for MSSP accounts). | | False |
Incident type | | False |
Use system proxy settings | | False |
Trust any certificate (not secure) | | False |
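Two of the parameters above carry their own normalization rules: the first-fetch timestamp accepts either an ISO 8601 timestamp or a relative `<number> <time unit>` form (or `now`), and the per-fetch maximum is capped at 200. The following Python is an added example, not the integration's own code; it implements both rules and assumes a 30-day month for the relative form and a unit set (minute/hour/day/week/month) that goes slightly beyond the units the parameter description lists.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Seconds per unit for the "<number> <time unit>" form of the First fetch parameter.
# A month is taken as 30 days (assumption of this example; the integration's own
# parser may differ).
_UNIT_SECONDS = {
    "minute": 60,
    "hour": 3600,
    "day": 86400,
    "week": 7 * 86400,
    "month": 30 * 86400,
}

_RELATIVE_RE = re.compile(r"^(\d+)\s+(minute|hour|day|week|month)s?$", re.IGNORECASE)


def parse_first_fetch(value: str, now: Optional[datetime] = None) -> datetime:
    """Return a timezone-aware UTC datetime for a First fetch parameter value.

    Accepts an ISO 8601 timestamp (e.g. 2023-01-01T00:00:00.000Z), a relative
    form such as "12 hours" or "7 days", or the literal "now". `now` is injectable
    so the behaviour can be tested deterministically.
    """
    now = now or datetime.now(timezone.utc)
    text = value.strip()
    if text.lower() == "now":
        return now
    match = _RELATIVE_RE.match(text)
    if match:
        amount, unit = int(match.group(1)), match.group(2).lower()
        return now - timedelta(seconds=amount * _UNIT_SECONDS[unit])
    # datetime.fromisoformat() before Python 3.11 rejects a trailing "Z", so map it
    # to an explicit +00:00 offset; naive values are treated as UTC.
    iso = text[:-1] + "+00:00" if text.endswith("Z") else text
    parsed = datetime.fromisoformat(iso)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def to_api_timestamp(dt: datetime) -> str:
    """Format a datetime in the millisecond ISO form shown in the parameter table."""
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


def effective_max_fetch(value: Optional[str], default: int = 50, cap: int = 200) -> int:
    """Apply the Maximum incidents per fetch rule: default 50, anything above 200 is 200."""
    if value is None or not str(value).strip():
        return default
    return min(int(value), cap)


if __name__ == "__main__":
    reference = parse_first_fetch("2023-01-08T00:00:00.000Z")
    for raw in ("7 days", "12 hours", "3 months", "now", "2023-01-01T00:00:00.000Z"):
        print(f"{raw!r:>28} -> {to_api_timestamp(parse_first_fetch(raw, now=reference))}")
    print("max fetch for '500':", effective_max_fetch("500"))
```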
## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### threat-command-cyber-term-list

List cyber terms by filter.

#### Base Command

`threat-command-cyber-term-list`

#### Input

Argument Name | Description | Required |
---|---|---|
search | Filter by free text, which can be the cyber term name or ID. | Optional |
types | A comma-separated list of cyber term types by which to filter the results. For example: ThreatActor,Campaign. Possible values are: Threat Actor, Malware, Campaign. | Optional |
severities | A comma-separated list of cyber term severities by which to filter the results. For example: High,Low. Possible values are: High, Medium, Low. | Optional |
sectors | A comma-separated list of targeted sectors by which to filter the results. For example: Education,Government. | Optional |
countries | A comma-separated list of targeted countries by which to filter the results. For example: Albania,Algeria. | Optional |
origins | A comma-separated list of nationalities by which to filter the results. For example: Egypt,Iraq. | Optional |
ttps | A comma-separated list of TTPs by which to filter the results. For example: Malware,Backdoor. | Optional |
last_update_from | Filter for results whose last update date is greater than the given value (in ISO 8601 format). For example: 2022-12-25T08:38:06Z. Default value: Last year. | Optional |
last_update_to | Filter for results whose last update date is less than the given value (in ISO 8601 format). For example: 2022-12-25T08:38:06Z. | Optional |
page | The page number of the results to retrieve (1-based). Default is 1. | Optional |
page_size | The number of objects per page. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.CyberTerm.id | String | The ID of the cyber term. |
ThreatCommand.CyberTerm.type | String | The type of the cyber term. |
ThreatCommand.CyberTerm.name | String | Name of the cyber term. |
ThreatCommand.CyberTerm.severity | String | The severity of the cyber term. |
ThreatCommand.CyberTerm.aliases | String | Aliases of the cyber term. |
ThreatCommand.CyberTerm.target_countries | String | List of targeted countries. |
ThreatCommand.CyberTerm.sectors | String | List of targeted sectors. |
ThreatCommand.CyberTerm.origins | String | List of origin nationalities. |
ThreatCommand.CyberTerm.created_date | Date | The date the cyber term was first reported. |
ThreatCommand.CyberTerm.updated_date | Date | The date the cyber term was last updated. |
ThreatCommand.CyberTerm.ttp | String | List of TTPs. |
ThreatCommand.CyberTerm.overview | String | Overview of the cyber term. |
ThreatCommand.CyberTerm.additional_information | String | Additional information about the cyber term. |
ThreatCommand.CyberTerm.related_malware | String | Related malware names. |
ThreatCommand.CyberTerm.related_threat_actor | String | Related threat actor names. |
ThreatCommand.CyberTerm.related_campaigns | String | Related campaign names. |
ThreatCommand.CyberTerm.MitreAttack.tactic | String | MITRE ATT&CK tactic name related to the cyber term. |
ThreatCommand.CyberTerm.MitreAttack.Techniques.name | String | MITRE ATT&CK technique names. |
ThreatCommand.CyberTerm.MitreAttack.Techniques.url | String | MITRE ATT&CK technique URLs. |
#### Command example

`!threat-command-cyber-term-list limit=1`

#### Context Example

#### Human Readable Output

Cyber terms

Id | Name | Severity | Overview | Target Countries | Sectors | Related Campaigns |
---|---|---|---|---|---|---|
6278d77884709631217f2ead | Curious Gorge | Medium | The Curious Gorge threat group was first reported by Google's Threat Analysis Group (TAG) in March 2022, amidst the Russo-Ukrainian War. The APT group, attributed to China’s Liberation Army Strategic Support Force (PLA SSF), targets government, military, logistics, and manufacturing organizations in Ukraine, Russia, and Central Asia. There is little information about Curious Gorge’s TTPs. In March 2022, Curious Gorge was observed targeting government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. In May 2022, Google reported that Curious Gorge attacked multiple government organizations in Russia, including the Ministry of Foreign Affairs as well as Russian defense contractors, manufacturers, and a logistics company. The attacks of a Chinese state-sponsored group against Russian entities are interesting, as the two countries are allies. It may reflect a possible shift in China's intelligence collection objectives amidst the Russo-Ukrainian War. | Kazakhstan, Mongolia, Russian Federation, Ukraine | Aerospace/Defense, Government, Manufacturing | The 2022 Russia-Ukraine Cyberwarfare |
### threat-command-cyber-term-cve-list

List cyber term CVEs by cyber term ID.

#### Base Command

`threat-command-cyber-term-cve-list`

#### Input

Argument Name | Description | Required |
---|---|---|
cyber_term_id | Cyber term unique ID (dependencies - use threat-command-cyber-term-list command to get all the cyber term IDs). | Required |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
all_results | Show all results if True. Possible values are: true, false. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.CVE.id | String | CVE ID. |
ThreatCommand.CVE.publish_date | String | CVE publish date. |
ThreatCommand.CVE.vendor_product | Number | CVE vendor product. |
#### Command example

`!threat-command-cyber-term-cve-list cyber_term_id=1234 limit=1`

#### Context Example

#### Human Readable Output

Related CVEs to Cyber term 628223a9b8a7a90f3aca3d7d

Id | Publish Date | Vendor Product |
---|---|---|
CVE-2015-8562 | 2015-12-16T21:59:00.000Z | Joomla Joomla! |
### threat-command-cyber-term-ioc-list

List cyber term IOCs by cyber term ID.

#### Base Command

`threat-command-cyber-term-ioc-list`

#### Input

Argument Name | Description | Required |
---|---|---|
cyber_term_id | Cyber term unique ID (dependencies - use threat-command-cyber-term-list command to get all the cyber term IDs). | Required |
ioc_type | IOC types to include. Possible values are: Ip Addresses, Urls, Domains, Hashes, Emails. | Optional |
page | The page number of the results to retrieve (1-based). Default is 1. | Optional |
page_size | The number of objects per page. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.IOC.value | String | The value of the IOC. |
ThreatCommand.IOC.type | String | The type of the IOC. |
ThreatCommand.IOC.updated_date | String | The date the IOC was last updated. |
ThreatCommand.IOC.status | String | The status of the IOC. |
ThreatCommand.IOC.is_whitelisted | String | Whether the IOC is whitelisted. |
ThreatCommand.IOC.severity | String | The severity of the IOC. |
ThreatCommand.IOC.reporting_feeds | String | List of reporting feeds in which the value appears. |
#### Command example

`!threat-command-cyber-term-ioc-list cyber_term_id=1234 limit=1`

#### Context Example

#### Human Readable Output

Related IOCs to Cyber term 628223a9b8a7a90f3aca3d7d

Value | Type | Is Whitelisted | Updated Date |
---|---|---|---|
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 | Hashes | false | 2022-11-17T11:13:28.000Z |
### threat-command-source-list

Gets the list of IOC document sources.

#### Base Command

`threat-command-source-list`

#### Input

Argument Name | Description | Required |
---|---|---|
limit | The maximum number of records to retrieve. Default is 50. | Optional |
all_results | Show all results if True. Possible values are: true, false. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Source.id | String | Source ID. |
ThreatCommand.Source.name | String | Source name. |
ThreatCommand.Source.confidence_level | Number | Source confidence level. |
ThreatCommand.Source.is_enable | Boolean | Whether the source is enabled. |
ThreatCommand.Source.type | String | Source type. |
#### Command example

`!threat-command-source-list limit=1`

#### Context Example

#### Human Readable Output

IOC sources

Id | Name | Confidence Level | Type |
---|---|---|---|
5b68306cf84f7c8696047fda | AlienVault OTX | 3 | IntelligenceFeed |
### threat-command-source-document-create

Adds a new IOC source document. At least one IOC is required.

#### Base Command

`threat-command-source-document-create`

#### Input

Argument Name | Description | Required |
---|---|---|
name | Source name. | Required |
description | Source description. | Required |
confidence_level | Source confidence level. Possible values are: 1, 2, 3. | Required |
share | Whether to share this source with all tenants (available for MSSP users only). Possible values are: true, false. | Optional |
severity | Source severity level. Possible values are: High, Medium, Low. | Optional |
tags | Comma-separated list of user tags for the document. | Optional |
domains | Comma-separated list of domain IOC values to add. For example: securitywap.com,test.com. | Optional |
urls | Comma-separated list of URL IOC values to add. For example: "http://securitywap.com/path". | Optional |
ips | Comma-separated list of IP IOC values to add. For example: 8.8.8.8,1.2.3.4. | Optional |
hashes | Comma-separated list of hash IOC values to add. For example: 8100f3d2668f0f61e6c7ea0dfda59458111238dfeeb9bf47d9fa7543abfb6fb7. | Optional |
emails | Comma-separated list of email IOC values to add. For example: test@test.com. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Source.Files.id | String | Document source ID. |
ThreatCommand.Source.Files.name | String | Document source name. |
#### Command example

`!threat-command-source-document-create name=2023test description=test confidence_level=1 domains=test.com`

#### Context Example

#### Human Readable Output

Source document successfully created.

Id | Name |
---|---|
64538007a44a2f2d6740f6be | 2023test |
### threat-command-source-document-delete

Deletes an existing IOC source document.

#### Base Command

`threat-command-source-document-delete`

#### Input

Argument Name | Description | Required |
---|---|---|
source_id | The ID of the source document (dependencies - use threat-command-source-ioc-get command with source_type="Files" to get all the document source IDs). | Required |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-source-document-delete source_id=6400a3289083fa5eab401cdd`

#### Human Readable Output

Source document "6400a3289083fa5eab401cdd" successfully deleted.
### threat-command-source-document-ioc-create

Creates new IOCs in an existing IOC source document. At least one IOC is required.

#### Base Command

`threat-command-source-document-ioc-create`

#### Input

Argument Name | Description | Required |
---|---|---|
source_id | The ID of the source document (dependencies - use threat-command-source-ioc-get command with source_type="Files" to get all the document source IDs). | Required |
domains | Comma-separated list of domain IOC values to create. For example: securitywap.com,test.com. | Optional |
urls | Comma-separated list of URL IOC values to create. For example: "http://securitywap.com/path". | Optional |
ips | Comma-separated list of IP IOC values to create. For example: 8.8.8.8,1.2.3.4. | Optional |
hashes | Comma-separated list of hash IOC values to create. For example: 8100f3d2668f0f61e6c7ea0dfda59458111238dfeeb9bf47d9fa7543abfb6fb7. | Optional |
emails | Comma-separated list of email IOC values to create. For example: test@test.com. | Optional |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-source-document-ioc-create source_id=6400a3289083fa5eab401cdd domains=test.com`

#### Human Readable Output

IOC "['test.com']" successfully added to "6400a3289083fa5eab401cdd" document source.
### threat-command-ioc-search

Gets IOC details by value, or the IOC's full enrichment data. When the enrichment flag is used, the command is scheduled (polled) and returns the full enrichment data. Note that enrichment has a quota; you can check it with threat-command-quotas-usage-get.

#### Base Command

`threat-command-ioc-search`

#### Input

Argument Name | Description | Required |
---|---|---|
ioc_value | IOC value. Required when last_updated_from is not set. Not supported for email addresses. When this argument is used, all the other filtering arguments are ignored. | Optional |
page | The page number of the results to retrieve (1-based). Default is 1. | Optional |
page_size | The number of objects per page. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
enrichment | Enrichment flag. Use True to enrich the data about the IOC. Supported IOC types are: Domains, URLs, IP addresses and file hashes. When this argument is used, all the other filtering arguments (except ioc_value) are ignored. Possible values are: true, false. | Optional |
interval_in_seconds | The interval in seconds between each poll. Relevant while enrichment=true. Default is 30. | Optional |
timeout_in_seconds | The timeout in seconds until polling ends. Relevant while enrichment=true. Default is 600. | Optional |
last_updated_from | Filter by last update date (IOC update date is greater than). For example: 2022-12-25T08:38:06Z. Required when ioc_value is not selected. | Optional |
last_updated_to | Filter by last update date (IOC update date is less than). For example: 2022-12-25T08:38:06Z. | Optional |
last_seen_from | Filter by last seen date (IOC last seen date is greater than). For example: 2022-12-25T08:38:06Z. | Optional |
last_seen_to | Filter by last seen date (IOC last seen date is less than). For example: 2022-12-25T08:38:06Z. | Optional |
first_seen_from | Filter by first seen date (IOC first seen date is greater than). For example: 2022-12-25T08:38:06Z. | Optional |
first_seen_to | Filter by first seen date (IOC first seen date is less than). For example: 2022-12-25T08:38:06Z. | Optional |
status | Filter by IOC status. Possible values are: Active, Retired. | Optional |
type_list | Comma-separated list of IOC types to filter. For example: Urls,Domains. Possible values are: Ip Addresses, Urls, Domains, Hashes, Emails. | Optional |
severity_list | Comma-separated list of IOC severities to filter. For example: Low,Medium. Possible values are: High, Medium, Low. | Optional |
whitelisted | Filter by whitelist status. Possible values are: true, false. | Optional |
source_ids | Comma-separated list of source IDs (dependencies - use threat-command-source-document-ioc-get command to get all the document source IDs). | Optional |
kill_chain_phases | Comma-separated list of Lockheed Martin kill chain phases. For example: Delivery,Exploitation. Possible values are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objective. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.IOC.value | String | IOC value. |
ThreatCommand.IOC.type | String | IOC type. |
ThreatCommand.IOC.Source.name | String | IOC source name (Relevant to enrichment only). |
ThreatCommand.IOC.Source.confindece_level | String | IOC source confidence level (Relevant to enrichment only). |
ThreatCommand.IOC.system_tags | String | IOC system tags (Relevant to enrichment only). |
ThreatCommand.IOC.tags | String | IOC tags. |
ThreatCommand.IOC.status | String | IOC status (Active/Retired), determined by how recently the IOC was last seen: a domain stays active for 3 months, an email address for 2 months, a file hash for 1 year, an IP address for 2 weeks, and a URL for 2 months. |
ThreatCommand.IOC.is_known_ioc | Boolean | Whether the IOC is known (Relevant to enrichment only). |
ThreatCommand.IOC.related_malware | String | Malware related to the IOC (Relevant to enrichment only). |
ThreatCommand.IOC.RelatedThreatActors.value | String | Threat actors related to the IOC (Relevant to enrichment only). |
ThreatCommand.IOC.related_campaign | String | Related campaign (Relevant to enrichment only). |
ThreatCommand.IOC.first_seen | Date | IOC first seen date. |
ThreatCommand.IOC.last_seen | Date | IOC last seen date. |
ThreatCommand.IOC.update_seen | Date | IOC updated seen date (Relevant to enrichment only). |
ThreatCommand.IOC.is_whitelisted | Boolean | Whether the IOC is whitelisted. |
ThreatCommand.IOC.Severity.value | String | IOC severity value. |
ThreatCommand.IOC.Severity.score | Number | IOC severity score. |
ThreatCommand.IOC.Severity.origin | String | IOC severity origin (Relevant to enrichment only). |
ThreatCommand.IOC.DnsRecord.value | String | IOC DNS recorded value (Relevant to enrichment only). |
ThreatCommand.IOC.DnsRecord.type | String | IOC DNS recorded type (Relevant to enrichment only). |
ThreatCommand.IOC.DnsRecord.first_resolved | Date | IOC DNS recorded first resolved (Relevant to enrichment only). |
ThreatCommand.IOC.DnsRecord.last_resolved | Date | IOC DNS recorded last resolved (Relevant to enrichment only). |
ThreatCommand.IOC.DnsRecord.count | String | IOC DNS record count (Relevant to enrichment only). |
ThreatCommand.IOC.subdomains | String | IOC subdomain (Relevant to enrichment only). |
ThreatCommand.IOC.History.status | String | History statuses (Relevant to enrichment only). |
ThreatCommand.IOC.History.name_servers | String | History name servers (Relevant to enrichment only). |
ThreatCommand.IOC.Current.status | String | Current statuses (Relevant to enrichment only). |
ThreatCommand.IOC.Current.name_servers | String | Current name servers (Relevant to enrichment only). |
ThreatCommand.IOC.Resolution.resolved_ip_address | String | Resolved IP address (Relevant to domain IOC) (Relevant to enrichment only). |
ThreatCommand.IOC.Resolution.resolved_domain | String | Resolved domain (Relevant to IP IOC) (Relevant to enrichment only). |
ThreatCommand.IOC.Resolution.reporting_sources | String | Reporting sources (Relevant to enrichment only). |
ThreatCommand.IOC.RelatedHash.downloaded | String | Download hashes (Relevant to enrichment only). |
ThreatCommand.IOC.RelatedHash.communicating | String | Communicating hashes (Relevant to enrichment only). |
ThreatCommand.IOC.RelatedHashes.referencing | String | Referencing hashes (Relevant to enrichment only). |
ThreatCommand.IOC.antivirus_scan_date | Date | Antivirus scan date (Relevant to enrichment only). |
ThreatCommand.IOC.file_name | String | File name (Relevant to enrichment only). |
ThreatCommand.IOC.file_type | String | File type (Relevant to enrichment only). |
ThreatCommand.IOC.file_author | String | File author (Relevant to enrichment only). |
ThreatCommand.IOC.file_description | String | File description (Relevant to enrichment only). |
ThreatCommand.IOC.file_size | Number | File size (the file size is shown in bytes) (Relevant to enrichment only). |
ThreatCommand.IOC.antivirus_detection_ratio | String | Antivirus detection ratio (Relevant to enrichment only). |
ThreatCommand.IOC.antivirus_detected_engines | String | Antivirus-detected engines (Relevant to enrichment only). |
ThreatCommand.IOC.AntivirusDetection.name | String | Detection name (Relevant to enrichment only). |
ThreatCommand.IOC.AntivirusDetection.version | String | Detection version (Relevant to enrichment only). |
ThreatCommand.IOC.AntivirusDetection.detected | Boolean | Whether the IOC is detected (Relevant to enrichment only). |
ThreatCommand.IOC.AntivirusDetection.result | String | Detection result (Relevant to enrichment only). |
ThreatCommand.IOC.RelatedHash.type | String | Hash type (Relevant to enrichment only). |
ThreatCommand.IOC.RelatedHash.value | String | Hash value (Relevant to enrichment only). |
ThreatCommand.IOC.ip_range | String | IOC IP range (Relevant to enrichment only). |
ThreatCommand.IOC.last_update_date | Date | IOC last update date (Relevant to search mode only). |
ThreatCommand.IOC.geo_location | String | Geo location code (Relevant to search mode only). |
ThreatCommand.IOC.reportedFeeds.id | String | IOC reported feed ID (Relevant to search mode only). |
ThreatCommand.IOC.reportedFeeds.name | String | IOC reported feed name (Relevant to search mode only). |
ThreatCommand.IOC.reportedFeeds.confidence_level | Number | IOC reported feed confidence level (Relevant to search mode only). |
#### Command example

`!threat-command-ioc-search ioc_value=test.com`

#### Context Example

#### Human Readable Output

IOC "test.com"

Value | Type | Status | Is Whitelisted | Score | Severity | Last Update Date |
---|---|---|---|---|---|---|
test.com | Domains | Active | true | 85 | High | 2023-05-04T09:58:10.957Z |
### threat-command-ioc-tags-add

Adds user tags to IOCs. This enables you to classify IOCs and later search for all IOCs with a specific tag. There is no indication of success or failure for this command. The user has to choose a correct and existing IOC.

#### Base Command

`threat-command-ioc-tags-add`

#### Input

Argument Name | Description | Required |
---|---|---|
ioc_value | The IOC value. | Required |
tag_values | Comma-separated list of tags to add (Tag can be any word). For example: "Example Tag","Regional Alert". | Required |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-ioc-tags-add ioc_value=test.com tag_values=test`

#### Human Readable Output

The tags "['test']" successfully added to "test.com" IOC.
### threat-command-account-whitelist-update

You can add an IOC to your user whitelist (even if it is already on the system whitelist). If you change your mind, you can revert that decision and rely again on the system designation using the threat-command-account-whitelist-remove command. When an IOC is whitelisted, it will not be sent to integrated security devices to block. When an IOC is not whitelisted, it will be sent to integrated security devices to block. There is no indication of success or failure for this command. The user has to choose a correct and existing IOC. At least one IOC is required.

#### Base Command

`threat-command-account-whitelist-update`

#### Input

Argument Name | Description | Required |
---|---|---|
is_whitelisted | The whitelist status for the IOCs. Add to the user whitelist: the IOCs will not be passed to integrated devices. Do not whitelist: the IOCs will be passed to integrated devices, even if the IOCs are on the system whitelist. Possible values are: Add to the user whitelist, Do not whitelist. | Required |
domains | Comma-separated list of domain IOC values to apply is_whitelisted to. For example: securitywap.com,test.com. | Optional |
urls | Comma-separated list of URL IOC values to apply is_whitelisted to. For example: "http://securitywap.com/path". | Optional |
ips | Comma-separated list of IP IOC values to apply is_whitelisted to. For example: 8.8.8.8,1.2.3.4. | Optional |
hashes | Comma-separated list of hash IOC values to apply is_whitelisted to. For example: 8100f3d2668f0f61e6c7ea0dfda59458111238dfeeb9bf47d9fa7543abfb6fb7. | Optional |
emails | Comma-separated list of email IOC values to apply is_whitelisted to. For example: test@test.com. | Optional |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-account-whitelist-update is_whitelisted="Add to the user whitelist" domains=test.com`

#### Human Readable Output

The status "Add to the user whitelist" successfully updated to "['test.com']" IOCs in the account whitelist.
### threat-command-account-whitelist-remove

Reverts IOC values to the system-default whitelist status. The ETP Suite automatically whitelists certain IOCs, such as company assets. You can override this designation, or ensure that certain IOCs will not be system whitelisted, using the threat-command-account-whitelist-update command. There is no indication of success or failure for this command. The user has to choose a correct and existing IOC. At least one IOC is required.

#### Base Command

`threat-command-account-whitelist-remove`

#### Input

Argument Name | Description | Required |
---|---|---|
domains | Comma-separated list of domain IOC values to be reverted back to the system whitelist default. For example: securitywap.com,test.com. | Optional |
urls | Comma-separated list of URL IOC values to be reverted back to the system whitelist default. For example: "http://securitywap.com/path". | Optional |
ips | Comma-separated list of IP IOC values to be reverted back to the system whitelist default. For example: 8.8.8.8,1.2.3.4. | Optional |
hashes | Comma-separated list of hash IOC values to be reverted back to the system whitelist default. For example: 8100f3d2668f0f61e6c7ea0dfda59458111238dfeeb9bf47d9fa7543abfb6fb7. | Optional |
emails | Comma-separated list of email IOC values to be reverted back to the system whitelist default. For example: test@test.com. | Optional |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-account-whitelist-remove domains=test.com`

#### Human Readable Output

The IOCs "['test.com']" successfully removed from the account whitelist.
### threat-command-ioc-blocklist-add

Adds an IOC to an internal Remediation Blocklist. By sending the blocklist to security devices, you can block the IOCs. At least one IOC is required.

#### Base Command

`threat-command-ioc-blocklist-add`

#### Input

Argument Name | Description | Required |
---|---|---|
domains | Comma-separated list of domain IOC values to add to the Remediation blocklist. For example: securitywap.com,test.com. | Optional |
urls | Comma-separated list of URL IOC values to add to the Remediation blocklist. For example: "http://securitywap.com/path". | Optional |
ips | Comma-separated list of IP IOC values to add to the Remediation blocklist. For example: 8.8.8.8,1.2.3.4. | Optional |
hashes | Comma-separated list of hash IOC values to add to the Remediation blocklist. For example: 8100f3d2668f0f61e6c7ea0dfda59458111238dfeeb9bf47d9fa7543abfb6fb7. | Optional |
emails | Comma-separated list of email IOC values to add to the Remediation blocklist. For example: test@test.com. | Optional |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-ioc-blocklist-add domains=test.com`

#### Human Readable Output

The IOCs "['test.com']" successfully added to the remediation blocklist.
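The ThreatCommand.IOC.status description under threat-command-ioc-search gives the per-type window after which an IOC is considered Retired, and threat-command-ioc-blocklist-add takes its values grouped into the domains, urls, ips, hashes and emails arguments. The Python below is an added example, not the integration's own code: it applies that window to search results, skips whitelisted and retired entries, and assembles the blocklist-add arguments. The IOC records are constructed, and a month is taken as 30 days and a year as 365 days (assumptions of this example).

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Active window per ThreatCommand.IOC.type, from the status description:
# domain 3 months, email 2 months, file hash 1 year, IP 2 weeks, URL 2 months.
# 30-day months and a 365-day year are assumptions of this example.
ACTIVE_WINDOW = {
    "Domains": timedelta(days=90),
    "Emails": timedelta(days=60),
    "Hashes": timedelta(days=365),
    "Ip Addresses": timedelta(days=14),
    "Urls": timedelta(days=60),
}

# ThreatCommand.IOC.type value -> argument name of threat-command-ioc-blocklist-add.
BLOCKLIST_ARG = {
    "Domains": "domains",
    "Urls": "urls",
    "Ip Addresses": "ips",
    "Hashes": "hashes",
    "Emails": "emails",
}


def parse_ts(value: str) -> datetime:
    """Parse the ISO 8601 timestamps the integration emits (trailing Z or offset)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def expected_status(ioc_type: str, last_seen: str, now: datetime) -> str:
    """Derive Active/Retired from last_seen using the per-type windows above."""
    window = ACTIVE_WINDOW.get(ioc_type)
    if window is None:
        raise ValueError(f"unknown IOC type: {ioc_type}")
    return "Active" if now - parse_ts(last_seen) <= window else "Retired"


def build_blocklist_args(records: List[dict], now: datetime) -> Dict[str, str]:
    """Turn ThreatCommand.IOC records into threat-command-ioc-blocklist-add arguments.

    Whitelisted IOCs are skipped (the platform does not push them to devices), and
    so are IOCs whose last_seen is outside the active window even if the record
    still reports Active. Remaining values are grouped by type into the
    comma-separated arguments the command expects.
    """
    grouped: Dict[str, List[str]] = {}
    for rec in records:
        if rec.get("is_whitelisted"):
            continue
        if expected_status(rec["type"], rec["last_seen"], now) != "Active":
            continue
        grouped.setdefault(BLOCKLIST_ARG[rec["type"]], []).append(rec["value"])
    return {arg: ",".join(values) for arg, values in grouped.items()}


def to_command_line(args: Dict[str, str]) -> str:
    """Render the arguments as a War Room command line, values quoted, keys sorted."""
    parts = [f'{key}="{value}"' for key, value in sorted(args.items())]
    return "!threat-command-ioc-blocklist-add " + " ".join(parts)


# Constructed sample records in the shape of ThreatCommand.IOC search output.
SAMPLE_RECORDS = [
    {"value": "test.com", "type": "Domains", "status": "Active",
     "is_whitelisted": True, "last_seen": "2023-05-01T00:00:00.000Z"},
    {"value": "example.invalid", "type": "Domains", "status": "Active",
     "is_whitelisted": False, "last_seen": "2023-04-01T00:00:00.000Z"},
    {"value": "192.0.2.10", "type": "Ip Addresses", "status": "Active",
     "is_whitelisted": False, "last_seen": "2023-04-01T00:00:00.000Z"},  # stale IP
    {"value": "192.0.2.11", "type": "Ip Addresses", "status": "Active",
     "is_whitelisted": False, "last_seen": "2023-05-03T00:00:00.000Z"},
    {"value": "8100f3d2668f0f61e6c7ea0dfda59458111238dfeeb9bf47d9fa7543abfb6fb7",
     "type": "Hashes", "status": "Active",
     "is_whitelisted": False, "last_seen": "2022-06-01T00:00:00.000Z"},
]

# Reference "now" taken from the Last Update Date shown in the search example.
NOW = parse_ts("2023-05-04T09:58:10.957Z")

if __name__ == "__main__":
    print(to_command_line(build_blocklist_args(SAMPLE_RECORDS, NOW)))
```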
### threat-command-ioc-blocklist-remove

Removes IOC values from the Remediation blocklist. There is no indication of success or failure for this command. The user has to choose a correct and existing IOC. At least one IOC is required.

#### Base Command

`threat-command-ioc-blocklist-remove`

#### Input

Argument Name | Description | Required |
---|---|---|
domains | Comma-separated list of domain IOC values to remove from the Remediation blocklist. For example: securitywap.com,test.com. | Optional |
urls | Comma-separated list of URL IOC values to remove from the Remediation blocklist. For example: "http://securitywap.com/path". | Optional |
ips | Comma-separated list of IP IOC values to remove from the Remediation blocklist. For example: 8.8.8.8,1.2.3.4. | Optional |
hashes | Comma-separated list of hash IOC values to remove from the Remediation blocklist. For example: 8100f3d2668f0f61e6c7ea0dfda59458111238dfeeb9bf47d9fa7543abfb6fb7. | Optional |
emails | Comma-separated list of email IOC values to remove from the Remediation blocklist. For example: test@test.com. | Optional |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-ioc-blocklist-remove domains=test.com`

#### Human Readable Output

The IOCs "['test.com']" successfully removed from the remediation blocklist.
### threat-command-ioc-severity-update

Changes the severity of existing IOCs for the requester account (overrides the system severity). At least one IOC is required.

#### Base Command

`threat-command-ioc-severity-update`

#### Input

Argument Name | Description | Required |
---|---|---|
severity | The severity of the IOCs. Possible values are: High, Medium, Low. | Required |
domains | Comma-separated list of domain IOC values to update the severity. For example: securitywap.com,test.com. | Optional |
urls | Comma-separated list of URL IOC values to update the severity. For example: "http://securitywap.com/path". | Optional |
ips | Comma-separated list of IP IOC values to update the severity. For example: 8.8.8.8,1.2.3.4. | Optional |
hashes | Comma-separated list of hash IOC values to update the severity. For example: 8100f3d2668f0f61e6c7ea0dfda59458111238dfeeb9bf47d9fa7543abfb6fb7. | Optional |
emails | Comma-separated list of email IOC values to update the severity. For example: test@test.com. | Optional |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-ioc-severity-update severity=High domains=test.com`

#### Human Readable Output

The severity "High" successfully updated to "['test.com']" IOCs.
### threat-command-ioc-comment-add

Adds comments to IOCs. At least one IOC is required.

#### Base Command

`threat-command-ioc-comment-add`

#### Input

Argument Name | Description | Required |
---|---|---|
comment | The comment to add. | Required |
domains | Comma-separated list of domain IOC values to add the comment to. For example: securitywap.com,test.com. | Optional |
urls | Comma-separated list of URL IOC values to add the comment to. For example: "http://securitywap.com/path". | Optional |
ips | Comma-separated list of IP IOC values to add the comment to. For example: 8.8.8.8,1.2.3.4. | Optional |
hashes | Comma-separated list of hash IOC values to add the comment to. For example: 8100f3d2668f0f61e6c7ea0dfda59458111238dfeeb9bf47d9fa7543abfb6fb7. | Optional |
emails | Comma-separated list of email IOC values to add the comment to. For example: test@test.com. | Optional |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-ioc-comment-add comment=test domains=test.com`

#### Human Readable Output

The comment "test" successfully updated to "['test.com']" IOCs.
### threat-command-enrichment-quota-usage

Gets the current API enrichment credits ("quota") usage for the requester account.

#### Base Command

`threat-command-enrichment-quota-usage`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-enrichment-quota-usage`

#### Context Example

#### Human Readable Output

Current API enrichment credits (quota).

Time Period | Total | Remaining |
---|---|---|
2023-05-04 | 50 | 43 |
### threat-command-alert-list

Get a list of alerts with all details.

#### Base Command

`threat-command-alert-list`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Optional |
page | The page number of the results to retrieve (1-based). Default is 1. | Optional |
page_size | The number of objects per page. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
retrieve_ids_only | Retrieve alert IDs only. Set to true to get a list of alert IDs, or false to get the alerts with their complete details. Possible values are: true, false. | Optional |
last_updated_from | Start date to fetch from. For example: 2022-12-25T08:38:06Z. Default is 1970-01-01T00:00:00.000Z. | Optional |
alert_type | Alert's type. Possible values are: Attack Indication, Data Leakage, Phishing, Brand Security, Exploitable Data, vip. | Optional |
severity | Comma-separated list of alert severities. For example: High,Medium. Possible values are: High, Medium, Low. | Optional |
source_type | Comma-separated list of alert source types. For example: Others,Markets. Possible values are: Application Stores, Black Markets, Hacking Forums, Social Media, Paste Sites, Others. | Optional |
network_type | Comma-separated list of alert network types. For example: Clear Web,Dark Web. Possible values are: Clear Web, Dark Web. | Optional |
matched_asset_value | Comma-separated list of alert matched assets. | Optional |
last_updated_to | End date to fetch to. For example: 2022-12-25T08:38:06Z. | Optional |
source_date_from | Start date to fetch from. For example: 2022-12-25T08:38:06Z. | Optional |
source_date_to | End date to fetch to. For example: 2022-12-25T08:38:06Z. | Optional |
found_date_from | Start date to fetch from. For example: 2022-12-25T08:38:06Z. | Optional |
found_date_to | End date to fetch to. For example: 2022-12-25T08:38:06Z. | Optional |
assigned | Show assigned/unassigned alerts. Possible values are: true, false. | Optional |
is_flagged | Show flagged/unflagged alerts. Possible values are: true, false. | Optional |
is_closed | Show closed/open alerts. Possible values are: true, false. | Optional |
has_ioc | Show alerts with IOC results. Possible values are: true, false. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Alert.id | String | Alert ID. |
ThreatCommand.Alert.assets.type | Date | Asset type. |
ThreatCommand.Alert.assets.value | String | Asset value. |
ThreatCommand.Alert.assignees | String | Assignees list. |
ThreatCommand.Alert.type | String | Alert type list. |
ThreatCommand.Alert.sub_type | String | Alert sub type. |
ThreatCommand.Alert.title | String | Alert title. |
ThreatCommand.Alert.description | String | Alert description. |
ThreatCommand.Alert.severity | String | Alert severity. |
ThreatCommand.Alert.images | String | Alert images list. |
ThreatCommand.Alert.source_type | String | Alert source type. |
ThreatCommand.Alert.source_url | String | Alert URL source. |
ThreatCommand.Alert.source_email | String | Alert email source. |
ThreatCommand.Alert.source_network_type | String | Alert network type. |
ThreatCommand.Alert.source_date | Date | Alert date. |
ThreatCommand.Alert.Tags.created_by | String | Alert tag creator. |
ThreatCommand.Alert.Tags.name | String | Alert tag name. |
ThreatCommand.Alert.Tags.id | String | Alert tag ID. |
ThreatCommand.Alert.related_iocs | String | Alert related IOC list. |
ThreatCommand.Alert.found_date | String | Alert found date. |
ThreatCommand.Alert.update_date | String | Alert update date. |
ThreatCommand.Alert.takedown_status | String | Alert remediation status. |
ThreatCommand.Alert.is_closed | Boolean | Whether the alert is closed. |
ThreatCommand.Alert.is_flagged | Boolean | Whether the alert is flagged. |
ThreatCommand.Alert.related_threat_ids | String | Alert-related threat IDs. |
#### Command example

`!threat-command-alert-list limit=1`

#### Context Example

#### Human Readable Output

Alert list

Id | Type | Sub Type | Title | Description | Severity | Found Date | Is Closed |
---|---|---|---|---|---|---|---|
641b19b45d60c905560fc484 | AttackIndication | VulnerabilityInTechnologyInUse | sdfsdf | Asfsdfiption | Low | 2018-01-01T00:00:00.000Z | false |
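The `page`, `page_size` and filter arguments above are what a scheduled XSOAR automation would use to walk all open alerts rather than relying on a single `limit`-capped call. The following is an added example, not code from the integration or from Rapid7: it pages through `threat-command-alert-list` until a short page is returned and builds a small triage summary from the `ThreatCommand.Alert` context documented above. It assumes that `run` has the signature of `demisto.executeCommand(command, args)` and returns XSOAR entries whose `EntryContext` holds the alerts under a key starting with `ThreatCommand.Alert` (the `(val.id == obj.id)` suffix is the usual XSOAR form), and that entry `Type` 4 is XSOAR's error entry. `FakeThreatCommand` is a constructed stand-in with made-up alerts so the code runs offline; inside XSOAR you would pass `demisto.executeCommand` instead.

```python
"""Page through threat-command-alert-list from an XSOAR automation (added example)."""
from typing import Any, Callable, Dict, Iterator, List

Entry = Dict[str, Any]
Executor = Callable[[str, Dict[str, Any]], List[Entry]]

ERROR_ENTRY_TYPE = 4  # XSOAR EntryType.ERROR (assumption documented in the lead-in)


def alerts_from_entries(entries: List[Entry]) -> List[Dict[str, Any]]:
    """Collect ThreatCommand.Alert objects from the entries a command call returned."""
    alerts: List[Dict[str, Any]] = []
    for entry in entries:
        if entry.get("Type") == ERROR_ENTRY_TYPE:
            raise RuntimeError(f"threat-command-alert-list failed: {entry.get('Contents')}")
        for key, value in (entry.get("EntryContext") or {}).items():
            # Strip a "(val.id == obj.id)" style suffix before comparing the context path.
            if key.split("(", 1)[0] == "ThreatCommand.Alert":
                alerts.extend(value if isinstance(value, list) else [value])
    return alerts


def iter_alerts(run: Executor, page_size: int = 50, **filters: str) -> Iterator[Dict[str, Any]]:
    """Yield alerts page by page using the command's page/page_size arguments.

    Filters (severity, is_closed, last_updated_from, ...) are passed straight through,
    so the server does the filtering. The loop stops on an empty or short page.
    """
    page = 1
    while True:
        args = {"page": str(page), "page_size": str(page_size), **filters}
        alerts = alerts_from_entries(run("threat-command-alert-list", args))
        yield from alerts
        if len(alerts) < page_size:
            return
        page += 1


def summarize_open_alerts(run: Executor, since: str, page_size: int = 50) -> Dict[str, Any]:
    """Triage view of open alerts updated since `since` (ISO 8601, as the command expects)."""
    by_severity: Dict[str, int] = {}
    ids: List[str] = []
    iocs: List[str] = []
    for alert in iter_alerts(run, page_size=page_size, is_closed="false", last_updated_from=since):
        ids.append(alert["id"])
        severity = alert.get("severity", "Unknown")
        by_severity[severity] = by_severity.get(severity, 0) + 1
        iocs.extend(alert.get("related_iocs") or [])
    return {"total": len(ids), "ids": ids, "by_severity": by_severity, "iocs": sorted(set(iocs))}


class FakeThreatCommand:
    """Constructed stand-in for demisto.executeCommand; the alerts below are made up."""

    ALERTS = [
        {"id": "alert-1", "type": "Phishing", "severity": "High", "related_iocs": ["phish.example"], "is_closed": False},
        {"id": "alert-2", "type": "Data Leakage", "severity": "High", "related_iocs": [], "is_closed": False},
        {"id": "alert-3", "type": "Brand Security", "severity": "Low", "related_iocs": ["203.0.113.7"], "is_closed": False},
    ]

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []  # every (command, args) pair seen, for inspection

    def __call__(self, command: str, args: Dict[str, Any]) -> List[Entry]:
        self.calls.append({"command": command, "args": args})
        page, size = int(args["page"]), int(args["page_size"])
        chunk = self.ALERTS[(page - 1) * size : page * size]
        return [{"Type": 1, "Contents": chunk, "EntryContext": {"ThreatCommand.Alert(val.id == obj.id)": chunk}}]


if __name__ == "__main__":
    fake = FakeThreatCommand()
    print(summarize_open_alerts(fake, since="2023-01-01T00:00:00Z", page_size=2))
    print(f"{len(fake.calls)} calls to threat-command-alert-list")
```

With a page size of 2 the fake serves three alerts over two calls; the second page is short, which ends the loop without a third request. An error entry is raised as an exception rather than silently producing an empty page, so a failing call cannot be mistaken for "no alerts".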
### threat-command-alert-takedown-request

Send a takedown request for the selected alert (request that Threat Command contact the host to request a takedown of a malicious domain, website, or mobile application).

#### Base Command

`threat-command-alert-takedown-request`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
target | Takedown target. Available for phishing scenarios only. If you have evidence of malicious activity associated with this domain, select Domain. Possible values are: Domain, Website. Default is Domain. | Optional |
close_alert_after_success | Whether to close the alert after successful remediation. Possible values are: true, false. | Optional |
#### Context Output

There is no context output for this command.

### threat-command-alert-takedown-request-status-get

Get the alert's takedown status.

#### Base Command

`threat-command-alert-takedown-request-status-get`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Alert.takedown_status | String | Alert's takedown status. |
#### Command example

`!threat-command-alert-takedown-request-status-get alert_id=1234`

#### Context Example

#### Human Readable Output

Takedown status for alert "1234".

| Takedown Status |
| --- |
| "NotSent" |

### threat-command-alert-create

Create a new alert. You must provide either scenario, or both type and sub_type.

#### Base Command

`threat-command-alert-create`

#### Input

Argument Name | Description | Required |
---|---|---|
found_date | Alert's found date. For example: 2022-12-25T08:38:06Z. The default value is the current time. | Optional |
title | Alert's title. | Required |
description | Alert's description. | Required |
type | Alert's type (dependencies - use threat-command-alert-type-list command to get all the alert types). Required when scenario is not provided. Possible values are: Attack Indication, Data Leakage, Phishing, Brand Security, Exploitable Data, vip. | Optional |
sub_type | Alert subtype (dependencies - use threat-command-alert-type-list command to get all the alert subtypes). Required when scenario is not provided. | Optional |
severity | Alert's severity. Possible values are: High, Medium, Low. | Required |
source_type | Alert source type (dependencies - use threat-command-alert-source-type-list command to get all the alert source types). | Required |
source_network_type | Source network type. Possible values are: Clear Web, Dark Web. | Required |
source_url | The source URL of the alert. | Optional |
source_date | Alert's source date. For example: 2022-12-25T08:38:06Z. | Optional |
image_entry_ids | Comma-separated list of image entry IDs to attach to the alert. Allowed image types: gif, jpeg. | Optional |
scenario | If provided, the related values override any type and sub_type parameters (dependencies - use the threat-command-alert-scenario-list command to get all the alert scenarios). | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Alert.id | String | Alert ID. |
#### Command example

`!threat-command-alert-create title="test" description="test" severity="Low" source_type="Application Store" source_network_type="Clear Web" source_url="test.com" scenario="ACompanyEmailAddressReportedAsMalicious"`

#### Context Example

#### Human Readable Output

Alert successfully created

| Id |
| --- |
| 64538b71ba5d3f7a8fb27ddc |

### threat-command-alert-close

Close alert.

#### Base Command

`threat-command-alert-close`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
reason | Alert's closed reason. Possible values are: Problem Solved, Informational Only, Problem We Are Already Aware Of, Company Owned Domain, Legitimate Application/Profile, Not Related To My Company, False Positive, Other. | Required |
comment | Alert's comments. | Optional |
is_hidden | Alert's hidden status (deletes the alert from the account instance; applies only when reason is False Positive). Possible values are: true, false. | Optional |
rate | Alert's rate. Rate range: 0-5 (the range is not officially documented). Possible values are: 0, 1, 2, 3, 4, 5. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Alert.id | String | Alert ID. |
ThreatCommand.Alert.is_closed | String | Whether the alert is closed. |
#### Command example

`!threat-command-alert-close alert_id=1234 reason=Other`

#### Context Example

#### Human Readable Output

Alert "1234" successfully closed

Id | Is Closed |
---|---|
1234 | true |

### threat-command-alert-severity-update

Change the alert's severity. Changing the severity level of alerts can help to prioritize alert management.

#### Base Command

`threat-command-alert-severity-update`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
severity | The desired severity. Possible values are: High, Medium, Low. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Alert.id | String | Alert ID. |
ThreatCommand.Alert.severity | String | Alert severity. |
#### Command example

`!threat-command-alert-severity-update alert_id=1234 severity=Medium`

#### Context Example

#### Human Readable Output

Alert "1234" severity successfully updated to "Medium".

Id | Severity |
---|---|
1234 | Medium |

### threat-command-alert-blocklist-get

Get alert's blocklist status.

#### Base Command

`threat-command-alert-blocklist-get`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Alert.id | String | Alert ID. |
ThreatCommand.Alert.BlockList.value | String | Alert blocklist value. |
ThreatCommand.Alert.BlockList.status | String | Alert blocklist status. |
#### Command example

`!threat-command-alert-blocklist-get alert_id=1234`

#### Context Example

#### Human Readable Output

Blocklist for alert "1234".

No entries.

### threat-command-alert-blocklist-update

Change the blocklist status of selected IOCs.

#### Base Command

`threat-command-alert-blocklist-update`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
domains | Comma-separated list of domain IOC values to add. For example: securitywap.com,test.com. | Optional |
urls | Comma-separated list of URL IOC values to add. For example: "http://securitywap.com/path". | Optional |
ips | Comma-separated list of IP IOC values to add. For example: 8.8.8.8,1.2.3.4. | Optional |
emails | Comma-separated list of email IOC values to add. For example: test@test.com. | Optional |
blocklist_status | Blocklist status. Possible values are: Sent, Not Sent. | Required |
#### Context Output

There is no context output for this command.

### threat-command-alert-ioc-report

Report IOCs to external sources (report the URLs and domains that are included in an alert to external sources; this can warn others of the potential danger of those IOCs).

#### Base Command

`threat-command-alert-ioc-report`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
external_sources | Comma-separated list of the desired source names (dependencies - use threat-command-source-ioc-get to get all the source names). For example: GoogleWebRisk,PhishTank. Since different sources accept different types of IOCs, select only sources that accept the alert's IOCs. | Required |
#### Context Output

There is no context output for this command.

### threat-command-alert-assign

Assign an alert to other ETP Suite users. When an alert is assigned, the assignee receives a notification.

#### Base Command

`threat-command-alert-assign`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
user_id | Assigned user ID (dependencies - use threat-command-mssp-user-list or threat-command-account-user-list to get user IDs). | Required |
is_mssp | If the assigned user is an MSSP user or not. Possible values are: true, false. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Alert.id | String | Alert ID. |
ThreatCommand.Alert.assignees | String | Assignees list. |
#### Command example

`!threat-command-alert-assign alert_id=1234 user_id=1234`

#### Context Example

#### Human Readable Output

Alert "1234" successfully assign to user "631ef479b675f72ec9309785".

Id | Assignees |
---|---|
1234 | 1234 |

### threat-command-alert-unassign

Unassign an alert from all users.

#### Base Command

`threat-command-alert-unassign`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Alert.id | String | Alert ID. |
ThreatCommand.Alert.assignees | String | Assignees list. |
#### Command example

`!threat-command-alert-unassign alert_id=1234`

#### Context Example

#### Human Readable Output

Alert '1234' successfully unassigned from any user.

| Id |
| --- |
| 1234 |

### threat-command-alert-reopen

Reopen alert.

#### Base Command

`threat-command-alert-reopen`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-alert-reopen alert_id=1234`

#### Human Readable Output

Alert "1234" successfully re-opened.

### threat-command-alert-tag-add

Adds a tag to an alert. This enables you to classify alerts and later search for all alerts with a specific tag.

#### Base Command

`threat-command-alert-tag-add`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
tag_name | The new tag string. | Required |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-alert-tag-add alert_id=1234 tag_name=test`

#### Human Readable Output

The tag "test" successfully added to "1234" Alert.

### threat-command-alert-tag-remove

Removes a tag from the alert.

#### Base Command

`threat-command-alert-tag-remove`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
tag_id | Tag's unique ID to remove (dependencies - use threat-command-alert-list command to get all the tag IDs). | Required |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-alert-tag-remove alert_id=6432e3aa6ff61aae819dc46b tag_id=1234`

#### Human Readable Output

The tag "6453871c0d771fdc938f18d5" successfully removed from "6432e3aa6ff61aae819dc46b" Alert.

### threat-command-alert-send-mail

Send mail with the alert details and a question.

#### Base Command

`threat-command-alert-send-mail`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
email_addresses | Comma-separated list of destination email addresses. | Required |
content | Content added to the alert details. | Required |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-alert-send-mail alert_id=6432e3aa6ff61aae819dc46b email_addresses=test@test.com content=test`

#### Human Readable Output

The alert "6432e3aa6ff61aae819dc46b" successfully send to "['test@test.com']".

### threat-command-alert-analyst-ask

Send a question to an analyst about the requested alert. Questions can revolve around an alert explanation, a request for more context, recommended remediation steps, or requests for threat actor engagement. To retrieve the conversation with the analyst, use the threat-command-alert-analyst-conversation-list command.

#### Base Command

`threat-command-alert-analyst-ask`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
question | Question added to the alert details. | Required |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-alert-analyst-ask alert_id=1234 question=test`

#### Human Readable Output

The alert "1234" successfully sent to the analyst.

### threat-command-alert-analyst-conversation-list

Get the alert's analyst conversation.

#### Base Command

`threat-command-alert-analyst-conversation-list`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Alert.id | String | Alert ID. |
ThreatCommand.Alert.Message.date | String | Response date. |
ThreatCommand.Alert.Message.initiator | String | Response initiator. |
ThreatCommand.Alert.Message.message | String | Response message. |
#### Command example

`!threat-command-alert-analyst-conversation-list alert_id=1234`

#### Context Example

#### Human Readable Output

Alert conversation with analyst:

Initiator | Message | Date |
---|---|---|
test@test.com | Hello | 2023-04-03T15:02:34.641Z |
Intsights | Hi | 2023-04-03T15:40:56.195Z |
test@test.com | thank you | 2023-04-03T18:29:41.169Z |

### threat-command-alert-activity-log-get

Get alert activity log.

#### Base Command

`threat-command-alert-activity-log-get`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Alert.ActivityLog.rate | Number | Alert rate. |
ThreatCommand.Alert.ActivityLog.type | String | Alert type. |
ThreatCommand.Alert.ActivityLog.sub_types | String | Alert subtypes. |
ThreatCommand.Alert.ActivityLog.initiator | String | Alert initiator. |
ThreatCommand.Alert.ActivityLog.created_date | Date | Alert created date. |
ThreatCommand.Alert.ActivityLog.update_date | Date | Alert update date. |
ThreatCommand.Alert.ActivityLog.read_by | String | Alert read by. |
ThreatCommand.Alert.ActivityLog.id | String | Alert created ID. |
ThreatCommand.Alert.ActivityLog.tag_names | String | Alert tag names. |
ThreatCommand.Alert.ActivityLog.tag_ids | String | Alert tag IDs. |
ThreatCommand.Alert.ActivityLog.Mail.note_id | String | Alert note ID. |
ThreatCommand.Alert.ActivityLog.Mail.question | String | Alert mail question. |
ThreatCommand.Alert.ActivityLog.Mail.Replies.email | String | Alert mail reply email. |
ThreatCommand.Alert.ActivityLog.Mail.Replies.token | String | Alert mail reply token. |
ThreatCommand.Alert.ActivityLog.Mail.Replies.date | Date | Alert mail reply date. |
ThreatCommand.Alert.ActivityLog.Mail.Replies.read_by | String | Alert mail read by. |
ThreatCommand.Alert.ActivityLog.Mail.Replies.is_token_valid | Boolean | Alert mail reply is token valid. |
ThreatCommand.Alert.ActivityLog.Messages.initiator_id | String | Message initiator ID. |
ThreatCommand.Alert.ActivityLog.Messages.initiator_is_support | Boolean | Whether the message initiator is a support (analyst) user. |
ThreatCommand.Alert.ActivityLog.Messages.date | Date | Alert message date. |
ThreatCommand.Alert.ActivityLog.Messages.content | String | Alert message content. |
#### Command example

`!threat-command-alert-activity-log-get alert_id=1234`

#### Context Example

#### Human Readable Output

Alert "1234" activity log

Id | Type | Update Date | Sub Types | Initiator |
---|---|---|---|---|
641cbc73bade6cc1ed3a1a25 | PolicyRule | 2023-03-23T20:54:11.730Z | PolicyClose, PolicyTag | 59490cd818a3b902664b4ed7 |
642054d68d62709fc5a6ae9b | AlertRead | 2023-03-26T14:21:10.178Z | | 631ef479b675f72ec9309785 |
6421421b21f4e115ecc8c931 | AlertReopened | 2023-03-27T07:13:31.321Z | | 631ef479b675f72ec9309785 |
64214d318d62709fc5a99219 | AlertRead | 2023-03-27T08:00:49.244Z | | 64214c014c75609d09ebb767 |
6421980221f4e115ecca9660 | RemoveTag | 2023-03-27T13:20:02.865Z | | 631ef479b675f72ec9309785 |
6422c9db1b2080e62a5f60a0 | AlertRead | 2023-03-28T11:04:59.497Z | | 64214bc94c75609d09ebb56a |
6422c9de071e6ceab7106a04 | AddTag | 2023-03-28T11:05:02.300Z | | 64214bc94c75609d09ebb56a |
6422d3df28c6b34a7004b43d | AddTag | 2023-03-28T11:47:43.170Z | | 631ef479b675f72ec9309785 |
6425be860112b8035eedef2b | ChangedSeverity | 2023-03-30T16:53:26.193Z | | 631ef479b675f72ec9309785 |
642ade5b841e1c963048d9fe | Assign | 2023-04-03T14:10:35.277Z | | 631ef479b675f72ec9309785 |
642adea264ed2f6ce85abf13 | Assign | 2023-04-03T14:11:46.331Z | | 631ef479b675f72ec9309785 |
642adea664ed2f6ce85abf8c | Assign | 2023-04-03T14:11:50.358Z | | 631ef479b675f72ec9309785 |
642adeab841e1c963048dba1 | Assign | 2023-04-03T14:11:55.831Z | | 631ef479b675f72ec9309785 |
642aea8ababb12ffd004d60e | AskTheAnalystRequest | 2023-05-04T10:11:58.270Z | | 631ef479b675f72ec9309785 |
642aea8ababb12ffd004d610 | AskTheAnalystQuestion | 2023-04-03T15:02:34.795Z | | 631ef479b675f72ec9309785 |
642af388ffcc326df6ba58da | AskTheAnalystAnswer | 2023-04-03T15:40:56.199Z | | System |
642b1b1549600a740c70b1c7 | AskTheAnalystQuestion | 2023-04-03T18:29:41.326Z | | 631ef479b675f72ec9309785 |
642b23c3128075fc8c55ad23 | AskTheAnalystAnswer | 2023-04-03T19:06:43.557Z | | System |
642bfc42841e1c96304dd178 | AskTheAnalystQuestion | 2023-04-04T10:30:26.005Z | | 631ef479b675f72ec9309785 |
642c2d54128075fc8c564fdb | AskTheAnalystAnswer | 2023-04-04T13:59:48.026Z | | System |
645384909b3179c05ca2ad41 | AlertClosed | 2023-05-04T10:10:24.478Z | | API |
645384999b3179c05ca2adf6 | ChangedSeverity | 2023-05-04T10:10:33.304Z | | API |
645384bbd3e54df9a593372b | Assign | 2023-05-04T10:11:07.781Z | | API |
645384c4d3e54df9a59338b4 | Unassign | 2023-05-04T10:11:16.487Z | | API |
645384cd08e4bc1e2948ec09 | AlertReopened | 2023-05-04T10:11:25.161Z | | API |
645384d511ba24a35d0ab861 | AddTag | 2023-05-04T10:11:33.638Z | | API |
645384ee6a6f7be836b95c00 | AskTheAnalystQuestion | 2023-05-04T10:11:58.271Z | | API |
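The activity log is the audit trail for an alert: it records who closed, reopened, re-rated or reassigned it, including actions taken through the API. The following is an added example, not code from the integration or from Rapid7, that turns the `ThreatCommand.Alert.ActivityLog` entries documented above into an audit summary: events per type and per initiator, close/reopen cycles, and state changes made by the `API` initiator. `SAMPLE_LOG` is a constructed subset modelled on the rows in the example output above (same field names; `sub_types` as a list), and treating `AlertClosed`, or `PolicyRule` with the `PolicyClose` sub type, as a close event is an assumption drawn from that output.

```python
"""Audit an alert's activity log from threat-command-alert-activity-log-get (added example)."""
from collections import Counter
from typing import Any, Dict, List

# Constructed subset modelled on the page's example output; not live data.
SAMPLE_LOG: List[Dict[str, Any]] = [
    {"id": "641cbc73bade6cc1ed3a1a25", "type": "PolicyRule", "update_date": "2023-03-23T20:54:11.730Z",
     "sub_types": ["PolicyClose", "PolicyTag"], "initiator": "59490cd818a3b902664b4ed7"},
    {"id": "6421421b21f4e115ecc8c931", "type": "AlertReopened", "update_date": "2023-03-27T07:13:31.321Z",
     "sub_types": [], "initiator": "631ef479b675f72ec9309785"},
    {"id": "6425be860112b8035eedef2b", "type": "ChangedSeverity", "update_date": "2023-03-30T16:53:26.193Z",
     "sub_types": [], "initiator": "631ef479b675f72ec9309785"},
    {"id": "642ade5b841e1c963048d9fe", "type": "Assign", "update_date": "2023-04-03T14:10:35.277Z",
     "sub_types": [], "initiator": "631ef479b675f72ec9309785"},
    {"id": "645384909b3179c05ca2ad41", "type": "AlertClosed", "update_date": "2023-05-04T10:10:24.478Z",
     "sub_types": [], "initiator": "API"},
    {"id": "645384999b3179c05ca2adf6", "type": "ChangedSeverity", "update_date": "2023-05-04T10:10:33.304Z",
     "sub_types": [], "initiator": "API"},
    {"id": "645384cd08e4bc1e2948ec09", "type": "AlertReopened", "update_date": "2023-05-04T10:11:25.161Z",
     "sub_types": [], "initiator": "API"},
]

# Event types that change the alert's handling state (assumption based on the example output).
STATE_CHANGES = {"AlertClosed", "AlertReopened", "ChangedSeverity", "Assign", "Unassign"}


def is_close_event(entry: Dict[str, Any]) -> bool:
    """A manual close, or a policy rule whose sub types include PolicyClose."""
    if entry["type"] == "AlertClosed":
        return True
    return entry["type"] == "PolicyRule" and "PolicyClose" in (entry.get("sub_types") or [])


def audit_activity_log(entries: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Summarize who did what to the alert and whether it was closed and reopened."""
    # update_date values are ISO 8601 UTC strings of equal shape, so string order is time order.
    ordered = sorted(entries, key=lambda e: e["update_date"])
    reopen_cycles: List[Dict[str, str]] = []
    last_close: Dict[str, Any] = {}
    for entry in ordered:
        if is_close_event(entry):
            last_close = entry
        elif entry["type"] == "AlertReopened" and last_close:
            reopen_cycles.append({
                "closed_by": last_close["initiator"], "closed_at": last_close["update_date"],
                "reopened_by": entry["initiator"], "reopened_at": entry["update_date"],
            })
            last_close = {}
    return {
        "events_by_type": dict(Counter(e["type"] for e in ordered)),
        "events_by_initiator": dict(Counter(e["initiator"] for e in ordered)),
        "reopen_cycles": reopen_cycles,
        "api_state_changes": [e["type"] for e in ordered
                              if e["initiator"] == "API" and e["type"] in STATE_CHANGES],
        "still_closed": bool(last_close),
    }


if __name__ == "__main__":
    for key, value in audit_activity_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample the summary shows two close/reopen cycles (one closed by a policy rule and reopened by a user, one closed and reopened through the API within a minute) and three state changes attributed to `API`; a run of such API-driven changes on an alert nobody is assigned to is a useful signal that a playbook, not an analyst, is driving the alert's lifecycle.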
### threat-command-alert-csv-get

Get the alert's CSV file in case of credentials leakage or leaked credit card alerts.

#### Base Command

`threat-command-alert-csv-get`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.CSV.alert_id | String | Alert ID. |
ThreatCommand.CSV.content | Unknown | Content of CSV file. |
InfoFile.EntryID | string | The EntryID of the CSV file. |
InfoFile.Extension | string | The extension of the CSV file. |
InfoFile.Name | string | The name of the CSV file. |
InfoFile.Info | string | The info of the CSV file. |
InfoFile.Size | number | The size of the CSV file. |
InfoFile.Type | string | The type of the CSV file. |
#### Command example

`!threat-command-alert-csv-get alert_id=1234`

#### Context Example

#### Human Readable Output

Alert "1234" CSV file.

### threat-command-alert-note-add

Add a note to the alert. You can add notes, as text or uploaded files, to an alert that can be seen by internal users. Each note is accompanied by the name of the note creator. Other users can reply to notes. Alert notes remain with the alert, even after it is closed or otherwise remediated.

#### Base Command

`threat-command-alert-note-add`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
note | Desired note. | Required |
entry_ids | Comma-separated list of file entry IDs. Allowed types: pdf,csv,doc,docx,png,txt,jpeg,jpg. | Optional |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-alert-note-add alert_id=1234 note=test`

#### Human Readable Output

Note successfully add to alert "1234".

### threat-command-alert-image-list

List alert images by ID.

#### Base Command

`threat-command-alert-image-list`

#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert's unique ID (dependencies - use threat-command-alert-list command to get all the alert IDs). | Required |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-alert-image-list alert_id=1234`

#### Human Readable Output

Alert "1234" does not contain images.

### threat-command-cve-list

Get the account's CVE list.

#### Base Command

`threat-command-cve-list`

#### Input

Argument Name | Description | Required |
---|---|---|
limit | The maximum number of records to retrieve. Default is 50. | Optional |
offset | This field is used for pagination. Each request is limited to 1000 results. To get the next page, send the returned "nextOffset" parameter back to the server as "offset". | Optional |
publish_date_from | CVE's publish date minimum value. For example: 2022-12-25T08:38:06Z. | Optional |
publish_date_to | CVE's publish date maximum value. For example: 2022-12-25T08:38:06Z. | Optional |
update_date_from | CVE's update date minimum value. For example: 2022-12-25T08:38:06Z. | Optional |
update_date_to | CVE's update date maximum value. For example: 2022-12-25T08:38:06Z. | Optional |
severity_list | Comma-separated list of CVE severities. Possible values are: Critical, High, Medium, Low. | Optional |
cpe_list | Comma-separated list of CPEs. | Optional |
cve_ids | Comma-separated list of specific CVE IDs. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.CVE.id | String | CVE ID. |
ThreatCommand.CVE.Cpe.value | String | CVE CPE value. |
ThreatCommand.CVE.Cpe.title | String | CVE CPE title. |
ThreatCommand.CVE.Cpe.vendor_product | String | CVE CPE vendor. |
ThreatCommand.CVE.published_date | Date | CVE publish date. |
ThreatCommand.CVE.update_date | Date | CVE update date. |
ThreatCommand.CVE.severity | String | CVE severity. |
ThreatCommand.CVE.intsights_score | Number | CVE IntSights score. |
ThreatCommand.CVE.cvss_score | Number | CVE CVSS score. |
ThreatCommand.CVE.mentions_amount | Number | CVE mentions amount. |
ThreatCommand.CVE.paste_site_mentions | Number | CVE paste site mentions. |
ThreatCommand.CVE.hacking_forum_mentions | Number | CVE hacking forum mentions. |
ThreatCommand.CVE.instant_message_mentions | Number | CVE instant message mentions. |
ThreatCommand.CVE.dark_web_mentions | Number | CVE dark web mentions. |
ThreatCommand.CVE.clear_web_cyber_blogs_mentions | Number | CVE clear web cyber blogs mentions. |
ThreatCommand.CVE.code_repositories_mentions | Number | CVE code repositories mentions. |
ThreatCommand.CVE.exploit_mentions | Number | CVE exploit mentions. |
ThreatCommand.CVE.social_media_mentions | Number | CVE social media mentions. |
ThreatCommand.CVE.first_mention_date | Date | CVE first mention date. |
ThreatCommand.CVE.last_mention_date | Date | CVE last mention date. |
ThreatCommand.CVE.exploit_availability | Boolean | CVE exploit availability. |
ThreatCommand.CVE.vulnerability_origin | String | CVE last vulnerability origin. |
ThreatCommand.CVE.related_threat_actors | String | Related threat actors. |
ThreatCommand.CVE.related_malware | String | Related malware. |
ThreatCommand.CVE.related_campaigns | String | Related campaigns. |
#### Command example

`!threat-command-cve-list limit=1`

#### Context Example

#### Human Readable Output

CVE list.

Id | Published Date | Update Date | Severity | Intsights Score | Cvss Score |
---|---|---|---|---|---|
CVE-2014-5600 | 2014-09-09T01:55:00.000Z | 2023-04-30T22:00:37.673Z | Low | 17 | 5.4 |

### threat-command-cve-add

Add CVEs to account.

#### Base Command

`threat-command-cve-add`

#### Input

Argument Name | Description | Required |
---|---|---|
cve_ids | Comma-separated list of CVEs unique IDs. | Required |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-cve-add cve_ids=CVE-1999-0002`

#### Human Readable Output

The "CVE-1999-0002" CVEs successfully added.

### threat-command-cve-delete

Delete CVEs from account.

#### Base Command

`threat-command-cve-delete`

#### Input

Argument Name | Description | Required |
---|---|---|
cve_ids | Comma-separated list of CVEs unique IDs (dependencies - use threat-command-cve-list to get all the CVE IDs). | Required |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-cve-delete cve_ids=CVE-1999-0002`

#### Human Readable Output

The "CVE-1999-0002" CVEs successfully deleted.

### threat-command-asset-add

Add assets by type and value. Assets include any company resource that could lead to a potential security threat.

#### Base Command

`threat-command-asset-add`

#### Input

Argument Name | Description | Required |
---|---|---|
asset_type | The type of asset to add value. For example: asset_type="Domains" asset_value="example.com". (You can get the asset types with threat-command-asset-type-list command). | Required |
asset_value | Asset value. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Asset.type | String | The type of the asset. |
ThreatCommand.Asset.value | String | The value of the asset type. |
#### Command example

`!threat-command-asset-add asset_type=CompanyNames asset_value=test`

#### Context Example

#### Human Readable Output

Asset "test" successfully added to "CompanyNames" asset list.

Type | Value |
---|---|
CompanyNames | test |

### threat-command-asset-list

Get account assets grouped by asset type.

#### Base Command

`threat-command-asset-list`

#### Input

Argument Name | Description | Required |
---|---|---|
limit | The maximum number of records to retrieve. Default is 50. | Optional |
all_results | Show all results if True. Possible values are: true, false. | Optional |
asset_types | Comma-separated list of asset types (dependencies - use threat-command-asset-type-list command to get all the asset types). For example: Domains,CompanyNames. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Asset.type | String | The type of the asset. |
ThreatCommand.Asset.value | String | The value of the asset type. |
#### Command example

`!threat-command-asset-list limit=4`

#### Context Example

#### Human Readable Output

Asset list.

Type | Value |
---|---|
Domains | com.com |
Domains | google.com |
Domains | moh.gov.il |
Domains | qmasters.co |

### threat-command-asset-type-list

Get all asset types. Mainly used to add or delete assets.

#### Base Command

`threat-command-asset-type-list`

#### Input

Argument Name | Description | Required |
---|---|---|
limit | The maximum number of records to retrieve. Default is 50. | Optional |
all_results | Show all results if True. Possible values are: true, false. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.AssetType | String | Asset type. |
### threat-command-asset-delete

Delete asset by type and value.

#### Base Command

`threat-command-asset-delete`

#### Input

Argument Name | Description | Required |
---|---|---|
asset_type | The type of the asset to delete. For example: asset_type="Domains" asset_value="example.com". (You can get the asset types with the threat-command-asset-type-list command). | Required |
asset_value | Asset value. | Required |
#### Context Output

There is no context output for this command.

#### Command example

`!threat-command-asset-delete asset_type=CompanyNames asset_value=test`

#### Human Readable Output

Asset "test" successfully deleted from "CompanyNames" asset list.

### threat-command-account-system-modules-list

List the system modules of your account.

#### Base Command

`threat-command-account-system-modules-list`

#### Input

There are no input arguments for this command.

#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.SystemModule.module_name | String | Module name. |
ThreatCommand.SystemModule.status | String | Whether the module module is enabled. |
#### Command example

`!threat-command-account-system-modules-list`

#### Context Example

#### Human Readable Output

System modules

Module Name | Status |
---|---|
discovery | true |
remediation | true |
ioc | true |
virtualappliance | true |
investigationpage | true |
threatlibrary | false |
intellifind | true |
cve | true |

### threat-command-mention-search

Search for strings in the scrapes database.

#### Base Command

`threat-command-mention-search`

#### Input

Argument Name | Description | Required |
---|---|---|
search | Search using simple keywords (the output keywords can be used as search keywords), basic operators, search operators, and document type. Basic operators: AND, OR, NOT, and parentheses. For example, searching for "bin_number: 1234 AND email_user_name: john_smith" returns all results that contain this BIN number and that username as the email user name; searching for "comment_number: 17 AND author: gyber" returns all results with 17 comments whose author is Gyber. | Required |
report_date | Time frame to report on. For example: 2022-12-25T08:38:06Z. | Optional |
page_number | Zero-based page number. 15 results per page. Default is 0. | Optional |
source_types | A comma-separated list of source types to filter by. Possible values are: Social Media, Paste Site, Hacking Forum, Instant Message, Black Market, Cyber Security Blog, Web Page. | Optional |
only_dark_web | Whether to show only mentions from the dark web. Possible values are: true, false. | Optional |
highlight_tags | Whether to show highlight tags (<em>) in the content. Possible values are: true, false. Default is True. | Optional |
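The `search` grammar described above (field:value terms or bare keywords combined with AND, OR, NOT and parentheses) is easy to get wrong when a playbook assembles queries from analyst input, and a malformed query only fails once it reaches the platform. The following Python is an added example and is not part of the integration or of this page: a small recursive-descent parser that validates a query and renders it back with explicit parentheses before it is passed to `threat-command-mention-search`. The operator precedence (NOT binds tightest, then AND, then OR), the tolerance for whitespace around the colon, and the function names are assumptions, since the page does not state them.

```python
"""Validate and normalize a Threat Command mention-search query (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Union

# One token per match: parentheses, the three operators, a `field: value`
# term (whitespace around the colon tolerated), or a bare keyword.
# Values and keywords stop at whitespace or a parenthesis.
_TOKEN_RE = re.compile(
    r"\(|\)|\bAND\b|\bOR\b|\bNOT\b"
    r"|[A-Za-z_][A-Za-z0-9_]*\s*:\s*[^\s()]+"
    r"|[^\s()]+"
)


@dataclass
class Term:
    field: Optional[str]  # None for a bare keyword such as test.com
    value: str


@dataclass
class Not:
    operand: Node


@dataclass
class BinOp:
    op: str  # "AND" or "OR"
    left: Node
    right: Node


Node = Union[Term, Not, BinOp]


def tokenize(query: str) -> List[str]:
    return _TOKEN_RE.findall(query)


class _Parser:
    """Precedence (assumed): NOT > AND > OR, with AND/OR left-associative."""

    def __init__(self, tokens: List[str]):
        self.tokens = tokens
        self.pos = 0

    def _peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self) -> Optional[str]:
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self) -> Node:
        node = self._parse_or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _parse_or(self) -> Node:
        left = self._parse_and()
        while self._peek() == "OR":
            self._take()
            left = BinOp("OR", left, self._parse_and())
        return left

    def _parse_and(self) -> Node:
        left = self._parse_not()
        while self._peek() == "AND":
            self._take()
            left = BinOp("AND", left, self._parse_not())
        return left

    def _parse_not(self) -> Node:
        if self._peek() == "NOT":
            self._take()
            return Not(self._parse_not())
        return self._parse_atom()

    def _parse_atom(self) -> Node:
        tok = self._take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok == "(":
            node = self._parse_or()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok in ("AND", "OR", "NOT", ")"):
            raise ValueError(f"unexpected operator {tok!r}")
        if ":" in tok:  # note: a bare URL like http://x is read as field "http"
            field, value = tok.split(":", 1)
            return Term(field.strip(), value.strip())
        return Term(None, tok)


def parse_query(query: str) -> Node:
    return _Parser(tokenize(query)).parse()


def to_string(node: Node) -> str:
    """Render a tree back to query syntax with explicit parentheses."""
    if isinstance(node, Term):
        return f"{node.field}:{node.value}" if node.field else node.value
    if isinstance(node, Not):
        return f"NOT {to_string(node.operand)}"
    return f"({to_string(node.left)} {node.op} {to_string(node.right)})"


def referenced_fields(node: Node) -> List[str]:
    """Field names used in the query, in order of first appearance."""
    if isinstance(node, Term):
        return [node.field] if node.field else []
    if isinstance(node, Not):
        return referenced_fields(node.operand)
    seen: List[str] = []
    for name in referenced_fields(node.left) + referenced_fields(node.right):
        if name not in seen:
            seen.append(name)
    return seen


def is_valid_query(query: str) -> bool:
    try:
        parse_query(query)
        return True
    except ValueError:
        return False
```

Running `to_string(parse_query("test.com OR NOT (author: gyber AND comment_number: 17)"))` yields `(test.com OR NOT (author:gyber AND comment_number:17))`; `referenced_fields` can be checked against the output keywords listed in the Context Output table below before the query is sent.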
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Mentions.author | String | Mention author. |
ThreatCommand.Mentions.comment_number | Number | Number of comments on the mention. |
ThreatCommand.Mentions.original_url | String | Mention original URL. |
ThreatCommand.Mentions.source_date | Date | Mention source date. |
ThreatCommand.Mentions.url | String | Mention URL. |
ThreatCommand.Mentions.insertion_date | Date | Mention insertion date. |
ThreatCommand.Mentions.type | String | Mention type. |
ThreatCommand.Mentions.Tags.is_product_for_sale | Boolean | Whether the product is for sale. |
ThreatCommand.Mentions.Tags.credit_cards | Boolean | Whether the mention includes credit cards. |
ThreatCommand.Mentions.Tags.domains | Boolean | Whether the mention includes domains. |
ThreatCommand.Mentions.Tags.emails | Boolean | Whether the mention includes emails. |
ThreatCommand.Mentions.Tags.ips | Boolean | Whether the mention includes IPs. |
ThreatCommand.Mentions.Tags.ssns | Boolean | Whether the mention includes SSNs (Switched Service Networks). |
ThreatCommand.Mentions.Tags.urls | Boolean | Whether the mention includes URLs. |
ThreatCommand.Mentions.id | String | Mention ID. |
ThreatCommand.Mentions.short_content | String | Mention short content. |
ThreatCommand.Mentions.title | String | Mention title. |
ThreatCommand.Mentions.date | Date | Mention date. |
#### Command example

`!threat-command-mention-search search=test.com`

#### Context Example

#### Human Readable Output

Mentions for "test.com" (page number 0).

Author | Original Url | Url | Type | Id | Short Content | Title | Date |
---|---|---|---|---|---|---|---|
jamedoefo | https://cybercarders.com/threads/onlyfans-lana-rhoades-3gb-update.222455/unread | https://cybercarders.com/threads/onlyfans-lana-rhoades-3gb-update.222455/page-33 | comment | 1234 | i was here | | 2023-05-04T10:20:02 |
anon | https://www.wilderssecurity.com/threads/brave-browser-discussion-update-thread.388288/unread | https://www.wilderssecurity.com/threads/brave-browser-discussion-update-thread.388288/page-36 | comment | f15c68c9c4d8a4ccc7efc21373f228a7f9d7826a | brave v1.51.110 (may 3, 2023) https://brave.com/latest/ spoiler: release notes v1.51.110 (may 3, 2023) release notes v1.51.110 (may 3, 2023) web3 added the ability to set brave wallet permission duration when connecting to dapps. (#28841) [security] prevent blind cross chain signing as reported o | | 2023-05-04T10:17:00 |
### threat-command-mssp-customer-list

Get all Managed Security Service Provider (MSSP) sub-accounts.

#### Base Command

`threat-command-mssp-customer-list`

#### Input

Argument Name | Description | Required |
---|---|---|
limit | The maximum number of records to retrieve. Default is 50. | Optional |
all_result | Show all results if True. Possible values are: true, false. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.MsspCustomer.id | String | Customer ID. |
ThreatCommand.MsspCustomer.company_name | String | Customer company name. |
ThreatCommand.MsspCustomer.status | String | Customer status. |
ThreatCommand.MsspCustomer.note | String | Customer note. |
#### Command example

`!threat-command-mssp-customer-list limit=1`

#### Context Example

#### Human Readable Output

MSSP customer list

Id | Company Name | Status | Note |
---|---|---|---|
59490ca49b655c027458d115 | Demo - Qmasters | Enabled | test |

### threat-command-mssp-user-list

Get the details of the MSSP's users (if you are an MSSP account).

#### Base Command

`threat-command-mssp-user-list`

#### Input

Argument Name | Description | Required |
---|---|---|
limit | The maximum number of records to retrieve. Default is 50. | Optional |
all_result | Show all results if True. Possible values are: true, false. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.MsspUser.id | String | User ID. |
ThreatCommand.MsspUser.email | String | User email. |
ThreatCommand.MsspUser.role | String | User role. |
ThreatCommand.MsspUser.is_deleted | String | Whether the user was deleted. |
#### Command example

`!threat-command-mssp-user-list limit=1`

#### Context Example

#### Human Readable Output

MSSP user list

Id | Email | Role | Is Deleted |
---|---|---|---|
64214bc94c75609d09ebb56a | test@test.com | Admin | false |

### threat-command-account-user-list

List the users in your account. Mainly used to assign alerts.

#### Base Command

`threat-command-account-user-list`

#### Input

Argument Name | Description | Required |
---|---|---|
user_type | Type of the user. Possible values are: Admin, Analyst. | Optional |
user_email | Email of the user. | Optional |
user_id | The ID of the user. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
all_result | Show all results if True. Possible values are: true, false. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.AccountUser.id | String | User ID. |
ThreatCommand.AccountUser.email | String | User email. |
ThreatCommand.AccountUser.first_name | String | User first name. |
ThreatCommand.AccountUser.last_name | String | User last name. |
ThreatCommand.AccountUser.role | String | User role. |
ThreatCommand.AccountUser.is_deleted | String | Whether the user was deleted. |
#### Command example

`!threat-command-account-user-list limit=1`

#### Context Example

#### Human Readable Output

Account user list

Id | Email | First Name | Last Name | Role | Is Deleted |
---|---|---|---|---|---|
59490cd818a3b902664b4ed7 | test@test.com | test | test | Admin | false |

### threat-command-alert-type-list

List alert types and sub-types. They are mainly used to add manual alerts.

#### Base Command

`threat-command-alert-type-list`

#### Input

Argument Name | Description | Required |
---|---|---|
limit | The maximum number of records to retrieve. Default is 50. | Optional |
all_result | Show all results if True. Possible values are: true, false. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.AlertType.type | String | Type. |
ThreatCommand.AlertType.sub_type | String | Sub-type of the type. |
#### Command example

`!threat-command-alert-type-list limit=1`

#### Context Example

#### Human Readable Output

Alert types

Type | Sub Type |
---|---|
ExploitableData | VulnerabilityInTechnologyInUse |

### threat-command-alert-source-type-list

List alert source types. They are mainly used to add manual alerts.

#### Base Command

`threat-command-alert-source-type-list`

#### Input

Argument Name | Description | Required |
---|---|---|
limit | The maximum number of records to retrieve. Default is 50. | Optional |
all_result | Show all results if True. Possible values are: true, false. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.AlertSourceType | String | List of source types. |
#### Command example

`!threat-command-alert-source-type-list limit=1`

#### Context Example

#### Human Readable Output

Alert source types

Source Type |
---|
Application Store |

### threat-command-alert-scenario-list

List alert scenarios. They are mainly used to add manual alerts.

#### Base Command

`threat-command-alert-scenario-list`

#### Input

Argument Name | Description | Required |
---|---|---|
limit | The maximum number of records to retrieve. Default is 50. | Optional |
all_result | Show all results if True. Possible values are: true, false. | Optional |
type | Alert type (dependencies - use threat-command-alert-type-list command to get all the alert types). Possible values are: Attack Indication, Data Leakage, Phishing, Brand Security, Exploitable Data, vip. | Optional |
sub_type | Alert's sub-type (dependencies - use threat-command-alert-type-list command to get all the alert subtypes). | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
ThreatCommand.Scenario.type | String | Alert type. |
ThreatCommand.Scenario.subtype | String | Alert sub-type. |
ThreatCommand.Scenario.scenario | String | Name of the scenario. |
ThreatCommand.Scenario.description | String | Short description of the scenario. |
#### Command example

`!threat-command-alert-scenario-list limit=1`

#### Context Example

#### Human Readable Output

Alert scenario list

Scenario | Description | Type | Subtype |
---|---|---|---|
ACompanyEmailAddressReportedAsMalicious | A company email address reported as spamming | AttackIndication | AssetReportedAsMalicious |

### file

Runs reputation on files.

#### Base Command

`file`

#### Input

Argument Name | Description | Required |
---|---|---|
unfinished_enriches | Number of unfinished IOC enrichments. Default is -1. | Required |
file | Hash of the file to query. Supports MD5, SHA1, and SHA256. | Required |
interval_in_seconds | The interval in seconds between each poll. Default is 30. | Optional |
timeout_in_seconds | The timeout in seconds until polling ends. Default is 600. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.sha512 | String | The SHA512 hash of the file. |
File.name | String | The full file name (including file extension). |
File.description | String | The description of the file. |
File.size | String | The size of the file. |
File.file_type | String | The type of the file. |
File.tags | String | The tags of the file. |
File.actor | String | Related threat actors to the file. |
File.campaign | String | Related threat campaigns to the file. |
File.associated_file_names | String | File names associated with the file. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
DBotScore.Score | Number | The actual score. |
### ip

Checks the reputation of an IP address.

#### Base Command

`ip`

#### Input

Argument Name | Description | Required |
---|---|---|
unfinished_enriches | Number of unfinished IOC enrichments. Default is -1. | Required |
ip | IP address to check. | Required |
interval_in_seconds | The interval in seconds between each poll. Default is 30. | Optional |
timeout_in_seconds | The timeout in seconds until polling ends. Default is 600. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
IP.ASN | String | IP ASN. |
IP.Address | String | IP address. |
IP.Region | String | IP region. |
IP.UpdatedDate | String | IP updated date. |
ThreatCommand.IP.asn | String | IP ASN. |
ThreatCommand.IP.ip | String | IP address. |
ThreatCommand.IP.region | String | IP region. |
ThreatCommand.IP.updated_date | String | IP updated date. |
### url

Checks the reputation of a URL.

#### Base Command

`url`

#### Input

Argument Name | Description | Required |
---|---|---|
unfinished_enriches | Number of unfinished IOC enrichments. Default is -1. | Required |
url | A comma-separated list of URLs to check. This command will not work properly on URLs containing commas. | Required |
sampleSize | The number of samples from each type (resolutions, detections, etc.) to display for long format. Default is 10. | Optional |
interval_in_seconds | The interval in seconds between each poll. Default is 30. | Optional |
timeout_in_seconds | The timeout in seconds until polling ends. Default is 600. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
URL.Data | String | The URL value. |
URL.DetectionEngines | String | URL detection engines. |
URL.PositiveDetections | Number | Number of positive engines. |
URL.Tags | Number | URL tags. |
ThreatCommand.URL.detection_engines | String | URL detection engines. |
ThreatCommand.URL.positive_detections | String | URL positive detection engines. |
ThreatCommand.URL.tags | String | URL tags. |
ThreatCommand.URL.url | Number | The URL value. |
### domain

Checks the reputation of a domain.

#### Base Command

`domain`

#### Input

Argument Name | Description | Required |
---|---|---|
unfinished_enriches | Number of unfinished IOC enrichments. Default is -1. | Required |
domain | Domain name to check. | Required |
interval_in_seconds | The interval in seconds between each poll. Default is 30. | Optional |
timeout_in_seconds | The timeout in seconds until polling ends. Default is 600. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
Domain.domain | String | Domain found. |
Domain.Name | String | The name of the domain that was checked. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
Domain.DNSRecords | String | DNS records of the domain. |
ThreatCommand.Domain.domain | String | The domain value. |
ThreatCommand.Domain.sub_domains | Date | Sub domains of the domain. |
ThreatCommand.Domain.tags | String | Tags of the domain. |
ThreatCommand.Domain.updated_date | String | Domain updated date. |