# SEKOIAIntelligenceCenter

This Integration is part of the SEKOIAIntelligenceCenter Pack.

#### Supported versions
Supported Cortex XSOAR versions: 6.2.0 and later.

Fetch indicators and observables from SEKOIA.IO Intelligence Center. To use this integration, create a SEKOIA.IO API key with the right permissions.
This integration was integrated and tested with version 2.20220712 of SEKOIA Intelligence Center.
## Configure SEKOIAIntelligenceCenter on Cortex XSOAR

1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
2. Search for SEKOIAIntelligenceCenter.
3. Click **Add instance** to create and configure a new integration instance.

    | **Parameter** | **Description** | **Required** |
    | --- | --- | --- |
    | Your server URL |  | True |
    | API Key | The API Key to use for connection | True |
    | Trust any certificate (not secure) |  | False |
    | Use system proxy settings |  | False |

4. Click **Test** to validate the URLs, token, and connection.

Leave **Trust any certificate (not secure)** unchecked unless you are debugging a TLS problem: with verification disabled the API key is sent to whatever endpoint answers for the server URL.
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### GetObservable

Query SEKOIA.IO Intelligence Center for information about this observable.

#### Base Command

`GetObservable`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
value | Indicator value. | Required |
type | Indicator type. | Required |
#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
GetObservable.Output | String | SEKOIA.IO returned data |
SEKOIAIntelligenceCenter.has_more | Boolean | Is more information available |
SEKOIAIntelligenceCenter.total | Number | Total number of objects returned |
SEKOIAIntelligenceCenter.items.x_inthreat_short_display | String | Short display name of the observable |
SEKOIAIntelligenceCenter.items.modified | Date | Modification date of the observable |
SEKOIAIntelligenceCenter.items.spec_version | String | STIX specification version |
SEKOIAIntelligenceCenter.items.created | Date | Observable creation date |
SEKOIAIntelligenceCenter.items.type | String | Observable type |
SEKOIAIntelligenceCenter.items.x_inthreat_sources_refs | String | Unique identifier of the observable source |
SEKOIAIntelligenceCenter.items.value | String | Value of the item |
SEKOIAIntelligenceCenter.items.id | String | Unique identifier of the item |
#### Command example
`!GetObservable value="eicar@sekoia.io" type="email-addr"`

#### Context Example

#### Human Readable Output

>### eicar@sekoia.io
>#### Observable
>| modified | created |
>| --- | --- |
>| 2020-11-04T00:27:15.9801Z | 2020-11-04T00:27:15.9801Z |
>#### Associated tags
>No entries.
>Please consult the dedicated page for more information.
### GetIndicator

Query SEKOIA.IO Intelligence Center for information about this indicator. No information is returned if the value is not known to SEKOIA.IO as an indicator (IoC).

#### Base Command

`GetIndicator`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
value | Indicator value. | Required |
type | Indicator type. | Required |
#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
SEKOIAIntelligenceCenter.has_more | Boolean | Is more information available |
SEKOIAIntelligenceCenter.items.lang | String | Language of the indicator data |
SEKOIAIntelligenceCenter.items.x_ic_is_in_flint | Boolean | Is this indicator from a SEKOIA FLINT report |
SEKOIAIntelligenceCenter.items.kill_chain_phases.kill_chain_name | String | Name of the kill chain used |
SEKOIAIntelligenceCenter.items.kill_chain_phases.phase_name | String | Name of the kill chain phase |
SEKOIAIntelligenceCenter.items.name | String | Name of the item |
SEKOIAIntelligenceCenter.items.valid_until | Date | Expiration date of the item |
SEKOIAIntelligenceCenter.items.x_ic_deprecated | Boolean | Is the item deprecated |
SEKOIAIntelligenceCenter.items.x_inthreat_sources_refs | String | Source references of the indicator |
SEKOIAIntelligenceCenter.items.spec_version | String | STIX specification version used |
SEKOIAIntelligenceCenter.items.description | String | Item description |
SEKOIAIntelligenceCenter.items.modified | Date | Last modification date of the item |
SEKOIAIntelligenceCenter.items.id | String | Unique identifier of the item |
SEKOIAIntelligenceCenter.items.created_by_ref | String | Unique identifier of the creator of the item |
SEKOIAIntelligenceCenter.items.pattern | String | STIX pattern of the item |
SEKOIAIntelligenceCenter.items.pattern_type | String | STIX pattern type |
SEKOIAIntelligenceCenter.items.valid_from | Date | Beginning of the item validity date |
SEKOIAIntelligenceCenter.items.x_ic_observable_types | String | Intelligence Center observable types |
SEKOIAIntelligenceCenter.items.type | String | STIX Object type |
SEKOIAIntelligenceCenter.items.revoked | Boolean | Is this item revoked |
SEKOIAIntelligenceCenter.items.object_marking_refs | String | Unique identifier of the marking reference (TLP) |
SEKOIAIntelligenceCenter.items.created | Date | Creation date of the item |
SEKOIAIntelligenceCenter.items.indicator_types | String | STIX indicator types |
#### Command example
`!GetIndicator value="eicar@sekoia.io" type="email-addr"`

#### Context Example

#### Human Readable Output

>### eicar@sekoia.io is categorized as ['benign']
>#### Indicator
>SEKOIA EICAR unit is known to have used in the past this email address to distribute EICAR dropper during phishing campaign.
>#### Kill chain
>| kill_chain_name | phase_name |
>| --- | --- |
>| lockheed-martin-cyber-kill-chain | delivery |
>Please consult the dedicated page for more information.
### GetIndicatorContext

Query SEKOIA.IO Intelligence Center for context around this indicator.

#### Base Command

`GetIndicatorContext`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
value | Indicator value. | Required |
type | Indicator type. | Required |
#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
SEKOIAIntelligenceCenter.items.type | String | Observable type |
SEKOIAIntelligenceCenter.items.id | String | Unique identifier of the item |
SEKOIAIntelligenceCenter.items.objects.valid_from | Date | Beginning of the item validity date |
SEKOIAIntelligenceCenter.items.objects.x_inthreat_sources_refs | String | Unique identifier of the observable source |
SEKOIAIntelligenceCenter.items.objects.spec_version | String | STIX specification version |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_in_flint | Boolean | Is this indicator from a SEKOIA FLINT report |
SEKOIAIntelligenceCenter.items.objects.lang | String | Language of the indicator data |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_locations | String | UUID of the impacted locations |
SEKOIAIntelligenceCenter.items.objects.id | String | UUID of the objects |
SEKOIAIntelligenceCenter.items.objects.created_by_ref | String | Unique identifier of the creator of the item |
SEKOIAIntelligenceCenter.items.objects.modified | Date | Modification date of the observable |
SEKOIAIntelligenceCenter.items.objects.type | String | STIX Object type |
SEKOIAIntelligenceCenter.items.objects.revoked | Boolean | Is this item revoked |
SEKOIAIntelligenceCenter.items.objects.created | Date | Creation date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_observable_types | String | Intelligence Center observable types |
SEKOIAIntelligenceCenter.items.objects.pattern_type | String | STIX pattern type |
SEKOIAIntelligenceCenter.items.objects.name | String | Name of the item |
SEKOIAIntelligenceCenter.items.objects.pattern | String | STIX pattern |
SEKOIAIntelligenceCenter.items.objects.indicator_types | String | STIX indicator types |
SEKOIAIntelligenceCenter.items.objects.object_marking_refs | String | Unique identifier of the Object Marking reference (TLP) |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_sectors | String | UUID of the impacted sectors |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.kill_chain_name | String | Name of the kill chain used |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.phase_name | String | Name of the kill chain phase |
SEKOIAIntelligenceCenter.items.objects.confidence | Number | Indicator confidence score |
SEKOIAIntelligenceCenter.items.objects.x_ic_deprecated | Boolean | Is the item deprecated |
SEKOIAIntelligenceCenter.items.objects.valid_until | Date | Expiration date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_external_refs | String | External references |
SEKOIAIntelligenceCenter.items.objects.first_seen | Date | Item first seen date |
SEKOIAIntelligenceCenter.items.objects.aliases | String | Item aliases names |
SEKOIAIntelligenceCenter.items.objects.is_family | Boolean | Is the item part of a family |
SEKOIAIntelligenceCenter.items.objects.external_references.description | String | Object external references description |
SEKOIAIntelligenceCenter.items.objects.external_references.source_name | String | Object external references source name |
SEKOIAIntelligenceCenter.items.objects.external_references.url | String | Object external references URL |
SEKOIAIntelligenceCenter.items.objects.capabilities | String | Malware capabilities |
SEKOIAIntelligenceCenter.items.objects.malware_types | String | Malware type |
SEKOIAIntelligenceCenter.items.objects.implementation_languages | String | Malware implementation languages |
SEKOIAIntelligenceCenter.items.objects.description | String | Item description |
SEKOIAIntelligenceCenter.items.objects.stop_time | Date | Stop time date |
SEKOIAIntelligenceCenter.items.objects.relationship_type | String | STIX object relationship type |
SEKOIAIntelligenceCenter.items.objects.target_ref | String | Target reference UUID |
SEKOIAIntelligenceCenter.items.objects.source_ref | String | Source reference UUID |
SEKOIAIntelligenceCenter.items.objects.start_time | Date | Object start time |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_sector | Boolean | Is the object a sector |
SEKOIAIntelligenceCenter.items.objects.contact_information | String | Object contact information |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_source | Boolean | Is the object a source |
SEKOIAIntelligenceCenter.items.objects.sectors | String | Associated sectors |
SEKOIAIntelligenceCenter.items.objects.identity_class | String | Object identity class |
SEKOIAIntelligenceCenter.items.objects.definition_type | String | Object definition type |
SEKOIAIntelligenceCenter.items.objects.definition.tlp | String | TLP type |
SEKOIAIntelligenceCenter.has_more | Boolean | Is more information available |
IP.Address | String | IP address |
DBotScore.Indicator | String | The indicator name. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
#### Command example
`!GetIndicatorContext value="eicar@sekoia.io" type="email-addr"`

#### Context Example

#### Human Readable Output

>### eicar@sekoia.io is linked to the following:
>#### Indicator
>| name | description | type | aliases | goals | revoked | created | modified | more_info |
>| --- | --- | --- | --- | --- | --- | --- | --- | --- |
>| EICAR Unit of SEKOIA | This Intrusion Set is known to be operated by SEKOIA by its EICAR unit. This unit aims at creating fictitious environment mimicking real attackers to present how threat intelligence can help real organizations to protect themselves. | intrusion-set | EICAR, TEST EICAR SEKOIA.IO, EICAR Unit of SEKOIA | Simulation of real Threat Actor for Test purpose | false | 2020-05-26T13:18:26.429787Z | 2020-06-02T13:28:51.131904Z | More info about EICAR Unit of SEKOIA on SEKOIA.IO |
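The context output documented above is a STIX 2.1 bundle, and a playbook that acts on it has to do three things the table only implies: ignore indicators that are revoked, deprecated or outside their `valid_from`/`valid_until` window; follow `relationship` objects to the intrusion sets or malware they connect; and resolve `object_marking_refs` to a TLP label before sharing anything. The script below is an added example, not code from the SEKOIAIntelligenceCenter integration or from SEKOIA.IO. It works on the documented context paths (`SEKOIAIntelligenceCenter.has_more` and `SEKOIAIntelligenceCenter.items[].objects[]`) with a constructed sample bundle whose STIX ids are hypothetical and which mirrors the `eicar@sekoia.io` output shown above, in place of `demisto.context()`. Treating an unresolvable marking as TLP:RED is a choice of this example, not behaviour of the integration.

```python
"""Added example, not code from the SEKOIAIntelligenceCenter integration or
from SEKOIA.IO: post-process the context that !GetIndicatorContext writes,
using the paths documented above (SEKOIAIntelligenceCenter.has_more and
SEKOIAIntelligenceCenter.items[].objects[], which are STIX 2.1 objects).
In an XSOAR automation the input would be demisto.context(); here a
constructed sample with hypothetical STIX ids stands in so it runs offline."""
from datetime import datetime, timezone

TLP_ORDER = ["clear", "white", "green", "amber", "amber+strict", "red"]
GREEN = "marking-definition--tlp-green"  # hypothetical id for the sample only

# Constructed sample mirroring the eicar@sekoia.io output shown on this page.
SAMPLE_CONTEXT = {"has_more": False, "items": [{"type": "bundle", "id": "bundle--1", "objects": [
    {"type": "marking-definition", "id": GREEN, "definition_type": "tlp",
     "definition": {"tlp": "green"}},
    {"type": "indicator", "id": "indicator--1", "name": "eicar@sekoia.io",
     "pattern": "[email-addr:value = 'eicar@sekoia.io']", "pattern_type": "stix",
     "indicator_types": ["benign"], "confidence": 70, "revoked": False,
     "x_ic_deprecated": False, "valid_from": "2020-05-26T13:18:26.429787Z",
     "valid_until": "2030-01-01T00:00:00Z", "object_marking_refs": [GREEN],
     "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                            "phase_name": "delivery"}]},
    # An older indicator for the same value that has since been revoked:
    # it is still part of the bundle, but must not drive a verdict.
    {"type": "indicator", "id": "indicator--2", "name": "eicar@sekoia.io",
     "pattern": "[email-addr:value = 'eicar@sekoia.io']", "pattern_type": "stix",
     "indicator_types": ["malicious-activity"], "revoked": True, "x_ic_deprecated": True,
     "valid_from": "2019-01-01T00:00:00Z", "valid_until": "2019-12-31T00:00:00Z",
     "object_marking_refs": [GREEN]},
    {"type": "intrusion-set", "id": "intrusion-set--1", "name": "EICAR Unit of SEKOIA",
     "aliases": ["EICAR", "TEST EICAR SEKOIA.IO"], "revoked": False,
     "object_marking_refs": [GREEN]},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "indicates",
     "source_ref": "indicator--1", "target_ref": "intrusion-set--1"},
    {"type": "relationship", "id": "relationship--2", "relationship_type": "indicates",
     "source_ref": "indicator--2", "target_ref": "intrusion-set--1"},
]}]}

def parse_stix_ts(value):
    """STIX timestamps are UTC with a 'Z' suffix and a variable number of
    fractional digits (this page shows .429787Z and .9801Z); normalise to 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    return datetime.strptime(f"{base}.{frac[:6].ljust(6, '0')}",
                             "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)

def index_objects(context):
    """Flatten items[].objects[] into {stix_id: object}."""
    return {o["id"]: o for item in context.get("items", []) for o in item.get("objects", [])}

def is_active(ind, now):
    """Revoked, deprecated, expired or not-yet-valid indicators carry no weight."""
    if ind.get("revoked") or ind.get("x_ic_deprecated"):
        return False
    if "valid_from" in ind and parse_stix_ts(ind["valid_from"]) > now:
        return False
    return "valid_until" not in ind or parse_stix_ts(ind["valid_until"]) > now

def tlp_rank(tlp):
    """Order for picking the most restrictive label; unknown labels rank highest."""
    return TLP_ORDER.index(tlp) if tlp in TLP_ORDER else len(TLP_ORDER)

def tlp_of(obj, objects):
    """Resolve object_marking_refs to a TLP label; fail closed (red) when none resolves."""
    tlps = [objects[r]["definition"]["tlp"] for r in obj.get("object_marking_refs", [])
            if r in objects and objects[r].get("definition_type") == "tlp"]
    return max(tlps, key=tlp_rank, default="red")

def linked_to(stix_id, objects, types=("intrusion-set", "malware", "campaign", "threat-actor")):
    """Follow relationship objects in either direction to the SDOs they connect."""
    out = []
    for rel in objects.values():
        refs = (rel.get("source_ref"), rel.get("target_ref"))
        if rel.get("type") != "relationship" or rel.get("revoked") or stix_id not in refs:
            continue
        other = objects.get(refs[1] if refs[0] == stix_id else refs[0])
        if other and other.get("type") in types and not other.get("revoked"):
            out.append(other)
    return out

def summarize(context, now=None):
    """Verdict-ready view of the bundle: only active indicators count, TLP is the
    most restrictive one seen, and has_more flags a truncated result set."""
    now = parse_stix_ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    objects = index_objects(context)
    active = [o for o in objects.values() if o.get("type") == "indicator" and is_active(o, now)]
    linked, phases = {}, set()
    for ind in active:
        for sdo in linked_to(ind["id"], objects):
            linked[sdo["name"]] = sorted(sdo.get("aliases", []))
        phases.update((p["kill_chain_name"], p["phase_name"]) for p in ind.get("kill_chain_phases", []))
    return {
        "active_indicators": len(active),
        "indicator_types": sorted({t for o in active for t in o.get("indicator_types", [])}),
        "tlp": max((tlp_of(o, objects) for o in active), key=tlp_rank, default="red"),
        "linked": linked,
        "kill_chain": sorted(phases),
        "truncated": bool(context.get("has_more")),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_CONTEXT, "2022-07-12T00:00:00Z"))
```

In an automation, replace `SAMPLE_CONTEXT` with `demisto.context().get("SEKOIAIntelligenceCenter", {})` after the command has run, and check `truncated` before treating `linked` as the complete picture: `has_more` means the Intelligence Center holds more objects than the command returned. Note that the revoked `indicator--2` in the sample is connected to the same intrusion set, but because it is filtered out first, nothing it points to is reported; that is the behaviour you want when an old IoC is withdrawn.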