Skip to main content

SEKOIAIntelligenceCenter

This Integration is part of the SEKOIAIntelligenceCenter Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

Fetch Indicator and Observables from SEKOIA.IO Intelligence Center. To use this integration, please create an API Key with the right permissions.

This integration was integrated and tested with version 2.20220712 of SEKOIA Intelligence Center

Configure SEKOIAIntelligenceCenter on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for SEKOIAIntelligenceCenter.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Your server URLTrue
    NoneThe API Key to use for connectionTrue
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

GetObservable#


Query SEKOIA.IO Intelligence Center for information about this observable.

Base Command#

GetObservable

Input#

Argument NameDescriptionRequired
valueIndicator value.Required
typeIndicator type.Required

Context Output#

PathTypeDescription
GetObservable.OutputStringSEKOIA.IO returned data
SEKOIAIntelligenceCenter.has_moreBooleanIs more information available
SEKOIAIntelligenceCenter.totalNumberTotal number of object returned
SEKOIAIntelligenceCenter.items.x_inthreat_short_displayStringShort display name of the observable
SEKOIAIntelligenceCenter.items.modifiedDateModification date of the observable
SEKOIAIntelligenceCenter.items.spec_versionStringSTIX specification version
SEKOIAIntelligenceCenter.items.createdDateObservable creation date
SEKOIAIntelligenceCenter.items.typeStringObservable type
SEKOIAIntelligenceCenter.items.x_inthreat_sources_refsStringUnique identifier of the observable source
SEKOIAIntelligenceCenter.items.valueStringValue of the item
SEKOIAIntelligenceCenter.items.idStringUnique identifier of the item

Command example#

!GetObservable value="eicar@sekoia.io" type="email-addr"

Context Example#

{
"SEKOIAIO": {
"Observable": {
"indicator": {
"type": "email-addr",
"value": "eicar@sekoia.io"
},
"items": [
{
"created": "2020-11-04T00:27:15.9801Z",
"id": "email-addr--cd6440d1-725c-5eb9-bff0-5e62c65ee263",
"modified": "2020-11-04T00:27:15.9801Z",
"spec_version": "2.1",
"type": "email-addr",
"value": "eicar@sekoia.io",
"x_inthreat_short_display": "eicar@sekoia.io",
"x_inthreat_sources_refs": [
"identity--357447d7-9229-4ce1-b7fa-f1b83587048e"
],
"x_inthreat_tags": []
}
]
}
}
}

Human Readable Output#

Observable eicar@sekoia.io#

modifiedcreated
2020-11-04T00:27:15.9801Z2020-11-04T00:27:15.9801Z

Associated tags#

No entries. Please consult the dedicated page for more information.

GetIndicator#


Query SEKOIA.IO Intelligence Center for information about this indicator. No information is returned if the value is not a known by SEKOIA.IO as an indicator (IoC).

Base Command#

GetIndicator

Input#

Argument NameDescriptionRequired
valueIndicator value.Required
typeIndicator type.Required

Context Output#

PathTypeDescription
SEKOIAIntelligenceCenter.has_moreBooleanIs more information available
SEKOIAIntelligenceCenter.items.langStringLanguage of the indicator data
SEKOIAIntelligenceCenter.items.x_ic_is_in_flintBooleanIs this indicator from a SEKOIA FLINT report
SEKOIAIntelligenceCenter.items.kill_chain_phases.kill_chain_nameStringName of the kill chain used
SEKOIAIntelligenceCenter.items.kill_chain_phases.phase_nameStringName of the kill chain phase
SEKOIAIntelligenceCenter.items.nameStringName of the item
SEKOIAIntelligenceCenter.items.valid_untilDateExpiration date of the item
SEKOIAIntelligenceCenter.items.x_ic_deprecatedBooleanIs the item deprecated
SEKOIAIntelligenceCenter.items.x_inthreat_sources_refsStringSource references of the observable
SEKOIAIntelligenceCenter.items.spec_versionStringSTIX specification version used
SEKOIAIntelligenceCenter.items.descriptionStringItem description
SEKOIAIntelligenceCenter.items.modifiedDateLast modification date of the item
SEKOIAIntelligenceCenter.items.idStringUnique identifier of the item
SEKOIAIntelligenceCenter.items.created_by_refStringUnique identifier of the creator of the item
SEKOIAIntelligenceCenter.items.patternStringSTIX pattern of the item
SEKOIAIntelligenceCenter.items.pattern_typeStringSTIX pattern type
SEKOIAIntelligenceCenter.items.valid_fromDateBeginning of the item validity date
SEKOIAIntelligenceCenter.items.x_ic_observable_typesStringIntelligence Center observable types
SEKOIAIntelligenceCenter.items.typeStringSTIX Object type
SEKOIAIntelligenceCenter.items.revokedBooleanIs this item revoked
SEKOIAIntelligenceCenter.items.object_marking_refsStringUnique identifier of the marking reference (TLP)
SEKOIAIntelligenceCenter.items.createdDateCreation date of the item
SEKOIAIntelligenceCenter.items.indicator_typesStringSTIX indicator types

Command example#

!GetIndicator value="eicar@sekoia.io" type="email-addr"

Context Example#

{
"SEKOIAIntelligenceCenter": {
"Analysis": {
"indicator": {
"type": "email-addr",
"value": "eicar@sekoia.io"
},
"items": [
{
"created": "2020-05-25T07:18:29.384153Z",
"created_by_ref": "identity--357447d7-9229-4ce1-b7fa-f1b83587048e",
"description": "SEKOIA EICAR unit is known to have used in the past this email address to distribute EICAR dropper during phishing campaign.\n",
"id": "indicator--d394449b-6bc7-4d48-b392-6f898190bd2a",
"indicator_types": [
"benign"
],
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "delivery"
}
],
"lang": "en",
"modified": "2020-06-02T13:29:24.940899Z",
"name": "eicar@sekoia.io",
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
"pattern": "[email-addr:value = 'eicar@sekoia.io']",
"pattern_type": "stix",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2020-05-25T07:18:01.809Z",
"valid_until": "2022-11-20T23:00:00.000Z",
"x_ic_deprecated": false,
"x_ic_is_in_flint": false,
"x_ic_observable_types": [
"email-addr"
],
"x_inthreat_sources_refs": [
"identity--357447d7-9229-4ce1-b7fa-f1b83587048e"
]
}
]
}
}
}

Human Readable Output#

Indicator eicar@sekoia.io is categorized as ['benign']#

SEKOIA EICAR unit is known to have used in the past this email address to distribute EICAR dropper during phishing campaign.

Kill chain#

kill_chain_namephase_name
lockheed-martin-cyber-kill-chaindelivery

Please consult the dedicated page for more information.

GetIndicatorContext#


Query SEKOIA.IO Intelligence Center for context around this indicator

Base Command#

GetIndicatorContext

Input#

Argument NameDescriptionRequired
valueIndicator value.Required
typeIndicator type.Required

Context Output#

PathTypeDescription
SEKOIAIntelligenceCenter.items.typeStringObservable type
SEKOIAIntelligenceCenter.items.idStringUnique identifier of the item
SEKOIAIntelligenceCenter.items.objects.valid_fromDateBeginning of the item validity date
SEKOIAIntelligenceCenter.items.objects.x_inthreat_sources_refsStringUnique identifier of the observable source
SEKOIAIntelligenceCenter.items.objects.spec_versionStringSTIX specification version
SEKOIAIntelligenceCenter.items.objects.x_ic_is_in_flintBooleanIs this indicator from a SEKOIA FLINT report
SEKOIAIntelligenceCenter.items.objects.langStringLanguage of the indicator data
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_locationsStringUUID of the impacted locations
SEKOIAIntelligenceCenter.items.objects.idStringUUID of the objects
SEKOIAIntelligenceCenter.items.objects.created_by_refStringUnique identifier of the creator of the item
SEKOIAIntelligenceCenter.items.objects.modifiedDateModification date of the observable
SEKOIAIntelligenceCenter.items.objects.typeStringSTIX Object type
SEKOIAIntelligenceCenter.items.objects.revokedBooleanIs this item revoked
SEKOIAIntelligenceCenter.items.objects.createdDateCreation date of the item
SEKOIAIntelligenceCenter.items.objects.x_ic_observable_typesStringIntelligence Center observable types
SEKOIAIntelligenceCenter.items.objects.pattern_typeStringSTIX pattern type
SEKOIAIntelligenceCenter.items.objects.nameStringName of the item
SEKOIAIntelligenceCenter.items.objects.patternStringSTIX pattern
SEKOIAIntelligenceCenter.items.objects.indicator_typesStringSTIX indicator types
SEKOIAIntelligenceCenter.items.objects.object_marking_refsStringUnique identifier of the Object Marking reference (TLP)
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_sectorsStringUUID of the impacted sectors
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.kill_chain_nameStringName of the kill chain used
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.phase_nameStringName of the kill chain phase
SEKOIAIntelligenceCenter.items.objects.confidenceNumberIndicator confidence score
SEKOIAIntelligenceCenter.items.objects.x_ic_deprecatedBooleanIs the item deprecated
SEKOIAIntelligenceCenter.items.objects.valid_untilDateExpiration date of the item
SEKOIAIntelligenceCenter.items.objects.x_ic_external_refsStringExternal references
SEKOIAIntelligenceCenter.items.objects.first_seenDateItem first seen date
SEKOIAIntelligenceCenter.items.objects.aliasesStringItem aliases names
SEKOIAIntelligenceCenter.items.objects.is_familyBooleanIs the item part of a family
SEKOIAIntelligenceCenter.items.objects.external_references.descriptionStringObject external references description
SEKOIAIntelligenceCenter.items.objects.external_references.source_nameStringObject external references source name
SEKOIAIntelligenceCenter.items.objects.external_references.urlStringObject external references URL
SEKOIAIntelligenceCenter.items.objects.capabilitiesStringMalware capabilities
SEKOIAIntelligenceCenter.items.objects.malware_typesStringMalware type
SEKOIAIntelligenceCenter.items.objects.implementation_languagesStringMalware implementation languages
SEKOIAIntelligenceCenter.items.objects.descriptionStringItem description
SEKOIAIntelligenceCenter.items.objects.stop_timeDateStop time date
SEKOIAIntelligenceCenter.items.objects.relationship_typeStringSTIX object relationship type
SEKOIAIntelligenceCenter.items.objects.target_refStringTarget reference UUID
SEKOIAIntelligenceCenter.items.objects.source_refStringSource reference UUID
SEKOIAIntelligenceCenter.items.objects.start_timeDateObject start time
SEKOIAIntelligenceCenter.items.objects.x_ic_is_sectorBooleanIs the object a sector
SEKOIAIntelligenceCenter.items.objects.contact_informationStringObject contact information
SEKOIAIntelligenceCenter.items.objects.x_ic_is_sourceBooleanIs the object a source
SEKOIAIntelligenceCenter.items.objects.sectorsStringAssociated sectors
SEKOIAIntelligenceCenter.items.objects.identity_classStringObject identity class
SEKOIAIntelligenceCenter.items.objects.definition_typeStringObject definition type
SEKOIAIntelligenceCenter.items.objects.definition.tlpStringTLP type
SEKOIAIntelligenceCenter.has_moreBooleanIs more information available
IP.AddressStringIP address
DBotScore.IndicatorStringThe indicator name.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
File.MD5StringThe MD5 hash of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.

Command example#

!GetIndicatorContext value="eicar@sekoia.io" type="email-addr"

Context Example#

{
"SEKOIAIO": {
"IndicatorContext": {
"indicator": {
"type": "email-addr",
"value": "eicar@sekoia.io"
},
"items": [
{
"id": "bundle--31cfcb98-e910-44b2-8c7b-f87b581490c0",
"objects": [
{
"created": "2020-05-25T07:18:29.384153Z",
"created_by_ref": "identity--357447d7-9229-4ce1-b7fa-f1b83587048e",
"description": "SEKOIA EICAR unit is known to have used in the past this email address to distribute EICAR dropper during phishing campaign.\n",
"id": "indicator--d394449b-6bc7-4d48-b392-6f898190bd2a",
"indicator_types": [
"benign"
],
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "delivery"
}
],
"lang": "en",
"modified": "2020-06-02T13:29:24.940899Z",
"name": "eicar@sekoia.io",
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
"pattern": "[email-addr:value = 'eicar@sekoia.io']",
"pattern_type": "stix",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2020-05-25T07:18:01.809Z",
"valid_until": "2022-11-20T23:00:00.000Z",
"x_ic_deprecated": false,
"x_ic_is_in_flint": false,
"x_ic_observable_types": [
"email-addr"
],
"x_inthreat_sources_refs": [
"identity--357447d7-9229-4ce1-b7fa-f1b83587048e"
]
},
{
"aliases": [
"EICAR",
"TEST EICAR SEKOIA.IO",
"EICAR Unit of SEKOIA"
],
"created": "2020-05-26T13:18:26.429787Z",
"created_by_ref": "identity--357447d7-9229-4ce1-b7fa-f1b83587048e",
"description": "This Intrusion Set is known to be operated by SEKOIA by its EICAR unit. This unit aims at creating fictitious environment mimicking real attackers to present how threat intelligence can help real organizations to protect themselves.\n",
"external_references": [
{
"description": "",
"source_name": "SEKOIA",
"url": "www.sekoia.fr"
}
],
"goals": [
"Simulation of real Threat Actor for Test purpose"
],
"id": "intrusion-set--4d1fd514-d9a4-45f3-988a-d811df72df2f",
"lang": "en",
"modified": "2020-06-02T13:28:51.131904Z",
"more_info": "[More info about EICAR Unit of SEKOIA on SEKOIA.IO](https://app.sekoia.io/intelligence/objects/intrusion-set--4d1fd514-d9a4-45f3-988a-d811df72df2f)",
"name": "EICAR Unit of SEKOIA",
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
"resource_level": "organization",
"revoked": false,
"spec_version": "2.1",
"type": "intrusion-set",
"x_ic_deprecated": false,
"x_ic_is_in_flint": false,
"x_inthreat_sources_refs": [
"identity--357447d7-9229-4ce1-b7fa-f1b83587048e"
]
},
{
"created": "2020-05-26T13:24:33.119462Z",
"created_by_ref": "identity--357447d7-9229-4ce1-b7fa-f1b83587048e",
"id": "relationship--4b0306ef-f021-48b4-81e1-8de6c2cf1179",
"lang": "en",
"modified": "2020-05-29T09:00:40.635897Z",
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
"relationship_type": "indicates",
"revoked": false,
"source_ref": "indicator--d394449b-6bc7-4d48-b392-6f898190bd2a",
"spec_version": "2.1",
"start_time": "2020-05-25T07:18:01.809Z",
"stop_time": "2022-11-20T23:00:00.000Z",
"target_ref": "intrusion-set--4d1fd514-d9a4-45f3-988a-d811df72df2f",
"type": "relationship",
"x_ic_deprecated": false,
"x_ic_is_in_flint": false,
"x_inthreat_sources_refs": [
"identity--357447d7-9229-4ce1-b7fa-f1b83587048e"
]
},
{
"confidence": 95,
"contact_information": "threatintel@sekoia.fr",
"created": "2008-01-01T00:00:00Z",
"created_by_ref": "identity--357447d7-9229-4ce1-b7fa-f1b83587048e",
"description": "SEKOIA is a French company which applies intelligence-driven cybersecurity",
"external_references": [
{
"source_name": "SEKOIA website",
"url": "https://www.sekoia.fr"
}
],
"id": "identity--357447d7-9229-4ce1-b7fa-f1b83587048e",
"identity_class": "organization",
"lang": "en",
"modified": "2019-09-30T07:54:40.149166Z",
"name": "SEKOIA",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity",
"x_ic_deprecated": false,
"x_ic_is_in_flint": true,
"x_ic_is_sector": false,
"x_ic_is_source": true
},
{
"created": "2019-10-09T16:10:07.239899Z",
"definition": {
"tlp": "green"
},
"definition_type": "tlp",
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
"name": "TLP:GREEN",
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
"spec_version": "2.1",
"type": "marking-definition",
"x_ic_deprecated": false
},
{
"created": "2019-10-31T16:57:02.018068Z",
"definition": {
"tlp": "white"
},
"definition_type": "tlp",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"name": "TLP:WHITE",
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
"spec_version": "2.1",
"type": "marking-definition",
"x_ic_deprecated": false
}
],
"type": "bundle"
}
]
}
}
}

Human Readable Output#

Indicator eicar@sekoia.io is linked to the following:#

namedescriptiontypealiasesgoalsrevokedcreatedmodifiedmore_info
EICAR Unit of SEKOIAThis Intrusion Set is known to be operated by SEKOIA by its EICAR unit. This unit aims at creating fictitious environment mimicking real attackers to present how threat intelligence can help real organizations to protect themselves.
intrusion-setEICAR,
TEST EICAR SEKOIA.IO,
EICAR Unit of SEKOIA
Simulation of real Threat Actor for Test purposefalse2020-05-26T13:18:26.429787Z2020-06-02T13:28:51.131904ZMore info about EICAR Unit of SEKOIA on SEKOIA.IO