
SOCRadar ThreatFusion

This integration is part of the SOCRadar Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Enrich indicators with enhanced information and reputation scores from SOCRadar ThreatFusion. This integration was integrated and tested with version 1.0 of SOCRadarThreatFusion.

Configure SOCRadarThreatFusion on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for SOCRadarThreatFusion.

  3. Click Add instance to create and configure a new integration instance.

     | Parameter | Description | Required |
     | --- | --- | --- |
     | API Key | The API key used to connect to the SOCRadar ThreatFusion API. | True |
     | insecure | Trust any certificate (not secure). | False |
     | proxy | Whether to use XSOAR’s system proxy settings to connect to the API. | False |

  4. Click Test to validate the API key and the connection to the SOCRadar ThreatFusion API.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

How to obtain a SOCRadar ThreatFusion API key

To obtain your SOCRadar ThreatFusion API key, contact the SOCRadar operation team at operation@socradar.io.

After obtaining the API key, enter it in the API Key field and create the instance to start using the SOCRadar ThreatFusion integration.

ip

Scores the reputation of the provided IP entities in SOCRadar ThreatFusion.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP entities to score (IPv4 or IPv6). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SOCRadarThreatFusion.Reputation.IP.Risk Score | Number | Reputation score of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Score Details | JSON | Risk score details of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Total Encounters | Number | Number of times that SOCRadar has encountered the queried IP address in its threat sources. |
| SOCRadarThreatFusion.Reputation.IP.IP | String | Queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.asn | String | ASN field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.asn_cidr | String | ASN CIDR field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.asn_country_code | String | ASN country code field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.asn_date | Date | ASN date field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.asn_description | String | ASN description field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.asn_registry | String | ASN registry field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.address | String | Nets > address field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.cidr | String | Nets > CIDR field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.city | String | Nets > city field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.country | String | Nets > country field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.created | String | Nets > created field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.description | String | Nets > description field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.emails | String | Nets > emails field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.handle | String | Nets > handle field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.name | String | Nets > name field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.postal_code | Number | Nets > postal code field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.range | String | Nets > range field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.state | String | Nets > state field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.updated | Date | Nets > updated field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nir | String | NIR field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.query | String | Query field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.raw_referral | String | Raw referral field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.referral | String | Referral field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.DNS Details | JSON | DNS information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.ASN | Number | ASN field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.AsnCode | Number | ASN code field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.AsnName | String | ASN name field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.Cidr | String | CIDR field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.CityName | String | City name field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.CountryCode | String | Country code field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.CountryName | String | Country name field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.Latitude | Number | Latitude field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.Longitude | Number | Longitude field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.RegionName | String | Region name field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.Timezone | String | Timezone field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.ZipCode | String | Zip code field of the geographical location information of the queried IP address. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the indicator score. |
| IP.Address | String | IP address. |
| IP.ASN | String | The autonomous system name for the IP address, for example: "AS8948". |
| IP.Geo.Location | String | The geolocation where the IP address is located, in the format: latitude:longitude. |
| IP.Geo.Country | String | The country in which the IP address is located. |

Command Example

!ip ip="1.1.1.1"

Context Example

{
"DBotScore": {
"Indicator": "1.1.1.1",
"Score": 1,
"Type": "ip",
"Vendor": "SOCRadar ThreatFusion"
},
"IP": {
"ASN": "[13335] CLOUDFLARENET, US",
"Address": "1.1.1.1",
"Geo": {
"Country": "US",
"Location": "0.0:0.0"
},
"Region": "California"
},
"SOCRadarThreatFusion": {
"Reputation": {
"IP": {
"DNS Details": {
"PTR": [
"one.one.one.one"
]
},
"Geo Location": {
"ASN": "[13335] CLOUDFLARENET, US",
"AsnCode": 13335,
"AsnName": "CloudFlare Inc",
"Cidr": "1.1.1.0/24",
"CityName": "Los Angeles",
"CountryCode": "US",
"CountryName": "United States of America",
"Latitude": 0.0,
"Longitude": 0.0,
"RegionName": "California",
"Timezone": "-07:00",
"ZipCode": "90001"
},
"IP": "1.1.1.1",
"Risk Score (Out of 1000)": 0,
"Score Details": {},
"Total Encounters": 0,
"Whois Details": {
"asn": "13335",
"asn_cidr": "1.1.1.0/24",
"asn_country_code": "AU",
"asn_date": "2011-08-11",
"asn_description": "CLOUDFLARENET, US",
"asn_registry": "apnic",
"nets": [
{
"address": "PO Box 3646\nSouth Brisbane, QLD 4101\nAustralia",
"cidr": "1.1.1.0/24",
"city": null,
"country": "AU",
"created": null,
"description": "APNIC and Cloudflare DNS Resolver project\nRouted globally by AS13335/Cloudflare\nResearch prefix for APNIC Labs",
"emails": [
"resolver-abuse@cloudflare.com"
],
"handle": "AA1412-AP",
"name": "APNIC-LABS",
"postal_code": null,
"range": "1.1.1.0 - 1.1.1.255",
"state": null,
"updated": null
},
{
"address": null,
"cidr": "1.1.1.0/24",
"city": null,
"country": null,
"created": null,
"description": "APNIC Research and Development\n 6 Cordelia St",
"emails": null,
"handle": null,
"name": null,
"postal_code": null,
"range": "1.1.1.0 - 1.1.1.255",
"state": null,
"updated": null
}
],
"nir": null,
"query": "1.1.1.1",
"raw_referral": null,
"referral": null
}
}
}
}
}
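The Context Example above shows two views of the same result: the vendor-specific SOCRadarThreatFusion.Reputation.IP object and the standard XSOAR IP and DBotScore entries derived from it. The following is an added example, not code from the integration or this page, that reproduces that derivation so the mapping is explicit: IP.Address comes from IP, IP.ASN and IP.Region from the Geo Location block, IP.Geo.Country from CountryCode and IP.Geo.Location from Latitude:Longitude. The input dictionary is copied from the Context Example; the function names are this example's own, and the numeric DBotScore is passed in by the caller because the page does not state how the 0 to 1000 risk score maps onto it.

```python
"""Added example (not the integration's own code): build the standard Cortex XSOAR
IP and DBotScore context from a SOCRadar ThreatFusion IP reputation object."""

from typing import Any, Dict

VENDOR = "SOCRadar ThreatFusion"  # Vendor string shown in the page's DBotScore example

# Constructed input: the SOCRadarThreatFusion.Reputation.IP object from the
# Context Example, trimmed to the fields the mapping uses.
THREATFUSION_IP: Dict[str, Any] = {
    "IP": "1.1.1.1",
    "Risk Score (Out of 1000)": 0,
    "Score Details": {},
    "Total Encounters": 0,
    "Geo Location": {
        "ASN": "[13335] CLOUDFLARENET, US",
        "AsnCode": 13335,
        "AsnName": "CloudFlare Inc",
        "Cidr": "1.1.1.0/24",
        "CityName": "Los Angeles",
        "CountryCode": "US",
        "CountryName": "United States of America",
        "Latitude": 0.0,
        "Longitude": 0.0,
        "RegionName": "California",
        "Timezone": "-07:00",
        "ZipCode": "90001",
    },
}


def to_standard_ip_context(rep: Dict[str, Any]) -> Dict[str, Any]:
    """Build the 'IP' standard context entry from a ThreatFusion reputation object.

    Field mapping, taken from the page's Context Example:
      IP.Address      <- IP
      IP.ASN          <- Geo Location.ASN
      IP.Geo.Country  <- Geo Location.CountryCode
      IP.Geo.Location <- "<Latitude>:<Longitude>"
      IP.Region       <- Geo Location.RegionName
    Geo fields that are absent are left out rather than filled with placeholders,
    so an address with no geo data yields only IP.Address.
    """
    geo = rep.get("Geo Location") or {}
    ctx: Dict[str, Any] = {"Address": rep["IP"]}
    if geo.get("ASN") is not None:
        ctx["ASN"] = geo["ASN"]
    geo_ctx: Dict[str, Any] = {}
    if geo.get("CountryCode"):
        geo_ctx["Country"] = geo["CountryCode"]
    lat, lon = geo.get("Latitude"), geo.get("Longitude")
    if lat is not None and lon is not None:
        geo_ctx["Location"] = f"{lat}:{lon}"
    if geo_ctx:
        ctx["Geo"] = geo_ctx
    if geo.get("RegionName"):
        ctx["Region"] = geo["RegionName"]
    return ctx


def to_dbot_score(rep: Dict[str, Any], score: int) -> Dict[str, Any]:
    """Build the DBotScore entry. 'score' is supplied by the caller: the page
    does not document how the ThreatFusion risk score maps to a DBotScore."""
    return {"Indicator": rep["IP"], "Type": "ip", "Vendor": VENDOR, "Score": score}


def build_context(rep: Dict[str, Any], dbot_score: int = 1) -> Dict[str, Any]:
    """Assemble the two standard entries shown in the page's Context Example."""
    return {"DBotScore": to_dbot_score(rep, dbot_score), "IP": to_standard_ip_context(rep)}


if __name__ == "__main__":
    import json
    print(json.dumps(build_context(THREATFUSION_IP), indent=2))
```

Run stand-alone it prints the DBotScore and IP entries exactly as they appear in the Context Example; the same functions can be applied to the socradar-score-ip output further down, which carries the identical Geo Location block.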

Human Readable Output

SOCRadar - Analysis results for IP: 1.1.1.1

DNS Details:
    PTR: one.one.one.one
Geo Location:
    Cidr: 1.1.1.0/24
    AsnCode: 13335
    AsnName: CloudFlare Inc
    ZipCode: 90001
    CityName: Los Angeles
    Latitude: 0.0
    Timezone: -07:00
    Longitude: 0.0
    RegionName: California
    CountryCode: US
    CountryName: United States of America
    ASN: [13335] CLOUDFLARENET, US
IP: 1.1.1.1
Risk Score (Out of 1000): 0
Score Details: (empty)
Total Encounters: 0
Whois Details:
    asn: 13335
    nir: null
    nets: {'cidr': '1.1.1.0/24', 'city': None, 'name': 'APNIC-LABS', 'range': '1.1.1.0 - 1.1.1.255', 'state': None, 'emails': ['resolver-abuse@cloudflare.com'], 'handle': 'AA1412-AP', 'address': 'PO Box 3646\nSouth Brisbane, QLD 4101\nAustralia', 'country': 'AU', 'created': None, 'updated': None, 'description': 'APNIC and Cloudflare DNS Resolver project\nRouted globally by AS13335/Cloudflare\nResearch prefix for APNIC Labs', 'postal_code': None},
          {'cidr': '1.1.1.0/24', 'city': None, 'name': None, 'range': '1.1.1.0 - 1.1.1.255', 'state': None, 'emails': None, 'handle': None, 'address': None, 'country': None, 'created': None, 'updated': None, 'description': 'APNIC Research and Development\n 6 Cordelia St', 'postal_code': None}
    query: 1.1.1.1
    asn_cidr: 1.1.1.0/24
    asn_date: 2011-08-11
    referral: null
    asn_registry: apnic
    raw_referral: null
    asn_description: CLOUDFLARENET, US
    asn_country_code: AU

domain

Scores the reputation of the provided domain entities in SOCRadar ThreatFusion.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain entities to score. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SOCRadarThreatFusion.Reputation.Domain.Risk Score | Number | Reputation score of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Score Details | JSON | Risk score details of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Total Encounters | Number | Number of times that SOCRadar has encountered the queried domain in its threat sources. |
| SOCRadarThreatFusion.Reputation.Domain.Domain | String | Queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.org | String | Org field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.city | String | City field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.name | String | Name field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.state | String | State field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.dnssec | String | DNSSEC field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.emails | String | Emails field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.status | String | Status field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.address | String | Address field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.country | String | Country field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.zipcode | Number | Zip code field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.registrar | String | Registrar field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.domain_name | String | Domain name field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.name_servers | String | Name servers field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.referral_url | String | Referral URL field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.updated_date | Date | Updated date field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.whois_server | String | Whois server field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.creation_date | Date | Creation date field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.expiration_date | Date | Expiration date field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.DNS Details | String | DNS information of the queried domain. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the indicator score. |
| Domain.Name | String | The domain name, for example: "google.com". |
| Domain.DNS | String | A list of IP objects resolved by DNS. |
| Domain.CreationDate | Date | The date that the domain was created. |
| Domain.UpdatedDate | String | The date that the domain was last updated. |
| Domain.ExpirationDate | Date | The expiration date of the domain. |
| Domain.NameServers | Unknown | (List<String>) Name servers of the domain. |
| Domain.Organization | String | The organization of the domain. |
| Domain.Registrant.Name | String | The name of the registrant. |
| Domain.WHOIS.CreationDate | Date | The date that the domain was created. |
| Domain.WHOIS.UpdatedDate | Date | The date that the domain was last updated. |
| Domain.WHOIS.ExpirationDate | Date | The expiration date of the domain. |
| Domain.WHOIS.NameServers | String | (List<String>) Name servers of the domain. |
| Domain.WHOIS.Registrant.Name | String | The name of the registrant. |
| Domain.WHOIS.Registrar.Name | String | The name of the registrar, for example: "GoDaddy". |
| Domain.Geo.Country | String | The country in which the domain address is located. |
| Domain.Subdomains | Unknown | (List<String>) Subdomains of the domain. |
| Domain.Registrant.Country | String | The country of the registrant. |

Command Example

!domain domain="paloaltonetworks.com"

Context Example

{
"DBotScore": {
"Indicator": "paloaltonetworks.com",
"Score": 1,
"Type": "domain",
"Vendor": "SOCRadar ThreatFusion"
},
"Domain": {
"CreationDate": "Mon, 21 Feb 2005 02:42:10 GMT",
"DNS": "1.1.1.1",
"ExpirationDate": "Wed, 21 Feb 2024 02:42:10 GMT",
"Geo": {
"Country": "US"
},
"Name": "paloaltonetworks.com",
"NameServers": [
"ns record"
],
"Organization": "Palo Alto Networks, Inc.",
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "MarkMonitor Inc."
},
"UpdatedDate": "Thu, 01 Jul 2021 00:32:38 GMT",
"WHOIS": {
"CreationDate": "Mon, 21 Feb 2005 02:42:10 GMT",
"ExpirationDate": "Wed, 21 Feb 2024 02:42:10 GMT",
"NameServers": [
"ns record"
],
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "MarkMonitor Inc."
},
"UpdatedDate": "Thu, 01 Jul 2021 00:32:38 GMT"
}
},
"SOCRadarThreatFusion": {
"Reputation": {
"Domain": {
"DNS Details": {
"A": [
"1.1.1.1"
],
"MX": [
"mx record"
],
"NS": [
"ns record"
],
"SOA": [
"domains.paloaltonetworks.com. 1627343953 3600 600 604800 3600"
],
"TXT": [
"txt record"
]
},
"Domain": "paloaltonetworks.com",
"Risk Score (Out of 1000)": 0,
"Score Details": {},
"Subdomains": [],
"Total Encounters": 0,
"Whois Details": {
"address": null,
"city": null,
"country": "US",
"creation_date": "Mon, 21 Feb 2005 02:42:10 GMT",
"dnssec": "signedDelegation",
"domain_name": "PALOALTONETWORKS.COM",
"emails": [
"abusecomplaints@markmonitor.com",
"whoisrequest@markmonitor.com"
],
"expiration_date": "Wed, 21 Feb 2024 02:42:10 GMT",
"name": null,
"name_servers": [
"ns record"
],
"org": "Palo Alto Networks, Inc.",
"referral_url": null,
"registrar": "MarkMonitor Inc.",
"state": "CA",
"status": [
"clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
"clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
"clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
"clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
"clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)",
"clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited"
],
"updated_date": "Thu, 01 Jul 2021 00:32:38 GMT",
"whois_server": "whois.markmonitor.com",
"zipcode": null
}
}
}
}
}
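The Whois Details block in the Context Example above is returned as raw registry strings: RFC 2822 style timestamps, and a status list in which each EPP code appears twice with differently formatted ICANN URLs. An analyst triaging a domain usually wants the values these encode (registration age, time to expiry, whether registrar locks are set, whether DNSSEC is signed) rather than the strings. The following is an added example, not code from the integration or this page, that normalises that block; the input is copied from the Context Example, while the function names and the fixed reference instant REFERENCE_NOW are this example's own.

```python
"""Added example (not the integration's own code): turn the Whois Details object
returned by the domain command into triage-friendly values."""

import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Any, Dict, Iterable, Optional, Set

# Constructed input: the 'Whois Details' object from the domain Context Example.
WHOIS_DETAILS: Dict[str, Any] = {
    "creation_date": "Mon, 21 Feb 2005 02:42:10 GMT",
    "expiration_date": "Wed, 21 Feb 2024 02:42:10 GMT",
    "updated_date": "Thu, 01 Jul 2021 00:32:38 GMT",
    "dnssec": "signedDelegation",
    "registrar": "MarkMonitor Inc.",
    "status": [
        "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
        "clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
        "clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
        "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
        "clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)",
        "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
    ],
}

# Constructed reference instant so the results are reproducible; a caller would
# pass datetime.now(timezone.utc) instead.
REFERENCE_NOW = datetime(2021, 7, 27, 12, 0, tzinfo=timezone.utc)

# The EPP status code is the leading word of each status string; the trailing
# ICANN URL, with or without parentheses or "www.", is decoration.
_EPP_CODE = re.compile(r"^\s*([A-Za-z]+)")


def normalize_epp_status(status: Optional[Iterable[str]]) -> Set[str]:
    """Return the distinct EPP status codes from the raw 'status' list."""
    codes: Set[str] = set()
    for entry in status or []:
        m = _EPP_CODE.match(entry)
        if m:
            codes.add(m.group(1))
    return codes


def parse_whois_date(value: Optional[str]) -> Optional[datetime]:
    """Parse timestamps like 'Mon, 21 Feb 2005 02:42:10 GMT'; None if absent or unparsable."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    # The page's timestamps carry "GMT"; treat a naive result as UTC as well.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def whois_triage(whois: Dict[str, Any], now: datetime) -> Dict[str, Any]:
    """Summarise registration age, time to expiry, registrar locks and DNSSEC."""
    created = parse_whois_date(whois.get("creation_date"))
    expires = parse_whois_date(whois.get("expiration_date"))
    codes = normalize_epp_status(whois.get("status"))
    return {
        "age_days": (now - created).days if created else None,
        "days_to_expiry": (expires - now).days if expires else None,
        "epp_status": sorted(codes),
        # Transfer and update locks at the registrar raise the bar for hijacking
        # the registration; their absence on a long-lived domain is worth noting.
        "registrar_locked": {"clientTransferProhibited", "clientUpdateProhibited"} <= codes,
        "dnssec_signed": whois.get("dnssec") == "signedDelegation",
        "registrar": whois.get("registrar"),
    }


def triage_example() -> Dict[str, Any]:
    """Run the triage over the page's sample at the constructed reference instant."""
    return whois_triage(WHOIS_DETAILS, REFERENCE_NOW)


if __name__ == "__main__":
    for key, value in triage_example().items():
        print(f"{key}: {value}")
```

With the page's sample the six status strings collapse to three codes, the domain is about 6000 days old at the reference instant, and both registrar locks and DNSSEC signing are present. A missing or malformed date yields None rather than an exception, so the same function can run over every domain in a playbook loop.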

Human Readable Output

SOCRadar - Analysis results for domain: paloaltonetworks.com

DNS Details:
    A: 1.1.1.1
    MX: mx record
    NS: ns record
    SOA: domains.paloaltonetworks.com. 1627343953 3600 600 604800 3600
    TXT: txt record
Domain: paloaltonetworks.com
Risk Score (Out of 1000): 0
Score Details: (empty)
Subdomains: (empty)
Total Encounters: 0
Whois Details:
    org: Palo Alto Networks, Inc.
    city: null
    name: null
    state: CA
    dnssec: signedDelegation
    emails: abusecomplaints@markmonitor.com,
            whoisrequest@markmonitor.com
    status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited,
            clientTransferProhibited https://icann.org/epp#clientTransferProhibited,
            clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited,
            clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited),
            clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited),
            clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
    address: null
    country: US
    zipcode: null
    registrar: MarkMonitor Inc.
    domain_name: PALOALTONETWORKS.COM
    name_servers: ns record
    referral_url: null
    updated_date: Thu, 01 Jul 2021 00:32:38 GMT
    whois_server: whois.markmonitor.com
    creation_date: Mon, 21 Feb 2005 02:42:10 GMT
    expiration_date: Wed, 21 Feb 2024 02:42:10 GMT

file

Scores the reputation of the provided hash entities in SOCRadar ThreatFusion.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | Hash entities to score (MD5 or SHA1). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SOCRadarThreatFusion.Reputation.Hash.Risk Score | Number | Reputation score of the queried hash. |
| SOCRadarThreatFusion.Reputation.Hash.Score Details | JSON | Risk score details of the queried hash. |
| SOCRadarThreatFusion.Reputation.Hash.Total Encounters | Number | Number of times that SOCRadar has encountered the queried hash in its threat sources. |
| SOCRadarThreatFusion.Reputation.Hash.File | String | Queried hash. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the indicator score. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |

Command Example

!file file="3b7b359ea17ac76341957573e332a2d6bcac363401ac71c8df94dac93df6d792"

Context Example

{
"DBotScore": {
"Indicator": "3b7b359ea17ac76341957573e332a2d6bcac363401ac71c8df94dac93df6d792",
"Score": 1,
"Type": "file",
"Vendor": "SOCRadar ThreatFusion"
},
"File": {
"MD5": "3b7b359ea17ac76341957573e332a2d6bcac363401ac71c8df94dac93df6d792"
},
"SOCRadarThreatFusion": {
"Reputation": {
"Hash": {
"File": "3b7b359ea17ac76341957573e332a2d6bcac363401ac71c8df94dac93df6d792",
"Risk Score (Out of 1000)": 360,
"Score Details": {
"Maldatabase": 360
},
"Total Encounters": 1
}
}
}
}
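The Input table documents the file argument as an MD5 or SHA1 digest, and the standard File context has separate MD5 and SHA1 keys, so the digest type has to be known before the result is written to context. The following is an added example, not code from the integration or this page, of the check a playbook author would put in front of the command: classify a hex digest by its length and populate the File entry under the matching key, refusing values that are not a recognised digest. The hash and reputation block are copied from the example above; the length table and the function names are this example's own assumptions.

```python
"""Added example (not the integration's own code): classify a digest by length
before populating the File standard context for a ThreatFusion hash result."""

import re
from typing import Any, Dict, Optional

VENDOR = "SOCRadar ThreatFusion"  # Vendor string shown in the page's DBotScore example

# Hex digest lengths of common algorithms (this example's assumption, not from the page).
HASH_TYPES_BY_LENGTH = {32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed input: the hash from the page's Command Example and its reputation block.
SAMPLE_HASH = "3b7b359ea17ac76341957573e332a2d6bcac363401ac71c8df94dac93df6d792"
THREATFUSION_HASH: Dict[str, Any] = {
    "File": SAMPLE_HASH,
    "Risk Score (Out of 1000)": 360,
    "Score Details": {"Maldatabase": 360},
    "Total Encounters": 1,
}


def hash_type(value: str) -> Optional[str]:
    """Return 'MD5', 'SHA1', 'SHA256' or 'SHA512' for a hex digest, else None."""
    v = value.strip()
    if not _HEX.match(v):
        return None
    return HASH_TYPES_BY_LENGTH.get(len(v))


def accepted_by_file_command(value: str) -> bool:
    """True when the digest is of a type the page documents for the file argument."""
    return hash_type(value) in ("MD5", "SHA1")


def build_file_context(rep: Dict[str, Any], dbot_score: int) -> Dict[str, Any]:
    """Build DBotScore, File and vendor context entries keyed by the detected digest type.

    'dbot_score' is supplied by the caller because the page does not state how the
    0 to 1000 risk score maps onto a DBotScore. A value that is not a recognised
    hex digest raises ValueError instead of being filed under the wrong File.* key.
    """
    digest = rep["File"]
    kind = hash_type(digest)
    if kind is None:
        raise ValueError(f"unrecognised hash value: {digest!r}")
    return {
        "DBotScore": {"Indicator": digest, "Type": "file", "Vendor": VENDOR, "Score": dbot_score},
        "File": {kind: digest.lower()},
        "SOCRadarThreatFusion": {"Reputation": {"Hash": rep}},
    }


def is_valid_hash_input(rep: Dict[str, Any]) -> bool:
    """Convenience wrapper so callers can test a reputation object without catching exceptions."""
    return hash_type(rep.get("File", "")) is not None


if __name__ == "__main__":
    import json
    print("accepted by file command:", accepted_by_file_command(SAMPLE_HASH))
    print(json.dumps(build_file_context(THREATFUSION_HASH, 1), indent=2))
```

For the page's 64 character sample the classifier returns SHA256, so accepted_by_file_command is False and build_file_context writes File.SHA256 rather than File.MD5; a 32 or 40 character digest lands under File.MD5 or File.SHA1 as the Context Output table documents.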

Human Readable Output

SOCRadar - Analysis results for hash: 3b7b359ea17ac76341957573e332a2d6bcac363401ac71c8df94dac93df6d792

| File | Risk Score (Out of 1000) | Score Details | Total Encounters |
| --- | --- | --- | --- |
| 3b7b359ea17ac76341957573e332a2d6bcac363401ac71c8df94dac93df6d792 | 360.0 | Maldatabase: 360.0 | 1 |

socradar-score-ip

Scores the reputation of the provided IP entity in SOCRadar ThreatFusion.

Base Command

socradar-score-ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP entity to score (IPv4 or IPv6). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SOCRadarThreatFusion.Reputation.IP.Risk Score | Number | Reputation score of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Score Details | JSON | Risk score details of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Total Encounters | Number | Number of times that SOCRadar has encountered the queried IP address in its threat sources. |
| SOCRadarThreatFusion.Reputation.IP.IP | String | Queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.asn | String | ASN field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.asn_cidr | String | ASN CIDR field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.asn_country_code | String | ASN country code field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.asn_date | Date | ASN date field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.asn_description | String | ASN description field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.asn_registry | String | ASN registry field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.address | String | Nets > address field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.cidr | String | Nets > CIDR field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.city | String | Nets > city field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.country | String | Nets > country field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.created | String | Nets > created field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.description | String | Nets > description field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.emails | String | Nets > emails field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.handle | String | Nets > handle field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.name | String | Nets > name field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.postal_code | Number | Nets > postal code field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.range | String | Nets > range field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.state | String | Nets > state field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nets.updated | Date | Nets > updated field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.nir | String | NIR field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.query | String | Query field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.raw_referral | String | Raw referral field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Whois Details.referral | String | Referral field of the Whois information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.DNS Details | JSON | DNS information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.ASN | Number | ASN field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.AsnCode | Number | ASN code field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.AsnName | String | ASN name field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.Cidr | String | CIDR field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.CityName | String | City name field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.CountryCode | String | Country code field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.CountryName | String | Country name field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.Latitude | Number | Latitude field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.Longitude | Number | Longitude field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.RegionName | String | Region name field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.Timezone | String | Timezone field of the geographical location information of the queried IP address. |
| SOCRadarThreatFusion.Reputation.IP.Geo Location.ZipCode | String | Zip code field of the geographical location information of the queried IP address. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the indicator score. |

Command Example

!socradar-score-ip ip="1.1.1.1"

Context Example

{
"SOCRadarThreatFusion": {
"Reputation": {
"IP": {
"DBotScore": {
"Indicator": "1.1.1.1",
"Score": 1,
"Type": "ip",
"Vendor": "SOCRadar ThreatFusion"
},
"DNS Details": {
"PTR": [
"one.one.one.one"
]
},
"Geo Location": {
"ASN": "[13335] CLOUDFLARENET, US",
"AsnCode": 13335,
"AsnName": "CloudFlare Inc",
"Cidr": "1.1.1.0/24",
"CityName": "Los Angeles",
"CountryCode": "US",
"CountryName": "United States of America",
"Latitude": 0.0,
"Longitude": 0.0,
"RegionName": "California",
"Timezone": "-07:00",
"ZipCode": "90001"
},
"IP": "1.1.1.1",
"Risk Score (Out of 1000)": 0,
"Score Details": {},
"Total Encounters": 0,
"Whois Details": {
"asn": "13335",
"asn_cidr": "1.1.1.0/24",
"asn_country_code": "AU",
"asn_date": "2011-08-11",
"asn_description": "CLOUDFLARENET, US",
"asn_registry": "apnic",
"nets": [
{
"address": "PO Box 3646\nSouth Brisbane, QLD 4101\nAustralia",
"cidr": "1.1.1.0/24",
"city": null,
"country": "AU",
"created": null,
"description": "APNIC and Cloudflare DNS Resolver project\nRouted globally by AS13335/Cloudflare\nResearch prefix for APNIC Labs",
"emails": [
"resolver-abuse@cloudflare.com"
],
"handle": "AA1412-AP",
"name": "APNIC-LABS",
"postal_code": null,
"range": "1.1.1.0 - 1.1.1.255",
"state": null,
"updated": null
},
{
"address": null,
"cidr": "1.1.1.0/24",
"city": null,
"country": null,
"created": null,
"description": "APNIC Research and Development\n 6 Cordelia St",
"emails": null,
"handle": null,
"name": null,
"postal_code": null,
"range": "1.1.1.0 - 1.1.1.255",
"state": null,
"updated": null
}
],
"nir": null,
"query": "1.1.1.1",
"raw_referral": null,
"referral": null
}
}
}
}
}

Human Readable Output

SOCRadar - Analysis results for IP: 1.1.1.1

DNS Details:
    PTR: one.one.one.one
Geo Location:
    AsnCode: 13335
    AsnName: CloudFlare Inc
    Cidr: 1.1.1.0/24
    CityName: Los Angeles
    CountryCode: US
    CountryName: United States of America
    ASN: [13335] CLOUDFLARENET, US
    Latitude: 0.0
    Longitude: 0.0
    RegionName: California
    Timezone: -07:00
    ZipCode: 90001
IP: 1.1.1.1
Risk Score (Out of 1000): 0
Score Details: (empty)
Total Encounters: 0
Whois Details:
    asn: 13335
    asn_cidr: 1.1.1.0/24
    asn_country_code: AU
    asn_date: 2011-08-11
    asn_description: CLOUDFLARENET, US
    asn_registry: apnic
    nets: {'address': 'PO Box 3646\nSouth Brisbane, QLD 4101\nAustralia', 'cidr': '1.1.1.0/24', 'city': None, 'country': 'AU', 'created': None, 'description': 'APNIC and Cloudflare DNS Resolver project\nRouted globally by AS13335/Cloudflare\nResearch prefix for APNIC Labs', 'emails': ['resolver-abuse@cloudflare.com'], 'handle': 'AA1412-AP', 'name': 'APNIC-LABS', 'postal_code': None, 'range': '1.1.1.0 - 1.1.1.255', 'state': None, 'updated': None},
          {'address': None, 'cidr': '1.1.1.0/24', 'city': None, 'country': None, 'created': None, 'description': 'APNIC Research and Development\n 6 Cordelia St', 'emails': None, 'handle': None, 'name': None, 'postal_code': None, 'range': '1.1.1.0 - 1.1.1.255', 'state': None, 'updated': None}
    nir: null
    query: 1.1.1.1
    raw_referral: null
    referral: null

socradar-score-domain

Scores the reputation of the provided domain entity in SOCRadar ThreatFusion.

Base Command

socradar-score-domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain entity to score. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SOCRadarThreatFusion.Reputation.Domain.Risk Score | Number | Reputation score of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Score Details | JSON | Risk score details of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Total Encounters | Number | Number of times that SOCRadar has encountered the queried domain in its threat sources. |
| SOCRadarThreatFusion.Reputation.Domain.Domain | String | Queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.org | String | Org field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.city | String | City field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.name | String | Name field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.state | String | State field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.dnssec | String | DNSSEC field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.emails | String | Emails field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.status | String | Status field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.address | String | Address field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.country | String | Country field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.zipcode | Number | Zip code field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.registrar | String | Registrar field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.domain_name | String | Domain name field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.name_servers | String | Name servers field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.referral_url | String | Referral URL field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.updated_date | Date | Updated date field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.whois_server | String | Whois server field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.creation_date | Date | Creation date field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.Whois Details.expiration_date | Date | Expiration date field of the Whois information of the queried domain. |
| SOCRadarThreatFusion.Reputation.Domain.DNS Details | String | DNS information of the queried domain. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the indicator score. |

Command Example

!socradar-score-domain domain="paloaltonetworks.com"

Context Example

{
"SOCRadarThreatFusion": {
"Reputation": {
"Domain": {
"DBotScore": {
"Indicator": "paloaltonetworks.com",
"Score": 1,
"Type": "domain",
"Vendor": "SOCRadar ThreatFusion"
},
"DNS Details": {
"A": [
"1.1.1.1"
],
"MX": [
"mx record"
],
"NS": [
"ns record"
],
"SOA": [
"domains.paloaltonetworks.com. 1627343953 3600 600 604800 3600"
],
"TXT": [
"txt record"
]
},
"Domain": "paloaltonetworks.com",
"Risk Score (Out of 1000)": 0,
"Score Details": {},
"Subdomains": [],
"Total Encounters": 0,
"Whois Details": {
"address": null,
"city": null,
"country": "US",
"creation_date": "Mon, 21 Feb 2005 02:42:10 GMT",
"dnssec": "signedDelegation",
"domain_name": "PALOALTONETWORKS.COM",
"emails": [
"abusecomplaints@markmonitor.com",
"whoisrequest@markmonitor.com"
],
"expiration_date": "Wed, 21 Feb 2024 02:42:10 GMT",
"name": null,
"name_servers": [
"ns record"
],
"org": "Palo Alto Networks, Inc.",
"referral_url": null,
"registrar": "MarkMonitor Inc.",
"state": "CA",
"status": [
"clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
"clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
"clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
"clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
"clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)",
"clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited"
],
"updated_date": "Thu, 01 Jul 2021 00:32:38 GMT",
"whois_server": "whois.markmonitor.com",
"zipcode": null
}
}
}
}
}

Human Readable Output

SOCRadar - Analysis results for domain: paloaltonetworks.com

DNS Details:
    A: 1.1.1.1
    MX: mx record
    NS: ns record
    SOA: domains.paloaltonetworks.com. 1627343953 3600 600 604800 3600
    TXT: txt record
Domain: paloaltonetworks.com
Risk Score (Out of 1000): 0
Score Details: (empty)
Subdomains: (empty)
Total Encounters: 0
Whois Details:
    org: Palo Alto Networks, Inc.
    city: null
    name: null
    state: CA
    dnssec: signedDelegation
    emails: abusecomplaints@markmonitor.com,
            whoisrequest@markmonitor.com
    status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited,
            clientTransferProhibited https://icann.org/epp#clientTransferProhibited,
            clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited,
            clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited),
            clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited),
            clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
    address: null
    country: US
    zipcode: null
    registrar: MarkMonitor Inc.
    domain_name: PALOALTONETWORKS.COM
    name_servers: ns record
    referral_url: null
    updated_date: Thu, 01 Jul 2021 00:32:38 GMT
    whois_server: whois.markmonitor.com
    creation_date: Mon, 21 Feb 2005 02:42:10 GMT
    expiration_date: Wed, 21 Feb 2024 02:42:10 GMT

socradar-score-hash

Scores the reputation of the provided hash entity in SOCRadar ThreatFusion.

Base Command

socradar-score-hash

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | Hash entity to score (MD5 or SHA1). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SOCRadarThreatFusion.Reputation.Hash.Risk Score | Number | Reputation score of the queried hash. |
| SOCRadarThreatFusion.Reputation.Hash.Score Details | JSON | Risk score details of the queried hash. |
| SOCRadarThreatFusion.Reputation.Hash.Total Encounters | Number | Number of times that SOCRadar has encountered the queried hash in its threat sources. |
| SOCRadarThreatFusion.Reputation.Hash.File | String | Queried hash. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the indicator score. |

Command Example

!socradar-score-hash hash="3b7b359ea17ac76341957573e332a2d6bcac363401ac71c8df94dac93df6d792"

Context Example

{
"SOCRadarThreatFusion": {
"Reputation": {
"Hash": {
"DBotScore": {
"Indicator": "3b7b359ea17ac76341957573e332a2d6bcac363401ac71c8df94dac93df6d792",
"Score": 1,
"Type": "file",
"Vendor": "SOCRadar ThreatFusion"
},
"File": "3b7b359ea17ac76341957573e332a2d6bcac363401ac71c8df94dac93df6d792",
"Risk Score (Out of 1000)": 360,
"Score Details": {
"Maldatabase": 360
},
"Total Encounters": 1
}
}
}
}

Human Readable Output

SOCRadar - Analysis results for hash: 3b7b359ea17ac76341957573e332a2d6bcac363401ac71c8df94dac93df6d792

| File | Risk Score (Out of 1000) | Score Details | Total Encounters |
| --- | --- | --- | --- |
| 3b7b359ea17ac76341957573e332a2d6bcac363401ac71c8df94dac93df6d792 | 360.0 | Maldatabase: 360.0 | 1 |