# USTA

This Integration is part of the USTA Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

USTA is a Cyber Intelligence Platform that responds directly and effectively to today's complex cyber threats.

## Configure USTA in Cortex

| **Parameter** | **Description** | **Required** |
| --- | --- | --- |
| Server URL (e.g. https://usta.prodaft.com) | | True |
| API Key | You can obtain your access token at: https://usta.prodaft.com/#/api-documents | True |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### usta-get-malicious-urls
***
You can get malicious URLs with this command.
#### Base Command
`usta-get-malicious-urls`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| format | Format type of the returned result. Possible values are: json, stix, stix2, txt. Default is json. | Optional |
| url | Filtering by URL Address. | Optional |
| is_domain | You can search only those with or without domain name registration. Possible values are: true, false. Default is true. | Optional |
| url_type | Filtering by malicious type. | Optional |
| tag | Filtering by tags. Example: tag=Keitaro. | Optional |
| start | Starting date (Example: 2021-03-18-13-59 / yy-mm-dd-hh-mm). | Optional |
| end | End Date (Example: 2021-03-18-13-59 / yy-mm-dd-hh-mm). | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Usta.MaliciousUrl.country | unknown | Country |
| Usta.MaliciousUrl.created | unknown | Created Date |
| Usta.MaliciousUrl.domain | unknown | Domain |
| Usta.MaliciousUrl.ip_addresses | unknown | IP Addresses |
| Usta.MaliciousUrl.is_domain | unknown | Is Domain |
| Usta.MaliciousUrl.modified | unknown | Modified Date |
| Usta.MaliciousUrl.tags | unknown | Tags |
| Usta.MaliciousUrl.threat_type | unknown | Threat Type |
| Usta.MaliciousUrl.url | unknown | URL |
#### Command Example

#### Human Readable Output
### usta-get-malware-hashs
***
You can get malware hashes with this command.
#### Base Command
`usta-get-malware-hashs`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| format | Format type of the returned result. Possible values are: json, stix, stix2. Default is json. | Optional |
| md5 | Filtering by md5. | Optional |
| sha1 | Filtering by sha1. | Optional |
| tag | Filtering by tags. Example: tag=Keitaro. | Optional |
| start | Starting Date(Example: 2021-03-18-13-59 / yy-mm-dd-hh-mm). | Optional |
| end | End Date(Example: 2021-03-18-13-59 / yy-mm-dd-hh-mm). | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Usta.MalwareHash.created | unknown | Created Date |
| Usta.MalwareHash.md5 | unknown | MD5 |
| Usta.MalwareHash.sha1 | unknown | SHA1 |
| Usta.MalwareHash.tags | unknown | Tags |
| Usta.MalwareHash.yara_rule | unknown | Yara Rule |
#### Command Example

#### Human Readable Output
### usta-get-phishing-sites
***
You can get phishing sites with this command.
#### Base Command
`usta-get-phishing-sites`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| status | Filtering by status. Possible values are: open, close, in_progress, out_of_scope, passive. | Optional |
| source | Filtering by source (URL). | Optional |
| page | Pagination. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Usta.PhishingSites.current_page | unknown | Current page |
| Usta.PhishingSites.last_page | unknown | Last page |
| Usta.PhishingSites.next_page_url | unknown | Next page URL |
| Usta.PhishingSites.per_page | unknown | Content count per page |
| Usta.PhishingSites.prev_page_url | unknown | Prev page URL |
| Usta.PhishingSites.results | unknown | Results |
| Usta.PhishingSites.total | unknown | Content count |
| Usta.PhishingSites.total_pages | unknown | Total Page |
#### Command Example

#### Human Readable Output
### usta-get-identity-leaks
***
With the Identity Leak API, you can access the hashed version of the credentials added to the platform, in the form SHA256(MD5(Identity_Number)).
#### Base Command
`usta-get-identity-leaks`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| start | Starting Date (Example: 2021-03-18-13-59 / yy-mm-dd-hh-mm). | Optional |
| end | End Date(Example: 2021-03-18-13-59 / yy-mm-dd-hh-mm). | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Usta.IdentityLeaks.created | unknown | Created date |
| Usta.IdentityLeaks.signature | unknown | Signature |
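
The SHA256(MD5(Identity_Number)) signatures described above can be matched against identity numbers you already hold without sending those numbers anywhere. The following is an added example, not code from the USTA pack: the function names, sample identity numbers and leak entries are constructed, and because the page does not say whether SHA-256 is applied to the MD5 hex string or to the raw MD5 bytes, both candidate forms are checked.

```python
import hashlib


def identity_signatures(identity_number: str) -> set:
    """Candidate SHA256(MD5(x)) signatures for one identity number.

    Assumption: the page does not say whether SHA-256 is applied to the MD5
    hex string or to the raw MD5 bytes, so both forms are returned.
    """
    inner = hashlib.md5(identity_number.strip().encode("utf-8"))
    return {
        hashlib.sha256(inner.hexdigest().encode("ascii")).hexdigest(),
        hashlib.sha256(inner.digest()).hexdigest(),
    }


def match_leaks(known_ids, leak_entries):
    """Return {identity_number: [created, ...]} for entries whose signature matches."""
    index = {}
    for ident in known_ids:
        for sig in identity_signatures(ident):
            index[sig] = ident.strip()
    hits = {}
    for entry in leak_entries:
        # Normalise case and whitespace before comparing hex digests.
        sig = str(entry.get("signature", "")).strip().lower()
        if sig in index:
            hits.setdefault(index[sig], []).append(entry.get("created"))
    return hits


# Constructed sample data: placeholder identity numbers and leak entries shaped
# like the Usta.IdentityLeaks context output (created, signature).
SAMPLE_IDS = ["10000000146", " 20000000292 "]
SAMPLE_LEAKS = [
    {"created": "2021-03-18-13-59",
     "signature": hashlib.sha256(
         hashlib.md5(b"10000000146").hexdigest().encode("ascii")
     ).hexdigest().upper()},  # upper-case to exercise case normalisation
    {"created": "2021-03-19-08-00", "signature": "0" * 64},  # no local match
]

if __name__ == "__main__":
    for ident, dates in match_leaks(SAMPLE_IDS, SAMPLE_LEAKS).items():
        # Print only a masked identifier so raw identity numbers stay out of logs.
        print(f"***{ident[-4:]} leaked, first seen {dates[0]}")
```
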
#### Command Example

#### Human Readable Output
### usta-get-stolen-client-accounts
***
You can access stolen customer accounts via the Stolen-Client-accounts API.
#### Base Command
`usta-get-stolen-client-accounts`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| username | Filtering by username. | Optional |
| password | Filtering by password. | Optional |
| source | Filters the detected stolen customer accounts by source. Possible values are: malware, phishing_site, data_leak, clients. | Optional |
| start | Starting Date (Example: 2021-03-18-13-59 / yy-mm-dd-hh-mm). | Optional |
| end | End Date (Example: 2021-03-18-13-59 / yy-mm-dd-hh-mm). | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Usta.StolenClientAccounts.created | unknown | Created date |
| Usta.StolenClientAccounts.password | unknown | Password |
| Usta.StolenClientAccounts.source | unknown | Source |
| Usta.StolenClientAccounts.url | unknown | URL |
| Usta.StolenClientAccounts.username | unknown | Username |
#### Command Example

#### Human Readable Output
### usta-get-domain
***
If you want to get more detailed information about malicious domain names, you can use this command.
#### Base Command
`usta-get-domain`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| domain | Search with domain name. | Required |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Usta.Domain.asn_records | unknown | ASN records |
| Usta.Domain.country | unknown | Country |
| Usta.Domain.dns_records | unknown | DNS records |
| Usta.Domain.domain | unknown | Domain |
| Usta.Domain.ip_addresses | unknown | IP addresses |
| Usta.Domain.ssl_records | unknown | SSL records |
| Usta.Domain.whois_records | unknown | Whois records |
#### Command Example

#### Human Readable Output
### usta-get-ip-address
***
If you want to get more detailed information about a specific IP address, you can use this command.
#### Base Command
`usta-get-ip-address`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| ip_address | Search with IP Address. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Usta.IPAddress.asn_records | unknown | ASN records |
| Usta.IPAddress.country | unknown | Country |
| Usta.IPAddress.ip_address | unknown | IP address |
| Usta.IPAddress.ssl_records | unknown | SSL records |
| Usta.IPAddress.whois_records | unknown | Whois records |
#### Command Example

#### Human Readable Output
### usta-send-referrer-url
***
You can check the accuracy of the URLs referring to your company's websites.
#### Base Command
`usta-send-referrer-url`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| address | URL Value. Example: http://www.google3.com. | Required |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Usta.Referrer.error | unknown | If any errors are received, it gives the details of the error |
#### Command Example

#### Human Readable Output
### usta-search-specific-identity-leaks
***
With this command, you can search for specific identity numbers that are hashed in leaks.
#### Base Command
`usta-search-specific-identity-leaks`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| identity_number | Search with this identity number. You can search multiple identity numbers by separating them with ",". | Required |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Usta.SpecificLeaks.existing | unknown | If the identity is leaked, you can see it in existing. |
| Usta.SpecificLeaks.not_existing | unknown | If the identity is not leaked, you can see it in not_existing. |
#### Command Example

#### Human Readable Output
### usta-close-incident
***
You can use the API to close notifications with the status "In Progress" or "Open" that are currently open for your institution.
#### Base Command
`usta-close-incident`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| id | Incident ID. | Required |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Usta.CloseIncident.id | unknown | If the incident is closed, returns the id value that was closed. |
#### Command Example

#### Human Readable Output