CyberTotal Auto Enrichment - CyCraft

This playbook automatically enriches indicators: IPs, URLs, domains, and MD5, SHA-1, and SHA-256 file hashes. Playbook input: the indicators you want to enrich. Playbook output: detection engine results, positive detections, and detection ratios, as well as severity, confidence, and threat scores.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • CyberTotal

Scripts

  • Exists

Commands

  • file
  • ip
  • domain
  • url

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Domain | The input domain will be searched automatically on CyberTotal to retrieve reputation data. | Domain.Name | Optional |
| IP | The input IP will be searched automatically on CyberTotal to retrieve reputation data. | IP.Address | Optional |
| URL | The input URL will be searched automatically on CyberTotal to retrieve reputation data. | URL.Data | Optional |
| MD5 | The input MD5 will be searched automatically on CyberTotal to retrieve reputation data. | File.MD5 | Optional |
| SHA1 | The input SHA1 will be searched automatically on CyberTotal to retrieve reputation data. | File.SHA1 | Optional |
| SHA256 | The input SHA256 will be searched automatically on CyberTotal to retrieve reputation data. | File.SHA256 | Optional |
| threshold | Threshold for reputation commands. Default is 10. | 10 | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| CyberTotal.URL.scan_date | Scan date. Format: ISO 8601. | unknown |
| CyberTotal.URL.resource | The scan target sent to CyberTotal. | unknown |
| CyberTotal.URL.task_id | The unique ID of each scan in CyberTotal. | unknown |
| CyberTotal.URL.permalink | The link to this URL’s report in CyberTotal. | unknown |
| CyberTotal.URL.severity | Severity of this URL. The range is from 0 to 10. | unknown |
| CyberTotal.URL.confidence | Confidence of this URL. The range is from 0 to 10. | unknown |
| CyberTotal.URL.threat | Threat of this URL, which is one of ‘High’, ‘Medium’ or ‘Low’. | unknown |
| CyberTotal.URL.detection_engines | The number of all antivirus vendors scanned. | unknown |
| CyberTotal.URL.positive_detections | The number of antivirus vendors scanned with positive detection. | unknown |
| CyberTotal.URL.detection_ratio | The ratio of positive_detections and detection_engines. | unknown |
| CyberTotal.URL.message | Message about this search. | unknown |
| URL.Data | The URL. | unknown |
| URL.DetectionEngines | The total number of engines that checked the indicator. | unknown |
| URL.PositiveDetections | The number of engines that positively detected the indicator as malicious. | unknown |
| URL.Malicious.Vendor | The vendor reporting the URL as malicious. | unknown |
| URL.Malicious.Description | A description of the malicious URL. | unknown |
| DBotScore.Indicator | The indicator that was tested. | unknown |
| DBotScore.Type | The indicator type. | unknown |
| DBotScore.Vendor | The vendor used to calculate the score. | unknown |
| DBotScore.Score | The actual score. | unknown |
| CyberTotal.IP.scan_date | Scan date. Format: ISO 8601. | unknown |
| CyberTotal.IP.resource | The scan target sent to CyberTotal. | unknown |
| CyberTotal.IP.task_id | The unique ID of each scan in CyberTotal. | unknown |
| CyberTotal.IP.permalink | The link to this IP’s report in CyberTotal. | unknown |
| CyberTotal.IP.severity | Severity of this IP. The range is from 0 to 10. | unknown |
| CyberTotal.IP.confidence | Confidence of this IP. The range is from 0 to 10. | unknown |
| CyberTotal.IP.threat | Threat of this IP, which is one of ‘High’, ‘Medium’ or ‘Low’. | unknown |
| CyberTotal.IP.detection_engines | The number of all antivirus vendors scanned. | unknown |
| CyberTotal.IP.positive_detections | The number of antivirus vendors scanned with positive detection. | unknown |
| CyberTotal.IP.detection_ratio | The ratio of positive_detections and detection_engines. | unknown |
| CyberTotal.IP.message | Message about this search. | unknown |
| IP.Address | The IP address. | unknown |
| IP.DetectionEngines | The total number of engines that checked the indicator. | unknown |
| IP.PositiveDetections | The number of engines that positively detected the indicator as malicious. | unknown |
| IP.Malicious.Vendor | The vendor reporting the IP address as malicious. | unknown |
| IP.Malicious.Description | A description explaining why the IP address was reported as malicious. | unknown |
| CyberTotal.Domain.scan_date | Scan date. Format: ISO 8601. | unknown |
| CyberTotal.Domain.resource | The scan target sent to CyberTotal. | unknown |
| CyberTotal.Domain.permalink | The link to this domain’s report in CyberTotal. | unknown |
| CyberTotal.Domain.severity | Severity of this domain. The range is from 0 to 10. | unknown |
| CyberTotal.Domain.confidence | Confidence of this domain. The range is from 0 to 10. | unknown |
| CyberTotal.Domain.threat | Threat of this domain, which is one of ‘High’, ‘Medium’ or ‘Low’. | unknown |
| CyberTotal.Domain.detection_engines | The number of all antivirus vendors scanned. | unknown |
| CyberTotal.Domain.positive_detections | The number of antivirus vendors scanned with positive detection. | unknown |
| CyberTotal.Domain.detection_ratio | The ratio of positive_detections and detection_engines. | unknown |
| CyberTotal.Domain.message | Message about this search. | unknown |
| Domain.Name | The domain name, for example: "google.com". | unknown |
| Domain.DetectionEngines | The total number of engines that checked the indicator. | unknown |
| Domain.PositiveDetections | The number of engines that positively detected the indicator as malicious. | unknown |
| Domain.Malicious.Vendor | The vendor reporting the domain as malicious. | unknown |
| Domain.Malicious.Description | A description explaining why the domain was reported as malicious. | unknown |
| CyberTotal.File.scan_date | Scan date. Format: ISO 8601. | unknown |
| CyberTotal.File.resource | The scan target sent to CyberTotal. | unknown |
| CyberTotal.File.task_id | The unique ID of each scan in CyberTotal. | unknown |
| CyberTotal.File.permalink | The link to this HASH’s report in CyberTotal. | unknown |
| CyberTotal.File.severity | Severity of this HASH. The range is from 0 to 10. | unknown |
| CyberTotal.File.confidence | Confidence of this HASH. The range is from 0 to 10. | unknown |
| CyberTotal.File.threat | Threat of this HASH, which is one of ‘High’, ‘Medium’ or ‘Low’. | unknown |
| CyberTotal.File.detection_engines | The number of all antivirus vendors scanned. | unknown |
| CyberTotal.File.positive_detections | The number of antivirus vendors scanned with positive detection. | unknown |
| CyberTotal.File.detection_ratio | The ratio of positive_detections and detection_engines. | unknown |
| CyberTotal.File.message | Message about this search. | unknown |
| CyberTotal.File.size | Size of this file. | unknown |
| CyberTotal.File.md5 | This file’s md5 value. | unknown |
| CyberTotal.File.sha1 | This file’s sha1 value. | unknown |
| CyberTotal.File.sha256 | This file’s sha256 value. | unknown |
| CyberTotal.File.extension | This file’s extension type. | unknown |
| CyberTotal.File.name | This file’s name, separated by ‘,’ if more than 2 names. | unknown |
| File.MD5 | The MD5 hash of the file. | unknown |
| File.SHA1 | The SHA1 hash of the file. | unknown |
| File.SHA256 | The SHA256 hash of the file. | unknown |
| File.Name | The full file name (including file extension). | unknown |
| File.Extension | The file extension, for example: 'xls'. | unknown |
| File.Size | The size of the file in bytes. | unknown |

Playbook Image


[Image: CyberTotal Auto Enrichment - CyCraft]