# CreateHashIndicatorWrapper

This script is part of the Malware Core Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This is a wrapper to allow or block hash lists in Cortex XDR, MSDE (Microsoft Defender for Endpoint) or CrowdStrike. It runs the relevant command on every configured instance of each of those integrations and reports the outcome per instance.
## Script Data

Name | Description |
---|---|
Script Type | python3 |
Tags | basescript |
Cortex XSOAR Version | 6.0.0 |
## Inputs

Argument Name | Description |
---|---|
hash | Array (or comma-separated list) of SHA256 hashes. |
action | The action to apply to the hash: `allow` or `block`. |
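The wrapper's job is small but security-sensitive: validate the hash input, map the single `action` argument onto each vendor's own action vocabulary, and fan the calls out without letting one vendor's failure silently hide another's. The following is an added example, not the pack's script. The `block` mappings (`xdr-blacklist-files`, `microsoft-atp-sc-indicator-create` with `AlertAndBlock`, `cs-falcon-upload-custom-ioc` with `prevent`) are copied from the Results Summary in the Script Examples section; the `allow` mappings (`xdr-whitelist-files`, `Allowed`, `allow`), the `Allowlisted ...` description text and the `execute` callable standing in for XSOAR's `executeCommand` are assumptions made so the module runs offline.

```python
"""Hash allow/block fan-out in the style of CreateHashIndicatorWrapper.

Added example, not the pack's script: it builds the per-vendor command calls
the wrapper issues for a list of SHA256 hashes and renders a Results Summary.
`execute` stands in for XSOAR's executeCommand so the module runs offline.
"""
import re
from typing import Callable, Dict, Iterable, List, Union

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Per-vendor action values. The "block" row reproduces the calls shown in the
# page's Results Summary; the "allow" row is an ASSUMPTION about each
# integration's allow-list command/value and must be checked against the
# integration's command reference before use.
VENDOR_ACTIONS: Dict[str, Dict[str, str]] = {
    "block": {"xdr": "xdr-blacklist-files", "msde": "AlertAndBlock",
              "cs": "prevent", "cs_desc": "Blacklisted based on XSOAR inc {inc}"},
    "allow": {"xdr": "xdr-whitelist-files", "msde": "Allowed",
              "cs": "allow", "cs_desc": "Allowlisted based on XSOAR inc {inc}"},
}


def normalize_hashes(raw: Union[str, Iterable[str]]) -> List[str]:
    """Accept a list or comma-separated string; lowercase, dedupe, and reject
    anything that is not exactly 64 hex characters. Failing here keeps an MD5,
    a SHA1, or a truncated paste from being pushed to three vendors as an
    ineffective (or, for allow, over-broad) indicator."""
    items = raw.split(",") if isinstance(raw, str) else list(raw)
    hashes: List[str] = []
    for item in items:
        h = item.strip().lower()
        if not h:
            continue
        if not SHA256_RE.match(h):
            raise ValueError(f"not a SHA256 hash: {item!r}")
        if h not in hashes:
            hashes.append(h)
    if not hashes:
        raise ValueError("no hashes supplied")
    return hashes


def build_commands(raw: Union[str, Iterable[str]], action: str, incident_id: str) -> List[Dict]:
    """One command call per vendor, with the argument shapes from the page's
    Results Summary. Unknown actions fail closed instead of defaulting."""
    if action not in VENDOR_ACTIONS:
        raise ValueError(f"action must be one of {sorted(VENDOR_ACTIONS)}, got {action!r}")
    hashes = normalize_hashes(raw)
    acts = VENDOR_ACTIONS[action]
    label = f"XSOAR - related incident {incident_id}"
    # Cortex XDR takes the whole list in one call...
    commands: List[Dict] = [{"command": acts["xdr"], "args": {"hash_list": ",".join(hashes)}}]
    # ...while MSDE and CrowdStrike take one indicator per call.
    for h in hashes:
        commands.append({"command": "microsoft-atp-sc-indicator-create", "args": {
            "indicator_value": h, "indicator_type": "FileSha256", "action": acts["msde"],
            "indicator_description": label, "indicator_title": label}})
        commands.append({"command": "cs-falcon-upload-custom-ioc", "args": {
            "ioc_type": "sha256", "platforms": "linux,mac,windows", "applied_globally": "true",
            "value": h, "action": acts["cs"], "description": acts["cs_desc"].format(inc=incident_id),
            "severity": "high"}})
    return commands


def run(raw, action: str, incident_id: str, execute: Callable[[str, Dict], object]) -> List[Dict]:
    """Issue every call through `execute` and record a row per call. A vendor
    error becomes a Failed row rather than an exception, so the analyst sees
    which product did not receive the indicator and can retry just that one."""
    rows: List[Dict] = []
    for call in build_commands(raw, action, incident_id):
        try:
            execute(call["command"], call["args"])
            rows.append({**call, "result": "Success", "comment": ""})
        except Exception as exc:  # any vendor error is reportable, not fatal
            rows.append({**call, "result": "Failed", "comment": str(exc)})
    return rows


def render_summary(rows: List[Dict]) -> str:
    """Markdown table in the shape of the page's Results Summary."""
    lines = ["Command | Args | Result | Comment", "---|---|---|---"]
    for r in rows:
        args = " ".join(f"{k}: {v}" for k, v in r["args"].items())
        lines.append(f"{r['command']} | {args} | {r['result']} | {r['comment']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed demo: the hash and incident ID are the ones from the page's
    # example; the executor is a stand-in that "fails" the CrowdStrike call.
    def demo_execute(command: str, args: Dict) -> str:
        if command == "cs-falcon-upload-custom-ioc":
            raise RuntimeError("HTTP 403: insufficient IOC management scope")
        return "ok"

    print(render_summary(run(
        "9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a",
        "block", "ab57e22c-ad03-4aba-8b6c-b42bd895a116", demo_execute)))
```

Two design choices matter in production: the action whitelist raises on anything other than `allow`/`block` rather than falling through to a default, and hash validation happens once before any vendor call so the three products never end up with an inconsistent set of indicators because one rejected a malformed value mid-run.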
## Outputs

Path | Description | Type |
---|---|---|
MicrosoftATP.Indicators.id | Created by the system when the indicator is ingested. Generated GUID/unique identifier. | String |
MicrosoftATP.Indicators.action | The action to apply if the indicator is matched within the targetProduct security tool. Possible values: "unknown", "allow", "block", or "alert". | String |
MicrosoftATP.Indicators.additionalInformation | A catchall area where extra data from the indicator not covered by the other indicator properties may be placed. Data placed into additionalInformation is typically not utilized by the targetProduct security tool. | String |
MicrosoftATP.Indicators.azureTenantId | Stamped by the system when the indicator is ingested. The Azure Active Directory submitting client tenant ID. | String |
MicrosoftATP.Indicators.confidence | An integer representing confidence the indicator data accurately identifies malicious behavior. Possible values are 0 – 100, with 100 being the highest. | Number |
MicrosoftATP.Indicators.description | Brief description (100 characters or less) of the threat represented by the indicator. | String |
MicrosoftATP.Indicators.diamondModel | The area of the Diamond Model in which this indicator exists. Possible values: "unknown", "adversary", "capability", "infrastructure", and "victim". | String |
MicrosoftATP.Indicators.domainName | Domain name associated with this indicator. Should be in the format subdomain.domain.topleveldomain. | String |
MicrosoftATP.Indicators.expirationDateTime | DateTime string indicating when the indicator expires. To avoid stale indicators persisting in the system, all indicators must have an expiration date. The timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z' | Date |
MicrosoftATP.Indicators.externalId | An identification number that ties the indicator back to the indicator provider’s system (for example, a foreign key). | String |
MicrosoftATP.Indicators.fileCompileDateTime | DateTime the file was compiled. The timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z' | Date |
MicrosoftATP.Indicators.fileCreatedDateTime | DateTime the file was created.The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z' | Date |
MicrosoftATP.Indicators.fileHashType | The type of hash stored in fileHashValue. Possible values: "unknown", "sha1", "sha256", "md5", "authenticodeHash256", "lsHash", and "ctph". | String |
MicrosoftATP.Indicators.fileHashValue | The file hash value. | String |
MicrosoftATP.Indicators.fileMutexName | The Mutex name used in file-based detections. | String |
MicrosoftATP.Indicators.fileName | The name of the file if the indicator is file-based. Multiple file names may be delimited by commas. | String |
MicrosoftATP.Indicators.filePacker | The packer used to build the file in question. | String |
MicrosoftATP.Indicators.filePath | The path of the file indicating a compromise. Can be a Windows or *nix style path. | String |
MicrosoftATP.Indicators.fileSize | The size of the file in bytes. | Number |
MicrosoftATP.Indicators.fileType | The text description of the type of file. For example, “Word Document” or “Binary”. | String |
MicrosoftATP.Indicators.ingestedDateTime | The timestamp the indicator was ingested into the system. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z' | Date |
MicrosoftATP.Indicators.isActive | Used to deactivate indicators within the system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. | Boolean |
MicrosoftATP.Indicators.knownFalsePositives | Scenarios in which the indicator may cause false positives. This should be human-readable text. | String |
MicrosoftATP.Indicators.lastReportedDateTime | The last time the indicator was seen. The timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z' | Date |
MicrosoftATP.Indicators.networkCidrBlock | The CIDR Block notation representation of the network referenced in this indicator. Use only if the source and destination cannot be identified. | String |
MicrosoftATP.Indicators.networkDestinationAsn | The destination autonomous system identifier of the network referenced in the indicator. | Number |
MicrosoftATP.Indicators.networkDestinationCidrBlock | The CIDR Block notation representation of the destination network in this indicator. | String |
MicrosoftATP.Indicators.networkDestinationIPv4 | The IPv4 IP address destination. | String |
MicrosoftATP.Indicators.networkDestinationIPv6 | The IPv6 IP address destination. | String |
MicrosoftATP.Indicators.networkDestinationPort | The TCP port destination. | Number |
MicrosoftATP.Indicators.networkIPv4 | The IPv4 IP address. | String |
MicrosoftATP.Indicators.networkIPv6 | The IPv6 IP address. | String |
MicrosoftATP.Indicators.networkPort | The TCP port. | Number |
MicrosoftATP.Indicators.networkProtocol | The decimal representation of the protocol field in the IPv4 header. | Number |
MicrosoftATP.Indicators.networkSourceAsn | The source autonomous system identifier of the network referenced in the indicator. | Number |
MicrosoftATP.Indicators.networkSourceCidrBlock | The CIDR Block notation representation of the source network in this indicator. | String |
MicrosoftATP.Indicators.networkSourceIPv4 | The IPv4 IP address source. | String |
MicrosoftATP.Indicators.networkSourceIPv6 | The IPv6 IP address source. | String |
MicrosoftATP.Indicators.networkSourcePort | The TCP port source. | Number |
MicrosoftATP.Indicators.passiveOnly | Determines if the indicator should trigger an event that is visible to an end-user. When set to ‘true,’ security tools do not notify the end user that a ‘hit’ has occurred. This is most often treated as audit or silent mode by security products where they simply log that a match occurred but do not perform the action. Default value is false. | Boolean |
MicrosoftATP.Indicators.severity | An integer representing the severity of the malicious behavior identified by the data within the indicator. Possible values: "Informational", "Low", "MediumLow", "MediumHigh", and "High", where High is the most severe and Informational is not severe at all. | Number |
MicrosoftATP.Indicators.targetProduct | A string representing a single security product to which the indicator should be applied. | String |
MicrosoftATP.Indicators.threatType | Each indicator must have a valid Indicator Threat Type. Possible values: "Botnet", "C2", "CryptoMining", "Darknet", "DDoS", "MaliciousUrl", "Malware", "Phishing", "Proxy", "PUA", and "WatchList". | String |
MicrosoftATP.Indicators.tlpLevel | Traffic Light Protocol value for the indicator. Possible values: "unknown", "white", "green", "amber", and "red". | String |
MicrosoftATP.Indicators.url | Uniform Resource Locator. This URL complies with RFC 1738. | String |
MicrosoftATP.Indicators.userAgent | User-Agent string from a web request that could indicate compromise. | String |
MicrosoftATP.Indicators.vendorInformation | Information about the vendor. | String |
File.Name | The full file name (including file extension). | String |
File.Size | The size of the file in bytes. | Number |
File.MD5 | The MD5 hash of the file. | String |
File.SHA1 | The SHA1 hash of the file. | String |
File.SHA256 | The SHA256 hash of the file. | String |
File.SHA512 | The SHA512 hash of the file. | String |
File.Type | The file type, as determined by libmagic (same as displayed in file entries). | String |
File.Path | The path where the file is located. | String |
CrowdStrike.IOC.Type | The type of the IOC. | String |
CrowdStrike.IOC.Value | The string representation of the indicator. | String |
CrowdStrike.IOC.ID | The full ID of the indicator (type:value). | String |
CrowdStrike.IOC.Policy | The policy of the indicator. | String |
CrowdStrike.IOC.Source | The source of the IOC. | String |
CrowdStrike.IOC.ShareLevel | The level at which the indicator will be shared. | String |
CrowdStrike.IOC.Expiration | The datetime the indicator will expire. | String |
CrowdStrike.IOC.Description | The description of the IOC. | String |
CrowdStrike.IOC.CreatedTime | The datetime the IOC was created. | String |
CrowdStrike.IOC.CreatedBy | The identity of the user/process who created the IOC. | String |
CrowdStrike.IOC.ModifiedTime | The date and time the indicator was last modified. | String |
CrowdStrike.IOC.ModifiedBy | The identity of the user/process who last updated the IOC. | String |
## Script Examples

### Example command

```
!CreateHashIndicatorWrapper action=block hash=9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a
```

### Context Example

### Human Readable Output

#### Results Summary

The wrapper runs the vendor command on every configured instance of each integration, so a product with two instances (Cortex XDR here) appears twice. For `block` it issues `xdr-blacklist-files`, `microsoft-atp-sc-indicator-create` with action `AlertAndBlock`, and `cs-falcon-upload-custom-ioc` with action `prevent`; the incident ID is carried into the indicator title and description so the entry can be traced back to its source incident.

Instance | Command | Result | Comment |
---|---|---|---|
Cortex XDR - IR: Cortex XDR - IR_instance_1_copy | command: xdr-blacklist-files args: hash_list: 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a | Success | |
Cortex XDR - IR: Cortex XDR - IR_instance_1 | command: xdr-blacklist-files args: hash_list: 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a | Success | |
Microsoft Defender Advanced Threat Protection: Microsoft Defender Advanced Threat Protection_instance_1 | command: microsoft-atp-sc-indicator-create args: indicator_value: 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a indicator_type: FileSha256 action: AlertAndBlock indicator_description: XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116 indicator_title: XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116 | Success | |
CrowdstrikeFalcon: CrowdstrikeFalcon_instance_1 | command: cs-falcon-upload-custom-ioc args: ioc_type: sha256 platforms: linux,mac,windows applied_globally: true value: 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a action: prevent description: Blacklisted based on XSOAR inc ab57e22c-ad03-4aba-8b6c-b42bd895a116 severity: high | Success | |
#### Blacklist Files

File Hash |
---|
9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a |
#### Indicator 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a was updated successfully.

id | action | indicatorValue | indicatorType | severity | title | description |
---|---|---|---|---|---|---|
5301 | BlockAndRemediate | 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a | FileSha256 | Informational | XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116 | XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116 |
#### Custom IOC 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a was created successfully

Action | CreatedBy | CreatedTime | Description | ID | ModifiedBy | ModifiedTime | Platforms | Severity | Type | Value |
---|---|---|---|---|---|---|---|---|---|---|
prevent | 2bf188d347e44e08946f2e61ef590c24 | 2022-03-27T10:00:24.023778625Z | Blacklisted based on XSOAR inc ab57e22c-ad03-4aba-8b6c-b42bd895a116 | aaad9ddaf078c49f1d728fb0082a85efa6a9f413106ecca87f5dbdf33626178a | 2bf188d347e44e08946f2e61ef590c24 | 2022-03-27T10:00:24.023778625Z | linux, mac, windows | high | sha256 | 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a |