Publisher: IntSights
Connector Version: 4.2.0
Product Vendor: IntSights
Product Name: IntSights Cyber Intelligence
Product Version Supported (regex): ".*"
Minimum Product Version: 5.4.0
This app integrates with IntSights Cyber Intelligence.

The app uses the HTTP/HTTPS protocol to communicate with the IntSights server. Below are the default ports used by the Splunk SOAR Connector.
| SERVICE NAME | TRANSPORT PROTOCOL | PORT |
|---|---|---|
| http | tcp | 80 |
| https | tcp | 443 |
The configuration variables below are required for this Connector to operate. These variables are specified when configuring an IntSights Cyber Intelligence asset in SOAR.

| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| account_id | required | string | User's Account ID |
| api_key | required | password | User's API Key |
### Supported Actions

- test connectivity - Validate the asset configuration for connectivity
- hunt ioc - Look for information about an IOC in the IntSights database
- enrich ioc - Get enrichment information on an IOC using the (paid) enrich API endpoint
- hunt file - Look for information about a file hash in the IntSights database
- hunt domain - Look for information about a domain in the IntSights database
- hunt ip - Look for information about an IP in the IntSights database
- hunt url - Look for information about a URL in the IntSights database
- on poll - Callback action for the on_poll ingest functionality
- close alert - Close an alert in the IntSights dashboard
- takedown request - Initiate a takedown request for an alert from the IntSights dashboard
## action: 'test connectivity'
Validate the asset configuration for connectivity

Type: test
Read only: True

No parameters are required for this action

No Output
## action: 'hunt ioc'
Look for information about an IOC in the IntSights database

Type: investigate
Read only: True

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hunting | required | IOC to look for in the IntSights database | string | |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.hunting | string | |
| action_result.message | string | |
| action_result.summary | string | |
| action_result.status | string | |
| action_result.data | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
## action: 'enrich ioc'
Get enrichment information on an IOC using the (paid) enrich API endpoint

Type: investigate
Read only: True

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| ioc | required | The IOC to enrich | string | |
| max_poll_cycles | required | Maximum number of poll cycles to wait before erroring out | numeric | |
| sleep_seconds | required | Number of seconds to sleep before polling the endpoint again for results | numeric | |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.ioc | string | |
| action_result.parameter.max_poll_cycles | numeric | |
| action_result.parameter.sleep_seconds | numeric | |
| action_result.data | string | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
## action: 'hunt file'
Look for information about a file hash in the IntSights database

Type: investigate
Read only: True

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hash | required | Hash of the binary to hunt | string | `hash` `sha256` `sha1` `md5` |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.hash | string | `hash` `sha256` `sha1` `md5` |
| action_result.data.*.InvestigationLink | string | |
| action_result.data.*.firstSeen | string | |
| action_result.data.*.lastSeen | string | |
| action_result.data.*.lastUpdateDate | string | |
| action_result.data.*.reportedFeeds.*.confidenceLevel | numeric | |
| action_result.data.*.reportedFeeds.*.id | string | |
| action_result.data.*.reportedFeeds.*.name | string | |
| action_result.data.*.score | numeric | |
| action_result.data.*.severity | string | |
| action_result.data.*.status | string | |
| action_result.data.*.type | string | |
| action_result.data.*.value | string | `hash` `sha256` `sha1` `md5` |
| action_result.data.*.whitelisted | boolean | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
## action: 'hunt domain'
Look for information about a domain in the IntSights database

Type: investigate
Read only: True

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| domain | required | Domain to hunt | string | `domain` |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.domain | string | `domain` |
| action_result.data.*.InvestigationLink | string | |
| action_result.data.*.firstSeen | string | |
| action_result.data.*.lastSeen | string | |
| action_result.data.*.lastUpdateDate | string | |
| action_result.data.*.reportedFeeds.*.confidenceLevel | numeric | |
| action_result.data.*.reportedFeeds.*.id | string | |
| action_result.data.*.reportedFeeds.*.name | string | |
| action_result.data.*.score | numeric | |
| action_result.data.*.severity | string | |
| action_result.data.*.status | string | |
| action_result.data.*.type | string | |
| action_result.data.*.value | string | `domain` |
| action_result.data.*.whitelisted | boolean | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
## action: 'hunt ip'
Look for information about an IP in the IntSights database

Type: investigate
Read only: True

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| ip | required | IP to hunt | string | `ip` |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.ip | string | `ip` |
| action_result.data.*.InvestigationLink | string | |
| action_result.data.*.firstSeen | string | |
| action_result.data.*.geolocation | string | |
| action_result.data.*.lastSeen | string | |
| action_result.data.*.lastUpdateDate | string | |
| action_result.data.*.reportedFeeds.*.confidenceLevel | numeric | |
| action_result.data.*.reportedFeeds.*.id | string | |
| action_result.data.*.reportedFeeds.*.name | string | |
| action_result.data.*.score | numeric | |
| action_result.data.*.severity | string | |
| action_result.data.*.status | string | |
| action_result.data.*.type | string | |
| action_result.data.*.value | string | `ip` |
| action_result.data.*.whitelisted | boolean | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
## action: 'hunt url'
Look for information about a URL in the IntSights database

Type: investigate
Read only: True

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| url | required | URL to hunt | string | `url` |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.url | string | `url` |
| action_result.data.*.InvestigationLink | string | |
| action_result.data.*.firstSeen | string | |
| action_result.data.*.lastSeen | string | |
| action_result.data.*.lastUpdateDate | string | |
| action_result.data.*.reportedFeeds.*.confidenceLevel | numeric | |
| action_result.data.*.reportedFeeds.*.id | string | |
| action_result.data.*.reportedFeeds.*.name | string | |
| action_result.data.*.score | numeric | |
| action_result.data.*.severity | string | |
| action_result.data.*.status | string | |
| action_result.data.*.type | string | |
| action_result.data.*.value | string | `url` |
| action_result.data.*.whitelisted | boolean | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
## action: 'on poll'
Callback action for the on_poll ingest functionality

Type: ingest
Read only: True

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| container_id | optional | Parameter ignored in this app | string | |
| start_time | optional | Start of time range, in epoch time (milliseconds). Default: 10 days | numeric | |
| end_time | optional | End of time range, in epoch time (milliseconds). Default: Now | numeric | |
| container_count | optional | Maximum number of containers to ingest | numeric | |
| artifact_count | optional | Parameter ignored in this app | numeric | |

No Output
## action: 'close alert'
Close an alert in the IntSights dashboard

Type: generic
Read only: False

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| alert_id | required | IntSights alert ID to close | string | `intsights alert id` |
| reason | required | IntSights alert's closure reason | string | |
| free_text | optional | IntSights alert's comments | string | |
| rate | optional | IntSights alert's rate (0-5) | numeric | |
| is_hidden | optional | Alert's hidden status (delete the alert from the account instance; only when reason is FalsePositive) | boolean | |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.alert_id | string | `intsights alert id` |
| action_result.parameter.free_text | string | |
| action_result.parameter.is_hidden | boolean | |
| action_result.parameter.rate | numeric | |
| action_result.parameter.reason | string | |
| action_result.data | string | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
## action: 'takedown request'
Initiate a takedown request for an alert from the IntSights dashboard

Type: generic
Read only: False

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| alert_id | required | IntSights alert ID to take down | string | `intsights alert id` |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.alert_id | string | `intsights alert id` |
| action_result.data | string | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |