Publisher: IntSights
Connector Version: 4.0.0
Product Vendor: IntSights
Product Name: IntSights Cyber Intelligence
Product Version Supported (regex): ".*"
Minimum Product Version: 5.3.4
This app integrates with IntSights Cyber Intelligence.

The app uses the HTTP/HTTPS protocol to communicate with the IntSights server. Below are the default ports used by the Splunk SOAR Connector.

| SERVICE NAME | TRANSPORT PROTOCOL | PORT |
|---|---|---|
| http | tcp | 80 |
| https | tcp | 443 |
The configuration variables below are required for this Connector to operate. They are specified when configuring an IntSights Cyber Intelligence asset in SOAR.

| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| account_id | required | string | User's Account ID |
| api_key | required | password | User's API Key |
test connectivity - Validate the asset configuration for connectivity
hunt file - Look for information about a file hash in the IntSights database
hunt domain - Look for information about a domain in the IntSights database
hunt ip - Look for information about an IP in the IntSights database
hunt url - Look for information about a URL in the IntSights database
on poll - Callback action for the on_poll ingest functionality
close alert - Close an alert in the IntSights dashboard
takedown request - Initiate a takedown request of an alert from the IntSights dashboard
Validate the asset configuration for connectivity
Type: test
Read only: True
No parameters are required for this action
No Output
Look for information about a file hash in the IntSights database

Type: investigate
Read only: True

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hash | required | Hash of the binary to hunt | string | hash sha256 sha1 md5 |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.hash | string | hash sha256 sha1 md5 |
| action_result.data.*.Value | string | hash sha256 sha1 md5 |
| action_result.data.*.SourceName | string | |
| action_result.data.*.FirstSeen | string | |
| action_result.data.*.LastSeen | string | |
| action_result.data.*.Severity.Value | string | |
| action_result.data.*.InvestigationLink | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
Look for information about a domain in the IntSights database

Type: investigate
Read only: True

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| domain | required | Domain to hunt | string | domain |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.domain | string | domain |
| action_result.data.*.Value | string | domain |
| action_result.data.*.SourceName | string | |
| action_result.data.*.FirstSeen | string | |
| action_result.data.*.LastSeen | string | |
| action_result.data.*.Severity.Value | string | |
| action_result.data.*.InvestigationLink | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
Look for information about an IP in the IntSights database

Type: investigate
Read only: True

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| ip | required | IP to hunt | string | ip |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.ip | string | ip |
| action_result.data.*.Value | string | ip |
| action_result.data.*.SourceName | string | |
| action_result.data.*.FirstSeen | string | |
| action_result.data.*.LastSeen | string | |
| action_result.data.*.Severity.Value | string | |
| action_result.data.*.InvestigationLink | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
Look for information about a URL in the IntSights database

Type: investigate
Read only: True

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| url | required | URL to hunt | string | url |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.url | string | url |
| action_result.data.*.Value | string | url |
| action_result.data.*.SourceName | string | |
| action_result.data.*.FirstSeen | string | |
| action_result.data.*.LastSeen | string | |
| action_result.data.*.Severity.Value | string | |
| action_result.data.*.InvestigationLink | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
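The four hunt actions each accept one indicator type, declared through the `contains` column (hash sha256/sha1/md5, domain, ip, url). A playbook that receives raw indicator strings has to decide which action to call. The following is an added example, not code from the IntSights connector or from Splunk SOAR: it classifies an indicator by the same type names the tables use and groups a batch by target action. The hostname regular expression is a conservative assumption of ours, and the sample indicators are constructed for the demonstration.

```python
# Added example (not part of the IntSights connector): route a raw indicator
# string to the hunt action whose parameter type it matches.
import ipaddress
import re
from urllib.parse import urlsplit

# Hex digest lengths of the three hash types the "hunt file" action accepts.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Assumption: a domain is dotted labels of letters/digits/hyphens ending in an
# alphabetic TLD of 2 to 63 characters. Deliberately conservative.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def classify_indicator(value):
    """Return (action name, contains type) for a raw indicator, or
    (None, None) if it matches none of the hunt actions' parameter types."""
    v = value.strip()
    if not v:
        return None, None
    # hash: a fixed-length hex string
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_LENGTHS:
        return "hunt file", HASH_LENGTHS[len(v)]
    # ip: let the standard library validate IPv4 and IPv6 syntax
    try:
        ipaddress.ip_address(v)
        return "hunt ip", "ip"
    except ValueError:
        pass
    # url: needs a scheme and a host; a bare hostname falls through to domain
    parts = urlsplit(v)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "hunt url", "url"
    if DOMAIN_RE.match(v):
        return "hunt domain", "domain"
    return None, None


def route_indicators(values):
    """Group indicators by the hunt action that should handle them; anything
    unrecognised lands under "unsupported" so it is not silently dropped."""
    plan = {}
    for value in values:
        action, _ = classify_indicator(value)
        plan.setdefault(action or "unsupported", []).append(value.strip())
    return plan


if __name__ == "__main__":
    # Constructed sample indicators for the demonstration only.
    sample = [
        "d41d8cd98f00b204e9800998ecf8427e",
        "example.com",
        "198.51.100.7",
        "https://example.com/login",
        "not an indicator",
    ]
    for action, items in route_indicators(sample).items():
        print(action, items)
```

Keeping the unrecognised bucket visible matters in practice: an indicator that matches no action type is usually a formatting problem upstream (a defanged URL, a hash with whitespace) rather than something safe to ignore.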
Callback action for the on_poll ingest functionality

Type: ingest
Read only: True

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| container_id | optional | Parameter ignored in this app | string | |
| start_time | optional | Start of time range, in epoch time (milliseconds). Default: 10 days | numeric | |
| end_time | optional | End of time range, in epoch time (milliseconds). Default: Now | numeric | |
| container_count | optional | Maximum number of containers to ingest | numeric | |
| artifact_count | optional | Parameter ignored in this app | numeric | |

No Output
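The on poll parameters are epoch timestamps in milliseconds, with start_time defaulting to 10 days and end_time defaulting to now. Passing epoch seconds where milliseconds are expected is an easy mistake that yields a window in 1970 and an ingestion run that quietly returns nothing. The block below is an added example, not connector code: it resolves the defaults and reports the parameter problems a playbook should catch before the poll runs. It assumes the 10-day default is measured back from end_time (the table only says "Default: 10 days") and uses a unit-plausibility threshold of our own choosing.

```python
# Added example (not part of the IntSights connector): resolve the on poll
# time-range defaults and flag parameter mistakes before polling.
import time

TEN_DAYS_MS = 10 * 24 * 60 * 60 * 1000  # 864_000_000

# Assumption: a timestamp below this was passed in epoch seconds by mistake.
# 1e11 ms is March 1973, while 1e11 s is more than 3000 years away, so the
# boundary cleanly separates the two units for any realistic poll window.
MIN_PLAUSIBLE_MS = 100_000_000_000


def resolve_poll_window(start_time=None, end_time=None, container_count=None, now_ms=None):
    """Return the effective on poll parameters with the table's defaults applied.
    The 10-day default is taken relative to end_time (an assumption)."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    end = now_ms if end_time is None else int(end_time)
    start = end - TEN_DAYS_MS if start_time is None else int(start_time)
    return {"start_time": start, "end_time": end, "container_count": container_count}


def poll_window_errors(window):
    """List the problems with a resolved window; an empty list means it is usable."""
    errors = []
    for name in ("start_time", "end_time"):
        value = window[name]
        if value < MIN_PLAUSIBLE_MS:
            errors.append(f"{name}={value} looks like epoch seconds, not milliseconds")
    if window["start_time"] >= window["end_time"]:
        errors.append("start_time must be earlier than end_time")
    count = window["container_count"]
    if count is not None and int(count) <= 0:
        errors.append("container_count must be a positive integer")
    return errors


if __name__ == "__main__":
    window = resolve_poll_window()
    print(window, poll_window_errors(window))
```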
Close an alert in the IntSights dashboard

Type: generic
Read only: False

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| alert_id | required | IntSights alert ID to close | string | intsights alert id |
| reason | required | IntSights alert's closure reason | string | |
| free_text | optional | IntSights alert's comments | string | |
| rate | optional | IntSights alert's rate (0-5) | numeric | |
| is_hidden | optional | Alert's hidden status (deletes the alert from the account instance; only applies when reason is FalsePositive) | boolean | |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.rate | numeric | |
| action_result.parameter.free_text | string | |
| action_result.parameter.reason | string | |
| action_result.parameter.is_hidden | boolean | |
| action_result.parameter.alert_id | string | intsights alert id |
| action_result.data | string | |
| action_result.message | string | |
| action_result.status | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |
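close alert is not read-only, and its is_hidden flag deletes the alert from the account instance, which the table restricts to closures with reason FalsePositive. The block below is an added example, not code from the connector: it checks a parameter set against the rules the table states (alert_id and reason required, rate within 0-5, is_hidden only with FalsePositive) so a playbook fails before sending a rejected or unintended destructive request. FalsePositive is the only reason value the page names; any other reason string in the sample is a constructed placeholder, and the alert id is a placeholder too.

```python
# Added example (not part of the IntSights connector): validate "close alert"
# parameters before the action runs.

# The page names only this closure reason; it is the one is_hidden depends on.
HIDDEN_ALLOWED_REASON = "FalsePositive"


def validate_close_alert_params(params):
    """Return a list of problems; an empty list means the parameters are valid."""
    errors = []
    if not str(params.get("alert_id") or "").strip():
        errors.append("alert_id is required")
    reason = params.get("reason")
    if not reason:
        errors.append("reason is required")
    rate = params.get("rate")
    if rate is not None:
        try:
            rate_value = int(rate)
        except (TypeError, ValueError):
            errors.append("rate must be an integer between 0 and 5")
        else:
            if not 0 <= rate_value <= 5:
                errors.append("rate must be an integer between 0 and 5")
    # is_hidden deletes the alert, so it is only accepted with a FalsePositive closure
    if params.get("is_hidden") and reason != HIDDEN_ALLOWED_REASON:
        errors.append("is_hidden may only be set when reason is FalsePositive")
    return errors


def build_close_alert_params(alert_id, reason, free_text=None, rate=None, is_hidden=False):
    """Assemble the action's parameter dict, leaving unset optional fields out,
    and raise ValueError if the combination is invalid."""
    params = {"alert_id": alert_id, "reason": reason}
    if free_text:
        params["free_text"] = free_text
    if rate is not None:
        params["rate"] = rate
    if is_hidden:
        params["is_hidden"] = True
    errors = validate_close_alert_params(params)
    if errors:
        raise ValueError("; ".join(errors))
    return params


if __name__ == "__main__":
    # Constructed sample: the alert id and the "Resolved" reason are placeholders.
    print(build_close_alert_params("ALERT-ID-PLACEHOLDER", "FalsePositive", rate=4, is_hidden=True))
    print(validate_close_alert_params(
        {"alert_id": "ALERT-ID-PLACEHOLDER", "reason": "Resolved", "is_hidden": True}
    ))
```

Because is_hidden is irreversible from the playbook's point of view, keeping it opt-in (default False, dropped from the payload unless explicitly true) is the safer shape for an automation wrapper.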
Initiate a takedown request of an alert from the IntSights dashboard

Type: generic
Read only: False

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| alert_id | required | IntSights alert ID to take down | string | intsights alert id |

| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.alert_id | string | intsights alert id |
| action_result.data | string | |
| action_result.message | string | |
| action_result.status | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric | |