IntSights Tip 2.1.1

22 May 2022

tags: Enrichment | Threat Intel | IntSights TIP | Adaptive Card Display | CLIs


Description

Integration with IntSights' Threat Intelligence Platform (TIP) supports CDC users by providing IP/URL/domain and hash-based enrichments, consisting of IOCs and other threat indicator related information. This information enables CDC users to make informed decisions regarding incident response.

The TIP centralizes and operationalizes thousands of sources of intelligence for streamlined investigation and faster threat blocking. IOCs and other threat indicators are enriched using digital assets and prioritized by severity, bringing context and clarity to threat feeds.

CyberProof uses custom adaptive cards to display large amounts of complex threat intelligence data in a meaningful, intuitive GUI, making the data easier to understand at a glance.

Using the command line (or automated) enrichments, detailed IOC and other threat indicator information about an IP, URL, domain or hash (MD5/SHA1/SHA256) is obtained for each individual query parameter. For hashes, an additional CLI is provided to re-run the query and obtain the latest results.

Integration Type: Enrichment
Information read: IP address/URL/domain and hash values
API Supported: API v1
Input: IP address / URL / domain and hash values to be enriched
Output: Detailed enrichment consisting of IOCs and other threat indicator-related information for the provided input parameters.

CDC Command Lines

  • get_rescan_enrich_cli
    This CLI provides the capability to rescan and enrich the hash value-related threat information from IntSights TIP. This is for the specific hash value provided as a parameter in the CLI.

    Option     Type    Description                        Required
    file_hash  string  hash value (md5, sha1 or sha256)   True

  • get_enrich_domain_cli
    This CLI provides the capability to enrich the domain-related threat information from IntSights TIP, for the specific domain provided as a parameter in the CLI.

    Option     Type    Description                        Required
    domain     string  domain enrich for intsight_tip     True

  • get_enrich_hash_cli
    This CLI provides the capability to enrich the hash-related threat information from IntSights TIP, for the specific hash provided as the parameter in the CLI.

    Option     Type    Description                                        Required
    hash       string  hash enrich for intsight_tip (sha1, md5, sha256)   True

  • get_enrich_ip_cli
    This is a CLI used to enrich the IP-related threat information from IntSights TIP, for the specific IP provided as a parameter in the CLI. Note that Suspicious Rate is not returned for IP enrichment.

    Option     Type    Description                        Required
    ip         string  ip enrich for intsight_tip         True

  • get_enrich_url_cli
    This CLI provides the capability to enrich the URL-related threat information from IntSights TIP, for the specific URL provided as a parameter in the CLI.

    Option     Type    Description                        Required
    url        string  url enrich for intsight_tip        True
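Routing an indicator to the right CDC command line, as an added example (local glue code written for this page, not CDC's or IntSights' own code): it classifies an IP, URL, domain or hash, as the get_enrich_tip workflow's combined input suggests, picks the CLI name and option name documented above (including the file_hash option of the rescan CLI), and identifies the hash algorithm from the digest length. The helper names, the dictionary layout of the returned call and the sample indicators are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# CLI and option names are those documented on this page; the routing helper
# itself is an added example (assumed local glue code), not CDC's own code.
CLI_FOR_TYPE = {
    "ip": ("get_enrich_ip_cli", "ip"),
    "domain": ("get_enrich_domain_cli", "domain"),
    "url": ("get_enrich_url_cli", "url"),
    "hash": ("get_enrich_hash_cli", "hash"),
}
# Hex digest length identifies which of the accepted hash algorithms was given.
HASH_ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", re.IGNORECASE)


def classify(indicator):
    """Return 'hash', 'ip', 'url' or 'domain' for one indicator string."""
    value = indicator.strip()
    if HEX_RE.fullmatch(value) and len(value) in HASH_ALGO_BY_LENGTH:
        return "hash"
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if DOMAIN_RE.fullmatch(value):
        return "domain"
    raise ValueError(f"unsupported indicator: {indicator!r}")


def route(indicator, rescan=False):
    """Build the CLI call (name plus its single required option) for an indicator."""
    value = indicator.strip()
    kind = classify(value)
    cli, option = CLI_FOR_TYPE[kind]
    if kind == "hash":
        value = value.lower()  # normalize hex digest case before submitting
        if rescan:  # only hashes have a rescan CLI; its option is file_hash
            cli, option = "get_rescan_enrich_cli", "file_hash"
    call = {"cli": cli, option: value}
    if kind == "hash":
        call["algorithm"] = HASH_ALGO_BY_LENGTH[len(value)]
    # The page notes that Suspicious Rate is not returned for IP enrichment.
    call["expects_suspicious_rate"] = kind != "ip"
    return call
```

Anything that is not a hash, IP literal, http(s) URL or bare domain raises ValueError, so a malformed indicator is rejected before any CLI is invoked.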

Workflows

  • get_enrich_domain
    This CLI provides the capability to enrich the domain-related threat information from IntSights TIP, for the specific domain provided as a parameter in the CLI.

  • get_enrich_hash
    This CLI provides the capability to enrich the hash-related threat information from IntSights TIP, for the specific hash provided as the parameter in the CLI.

  • get_enrich_ip
    This is a CLI used to enrich the IP-related threat information from IntSights TIP, for the specific IP provided as a parameter in the CLI. Note that Suspicious Rate is not returned for IP enrichment.

  • get_enrich_tip
    Gets enrichment details for an IP, URL, domain or hash.

  • get_enrich_url
    This CLI provides the capability to enrich the URL-related threat information from IntSights TIP, for the specific URL provided as a parameter in the CLI.

  • wait_for_status_change
    Waits for a period of time before running the TIP enrichment.

  • post_get_enrich_domain
    Posts the get_enrich_domain result to the CDC, addressed by the ID of the incident/message/channel.

  • post_get_enrich_hash
    Posts the get_enrich_hash result to the CDC, addressed by the ID of the incident/message/channel.

  • post_get_enrich_ip
    Posts the get_enrich_ip result to the CDC, addressed by the ID of the incident/message/channel.

  • post_get_enrich_url
    Posts the get_enrich_url result to the CDC, addressed by the ID of the incident/message/channel.


Rules

No rules


Sensors

No sensors


Triggers

No triggers


Known Issues

No issues
