IntSights 3.5.3
  • 27 Sep 2022

tags: python | Intsights | Threat Intelligence | External Threat Protection


Description

The IntSights Threat Command integration supports CDC users by pulling IntSights threat alerts into the CDC as alerts, together with additional information on their observables. This enables CDC users to make informed incident response decisions.

Threat Command monitors thousands of sources across the clear, deep, and dark web to identify threats that directly target a client's unique digital footprint, and finds and reports on external threats targeting that client.

This pack supports two modes of operation: single-customer-account operation, where the account_id field in the pack configuration must be set; and MSSP (multiple-account) operation, where the account_id field in the pack configuration must be left blank. For multi-tenant usage, the tenant information can also be populated in the CDC as the company name.

All information read from IntSights is passed to the CDC in the form of an alert, with the content stored as raw information and observables. These observables are also marked as Indicators of Compromise (IoCs) based on input from the CyberProof Threat Intelligence team. IntSights alerts may also carry attachments; these are read, uploaded, and displayed under the File section of the CDC alert.

Integration type: Threat Intelligence Enrichment
Information read: Alerts read from IntSights, including their attachments.
API supported: API v1.0
Input: Sensor (no input required)
Output: All alerts available from IntSights, along with their attachments (CSV files or images).
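The following is an added example, not code from this pack or from IntSights, that models the behaviour described above: the single-account versus MSSP configuration rule for account_id, the conversion of an IntSights alert into a CDC alert carrying raw information, IoC-flagged observables, the tenant as company name and a list of attachment files, and de-duplication of alert ids across successive 30-second polls. The alert and configuration structures (the `mode` field, the `account_id`/`account_name` keys, the `SAMPLE_ALERTS` data) are constructed for illustration and are not the real IntSights Threat Command or CDC schemas; the IoC set is passed in by the caller, standing in for the input that comes from the CyberProof Threat Intelligence team.

```python
# Added example modelling this integration's behaviour. All field names and the
# sample alerts are hypothetical, not the IntSights or CDC schemas.
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass
class PackConfig:
    """Pack configuration. mode is 'single' or 'mssp' (hypothetical field);
    account_id must be set in single mode and blank in MSSP mode."""
    mode: str
    account_id: str = ""


def validate_config(cfg: PackConfig) -> List[str]:
    """Return the configuration errors implied by the two operating modes."""
    errors: List[str] = []
    if cfg.mode == "single" and not cfg.account_id.strip():
        errors.append("single-account mode requires account_id to be set")
    elif cfg.mode == "mssp" and cfg.account_id.strip():
        errors.append("MSSP mode requires account_id to be blank")
    elif cfg.mode not in ("single", "mssp"):
        errors.append(f"unknown mode {cfg.mode!r}")
    return errors


def to_cdc_alert(alert: dict, ioc_values: Set[str]) -> dict:
    """Convert one (hypothetical) IntSights alert into a CDC alert record.
    Observables whose value appears in ioc_values are flagged as IoCs."""
    observables = [
        {"type": o["type"], "value": o["value"], "ioc": o["value"] in ioc_values}
        for o in alert.get("observables", [])
    ]
    return {
        "source": "intsights",
        "source_alert_id": alert["id"],          # needed later to close it in IntSights
        "title": alert["title"],
        "severity": alert.get("severity", "unknown"),
        "company": alert.get("account_name"),    # tenant shown as company name
        "raw": alert,                            # raw information kept in full
        "observables": observables,
        "files": [a["name"] for a in alert.get("attachments", [])],  # CSVs / images
    }


class IntSightsPoller:
    """Remembers which IntSights alert ids were already injected, so that a
    30 s poll returning an overlapping page does not create duplicate CDC alerts."""

    def __init__(self, cfg: PackConfig, ioc_values: Set[str]):
        errors = validate_config(cfg)
        if errors:
            raise ValueError("; ".join(errors))
        self.cfg = cfg
        self.ioc_values = ioc_values
        self.seen: Set[str] = set()

    def poll(self, fetched: Iterable[dict]) -> List[dict]:
        """Return CDC alerts for the not-yet-seen alerts in one poll result."""
        new: List[dict] = []
        for alert in fetched:
            # In single-account mode, ignore alerts that belong to other tenants.
            if self.cfg.mode == "single" and alert.get("account_id") != self.cfg.account_id:
                continue
            if alert["id"] in self.seen:
                continue
            self.seen.add(alert["id"])
            new.append(to_cdc_alert(alert, self.ioc_values))
        return new


# Constructed sample page of alerts, as a poll might return it (not real data).
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Leaked credentials on paste site", "severity": "High",
     "account_id": "acct-1", "account_name": "Acme Corp",
     "observables": [{"type": "domain", "value": "acme-login.example"},
                     {"type": "email", "value": "cfo@acme.example"}],
     "attachments": [{"name": "paste.csv"}]},
    {"id": "a2", "title": "Phishing domain registered", "severity": "Medium",
     "account_id": "acct-2", "account_name": "Beta Ltd",
     "observables": [{"type": "domain", "value": "beta-secure.example"}],
     "attachments": [{"name": "screenshot.png"}]},
]


def demo() -> dict:
    """MSSP mode: poll the same page twice; only the first poll yields alerts."""
    poller = IntSightsPoller(PackConfig(mode="mssp"), ioc_values={"acme-login.example"})
    first = poller.poll(SAMPLE_ALERTS)
    second = poller.poll(SAMPLE_ALERTS)
    return {"first": first, "second": second}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The `seen` set lives only in memory here; a real sensor that polls every 30 seconds should persist its cursor (last alert id or timestamp) so that a restart does not re-inject alerts that were already converted.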

Customer Configuration

No customer configuration


CDC Command Lines

No CDC command lines


Workflows

* **automate_alert_closing**
Closes IntSights alerts.

* **automate_alert_creation**
Converts IntSights alerts into CDC alerts.

* **upload_image**
Uploads images to the CDC.


Rules

* **Intsights.cdc_closed_alert_listener_for_intsights**
Listens for CDC alerts being closed and closes the corresponding alerts in IntSights.

* **cdc_new_alert_from_intsights**
Triggers the workflow that injects a new alert into the CDC when a new alert is created in IntSights.


Sensors

* **IntSightsSensor**
Sensor that pulls alerts from IntSights.

Poll interval: 30 s


Triggers

No triggers


Known Issues

No known issues

