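# Cortex XSOAR integration definition for the FireEye iSIGHT threat-intelligence
# service. Sections, in order: identity/metadata, instance configuration
# parameters, the script stub, the commands exposed to playbooks, and the
# test/version markers. Indentation below was reconstructed; the key order
# and every value are as in the original.
commonfields:
  id: FireEye iSIGHT
  version: -1  # presumably the platform-managed "system content" marker — confirm
name: FireEye iSIGHT
display: FireEye iSIGHT
category: Data Enrichment & Threat Intelligence
description: FireEye cyber threat intelligence

# Instance parameters. `type` codes used here: 0 short text, 1 long text,
# 4 encrypted text, 8 boolean, 9 credentials object; 15 and 17 are select /
# expiration-policy widgets (exact labels: confirm against the platform docs).
configuration:
- display: Public Key
  name: publicKey
  defaultvalue: ""
  type: 0
  required: true
# Legacy secret field: encrypted (type 4) and hidden from the instance form.
# It sits next to the credentials object below under the same display name,
# presumably kept so instances configured before the credentials parameter
# existed keep working — confirm before removing.
- display: Private Key
  name: privateKey
  defaultvalue: ""
  type: 4
  required: false
  hidden: true
# Preferred secret input: a credentials object (type 9); `hiddenusername`
# hides the username half, so only the password/secret part is collected.
- displaypassword: Private Key
  name: credentials_private_key
  required: false
  hiddenusername: true
  type: 9
# API version string; quoted so YAML does not read it as the float 2.5.
- display: Version
  name: version
  defaultvalue: "2.5"
  type: 0
  required: true
# Boolean switch that, per its own label, disables server-certificate
# validation on the API connection. Leave false outside isolated test setups:
# with it on, the keys above are sent over an unauthenticated TLS session.
- display: Trust any certificate (not secure)
  name: insecure
  type: 8
  required: false
- display: Use system proxy settings
  name: proxy
  type: 8
  required: false
# Reliability grade attached to indicators this integration produces
# (feeds the DBotScore outputs declared on the commands below).
- additionalinfo: Reliability of the source providing the intelligence data.
  defaultvalue: B - Usually reliable
  display: Source Reliability
  name: integrationReliability
  options:
  - A+ - 3rd party enrichment
  - A - Completely reliable
  - B - Usually reliable
  - C - Fairly reliable
  - D - Not usually reliable
  - E - Unreliable
  - F - Reliability cannot be judged
  required: false
  type: 15
# Indicator expiration settings. Both carry an empty `display`, presumably
# because the platform supplies the label for these widget types — confirm.
- defaultvalue: indicatorType
  name: feedExpirationPolicy
  display: ''
  options:
  - never
  - interval
  - indicatorType
  - suddenDeath
  required: false
  type: 17
# Interval default is a quoted numeric string so it is not retyped as an
# integer; the unit is not stated here (20160 is 14 days if minutes — confirm).
- defaultvalue: '20160'
  name: feedExpirationInterval
  display: ''
  required: false
  type: 1

# The script body is empty here; the JavaScript implementation presumably
# lives in a sibling file and is merged at build time — confirm.
script:
  script: ''
  type: javascript

  # Commands. The DBotScore.* outputs are the platform's standard reputation
  # context; Report.* paths are this integration's own.
  commands:
  - name: ip
    arguments:
    - name: ip
      required: true
      default: true
      description: ip to search by
    outputs:
    - contextPath: DBotScore.Indicator
      description: The indicator we tested
    - contextPath: DBotScore.Type
      description: The type of the indicator
    - contextPath: DBotScore.Vendor
      description: Vendor used to calculate the score
    - contextPath: DBotScore.Score
      description: The actual score
    - contextPath: IP.Address
      description: The IP address
    - contextPath: Report.ID
      description: Report ID
    - contextPath: Report.title
      description: Report title
    - contextPath: Report.publishDate
      description: Report publish date
    - contextPath: Report.intelligenceType
      description: Report intelligence type (overview, vulnerability, malware, threat)
    description: basic search reports by ip
  - name: domain
    arguments:
    - name: domain
      required: true
      default: true
      description: domain to search by
    outputs:
    - contextPath: DBotScore.Indicator
      description: The indicator we tested
    - contextPath: DBotScore.Type
      description: The type of the indicator
    - contextPath: DBotScore.Vendor
      description: Vendor used to calculate the score
    - contextPath: DBotScore.Score
      description: The actual score
    - contextPath: Domain.Name
      description: The domain name.
    - contextPath: Report.ID
      description: Report ID
    - contextPath: Report.title
      description: Report title
    - contextPath: Report.publishDate
      description: Report publish date
    - contextPath: Report.intelligenceType
      description: Report intelligence type (overview, vulnerability, malware, threat)
    description: basic search reports by domain
  # NOTE(review): unlike `ip` and `domain`, the single `file` argument is
  # neither `required` nor `default`, and the command description talks about
  # separate md5/sha1 arguments that are not declared here — confirm the
  # intended argument contract before relying on positional invocation.
  - name: file
    arguments:
    - name: file
      description: md5 or sha1 to search by
    outputs:
    - contextPath: DBotScore.Indicator
      description: The indicator we tested
    - contextPath: DBotScore.Type
      description: The type of the indicator
    - contextPath: DBotScore.Vendor
      description: Vendor used to calculate the score
    - contextPath: DBotScore.Score
      description: The actual score
    - contextPath: Report.ID
      description: Report ID
    - contextPath: Report.title
      description: Report title
    - contextPath: Report.publishDate
      description: Report publish date
    - contextPath: Report.intelligenceType
      description: Report intelligence type (overview, vulnerability, malware, threat)
    # Plain multi-line scalar: the continuation line folds into one sentence.
    description: basic search file report by md5/sha1. NOTE - specify only one of
      md5/sha1 arguments
  - name: isight-get-report
    arguments:
    - name: reportID
      required: true
      default: true
      description: Report ID to search by
    outputs:
    - contextPath: Report.ID
      description: Report ID
    - contextPath: Report.title
      description: Report title
    - contextPath: Report.publishDate
      description: Report publish date
    - contextPath: Report.intelligenceType
      description: Report intelligence type (overview, vulnerability, malware, threat)
    - contextPath: Report.audience
      description: Report audience
    - contextPath: Report.ThreatScape
      description: Report threat scape
    - contextPath: Report.operatingSystems
      description: Report operating systems
    - contextPath: Report.riskRating
      description: Report risk rating
    - contextPath: Report.version
      description: Report version
    - contextPath: Report.tagSection
      description: Report tag section
    description: Get specific report
  # Uploads the War Room entry's file to the external service for community
  # sharing (per the description). This is outbound data transfer of the
  # sample itself; review what is submitted when the file may hold sensitive
  # or internal data.
  - name: isight-submit-file
    arguments:
    - name: entryID
      required: true
      default: true
      description: entry-id of the file to submit (e.g. 41@18)
    - name: description
      required: true
      description: file description
    - name: type
      description: "Type of the given file"
      required: true
      auto: PREDEFINED
      predefined:
      - malware
      - other
    description: Submission of malware and other files for community sharing

# No test playbook is attached to this integration.
tests:
- No test
fromversion: 5.0.0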