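# XSOAR automation definition for CreateHashIndicatorWrapper.
# Per `comment`, it fronts hash allow/block operations for Cortex XDR, MSDE and
# CrowdStrike; the script body is not inlined here (`script: '-'`), so input
# validation and which product receives the indicator are decided in the code,
# not in this file.
# Indentation restored (the source was flattened to column 0); sequence items
# are kept flush with their parent key throughout, as in the rest of the
# content repo.
args:
- default: false
  description: 'Array of SHA256 hashes.'
  # isArray: the platform splits a comma-separated value into a list.
  # NOTE(review): nothing here constrains items to 64 hex chars — confirm the
  # script validates each entry before handing it to the target product.
  isArray: true
  name: hash
  required: true
  secret: false
- default: false
  description: 'The action to apply to the hash - allow or block.'
  isArray: false
  name: action
  required: true
  secret: false
  # PREDEFINED restricts the value to the list below; callers cannot pass
  # any other action string.
  # NOTE(review): 'allow' presumably creates an allow-list entry in the target
  # product — confirm the script limits it to confirmed false positives.
  auto: PREDEFINED
  predefined:
  - 'allow'
  - 'block'
comment: 'This is a wrapper to allow or block hash lists from Cortex XDR, MSDE or CrowdStrike.'
commonfields:
  id: CreateHashIndicatorWrapper
  # -1 marks a content-pack item whose version is managed by the pack.
  version: -1
enabled: false
name: CreateHashIndicatorWrapper
outputs:
# MSDE outputs
- contextPath: MicrosoftATP.Indicators.id
  description: Created by the system when the indicator is ingested. Generated GUID/unique identifier.
  type: String
- contextPath: MicrosoftATP.Indicators.action
  description: 'The action to apply if the indicator is matched within the targetProduct security tool. Possible values: "unknown", "allow", "block", or "alert".'
  type: String
- contextPath: MicrosoftATP.Indicators.additionalInformation
  description: A catchall area where extra data from the indicator not covered by the other indicator properties may be placed. Data placed into additionalInformation is typically not utilized by the targetProduct security tool.
  type: String
- contextPath: MicrosoftATP.Indicators.azureTenantId
  description: Stamped by the system when the indicator is ingested. The Azure Active Directory submitting client tenant ID.
  type: String
- contextPath: MicrosoftATP.Indicators.confidence
  description: An integer representing confidence the indicator data accurately identifies malicious behavior. Possible values are 0 – 100, with 100 being the highest.
  type: Number
- contextPath: MicrosoftATP.Indicators.description
  description: Brief description (100 characters or less) of the threat represented by the indicator.
  type: String
- contextPath: MicrosoftATP.Indicators.diamondModel
  description: 'The area of the Diamond Model in which this indicator exists. Possible values: "unknown", "adversary", "capability", "infrastructure", and "victim".'
  type: String
- contextPath: MicrosoftATP.Indicators.domainName
  description: Domain name associated with this indicator. Should be in the format subdomain.domain.topleveldomain.
  type: String
- contextPath: MicrosoftATP.Indicators.expirationDateTime
  description: 'DateTime string indicating when the indicator expires. To avoid stale indicators persisting in the system, all indicators must have an expiration date. The timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: ''2014-01-01T00:00:00Z'''
  type: Date
- contextPath: MicrosoftATP.Indicators.externalId
  description: An identification number that ties the indicator back to the indicator provider’s system (for example, a foreign key).
  type: String
- contextPath: MicrosoftATP.Indicators.fileCompileDateTime
  description: 'DateTime the file was compiled. The timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: ''2014-01-01T00:00:00Z'''
  type: Date
- contextPath: MicrosoftATP.Indicators.fileCreatedDateTime
  description: 'DateTime the file was created. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: ''2014-01-01T00:00:00Z'''
  type: Date
- contextPath: MicrosoftATP.Indicators.fileHashType
  description: 'The type of hash stored in fileHashValue. Possible values: "unknown", "sha1", "sha256", "md5", "authenticodeHash256", "lsHash", and "ctph".'
  type: String
- contextPath: MicrosoftATP.Indicators.fileHashValue
  description: The file hash value.
  type: String
- contextPath: MicrosoftATP.Indicators.fileMutexName
  description: The Mutex name used in file-based detections.
  type: String
- contextPath: MicrosoftATP.Indicators.fileName
  description: The name of the file if the indicator is file-based. Multiple file names may be delimited by commas.
  type: String
- contextPath: MicrosoftATP.Indicators.filePacker
  description: The packer used to build the file in question.
  type: String
- contextPath: MicrosoftATP.Indicators.filePath
  description: The path of the file indicating a compromise. Can be a Windows or *nix style path.
  type: String
- contextPath: MicrosoftATP.Indicators.fileSize
  description: The size of the file in bytes.
  type: Number
- contextPath: MicrosoftATP.Indicators.fileType
  description: The text description of the type of file. For example, “Word Document” or “Binary”.
  type: String
- contextPath: MicrosoftATP.Indicators.ingestedDateTime
  description: 'The timestamp the indicator was ingested into the system. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: ''2014-01-01T00:00:00Z'''
  type: Date
- contextPath: MicrosoftATP.Indicators.isActive
  description: Used to deactivate indicators within the system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.
  type: Boolean
- contextPath: MicrosoftATP.Indicators.knownFalsePositives
  description: Scenarios in which the indicator may cause false positives. This should be human-readable text.
  type: String
- contextPath: MicrosoftATP.Indicators.lastReportedDateTime
  description: 'The last time the indicator was seen. The timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: ''2014-01-01T00:00:00Z'''
  type: Date
- contextPath: MicrosoftATP.Indicators.networkCidrBlock
  description: The CIDR Block notation representation of the network referenced in this indicator. Use only if the source and destination cannot be identified.
  type: String
- contextPath: MicrosoftATP.Indicators.networkDestinationAsn
  description: The destination autonomous system identifier of the network referenced in the indicator.
  type: Number
- contextPath: MicrosoftATP.Indicators.networkDestinationCidrBlock
  description: The CIDR Block notation representation of the destination network in this indicator.
  type: String
- contextPath: MicrosoftATP.Indicators.networkDestinationIPv4
  description: The IPv4 IP address destination.
  type: String
- contextPath: MicrosoftATP.Indicators.networkDestinationIPv6
  description: The IPv6 IP address destination.
  type: String
- contextPath: MicrosoftATP.Indicators.networkDestinationPort
  description: The TCP port destination.
  type: Number
- contextPath: MicrosoftATP.Indicators.networkIPv4
  description: The IPv4 IP address.
  type: String
- contextPath: MicrosoftATP.Indicators.networkIPv6
  description: The IPv6 IP address.
  type: String
- contextPath: MicrosoftATP.Indicators.networkPort
  description: The TCP port.
  type: Number
- contextPath: MicrosoftATP.Indicators.networkProtocol
  description: The decimal representation of the protocol field in the IPv4 header.
  type: Number
- contextPath: MicrosoftATP.Indicators.networkSourceAsn
  description: The source autonomous system identifier of the network referenced in the indicator.
  type: Number
- contextPath: MicrosoftATP.Indicators.networkSourceCidrBlock
  description: The CIDR Block notation representation of the source network in this indicator.
  type: String
- contextPath: MicrosoftATP.Indicators.networkSourceIPv4
  description: The IPv4 IP address source.
  type: String
- contextPath: MicrosoftATP.Indicators.networkSourceIPv6
  description: The IPv6 IP address source.
  type: String
- contextPath: MicrosoftATP.Indicators.networkSourcePort
  description: The TCP port source.
  type: Number
- contextPath: MicrosoftATP.Indicators.passiveOnly
  description: Determines if the indicator should trigger an event that is visible to an end-user. When set to ‘true,’ security tools do not notify the end user that a ‘hit’ has occurred. This is most often treated as audit or silent mode by security products where they simply log that a match occurred but do not perform the action. Default value is false.
  type: Boolean
- contextPath: MicrosoftATP.Indicators.severity
  # NOTE(review): the description lists named levels while the declared type is
  # Number; wording is taken from the upstream API docs — verify what the
  # integration actually writes to context.
  description: 'An integer representing the severity of the malicious behavior identified by the data within the indicator. Possible values: "Informational", "Low", "MediumLow", "MediumHigh", and "High", where High is the most severe and Informational is not severe at all.'
  type: Number
- contextPath: MicrosoftATP.Indicators.targetProduct
  description: A string representing a single security product to which the indicator should be applied.
  type: String
- contextPath: MicrosoftATP.Indicators.threatType
  description: 'Each indicator must have a valid Indicator Threat Type. Possible values: "Botnet", "C2", "CryptoMining", "Darknet", "DDoS", "MaliciousUrl", "Malware", "Phishing", "Proxy", "PUA", and "WatchList".'
  type: String
- contextPath: MicrosoftATP.Indicators.tlpLevel
  description: 'Traffic Light Protocol value for the indicator. Possible values: "unknown", "white", "green", "amber", and "red".'
  type: String
- contextPath: MicrosoftATP.Indicators.url
  description: Uniform Resource Locator. This URL complies with RFC 1738.
  type: String
- contextPath: MicrosoftATP.Indicators.userAgent
  description: User-Agent string from a web request that could indicate compromise.
  type: String
- contextPath: MicrosoftATP.Indicators.vendorInformation
  description: Information about the vendor.
  type: String
# Standard File context written alongside the MSDE indicator.
- contextPath: File.Name
  description: The full file name (including file extension).
  type: String
- contextPath: File.Size
  description: The size of the file in bytes.
  type: Number
- contextPath: File.MD5
  description: The MD5 hash of the file.
  type: String
- contextPath: File.SHA1
  description: The SHA1 hash of the file.
  type: String
- contextPath: File.SHA256
  description: The SHA256 hash of the file.
  type: String
- contextPath: File.SHA512
  description: The SHA512 hash of the file.
  type: String
- contextPath: File.Type
  description: The file type, as determined by libmagic (same as displayed in file entries).
  type: String
- contextPath: File.Path
  description: The path where the file is located.
  type: String
# XDR outputs
# NOTE(review): no Cortex XDR output paths are declared even though `comment`
# lists XDR as a supported product; any context the XDR branch writes will be
# undocumented to playbook authors — confirm against the script and add them.
# CrowdStrike outputs
# `type` casing normalized to `String` to match the MSDE and File entries above.
- contextPath: CrowdStrike.IOC.Type
  description: The type of the IOC.
  type: String
- contextPath: CrowdStrike.IOC.Value
  description: The string representation of the indicator.
  type: String
- contextPath: CrowdStrike.IOC.ID
  description: The full ID of the indicator (type:value).
  type: String
- contextPath: CrowdStrike.IOC.Policy
  description: The policy of the indicator.
  type: String
- contextPath: CrowdStrike.IOC.Source
  description: The source of the IOC.
  type: String
- contextPath: CrowdStrike.IOC.ShareLevel
  description: The level at which the indicator will be shared.
  type: String
- contextPath: CrowdStrike.IOC.Expiration
  description: The datetime the indicator will expire.
  type: String
- contextPath: CrowdStrike.IOC.Description
  description: The description of the IOC.
  type: String
- contextPath: CrowdStrike.IOC.CreatedTime
  description: The datetime the IOC was created.
  type: String
- contextPath: CrowdStrike.IOC.CreatedBy
  description: The identity of the user/process who created the IOC.
  type: String
- contextPath: CrowdStrike.IOC.ModifiedTime
  description: The date and time the indicator was last modified.
  type: String
- contextPath: CrowdStrike.IOC.ModifiedBy
  description: The identity of the user/process who last updated the IOC.
  type: String
# '-' means the implementation is kept outside this YAML file.
script: '-'
system: false
tags:
- basescript
# Quoted so the value stays a string field rather than an integer.
timeout: '0'
type: python
subtype: python3
dockerimage: demisto/python3:3.10.10.48392
fromversion: 6.0.0
# No test playbook is wired up for this automation.
tests:
- No tests (auto formatted)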