DeepSight

Integration version: 6.0

Configure DeepSight integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Actions

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name    Value Options    Example
null                  True/False       null:False

JSON Result

N/A

Scan Domain

Description

Scan a domain.

Parameters

N/A

Run On

This action runs on the following entities:

  • User
  • Hostname
  • URL

Action Results

Entity Enrichment

Enrichment Field Name    Logic - When to apply
domain                   Returns if it exists in JSON result
whitelisted              Returns if it exists in JSON result
schemaVersion            Returns if it exists in JSON result
whois                    Returns if it exists in JSON result

Insights

N/A

Script Result

Script Result Name    Value Options    Example
null                  N/A              N/A

JSON Result

[{
  "EntityResult": {
    "domain": "example.com",
    "whitelisted": true,
    "schemaVersion": 2,
    "whois": {
      "city": "Reno",
      "updated": "2014-04-30T00:00:00Z",
      "created": "1994-11-01T00:00:00Z",
      "nameServers": ["NS1.P31.DYNECT.NET", "NS2.P31.DYNECT.NET", "NS3.P31.DYNECT.NET"],
      "country": "Us",
      "expires": "2022-10-31T00:00:00Z",
      "person": "Hostmaster,AmazonLegalDept.",
      "registrar": "MarkmonitorInc.",
      "postalCode": "89507",
      "organization": "AmazonTechnologies,Inc.",
      "email": "john_doe@example.com"
    }
  },
  "Entity": "example.com"
}]

Scan Email

Description

Scan an email.

Parameters

N/A

Run On

This action runs on the User entity.

Action Results

Entity Enrichment

Enrichment Field Name    Logic - When to apply
date                     Returns if it exists in JSON result
title                    Returns if it exists in JSON result
uri                      Returns if it exists in JSON result
id                       Returns if it exists in JSON result

Insights

N/A

Script Result

Script Result Name    Value Options    Example
null                  N/A              N/A

JSON Result

[{
  "EntityResult": {
    "date": "2015-04-27T01:10Z",
    "title": "Laziok Trojan Activity and Infrastructure\u2014January to April 2015",
    "uri": "/v1/mati/reports/300156",
    "id": 300156
  },
  "Entity": "john_doe@example.com"
}]

Scan File Name

Description

Scan the name of the file that was involved in an event.

Parameters

N/A

Run On

This action runs on the Filename entity.

Action Results

Entity Enrichment

Enrichment Field Name    Logic - When to apply
date                     Returns if it exists in JSON result
title                    Returns if it exists in JSON result
uri                      Returns if it exists in JSON result
id                       Returns if it exists in JSON result

Insights

N/A

Script Result

Script Result Name    Value Options    Example
null                  True/False       null:False

JSON Result

[{
  "EntityResult": {
    "date": "2015-04-27T01:10Z",
    "title": "Laziok Trojan Activity and Infrastructure\u2014January to April 2015",
    "uri": "/v1/mati/reports/300156",
    "id": 300156
  },
  "Entity": "BadGuy1"
}]

Scan Hash

Description

Scan a hash.

Parameters

N/A

Run On

This action runs on the Filename entity.

Action Results

Entity Enrichment

Enrichment Field Name    Logic - When to apply
matiReports              Returns if it exists in JSON result
intelligence             Returns if it exists in JSON result
detection_name           Returns if it exists in JSON result
Activity                 Returns if it exists in JSON result
schemaVersion            Returns if it exists in JSON result
sha256                   Returns if it exists in JSON result
events                   Returns if it exists in JSON result
md5                      Returns if it exists in JSON result
reputation               Returns if it exists in JSON result

Insights

N/A

Script Result

Script Result Name    Value Options    Example
null                  N/A              N/A

JSON Result

[{
  "EntityResult": {
    "matiReports": [{
      "date": "2015-04-27T01:10:47Z",
      "title": "Laziok Trojan Activity and Infrastructure\u2014January to April 2015",
      "uri": "/v1/mati/reports/300156",
      "id": 300156
    }],
    "intelligence": {
      "countries": ["kor", "Gtm", "are"],
      "paths": ["CSIDL_PROFILE\\appdata\\local\\searchlike"],
      "fileNames": ["SEARCHLIKE.EXE"],
      "parentProcesses": ["f8403ce30c3a2a42b4604c2cf952533ed828a3d7bdb289b0cec82b8844a72a5a"],
      "filesCreated": [{
        "path": "CSIDL_PROFILE\\appdata\\local\\searchlike",
        "sha256": "6d873e6198f7aca685b4c697dfbf82e3450ed5277c5f3c55b1b6fb0338521e0f",
        "fileName": "B_SEARCHLIKEEX.EXE"
      }]
    },
    "detection_name": "Trojan.Mdropper",
    "Activity": {
      "dns": [{"type": "A", "target": "acroipm2.adobe.com"}],
      "urls": [{"url": "http://acroipm.adobe.com/assets/102.zip"}]
    },
    "schemaVersion": 3,
    "sha256": "e46d5472e49793017892cb18a0aa174ff9c5b79cec0a9451f1b70e21b19855c2",
    "events": [{
      "pid": 2528,
      "type": "PROCESS:CURRENT",
      "target": "C:\\Windows\\SysWOW64\\cmd.exe",
      "severity": 1,
      "details": "B41859D39D786D32B23A9D2E00F4011DEC7A02402AE"
    }],
    "md5": "a77e89bf60e931477f5858a004fb5e0a",
    "reputation": "Malicious"
  },
  "Entity": "a77e89bf60e931477f5858a004fb5e0a"
}]

Scan IP

Description

Scan an IP address.

Parameters

N/A

Run On

This action runs on the IP Address entity.

Action Results

Entity Enrichment

Enrichment Field Name    Logic - When to apply
geolocation              Returns if it exists in JSON result
Network                  Returns if it exists in JSON result
targetIndustries         Returns if it exists in JSON result
ip                       Returns if it exists in JSON result
whitelisted              Returns if it exists in JSON result
behaviours               Returns if it exists in JSON result
targetCountries          Returns if it exists in JSON result
lastSeen                 Returns if it exists in JSON result
urls                     Returns if it exists in JSON result
domains                  Returns if it exists in JSON result
Organization             Returns if it exists in JSON result
schemaVersion            Returns if it exists in JSON result
firstSeen                Returns if it exists in JSON result

Insights

N/A

Script Result

Script Result Name    Value Options    Example
null                  N/A              N/A

JSON Result

[{
  "EntityResult": {
    "geolocation": {
      "latitude": 39.91176055,
      "city": "Beijing",
      "longitude": 116.3792325,
      "country": "China"
    },
    "Network": {
      "carrier": "ChinaUnicomBeijingProvinceNetwork",
      "asn": 4808,
      "lineSpeed": "High",
      "ipRouting": "Fixed"
    },
    "targetIndustries": [
      {"name": "Utilities", "naics": 221},
      {"name": "Telecommunications", "naics": 517}
    ],
    "ip": "1.1.1.1",
    "whitelisted": false,
    "behaviours": [{
      "behaviour": "Attacks",
      "type": "WWWAttacks",
      "description": "FakeBrowserUpdate"
    }],
    "targetCountries": ["fra", "tur", "twn"],
    "lastSeen": "2019-01-20T00:00:00Z",
    "urls": [{
      "url": "http://iremedypro.com/assets/img/jQuery/014/LOGS/c1dabc02e7c9c23688fcdccb9c94379f",
      "uri": "/v1/urls/http://iremedypro.com/assets/img/jQuery/014/LOGS/c1dabc02e7c9c23688fcdccb9c94379f"
    }],
    "domains": [{
      "domain": "iremedypro.com",
      "uri": "/v1/domains/iremedypro.com"
    }],
    "Organization": {
      "isic": "J6110",
      "type": "InternetServiceProvider",
      "name": "ChinaUnicomBeijingProvinceNetwork",
      "naics": 517110
    },
    "schemaVersion": 2,
    "firstSeen": "2016-01-01T00:00:00Z"
  },
  "Entity": "1.1.1.1"
}]

Scan URL

Description

Scan a URL.

Parameters

N/A

Run On

This action runs on the URL entity.

Action Results

Entity Enrichment

Enrichment Field Name    Logic - When to apply
url                      Returns if it exists in JSON result
host                     Returns if it exists in JSON result
whitelisted              Returns if it exists in JSON result
schemaVersion            Returns if it exists in JSON result
whois                    Returns if it exists in JSON result

Insights

N/A

Script Result

Script Result Name    Value Options    Example
null                  N/A              N/A

JSON Result

[{
  "EntityResult": {
    "url": "https://www.facebook.com",
    "host": {
      "domain": "facebook.com",
      "uri": "/v1/domains/facebook.com"
    },
    "whitelisted": true,
    "schemaVersion": 2,
    "whois": {
      "city": "MenloPark",
      "updated": "2015-08-25T00:00:00Z",
      "created": "1997-03-29T00:00:00Z",
      "nameServers": ["A.NS.FACEBOOK.COM", "B.NS.FACEBOOK.COM"],
      "country": "Us",
      "expires": "2020-03-30T00:00:00Z",
      "person": "DomainAdministrator",
      "registrar": "MarkmonitorInc.",
      "postalCode": "94025",
      "organization": "Facebook,Inc.",
      "email": "john_doe@example.com"
    }
  },
  "Entity": "https://www.facebook.com"
}]
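As an added example (not code from the DeepSight integration or from Google Security Operations), the following Python applies the enrichment rule every table above shares, "Returns if it exists in JSON result", to a constructed Scan Hash result in the documented shape, and adds a simple triage flag built on the reputation and whitelisted fields. The DeepSight_ field prefix and the flattening of nested values into JSON strings are assumptions about how flat enrichment fields are stored, not behaviour this page documents.

```python
import json
from typing import Any, Dict, List

# Constructed sample in the Scan Hash "JSON Result" shape documented above,
# with only some of the enrichable keys present (values taken from the page).
SAMPLE_SCAN_HASH_RESULT: List[Dict[str, Any]] = json.loads('''
[{
  "EntityResult": {
    "matiReports": [{"date": "2015-04-27T01:10:47Z", "title": "Laziok Trojan Activity",
                     "uri": "/v1/mati/reports/300156", "id": 300156}],
    "detection_name": "Trojan.Mdropper",
    "schemaVersion": 3,
    "md5": "a77e89bf60e931477f5858a004fb5e0a",
    "reputation": "Malicious"
  },
  "Entity": "a77e89bf60e931477f5858a004fb5e0a"
}]
''')

# Enrichment field names from the Scan Hash table on this page.
SCAN_HASH_FIELDS = ["matiReports", "intelligence", "detection_name", "Activity",
                    "schemaVersion", "sha256", "events", "md5", "reputation"]


def build_enrichment(action_results: List[Dict[str, Any]], fields: List[str],
                     prefix: str = "DeepSight") -> Dict[str, Dict[str, Any]]:
    """Apply the documented rule 'Returns if it exists in JSON result': emit,
    per entity, only the listed fields actually present in EntityResult.
    Nested values are JSON-serialised and names get an integration prefix; both
    are assumptions about flat SOAR enrichment storage, not from the page."""
    enriched: Dict[str, Dict[str, Any]] = {}
    for item in action_results:
        result = item.get("EntityResult") or {}
        fields_out: Dict[str, Any] = {}
        for name in fields:
            if name in result:  # absent keys are skipped, never emitted as null
                value = result[name]
                if isinstance(value, (dict, list)):
                    value = json.dumps(value, sort_keys=True)
                fields_out[f"{prefix}_{name}"] = value
        enriched[item["Entity"]] = fields_out
    return enriched


def is_suspicious(entity_result: Dict[str, Any]) -> bool:
    """Added triage heuristic (not from the page): Scan Hash results carry a
    "reputation" string, the domain/IP/URL results a "whitelisted" boolean."""
    return (entity_result.get("reputation") == "Malicious"
            or entity_result.get("whitelisted") is False)
```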