Digital Shadows
Integration version: 9.0
Use cases
Digital Shadows integration is used as a source for alerts and to enrich entities.
Prerequisites
To use the Digital Shadows API, the API key is required.
Requests to all operation endpoints require HTTP basic authentication and dedicated (high entropy) API credentials that normally consist of a 6-character key and a 32-character secret.
Integrate Digital Shadows with Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration inputs
To configure the integration, use the following parameters:
| Parameters | |
|---|---|
Instance Name |
Optional
Name of the Instance you intend to configure integration for. |
Description |
Optional
Instance description. |
API Key |
Required Digital Shadow API Key. |
API Secret |
Optional Digital Shadow API Secret. |
Run Remotely |
Optional Check the field to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). Unchecked by default. |
Actions
Enrich CVE
Enrich a CVE using Digital Shadows information.
Analysts may use this action to get more information about the particular CVE, which is useful for the investigation.
Entities
This action runs on the CVE entity.
Action inputs
N/A
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | Available |
| Case wall table | N/A |
| Enrichment table | Available |
| JSON result | Available |
| Script result | Available |
Entity enrichment
| Enrichment field | Source (JSON key) | Logic |
|---|---|---|
DigitalShadows_Exploit_title |
entity/title |
If available in JSON result. |
DigitalShadows_Exploit_type |
entity/type |
If available in JSON result. |
DigitalShadows_Exploit_platform |
entity/platform |
If available in JSON result. |
DigitalShadows_Exploit_source |
entity/sourceUri |
If available in JSON result. |
DigitalShadows_Vulnerability_sourceURL |
entity/sourceUri |
If available in JSON result. |
DigitalShadows_Vulnerability_description |
entity/description |
If available in JSON result. |
DigitalShadows_Vulnerability_score |
entity/cvss2Score/baseScore |
If available in JSON result. |
DigitalShadows_Vulnerability_authentication |
entity/cvss2Score/authentication |
If available in JSON result. |
DigitalShadows_Vulnerability_accessVector |
entity/cvss2Score/accessVector |
If available in JSON result. |
DigitalShadows_Vulnerability_accessComplexity |
entity/cvss2Score/accessComplexity |
If available in JSON result. |
DigitalShadows_Vulnerability_confidentialityImpact |
entity/cvss2Score/confidentialityImpact |
If available in JSON result. |
DigitalShadows_Vulnerability_integrityImpact |
entity/cvss2Score/integrityImpact |
If available in JSON result. |
DigitalShadows_Vulnerability_availabilityImpact |
entity/cvss2Score/availabilityImpact |
If available in JSON result. |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"content": [
{
"entity": {
"cveIdentifier": "CVE-2011-0489",
"created": "2011-01-18T18:03:00.000Z",
"updated": "2017-08-17T01:33:00.000Z",
"sourceUri": "https://nvd.nist.gov/vuln/detail/CVE-2011-0489",
"description": "The server components in Example_DB 10.0 do not require authentication for administrative commands, which allows remote attackers to modify data, obtain sensitive information, or cause a denial of service by sending requests over TCP to (1) the Lock Server or (2) the Advanced Multithreaded Server, as demonstrated by commands that are ordinarily sent by the (a) ookillls and (b) oostopams applications. NOTE: some of these details are obtained from third party information.",
"relatedCPEs": [
"cpe:/a:example:example%2fdb:10.0"
],
"cvss2Score": {
"baseScore": 7.5,
"authentication": "NONE",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "PARTIAL"
}
},
"type": "VULNERABILITY",
"snippet": "CVE ID: CVE-2011-0489</em><br><br>",
"sortDate": "2017-08-17T01:33:00.000Z"
},
{
"entity": {
"id": "f75754b5-65a3-46ee-bea7-e0f015a5283d",
"uri": "http://example.com",
"pasted": "2018-01-05T09:10:02.000Z",
"observableCounts": {
"ipV4": {
"count": 0,
"exceededMaximum": false
},
"email": {
"count": 0,
"exceededMaximum": false
},
"md5": {
"count": 0,
"exceededMaximum": false
},
"sha1": {
"count": 0,
"exceededMaximum": false
},
"sha256": {
"count": 0,
"exceededMaximum": false
},
"host": {
"count": 0,
"exceededMaximum": false
},
"cve": {
"count": 100,
"exceededMaximum": true
}
},
"screenshot": {
"id": "3ab6b3cb-349d-4ed7-b150-773454a11908",
"link": "https://example.com"
},
"screenshotThumbnail": {
"id": "7529cf75-5ddb-4e2d-8fc9-f3531e33704e",
"link": "https://example.com"
}
},
"type": "PASTE",
"snippet": ""\n ], \n "CVE-2002-1656": [\n "3043"\n ], \n "CVE-2003-0347": [\n "23094"\n ], \n "<em>CVE</em>-<em>2011</em>-<em>0489</em>": [\n "15988",
"sortDate": "2018-01-05T09:10:02.000Z"
},
"type": "PASTE",
"snippet": ") sequences in a crafted request.\n| [<em>CVE</em>-<em>2011</em>-<em>0489</em>] The server components in Example_DB 10.0 do ... in a crafted request.\n| [<em>CVE</em>-<em>2011</em>-<em>0489</em>] The server components in Example_DB 10.0 do not require ... request.\n| [<em>CVE</em>-<em>2011</em>-<em>0489</em>] The server components in Example_DB 10.0 do not require ... files via "../\\" (dot dot forward-slash backslash) sequences in a crafted request.\n| [<em>CVE</em>-<em>2011</em>-<em>0489</em>",
"sortDate": "2019-07-23T21:35:39.000Z"
}
],
"currentPage": {
"offset": 0,
"size": 50
},
"total": 4,
"facets": {}
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
Error executing action "Enrich CVE".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Case wall links
If
TYPE=Exploitis available in the JSON response:Title: Exploit Source URL
Link:
entity/sourceUriIf
TYPE=Vulnerabilityis available in the JSON response:Title: Vulnerability Source URL:
Link:
entity/sourceUriFor all entities that returned data:
Title: Full Digital Shadow Search Result
Link:
https://portal-digitalshadows.com/search?q=ENTITY
Enrich Hash - Deprecated
Enrich a Hash using Digital Shadows information.
Use cases
Analysts may use this action to collect additional details, for example whether or not it is a safe hash that would be beneficial to the investigation.
Run On
This action runs on the Filehash entity.
Action Results
Entity Enrichment
| Enrichment Field Name | Source (JSON Key) | Logic - When to apply |
|---|---|---|
| DigitalShadows_CylanceFileHash_generalScore | entity/fileHashInfo/generalScore | If available in JSON Result. |
| DigitalShadows_CylanceFileHash_classifier_ml | entity/fileHashInfo/classifiers/ml | If available in JSON Result. |
| DigitalShadows_CylanceFileHash_classifier_industry | entity/fileHashInfo/classifiers/industry | If available in JSON Result. |
| DigitalShadows_CylanceFileHash_classifier_human | entity/fileHashInfo/classifiers/human | If available in JSON Result. |
| DigitalShadows_WebrootFileHash_category | entity/category | If available in JSON Result. |
| DigitalShadows_WebrootFileHash_malwareCategory | entity/malwareCategory | If available in JSON Result. |
| DigitalShadows_WebrootFileHash_fileSizeBytes | entity/fileSizeBytes | If available in JSON Result. |
| DigitalShadows_WebrootFileHash_fileLastSeen | entity/fileLastSeen | If available in JSON Result. |
| DigitalShadows_WebrootFileHash_sourceUrls | entity/sourceUrls | If data is available in JSON Result. Empty lists should be ignored. |
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"content": [
{
"entity": {
"requestedHash": "617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98",
"status": 0,
"fileHashInfo": {
"status": "COMPLETE",
"statusCode": 1,
"generalScore": -1.0,
"classifiers": {
"ml": 1.0,
"industry": -1.0,
"human": -1.0
},
"hashes": {
"sha256": "617F7301FD67E8B5D8AD42D4E94E02CB313FE5AD51770EF93323C6115E52FE98",
"sha1": "CF0743ED381ADE69BBA3D1DD3D357A8300BCD4AE",
"md5": "8FE94843A3E655209C57AF587849AC3A"
}
}
},
"type": "CYLANCE_FILE_HASH"
},
{
"entity": {
"id": "7ab729ab-2176-4072-8fcc-483410e7949d",
"uri": "http://example.com",
"title": "Malware hashes",
"pasted": "2019-12-07T04:01:21.000Z",
"observableCounts": {
"ipV4": {
"count": 0,
"exceededMaximum": false
},
"email": {
"count": 0,
"exceededMaximum": false
},
"md5": {
"count": 0,
"exceededMaximum": false
},
"sha1": {
"count": 0,
"exceededMaximum": false
},
"sha256": {
"count": 45,
"exceededMaximum": false
},
"host": {
"count": 0,
"exceededMaximum": false
},
"cve": {
"count": 0,
"exceededMaximum": false
}
},
"screenshot": {
"id": "a358a7fd-ce76-4ac0-a338-7a17c5affcca",
"link": "https://example.com"
},
"screenshotThumbnail": {
"id": "2a98b417-1846-47ca-835f-b4be580cfdc2",
"link": "https://example.com"
}
},
"type": "PASTE",
"snippet": "617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98\n137e17ed0c693f5ba23c3f3bf252f7edc29548d97f426625a4e0c5fea0558e45",
"sortDate": "2019-12-07T04:01:21.000Z"
},
{
"entity": {
"id": "e05f1f61-5996-4ff9-b656-5d7fe856e459",
"uri": "http://example.com",
"pasted": "2017-12-27T08:53:14.000Z",
"observableCounts": {
"ipV4": {
"count": 0,
"exceededMaximum": false
},
"email": {
"count": 0,
"exceededMaximum": false
},
"md5": {
"count": 0,
"exceededMaximum": false
},
"sha1": {
"count": 0,
"exceededMaximum": false
},
"sha256": {
"count": 100,
"exceededMaximum": true
},
"host": {
"count": 0,
"exceededMaximum": false
},
"cve": {
"count": 0,
"exceededMaximum": false
}
},
"screenshot": {
"id": "d41fd1d9-aa0c-411d-87f5-824d036e9843",
"link": "https://example.com"
},
"screenshotThumbnail": {
"id": "ab91eba6-f8fd-4a7e-a3b4-6b100ee50789",
"link": "https://example.com"
}
},
"type": "PASTE",
"snippet": "617F7301FD67E8B5D8AD42D4E94E02CB313FE5AD51770EF93323C6115E52FE98",
"sortDate": "2017-12-27T08:53:14.000Z"
}
],
"currentPage": {
"offset": 0,
"size": 25
},
"total": 4,
"facets": {}
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail or stop a playbook execution: If no errors and returned data for entities:
If no errors and returned no data for
entities: The action should fail and stop a playbook execution: If error: Print "Error executing action "Enrich Hash". Reason: {0}''.format(error.Stacktrace) |
General |
| Links | For all entities that returned data: Title: Full Digital Shadows Search Result Link:
https://portal-digitalshadows.com/search?q= |
Entity |
Enrich IP - Deprecated
Enrich an IP using Digital Shadows information.
Use cases
Analysts may use this action to get more information about the IP address, which is useful for the investigation.
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
| Enrichment Field Name | Source (JSON Key) | Logic - When to apply |
|---|---|---|
| DigitalShadows_WebrootIP_reputationScore | entity/reputationScore | If available in JSON Result. |
| DigitalShadows_WebrootIP_asn | entity/asn | If available in JSON Result. |
| DigitalShadows_WebrootIP_currentlyClassifiedAsThreat | entity/currentlyClassifiedAsThreat | If available in JSON Result. |
| DigitalShadows_WebrootIP_ipThreatHistory | entity/ipThreatHistory | If available in JSON Result. |
| DigitalShadows_WebrootIP_country | entity/ipGeoInfo/country | If available in JSON Result. |
| DigitalShadows_WebrootIP_region | entity/ipGeoInfo/region | If available in JSON Result. |
| DigitalShadows_WebrootIP_state | entity/ipGeoInfo/state | If available in JSON Result. |
| DigitalShadows_WebrootIP_city | entity/ipGeoInfo/city | If available in JSON Result. |
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"content": [
{
"entity": {
"ipAddress": "192.0.2.1",
"updatedDateTime": "2020-02-21T01:10:01.000Z",
"reputationScore": 18,
"asn": 13335,
"currentlyClassifiedAsThreat": false,
"threatCategories": [],
"ipThreatHistory": [],
"ipReputationHistory": [
{
"timestamp": "2020-02-21T01:10:01.000Z",
"reputation": 18
},
{
"timestamp": "2020-02-07T01:10:02.000Z",
"reputation": 29
}
],
"ipIncidentHistory": [
{
"classifiedAsThreat": false,
"startDateTime": "2019-07-15T00:37:12.000Z",
"durationSeconds": 0,
"numberOfAttempts": 0,
"eventType": "Phishing IPs",
"threatType": "Phishing",
"eventDescription": "IP hosts phishing sites",
"applications": [],
"hostingPhishUrls": [
"example.net"
],
"scanDetails": [],
"attackDetails": []
},
{
"classifiedAsThreat": false,
"startDateTime": "2018-07-21T00:23:27.000Z",
"durationSeconds": 0,
"numberOfAttempts": 0,
"eventType": "Phishing IPs",
"threatType": "Phishing",
"eventDescription": "IP hosts phishing sites",
"applications": [],
"hostingPhishUrls": [
"example.net"
],
"scanDetails": [],
"attackDetails": []
}
],
"ipGeoInfo": {
"country": "united states",
"region": "mid atlantic",
"state": "new jersey",
"city": "newark",
"latitude": "40.73873",
"longitude": "-74.19453",
"organization": "example inc.",
"carrier": "example",
"tld": "",
"sld": "",
"asn": "example_isn"
}
},
"type": "WEBROOT_IP"
},
{
"entity": {
"id": "0007b64b-ef21-4b5f-a0c2-1e469ceb6896",
"uri": "http://example.com",
"pasted": "2019-10-23T13:32:46.000Z",
"observableCounts": {
"ipV4": {
"count": 100,
"exceededMaximum": true
},
"email": {
"count": 0,
"exceededMaximum": false
},
"md5": {
"count": 0,
"exceededMaximum": false
},
"sha1": {
"count": 0,
"exceededMaximum": false
},
"sha256": {
"count": 0,
"exceededMaximum": false
},
"host": {
"count": 0,
"exceededMaximum": false
},
"cve": {
"count": 0,
"exceededMaximum": false
}
},
"screenshot": {
"id": "b019cfcf-2d36-4bcd-9bf3-69fa67b5ec6d",
"link": "https://example.com"
},
"screenshotThumbnail": {
"id": "57af6550-6690-478f-8ba5-640a5560311a",
"link": "https://example.com"
}
},
"type": "PASTE",
"snippet": "192.0.2.1\n192.0.2.2\n192.0.2.3\n192.0.2.4\n192.0.2.5\n192.0.2.6\n192.0.2.7",
"sortDate": "2019-10-23T13:32:46.000Z"
}
],
"currentPage": {
"offset": 0,
"size": 50
},
"total": 10,
"facets": {}
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail or stop a playbook execution: If no errors and returned data for entities: If no errors and returned no data for entities:
The action should fail and stop a playbook execution: If error: Print "Error executing action "Enrich IP". Reason: {0}''. format(error.Stacktrace) |
General |
| Links | For all entities that returned data: Title: Full Digital Shadows Search Result Link: https://portal-digitalshadows.com/search?q=
|
Entity |
Enrich URL
Enrich a URL using Digital Shadows information.
Analysts may use this action to get more information about the specific URL address, which is useful for the investigation.
Entities
This action runs on the URL entity.
Action inputs
N/A
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | Available |
| Case wall table | N/A |
| Enrichment table | Available |
| JSON result | Available |
| Script result | Available |
Entity enrichment
| Enrichment field | Source (JSON key) | Logic |
|---|---|---|
DigitalShadows_WebrootDomain_timesLabeledAsThreat |
entity/threatHistory |
If available in JSON result. |
DigitalShadows_WebrootDomain_age |
entity/age |
If available in JSON result. |
DigitalShadows_WebrootIP_popularity |
entity/popularity |
If available in JSON result. |
DigitalShadows_WebrootIP_reputation |
entity/reputation |
If available in JSON result. |
DigitalShadows_WebrootIP_threatCategories |
entity/threatCategories |
If available in JSON result. |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"content": [
{
"entity": {
"domainOrUrl": "www.example.com",
"lastUpdated": "2020-02-25T12:08:20.944Z",
"threatCategories": [
{
"confidence": 93,
"group": "Security",
"name": "Malware Sites"
}
],
"reputation": 10,
"popularity": "UNRANKED",
"age": 82,
"threatHistory": 1,
"webrootCrawlHistory": [],
"domainHostedHashes": []
},
"type": "WEBROOT_DOMAIN"
}
],
"currentPage": {
"offset": 0,
"size": 50
},
"total": 66,
"facets": {}
}
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
Error executing action "Enrich URL".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Case wall link
For all entities that returned data:
Title: Full Digital Shadow Search Result
Link: https://portal-digitalshadows.com/search?q=ENTITY
Ping
Test connectivity to Digital Shadows with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
This action can be executed manually and isn't used playbooks.
Entities
This action doesn't run on entities.
Action inputs
N/A
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | Available |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully connected to the Digital Shadows with the provided
connection parameters! |
Action succeeded. |
Error executing action "Ping".
Reason: ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Case wall link
For all entities that returned data:
Title: Full Digital Shadow Search Result
Link: https://portal-digitalshadows.com/search?q=ENTITY
Connectors
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Digital Shadows - Incident Connector
Ingest incidents from Digital Shadows into Google Security Operations SOAR.
Connector inputs
To configure the connector, use the following parameters:
| Parameters | |
|---|---|
Product Field Name |
Required
Input the source field name to retrieve the Default value is |
Event Field Name |
Required
Enter the source field name to retrieve the Default value is |
Environment Field Name |
Optional
Name of the field where the environment name is stored. If the environment field isn't found, the default environment is used. Default value is |
Environment Regex Pattern |
Optional
A regular expression pattern to run on the value found in the
The default value The parameter lets you manipulate the environment field using the regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the default environment is used. |
Script Timeout (Seconds) |
Required Timeout limit for the python process running the current script. Default value is 180 seconds. |
API Key |
Required
Digital Shadow API Key. |
API secret |
Required
Digital Shadow API Secret. |
Client Secret |
Required
Client Secret of the CrowdStrike account. |
Fetch Max Hours Backwards |
Optional
Number of hours before now to retrieve incidents from. Default value is 1 hour. |
Lowest Severity To Fetch |
Required
Lowest severity score of the incidents to fetch. Possible values are:
Default value is |
Incident Type Filter |
Optional
Comma-separated list of incident types that should be ingested into Google Security Operations SOAR. By default, the connector retrieves all of the incident types. Possible values are:
|
Max Incidents To Fetch |
Optional
Number of incidents to process per one connector iteration. Default value is 50. |
Use whitelist as a blacklist |
Required
If checked, the dynamic list is used as a blocklist. Unchecked by default. |
Verify SSL |
Required
If checked, verifies that the SSL certificate for the connection to the CrowdStrike server is valid. Unchecked by default. |
Proxy Server Address |
Optional
Address of the proxy server to use. |
Proxy Username |
Optional
Proxy username to authenticate with. |
Proxy Password |
Optional
Proxy password to authenticate with. |
Connector rules
Connector supports proxy.