Intezer
This document provides guidance on how to integrate Intezer with the SOAR module of Google Security Operations.
Integration version: 7.0
Integrate Intezer with Google SecOps
The integration requires the following parameters:
Parameters | Description |
---|---|
API Root | Required. API root of the Intezer service. |
API Key | Required. API key of the Intezer service. |
Verify SSL | Optional. If selected, Google SecOps verifies that the SSL certificate for the connection to the Intezer server is valid. Not selected by default. |
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Actions
Detonate File
Use Intezer to analyze a file.
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
Parameters | Description |
---|---|
File Path | Required. The paths to the files that you want to analyze. You can provide multiple paths in a comma-separated string. |
Related Alert ID | Optional. The alert ID related to the file. |
Action outputs
The following table describes the output types associated with the Detonate File action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Detonate File action:
```json
[
  {
    "analysis_id": "6cd3347b-f5b2-4c98-a0bc-039a6386dc34",
    "analysis_status": "created",
    "analysis_type": "file",
    "identifier": "/tmp/example.eml"
  }
]
```
Output messages
The Detonate File action provides the following output messages:
Output message | Message description |
---|---|
Successfully fetched the analysis ids for the following file paths: PATH in Intezer | Action succeeded. |
Action wasn't able to fetch the analysis ids for the following file paths: PATH in Intezer | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Detonate File action:
Script result name | Value |
---|---|
is_success | True or False |
Detonate Hash
Analyze a file hash (SHA-1, SHA-256, or MD5) in Intezer Analyze.
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
Parameters | Description |
---|---|
File Hash | Required. The hash of the file that you want to analyze. You can provide multiple hashes in a comma-separated string. |
Action outputs
The following table describes the output types associated with the Detonate Hash action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Detonate Hash action:
Script result name | Value |
---|---|
is_success | True or False |
JSON result
The following example describes the JSON result output received when using the Detonate Hash action:
```json
[
  {
    "analysis_id": "7bbbec69-5764-479e-bb1c-c3686e992fbb",
    "analysis_status": "created",
    "analysis_type": "file",
    "identifier": "6be971118951786bc7be55ef5656149504008a3e"
  },
  {
    "analysis_id": "33ee6661-7435-4e0a-a606-0b7d1a644859",
    "analysis_status": "created",
    "analysis_type": "file",
    "identifier": "5b97c39d87ad627c53023bfebb0ea1b5227c3f4e86e3bf06b23f3e4b0d6726e2"
  }
]
```
Output messages
The Detonate Hash action provides the following output messages:
Output message | Message description |
---|---|
Successfully fetched the analysis ids for the following hashes: HASH_LIST | Action succeeded. |
Action wasn't able to fetch the analysis ids for the following hashes: HASH_LIST | Action failed. Check the connection to the server, input parameters, or credentials. |
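Both Detonate File and Detonate Hash return analysis IDs whose `analysis_status` is still `created`; the verdict is only available later through Get File Report (optionally with Wait For Completion). The following wait loop is an added example, not code from the page or from the integration: it takes a Detonate result, polls a status source until every analysis reaches a terminal status, and marks anything still pending after a bounded number of rounds as `timeout` so a playbook can route it instead of hanging. The `FakeReportSource` class stands in for the real Get File Report call, and the set of terminal statuses is an assumption.

```python
import json
from typing import Callable, Dict, List

# Constructed sample in the shape of the Detonate Hash JSON result above
# (analysis IDs and hashes are the page's sample values, not live data).
DETONATE_RESULT: List[Dict[str, str]] = json.loads("""
[
  {"analysis_id": "7bbbec69-5764-479e-bb1c-c3686e992fbb", "analysis_status": "created",
   "analysis_type": "file", "identifier": "6be971118951786bc7be55ef5656149504008a3e"},
  {"analysis_id": "33ee6661-7435-4e0a-a606-0b7d1a644859", "analysis_status": "created",
   "analysis_type": "file", "identifier": "5b97c39d87ad627c53023bfebb0ea1b5227c3f4e86e3bf06b23f3e4b0d6726e2"}
]
""")

# Assumption: these analysis_status values end the wait; anything else means "keep polling".
TERMINAL_STATUSES = {"succeeded", "failed"}


class FakeReportSource:
    """Stand-in for a Get File Report status lookup (hypothetical, not the integration's client).
    Each analysis answers 'created' for a configured number of polls, then 'succeeded'."""

    def __init__(self, polls_until_done: Dict[str, int]):
        self.remaining = dict(polls_until_done)
        self.calls = 0

    def get_status(self, analysis_id: str) -> str:
        self.calls += 1
        if self.remaining.get(analysis_id, 0) > 0:
            self.remaining[analysis_id] -= 1
            return "created"
        return "succeeded"


def wait_for_analyses(detonate_result: List[Dict[str, str]],
                      get_status: Callable[[str], str],
                      max_polls: int) -> Dict[str, Dict[str, str]]:
    """Poll every analysis from a Detonate result until it reaches a terminal status.

    Returns {analysis_id: {"identifier": ..., "status": ...}}. Analyses still pending
    after max_polls rounds are marked 'timeout' rather than silently dropped.
    """
    pending = {item["analysis_id"]: item["identifier"] for item in detonate_result}
    outcome: Dict[str, Dict[str, str]] = {}
    for _ in range(max_polls):
        for analysis_id in list(pending):  # iterate over a copy: pending shrinks below
            status = get_status(analysis_id)
            if status in TERMINAL_STATUSES:
                outcome[analysis_id] = {"identifier": pending.pop(analysis_id), "status": status}
        if not pending:
            break
        # A real playbook would sleep or back off here between rounds.
    for analysis_id, identifier in pending.items():
        outcome[analysis_id] = {"identifier": identifier, "status": "timeout"}
    return outcome
```

The `max_polls` bound is the important part: a Detonate result that never completes (a rejected or stuck submission) should surface as an explicit `timeout` entry that the playbook can branch on, not as an endless wait.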
Detonate URL
Analyze a suspicious URL with Intezer.
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
Parameters | Description |
---|---|
Url | Optional. The URL that you want to analyze. You can provide multiple URLs in a comma-separated string. |
Action outputs
The following table describes the output types associated with the Detonate URL action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Detonate URL action:
Script result name | Value |
---|---|
is_success | True or False |
JSON result
The following example describes the JSON result output received when using the Detonate URL action:
```json
[
  {
    "analysis_id": "d99b7317-02a3-4282-81e9-d27528a575c0",
    "analysis_status": "created",
    "analysis_type": "url",
    "identifier": "www.example.com"
  },
  {
    "analysis_id": "ee8d2e7e-950b-43f2-b0b7-cbfc3c20dfc5",
    "analysis_status": "created",
    "analysis_type": "url",
    "identifier": "https://www.example.com/"
  }
]
```
Output messages
The Detonate URL action provides the following output messages:
Output message | Message description |
---|---|
Successfully fetched the analysis ids for the following urls: URL_LIST in Intezer | Action succeeded. |
Action wasn't able to fetch the analysis ids for the following urls: URL_LIST in Intezer | Action failed. Check the connection to the server, input parameters, or credentials. |
Get Alert
Get the triage and response information for an ingested alert, using the alert ID.
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
Parameters | Description |
---|---|
Alert ID | Required. The alert ID to query. |
Wait For Completion | Optional. If selected, the action waits for the analysis to complete. |
Action outputs
The following table describes the output types associated with the Get Alert action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Get Alert action:
Script result name | Value |
---|---|
is_success | True or False |
JSON result
The following example describes the JSON result output received when using the Get Alert action:
```json
{
  "result": {
    "alert_id": "ldt:91a1c5ef609ac479ba77f8ca5879c82fc:958686237274",
    "source": "cs",
    "sender": "cs",
    "raw_alert": {
      "cid": "27fe4e476ca3490b8476b2b6650e5a74",
      "alert_type": "identify",
      "created_timestamp": "2023-11-09T00:03:10.116556016Z",
      "detection_id": "ldt:91a1c5ef609ac479ba77f8ca5879c82fc:958686237274",
      "evidences": [
        {
          "evidence_type": "domain",
          "evidence_value": "domain"
        }
      ],
      "device": {
        "device_id": "6a1c5ef609ac479ba77f8ca5879c82fc",
        "cid": "67fe4e476ca3490b8476b2b6650e5a74",
        "agent_load_flags": "0",
        "agent_local_time": "2023-10-18T23:01:49.681Z",
        "agent_version": "7.03.15805.0",
        "bios_manufacturer": "Example Technologies LTD",
        "bios_version": "6.00",
        "config_id_base": "65994753",
        "config_id_build": "15805",
        "config_id_platform": "8",
        "external_ip": "35.246.203.0",
        "hostname": "example-hostname",
        "first_seen": "2023-06-14T10:50:40Z",
        "last_seen": "2023-11-09T00:01:56Z",
        "local_ip": "198.51.100.1",
        "mac_address": "02-42-48-a3-7f-29",
        "major_version": "3",
        "minor_version": "10",
        "os_version": "CentOS 7.9",
        "platform_id": "3",
        "platform_name": "Linux",
        "product_type_desc": "Server",
        "status": "normal",
        "system_manufacturer": "Example, Inc.",
        "system_product_name": "Example Virtual Platform",
        "groups": [
          "9489d65c343244169627d4a728389039"
        ],
        "modified_timestamp": "2023-11-09T00:02:06Z"
      },
      "behaviors": [
        {
          "device_id": "6a1c5ef609ac479ba77f8ca5879c82fc",
          "timestamp": "2023-11-09T00:03:02Z",
          "template_instance_id": "1359",
          "behavior_id": "10304",
          "filename": "bash",
          "filepath": "/usr/bin/bash",
          "alleged_filetype": "",
          "cmdline": "bash crowdstrike_test_high",
          "scenario": "suspicious_activity",
          "objective": "Falcon Detection Method",
          "tactic": "Falcon Overwatch",
          "tactic_id": "CSTA0006",
          "technique": "Malicious Activity",
          "technique_id": "CST0002",
          "display_name": "TestTriggerHigh",
          "description": "A high level detection was triggered on this process for testing purposes.",
          "severity": 70,
          "confidence": 100,
          "ioc_type": "",
          "ioc_value": "",
          "ioc_source": "",
          "ioc_description": "",
          "user_name": "root",
          "user_id": "0",
          "control_graph_id": "ctg:6a1c5ef609ac479ba77f8ca5879c82fc:958686237274",
          "triggering_process_graph_id": "pid:6a1c5ef609ac479ba77f8ca5879c82fc:46565404531105",
          "sha256": "00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9",
          "md5": "cfd65bed18a1fae631091c3a4c4dd533",
          "parent_details": {
            "parent_sha256": "00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9",
            "parent_md5": "cfd65bed18a1fae631091c3a4c4dd533",
            "parent_cmdline": "/bin/sh -c ./alert.sh",
            "parent_process_graph_id": "pid:6a1c5ef609ac479ba77f8ca5879c82fc:46565400489930"
          },
          "pattern_disposition": 0,
          "pattern_disposition_details": {
            "indicator": false,
            "detect": false,
            "inddet_mask": false,
            "sensor_only": false,
            "rooting": false,
            "kill_process": false,
            "kill_subprocess": false,
            "quarantine_machine": false,
            "quarantine_file": false,
            "policy_disabled": false,
            "kill_parent": false,
            "operation_blocked": false,
            "process_blocked": false,
            "registry_operation_blocked": false,
            "critical_process_disabled": false,
            "bootup_safeguard_enabled": false,
            "fs_operation_blocked": false,
            "handle_operation_downgraded": false,
            "kill_action_failed": false,
            "blocking_unsupported_or_disabled": false,
            "suspend_process": false,
            "suspend_parent": false
          }
        }
      ],
      "email_sent": false,
      "first_behavior": "2023-11-09T00:03:02Z",
      "last_behavior": "2023-11-09T00:03:02Z",
      "max_confidence": 100,
      "max_severity": 70,
      "max_severity_displayname": "High",
      "show_in_ui": true,
      "status": "new",
      "hostinfo": {
        "domain": ""
      },
      "seconds_to_triaged": 0,
      "seconds_to_resolved": 0,
      "behaviors_processed": [
        "pid:6a1c5ef609ac479ba77f8ca5879c82fc:46565404531105:10304"
      ],
      "date_updated": "2023-11-12T00:06:14Z"
    },
    "alert_sub_types": [],
    "alert": {
      "alert_id": "ldt:91a1c5ef609ac479ba77f8ca5879c82fc:958686237274",
      "alert_url": null,
      "creation_time": "2023-11-12T00:06:14",
      "alert_title": "ldt:91a1c5ef609ac479ba77f8ca5879c82fc:958686237274",
      "device": {},
      "creation_time_display": "12 Nov 23 | 00:06 UTC"
    },
    "triage_result": {
      "alert_verdict": "audited",
      "risk_category": "audited",
      "risk_level": "informational",
      "risk_score": 60,
      "risk_level_display": "Informational",
      "risk_category_display": "Audited",
      "alert_verdict_display": "Audited"
    },
    "response": {
      "status": "no_action_needed",
      "automated_response_actions": [],
      "user_recommended_actions": [],
      "user_recommended_actions_display": "",
      "status_display": "No Action Needed"
    },
    "note": "\ud83d\udfe6 Intezer Automated Triage\n===================================\nAudited - No Action Needed\n===================================\n\n- Title: ldt:alert-ID\n- Source: CrowdStrike\n- Creation time: 12 Nov 23 | 00:06 UTC\n\nView alert: \ud83d\udc49 https://analyze.intezer.com/alerts/ldt:alert_ID",
    "source_display": "CrowdStrike",
    "source_type": "edr",
    "intezer_alert_url": "https://analyze.intezer.com/alerts/ldt:alert-ID"
  },
  "status": "succeeded"
}
```
Output messages
The Get Alert action provides the following output messages:
Output message | Message description |
---|---|
Successfully fetched the alert details for the following alert id: ALERT_ID in Intezer | Action succeeded. |
Action wasn't able to fetch the alert detail for the following alert: ERROR_REASON in Intezer | Action failed. Check the connection to the server, input parameters, or credentials. |
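The Get Alert result nests the fields a playbook actually branches on (the triage verdict and risk level, the response status, and the hashes of the processes behind the EDR alert) several levels deep, and the top-level `status` tells you whether triage has finished at all. The function below is an added example, not part of the page or of the integration: it reduces a Get Alert JSON result to a flat summary, refuses to summarize an alert whose triage is not yet `succeeded`, and maps Intezer's risk level to a case priority. The `RISK_TO_PRIORITY` scale, the `AlertNotReady` exception and the `in_progress` status used in the usage check are assumptions; the sample document is a trimmed copy of the JSON result above.

```python
import json
from typing import Any, Dict

# Constructed sample: only the parts of the Get Alert JSON result above that this
# function reads (same field names; the values are the page's sample values).
GET_ALERT_RESULT: Dict[str, Any] = json.loads("""
{
  "result": {
    "alert_id": "ldt:91a1c5ef609ac479ba77f8ca5879c82fc:958686237274",
    "source": "cs",
    "raw_alert": {
      "device": {"hostname": "example-hostname", "platform_name": "Linux"},
      "behaviors": [
        {"filename": "bash", "filepath": "/usr/bin/bash", "user_name": "root",
         "sha256": "00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9"}
      ]
    },
    "triage_result": {"alert_verdict": "audited", "risk_category": "audited",
                      "risk_level": "informational", "risk_score": 60},
    "response": {"status": "no_action_needed", "user_recommended_actions": []},
    "source_display": "CrowdStrike",
    "intezer_alert_url": "https://analyze.intezer.com/alerts/ldt:alert-ID"
  },
  "status": "succeeded"
}
""")

# Assumed mapping from Intezer's risk_level to a numeric SOAR case priority;
# the page defines no such scale, so adapt it to your own.
RISK_TO_PRIORITY = {"critical": 100, "high": 80, "medium": 60, "low": 40, "informational": 20}


class AlertNotReady(Exception):
    """Raised when the top-level status is not 'succeeded' (triage still running)."""


def summarize_alert(result: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a Get Alert JSON result to the fields a playbook branches on."""
    if result.get("status") != "succeeded":
        # Without Wait For Completion the triage may still be running; do not treat
        # a partial document as a verdict.
        raise AlertNotReady(f"alert triage status is {result.get('status')!r}")
    r = result["result"]
    raw = r.get("raw_alert") or {}
    triage = r.get("triage_result") or {}
    response = r.get("response") or {}
    risk_level = triage.get("risk_level", "informational")
    # SHA-256 of each process that triggered the EDR alert: the natural input for Get File Report.
    hashes = sorted({b["sha256"] for b in raw.get("behaviors", []) if b.get("sha256")})
    return {
        "alert_id": r["alert_id"],
        "source": r.get("source_display") or r.get("source"),
        "hostname": (raw.get("device") or {}).get("hostname"),
        "verdict": triage.get("alert_verdict"),
        "risk_level": risk_level,
        "risk_score": triage.get("risk_score"),
        "priority": RISK_TO_PRIORITY.get(risk_level, RISK_TO_PRIORITY["informational"]),
        "response_status": response.get("status"),
        "recommended_actions": list(response.get("user_recommended_actions", [])),
        # Anything other than 'no_action_needed' is handed to an analyst.
        "needs_analyst": response.get("status") != "no_action_needed",
        "file_hashes": hashes,
        "intezer_alert_url": r.get("intezer_alert_url"),
    }
```

Raising on a non-`succeeded` status, rather than returning a half-filled summary, keeps an unfinished triage from being mistaken for a benign one downstream.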
Get File Report
Get a file analysis report based on an analysis ID or a file hash.
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
Parameters | Description |
---|---|
Analysis ID | Optional. A comma-separated list of the file analysis IDs to run the action on. This parameter is case sensitive. If both Analysis ID and File Hash parameters are provided, the File Hash value has priority. |
File Hash | Optional. A comma-separated list of file hashes to run the action on. This parameter is case sensitive. If both Analysis ID and File Hash parameters are provided, the File Hash value has priority. |
Private Only | Optional. If selected, the action shows only private reports (relevant only for hashes). |
Wait For Completion | Optional. If selected, the action waits for the analysis to complete before returning the report. |
Action outputs
The following table describes the output types associated with the Get File Report action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Get File Report action:
Script result name | Value |
---|---|
is_success | True or False |
JSON result
The following example describes the JSON result output received when using the Get File Report action:
```json
[
  {
    "analysis_id": "fdc18702-e308-43e5-9476-554501fb2009",
    "analysis_type": "file",
    "analysis_status": "succeeded",
    "analysis_content": {
      "analysis": {
        "analysis_id": "fdc18702-e308-43e5-9476-554501fb2009",
        "analysis_time": "Fri, 16 Feb 2024 08:16:20 GMT",
        "analysis_url": "https://analyze.intezer.com/analyses/analysis-id",
        "file_name": "file_name",
        "is_private": true,
        "sha256": "9baf8bb61b9ab2e28d9a2599bc8f524489845782097464edd20ad7d0353c3b6d",
        "sub_verdict": "inconclusive",
        "tags": [
          "non_executable"
        ],
        "verdict": "unknown"
      },
      "iocs": {
        "files": [
          {
            "analysis_id": "fdc18702-e308-43e5-9476-554501fb2009",
            "family": null,
            "path": "file_name",
            "sha256": "9baf8bb61b9ab2e28d9a2599bc8f524489845782097464edd20ad7d0353c3b6d",
            "type": "main_file",
            "verdict": "unknown"
          }
        ],
        "network": [
          {
            "classification": "suspicious",
            "ioc": "198.51.100.161",
            "source": [
              "Network communication"
            ],
            "type": "ip"
          }
        ]
      },
      "ttps": [
        {
          "data": [
            {
              "cid": 2793,
              "pid": 1996,
              "type": "call"
            },
            {
              "cid": 5365,
              "pid": 1340,
              "type": "call"
            },
            {
              "cid": 5366,
              "pid": 1340,
              "type": "call"
            },
            {
              "cid": 5373,
              "pid": 1340,
              "type": "call"
            },
            {
              "cid": 5375,
              "pid": 1340,
              "type": "call"
            }
          ],
          "description": "Guard pages use detected - possible anti-debugging.",
          "name": "antidebug_guardpages",
          "severity": 2,
          "ttps": [
            {
              "name": "Native API",
              "ttp": "Execution::Native API [T1106]"
            }
          ]
        }
      ],
      "metadata": {
        "file_type": "non executable",
        "indicators": [
          {
            "classification": "informative",
            "name": "non_executable"
          }
        ],
        "md5": "a01073d047bd9bb151b8509570ea44d6",
        "sha1": "610742629fe7d7188042c8c427fc68723d53cd42",
        "sha256": "9baf8bb61b9ab2e28d9a2599bc8f524489845782097464edd20ad7d0353c3b6d",
        "size_in_bytes": 21,
        "ssdeep": "3:H0shRFCZ:HlS"
      },
      "root-code-reuse": null
    }
  }
]
```
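A file report carries its signal in several places at once: the top-level `verdict`/`sub_verdict`, the classification of each network IOC, and the severity and ATT&CK references of each TTP entry. A playbook that keys only on `verdict` would pass the report above as clean even though Intezer flagged a suspicious network IOC. The code below is an added example, not part of the page or of the integration: it summarizes each entry of a Get File Report JSON result, treats an entry whose `analysis_status` is not `succeeded` as incomplete rather than benign, and applies an escalation rule over all three sources of signal. The rule itself, the `needs_escalation` threshold and the `in_progress` status of the second constructed entry are assumptions; the first entry mirrors the page's sample values.

```python
import json
from typing import Any, Dict, List

# Constructed sample modelled on the Get File Report JSON result above. The first
# entry keeps the page's sample values; the second (status 'in_progress', an assumed
# value) stands for a report fetched before the analysis finished.
FILE_REPORT_RESULT: List[Dict[str, Any]] = json.loads("""
[
  {
    "analysis_id": "fdc18702-e308-43e5-9476-554501fb2009",
    "analysis_type": "file",
    "analysis_status": "succeeded",
    "analysis_content": {
      "analysis": {"sha256": "9baf8bb61b9ab2e28d9a2599bc8f524489845782097464edd20ad7d0353c3b6d",
                   "verdict": "unknown", "sub_verdict": "inconclusive", "tags": ["non_executable"],
                   "analysis_url": "https://analyze.intezer.com/analyses/analysis-id"},
      "iocs": {
        "files": [{"sha256": "9baf8bb61b9ab2e28d9a2599bc8f524489845782097464edd20ad7d0353c3b6d",
                   "type": "main_file", "verdict": "unknown", "family": null}],
        "network": [{"classification": "suspicious", "ioc": "198.51.100.161", "type": "ip",
                     "source": ["Network communication"]}]
      },
      "ttps": [{"name": "antidebug_guardpages", "severity": 2,
                "description": "Guard pages use detected - possible anti-debugging.",
                "ttps": [{"name": "Native API", "ttp": "Execution::Native API [T1106]"}]}],
      "metadata": {"file_type": "non executable", "size_in_bytes": 21,
                   "md5": "a01073d047bd9bb151b8509570ea44d6",
                   "sha1": "610742629fe7d7188042c8c427fc68723d53cd42"}
    }
  },
  {"analysis_id": "00000000-0000-0000-0000-000000000000", "analysis_type": "file",
   "analysis_status": "in_progress"}
]
""")

SEVERE_CLASSIFICATIONS = {"malicious", "suspicious"}


def summarize_file_report(item: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce one Get File Report entry to the fields a playbook branches on.

    An entry whose analysis_status is not 'succeeded' (for example when Wait For
    Completion was not selected) is reported as incomplete, never as clean.
    """
    summary: Dict[str, Any] = {
        "analysis_id": item["analysis_id"],
        "status": item.get("analysis_status"),
        "complete": item.get("analysis_status") == "succeeded",
    }
    if not summary["complete"]:
        return summary
    content = item.get("analysis_content") or {}
    analysis = content.get("analysis") or {}
    iocs = content.get("iocs") or {}
    ttps = content.get("ttps") or []
    summary.update({
        "sha256": analysis.get("sha256"),
        "verdict": analysis.get("verdict"),
        "sub_verdict": analysis.get("sub_verdict"),
        "tags": list(analysis.get("tags", [])),
        "analysis_url": analysis.get("analysis_url"),
        # Only the network IOCs Intezer itself classified as malicious or suspicious.
        "network_iocs": [i["ioc"] for i in iocs.get("network", [])
                         if i.get("classification") in SEVERE_CLASSIFICATIONS],
        # ATT&CK references flattened out of every TTP entry, de-duplicated.
        "techniques": sorted({t["ttp"] for entry in ttps for t in entry.get("ttps", [])}),
        "max_ttp_severity": max((entry.get("severity", 0) for entry in ttps), default=0),
    })
    return summary


def needs_escalation(summary: Dict[str, Any], ttp_severity_threshold: int = 3) -> bool:
    """Escalation rule (an assumption, not Intezer's): a finished analysis escalates when
    the verdict is malicious/suspicious, when any network IOC is classified as such, or
    when a TTP reaches the severity threshold. Incomplete analyses never auto-escalate."""
    if not summary["complete"]:
        return False
    return (summary["verdict"] in SEVERE_CLASSIFICATIONS
            or bool(summary["network_iocs"])
            or summary["max_ttp_severity"] >= ttp_severity_threshold)


def triage_reports(result: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Map analysis_id to its summary, with an 'escalate' flag, for a whole JSON result."""
    out: Dict[str, Dict[str, Any]] = {}
    for item in result:
        summary = summarize_file_report(item)
        summary["escalate"] = needs_escalation(summary)
        out[summary["analysis_id"]] = summary
    return out
```

On the page's sample the verdict is `unknown` and the single TTP sits below the threshold, so the escalation comes entirely from the suspicious network IOC; that is the case a verdict-only check would miss.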
Output messages
The Get File Report action provides the following output messages:
Output message | Message description |
---|---|
Successfully fetched the file analysis for the following items: ANALYSIS_ID_OR_HASH_LIST in Intezer | Action succeeded. |
No file analysis were found for the provided items | Action failed. Check the connection to the server, input parameters, or credentials. |
Get URL Report
Get a URL analysis report based on the URL analysis ID.
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
Parameters | Description |
---|---|
Analysis ID | Required. A comma-separated list of the URL analysis IDs to run the action on. This parameter is case sensitive. The analysis ID is returned when submitting a URL for analysis. |
Wait For Completion | Optional. If selected, the action waits for the analysis to complete. |
Action outputs
The following table describes the output types associated with the Get URL Report action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Get URL Report action:
Script result name | Value |
---|---|
is_success | True or False |
JSON result
The following example describes the JSON result output received when using the Get URL Report action:
```json
[
  {
    "analysis_id": "Aef96e22-e0b1-45de-b7fa-2b9596ecb922",
    "analysis_type": "url",
    "analysis_status": "succeeded",
    "analysis_content": {
      "analysis": {
        "analysis_id": "aef96e22-e0b1-45de-b7fa-2b9596ecb922",
        "analysis_time": "Wed, 07 Feb 2024 06:16:42 GMT",
        "analysis_url": "https://analyze.intezer.com/url/aef96e22-e0b1-45de-b7fa-2b9596ecb922",
        "api_void_risk_score": 0,
        "certificate": {
          "issuer": "Example Secure Certificate Authority",
          "protocol": "TLS 1.3",
          "subject_name": "analyze.intezer.com",
          "valid_from": "2023-07-25 19:50:53.000000",
          "valid_to": "2024-08-25 19:50:53.000000"
        },
        "domain_info": {
          "creation_date": "2015-08-28 04:24:45.000000",
          "domain_name": "intezer.com",
          "registrar": "Example, LLC"
        },
        "indicators": [
          {
            "classification": "informative",
            "indicator_info": "text/html",
            "indicator_type": "content_type",
            "text": "Content type: text/html"
          },
          {
            "classification": "informative",
            "indicator_type": "valid_https",
            "text": "Valid https"
          },
          {
            "classification": "informative",
            "indicator_type": "url_accessible",
            "text": "URL is accessible"
          },
          {
            "classification": "suspicious",
            "indicator_type": "empty_page_title",
            "text": "Has empty page title"
          },
          {
            "classification": "informative",
            "indicator_type": "domain_ipv4_assigned",
            "text": "Assigned IPv4 domain"
          },
          {
            "classification": "informative",
            "indicator_type": "domain_ipv4_valid",
            "text": "Valid IPv4 domain"
          },
          {
            "classification": "informative",
            "indicator_type": "uses_cloudflare",
            "text": "Uses Cloudflare"
          }
        ],
        "ip": "203.0.113.201",
        "redirect_chain": [
          {
            "response_status": 200,
            "url": "https://example.com/"
          }
        ],
        "scanned_url": "https://example.com/",
        "submitted_url": "https://example.com",
        "summary": {
          "description": "No suspicious activity was detected for this URL",
          "main_connection_gene_count": 0,
          "main_connection_gene_percentage": 0.0,
          "title": "No Threats",
          "verdict_name": "no_threats",
          "verdict_type": "no_threats"
        }
      }
    }
  }
]
```
Output messages
The Get URL Report action provides the following output messages:
Output message | Message description |
---|---|
Successfully fetched the url analysis for the following analysis ids: ANALYSIS_ID in Intezer | Action succeeded. |
No url analysis were found for the provided analysis ids | Action failed. Check the connection to the server, input parameters, or credentials. |
Index File
Index the file genes into the organizational database.
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
Parameters | Description |
---|---|
Index As | Required. Index as trusted or malicious. |
SHA256 | Optional. The SHA-256 hash to index. You can provide multiple hashes in a comma-separated string. |
Family Name | Optional. The family name to use in the index. This parameter is required if the Index As parameter value is |
Action outputs
The following table describes the output types associated with the Index File action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Index File action:
Script result name | Value |
---|---|
is_success | True or False |
JSON result
The following example describes the JSON result output received when using the Index File action:
```json
[
  {
    "index_id": "091ed5aa-a94f-48d9-9b90-89ff434947b2",
    "status": "succeeded"
  }
]
```
Output messages
The Index File action provides the following output messages:
Output message | Message description |
---|---|
Waiting for results for the following hashes: HASH_LIST | Action is still in progress. |
 | Action succeeded. |
None of the file hash got indexed | Action failed. Check the connection to the server, input parameters, or credentials. |
Ping
Test connectivity to Intezer.
This action runs on all entities.
Action inputs
None.
Action outputs
The following table describes the output types associated with the Ping action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Submit Alert
Submit a new alert that includes the raw alert information to Intezer for processing.
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
Parameters | Description |
---|---|
Source | Required. The source of the alert. |
Raw Alert | Required. Alert raw data in JSON format. |
Alert Mapping | Required. Mapping to use for the alert in JSON format. |
Action outputs
The following table describes the output types associated with the Submit Alert action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Submit Alert action:
Script result name | Value |
---|---|
is_success | True or False |
JSON result
The following example describes the JSON result output received when using the Submit Alert action:
```json
{
  "alert_id": "ccdt:2a1c5ef609ac479ba77f8ca5879c82fc:958686237274"
}
```
Output messages
The Submit Alert action provides the following output messages:
Output message | Message description |
---|---|
Successfully submitted details about the following alert: ALERT_ID | Action succeeded. |
Error executing action "Submit Alert". Reason: Invalid parameter "Alert Mapping". The JSON structure is invalid. Wrong value provided: ALERT_ID | Action failed. Check the Alert Mapping parameter value. |
Submit File
Submit a file for analysis.
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
Parameters | Description |
---|---|
File Paths | Required. The paths of the files to analyze. |
Action outputs
The following table describes the output types associated with the Submit File action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Submit File action:
Script result name | Value |
---|---|
is_success | True or False |
JSON result
The following example describes the JSON result output received when using the Submit File action:
```json
{
  "C:\\Users\\User1\\Downloads\\test_file.exe": {
    "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356": {
      "family_name": "Example",
      "analysis_id": "548e6b8b-20b1-445c-9922-af6b52a8abc3",
      "sub_verdict": "known_malicious",
      "analysis_url": "https://analyze.intezer.com/#/analyses/analysis-ID",
      "verdict": "malicious",
      "sha256": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356",
      "is_private": true,
      "analysis_time": "Thu, 14 Feb 2019 08:58:27 GMT"
    }
  }
}
```
Submit Hash
Submit a hash for analysis to Intezer.
This action runs on a FileHash entity.
Action inputs
None.
Action outputs
The following table describes the output types associated with the Submit Hash action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Entity enrichment table | Available |
JSON result | Available |
Output messages | Not available |
Script result | Available |
Entity enrichment
The following table describes the entity enrichment logic associated with the Submit Hash action:
Enrichment field | Logic |
---|---|
family_name | Returns if it exists in the JSON result |
analysis_id | Returns if it exists in the JSON result |
sub_verdict | Returns if it exists in the JSON result |
analysis_url | Returns if it exists in the JSON result |
verdict | Returns if it exists in the JSON result |
sha256 | Returns if it exists in the JSON result |
is_private | Returns if it exists in the JSON result |
analysis_time | Returns if it exists in the JSON result |
JSON result
The following example describes the JSON result output received when using the Submit Hash action:
```json
[
  {
    "EntityResult": {
      "family_name": "Example",
      "analysis_id": "548e6b8b-20b1-445c-9922-af6b52a8abc3",
      "sub_verdict": "known_malicious",
      "analysis_url": "https://analyze.intezer.com/#/analyses/analysis-ID",
      "verdict": "malicious",
      "sha256": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356",
      "is_private": true,
      "analysis_time": "Thu, 14 Feb 2019 08:58:27 GMT"
    },
    "Entity": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356"
  }
]
```
Script result
The following table describes the values for the script result output when using the Submit Hash action:
Script result name | Value |
---|---|
is_success | True or False |
Submit Suspicious Email
Submit a suspicious phishing email in raw format (.msg or .eml) to Intezer for processing.
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
Parameters | Description |
---|---|
Email File Path | Required. The path to the email file. |
Action outputs
The following table describes the output types associated with the Submit Suspicious Email action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Submit Suspicious Email action:
```json
{
  "alert_id": "3385f4f9aec655dfac9d59d54e8ff1f12343501ebc62bf1a91ad1954bb6ae0b9"
}
```
Output messages
The Submit Suspicious Email action provides the following output messages:
Output message | Message description |
---|---|
Successfully submitted suspicious email EMAIL_FILE_PATH in Intezer | Action succeeded. |
Error executing action "Intezer". Reason: No such file or directory: EMAIL_FILE_PATH | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Submit Suspicious Email action:
Script result name | Value |
---|---|
is_success | True or False |
Unset Index File
Remove files from the index.
This action runs on all entities.
Action inputs
To configure the action, use the following parameters:
Parameters | Description |
---|---|
SHA256 | Optional. The SHA-256 hash to remove from the index. You can provide multiple hashes in a comma-separated string. |
Action outputs
The following table describes the output types associated with the Unset Index File action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Unset Index File action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Action wasn't able to unset file index for the following hashes: HASH_LIST | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Unset Index File action:
Script result name | Value |
---|---|
is_success | True or False |