IntSights
Integration version: 20.0
Configure IntSights integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Actions
Add Note
Description
Add a note to the alert in IntSights.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Alert ID | String | N/A | Yes | Specify the ID of the alert to which you want to add a note. |
Note | String | N/A | Yes | Specify the note for the alert. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful (is_success=true): "Successfully add a note to the alert with ID '{0}' in Intsights ".format(alert id). The action should fail and stop a playbook execution if a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Add Note". Reason: {0}".format(error.Stacktrace). If the 404 status code is reported: "Error executing action "Add Note". Reason: alert with ID {alert id} was not found in IntSights." | General |
Ask An Analyst
Description
Ask an analyst regarding the alert in IntSights.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Alert ID | String | N/A | Yes | Specify the ID of the alert where you want to ask the analyst. |
Comment | String | N/A | Yes | Specify the comment for the analyst. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful: "Successfully asked analyst in the alert with ID '{0}' in Intsights ".format(alert id). If the 400 or 500 status code is reported: "Action was not able to ask the analyst in the alert with ID {0} in Intsights. Reason: {1}.".format(alert_id, response string). The action should fail and stop a playbook execution if a fatal error, like wrong credentials, no connection to server, or other is reported: "Error executing action "Ask an Analyst". Reason: {0}".format(error.Stacktrace) | General |
Assign Alert
Description
Assign alert to an analyst in IntSights.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Alert ID | String | N/A | Yes | Specify the ID of the alert on which you want to change the assignment. |
Assignee ID | String | N/A | No | Specify the ID of the analyst that should be assigned to the alert. |
Assignee Email Address | String | N/A | No | Specify the email address of the analyst that should be assigned to the alert. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful with assignee ID: "Successfully assigned analyst with ID '{0}' to the alert with ID {1} in Intsights ".format(assignee id, alert id). If successful with assignee email address: "Successfully assigned analyst with email address '{0}' to the alert with ID {1} in Intsights ".format(assignee email address, alert id). If the assignee is not found (status code 400) while working with assignee ID: "Action was not able to change the assignment on the alert with ID {0}. Reason: Assignee with ID {1} was not found.".format(alert_id, assignee id). If the 400 or 500 status code is reported: "Action was not able to change the assignment on the alert with ID {0}. Reason: {1}.".format(alert_id, response). The action should fail and stop a playbook execution if a fatal error, like wrong credentials, no connection to server, or other is reported: "Error executing action "Assign Alert". Reason: {0}".format(error.Stacktrace). If neither the "Assignee ID" nor the "Assignee Email Address" parameter is specified: "Assignee ID or Email Address should be specified." | General |
Close Alert
Description
Close alert in IntSights.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Alert ID | String | N/A | Yes | Specify the ID of the alert which you want to close. |
Reason | DDL | Problem Solved Possible Values: | Yes | Specify the reason why the alert needs to be closed. |
Additional Info | String | N/A | No | Specify additional information explaining why the alert should be closed. |
Rate | Integer | 5 | No | Specify the rating of the alert. Maximum is 5. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful: "Successfully closed the alert with ID '{0}' in Intsights ".format(alert id). If the 400 status code is reported: "Action was not able to close the alert with ID {0} in Intsights. Reason: {1}.".format(alert_id, response string). The action should fail and stop a playbook execution if a fatal error, like wrong credentials, no connection to server, or other is reported: "Error executing action "Close Alert". Reason: {0}".format(error.Stacktrace). If the "Rate" parameter is not in the 1-5 range: "Rate value should be in range from 1 to 5." | General |
Download Alert CSV
Description
Download CSV file containing information related to alert in IntSights.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Alert ID | String | N/A | Yes | Specify the ID of the alert for which you want to download CSV. |
Download Folder Path | String | N/A | Yes | Specify the path to the folder, where you want to store the CSV file. |
Overwrite | Checkbox | N/A | No | If enabled, action will overwrite the file with the same name. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"absolute_paths": ["/opt/file_1"]
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful for at least one CSV (is_success=true): "Successfully downloaded CSV for the alert with ID {0} in Intsights:".format(alert_id). If the 400 status code is reported (is_success=true): "No CSV information was found for the alert with ID {alert_id} in Intsights." The action should fail and stop a playbook execution if a fatal error, like wrong credentials, no connection to server, or other is reported: "Error executing action "Download Alert CSV". Reason: {0}".format(error.Stacktrace). If a file with the same name already exists, but "Overwrite" is set to false: "Error executing action "Download Alert CSV". Reason: file with path {0} already exists. Please delete the file or set "Overwrite" to true." If the 404 status code is reported: "Error executing action "Download Alert CSV". Reason: Unable to find alert with ID {ID}" | General |
Get Alert Image
Description
Retrieve information about alert images in IntSights.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Alert Image IDs | CSV | N/A | Yes | Specify the comma-separated list of alert image IDs. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
{
"image_name": "5b59daf4bdafd90xxxxxx",
"image_base64_content": "image content in base64"
}
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful for at least one image: "Successfully retrieved images from the following IDs in Intsights:".format(list of ids). If not successful for at least one image: "Action wasn't able to successfully retrieve images from the following IDs in Intsights:\n".format(list of ids). If not successful for all images: "No images were retrieved". The action should fail and stop a playbook execution if a fatal error, like wrong credentials, no connection to server, or other is reported: "Error executing action "Get Alert Image". Reason: {0}".format(error.Stacktrace) | General |
Ping
Description
Check connectivity.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the URL entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Reopen Alert
Description
Reopen alert in IntSights.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Alert ID | String | N/A | Yes | Specify the ID of the alert which you want to reopen. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful: "Successfully reopened the alert with ID '{0}' in Intsights ".format(alert id). If the 400 status code is reported: "Action was not able to reopen the alert with ID {0} in Intsights. Reason: {1}.".format(alert_id, response string). The action should fail and stop a playbook execution if a fatal error, like wrong credentials, no connection to server, or other is reported: "Error executing action "Reopen Alert". Reason: {0}".format(error.Stacktrace) | General |
Search IOCs
Description
Organize and search all your IOCs within a single, easy-to-use dashboard. The centralized TIP dashboard summarizes IOCs by severity and confidence level, so you can easily understand which malicious IOCs pose the greatest risk to your organization.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[{
"EntityResult":
{
"Status": "Active",
"Domain": "sephoratv.com",
"Severity":
{
"Status": "done",
"LastUpdate": "2019-01-20T04:32:58.833Z",
"Features":
[{
"Score": 10, "Name": "base_intsights_multiple",
"Match": 1
},
{
"Score": 0,
"Name": "domain_associated_malware_names",
"Match": 0
},
{
"Score": 0,
"Name": "domain_associated_malware_ip_addresses",
"Match": 1
}],
"LastUpdateMessage": "",
"Value": "Low",
"Score": 20
},
"SourceID": "59e376681bb0800644e1368f",
"Value": "sephoratv.com",
"Flags": {"IsInAlexa": false},
"LastSeen": "2019-01-20T04:24:27.258Z",
"_id": "5c43f80483df230007485c48",
"Type": "Domains",
"Enrichment":
{
"Status": "done",
"LastUpdate": "2019-01-20T04:32:58.613Z",
"Data":
{
"domain_status_blocked": false,
"latest_resolution_date": "2019-01-20T04:27:22.299Z",
"associated_malware_ip_addresses": ["185.16.44.132"],
"contact_emails": [],
"referencing_file_hashes": [],
"malware_category": [],
"mail_servers": ["a.mx.domainoo.fr."],
"associated_malware_names": [],
"threat_actor_category": [],
"campaigns": [],
"associated_malware_families": [],
"resolved_ips": ["185.16.44.132"],
"cve_ids": [],
"downloaded_file_hashes": [],
"domain_expired": false,
"communicating_file_hashes": ["210c2ddbf747220df645fc4d77e7decd1be7df27e43b2f79e4b45bd5fe0a2a6e"],
"name_servers": ["a.ns.domainoo.fr.",
"b.ns.domainoo.fr.",
"c.ns.domainoo.fr."],
"registrar": "N/A",
"threat_actors": []
}
},
"FirstSeen": "2019-01-20T04:24:27.258Z",
"AccountID": null
},
"Entity": "sephoratv.com"
}]
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
Status | Returns if it exists in JSON result |
Domain | Returns if it exists in JSON result |
Severity | Returns if it exists in JSON result |
SourceID | Returns if it exists in JSON result |
Value | Returns if it exists in JSON result |
Flags | Returns if it exists in JSON result |
LastSeen | Returns if it exists in JSON result |
_id | Returns if it exists in JSON result |
Type | Returns if it exists in JSON result |
Enrichment | Returns if it exists in JSON result |
FirstSeen | Returns if it exists in JSON result |
AccountID | Returns if it exists in JSON result |
Insights
Yes
Connectors
IntSights Connector
Description
Fetches issues from IntSights to Google Security Operations SOAR.
Configure IntSights Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
Parameter Name | Type | Default Value | Description |
---|---|---|---|
DeviceProductField | String | Details_Source_NetworkType | The field name used to determine the device product. |
EventClassId | String | Details_Title | The field name used to determine the event name (sub-type). |
PythonProcessTimeout | String | 60 | The timeout limit (in seconds) for the Python process running the current script. |
Api Root | String | https://api.intsights.com | The API root of the IntSights server. |
Account ID | String | N/A | The account ID to login with. |
Api Key | Password | N/A | The API key to login with. |
Verify SSL | Checkbox | Unchecked | Whether to verify the SSL certificate of the server. |
Max Days Backwards | Integer | 3 | Max number of days backwards to pull alerts from. |
Max Alerts Per Cycle | Integer | 10 | Max number of alerts to fetch per single connector cycle. |
Proxy Server Address | String | N/A | The address of the proxy server to use. |
Proxy Username | String | N/A | The proxy username to authenticate with. |
Proxy Password | Password | N/A | The proxy password to authenticate with. |
Connector Rules
Proxy Support
The connector supports proxy.
Whitelist/Blacklist
The connector supports Whitelist/Blacklist rules.