Accessdata

Use the Quin-C AccessData integration to protect against and provide additional visibility into phishing and other malicious email attacks. This integration was integrated and tested with version 20190926 of Quin-C Accessdata.

Documentation for the integration was provided by Quin-C.

AccessData Playbook

See the “Accessdata: Dump memory for malicious process” playbook for an example of how to use this integration.

Configure AccessData on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Accessdata.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Example |
    | --- | --- | --- |
    | Name | A meaningful name for the integration instance. | Quin-C Instance Alpha |
    | Server URL | The URL to the AccessData server, including the scheme. | FQDN or IP address in X.X.X.X format with scheme specified. |
    | Token | A piece of data that servers use to verify authenticity. | eea810f5-a6f6 |
    | Trust any certificate (not secure) | When selected, certificates are not checked. | N/A |
    | Use system proxy settings | Runs the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration. | https://proxyserver.com |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Get a process list

Returns a list of processes from the legacy agent.

Base Command

accessdata-legacyagent-get-processlist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| caseid | The ID of the case. | Optional |
| target_ip | The IP address of the agent. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Accessdata.Job.ID | string | The ID of the job. |
| Accessdata.Job.CaseID | string | The ID of the case. |
| Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example “1_800”. |
| Accessdata.Job.Type | string | The job type. |
| Accessdata.Job.State | string | The execution state of the job. |

Command Example

accessdata-legacyagent-get-processlist caseid=2 target_ip=X.X.X.X

Context Example

{
    "Accessdata.Job": {
        "ID": 157,
        "Type": "Volatile",
        "CaseID": "2",
        "State": "Unknown",
        "CaseJobID": "2_157"
    }
}

Human Readable Output

JobID: 157

Create a legacy agent memory dump

Creates a legacy agent memory dump.

Base Command

accessdata-legacyagent-get-memorydump

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| caseid | The ID of the case. | Optional |
| target_ip | The IP address of the agent. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Accessdata.Job.ID | string | The ID of the job. |
| Accessdata.Job.CaseID | string | The ID of the case. |
| Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example “1_800”. |
| Accessdata.Job.Type | string | The job type. |
| Accessdata.Job.State | string | The execution state of the job. |

Command Example

accessdata-legacyagent-get-memorydump caseid=2 target_ip=X.X.X.X

Context Example

{
    "Accessdata.Job": {
        "ID": 158,
        "Type": "LegacyMemoryDump",
        "CaseID": "2",
        "State": "Unknown",
        "CaseJobID": "2_158"
    }
}

Human Readable Output

JobID: 158

Read a file from a case folder

Reads a file from a case folder and puts the contents into the context output.

Base Command

accessdata-read-casefile

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filepath | The path to the case file. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Accessdata.File.Contents | string | The contents of the file. |

Command Example

accessdata-read-casefile filepath="\\X.X.X.X\D$\paths\cases\ProcessingHelperCase\b389a8e9-4ce4-473d-8d2e-9026f53f925c\Jobs\job_153\fa9787a3-49a1-4d73-a194-7c944eb9a3bf\1\snapshot.xml"

Context Example

{
    "Accessdata.File.Contents": "<?xml version=\"1.0\"?>\r\n<root>\r\n<Process resultitemtype=\"15\"><Name>addm.exe</Name><Path/><StartTi ... ress>0</baseAddress><ImageSize>0</ImageSize><ProcessName/><FromAgent/></DLL>\r\n</root>\r\n"
}

Human Readable Output

<?xml version="1.0"?>
<root>
<Process resultitemtype="15"><Name>addm.exe</Name><Path/><StartTi ... ress>0</baseAddress><ImageSize>0</ImageSize><ProcessName/><FromAgent/></DLL>
</root>
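
As an added example (not part of the integration or of this documentation), the following Python parses the snapshot.xml that accessdata-read-casefile places in Accessdata.File.Contents and splits a CaseJobID such as “1_800” into its two parts, as a playbook would before selecting a process to dump. The sample XML is constructed from the elements visible above; the StartTime element name is assumed from the truncated “StartTi ...” tag, and svch0st.exe is a made-up process name.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the snapshot.xml returned by
# accessdata-read-casefile. Only elements visible in the documented
# output are used; <StartTime> is assumed from the truncated tag.
SAMPLE_SNAPSHOT = (
    '<?xml version="1.0"?>\r\n<root>\r\n'
    '<Process resultitemtype="15"><Name>addm.exe</Name><Path/>'
    '<StartTime>2019-09-26T10:00:00</StartTime></Process>\r\n'
    '<Process resultitemtype="15"><Name>svch0st.exe</Name>'
    '<Path>C:\\Users\\Public\\svch0st.exe</Path>'
    '<StartTime>2019-09-26T10:05:00</StartTime></Process>\r\n'
    '<DLL><baseAddress>0</baseAddress><ImageSize>0</ImageSize>'
    '<ProcessName/><FromAgent/></DLL>\r\n</root>\r\n'
)


def split_case_job_id(case_job_id):
    """Split an Accessdata.Job.CaseJobID like "1_800" into (case_id, job_id)."""
    case_id, sep, job_id = case_job_id.partition("_")
    if not sep or not case_id.isdigit() or not job_id.isdigit():
        raise ValueError("malformed CaseJobID: %r" % (case_job_id,))
    return int(case_id), int(job_id)


def parse_snapshot(xml_text):
    """Return [(name, path), ...] for every <Process> in a snapshot.xml."""
    # xml.etree does not defend against entity-expansion payloads; feed
    # evidence collected from endpoints through defusedxml in production.
    root = ET.fromstring(xml_text)
    processes = []
    for proc in root.iter("Process"):        # exact tag match, skips <ProcessName>
        name = (proc.findtext("Name") or "").strip()
        path = (proc.findtext("Path") or "").strip()
        processes.append((name, path))
    return processes


def find_watchlisted(xml_text, watchlist):
    """Return the processes whose name matches the watchlist (case-insensitive)."""
    wanted = {n.lower() for n in watchlist}
    return [p for p in parse_snapshot(xml_text) if p[0].lower() in wanted]
```

The returned (name, path) pairs are what a playbook would hand to accessdata-legacyagent-get-memorydump for the agent whose snapshot was read.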

Check the status of a job

Checks the status of a job.

Base Command

accessdata-jobstatus-scan

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| caseJobID | The concatenated CaseID and JobID, for example “1_800”. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Accessdata.Job.CaseID | string | The ID of the case. |
| Accessdata.Job.ID | string | The ID of the job. |
| Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example “1_800”. |
| Accessdata.Job.State | string | The execution state of the job. |

Command Example

accessdata-jobstatus-scan caseJobID=2_153

Context Example

{
    "Accessdata.Job": {
        "ID": "153",
        "CaseID": "2",
        "State": "Success",
        "CaseJobID": "2_153"
    }
}

Human Readable Output

Current job state: Success

Get a snapshot of a path

Gets the path of the snapshot produced by a process list job.

Base Command

accessdata-get-jobstatus-processlist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| caseID | The ID of the case. | Required |
| jobID | The ID of the job. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Accessdata.Job.State | string | The state of the job. |
| Accessdata.Job.Result | string | The path of the snapshot containing the process list. |
| Accessdata.Job.ID | number | The ID of the job. |
| Accessdata.Job.CaseID | number | The case ID of the job. |
| Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example “1_800”. |

Command Example

accessdata-get-jobstatus-processlist caseID=2 jobID=153

Context Example

{
    "Accessdata.Job": {
        "ID": "153",
        "Result": "\\\\X.X.X.X\\D$\\paths\\cases\\ProcessingHelperCase\\b389a8e9-4ce4-473d-8d2e-9026f53f925c\\Jobs\\job_153\\fa9787a3-49a1-4d73-a194-7c944eb9a3bf\\1\\snapshot.xml",
        "CaseID": "2",
        "State": "Success",
        "CaseJobID": "2_153"
    }
}

Human Readable Output

\\X.X.X.X\D$\paths\cases\ProcessingHelperCase\b389a8e9-4ce4-473d-8d2e-9026f53f925c\Jobs\job_153\fa9787a3-49a1-4d73-a194-7c944eb9a3bf\1\snapshot.xml

Get a memory dump

Gets the path of the memory dump produced by a memory dump job.

Base Command

accessdata-get-jobstatus-memorydump

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| caseID | The ID of the case. | Required |
| jobID | The ID of the job. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Accessdata.Job.State | string | The state of the job. |
| Accessdata.Job.Result | string | The path of the memory dump. |
| Accessdata.Job.ID | number | The ID of the job. |
| Accessdata.Job.CaseID | number | The case ID of the job. |
| Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example “1_800”. |

Command Example

accessdata-get-jobstatus-memorydump caseID=2 jobID=154

Context Example

{
    "Accessdata.Job": {
        "ID": "154",
        "Result": "\\\\X.X.X.X\\data\\SiteServer\\storage\\60564598-ca55-475c-9f27-ab4992e8ff46\\1\\memdump.mem",
        "CaseID": "2",
        "State": "Success",
        "CaseJobID": "2_154"
    }
}

Human Readable Output

\\X.X.X.X\data\SiteServer\storage\60564598-ca55-475c-9f27-ab4992e8ff46\1\memdump.mem

Get the processing case ID

Returns the ID of the processing case.

Base Command

accessdata-get-processing-case-id

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Accessdata.ProcessingCaseId | string | The ID of the processing case. |

Command Example

accessdata-get-processing-case-id

Context Example

{
    "Accessdata.ProcessingCaseId": 2
}

Human Readable Output

2