Accessdata
Use the Quin-C AccessData integration to protect against and provide additional visibility into phishing and other malicious email attacks. This integration was integrated and tested with version 20190926 of Quin-C Accessdata.
Documentation for the integration was provided by Quin-C.
AccessData Playbook
For example, you can look at “Accessdata: Dump memory for malicious process” playbook to understand how to use this integration.
Configure AccessData on Demisto
Navigate to Settings > Integrations > Servers & Services.
Search for Accessdata.
Click Add instance to create and configure a new integration instance.
Parameter Description Example Name A meaningful name for the integration instance. Quin-C Instance Alpha Server URL The URL to the AccessData server, including the scheme. FQDN or IP address in X.X.X.X format with scheme specified. Token A piece of data that servers use to verify for authenticity eea810f5-a6f6 Trust any certificate (not secure) When selected, certificates are not checked. N/A Use system proxy settings Runs the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration. https://proxyserver.com Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Get a process list
Returns a list of processes from the legacy agent.
Base Command
accessdata-legacyagent-get-processlist
Input
| Argument Name | Description | Required |
|---|---|---|
| caseid | The ID of the case. | Optional |
| target_ip | The IP address of the agent. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Accessdata.Job.ID | string | The ID of the job. |
| Accessdata.Job.CaseID | string | The ID of the case. |
| Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example, like “1_800”. |
| Accessdata.Job.Type | string | The job type. |
| Accessdata.Job.State | string | The execution state of the job. |
Command Example
Context Example
Human Readable Output
JobID: 157
Create a legacy agent memory dump
Creates a legacy agent memory dump.
Base Command
accessdata-legacyagent-get-memorydump
Input
| Argument Name | Description | Required |
|---|---|---|
| caseid | The ID of the case. | Optional |
| target_ip | The IP address of the agent. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Accessdata.Job.ID | string | The ID of the job. |
| Accessdata.Job.CaseID | string | The ID of the case. |
| Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example, like “1_800”. |
| Accessdata.Job.Type | string | The job type. |
| Accessdata.Job.State | string | The execution state of the job. |
Command Example
Context Example
Human Readable Output
JobID: 158
Read a file from a case folder
Reads a file from a case folder and puts the contents into the context output.
Base Command
accessdata-read-casefile
Input
| Argument Name | Description | Required |
|---|---|---|
| filepath | The path to the case file. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Accessdata.File.Contents | string | The contents of the file. |
Command Example
Context Example
Human Readable Output
Check the status of a job
Checks the status of a job.
Base Command
accessdata-jobstatus-scan
Input
| Argument Name | Description | Required |
|---|---|---|
| caseJobID | The concatenated CaseID and JobID, for example, “1_800”. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Accessdata.Job.CaseID | string | The ID of the case. |
| Accessdata.Job.ID | string | The ID of the job. |
| Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example, like “1_800”. |
| Accessdata.Job.State | string | The execution state of the job. |
Command Example
Context Example
Human Readable Output
Current job state: Success
Get a snapshot of a path
Gets a snapshot of the path from the results of the process list job.
Base Command
accessdata-get-jobstatus-processlist
Input
| Argument Name | Description | Required |
|---|---|---|
| caseID | The ID of the case. | Required |
| jobID | The ID of the job. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Accessdata.Job.State | string | The state of the job. |
| Accessdata.Job.Result | string | The snapshot of the path with the processes list. |
| Accessdata.Job.ID | number | The ID of the job. |
| Accessdata.Job.CaseID | number | The case ID of the job. |
| Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example, like “1_800”. |
Command Example
Context Example
Human Readable Output
\X.X.X.X\D$\paths\cases\ProcessingHelperCase\b389a8e9-4ce4-473d-8d2e-9026f53f925c\Jobs\job_153\fa9787a3-49a1-4d73-a194-7c944eb9a3bf\1\snapshot.xml
Get a memory dump
Gets a memory dump path from the results of a memory dump job.
Base Command
accessdata-get-jobstatus-memorydump
Input
| Argument Name | Description | Required |
|---|---|---|
| caseID | The ID of the case. | Required |
| jobID | The ID of the job. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Accessdata.Job.State | string | The state of the job. |
| Accessdata.Job.Result | string | The path of the memory dump. |
| Accessdata.Job.ID | number | The ID of the job. |
| Accessdata.Job.CaseID | number | The case ID of the job. |
| Accessdata.Job.CaseJobID | string | The concatenated CaseID and JobID, for example, like “1_800”. |
Command Example
Context Example
Human Readable Output
\X.X.X.X\data\SiteServer\storage\60564598-ca55-475c-9f27-ab4992e8ff46\1\memdump.mem
Get an ID
Returns the ID of the processing case.
Base Command
accessdata-get-processing-case-id
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Accessdata.ProcessingCaseId | string | The ID of the processing case. |
Command Example
Context Example
Human Readable Output
2