AlphaSOC Wisdom

Overview

Use the AlphaSOC Wisdom domain enrichment and threat intelligence plugin for Demisto to retrieve flags from the AlphaSOC threat intelligence service. Once installed, you can use Demisto commands to retrieve category and feature data (known as flags) from AlphaSOC to enrich data within Demisto and guide runbooks (e.g. flagging a known C2 domain, phishing destination, a domain associated with unwanted programs, or a benign domain that is trusted by AlphaSOC).


Prerequisites

This integration requires an AlphaSOC API key. Navigate to https://alphasoc.com/wisdom/ to generate the API key. You can use the key for 30 days to evaluate the integration and additional context that AlphaSOC provides.

If you run into any problems using the integration, or wish to discuss licensing and API use beyond the 30 day evaluation period for the AlphaSOC Wisdom service, contact the AlphaSOC support team.


Configure the AlphaSOC integration on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for AlphaSOC Wisdom.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • AlphaSOC API key: the key generated at https://alphasoc.com/wisdom/.
  4. Click Test to validate the connection and API key.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Return a list of flags assigned to a domain: wisdom-domain-flags
  2. Return a list of flags assigned to an IP connection: wisdom-ip-flags

Return a list of flags assigned to a domain

Returns a list of flags (categories and features) assigned to a domain by AlphaSOC Threat Intelligence.

Base Command

wisdom-domain-flags

Input

  Input Parameter   Description
  domain            Internet domain or URL

Context Data

  Path          Description
  Domain.Name   Fully-qualified domain name (FQDN)
  Wisdom.Flag   AlphaSOC security category or feature

Command Examples
  • !wisdom-domain-flags domain=microsoft775.com
  • !wisdom-domain-flags domain=c0i8h8ac7e.bid
  • !wisdom-domain-flags domain=service.downloadadmin.com
  • !wisdom-domain-flags domain=luoxk.f3322.net
Raw Output

{
  "flags": [
    "c2"
  ]
}

Context Example

{
  "Wisdom": {
    "flags": [
      "c2"
    ]
  }
}

Return a list of flags assigned to an IP connection

Returns a list of flags (categories and features) assigned to an IP connection (defined by transport protocol, destination address, and destination port) by AlphaSOC Threat Intelligence.

Base Command

wisdom-ip-flags

Input

  Input Parameter   Description
  proto             Transport layer protocol (TCP, UDP, or ICMP)
  ip                Internet-based IPv4 or IPv6 address
  port              Destination port

Context Data

  Path          Description
  Wisdom.Flag   AlphaSOC security category or feature

Command Examples
  • !wisdom-ip-flags proto=tcp ip=182.176.178.74 port=1604
  • !wisdom-ip-flags proto=tcp ip=95.181.249.58 port=443
Raw Output

{
  "flags": [
    "tor"
  ]
}

Context Example

{
  "Wisdom": {
    "flags": [
      "tor"
    ]
  }
}