Deep Instinct

Overview


This integration was integrated and tested with version 2.3.1.17 of Deep Instinct.

Configure Deep Instinct on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Deep Instinct.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Base server URL
    • API Key
    • Fetch incidents
    • Incident type
    • First event ID to fetch from
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data


Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. deepinstinct-get-device
  2. deepinstinct-get-events
  3. deepinstinct-get-all-groups
  4. deepinstinct-get-all-policies
  5. deepinstinct-add-hash-to-blacklist
  6. deepinstinct-add-hash-to-whitelist
  7. deepinstinct-remove-hash-from-blacklist
  8. deepinstinct-remove-hash-from-whitelist
  9. deepinstinct-add-devices-to-group
  10. deepinstinct-remove-devices-from-group
  11. deepinstinct-delete-files-remotely
  12. deepinstinct-terminate-processes
  13. deepinstinct-close-events

1. deepinstinct-get-device


Get a specific device by its ID.

Base Command

deepinstinct-get-device

Input
Argument Name | Description | Required
device_id | The device ID | Required

Context Output

Path | Type | Description
DeepInstinct.devices.ID | number | Device ID
DeepInstinct.devices.os | string | Device OS
DeepInstinct.devices.osv | string | Device OS version
DeepInstinct.devices.ip_address | string | Device IP address
DeepInstinct.devices.mac_address | string | Device MAC address
DeepInstinct.devices.hostname | string | Device hostname
DeepInstinct.devices.domain | string | Device domain
DeepInstinct.devices.scanned_files | number | Number of files scanned on the device
DeepInstinct.devices.tag | string | Device tag
DeepInstinct.devices.connectivity_status | string | Device connectivity status
DeepInstinct.devices.deployment_status | string | Device deployment status
DeepInstinct.devices.last_registration | string | Device last registration datetime
DeepInstinct.devices.last_contact | string | Device last contact datetime
DeepInstinct.devices.distinguished_name | string | Device distinguished name
DeepInstinct.devices.group_name | string | Device group name
DeepInstinct.devices.group_id | number | Device group ID
DeepInstinct.devices.policy_name | string | Device policy name
DeepInstinct.devices.policy_id | number | Device policy ID
DeepInstinct.devices.log_status | string | Device log status
DeepInstinct.devices.agent_version | string | Device agent version
DeepInstinct.devices.brain_version | string | Device brain version
DeepInstinct.devices.msp_name | string | Device MSP name
DeepInstinct.devices.msp_id | number | Device MSP ID
DeepInstinct.devices.tenant_name | string | Device tenant name
DeepInstinct.devices.tenant_id | number | Device tenant ID
Command Example

!deepinstinct-get-device device_id=1

Context Example
{
"DeepInstinct.Devices": {
"last_registration": "2020-04-09T14:49:39.722292Z",
"domain": "",
"msp_name": "MSP 1",
"distinguished_name": "OU=Organizations & Sites,DC=bancshares,DC=mib",
"tenant_name": "Tenant 1",
"osv": "Windows",
"tag": "",
"id": 1,
"last_contact": "2020-04-09T14:49:39.711487Z",
"hostname": "Mock_2020-04-09 17:49:39.408405_1",
"mac_address": "00:00:00:00:00:00",
"brain_version": "115wt",
"connectivity_status": "EXPIRED",
"deployment_status": "REGISTERED",
"msp_id": 1,
"group_name": "Windows Default Group",
"ip_address": "192.168.88.80",
"log_status": "NA",
"tenant_id": 1,
"agent_version": "2.3.1.12",
"scanned_files": 0,
"policy_name": "Windows Default Policy",
"group_id": 3,
"os": "WINDOWS",
"policy_id": 3
}
}
Human Readable Output

Device

Field | Value
agent_version | 2.3.1.12
brain_version | 115wt
connectivity_status | EXPIRED
deployment_status | REGISTERED
distinguished_name | OU=Organizations & Sites,DC=bancshares,DC=mib
domain | (empty)
group_id | 3
group_name | Windows Default Group
hostname | Mock_2020-04-09 17:49:39.408405_1
id | 1
ip_address | 192.168.88.80
last_contact | 2020-04-09T14:49:39.711487Z
last_registration | 2020-04-09T14:49:39.722292Z
log_status | NA
mac_address | 00:00:00:00:00:00
msp_id | 1
msp_name | MSP 1
os | WINDOWS
osv | Windows
policy_id | 3
policy_name | Windows Default Policy
scanned_files | 0
tag | (empty)
tenant_id | 1
tenant_name | Tenant 1

2. deepinstinct-get-events


Get all events. A single response holds at most 50 events; use the first_event_id parameter to set the first event ID to return, and raise it past the last ID received to page through the rest.

Base Command

deepinstinct-get-events

Input
Argument Name | Description | Required
first_event_id | First event ID to return (a response holds at most 50 events) | Optional

Context Output

Path | Type | Description
DeepInstinct.Events.events.ID | number | Event ID
DeepInstinct.Events.events.device_id | number | Event device ID
DeepInstinct.Events.events.file_hash | string | Event file hash
DeepInstinct.Events.events.file_type | string | Event file type
DeepInstinct.Events.events.file_archive_hash | string | Event file archive hash
DeepInstinct.Events.events.path | unknown | Event file path
DeepInstinct.Events.events.file_size | number | Event file size
DeepInstinct.Events.events.threat_severity | string | Event threat severity
DeepInstinct.Events.events.deep_classification | string | Deep Instinct classification
DeepInstinct.Events.events.file_status | string | Event file status
DeepInstinct.Events.events.sandbox_status | string | Event sandbox status
DeepInstinct.Events.events.model | string | Event model
DeepInstinct.Events.events.type | string | Event type
DeepInstinct.Events.events.trigger | string | Event trigger
DeepInstinct.Events.events.action | string | Event action
DeepInstinct.Events.events.tenant_id | number | Event tenant ID
DeepInstinct.Events.events.msp_id | number | Event MSP ID
DeepInstinct.Events.events.status | unknown | Event status
DeepInstinct.Events.events.close_trigger | unknown | Event close trigger
DeepInstinct.Events.events.recorded_device_info | unknown | Event device info
DeepInstinct.Events.events.reoccurrence_count | number | Event reoccurrence count
Command Example

!deepinstinct-get-events

Context Example
{
"DeepInstinct.Events": [
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "d1838b541ff7ffe6489d120d89dfa855665fd2c708491f336c7267069387053f",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 18127052,
"close_timestamp": "2020-04-22T10:27:45.391625Z",
"id": 1,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:39.408405_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:41.170331Z",
"type": "STATIC_ANALYSIS",
"status": "CLOSED",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:41.154850Z",
"msp_id": 1,
"close_trigger": "CLOSED_BY_ADMIN",
"path": "c:\\temp\\file1.exe",
"reoccurrence_count": 0,
"device_id": 1,
"tenant_id": 1,
"file_archive_hash": "d1838b541ff7ffe6489d120d89dfa855665fd2c708491f336c7267069387053f",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "edf34902ff17838b4bc709ff15b5265dd49f652ee75a1adf69df9ae5bc52f960",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 15090736,
"close_timestamp": null,
"id": 2,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:41.170765_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:41.810047Z",
"type": "STATIC_ANALYSIS",
"status": "OPEN",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:41.805228Z",
"msp_id": 1,
"close_trigger": null,
"path": "c:\\temp\\file2.exe",
"reoccurrence_count": 0,
"device_id": 2,
"tenant_id": 1,
"file_archive_hash": "edf34902ff17838b4bc709ff15b5265dd49f652ee75a1adf69df9ae5bc52f960",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "5b40c30d3a3b5c532bb9d338defc0eee6161ace8baf9fabe3c0cb1e73eeb8571",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 6100823,
"close_timestamp": null,
"id": 3,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:41.826874_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:42.406046Z",
"type": "STATIC_ANALYSIS",
"status": "OPEN",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:42.400310Z",
"msp_id": 1,
"close_trigger": null,
"path": "c:\\temp\\file2.exe",
"reoccurrence_count": 0,
"device_id": 3,
"tenant_id": 1,
"file_archive_hash": "5b40c30d3a3b5c532bb9d338defc0eee6161ace8baf9fabe3c0cb1e73eeb8571",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "727c2de729aa5fc471628a7bcfdf80353286a8a3981b9f0ffb58826e11518e3a",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 1274571,
"close_timestamp": null,
"id": 4,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:42.419868_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:43.096316Z",
"type": "STATIC_ANALYSIS",
"status": "OPEN",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:43.091237Z",
"msp_id": 1,
"close_trigger": null,
"path": "c:\\temp\\file3.exe",
"reoccurrence_count": 0,
"device_id": 4,
"tenant_id": 1,
"file_archive_hash": "727c2de729aa5fc471628a7bcfdf80353286a8a3981b9f0ffb58826e11518e3a",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "59c6185cc5fb87f8be1cbfc0903d1486c892bd2f84c1fab685eecd1517d041cf",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 5797166,
"close_timestamp": null,
"id": 5,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:43.110126_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:43.829681Z",
"type": "STATIC_ANALYSIS",
"status": "OPEN",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:43.821976Z",
"msp_id": 1,
"close_trigger": null,
"path": "c:\\temp\\file4.exe",
"reoccurrence_count": 0,
"device_id": 5,
"tenant_id": 1,
"file_archive_hash": "59c6185cc5fb87f8be1cbfc0903d1486c892bd2f84c1fab685eecd1517d041cf",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "8e83ec9a47265ed552f5369d25ae8f82074be91162c77d55dea5895637770e42",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 20730162,
"close_timestamp": null,
"id": 6,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:43.843723_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:44.453057Z",
"type": "STATIC_ANALYSIS",
"status": "OPEN",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:44.446870Z",
"msp_id": 1,
"close_trigger": null,
"path": "c:\\temp\\file5.exe",
"reoccurrence_count": 0,
"device_id": 6,
"tenant_id": 1,
"file_archive_hash": "8e83ec9a47265ed552f5369d25ae8f82074be91162c77d55dea5895637770e42",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "5fd4efe63a89a08e860a4a53c1efd7773d7ffc07a279be04bab5860492ce4dd4",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 9009328,
"close_timestamp": "2020-04-20T11:45:00.987088Z",
"id": 7,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:44.464658_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:45.101055Z",
"type": "STATIC_ANALYSIS",
"status": "CLOSED",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:45.096553Z",
"msp_id": 1,
"close_trigger": "CLOSED_BY_ADMIN",
"path": "c:\\temp\\file6.exe",
"reoccurrence_count": 0,
"device_id": 7,
"tenant_id": 1,
"file_archive_hash": "5fd4efe63a89a08e860a4a53c1efd7773d7ffc07a279be04bab5860492ce4dd4",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "56bb8166c11e63dbbc42b18ad61c27d0df2346e72deb6235ba166f97169aad2d",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 6975122,
"close_timestamp": "2020-04-12T10:12:45.428138Z",
"id": 8,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:45.116724_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:45.889202Z",
"type": "STATIC_ANALYSIS",
"status": "CLOSED",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:45.884910Z",
"msp_id": 1,
"close_trigger": "CLOSED_BY_ADMIN",
"path": "c:\\temp\\file7.exe",
"reoccurrence_count": 0,
"device_id": 8,
"tenant_id": 1,
"file_archive_hash": "56bb8166c11e63dbbc42b18ad61c27d0df2346e72deb6235ba166f97169aad2d",
"action": "PREVENTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "fbf76ae6c929d5b094e376e93ef7486f0527a4060c09f0dd1ebaf073b21dd81d",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 11929486,
"close_timestamp": "2020-04-12T10:12:45.428138Z",
"id": 9,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:45.906650_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:46.515957Z",
"type": "STATIC_ANALYSIS",
"status": "CLOSED",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:46.510849Z",
"msp_id": 1,
"close_trigger": "CLOSED_BY_ADMIN",
"path": "c:\\temp\\file8.exe",
"reoccurrence_count": 0,
"device_id": 9,
"tenant_id": 1,
"file_archive_hash": "fbf76ae6c929d5b094e376e93ef7486f0527a4060c09f0dd1ebaf073b21dd81d",
"action": "DETECTED",
"model": "FileEvent",
"certificate_vendor_name": null
},
{
"comment": null,
"last_action": null,
"file_type": "ZIP",
"tenant_name": "Tenant 1",
"deep_classification": null,
"file_hash": "0a733f0b309cc330641a1205b928ae80cfd1f129d8c5df2e03f5cde13215b4b2",
"threat_severity": "NONE",
"file_status": "NOT_UPLOADED",
"file_size": 18723521,
"close_timestamp": "2020-04-12T09:41:19.991511Z",
"id": 10,
"msp_name": "MSP 1",
"last_reoccurrence": null,
"sandbox_status": "NOT_READY_TO_GENERATE",
"trigger": "BRAIN",
"recorded_device_info": {
"tenant_name": "Tenant 1",
"hostname": "Mock_2020-04-09 17:49:46.533149_1",
"policy_name": "Windows Default Policy",
"tag": "",
"mac_address": "00:00:00:00:00:00",
"group_name": "Windows Default Group",
"os": "WINDOWS"
},
"insertion_timestamp": "2020-04-09T14:49:47.192314Z",
"type": "STATIC_ANALYSIS",
"status": "CLOSED",
"certificate_thumbprint": null,
"timestamp": "2020-04-09T14:49:47.187327Z",
"msp_id": 1,
"close_trigger": "CLOSED_BY_ADMIN",
"path": "c:\\temp\\file9.exe",
"reoccurrence_count": 0,
"device_id": 10,
"tenant_id": 1,
"file_archive_hash": "0a733f0b309cc330641a1205b928ae80cfd1f129d8c5df2e03f5cde13215b4b2",
"action": "DETECTED",
"model": "FileEvent",
"certificate_vendor_name": null
}
]
}
Human Readable Output

Events

One row per event; the columns that vary between rows are shown here, the remaining columns repeat the fields listed in the Context Example above.

id | device_id | action | status | close_trigger | close_timestamp | path
1 | 1 | PREVENTED | CLOSED | CLOSED_BY_ADMIN | 2020-04-22T10:27:45.391625Z | c:\temp\file1.exe
2 | 2 | PREVENTED | OPEN | | | c:\temp\file1.exe
3 | 3 | PREVENTED | OPEN | | | c:\temp\file2.exe
4 | 4 | PREVENTED | OPEN | | | c:\temp\file3.exe
5 | 5 | PREVENTED | OPEN | | | c:\temp\file4.exe
6 | 6 | PREVENTED | OPEN | | | c:\temp\file5.exe
7 | 7 | PREVENTED | CLOSED | CLOSED_BY_ADMIN | 2020-04-20T11:45:00.987088Z | c:\temp\file6.exe
8 | 8 | PREVENTED | CLOSED | CLOSED_BY_ADMIN | 2020-04-12T10:12:45.428138Z | c:\temp\file7.exe
9 | 9 | DETECTED | CLOSED | CLOSED_BY_ADMIN | 2020-04-12T10:12:45.428138Z | c:\temp\file8.exe
10 | 10 | DETECTED | CLOSED | CLOSED_BY_ADMIN | 2020-04-12T09:41:19.991511Z | c:\temp\file9.exe

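The paging rule described for deepinstinct-get-events (at most 50 events per response, advance first_event_id to get the next batch), worked through as an added example that is not part of the integration's own code. MockDeepInstinctAPI and make_mock_events are constructed stand-ins for the real client and its data; fetch_incidents mirrors the integration's fetch-incidents flow (the "first event ID to fetch from" parameter plus a persisted last-ID cursor) but is written here for illustration and is not the integration's implementation.

```python
import json
from typing import Callable, Dict, List, Tuple

PAGE_SIZE = 50  # the command doc states a single get-events response holds at most 50 events


def make_mock_events(n: int) -> List[Dict]:
    """Constructed sample events shaped like the Context Example above (not real API output)."""
    return [
        {
            "id": i,
            "device_id": i,
            "status": "CLOSED" if i % 4 == 0 else "OPEN",
            "action": "DETECTED" if i % 5 == 0 else "PREVENTED",
            "file_hash": f"{i:064x}",  # placeholder 64-hex-char value, not a real hash
            "path": f"c:\\temp\\file{i}.exe",
            "threat_severity": "NONE",
            "type": "STATIC_ANALYSIS",
            "timestamp": f"2020-04-09T14:49:{i % 60:02d}.000000Z",
        }
        for i in range(1, n + 1)
    ]


class MockDeepInstinctAPI:
    """Hypothetical stand-in for the API client: serves events with id >= first_event_id, 50 per call."""

    def __init__(self, events: List[Dict]):
        self.events = sorted(events, key=lambda e: e["id"])
        self.calls = 0

    def get_events(self, first_event_id: int) -> List[Dict]:
        self.calls += 1
        return [e for e in self.events if e["id"] >= first_event_id][:PAGE_SIZE]


def fetch_all_events(get_events: Callable[[int], List[Dict]], first_event_id: int = 0) -> List[Dict]:
    """Walk the whole event stream by advancing first_event_id past the highest id seen.

    Stops on an empty page, and also when a page brings nothing new, so a server that keeps
    returning the same events cannot make the loop spin forever.
    """
    collected: List[Dict] = []
    seen = set()
    next_id = first_event_id
    while True:
        page = get_events(next_id)
        if not page:
            break
        new = [e for e in page if e["id"] not in seen]
        if not new:
            break
        collected.extend(new)
        seen.update(e["id"] for e in new)
        next_id = max(e["id"] for e in page) + 1
    return collected


def fetch_incidents(get_events: Callable[[int], List[Dict]], last_run: Dict,
                    first_event_id_param: int = 0) -> Tuple[Dict, List[Dict]]:
    """Fetch-incidents style cursor over the event stream (illustrative, not the integration's code).

    last_run is the state persisted between runs ({"last_event_id": N}); the first run starts
    from the "first event ID to fetch from" parameter. Only OPEN events become incidents, and
    the returned state lets the next run resume after the last id already ingested.
    """
    if "last_event_id" in last_run:
        start = last_run["last_event_id"] + 1
    else:
        start = first_event_id_param
    events = fetch_all_events(get_events, start)
    incidents = [
        {
            "name": f"Deep Instinct event {e['id']}: {e['action']} {e['path']}",
            "occurred": e["timestamp"],
            "rawJSON": json.dumps(e),  # full event kept for the incident layout and playbooks
        }
        for e in events
        if e["status"] == "OPEN"
    ]
    last_id = max((e["id"] for e in events), default=start - 1)
    return {"last_event_id": last_id}, incidents
```

With 120 mock events the first run needs four API calls (50, 50, 20, then an empty page) and yields 90 incidents for the OPEN events; a second run with the returned state fetches nothing.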
3. deepinstinct-get-all-groups


Get all groups.

Base Command

deepinstinct-get-all-groups

Input
There are no input arguments for this command.

Context Output

Path | Type | Description
DeepInstinct.Groups.ID | number | Group ID
DeepInstinct.Groups.os | string | Group operating system
DeepInstinct.Groups.name | string | Group name
DeepInstinct.Groups.policy_id | number | Group policy ID
DeepInstinct.Groups.is_default_group | boolean | True if the group is a default group, false otherwise
DeepInstinct.Groups.msp_name | string | MSP name
DeepInstinct.Groups.msp_id | number | MSP ID
Command Example

!deepinstinct-get-all-groups

Context Example
{
"DeepInstinct.Groups": [
{
"name": "Android Default Group",
"msp_name": "MSP 1",
"msp_id": 1,
"is_default_group": true,
"os": "ANDROID",
"id": 1,
"policy_id": 1
},
{
"name": "iOS Default Group",
"msp_name": "MSP 1",
"msp_id": 1,
"is_default_group": true,
"os": "IOS",
"id": 2,
"policy_id": 2
},
{
"name": "Windows Default Group",
"msp_name": "MSP 1",
"msp_id": 1,
"is_default_group": true,
"os": "WINDOWS",
"id": 3,
"policy_id": 3
},
{
"name": "macOS Default Group",
"msp_name": "MSP 1",
"msp_id": 1,
"is_default_group": true,
"os": "MAC",
"id": 4,
"policy_id": 4
},
{
"name": "Chrome OS Default Group",
"msp_name": "MSP 1",
"msp_id": 1,
"is_default_group": true,
"os": "CHROME",
"id": 5,
"policy_id": 5
},
{
"name": "Test",
"msp_name": "MSP 1",
"msp_id": 1,
"is_default_group": false,
"priority": 1,
"os": "WINDOWS",
"id": 6,
"policy_id": 3
}
]
}
Human Readable Output

Groups

id | is_default_group | msp_id | msp_name | name | os | policy_id
1 | true | 1 | MSP 1 | Android Default Group | ANDROID | 1
2 | true | 1 | MSP 1 | iOS Default Group | IOS | 2
3 | true | 1 | MSP 1 | Windows Default Group | WINDOWS | 3
4 | true | 1 | MSP 1 | macOS Default Group | MAC | 4
5 | true | 1 | MSP 1 | Chrome OS Default Group | CHROME | 5
6 | false | 1 | MSP 1 | Test | WINDOWS | 3

4. deepinstinct-get-all-policies


Get all policies.

Base Command

deepinstinct-get-all-policies

Input
There are no input arguments for this command.

Context Output

Path | Type | Description
DeepInstinct.Policies.ID | number | Policy ID
DeepInstinct.Policies.name | string | Policy name
DeepInstinct.Policies.os | string | Policy operating system
DeepInstinct.Policies.is_default_policy | boolean | True if the policy is a default policy, false otherwise
DeepInstinct.Policies.msp_id | number | MSP ID
DeepInstinct.Policies.msp_name | string | MSP name
Command Example

!deepinstinct-get-all-policies

Context Example
{
"DeepInstinct.Policies": [
{
"name": "iOS Default Policy",
"is_default_policy": true,
"msp_id": 1,
"msp_name": "MSP 1",
"os": "IOS",
"id": 2
},
{
"name": "Windows Default Policy",
"is_default_policy": true,
"msp_id": 1,
"msp_name": "MSP 1",
"os": "WINDOWS",
"id": 3
},
{
"name": "macOS Default Policy",
"is_default_policy": true,
"msp_id": 1,
"msp_name": "MSP 1",
"os": "MAC",
"id": 4
},
{
"name": "Chrome OS Default Policy",
"is_default_policy": true,
"msp_id": 1,
"msp_name": "MSP 1",
"os": "CHROME",
"id": 5
},
{
"name": "testPolicy",
"is_default_policy": false,
"msp_id": 1,
"msp_name": "MSP 1",
"os": "WINDOWS",
"id": 6
},
{
"name": "Android Default Policy",
"is_default_policy": true,
"msp_id": 1,
"msp_name": "MSP 1",
"os": "ANDROID",
"id": 1
}
]
}
Human Readable Output

Policies

id | is_default_policy | msp_id | msp_name | name | os
2 | true | 1 | MSP 1 | iOS Default Policy | IOS
3 | true | 1 | MSP 1 | Windows Default Policy | WINDOWS
4 | true | 1 | MSP 1 | macOS Default Policy | MAC
5 | true | 1 | MSP 1 | Chrome OS Default Policy | CHROME
6 | false | 1 | MSP 1 | testPolicy | WINDOWS
1 | true | 1 | MSP 1 | Android Default Policy | ANDROID

5. deepinstinct-add-hash-to-blacklist


Add a file hash to the blacklist of a policy.

Base Command

deepinstinct-add-hash-to-blacklist

Input
Argument Name | Description | Required
policy_id | Policy ID | Required
file_hash | File hash | Required
comment | Optional comment to attach to the hash entry | Optional
Context Output

There is no context output for this command.

Command Example

!deepinstinct-add-hash-to-blacklist file_hash=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb00 policy_id=6 comment=mycomment

Human Readable Output

ok

6. deepinstinct-add-hash-to-whitelist


Add a file hash to the whitelist of a policy.

Base Command

deepinstinct-add-hash-to-whitelist

Input
Argument Name | Description | Required
policy_id | Policy ID | Required
file_hash | File hash | Required
comment | Optional comment to attach to the hash entry | Optional
Context Output

There is no context output for this command.

Command Example

!deepinstinct-add-hash-to-whitelist file_hash=wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww00 policy_id=6 comment=mycomment

Human Readable Output

ok

7. deepinstinct-remove-hash-from-blacklist


Remove a file hash from the blacklist of a policy.

Base Command

deepinstinct-remove-hash-from-blacklist

Input
Argument Name | Description | Required
policy_id | Policy ID | Required
file_hash | File hash | Required
Context Output

There is no context output for this command.

Command Example

!deepinstinct-remove-hash-from-blacklist file_hash=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb00 policy_id=6

Human Readable Output

ok

8. deepinstinct-remove-hash-from-whitelist


Remove a file hash from the whitelist of a policy.

Base Command

deepinstinct-remove-hash-from-whitelist

Input
Argument Name | Description | Required
policy_id | Policy ID | Required
file_hash | File hash | Required
Context Output

There is no context output for this command.

Command Example

!deepinstinct-remove-hash-from-whitelist file_hash=wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww00 policy_id=6

Human Readable Output

ok

9. deepinstinct-add-devices-to-group


Add multiple devices to a group.

Base Command

deepinstinct-add-devices-to-group

Input
Argument Name | Description | Required
group_id | Group ID | Required
device_ids | Comma-separated list of device IDs | Required
Context Output

There is no context output for this command.

Command Example

!deepinstinct-add-devices-to-group device_ids=1 group_id=6

Human Readable Output

ok

10. deepinstinct-remove-devices-from-group


Remove a list of devices from a group.

Base Command

deepinstinct-remove-devices-from-group

Input
Argument Name | Description | Required
group_id | Group ID to remove the devices from | Required
device_ids | Comma-separated list of device IDs to remove | Required
Context Output

There is no context output for this command.

Command Example

!deepinstinct-remove-devices-from-group device_ids=1 group_id=6

Human Readable Output

ok

11. deepinstinct-delete-files-remotely


Delete multiple files remotely, identified by the events that reported them.

Base Command

deepinstinct-delete-files-remotely

Input
Argument Name | Description | Required
event_ids | Comma-separated list of event IDs | Required
Context Output

There is no context output for this command.

Command Example

!deepinstinct-delete-files-remotely event_ids=1

Human Readable Output

ok

12. deepinstinct-terminate-processes


Terminate a list of processes, identified by the events that reported them.

Base Command

deepinstinct-terminate-processes

Input
Argument Name | Description | Required
event_ids | Comma-separated list of event IDs | Required
Context Output

There is no context output for this command.

Command Example

!deepinstinct-terminate-processes event_ids=1,2

Human Readable Output

ok

13. deepinstinct-close-events


Close a list of events.

Base Command

deepinstinct-close-events

Input
Argument Name | Description | Required
event_ids | Comma-separated list of event IDs | Required
Context Output

There is no context output for this command.

Command Example

!deepinstinct-close-events event_ids=1

Human Readable Output

ok