iDefense v2

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

iDefense provides intelligence regarding security threats and vulnerabilities. This integration was integrated and tested with version v2.58.0 of iDefense.

Configure iDefense v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for iDefense v2.
  3. Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| url | URL | True |
| api_token | API Token | True |
| insecure | Trust any certificate (not secure) | False |
| use_proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#


Checks the reputation of the given IP address.

Base Command#

ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to check. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The IP address that was checked. |
| IP.Malicious.Vendor | String | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | String | For malicious IP addresses, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor that was used to calculate the score. |
| DBotScore.Score | String | The actual score. |

Command Example#

```
!ip ip=0.0.0.0
```

Context Example#

```json
{
    "DBotScore": {
        "Indicator": "0.0.0.0",
        "Score": 2,
        "Type": "ip",
        "Vendor": "iDefense"
    },
    "IP": {
        "Address": "0.0.0.0"
    }
}
```

Human Readable Output#

Results#

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 0 | 2 | 2018-04-25 14:20:30 | 0.0.0.0 | Cyber Espionage | MALWARE_DOWNLOAD, MALWARE_C2 |

domain#


Checks the reputation of the given domain.

Base Command#

domain

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain to check. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The name of the domain that was checked. |
| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | String | For malicious domains, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example#

```
!domain domain=example.org
```

Context Example#

```json
{
    "DBotScore": {
        "Indicator": "example.org",
        "Score": 2,
        "Type": "domain",
        "Vendor": "iDefense"
    },
    "Domain": {
        "Name": "example.org"
    }
}
```

Human Readable Output#

Results#

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 50 | 2 | 2019-09-18 15:56:49 | example.org | Cyber Crime | MALWARE_C2 |

url#


Checks the reputation of the given URL.

Base Command#

url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | The URL to check (must start with "http://"). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| URL.Data | String | The URL that was checked. |
| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | String | For malicious URLs, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example#

```
!url url=http://example.com
```

Context Example#

```json
{
    "DBotScore": {
        "Indicator": "http://example.com",
        "Score": 2,
        "Type": "url",
        "Vendor": "iDefense"
    },
    "URL": {
        "Data": "http://example.com"
    }
}
```

Human Readable Output#

Results#

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 50 | 2 | 2020-09-16 20:29:35 | http://example.com | Cyber Crime | MALWARE_C2 |
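The ip, domain and url commands above (and idefense-get-ioc-by-uuid below) all write the same two context objects: a DBotScore entry and an indicator entry whose Malicious sub-object is only present for a malicious verdict. The following is an added illustration, not the integration's own code, of how a playbook author can reason about that shape. It assumes the standard Cortex XSOAR DBotScore scale (0 unknown, 1 good, 2 suspicious, 3 bad); the function names `build_reputation_context` and `is_malicious` are hypothetical, and the sample values are constructed to match the Context Examples on this page.

```python
"""Build Cortex XSOAR context entries in the shape documented for this integration.

Added example (not the iDefense v2 integration's code). Assumes the standard
DBotScore scale: 0 = unknown, 1 = good, 2 = suspicious, 3 = bad.
"""
import json
from typing import Dict, Optional

# Standard DBotScore values used by Cortex XSOAR reputation commands.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3

# Root context key and value field for each indicator type documented above.
_INDICATOR_PATHS = {
    "ip": ("IP", "Address"),
    "domain": ("Domain", "Name"),
    "url": ("URL", "Data"),
}


def build_reputation_context(indicator: str, indicator_type: str, score: int,
                             description: Optional[str] = None,
                             vendor: str = "iDefense") -> Dict[str, dict]:
    """Return the DBotScore and indicator context for one reputation lookup.

    The Malicious sub-object (Vendor, Description) is populated only when the
    score is 3 (bad), which is what the "for malicious ..." paths above mean.
    """
    if indicator_type not in _INDICATOR_PATHS:
        raise ValueError(f"unsupported indicator type: {indicator_type}")
    if score not in (DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD):
        raise ValueError(f"DBotScore must be 0-3, got {score}")
    # The url command documents that its argument must start with "http://".
    if indicator_type == "url" and not indicator.startswith("http://"):
        raise ValueError('url argument must start with "http://"')

    root_key, value_field = _INDICATOR_PATHS[indicator_type]
    indicator_entry: dict = {value_field: indicator}
    if score == DBOT_BAD:
        indicator_entry["Malicious"] = {
            "Vendor": vendor,
            "Description": description or "",
        }
    return {
        "DBotScore": {
            "Indicator": indicator,
            "Type": indicator_type,
            "Vendor": vendor,
            "Score": score,
        },
        root_key: indicator_entry,
    }


def is_malicious(context: Dict[str, dict]) -> bool:
    """Playbook-style branch condition: True only for a bad (3) verdict."""
    return context["DBotScore"]["Score"] == DBOT_BAD


if __name__ == "__main__":
    # Constructed sample mirroring the Context Example for `!ip ip=0.0.0.0`.
    sample = build_reputation_context("0.0.0.0", "ip", DBOT_SUSPICIOUS)
    print(json.dumps(sample, indent=2))
    print("malicious:", is_malicious(sample))
```

A score of 2 (suspicious), as in every Context Example on this page, therefore yields no `Malicious` key; a playbook that branches on `IP.Malicious.Vendor` being present will treat such results as not malicious, while one that branches on `DBotScore.Score` can distinguish suspicious from unknown.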

idefense-get-ioc-by-uuid#


Gets the reputation of a specific indicator.

Base Command#

idefense-get-ioc-by-uuid

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | Unique User ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The IP address. |
| IP.Malicious.Vendor | String | For malicious IPs, the vendor that made the decision. |
| IP.Malicious.Description | String | For malicious IPs, the reason the vendor made that decision. |
| Domain.Name | String | The domain name. |
| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | String | For malicious domains, the reason the vendor made that decision. |
| URL.Data | String | The URL. |
| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | String | For malicious URLs, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example#

```
!idefense-get-ioc-by-uuid uuid=xxxx
```

Context Example#

```json
{
    "DBotScore": {
        "Indicator": "example.org",
        "Score": 2,
        "Type": "domain",
        "Vendor": "iDefense"
    },
    "Domain": {
        "Name": "example.org"
    }
}
```

Human Readable Output#

Results#

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 0 | 2 | 2017-01-11 20:56:22 | example.org | Cyber Espionage | MALWARE_C2 |