iDefense v2

iDefense provides intelligence regarding security threats and vulnerabilities. This integration was integrated and tested with version v2.58.0 of iDefense.

Configure iDefense v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for iDefense v2.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | URL | True |
| api_token | API Token | True |
| insecure | Trust any certificate (not secure) | False |
| use_proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip


Checks the reputation of the given IP address.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to check. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The IP address that was checked. |
| IP.Malicious.Vendor | String | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | String | For malicious IP addresses, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor that was used to calculate the score. |
| DBotScore.Score | String | The actual score. |

Command Example

!ip ip=0.0.0.0

Context Example

{
    "DBotScore": {
        "Indicator": "0.0.0.0",
        "Score": 2,
        "Type": "ip",
        "Vendor": "iDefense"
    },
    "IP": {
        "Address": "0.0.0.0"
    }
}

Human Readable Output

Results

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 0 | 2 | 2018-04-25 14:20:30 | 0.0.0.0 | Cyber Espionage | MALWARE_DOWNLOAD, MALWARE_C2 |

domain


Checks the reputation of the given domain.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain to check. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The name of the domain that was checked. |
| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | String | For malicious domains, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

!domain domain=example.org

Context Example

{
    "DBotScore": {
        "Indicator": "example.org",
        "Score": 2,
        "Type": "domain",
        "Vendor": "iDefense"
    },
    "Domain": {
        "Name": "example.org"
    }
}

Human Readable Output

Results

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 50 | 2 | 2019-09-18 15:56:49 | example.org | Cyber Crime | MALWARE_C2 |

url


Checks the reputation of the given URL.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | The URL to check (must start with "http://"). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| URL.Data | String | The URL that was checked. |
| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | String | For malicious URLs, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

!url url=http://example.com

Context Example

{
    "DBotScore": {
        "Indicator": "http://example.com",
        "Score": 2,
        "Type": "url",
        "Vendor": "iDefense"
    },
    "URL": {
        "Data": "http://example.com"
    }
}

Human Readable Output

Results

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 50 | 2 | 2020-09-16 20:29:35 | http://example.com | Cyber Crime | MALWARE_C2 |

idefense-get-ioc-by-uuid


Gets the reputation of a specific indicator.

Base Command

idefense-get-ioc-by-uuid

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | Unique User ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The IP address. |
| IP.Malicious.Vendor | String | For malicious IPs, the vendor that made the decision. |
| IP.Malicious.Description | String | For malicious IPs, the reason the vendor made that decision. |
| Domain.Name | String | The domain name. |
| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | String | For malicious domains, the reason the vendor made that decision. |
| URL.Data | String | The URL. |
| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | String | For malicious URLs, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

!idefense-get-ioc-by-uuid uuid=xxxx

Context Example

{
    "DBotScore": {
        "Indicator": "example.org",
        "Score": 2,
        "Type": "domain",
        "Vendor": "iDefense"
    },
    "Domain": {
        "Name": "example.org"
    }
}

Human Readable Output

Results

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 0 | 2 | 2017-01-11 20:56:22 | example.org | Cyber Espionage | MALWARE_C2 |
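
Consuming the context output

The following Python is an added example, not code from the iDefense integration. It normalizes the context output of the four commands above into one flat verdict record, coercing DBotScore.Score because the tables list it as String for ip and Number for the other commands. The function name summarize, the verdict labels (Cortex XSOAR's standard 0-3 DBot scale, which this page does not state) and the second sample are assumptions.

```python
import json

# Cortex XSOAR's standard DBot score scale (an assumption; not stated on this page).
VERDICTS = {0: "unknown", 1: "good", 2: "suspicious", 3: "bad"}

# Context key and value field per indicator type, from the Context Output tables.
ENTITY_FIELDS = {"ip": ("IP", "Address"), "domain": ("Domain", "Name"), "url": ("URL", "Data")}


def summarize(context):
    """Normalize one command's context output into a flat verdict record."""
    dbot = context["DBotScore"]
    # The ip table lists Score as String and the others as Number: coerce.
    score = int(dbot["Score"])
    if score not in VERDICTS:
        raise ValueError(f"unexpected DBot score: {score!r}")
    key, field = ENTITY_FIELDS[dbot["Type"]]
    entity = context.get(key, {})
    # The entity entry should describe the same indicator that was scored.
    if entity.get(field) != dbot["Indicator"]:
        raise ValueError("DBotScore.Indicator does not match the entity value")
    malicious = entity.get("Malicious") or {}
    return {
        "indicator": dbot["Indicator"],
        "type": dbot["Type"],
        "vendor": dbot["Vendor"],
        "score": score,
        "verdict": VERDICTS[score],
        "reason": malicious.get("Description"),
    }


# The page's domain context example.
PAGE_EXAMPLE = json.loads("""{"DBotScore": {"Indicator": "example.org", "Score": 2,
  "Type": "domain", "Vendor": "iDefense"}, "Domain": {"Name": "example.org"}}""")

# Constructed sample: string score plus a Malicious block (values are made up).
CONSTRUCTED = {
    "DBotScore": {"Indicator": "192.0.2.10", "Score": "3", "Type": "ip", "Vendor": "iDefense"},
    "IP": {"Address": "192.0.2.10",
           "Malicious": {"Vendor": "iDefense", "Description": "constructed reason"}},
}

if __name__ == "__main__":
    for ctx in (PAGE_EXAMPLE, CONSTRUCTED):
        print(summarize(ctx))
```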