illuminate

Overview


Illuminate is an indicator, countermeasure and sensor management tool that enables analysts to collect and analyze evidence of malicious activity. Illuminate's web-based interface provides a single location to collect and analyze that evidence, manage indicators, and then author, test, task and track rules to detect malicious cyber activity. By maintaining traceability between evidence, indicators, rules and sensors, analysts can identify why a rule was created, the type of activity it detects and what sensors are tasked.

This integration utilizes AnalystPlatform's illuminate system to enrich Demisto indicators with data provided by the illuminate REST API, such as actor and malware information, activity and reported dates, evidence and hit counts, and more.

This integration was integrated and tested with version 1.8.7 of illuminate.

illuminate Playbook


illuminate Basic Indicator Enrichment: This is a simple playbook that can be applied on top of an incident created from an indicator. It determines the indicator type and then enriches it with the associated illuminate integration command.

Use Cases


  • When you wish to have more information on a given indicator
  • When you use both Demisto and illuminate and wish to have easy linking between the two

Configure illuminate on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for illuminate.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • illuminate API Credentials (username/password)
    • Domain of illuminate server to use
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. domain
  2. email
  3. ip
  4. file
  5. illuminate-enrich-string
  6. illuminate-enrich-ipv6
  7. illuminate-enrich-mutex
  8. illuminate-enrich-http-request
  9. url

1. domain


Queries the illuminate REST API and enriches the given domain with illuminate indicator data.

Base Command

domain

Input

Argument Name | Description | Required
domain | The domain for which to return information. | Required

Context Output

Path | Type | Description
Domain.Name | string | The domain name, for example, "google.com".
Illuminate.Domain.ID | number | The indicator's unique ID in illuminate.
Illuminate.Domain.EvidenceCount | number | The number of evidence reports of the given indicator in illuminate.
Illuminate.Domain.Active | boolean | Whether the given indicator is noted as active in illuminate.
Illuminate.Domain.ConfidenceLevel | string | The confidence level of the data in illuminate.
Illuminate.Domain.FirstHit | date | The first date this indicator was seen in a source scanned by illuminate.
Illuminate.Domain.LastHit | date | The most recent date this indicator was seen in a source scanned by illuminate.
Illuminate.Domain.HitCount | number | The total number of times this indicator was seen in a source scanned by illuminate.
Illuminate.Domain.ReportedDates | date | The dates this indicator was reported on in illuminate.
Illuminate.Domain.ActivityDates | date | The dates this indicator had reported activity in illuminate.
Illuminate.Domain.Malwares.ID | number | Each matched malware unique identifier in illuminate.
Illuminate.Domain.Malwares.Name | string | Each matched malware name in illuminate.
Illuminate.Domain.Actors.ID | number | Each matched actor unique identifier in illuminate.
Illuminate.Domain.Actors.Name | string | Each matched actor name in illuminate.
Illuminate.Domain.IlluminateLink | string | The URL of the matched indicator in illuminate.
Illuminate.Domain.IpResolution | string | The resolved IP address for this domain.
DBotScore.Indicator | String | The indicator that was tested.
DBotScore.Score | Number | The actual score.
DBotScore.Type | String | The type of indicator.
DBotScore.Vendor | String | The AlienVault OTX vendor.

Command Example

!domain domain=abc.com

Context Example
{
    "Illuminate.Domain": {
        "LastHit": null,
        "ReportedDates": [
            "2018-06-12"
        ],
        "Indicator": "abc.com",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [],
        "EvidenceCount": 1,
        "Actors": {},
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "IlluminateLink": "https://partner.analystplatform.com/indicators/2043650",
        "ID": 2043650
    },
    "Domain": {
        "Malicious": {
            "Vendor": "illuminate",
            "Description": "illuminate has determined that this indicator is malicious via internal analysis."
        },
        "Name": "abc.com"
    },
    "DBotScore": {
        "Vendor": "illuminate",
        "Indicator": "abc.com",
        "Score": 3,
        "Type": "domain"
    }
}
Human Readable Output

illuminate Domain Information

Active | EvidenceCount | ID | IlluminateLink | Indicator | ReportedDates
true | 1 | 2043650 | https://partner.analystplatform.com/indicators/2043650 | abc.com | 2018-06-12

2. email


Queries the illuminate REST API and enriches the given email with illuminate indicator data.

Base Command

email

Input

Argument Name | Description | Required
email | The email for which to return information. | Required

Context Output

Path | Type | Description
Email.From | string | The sender of the email.
Illuminate.Email.ID | number | The unique identifier of the given Indicator in illuminate.
Illuminate.Email.EvidenceCount | number | The number of evidence reports of the given indicator in illuminate.
Illuminate.Email.Active | boolean | Whether the given indicator is noted as active in illuminate.
Illuminate.Email.ConfidenceLevel | string | The confidence level of the data in illuminate.
Illuminate.Email.FirstHit | date | The first date this indicator was seen in a source scanned by illuminate.
Illuminate.Email.LastHit | date | The most recent date this indicator was seen in a source scanned by illuminate.
Illuminate.Email.HitCount | number | The total number of times this indicator was seen in a source scanned by illuminate.
Illuminate.Email.ReportedDates | date | The dates this indicator was reported on in illuminate.
Illuminate.Email.ActivityDates | date | The dates this indicator had reported activity in illuminate.
Illuminate.Email.Malwares.ID | number | Each matched malware unique identifier in illuminate.
Illuminate.Email.Malwares.Name | string | Each matched malware name in illuminate.
Illuminate.Email.Actors.ID | number | Each matched actor unique identifier in illuminate.
Illuminate.Email.Actors.Name | string | Each matched actor name in illuminate.
Illuminate.Email.IlluminateLink | string | The URL of the matched indicator in illuminate.
DBotScore.Indicator | String | The indicator that was tested.
DBotScore.Score | Number | The actual score.
DBotScore.Type | String | The indicator type.
DBotScore.Vendor | String | The AlienVault OTX vendor.

Command Example

!email email=001toxic@gmail.com

Context Example
{
    "DBotScore": {
        "Vendor": "illuminate",
        "Indicator": "001toxic@gmail.com",
        "Score": 3,
        "Type": "email"
    },
    "Illuminate.Email": {
        "LastHit": null,
        "ReportedDates": [
            "2018-02-05"
        ],
        "Indicator": "001toxic@gmail.com",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [],
        "EvidenceCount": 1,
        "Actors": [
            {
                "id": -2,
                "name": "Unknown"
            }
        ],
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "IlluminateLink": "https://partner.analystplatform.com/indicators/1637756",
        "ID": 1637756
    },
    "Email": {
        "Malicious": {
            "Vendor": "illuminate",
            "Description": "illuminate has determined that this indicator is malicious via internal analysis."
        },
        "From": "001toxic@gmail.com"
    }
}
Human Readable Output

illuminate Email Information

Active | Actors | EvidenceCount | ID | IlluminateLink | Indicator | ReportedDates
true | id = -2, name = Unknown | 1 | 1637756 | https://partner.analystplatform.com/indicators/1637756 | 001toxic@gmail.com | 2018-02-05

3. ip


Queries the illuminate REST API and enriches the given IP address with illuminate indicator data.

Base Command

ip

Input

Argument Name | Description | Required
ip | The IP address for which to return information. | Required

Context Output

Path | Type | Description
IP.Address | string | The IP address.
Illuminate.Ip.ID | number | The indicator's unique ID in illuminate.
Illuminate.Ip.EvidenceCount | number | The number of evidence reports of the given indicator in illuminate.
Illuminate.Ip.Active | boolean | Whether the given indicator is noted as active in illuminate.
Illuminate.Ip.ConfidenceLevel | string | The confidence level of the data in illuminate.
Illuminate.Ip.FirstHit | date | The first date this indicator was seen in a source scanned by illuminate.
Illuminate.Ip.LastHit | date | The most recent date this indicator was seen in a source scanned by illuminate.
Illuminate.Ip.HitCount | number | The total number of times this indicator was seen in a source scanned by illuminate.
Illuminate.Ip.ReportedDates | date | The dates this indicator was reported on in illuminate.
Illuminate.Ip.ActivityDates | date | The dates this indicator had reported activity in illuminate.
Illuminate.Ip.Malwares.ID | number | Each matched malware unique identifier in illuminate.
Illuminate.Ip.Malwares.Name | string | Each matched malware name in illuminate.
Illuminate.Ip.Actors.ID | number | Each matched actor unique identifier in illuminate.
Illuminate.Ip.Actors.Name | string | Each matched actor name in illuminate.
Illuminate.Ip.IlluminateLink | string | The URL of the matched indicator in illuminate.
DBotScore.Indicator | String | The indicator that was tested.
DBotScore.Score | Number | The actual score.
DBotScore.Type | String | The type of indicator.
DBotScore.Vendor | String | The AlienVault OTX vendor.

Command Example

!ip ip=0.154.17.105

Context Example
{
    "IP": {
        "Malicious": {
            "Vendor": "illuminate",
            "Description": "illuminate has determined that this indicator is malicious via internal analysis."
        },
        "Address": "0.154.17.105"
    },
    "Illuminate.Ip": {
        "LastHit": null,
        "ReportedDates": [
            "2014-01-04"
        ],
        "Indicator": "0.154.17.105",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [],
        "EvidenceCount": 1,
        "Actors": {},
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "IlluminateLink": "https://partner.analystplatform.com/indicators/51469",
        "ID": 51469
    },
    "DBotScore": {
        "Vendor": "illuminate",
        "Indicator": "0.154.17.105",
        "Score": 3,
        "Type": "ip"
    }
}
Human Readable Output

illuminate Ip Information

Active | EvidenceCount | ID | IlluminateLink | Indicator | ReportedDates
true | 1 | 51469 | https://partner.analystplatform.com/indicators/51469 | 0.154.17.105 | 2014-01-04

4. file


Queries the illuminate REST API and enriches the given file with illuminate indicator data.

Base Command

file

Input

Argument Name | Description | Required
file | The file for which to return information. | Required

Context Output

Path | Type | Description
File.MD5 | String | The MD5 hash of the file.
File.SHA1 | String | The SHA1 hash of the file.
File.SHA256 | String | The SHA256 hash of the file.
Illuminate.File.ID | number | The indicator's unique ID in illuminate.
Illuminate.File.EvidenceCount | number | The number of evidence reports of the given indicator in illuminate.
Illuminate.File.Active | boolean | Whether the given indicator is noted as active in illuminate.
Illuminate.File.ConfidenceLevel | string | The confidence level of the data in illuminate.
Illuminate.File.FirstHit | date | The first date this indicator was seen in a source scanned by illuminate.
Illuminate.File.LastHit | date | The most recent date this indicator was seen in a source scanned by illuminate.
Illuminate.File.HitCount | number | The total number of times this indicator was seen in a source scanned by illuminate.
Illuminate.File.ReportedDates | date | The dates this indicator was reported on in illuminate.
Illuminate.File.ActivityDates | date | The dates this indicator had reported activity in illuminate.
Illuminate.File.Malwares.ID | number | Each matched malware unique identifier in illuminate.
Illuminate.File.Malwares.Name | string | Each matched malware name in illuminate.
Illuminate.File.Actors.ID | number | Each matched actor unique identifier in illuminate.
Illuminate.File.Actors.Name | string | Each matched actor name in illuminate.
Illuminate.File.IlluminateLink | string | The URL of the matched indicator in illuminate.
DBotScore.Indicator | String | The indicator that was tested.
DBotScore.Score | Number | The actual score.
DBotScore.Type | String | The type of indicator.
DBotScore.Vendor | String | The AlienVault OTX vendor.

Command Example

!file file=00000000000000000000000000000000

Context Example
{
    "Illuminate.File": {
        "LastHit": null,
        "ReportedDates": [
            "2019-06-25",
            "2020-01-09"
        ],
        "Indicator": "00000000000000000000000000000000",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [
            "2018-08-02",
            "2019-09-01"
        ],
        "EvidenceCount": 2,
        "Actors": [
            {
                "id": -4,
                "name": "Multiple Actors Extracted"
            },
            {
                "id": 150,
                "name": "FIN8"
            }
        ],
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "IlluminateLink": "https://partner.analystplatform.com/indicators/1527155",
        "ID": 1527155
    },
    "DBotScore": {
        "Vendor": "illuminate",
        "Indicator": "00000000000000000000000000000000",
        "Score": 3,
        "Type": "file"
    },
    "File": {
        "Malicious": {
            "Vendor": "illuminate",
            "Description": "illuminate has determined that this indicator is malicious via internal analysis."
        },
        "MD5": "00000000000000000000000000000000"
    }
}
Human Readable Output

illuminate File Information

Active | ActivityDates | Actors | EvidenceCount | ID | IlluminateLink | Indicator | ReportedDates
true | 2018-08-02, 2019-09-01 | id = -4, name = Multiple Actors Extracted, id = 150, name = FIN8 | 2 | 1527155 | https://partner.analystplatform.com/indicators/1527155 | 00000000000000000000000000000000 | 2019-06-25, 2020-01-09

5. illuminate-enrich-string


Queries the illuminate REST API and enriches the given string with illuminate indicator data.

Base Command

illuminate-enrich-string

Input

Argument Name | Description | Required
string | The string for which to return information. | Required

Context Output

Path | Type | Description
Illuminate.String.ID | number | The unique identifier of the given Indicator in illuminate.
Illuminate.String.EvidenceCount | number | The number of evidence reports of the given indicator in illuminate.
Illuminate.String.Active | boolean | Whether the given indicator is noted as active in illuminate.
Illuminate.String.ConfidenceLevel | string | The confidence level of the data in illuminate.
Illuminate.String.FirstHit | date | The first date this indicator was seen in a source scanned by illuminate.
Illuminate.String.LastHit | date | The most recent date this indicator was seen in a source scanned by illuminate.
Illuminate.String.HitCount | number | The total number of times this indicator was seen in a source scanned by illuminate.
Illuminate.String.ReportedDates | date | The dates this indicator was reported on in illuminate.
Illuminate.String.ActivityDates | date | The dates this indicator had reported activity in illuminate.
Illuminate.String.Malwares.ID | number | Each matched malware unique identifier in illuminate.
Illuminate.String.Malwares.Name | string | Each matched malware name in illuminate.
Illuminate.String.Actors.ID | number | Each matched actor unique identifier in illuminate.
Illuminate.String.Actors.Name | string | Each matched actor name in illuminate.
Illuminate.String.IlluminateLink | string | The URL of the matched indicator in illuminate.

Command Example

!illuminate-enrich-string string=??

Context Example
{
    "Illuminate.String": {
        "LastHit": null,
        "ReportedDates": [
            "2014-12-12",
            "2014-12-14",
            "2014-12-19",
            "2014-12-20"
        ],
        "Indicator": "??",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [
            "2014-12-11",
            "2014-12-14",
            "2014-12-19",
            "2014-12-20"
        ],
        "EvidenceCount": 15,
        "Actors": [
            {
                "id": -2,
                "name": "Unknown"
            }
        ],
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "IlluminateLink": "https://partner.analystplatform.com/indicators/90548",
        "ID": 90548
    }
}
Human Readable Output

illuminate String Information

Active | ActivityDates | Actors | EvidenceCount | ID | IlluminateLink | Indicator | ReportedDates
true | 2014-12-11, 2014-12-14, 2014-12-19, 2014-12-20 | id = -2, name = Unknown | 15 | 90548 | https://partner.analystplatform.com/indicators/90548 | ?? | 2014-12-12, 2014-12-14, 2014-12-19, 2014-12-20

6. illuminate-enrich-ipv6


Queries the illuminate REST API and enriches the given IP address with illuminate indicator data.

Base Command

illuminate-enrich-ipv6

Input

Argument Name | Description | Required
ip | The IP address for which to return information. | Required

Context Output

Path | Type | Description
Illuminate.Ipv6.ID | number | The unique identifier of the given Indicator in illuminate.
Illuminate.Ipv6.EvidenceCount | number | The number of evidence reports of the given indicator in illuminate.
Illuminate.Ipv6.Active | boolean | Whether the given indicator is noted as active in illuminate.
Illuminate.Ipv6.ConfidenceLevel | string | The confidence level of the data in illuminate.
Illuminate.Ipv6.FirstHit | date | The first date this indicator was seen in a source scanned by illuminate.
Illuminate.Ipv6.LastHit | date | The most recent date this indicator was seen in a source scanned by illuminate.
Illuminate.Ipv6.HitCount | number | The total number of times this indicator was seen in a source scanned by illuminate.
Illuminate.Ipv6.ReportedDates | date | The dates this indicator was reported on in illuminate.
Illuminate.Ipv6.ActivityDates | date | The dates this indicator had reported activity in illuminate.
Illuminate.Ipv6.Malwares.ID | number | Each matched malware unique identifier in illuminate.
Illuminate.Ipv6.Malwares.Name | string | Each matched malware name in illuminate.
Illuminate.Ipv6.Actors.ID | number | Each matched actor unique identifier in illuminate.
Illuminate.Ipv6.Actors.Name | string | Each matched actor name in illuminate.
Illuminate.Ipv6.IlluminateLink | string | The URL of the matched indicator in illuminate.

Command Example

!illuminate-enrich-ipv6 ip=16::

Context Example
{
    "Illuminate.Ipv6": {
        "LastHit": null,
        "ReportedDates": [
            "2015-05-13"
        ],
        "Indicator": "16::",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [
            "2018-09-08"
        ],
        "EvidenceCount": 1,
        "Actors": {},
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "IlluminateLink": "https://partner.analystplatform.com/indicators/2623838",
        "ID": 2623838
    }
}
Human Readable Output

illuminate Ipv6 Information

Active | ActivityDates | EvidenceCount | ID | IlluminateLink | Indicator | ReportedDates
true | 2018-09-08 | 1 | 2623838 | https://partner.analystplatform.com/indicators/2623838 | 16:: | 2015-05-13

7. illuminate-enrich-mutex


Queries the illuminate REST API and enriches the given mutex with illuminate indicator data.

Base Command

illuminate-enrich-mutex

Input

Argument Name | Description | Required
mutex | The mutex to query information for. | Required

Context Output

Path | Type | Description
Illuminate.Mutex.ID | number | The unique identifier of the given Indicator in illuminate.
Illuminate.Mutex.EvidenceCount | number | The number of evidence reports of the given indicator in illuminate.
Illuminate.Mutex.Active | boolean | Whether the given indicator is noted as active in illuminate.
Illuminate.Mutex.ConfidenceLevel | string | The confidence level of the data in illuminate.
Illuminate.Mutex.FirstHit | date | The first date this indicator was seen in a source scanned by illuminate.
Illuminate.Mutex.LastHit | date | The most recent date this indicator was seen in a source scanned by illuminate.
Illuminate.Mutex.HitCount | number | The total number of times this indicator was seen in a source scanned by illuminate.
Illuminate.Mutex.ReportedDates | date | The dates this indicator was reported on in illuminate.
Illuminate.Mutex.ActivityDates | date | The dates this indicator had reported activity in illuminate.
Illuminate.Mutex.Malwares.ID | number | Each matched malware unique identifier in illuminate.
Illuminate.Mutex.Malwares.Name | string | Each matched malware name in illuminate.
Illuminate.Mutex.Actors.ID | number | Each matched actor unique identifier in illuminate.
Illuminate.Mutex.Actors.Name | string | Each matched actor name in illuminate.
Illuminate.Mutex.IlluminateLink | string | The URL of the matched indicator in illuminate.

Command Example

!illuminate-enrich-mutex mutex=??

Context Example
{
    "Illuminate.Mutex": {
        "LastHit": null,
        "ReportedDates": [
            "2015-01-07",
            "2015-01-14",
            "2015-02-23",
            "2017-08-05",
            "2017-08-06"
        ],
        "Indicator": "??",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [
            "2015-01-06",
            "2015-01-07",
            "2015-01-14",
            "2015-02-23",
            "2017-08-05",
            "2017-08-06"
        ],
        "EvidenceCount": 6,
        "Actors": [
            {
                "id": -2,
                "name": "Unknown"
            }
        ],
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "IlluminateLink": "https://partner.analystplatform.com/indicators/95267",
        "ID": 95267
    }
}
Human Readable Output

illuminate Mutex Information

Active | ActivityDates | Actors | EvidenceCount | ID | IlluminateLink | Indicator | ReportedDates
true | 2015-01-06, 2015-01-07, 2015-01-14, 2015-02-23, 2017-08-05, 2017-08-06 | id = -2, name = Unknown | 6 | 95267 | https://partner.analystplatform.com/indicators/95267 | ?? | 2015-01-07, 2015-01-14, 2015-02-23, 2017-08-05, 2017-08-06

8. illuminate-enrich-http-request


Queries the illuminate REST API and enriches the given HTTP request with illuminate indicator data.

Base Command

illuminate-enrich-http-request

Input

Argument Name | Description | Required
http-request | The HTTP request for which to return information. | Required

Context Output

Path | Type | Description
Illuminate.Httprequest.ID | number | The unique identifier of the given Indicator in illuminate.
Illuminate.Httprequest.EvidenceCount | number | The number of evidence reports of the given indicator in illuminate.
Illuminate.Httprequest.Active | boolean | Whether the given indicator is noted as active in illuminate.
Illuminate.Httprequest.ConfidenceLevel | string | The confidence level of the data in illuminate.
Illuminate.Httprequest.FirstHit | date | The first date this indicator was seen in a source scanned by illuminate.
Illuminate.Httprequest.LastHit | date | The most recent date this indicator was seen in a source scanned by illuminate.
Illuminate.Httprequest.HitCount | number | The total number of times this indicator was seen in a source scanned by illuminate.
Illuminate.Httprequest.ReportedDates | date | The dates this indicator was reported on in illuminate.
Illuminate.Httprequest.ActivityDates | date | The dates this indicator had reported activity in illuminate.
Illuminate.Httprequest.Malwares.ID | number | Each matched malware unique identifier in illuminate.
Illuminate.Httprequest.Malwares.Name | string | Each matched malware name in illuminate.
Illuminate.Httprequest.Actors.ID | number | Each matched actor unique identifier in illuminate.
Illuminate.Httprequest.Actors.Name | string | Each matched actor name in illuminate.
Illuminate.Httprequest.IlluminateLink | string | The URL of the matched indicator in illuminate.

Command Example

!illuminate-enrich-http-request http-request=/~

Context Example
{
    "Illuminate.Httprequest": {
        "LastHit": null,
        "ReportedDates": [
            "2020-01-06"
        ],
        "Indicator": "/~",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [],
        "EvidenceCount": 1,
        "Actors": {},
        "ConfidenceLevel": "high",
        "Active": true,
        "HitCount": null,
        "IlluminateLink": "https://partner.analystplatform.com/indicators/2885382",
        "ID": 2885382
    }
}
Human Readable Output

illuminate Httprequest Information

Active | ConfidenceLevel | EvidenceCount | ID | IlluminateLink | Indicator | ReportedDates
true | high | 1 | 2885382 | https://partner.analystplatform.com/indicators/2885382 | /~ | 2020-01-06

9. url


Queries the illuminate REST API and enriches the given URL with illuminate indicator data.

Base Command

url

Input

Argument Name | Description | Required
url | The URL for which to return information. | Required

Context Output

Path | Type | Description
URL.Data | String | The URL.
Illuminate.Url.ID | number | The unique identifier of the given Indicator in illuminate.
Illuminate.Url.EvidenceCount | number | The number of evidence reports of the given indicator in illuminate.
Illuminate.Url.Active | boolean | Whether the given indicator is noted as active in illuminate.
Illuminate.Url.ConfidenceLevel | string | The confidence level of the data in illuminate.
Illuminate.Url.FirstHit | date | The first date this indicator was seen in a source scanned by illuminate.
Illuminate.Url.LastHit | date | The most recent date this indicator was seen in a source scanned by illuminate.
Illuminate.Url.HitCount | number | The total number of times this indicator was seen in a source scanned by illuminate.
Illuminate.Url.ReportedDates | date | The dates this indicator was reported on in illuminate.
Illuminate.Url.ActivityDates | date | The dates this indicator had reported activity in illuminate.
Illuminate.Url.Malwares.ID | number | Each matched malware unique identifier in illuminate.
Illuminate.Url.Malwares.Name | string | Each matched malware name in illuminate.
Illuminate.Url.Actors.ID | number | Each matched actor unique identifier in illuminate.
Illuminate.Url.Actors.Name | string | Each matched actor name in illuminate.
Illuminate.Url.IlluminateLink | string | The URL of the matched indicator in illuminate.
DBotScore.Indicator | String | The indicator that was tested.
DBotScore.Score | Number | The actual score.
DBotScore.Type | String | The type of indicator.
DBotScore.Vendor | String | The AlienVault OTX vendor.

Command Example

!url url=104.218.120.128/check.aspx

Context Example
{
    "URL": {
        "Malicious": {
            "Vendor": "illuminate",
            "Description": "illuminate has determined that this indicator is malicious via internal analysis."
        },
        "Data": "104.218.120.128/check.aspx"
    },
    "Illuminate.Url": {
        "LastHit": null,
        "ReportedDates": [
            "2019-07-04"
        ],
        "Indicator": "104.218.120.128/check.aspx",
        "Malwares": {},
        "FirstHit": null,
        "ActivityDates": [
            "2018-12-08"
        ],
        "EvidenceCount": 1,
        "Actors": [
            {
                "id": 178,
                "name": "APT33"
            }
        ],
        "ConfidenceLevel": null,
        "Active": true,
        "HitCount": null,
        "IlluminateLink": "https://partner.analystplatform.com/indicators/2699554",
        "ID": 2699554
    },
    "DBotScore": {
        "Vendor": "illuminate",
        "Indicator": "104.218.120.128/check.aspx",
        "Score": 3,
        "Type": "url"
    }
}
Human Readable Output

illuminate Url Information

Active | ActivityDates | Actors | EvidenceCount | ID | IlluminateLink | Indicator | ReportedDates
true | 2018-12-08 | id = 178, name = APT33 | 1 | 2699554 | https://partner.analystplatform.com/indicators/2699554 | 104.218.120.128/check.aspx | 2019-07-04
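
Consuming the context output

In the context examples above, Actors and Malwares arrive as an empty object ({}) when nothing matched and as a list of objects otherwise, and the illuminate-enrich-* commands return no DBotScore entry. The following Python sketch is an added example, not part of the integration's own code: it normalizes those shapes before a playbook or script filters on them. The function names are hypothetical, and treating negative actor ids as placeholders is an assumption drawn from the examples.

```python
from datetime import date

# Demisto DBotScore scale; every scored example on this page carries Score 3.
DBOT_VERDICT = {0: "unknown", 1: "good", 2: "suspicious", 3: "bad"}

# Constructed inputs, trimmed from the url, email and ipv6 context examples above.
URL_CONTEXT = {
    "Illuminate.Url": {
        "Indicator": "104.218.120.128/check.aspx",
        "ReportedDates": ["2019-07-04"],
        "ActivityDates": ["2018-12-08"],
        "Malwares": {},
        "Actors": [{"id": 178, "name": "APT33"}],
        "IlluminateLink": "https://partner.analystplatform.com/indicators/2699554",
    },
    "DBotScore": {"Vendor": "illuminate", "Score": 3, "Type": "url"},
}
EMAIL_CONTEXT = {
    "Illuminate.Email": {
        "Indicator": "001toxic@gmail.com",
        "ReportedDates": ["2018-02-05"],
        "ActivityDates": [],
        "Malwares": {},
        "Actors": [{"id": -2, "name": "Unknown"}],
        "IlluminateLink": "https://partner.analystplatform.com/indicators/1637756",
    },
    "DBotScore": {"Vendor": "illuminate", "Score": 3, "Type": "email"},
}
IPV6_CONTEXT = {
    "Illuminate.Ipv6": {
        "Indicator": "16::",
        "ReportedDates": ["2015-05-13"],
        "ActivityDates": ["2018-09-08"],
        "Malwares": {},
        "Actors": {},
        "IlluminateLink": "https://partner.analystplatform.com/indicators/2623838",
    },
}


def as_list(value):
    """Normalize a field that may arrive as {}, None, a single object or a list."""
    if not value:
        return []
    return value if isinstance(value, list) else [value]


def named(entries):
    """Names of matched actors or malwares, skipping placeholder entries.

    Assumption: negative ids (-2 "Unknown", -4 "Multiple Actors Extracted")
    are placeholders rather than attributions; the page does not say so.
    """
    return [e["name"] for e in as_list(entries) if e.get("id", 0) >= 0]


def summarize(context):
    """Flatten one command's context into a record that is safe to filter on."""
    key = next(k for k in context if k.startswith("Illuminate."))
    data = context[key]
    # illuminate-enrich-* commands return no DBotScore entry.
    score = context.get("DBotScore", {}).get("Score")
    seen = [date.fromisoformat(d) for field in ("ReportedDates", "ActivityDates")
            for d in as_list(data.get(field))]
    return {
        "indicator": data["Indicator"],
        "type": key.split(".", 1)[1],
        "verdict": DBOT_VERDICT.get(score, "unscored"),
        "actors": named(data.get("Actors")),
        "malwares": named(data.get("Malwares")),
        "last_seen": max(seen).isoformat() if seen else None,
        "link": data.get("IlluminateLink"),
    }
```

summarize(URL_CONTEXT) attributes the indicator to APT33, while the email record ends up with an empty actor list because its only entry is the "Unknown" placeholder.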