InfoArmor VigilanteATI

Overview


VigilanteATI redefines Advanced Threat Intelligence. InfoArmor's VigilanteATI platform and cyber threat services act as an extension of your IT security team.

Configure InfoArmor VigilanteATI on Demisto


  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for InfoArmor VigilanteATI.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL
    • API Key
    • API Secret
    • Trust any certificate (not secure)
    • Use system proxy
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Query infected host data: vigilante-query-infected-host-data
  2. Get vulnerable host data: vigilante-get-vulnerable-host-data
  3. Query the eCrime intelligence database: vigilante-query-ecrime-db
  4. Get a list of leaks: vigilante-search-leaks
  5. Get a list of account credentials for a leak: vigilante-get-leak
  6. Search for an account in the leaked credentials database: vigilante-query-accounts
  7. Search for a domain in the leaked credentials database: vigilante-query-domains
  8. Add account details to a watchlist: vigilante-watchlist-add-accounts
  9. Remove account details from a watchlist: vigilante-watchlist-remove-accounts
  10. Get a list of identifiers on a watchlist: vigilante-get-watchlist
  11. Get usage data for your account: vigilante-account-usage-info

1. Query infected host data


Query all infected host data. This is the API call you want to use to lookup infected host data using an IP address or a network range.

Base Command

vigilante-query-infected-host-data

Input
Argument Name Description Required
days_ago Specifies how many days ago (in history) we should go back to fetch data for. By default, this parameter is set to 1 which means it returns all infected host data added to the database within the last 1 day. To return data for all infected hosts you can set this value to be equal to 0, or set it a high value such as 3650 days (or 10 years). Optional
limit Specifies the maximum number of entries to return from this request. By default this parameter is set to 20 which means it returns up to the first 20 infected hosts. The valid range for value of limit is from 1 (minimum) to 50,000 (maximum). Optional
token The token required to retrieve the next page of results; if necessary. When the result set is larger than the value of limit the API will return a token along with the response so the client can request the next page of results appropriately with the next API request. Optional
q_address Query parameter specifying the alphanumeric version of the IPv4 address that will be used to query the database. Optional
cc_ipaddress Query parameter specifying the IP address of the infected host was seen communicating with. Optional
Context Output
Path Type Description
VigilanteATI.InfectedHosts.ip string Alphanumeric version of the IPv4 address belonging to this infected host.
VigilanteATI.InfectedHosts.port number Port number used by the infected host.
VigilanteATI.InfectedHosts.domain string Domain name associated with the infected host. (e.g sample.com)
VigilanteATI.InfectedHosts.country string Country code representing the country the host is located in. (e.g US)
VigilanteATI.InfectedHosts.malware string Name of the malware family we believe has infected the host. (e.g c_zeroaccess)
VigilanteATI.InfectedHosts.c_and_c string IP address of the C&C the infected host was seen communicating with.
VigilanteATI.InfectedHosts.timestamp date Timestamp of when we last saw this infected host and imported it into our database. (e.g 2015-10-10 12:01:01)
VigilanteATI.GetInfectedHostsToken string Token required to paginate the next set of results in. This is only provided if host number of items in the response exceeds our max pagination size. Otherwise it is set to an empty string. If empty, it means there is no next page
VigilanteATI.InfectedHosts unknown Container for infected host objects. This is basically a list of dictionaries (hosts).
Command Example
!vigilante-query-infected-host-data days_ago="10" limit="4"
Context Example
{
  "VigilanteATI": {
    "InfectedHost": [
      {
        "c&c": "184.105.192.2",
        "country": "Asia",
        "domain": "sancharnet.in",
        "ip": "117.194.21.62",
        "malware": "s_gamarue",
        "timestamp": "2018-12-01T12:57:22"
      },
      {
        "c&c": "184.105.192.2",
        "country": "Asia",
        "domain": "airtel.in",
        "ip": "122.175.240.173",
        "malware": "s_gamarue",
        "timestamp": "2018-12-01T12:57:22"
      },
      {
        "c&c": "184.105.192.2",
        "country": "Asia",
        "domain": "vnnic.net.vn",
        "ip": "113.186.213.226",
        "malware": "s_gamarue",
        "timestamp": "2018-12-01T12:57:22"
      },
      {
        "c&c": "184.105.192.2",
        "country": "Asia",
        "domain": "parsonline.net",
        "ip": "37.27.67.92",
        "malware": "s_gamarue",
        "timestamp": "2018-12-01T12:57:22"
      }
    ]
  }
}
Human Readable Output

image

2. Get vulnerable host data


Returns all vulnerable host data from VI feed for the given query. This is the API call you want to use to download the entire feed of vulnerable hosts that matches the query.

Base Command

vigilante-get-vulnerable-host-data

Input
Argument Name Description Required
limit Specifies the maximum number of entries to return from this request. By default this parameter is set to 20 which means it returns up to the first 20 cards. The valid range for value of limit is from 1 (minimum) to 1,000 (maximum). (optional) Optional
re_token The re_token required to retrieve the next page of results; if necessary. When the result set is larger than the value of limit the API will return a re_token along with the response so the client can request the next page of results appropriately with the next API request. (optional) Optional
q_address The q_address is IP address of the vulnerable one wishes to search. If not provided, by default this parameter is set to '*', and thus, will not have any constrains on q_address. (optional) Optional
q_mask The q_mask is mask one wishes to apply to the IP while searching. If not provided, by default this parameter is set to '32', and thus, will not have any constrains on q_address. (optional) Optional
q_type The q_type is type of the vulnerable one wishes to search. If not provided, by default this parameter is set to '*', and thus, will not have any constrains on q_type. (optional) Optional
Context Output
Path Type Description
VigilanteATI.Hosts unknown Container for vulnerable host objects. This is basically a list of dictionaries (hosts).
VigilanteATI.Hosts.ip unknown Alphanumeric version of the IPv4 address belonging to this vulnerable host.
VigilanteATI.Hosts.hostname unknown Hostname of the host. Obtained by doing a lookup using the given IPv4 address. (e.g "sample.hostname.com")
VigilanteATI.Hosts.type unknown Vulnerability type/name. (e.g heartbleed)
VigilanteATI.Hosts.port unknown Port numbers that this might affect. (e.g 443)
VigilanteATI.Hosts.protocols unknown Protocols that this might affect. (e.g "ssh")
VigilanteATI.Hosts.url unknown URL field. Only applicable with certain vulnerability types such as web shell.
VigilanteATI.Hosts.geoip unknown JSon of all the data we have about the IP and its location.
VigilanteATI.Hosts.geoip.timezone unknown Timezone (e.g Asia/Tokyo)
VigilanteATI.Hosts.geoip.ip string IPv4 addresss
VigilanteATI.Hosts.geoip.continent_code string Contient Code (e.g AS)
VigilanteATI.Hosts.geoip.city_name string City Name (e.g Tokyo)
VigilanteATI.Hosts.geoip.country_code2 string Country Code (e.g JP)
VigilanteATI.Hosts.geoip.country_name string Country Name (e.g Japan)
VigilanteATI.Hosts.geoip.country_code3 string Country Code (e.g JP)
VigilanteATI.Hosts.geoip.region_name unknown Region Name(e.g Tokyo)
VigilanteATI.Hosts.geoip.latitude number Latitude (e.g 35.6502)
VigilanteATI.Hosts.geoip.longitude number Longitude (e.g 139.6939)
VigilanteATI.Hosts.geoip.postal_code string Postal Code (e.g 153-0042)
VigilanteATI.Hosts.geoip.region_code string Region Code (e.g 13)
VigilanteATI.Hosts.timestamp date Timestamp of when we found this vulnerable host and imported it into our database. (e.g 2015-10-10 12:01:01)
VigilanteATI.GetVulnerableHostsToken unknown The re_token parameter value required to retrieve the next page of results. The token is valid for 5 minutes. The value is null if count is equal to either 0 or total.
Command Example
!vigilante-get-vulnerable-host-data limit="5" q_address="9.9.9.9"
Context Example
{
  "VigilanteATI": {
    "Hosts": [
      {
        "geoip": {
          "postal_code": "27709",
          "ip": "9.9.9.9",
          "latitude": 35.994,
          "longitude": -78.8986,
          "dma_code": 560,
          "country_name": "United States",
          "location": {
            "lat": 35.994,
            "lon": -78.8986
          },
          "region_name": "North Carolina",
          "region_code": "NC",
          "continent_code": "NA",
          "timezone": "America/New_York",
          "country_code2": "US",
          "country_code3": "US",
          "city_name": "Durham"
        },
        "hostname": [
          "dns.quad9.net"
        ],
        "ip": "9.9.9.9",
        "port": 53,
        "protocols": "udp",
        "timestamp": "2018-03-27 08:33:42",
        "type": "accessible port 53",
        "url": [
          "quad9.net"
        ]
      }
    ]
  }
}
Human Readable Output

image

3. Query the eCrime intelligence database


Queries the eCrime intelligence database. This is the API call you want to use to do a full text search on eCrime intelligence data, such as hacker chatter.

Base Command

vigilante-query-ecrime-db

Input
Argument Name Description Required
query Specifies the search query; may be a lucene query. Required
q_forum Specifies a specific forum to search. Optional
q_start_date Specifies the search start date; only posts on or after q_start_date are retrieved. e.g 2017-10-01) Optional
q_end_date Specifies the search end date; only posts on or before q_end_date are retrieved. (e.g 2017-10-03) Optional
limit Specifies the maximum number of posts to return. By default limit is set to 10, which means the result set is limited to the first 10 posts. limit must be between 1 and 100, inclusive. Optional
re_token The re_token required to retrieve the next page of results when the result set is larger than limit. If this parameter is specified, all other parameters are ignored. Optional
Context Output
Path Type Description
VigilanteATI.ECrimeQueryToken string The re_token parameter value required to retrieve the next page of results. The token is valid for 5 minutes. The value is null if count is equal to either 0 or total.
VigilanteATI.ECrimePosts.title string base64 encoded, matching search terms highlighted via tags
VigilanteATI.ECrimePosts.date date Post date (format YYYY-MM-DD)
VigilanteATI.ECrimePosts.forum string Forum (e.g rstforums.com)
VigilanteATI.ECrimePosts.author string Author
VigilanteATI.ECrimePosts.post string base64 encoded, matching search terms highlighted via tags
Command Example
!vigilante-query-ecrime-db query="netflix" q_start_date="2018-05-20" limit="5"
Context Example
{
  "VigilanteATI": {
    "ECrimePosts": [
      {
        "author": "fb_official2",
        "date": "2018-12-10",
        "forum": "bcbm4y7yusdxthg3.onion",
        "post": "<mark>NETFLIX</mark> TODAY\n\nACCOUNT:  example@gmail.com\nPASS: THEdonbone",
        "thread_url": "http://bcbm4y7yusdxthg3.onion/showthread.php?t=28120",
        "title": "FREE <mark>NETFLIX</mark> ACCOUNT DAILY.."
      },
      {
        "author": "fb_official2",
        "date": "2018-12-10",
        "forum": "bcbm4y7yusdxthg3.onion",
        "post": "https://ibb.co/miywTp\nhttps://ibb.co/g6xZEU",
        "thread_url": "http://bcbm4y7yusdxthg3.onion/showthread.php?t=28120",
        "title": "FREE <mark>NETFLIX</mark> ACCOUNT DAILY.."
      },
      {
        "author": "fb_official2",
        "date": "2018-12-09",
        "forum": "sky-fraud",
        "post": "https://www.lifewire.com/thmb/3AYgoV...f77283d151.jpg\n\n\n\n\n<mark>NETFLIX</mark> TODAY\n\nACCOUNT:  example.gmail.com\nPASS: THEdonbone",
        "thread_url": "https://sky-fraud.ru/showthread.php?t=28120",
        "title": "FREE <mark>NETFLIX</mark> ACCOUNT DAILY.."
      },
      {
        "author": "piscedor",
        "date": "2018-12-09",
        "forum": "https://bitshacking.com",
        "post": "grosspam@msn.com:dylan1\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Pam\r\nLastname: Gross\r\nCountry: US\n\n\example.gmail.com:matthew\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Jim\r\nLastname: Dutton\r\nCountry: US\n\n\example.gmail.com:axleaxle\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Berni\r\nLastname: Hartford\r\nCountry: CA\n\n\example@gmail.com:jtrocks\r\nCaptured Keys:\r\n<------------>\r\nFirstname: James\r\nLastname: Roselle\r\nCountry: US\n\n\example.gmail.com:helpme\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Jessica\r\nLastname: Cacciola\r\nCountry: US\n\n\njbur1111@yahoo.com:wilson\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Colleen\r\nLastname: Burke\r\nCountry: US\n\n\example.gmail.com:callie\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Donald\r\nLastname: Graves\r\nCountry: US\n\n\nglennzenner@yahoo.com:colorado\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Glenn\r\nLastname: Zenner\r\nCountry: US\n\n\example@gmail.com:anthony13\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Anthony D.\r\nLastname: ORTIZ\r\nCountry: US\n\n\example.gmail.com:goodguys1\r\nCaptured Keys:\r\n<------------>\r\nFirstname: Garrick\r\nLastname: Lew\r\nCountry: US",
        "thread_url": "http://www.bitshacking.com/forum/accounts-database-section/146703-10-x-netflix-premium-accounts.html",
        "title": "10 x <mark>Netflix</mark> premium accounts"
      },
      {
        "author": "piscedor",
        "date": "2018-12-09",
        "forum": "https://bitshacking.com",
        "post": "example.gmail.com|alphadog666\example.gmail.com|slamdunk1991\example@gmail.com|dennick6892",
        "thread_url": "http://www.bitshacking.com/forum/accounts-database-section/146705-3x-netflix-account.html",
        "title": "3x <mark>netflix</mark> account"
      }
    ]
  }
}
Human Readable Output

image

4. Get a list of leaks


Retrieves the list of leaks from database.

Base Command

vigilante-search-leaks

Input
Argument Name Description Required
leak_id If set this parameter determines which leak the user wants to return metadata for. This is used primarily when you want to get information on just a single leak instead of a set of leaks. Optional
days_ago Specifies how many days ago (in history) we should go back to fetch leak data for. By default this parameter is set to 7 which means it returns all leaks added to the database within the last 7 days. To return data for all leaks you can set this value to be equal to 0. Optional
keyword Allows you to specify a string keyword to search for. The keyword specified is used to search metadata associated with a leak and return any matching results. You can search by domain names, hacker groups, affected companies, etc. Optional
limit Specifies the maximum number of leaks to return from this request. By default this parameter is set to 20 which means it returns up to the first 20 leaks. The valid range for value of limit is from 1 (minimum) to 1,000 (maximum). (optional) Optional
token The token required to retrieve the next page of results; if necessary. When the result set is larger than the value of limit the API will return a token along with the response so the client can request the next page of results appropriately with the next API request. (optional) Optional
Context Output
Path Type Description
VigilanteATI.Leaks.leak_id string Unique identifier for the leak. We internally use MD5 sums to identify leaks, so this will be a MD5 sum
VigilanteATI.Leaks.title unknown Title of the leak.
VigilanteATI.Leaks.description unknown A short leak description
VigilanteATI.Leaks.leak_type unknown Type of the leak. Currently we feature the following leak designations: "Database dump", "Credentials dump" or "Credit card dump". As our service grows we will add new leak types into the system.
VigilanteATI.Leaks.source_refs string List of sources (URIs) where this leak was available at the time VigilanteATI team harvested it.
VigilanteATI.Leaks.import_date date The date the leak was first imported into the VigilanteATI database.
VigilanteATI.Leaks.attackers string A list of attackers (hackers) who claimed responsibility for the breach/leak.
VigilanteATI.Leaks.score number An integer, in a range of 0 to 100, of how confident we are this leak is legitimate.
VigilanteATI.Leaks.num_domains_affected number Number of domains affected by the leak.
VigilanteATI.Leaks.target_industries string A list of target industry verticals affected by the leak.
VigilanteATI.Leaks.attack_method string The method of attack on the target; if published. This is usually "SQLi", "phishing", "social engineering", etc.
VigilanteATI.Leaks.media_refs unknown A list of media articles covering the data leak.
VigilanteATI.Leaks.targets string List of entities targeted by this leak.
VigilanteATI.Leaks.num_entries number Total number of account credentials (email/password pairs) harvested from this leak.
VigilanteATI.Leaks.password_hash string Type of password hash; only present if leaked passwords have been hashed.
VigilanteATI.LeakInfoToken string Token required to paginate the next set of results in. This is only provided if the number of items in the response exceeds our max pagination size. Otherwise it is set to an empty string.
Command Example
!vigilante-search-leaks days_ago="100" keyword="apple" limit="5"
Context Example
{
    "VigilanteATI": {
        "Leaks": [
            {
                "leak_id": "aa66573902ed4f4bfb2ae08ebac390c3", 
                "password_type": null, 
                "description": "part of solenya collection of dumps www.shareapple.com.txt. Many smaller breaches from smaller websites. Original breach dates unknown, but most likely happened before Jan 2017. Often repacked in to larger combolists. ", 
                "source_refs": [], 
                "attack_method": "", 
                "title": "www.shareapple.com.txt solenya collection leak", 
                "import_date": "2018-03-17 00:00:00", 
                "breach_date": "", 
                "targets": [
                    "www.shareapple.com.txt"
                ], 
                "attackers": [], 
                "num_entries": 5669, 
                "score": 30, 
                "num_domains_affected": 5669, 
                "leak_type": "Database dump", 
                "target_industries": "", 
                "password_hash": "", 
                "leak_date": "2017-01-01 00:00:00", 
                "media_refs": []
            }, 
            {
                "leak_id": "5892cc3edb5ee8463a6ebbfd54b1b2ad", 
                "password_type": null, 
                "description": "part of solenya collection of dumps www.applebeebook.co.kr.txt. Many smaller breaches from smaller websites. Original breach dates unknown, but most likely happened before Jan 2017. Often repacked in to larger combolists. ", 
                "source_refs": [], 
                "attack_method": "", 
                "title": "www.applebeebook.co.kr.txt solenya collection leak", 
                "import_date": "2018-03-16 00:00:00", 
                "breach_date": "", 
                "targets": [
                    "www.applebeebook.co.kr.txt"
                ], 
                "attackers": [], 
                "num_entries": 64147, 
                "score": 30, 
                "num_domains_affected": 64147, 
                "leak_type": "Database dump", 
                "target_industries": "", 
                "password_hash": "", 
                "leak_date": "2017-01-01 00:00:00", 
                "media_refs": []
            }, 
            {
                "leak_id": "a6eb0ca9fb47777aa81ce58d71a30495", 
                "password_type": "plaintext", 
                "description": "An unknown hacker or hacker group posted what they're claiming is a listing of Apple ID accounts, with email addresses and passwords. The listing also denotes the location of the users.", 
                "source_refs": [
                    "http://pastebin.com/raw.php?i=E8n5cBRf"
                ], 
                "attack_method": "", 
                "title": "Alleged dump of Apple accounts", 
                "import_date": "2015-09-14 00:00:00", 
                "breach_date": "", 
                "targets": [], 
                "attackers": [], 
                "num_entries": 14, 
                "score": 60, 
                "num_domains_affected": 14, 
                "leak_type": "Credentials dump", 
                "target_industries": "", 
                "password_hash": "", 
                "leak_date": "2015-09-14 00:00:00", 
                "media_refs": []
            }, 
            {
                "leak_id": "ff2fe066c6f6289e70be0157d3b2e24e", 
                "password_type": "hashes", 
                "description": "A hacker group calling themselves Kim Jong-Cracks have supposedly breached the database of Insanelyi, a product of Cydia. Cydia is the jailbraker's App Store alternative for iOS apps on Apple devices. The hacker group posted a CSV file containing usernames, email addresses, MD5 password hashes, password salts and more. ", 
                "source_refs": [
                    "http://apt.ripbigboss.com/insanelyi.nfo"
                ], 
                "attack_method": "", 
                "title": "Cydia database dumped", 
                "import_date": "2014-07-30 00:00:00", 
                "breach_date": "", 
                "targets": [], 
                "attackers": [], 
                "num_entries": 104079, 
                "score": 90, 
                "num_domains_affected": 104079, 
                "leak_type": "Credentials dump", 
                "target_industries": "", 
                "password_hash": "MD5", 
                "leak_date": "2014-07-29 00:00:00", 
                "media_refs": [
                    "http://www.technobuffalo.com/2014/07/20/cydias-popular-bigboss-repo-allegedly-gets-hacked/"
                ]
            }, 
            {
                "leak_id": "128e4664c1712016e80678dad86c7a7b", 
                "password_type": "plaintext", 
                "description": "A hacker or hacker group named An0nGhost posted a data dump from store.apple.com. The leak contains what appears to be emails and passwords.", 
                "source_refs": [
                    "http://pastebin.com/raw.php?i=BBXjnNxj"
                ], 
                "attack_method": "", 
                "title": "store.apple.com accounts hacked", 
                "import_date": "2014-06-02 00:00:00", 
                "breach_date": "", 
                "targets": [
                    "store.apple.com"
                ], 
                "attackers": [
                    "An0nGhost"
                ], 
                "num_entries": 210, 
                "score": 60, 
                "num_domains_affected": 210, 
                "leak_type": "Credentials dump", 
                "target_industries": "", 
                "password_hash": "", 
                "leak_date": "2014-06-02 00:00:00", 
                "media_refs": []
            }
        ], 
        "LeakInfoToken": "Bwz/okTPVNIldyAYJQ6bFanwA/VYIAjy2BjSuSuceCv0Xi/pEVbsniqOYZP61tLbSxjkTAcgTpfDdaJqy8Eu3Q=="
    }
}
Human Readable Output

image

5. Get a list of account credentials for a leak


Retrieves the list of account credentials that belong to a particular leak.

Base Command

vigilante-get-leak

Input
Argument Name Description Required
leak_id An identifier (MD5 sum) that uniquely represents this leak in our database. Required
limit Specifies the maximum number of account credentials to return from this request. By default this parameter is set to 20 which means it returns up to the first 20 accounts harvested from this leak. The valid range for value of limit is from 1 (minimum) to 10,000 (maximum). (optional) Optional
domains A comma delimited list of domains to use a filter for returning the harvested credentials. This parameter is used to return only a subset of the leak that matches a particular email domain, rather than the whole leak. By default this parameter is set to empty string which means it returns all harvested credentials, regardless of the email domain they belong to. (optional) Optional
token The token required to retrieve the next page of results; if necessary. When the result set is larger than the value of limit the API will return a token along with the response so the client can request the next page of results appropriately with the next API request. (optional) Optional
Context Output
Path Type Description
VigilanteATI.Leaks.leak_id string Unique identifier for the leak from which the accounts come from. (MD5 sum)
VigilanteATI.Leaks.accounts unknown Container for account objects. This is just a list of dictionaries.
VigilanteATI.Leaks.accounts.domain string Email domain which the account belongs to.
VigilanteATI.Leaks.accounts.type_id number Type of account. At the moment we only support accounts of type 1, which are email addresses. As we expand our service we will add support for additional types such as usernames.
VigilanteATI.Leaks.accounts.email string A plaintext form of the email address from the account. The email address will always be lowercased.
VigilanteATI.Leaks.accounts.password string The encrypted password found in this leaked account credential. This field is the BASE64 encoded representation of the encrypted data. You will need to decrypt this password using a decryption key provided to you.
VigilanteATI.LeakAccountsToken string Token required to paginate the next set of results in. This is only provided if the number of items in the response exceeds our max pagination size. Otherwise it is set to an empty string.
Command Example
!vigilante-get-leak leak_id="aa66573902ed4f4bfb2ae08ebac390c3" limit="3" domains="hotmail.com,sina.com"
Context Example
{
    "VigilanteATI": {
        "LeakAccountsToken": "p2V99rXakNhn3mafVJ6WJ6MEEfcPGh+q+DY9sO1SlNo2AR3D4akFOWTY+8T53rX4FJWc4LjylGORXKKp9Zl52PYhViNR1P3+Z1Sn3pYKrvC5iDTXwXVe5eqcomd44qbx", 
        "Leaks": {
            "leak_id": "aa66573902ed4f4bfb2ae08ebac390c3", 
            "accounts": [
                {
                    "leak_id": "aa66573902ed4f4bfb2ae08ebac390c3", 
                    "domain": "hotmail.com", 
                    "password": "dummypassword", 
                    "email": "dummy1@hotmail.com", 
                    "type_id": 1
                }, 
                {
                    "leak_id": "aa66573902ed4f4bfb2ae08ebac390c3", 
                    "domain": "sina.com", 
                    "password": "dummypassword", 
                    "email": "dummy2@sina.com", 
                    "type_id": 1
                }, 
                {
                    "leak_id": "aa66573902ed4f4bfb2ae08ebac390c3", 
                    "domain": "hotmail.com", 
                    "password": "dummypassword", 
                    "email": "dummy3@hotmail.com", 
                    "type_id": 1
                }
            ]
        }
    }
}
Human Readable Output

image

6. Search for an account in the leaked credentials database


Performs a query to match the given account identifier against database of leaked credentials.

Base Command

vigilante-query-accounts

Input
Argument Name Description Required
emails The string (or comma delimited list of strings) that uniquely identifier the account we are trying to match on. In the current version of the API the only acceptable types of account identifiers are email address and SHA-512 hashes of email addresses. Please note that if you're populating this argument with a list of email addresses or SHA-512 hashes we do not allow mixing of the two types. The list must be either only email addresses, or only hashes. Any email address provided in account_identifier must adhere to RFC 2822. (required) Required
limit Upper bounds for how many results we will return. By default this is set to 20. (optional) Optional
days_ago Used to specify a time range on matching against the given account identifier. By default we will run the query against our entire database, without restricting results to a time range. (optional) Optional
Context Output
Path Type Description
VigilanteATI.Account.leak_id string Leak ID related to that account
VigilanteATI.Account.type_id number Type of account. At the moment we only support accounts of type 1, which are email addresses. As we expand our service we will add support for additional types such as usernames.
VigilanteATI.Account.source_type number Denotes type of data. Value of 1 indicates compromised credentials. Value of 2 means that these are Endangered Credentials, and the password field contains a JSON dictionary instead of a password.
VigilanteATI.Account.email string A plaintext form of the email address from the account. The email address will always be lowercased.
VigilanteATI.Account.password string The encrypted password found in this leaked account credential. This field is the BASE64 encoded representation of the encrypted data. You will need to decrypt this password using a decryption key provided to you.
VigilanteATI.AccountQueryToken string Token required to paginate the next set of results in. This is only provided if the number of items in the response exceeds our max pagination size. Otherwise it is set to an empty string.
Command Example
!vigilante-query-accounts emails="example@gmail.com,example.gmail.com" limit="3"
Context Example
{
  "VigilanteATI": {
    "Account": [
      {
        "email": "16@gmail.com",
        "leak_id": "792b3740220e53017d3d0c16b87b5750",
        "password": "6FQS8sui06wUvI1voAEupvgMip30C+WqGjqQpIh/oC4YJSD2yPv8xpNVgCULgkGPQs6SYcnSrcIT4+qFB0mu/Q==",
        "source_type": 1,
        "type_id": 1
      },
      {
        "email": "16@gmail.com",
        "leak_id": "a657545e1ee7e4f1c4d2cc8aed217f3b",
        "password": "lW/it+jISMOKXK1DIE8Q3w==",
        "source_type": 1,
        "type_id": 1
      },
      {
        "email": "16@gmail.com",
        "leak_id": "a657545e1ee7e4f1c4d2cc8aed217f3b",
        "password": "rVWiTDWzwulB2HZPYv+3Ng==",
        "source_type": 1,
        "type_id": 1
      }
    ]
  }
}
Human Readable Output

image

7. Search for a domain in the leaked credentials database


Performs a query to match the given domain name against our database of leaked credentials.

Base Command

vigilante-query-domains

Input
Argument Name Description Required
domain The string that uniquely identifies the domain we are trying to match on. Domain names provided as domain_identifier must adhere to RFC 1035. Required
days_ago If this parameter is supplied, the API will only search the previous n days for the domains. The maximum value allowed is 365 days if supplied. If this parameter is not included, the will not be restricted by time. Optional
limit Upper bounds for how many results we will return. By default this is set to 20. Optional
token The token required to retrieve the next page of results; if necessary. When the result set is larger than our max page size the API returns a token along with the response so the client can request the next page appropriately with the next API request. (optional) Optional
Context Output
Path Type Description
VigilanteATI.Domain.domain string The domain name you queried for.
VigilanteATI.Domain.accounts unknown Container for results. List of dictionaries, each representing a single pair of account credentials with associated metadata.
VigilanteATI.Domain.accounts.source_type number Denotes type of data. Value of 1 indicates compromised credentials. Value of 2 means that these are Endangered Credentials, and the password field contains a JSON dictionary instead of a password.
VigilanteATI.Domain.accounts.email string A plaintext form of the email address from the account. The email address will always be lowercased.
VigilanteATI.Domain.accounts.password string The encrypted password found in this leaked account credential. This field is the BASE64 encoded representation of the encrypted data. You will need to decrypt this password using a decryption key provided to you.
VigilanteATI.DomainQueryToken string Token required to paginate the next set of results in. This is only provided if the number of items in the response exceeds our max pagination size. Otherwise it is set to an empty string.
VigilanteATI.Domain.accounts.leak_id string Identifier of the leak where this account came from. You can use this ID to correlate account data to the leak.
Command Example
!vigilante-query-domains domain="yahoo.com" limit="3"
Context Example
{
  "VigilanteATI": {
    "Domain": [
      {
        "accounts": [
          {
            "email": "foo4@yahoo.com",
            "leak_id": "e1c5019aaf21ca585cb9f630d95e2301",
            "password": "//dummypass==",
            "source_type": 1,
            "type_id": 1
          },
          {
            "email": "foo6@yahoo.com",
            "leak_id": "e1c5019aaf21ca585cb9f630d95e2301",
            "password": "dummypass/stw==",
            "source_type": 1,
            "type_id": 1
          },
          {
            "email": "foo7@yahoo.com",
            "leak_id": "e1c5019aaf21ca585cb9f630d95e2301",
            "password": "dummypass==",
            "source_type": 1,
            "type_id": 1
          }
        ],
        "domain": "yahoo.com"
      }
    ]
  }
}
Human Readable Output

image

8. Add account identifiers to a watchlist


Adds account identifiers to your watchlist.

Base Command

vigilante-watchlist-add-accounts

Input
Argument Name Description Required
account_identifiers Command separated string containing account identifiers to add to your watchlist. All identifiers must be of the same type as specified by the type parameter. Identifiers cannot be longer than 255 characters. Multiple occurrences of an identifier in the array are treated as a single identifier. The maximum number of account identifiers allowed per request is 100. Email addresses must adhere to RFC 2822. Required
type The type of each account identifier, either "email" or "domain" Required
tag A textual note to associate with each account identifier. Tags cannot be longer than 255 characters. (optional) Optional
Context Output

There is no context output for this command.

Command Example
!vigilante-watchlist-add-accounts account_identifiers="demisto.com" type="domain"
Context Example

N/A

Human Readable Output

image

9. Remove account identifiers from a watchlist


Removes account identifiers from your watchlist.

Base Command

vigilante-watchlist-remove-accounts

Input
Argument Name Description Required
account_identifiers Comma-separated string containing account identifiers to remove from your watchlist. Multiple occurrences of an identifier in the array are treated as a single identifier. The maximum number of account identifiers allowed per request is 100. (required) Required
Context Output

There is no context output for this command.

Command Example
!vigilante-watchlist-remove-accounts account_identifiers="demisto.com"
Context Example

N/A

Human Readable Output

image

10. Get a list of account identifiers on a watchlist


Retrieve account identifiers on your watchlist.

Base Command

vigilante-get-watchlist

Input
Argument Name Description Required
limit Specifies the maximum number of identifiers to return. By default limit is set to 20, which means the result set is limited to the most recently added 20 identifiers. limit must be between 1 and 5000, inclusive. (optional) Optional
token The token required to retrieve the next page of results. If this parameter is specified, the limit parameter is ignored. (optional) Optional
Context Output
Path Type Description
VigilanteATI.Watchlist unknown Watchlist of accounts
VigilanteATI.Watchlist.identifier unknown account identifier (e.g " john@domain.com ")
VigilanteATI.Watchlist.type unknown identifer type ("email" or "domain")
VigilanteATI.Watchlist.date_added unknown date identifier added to watchlist (YYYY-MM-DD)
VigilanteATI.Watchlist.date_notified unknown latest matching intelligence date (YYYY-MM-DD)
VigilanteATI.Watchlist.tag unknown identifier tag
VigilanteATI.WatchlistQueryToken string The token parameter value required to retrieve the next page of results. The value is null if there are no more pages of results to retrieve.

11. Get usage data for your account


Returns the usage data for your account.

Base Command

vigilante-account-usage-info

Input

There is no input for this command.

Context Output

There is no context output for this command.

Command Example
!vigilante-get-watchlist limit="1"
Context Example
{
  "VigilanteATI": {
    "Watchlist": [
      {
        "date added": "2018-06-19",
        "date notified": "",
        "identifier": "example.gmail.com",
        "tag": "",
        "type": "email"
      }
    ]
  }
}
Human Readable Output

image