Infocyte

Infocyte pivots off incidents to automate triage, validates events with forensic data, and enables dynamic response actions against any or all hosts using either agentless or agent-based endpoint access. This integration was integrated and tested with version 3008.0.1.2800 of Infocyte.

Configure Infocyte on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Infocyte.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| InstanceName | Instance name. You can find it in your Infocyte URL: https://*InstanceName*.infocyte.com | True |
| APIKey | API key | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| max_fetch | Maximum number of incidents per fetch | False |
| first_fetch | Initial fetch time in days | False |
| insecure | Trust any certificate (not secure). Leave this off in production: with it enabled, the API key is presented to whatever answers at the instance hostname. | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URL, API key, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

infocyte-scan-host


Kicks off a Scan (forensic collection) against an endpoint

Base Command

infocyte-scan-host

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Hostname or IP address of the target endpoint | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Infocyte.Task.userTaskId | string | Task ID to pass to infocyte-get-taskstatus. This ID is returned by every asynchronous command/task. |
| Infocyte.Task.type | string | Task type (SCAN or RESPONSE) |
| Infocyte.Task.target | string | Hostname or IP of the target provided. Note that the sample output below carries this value under the key host rather than target. |

Command Example

!infocyte-scan-host target="pegasusactual"

Context Example

```json
{
  "Infocyte": {
    "Task": {
      "host": "pegasusactual",
      "type": "SCAN",
      "userTaskId": "28854b93-8f26-43fa-afd9-69450755916a"
    }
  }
}
```

Human Readable Output

| type | userTaskId | host |
| --- | --- | --- |
| SCAN | 28854b93-8f26-43fa-afd9-69450755916a | pegasusactual |

infocyte-isolate-host


Isolates a host so that it can communicate only with Infocyte and other security tools. The command returns immediately with a RESPONSE task; confirm that the isolation actually took effect with infocyte-get-taskstatus and infocyte-get-responseresult before relying on it.

Base Command

infocyte-isolate-host

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Hostname or IP address of the target endpoint | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Infocyte.Task.userTaskId | string | Task ID to pass to infocyte-get-taskstatus. This ID is returned by every asynchronous command/task. |
| Infocyte.Task.type | string | Task type (SCAN or RESPONSE) |
| Infocyte.Task.target | string | Hostname or IP of the target provided |
| Infocyte.Task.extensionName | string | Name of the extension that was run |

Command Example

!infocyte-isolate-host target="pegasusactual"

Context Example

```json
{
  "Infocyte": {
    "Task": {
      "extensionName": "Host Isolation",
      "target": "pegasusactual",
      "type": "RESPONSE",
      "userTaskId": "e4eac99b-ef71-46ec-8b51-bea5cd5caa35"
    }
  }
}
```

Human Readable Output

| type | userTaskId | extensionName | target |
| --- | --- | --- | --- |
| RESPONSE | e4eac99b-ef71-46ec-8b51-bea5cd5caa35 | Host Isolation | pegasusactual |

infocyte-restore-host


Restores an isolated host to normal network connectivity. Like isolation, this returns a RESPONSE task whose completion should be confirmed with infocyte-get-taskstatus.

Base Command

infocyte-restore-host

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Hostname or IP address of the target endpoint | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Infocyte.Task.userTaskId | string | Task ID to pass to infocyte-get-taskstatus. This ID is returned by every asynchronous command/task. |
| Infocyte.Task.type | string | Task type (SCAN or RESPONSE) |
| Infocyte.Task.target | string | Hostname or IP of the target provided |
| Infocyte.Task.extensionName | string | Name of the extension that was run |

Command Example

!infocyte-restore-host target="pegasusactual"

Context Example

```json
{
  "Infocyte": {
    "Task": {
      "extensionName": "Host Isolation Restore",
      "target": "pegasusactual",
      "type": "RESPONSE",
      "userTaskId": "e95eae57-2fee-4f79-9c2c-723ed035723d"
    }
  }
}
```

Human Readable Output

| type | userTaskId | extensionName | target |
| --- | --- | --- | --- |
| RESPONSE | e95eae57-2fee-4f79-9c2c-723ed035723d | Host Isolation Restore | pegasusactual |

infocyte-kill-process


Kills a process on the target endpoint. The process is selected by one or more search terms (name, SHA1, PID, or image path), which the Terminate Process extension matches against running processes; the infocyte-get-responseresult example further down shows the terms being echoed back and which process was actually killed.

Base Command

infocyte-kill-process

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Hostname or IP address of the target endpoint | Required |
| processName | Name of the process to search for and kill on the target endpoint | Optional |
| sha1 | SHA1 of the process image to search for and kill | Optional |
| processId | PID of the process to search for and kill on the target endpoint | Optional |
| processPath | Path of the process to search for and kill on the target endpoint | Optional |

Supply at least one of processName, sha1, processId, or processPath; a name or path selector can match a process other than the one you had in mind, so verify the outcome with infocyte-get-responseresult.

Context Output

The command reference lists no context output for this command, but the example run below returned an Infocyte.Task object with the same fields as the other response actions (userTaskId, type, target, extensionName). Poll it with infocyte-get-taskstatus like any other response task.

Command Example

!infocyte-kill-process target="pegasusactual"

Context Example

```json
{
  "Infocyte": {
    "Task": {
      "extensionName": "Terminate Process",
      "target": "pegasusactual",
      "type": "RESPONSE",
      "userTaskId": "3f0e5549-c7e3-42fb-8fa3-5adbeba733c5"
    }
  }
}
```

Human Readable Output

| type | userTaskId | extensionName | target |
| --- | --- | --- | --- |
| RESPONSE | 3f0e5549-c7e3-42fb-8fa3-5adbeba733c5 | Terminate Process | pegasusactual |

infocyte-run-response


Runs the named Infocyte extension on the target host. Extensions are Infocyte script modules that run against a host or set of hosts to either collect additional data or perform a response action such as killing a process or changing a configuration. Some Infocyte-defined response actions are also exposed natively through prebuilt XSOAR commands such as infocyte-kill-process. Because extensions execute code on the targeted hosts, treat the ability to load or edit them as a privileged operation.

You can find the available open-sourced extensions here: https://github.com/Infocyte/extensions

Extensions can be loaded into your instance here: https://<_instancename_>.infocyte.com/admin/extensions/list

Base Command

infocyte-run-response

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Hostname or IP address of the target endpoint | Required |
| extensionName | Name of an extension loaded in Infocyte to run on the target host | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Infocyte.Task.userTaskId | string | Task ID to pass to infocyte-get-taskstatus. This ID is returned by every asynchronous command/task. |
| Infocyte.Task.type | string | Task type (SCAN or RESPONSE) |
| Infocyte.Task.target | string | Hostname or IP of the target provided |
| Infocyte.Task.extensionName | string | Name of the extension that was run |

Command Example

!infocyte-run-response target="pegasusactual" extensionName="Yara Scanner"

Context Example

```json
{
  "Infocyte": {
    "Task": {
      "extensionName": "Yara Scanner",
      "target": "pegasusactual",
      "type": "RESPONSE",
      "userTaskId": "d5213898-7538-4ee6-bbd8-4979420ae234"
    }
  }
}
```

Human Readable Output

| type | userTaskId | extensionName | target |
| --- | --- | --- | --- |
| RESPONSE | d5213898-7538-4ee6-bbd8-4979420ae234 | Yara Scanner | pegasusactual |

infocyte-get-taskstatus


Gets status of an Infocyte task (scan, response action, etc.)

Base Command

infocyte-get-taskstatus

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| userTaskId | Task ID returned by any asynchronous command/task (infocyte-scan-host, infocyte-isolate-host, infocyte-run-response, and so on) | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Infocyte.Task.userTaskId | string | Task ID to pass to infocyte-get-taskstatus. This ID is returned by every asynchronous command/task. |
| Infocyte.Scan.scanId | string | Infocyte ID used to look up the data associated with a specific scan, collection, or action. scanIds are returned by infocyte-get-taskstatus and are present in all job-based data schemas. Note that the sample output below places scanId inside the Task object. |
| Infocyte.Task.type | string | Task type (SCAN or RESPONSE) |
| Infocyte.Task.progress | number | Percent completed |
| Infocyte.Task.message | string | Message regarding the current status |
| Infocyte.Task.status | string | Current status of the task (created, active, completed, cancelled, failed). The sample output shows the value capitalized ("Completed"), so compare it case-insensitively in playbook conditions. |
| Infocyte.Task.timeElapsed | number | Seconds since the task was created |

Command Example

!infocyte-get-taskstatus userTaskId="873ea61b-1705-49e6-87a5-57db12369ea1"

Context Example

```json
{
  "Infocyte": {
    "Task": {
      "message": "Complete",
      "progress": 100,
      "scanId": "27673898-f615-484c-9731-6526192aff21",
      "status": "Completed",
      "timeElapsed": 396,
      "type": "RESPONSE",
      "userTaskId": "873ea61b-1705-49e6-87a5-57db12369ea1"
    }
  }
}
```

Human Readable Output

| timeElapsed | userTaskId | type | status | scanId | message | progress |
| --- | --- | --- | --- | --- | --- | --- |
| 396 | 873ea61b-1705-49e6-87a5-57db12369ea1 | RESPONSE | Completed | 27673898-f615-484c-9731-6526192aff21 | Complete | 100 |

infocyte-get-scanresult


Retrieves metadata and results for a scan across all hosts it covered. Use infocyte-get-hostscanresult for the per-host view.

Base Command

infocyte-get-scanresult

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| scanId | Infocyte ID used to look up the data associated with a specific scan, collection, or action. scanIds are returned by infocyte-get-taskstatus and are present in all job-based data schemas. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Infocyte.Scan.scanId | string | Infocyte ID used to look up the data associated with a specific scan, collection, or action. scanIds are returned by infocyte-get-taskstatus and are present in all job-based data schemas. |
| Infocyte.Scan.completedOn | date | Time the scan completed on the target. The sample output below returns this as completeOn, and also returns a hostCount field not listed here. |
| Infocyte.Scan.alertCount | number | Number of alerts associated with the scan of the host |
| Infocyte.Scan.compromisedObjects | number | Bad files, artifacts, and events found |
| Infocyte.Scan.objectCount | number | Total files, artifacts, and events collected |
| Infocyte.Scan.Host.hostname | string | Hostname |
| Infocyte.Scan.Host.ip | string | IP address of the host |
| Infocyte.Scan.Host.osVersion | string | Operating system of the host |
| Infocyte.Scan.Alert.id | string | Infocyte alertId |
| Infocyte.Scan.Alert.name | string | Name of the alerted file or alert |
| Infocyte.Scan.Alert.type | string | Type of object or artifact (process, module, artifact, autostart, script, etc.) |
| Infocyte.Scan.Alert.threatName | string | Threat category assigned by extension logic (Good, Low risk, Unknown, Suspicious, Bad) |
| Infocyte.Scan.Alert.threatScore | number | 0-10 confidence score. Higher = more confident. |
| Infocyte.Scan.Alert.avPositive | number | Number of engines and threat intel sources flagging the object as bad |
| Infocyte.Scan.Alert.avTotal | number | Number of engines and threat intel sources that analyzed the object |
| Infocyte.Scan.Alert.synapseScore | number | Infocyte proprietary machine learning score on maliciousness. Negative (especially below -1) indicates backdoor or remote access tool features (generally bad); positive is good. |
| Infocyte.Scan.Alert.size | number | Size of the object/file in bytes |
| Infocyte.Scan.Alert.flagname | string | Name of the user-assigned flag in Infocyte on this artifact |
| Infocyte.Scan.Alert.flagWeight | number | 0-10 user-assigned score assigned to the flag. Higher = more critical. |
| Infocyte.Scan.Alert.hostname | string | Hostname of the target host |
| Infocyte.Scan.Alert.sha1 | string | SHA1 (fileRepId) of the file |

Command Example

!infocyte-get-scanresult scanId="27673898-f615-484c-9731-6526192aff21"

Context Example

```json
{
  "Infocyte": {
    "Scan": {
      "Alert": {},
      "Host": {
        "hostname": "pegasusactual",
        "ip": "192.168.x.x",
        "osVersion": "Windows 10 Pro 2004 Professional 64-bit"
      },
      "alertCount": 0,
      "completeOn": "2020-06-04T12:50:57.532Z",
      "compromisedObjects": 0,
      "hostCount": 1,
      "objectCount": 223,
      "scanId": "27673898-f615-484c-9731-6526192aff21"
    }
  }
}
```

Human Readable Output

| compromisedObjects | alertCount | scanId | objectCount | completeOn | hostCount |
| --- | --- | --- | --- | --- | --- |
| 0 | 0 | 27673898-f615-484c-9731-6526192aff21 | 223 | 6/4/20 12:50:57 PM | 1 |

Hosts

| hostname | ip | osVersion |
| --- | --- | --- |
| pegasusactual | 192.168.x.x | Windows 10 Pro 2004 Professional 64-bit |
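The three commands above form one asynchronous workflow: infocyte-scan-host returns a userTaskId, infocyte-get-taskstatus is polled until status is completed and yields a scanId, and infocyte-get-scanresult fetches the results by that scanId. The Python below is an added example, not code from the Infocyte pack or from Infocyte. It drives that loop through an injected `execute(command, args)` callable (an assumption; in an XSOAR automation you would build it on demisto.executeCommand and read the Infocyte.Task or Infocyte.Scan object out of the returned entry's EntryContext), enforces a deadline so a stuck task cannot hang a playbook, treats cancelled and failed as errors rather than silently fetching results, and replays this page's sample outputs through a constructed fake so it runs offline.

```python
# Added example, not code from Infocyte or the XSOAR Infocyte pack.
# Drives infocyte-scan-host -> infocyte-get-taskstatus -> infocyte-get-scanresult.
# `execute(command, args)` is an assumed callable that returns the command's
# Infocyte context object; in an XSOAR automation you would build it on
# demisto.executeCommand and pull that object out of the entry's EntryContext.
import time
from typing import Any, Callable, Dict, List

Executor = Callable[[str, Dict[str, Any]], Dict[str, Any]]

# Documented terminal failure states. Compared case-insensitively: the reference
# lists lowercase values while the sample output shows "Completed".
TERMINAL_FAILURE = {"cancelled", "failed"}


class TaskFailed(RuntimeError):
    pass


class TaskTimeout(RuntimeError):
    pass


def wait_for_task(execute: Executor, user_task_id: str, timeout_s: float = 900,
                  interval_s: float = 15, clock=time.monotonic, sleep=time.sleep) -> Dict[str, Any]:
    """Poll infocyte-get-taskstatus until the task completes, fails, or the deadline passes."""
    deadline = clock() + timeout_s
    while True:
        task = execute("infocyte-get-taskstatus", {"userTaskId": user_task_id})
        status = str(task.get("status") or "").lower()
        if status == "completed":
            if not task.get("scanId"):
                raise TaskFailed(f"task {user_task_id} completed without a scanId")
            return task
        if status in TERMINAL_FAILURE:
            raise TaskFailed(f"task {user_task_id} {status}: {task.get('message')}")
        if clock() >= deadline:
            raise TaskTimeout(f"task {user_task_id} still {status or 'unknown'} at "
                              f"{task.get('progress')}% after {timeout_s}s")
        sleep(interval_s)


def scan_host(execute: Executor, target: str, **wait_kwargs) -> Dict[str, Any]:
    """Kick off a scan of `target`, wait for it, and summarise the scan result."""
    task = execute("infocyte-scan-host", {"target": target})
    if task.get("type") != "SCAN":
        raise TaskFailed(f"unexpected task type {task.get('type')!r} for {target}")
    done = wait_for_task(execute, task["userTaskId"], **wait_kwargs)
    scan = execute("infocyte-get-scanresult", {"scanId": done["scanId"]})
    alerts = scan.get("Alert") or []
    if isinstance(alerts, dict):  # the sample output shows {} when there are no alerts
        alerts = [alerts] if alerts else []
    return {
        "target": target,
        "scanId": scan["scanId"],
        "objectCount": scan.get("objectCount", 0),
        "alertCount": scan.get("alertCount", 0),
        "compromised": scan.get("compromisedObjects", 0) > 0 or bool(alerts),
        "alerts": alerts,
        "elapsed_s": done.get("timeElapsed"),
    }


class FakeInfocyte:
    """Constructed stand-in for the integration that replays this page's sample outputs.
    The task reads as active until the polls_until_done-th status call."""

    def __init__(self, polls_until_done: int = 2, final_status: str = "Completed"):
        self.polls_until_done = polls_until_done
        self.final_status = final_status
        self.calls: List[str] = []
        self._polls = 0

    def __call__(self, command: str, args: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append(command)
        if command == "infocyte-scan-host":
            return {"target": args["target"], "type": "SCAN",
                    "userTaskId": "28854b93-8f26-43fa-afd9-69450755916a"}
        if command == "infocyte-get-taskstatus":
            self._polls += 1
            if self._polls < self.polls_until_done:
                return {"userTaskId": args["userTaskId"], "type": "SCAN", "status": "active",
                        "progress": 40 * self._polls, "message": "Scanning",
                        "timeElapsed": 120 * self._polls}
            return {"userTaskId": args["userTaskId"], "type": "SCAN",
                    "status": self.final_status, "progress": 100, "message": "Complete",
                    "timeElapsed": 396, "scanId": "27673898-f615-484c-9731-6526192aff21"}
        if command == "infocyte-get-scanresult":
            return {"scanId": args["scanId"], "alertCount": 0, "compromisedObjects": 0,
                    "objectCount": 223, "hostCount": 1, "Alert": {},
                    "Host": {"hostname": "pegasusactual", "ip": "192.168.x.x",
                             "osVersion": "Windows 10 Pro 2004 Professional 64-bit"}}
        raise ValueError(f"unknown command {command}")


class FakeClock:
    """Constructed clock so the example runs offline without real sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    fake, clk = FakeInfocyte(polls_until_done=3), FakeClock()
    print(scan_host(fake, "pegasusactual", clock=clk, sleep=clk.sleep))
```

In a playbook the same loop is usually expressed with XSOAR's polling support rather than a blocking sleep; the checks that matter carry over unchanged: stop on cancelled or failed, never fetch results for a task that has not reported completed, and bound the wait.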

infocyte-get-hostscanresult


Retrieve results for a scan on a target host

Base Command

infocyte-get-hostscanresult

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| scanId | Infocyte ID used to look up the data associated with a specific scan, collection, or action. scanIds are returned by infocyte-get-taskstatus and are present in all job-based data schemas. | Required |
| target | Hostname or IP address of the target endpoint | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Infocyte.Scan.scanId | string | Infocyte ID used to look up the data associated with a specific scan, collection, or action. scanIds are returned by infocyte-get-taskstatus and are present in all job-based data schemas. |
| Infocyte.Scan.hostId | string | Infocyte ID assigned to the target host |
| Infocyte.Scan.os | string | Operating system of the target host (null in the sample output below) |
| Infocyte.Scan.compromised | boolean | Flagged if a malicious item was found on the system |
| Infocyte.Scan.alertCount | number | Number of alerts associated with the scan of the host |
| Infocyte.Scan.hostname | string | Hostname of the target host |
| Infocyte.Scan.ip | string | IP of the target host |
| Infocyte.Scan.compromisedObjects | number | Bad files, artifacts, and events found |
| Infocyte.Scan.objectCount | number | Total number of files, artifacts, and events inspected or retrieved |
| Infocyte.Scan.Alert.id | string | Infocyte alertId |
| Infocyte.Scan.Alert.name | string | Name of the alerted file or alert |
| Infocyte.Scan.Alert.type | string | Type of object or artifact (process, module, artifact, autostart, script, etc.) |
| Infocyte.Scan.Alert.threatName | string | Threat category assigned by extension logic (Good, Low risk, Unknown, Suspicious, Bad) |
| Infocyte.Scan.Alert.threatScore | number | 0-10 confidence score. Higher = more confident. |
| Infocyte.Scan.Alert.avPositive | number | Number of engines and threat intel sources flagging the object as bad |
| Infocyte.Scan.Alert.avTotal | number | Number of engines and threat intel sources that analyzed the object |
| Infocyte.Scan.Alert.synapseScore | number | Infocyte proprietary machine learning score on maliciousness. Negative (especially below -1) indicates backdoor or remote access tool features (generally bad); positive is good. |
| Infocyte.Scan.Alert.size | number | Size of the object/file in bytes |
| Infocyte.Scan.Alert.flagname | string | Name of the user-assigned flag in Infocyte on this artifact |
| Infocyte.Scan.Alert.flagWeight | number | 0-10 user-assigned score assigned to the flag. Higher = more critical. |
| Infocyte.Scan.Alert.sha1 | string | SHA1 (fileRepId) of the file |

The sample output below also returns completedOn and success, which are not listed in the reference above.

Command Example

!infocyte-get-hostscanresult scanId="27673898-f615-484c-9731-6526192aff21" target="pegasusactual"

Context Example

```json
{
  "Infocyte": {
    "Scan": {
      "Alert": {},
      "alertCount": 0,
      "completedOn": "2020-06-04T12:50:24.674Z",
      "compromised": false,
      "hostId": "558feacbbae80c63d54ec1252ac34bdc285b20a7",
      "hostname": "pegasusactual",
      "ip": "192.168.x.x",
      "os": null,
      "scanId": "27673898-f615-484c-9731-6526192aff21",
      "success": true
    }
  }
}
```

Human Readable Output

| success | hostId | ip | alertCount | scanId | compromised | completedOn | hostname |
| --- | --- | --- | --- | --- | --- | --- | --- |
| True | 558feacbbae80c63d54ec1252ac34bdc285b20a7 | 192.168.x.x | 0 | 27673898-f615-484c-9731-6526192aff21 | False | 6/4/20 12:50:24 PM | pegasusactual |

infocyte-get-responseresult


Gets the results of a response action.

Base Command

infocyte-get-responseresult

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| scanId | Infocyte ID used to look up the data associated with a specific scan, collection, or action. scanIds are returned by infocyte-get-taskstatus and are present in all job-based data schemas. | Required |
| target | Hostname or IP address of the target endpoint | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Infocyte.Response.scanId | string | Infocyte ID used to look up the data associated with a specific scan, collection, or action. scanIds are returned by infocyte-get-taskstatus and are present in all job-based data schemas. |
| Infocyte.Response.hostId | string | Infocyte ID assigned to the target host |
| Infocyte.Response.os | string | Operating system of the target host |
| Infocyte.Response.success | boolean | True if the extension ran to completion. This does not mean it achieved what you asked for (for example, that the intended process was killed); read messages to confirm the outcome. |
| Infocyte.Response.threatStatus | string | Threat category assigned by extension logic (Good, Low risk, Unknown, Suspicious, Bad) |
| Infocyte.Response.compromised | boolean | Flagged if a malicious item was found on the system |
| Infocyte.Response.completedOn | date | Datetime the action completed |
| Infocyte.Response.messages | string | Log of the response action as it ran on the target endpoint (a list of strings in the sample output below) |
| Infocyte.Response.hostname | string | Hostname of the target host |
| Infocyte.Response.ip | string | IP of the target host |
| Infocyte.Response.extensionId | string | ID of the Infocyte extension that was run |
| Infocyte.Response.extensionName | string | Name of the Infocyte extension that was run |

Command Example

!infocyte-get-responseresult scanId="27673898-f615-484c-9731-6526192aff21"

Context Example

```json
{
  "Infocyte.Response": {
    "completedOn": "2020-06-04T12:50:24.674Z",
    "compromised": false,
    "extensionId": "2ffd753a-ba60-4414-8991-52aa54615e73",
    "extensionName": "Terminate Process",
    "hostId": "558feacbbae80c63d54ec1252ac34bdc285b20a7",
    "hostname": "pegasusactual",
    "ip": "192.168.x.x",
    "messages": [
      "Finding and killing processes that match the following search terms (name, path, or pid):\nTerm[1]: C:\\windows\\system32\\calc.exe\nTerm[2]: 17604\nTerm[3]: calculator",
      "Killed calculator.exe [pid: 40396] with image path: c:\\program files\\windowsapps\\microsoft.windowscalculator_10.2002.13.0_x64__8wekyb3d8bbwe\\calculator.exe",
      "Killed 1 processes."
    ],
    "os": "Windows 10 Pro 2004 Professional 64-bit",
    "scanId": "27673898-f615-484c-9731-6526192aff21",
    "success": true,
    "threatStatus": "Good"
  }
}
```

Human Readable Output

| success | os | ip | threatStatus | completedOn | extensionName | hostname |
| --- | --- | --- | --- | --- | --- | --- |
| True | Windows 10 Pro 2004 Professional 64-bit | 192.168.x.x | Good | 6/4/20 12:50:24 PM | Terminate Process | pegasusactual |

Messages

```text
Finding and killing processes that match the following search terms (name, path, or pid):
Term[1]: C:\windows\system32\calc.exe
Term[2]: 17604
Term[3]: calculator
Killed calculator.exe [pid: 40396] with image path: c:\program files\windowsapps\microsoft.windowscalculator_10.2002.13.0_x64__8wekyb3d8bbwe\calculator.exe
Killed 1 processes.
```
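The sample above is a good illustration of why success alone is not enough: three selectors were requested (a calc.exe path, PID 17604, and the name calculator), and the one process that died matched only the name. A playbook that branches on success would close the kill-process step as done even if nothing, or the wrong thing, had been killed. The Python below is an added example, not code from the Infocyte pack or from Infocyte: it parses the messages field from infocyte-get-responseresult using the line formats shown on this page (an assumption that the Terminate Process extension keeps that wording), recovers the requested search terms and every kill line, cross-checks the closing count, and reports which selectors actually accounted for a kill. The sample response is constructed from the page's example.

```python
# Added example, not code from Infocyte or the XSOAR Infocyte pack.
# Infocyte.Response.success only says the extension ran to completion, so this
# parses Infocyte.Response.messages to learn what Terminate Process actually killed.
# The line formats are taken from the sample output on this page; the regexes
# assume the extension keeps that wording.
import re
from typing import Any, Dict, List, Optional, Union

TERM_LINE = re.compile(r"^Term\[\d+\]: (?P<term>.+)$")
KILL_LINE = re.compile(r"^Killed (?P<name>.+?) \[pid: (?P<pid>\d+)\] with image path: (?P<path>.+)$")
SUMMARY_LINE = re.compile(r"^Killed (?P<count>\d+) process(?:es)?\.$")


def _lines(messages: Union[str, List[str], None]) -> List[str]:
    """Flatten the messages field (a list of possibly multi-line strings, or one string)."""
    if not messages:
        return []
    chunks = [messages] if isinstance(messages, str) else messages
    return [ln.strip() for chunk in chunks for ln in str(chunk).splitlines() if ln.strip()]


def parse_kill_messages(messages: Union[str, List[str], None]) -> Dict[str, Any]:
    """Extract the requested search terms, each kill line, and the closing count."""
    terms: List[str] = []
    killed: List[Dict[str, Any]] = []
    summary: Optional[int] = None
    for line in _lines(messages):
        m = TERM_LINE.match(line)
        if m:
            terms.append(m["term"])
            continue
        m = KILL_LINE.match(line)
        if m:
            killed.append({"name": m["name"], "pid": int(m["pid"]), "path": m["path"]})
            continue
        m = SUMMARY_LINE.match(line)
        if m:
            summary = int(m["count"])
    return {"terms": terms, "killed": killed, "summary_count": summary}


def _term_matches(term: str, proc: Dict[str, Any]) -> bool:
    """Mirror the extension's selectors: pid, full image path, or process name
    (with or without extension). Case-insensitive, as Windows paths are."""
    t = term.strip().lower()
    if t.isdigit():
        return int(t) == proc["pid"]
    name, path = proc["name"].lower(), proc["path"].lower()
    return t == path or t == name or name.startswith(t + ".")


def verify_kill(response: Dict[str, Any], terms: Optional[List[str]] = None) -> Dict[str, Any]:
    """Decide whether a Terminate Process run did what was asked. `terms` defaults to
    the search terms echoed in the messages. ok is True only when at least one requested
    selector accounts for a kill, so an unrelated kill is not mistaken for success."""
    result: Dict[str, Any] = {"ok": False, "reason": None, "killed": [], "matched": [], "unmatched": []}
    if not response.get("success"):
        result["reason"] = "extension did not run to completion"
        return result
    parsed = parse_kill_messages(response.get("messages"))
    killed = parsed["killed"]
    terms = list(terms) if terms is not None else parsed["terms"]
    result["killed"] = killed
    result["matched"] = [t for t in terms if any(_term_matches(t, p) for p in killed)]
    result["unmatched"] = [t for t in terms if t not in result["matched"]]
    if parsed["summary_count"] is not None and parsed["summary_count"] != len(killed):
        result["reason"] = (f"summary reports {parsed['summary_count']} kills "
                            f"but {len(killed)} kill lines were found")
    elif not killed:
        result["reason"] = "no process was killed"
    elif not result["matched"]:
        result["reason"] = "killed processes match none of the requested selectors"
    else:
        result["ok"] = True
    return result


# Constructed from this page's infocyte-get-responseresult sample.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "success": True,
    "extensionName": "Terminate Process",
    "messages": [
        "Finding and killing processes that match the following search terms (name, path, or pid):"
        "\nTerm[1]: C:\\windows\\system32\\calc.exe\nTerm[2]: 17604\nTerm[3]: calculator",
        "Killed calculator.exe [pid: 40396] with image path: c:\\program files\\windowsapps\\"
        "microsoft.windowscalculator_10.2002.13.0_x64__8wekyb3d8bbwe\\calculator.exe",
        "Killed 1 processes.",
    ],
}

if __name__ == "__main__":
    print(verify_kill(SAMPLE_RESPONSE))
```

On the page's sample this reports ok with one kill, calculator matched, and the calc.exe path and PID 17604 unmatched, which is exactly the detail an analyst needs before closing the task: the process named in the ticket by PID was not the one terminated.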

infocyte-get-alerts


Retrieves alerts: a single alert by alertId, the alerts after a given lastAlertId, or, when no argument is provided, the alerts since the integration's last run.

Base Command

infocyte-get-alerts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alertId | Infocyte alertId to look up | Optional |
| lastAlertId | Last alertId to start fetching from | Optional |
| max | Number of alerts to fetch | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Infocyte.Alert.id | string | Infocyte alertId |
| Infocyte.Alert.scanId | string | Infocyte scanId the alert originated from |
| Infocyte.Alert.name | string | Name of the alerted file or alert |
| Infocyte.Alert.type | string | Type of object or artifact (process, module, artifact, autostart, script, etc.) |
| Infocyte.Alert.threatName | string | Threat category assigned by extension logic (Good, Low risk, Unknown, Suspicious, Bad) |
| Infocyte.Alert.hasAvScan | boolean | True if the object has been scanned by AV and/or sandbox malware engines |
| Infocyte.Alert.threatScore | number | 0-10 confidence score. Higher = more confident. |
| Infocyte.Alert.avPositive | number | Number of engines and threat intel sources flagging the object as bad. The sample output below returns this key as avPositives. |
| Infocyte.Alert.avTotal | number | Number of engines and threat intel sources that analyzed the object |
| Infocyte.Alert.synapseScore | number | Infocyte proprietary machine learning score on maliciousness. Negative (especially below -1) indicates backdoor or remote access tool features (generally bad); positive is good. |
| Infocyte.Alert.size | number | Size of the object/file in bytes (returned as a string in the sample output below) |
| Infocyte.Alert.flagname | string | Name of the user-assigned flag in Infocyte on this artifact |
| Infocyte.Alert.flagWeight | number | 0-10 user-assigned score assigned to the flag. Higher = more critical. |
| Infocyte.Alert.createdOn | date | Datetime the alert was created |
| Infocyte.Alert.hostname | string | Hostname of the target host |
| Infocyte.Alert.sha1 | string | SHA1 (fileRepId) of the file |
| Infocyte.Alert.signed | boolean | The file carries a valid, unexpired digital signature. A valid signature is not evidence of good intent: the sample alert below is a signed mimikatz.exe flagged by 53 of 66 engines. |
| Infocyte.Alert.managed | boolean | The file has been hash-validated as part of a Linux package manager |

Command Example

!infocyte-get-alerts alertId="d2e1499e-8b11-4300-9848-c1e97094834b"

Context Example

```json
{
  "Infocyte": {
    "Alert": [
      {
        "avPositives": 53,
        "avTotal": 66,
        "createdOn": "2020-05-28T05:57:18.404Z",
        "flagName": null,
        "flagWeight": null,
        "hasAvScan": true,
        "hostname": "pegasusactual",
        "id": "d2e1499e-8b11-4300-9848-c1e97094834b",
        "managed": null,
        "name": "mimikatz.exe",
        "scanId": "aeac5ff3-52e9-4073-b37f-a23cadd3c69e",
        "sha1": "4a45814547f237bbd96db61dec58c0e3fd5c7558",
        "signed": true,
        "size": "1255176",
        "synapseScore": null,
        "threatName": "Bad",
        "threatScore": 9,
        "threatWeight": 8,
        "type": "Artifact"
      }
    ]
  }
}
```

Human Readable Output

| name | threatName | sha1 | id | type | av | size |
| --- | --- | --- | --- | --- | --- | --- |
| mimikatz.exe | Bad | 4a45814547f237bbd96db61dec58c0e3fd5c7558 | d2e1499e-8b11-4300-9848-c1e97094834b | Artifact | 53/66 | 1255176 |
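An alert like the one above is the usual entry point into the response commands documented earlier on this page. The Python below is an added example, not code from the Infocyte pack or from Infocyte: it normalizes Infocyte.Alert objects (tolerating the avPositive/avPositives spelling difference and the string-typed size seen on this page), assigns a severity under an assumed triage policy that is not Infocyte's own scoring, and turns a batch of alerts into a deduplicated per-host plan of infocyte-isolate-host, infocyte-kill-process, and infocyte-scan-host calls. The first sample alert is the page's mimikatz.exe example; the other hosts, hashes and scores are constructed for illustration.

```python
# Added example, not code from Infocyte or the XSOAR Infocyte pack. Turns
# infocyte-get-alerts output into a per-host response plan expressed as calls to
# this integration's commands. The thresholds are an assumed triage policy, not
# Infocyte's scoring; tune them to your environment.
from typing import Any, Dict, List, Set, Tuple


def _num(value: Any, default: float = 0.0) -> float:
    """Coerce a field that may arrive as int, numeric string (size in the sample) or null."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return default


def normalize_alert(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one Infocyte.Alert object. Accepts both avPositive (reference table)
    and avPositives (sample output), since the page shows both spellings."""
    av_pos = raw.get("avPositives", raw.get("avPositive"))
    return {
        "id": raw.get("id"),
        "hostname": raw.get("hostname"),
        "name": raw.get("name"),
        "type": str(raw.get("type") or "").lower(),
        "sha1": raw.get("sha1"),
        "threatName": raw.get("threatName") or "Unknown",
        "threatScore": _num(raw.get("threatScore")),
        "avPositives": _num(av_pos),
        "avTotal": _num(raw.get("avTotal")),
        "hasAvScan": bool(raw.get("hasAvScan")),
        "signed": bool(raw.get("signed")),
        "flagWeight": _num(raw.get("flagWeight")),
    }


def av_ratio(alert: Dict[str, Any]) -> float:
    """Fraction of engines flagging the object; 0 when it was never AV-scanned."""
    if not alert["hasAvScan"] or alert["avTotal"] <= 0:
        return 0.0
    return alert["avPositives"] / alert["avTotal"]


def severity(alert: Dict[str, Any]) -> str:
    """Assumed policy. A valid signature is deliberately not mitigating: the sample
    mimikatz.exe alert is signed=true and still flagged by 53 of 66 engines."""
    if alert["threatName"] == "Bad" or alert["threatScore"] >= 8 or av_ratio(alert) >= 0.5:
        return "high"
    if (alert["threatName"] == "Suspicious" or alert["threatScore"] >= 5
            or alert["flagWeight"] >= 5 or av_ratio(alert) >= 0.1):
        return "medium"
    return "low"


def plan_response(raw_alerts: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """High: isolate the host, and kill by sha1 if the object is a running process or
    module. Medium: run a fresh scan for an analyst to review. Low: nothing.
    Each host is isolated or scanned at most once however many alerts it has."""
    plan: List[Dict[str, Any]] = []
    seen: Set[Tuple[str, ...]] = set()
    for raw in raw_alerts:
        a = normalize_alert(raw)
        host, sev = a["hostname"], severity(a)
        if sev == "low" or not host:
            continue
        why = (f"{a['name']} {a['threatName']} score={a['threatScore']:.0f} "
               f"av={a['avPositives']:.0f}/{a['avTotal']:.0f}")
        if sev == "high":
            if ("isolate", host) not in seen:
                seen.add(("isolate", host))
                plan.append({"command": "infocyte-isolate-host", "args": {"target": host}, "reason": why})
            if a["type"] in ("process", "module") and a["sha1"] and ("kill", host, a["sha1"]) not in seen:
                seen.add(("kill", host, a["sha1"]))
                plan.append({"command": "infocyte-kill-process",
                             "args": {"target": host, "sha1": a["sha1"]}, "reason": why})
        elif ("scan", host) not in seen:
            seen.add(("scan", host))
            plan.append({"command": "infocyte-scan-host", "args": {"target": host}, "reason": why})
    return plan


# Constructed sample alerts: the first is this page's mimikatz.exe example, the
# rest are made up for illustration (hostnames, hashes and scores are invented).
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {"id": "d2e1499e-8b11-4300-9848-c1e97094834b", "hostname": "pegasusactual", "name": "mimikatz.exe",
     "type": "Artifact", "sha1": "4a45814547f237bbd96db61dec58c0e3fd5c7558", "threatName": "Bad",
     "threatScore": 9, "avPositives": 53, "avTotal": 66, "hasAvScan": True, "signed": True,
     "size": "1255176", "flagWeight": None},
    {"id": "ex-1", "hostname": "pegasusactual", "name": "svchost.exe", "type": "Process",
     "sha1": "0" * 40, "threatName": "Bad", "threatScore": 8, "avPositive": 40, "avTotal": 66,
     "hasAvScan": True},
    {"id": "ex-2", "hostname": "ws-22", "name": "updater.exe", "type": "Process", "sha1": "1" * 40,
     "threatName": "Suspicious", "threatScore": 6, "avPositives": 2, "avTotal": 66, "hasAvScan": True},
    {"id": "ex-3", "hostname": "ws-22", "name": "notepad.exe", "type": "Process", "sha1": "2" * 40,
     "threatName": "Good", "threatScore": 1, "avPositives": 0, "avTotal": 66, "hasAvScan": True},
]

if __name__ == "__main__":
    for step in plan_response(SAMPLE_ALERTS):
        print(step["command"], step["args"], "#", step["reason"])
```

Two design choices are worth keeping whatever thresholds you adopt: the plan is keyed by sha1 rather than by process name for kills, because the name is the weakest selector (see the Terminate Process sample above), and isolation is emitted before the kill so the host is already cut off if the process respawns.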