Intezer v2

Use the Intezer v2 integration to detect and analyze malware, based on code reuse.

Configure Intezer v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Intezer v2.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • API Key
    • Use system proxy
    • Trust any certificate (not secure)
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Check file reputation by hash: intezer-analyze-by-hash
  2. Check file reputation by uploading a file: intezer-analyze-by-file
  3. Check analysis status and results: intezer-get-analysis-result

1. Check file reputation by hash

Checks the file reputation of the given hash. Supports SHA256, SHA1, and MD5.

Base Command

intezer-analyze-by-hash

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| file_hash | Hash of the file to query. Supports SHA256, MD5, and SHA1. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Intezer.Analysis.ID | string | Intezer analysis ID. |
| Intezer.Analysis.Status | string | Status of the analysis. |
| Intezer.Analysis.Type | string | Analysis type. |

Command Example
intezer-analyze-by-hash file_hash="8cbf90aeab2c93b2819fcfd6262b2cdb"
Context Example
{
    "Intezer.Analysis": {
        "Status": "Created",
        "type": "File",
        "ID": "59e2f081-45f3-4822-bf45-407670dcb4d7"
    }
}
Human Readable Output

Analysis created successfully

2. Check the reputation of a file

Checks file reputation for an uploaded file. Maximum file size is 32 MB.

Base Command

intezer-analyze-by-file

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| file_entry_id | The entry ID of the file to upload. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Intezer.Analysis.ID | string | Intezer analysis ID. |
| Intezer.Analysis.Status | string | Status of the analysis. |
| Intezer.Analysis.Type | string | Analysis type. |

Command Example
intezer-analyze-by-file file_entry_id=1188@6
Context Example
{
    "Intezer.Analysis": {
        "Status": "Created",
        "type": "File",
        "ID": "675515a1-62e9-4d55-880c-fd46a7963a56"
    }
}
Human Readable Output

Analysis created successfully

3. Check analysis status and results

Checks the analysis status and gets the analysis result. Supports file and endpoint analysis.

Base Command

intezer-get-analysis-result

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| analysis_id | The analysis ID for which to get results. | Optional |
| analysis_type | The type of analysis. | Optional |
| indicator_name | Indicator to classify. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| File.SHA256 | string | SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | Vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| File.Metadata | Unknown | Metadata returned from Intezer analysis (analysis id, analysis url, family, family type, sha256, verdict, sub_verdict). Metadata will only be returned for supported files. |
| Endpoint.Metadata | Unknown | Metadata returned from Intezer analysis (endpoint analysis id, endpoint analysis url, families, verdict, host_name). |

Command Example
intezer-get-analysis-result analysis_id="9e3acdc3-b7ea-412b-88ae-7103eebc9398"
Context Example
{
    "DBotScore": {
        "Vendor": "Intezer",
        "Indicator": "fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387",
        "Score": 0,
        "Type": "hash"
    },
    "Intezer.Analysis": {
        "Status": "Done",
        "ID": "9e3acdc3-b7ea-412b-88ae-7103eebc9398"
    },
    "File": {
        "ExistsInIntezer": true,
        "SHA256": "fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387",
        "Metadata": {
            "analysis_id": "9e3acdc3-b7ea-412b-88ae-7103eebc9398",
            "sub_verdict": "file_type_not_supported",
            "analysis_url": "https://analyze.intezer.com/#/analyses/9e3acdc3-b7ea-412b-88ae-7103eebc9398",
            "verdict": "not_supported",
            "sha256": "fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387",
            "is_private": true,
            "analysis_time": "Wed, 19 Jun 2019 07:48:12 GMT"
        }
    }
}
Human Readable Output

Intezer File analysis result

SHA256: fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387
Verdict: not_supported (file_type_not_supported)
Analysis Link
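The commands above are normally chained: submit a hash, poll intezer-get-analysis-result until Intezer.Analysis.Status is "Done", then read DBotScore and File.Metadata. The following is an added example, not code from the Intezer v2 integration, showing that flow as an automation would run it through Demisto's executeCommand API; the FakeDemisto class is a hypothetical stand-in that returns the context shapes shown on this page so the example runs offline, and the "still running" polls are constructed.

```python
import time

# Constructed values, reusing the analysis ID and SHA256 shown on this page.
ANALYSIS_ID = "59e2f081-45f3-4822-bf45-407670dcb4d7"
SHA256 = "fa5953e0c34a4bbf69ac31f3a1360024101c1232bb45cccaad3611b682c92387"

class FakeDemisto:
    """Hypothetical stand-in for the `demisto` object: executeCommand returns a list of
    entries whose EntryContext matches the context examples on this page."""
    polls = 0

    def executeCommand(self, name, args):
        if name == "intezer-analyze-by-hash":
            return [{"EntryContext": {"Intezer.Analysis": {
                "Status": "Created", "type": "File", "ID": ANALYSIS_ID}}}]
        if name == "intezer-get-analysis-result":
            self.polls += 1
            if self.polls < 3:  # constructed: first two polls find it still running
                return [{"EntryContext": {"Intezer.Analysis": {
                    "Status": "Created", "ID": args["analysis_id"]}}}]
            url = "https://analyze.intezer.com/#/analyses/" + args["analysis_id"]
            return [{"EntryContext": {
                "DBotScore": {"Vendor": "Intezer", "Indicator": SHA256, "Score": 0, "Type": "hash"},
                "Intezer.Analysis": {"Status": "Done", "ID": args["analysis_id"]},
                "File": {"ExistsInIntezer": True, "SHA256": SHA256, "Metadata": {
                    "analysis_id": args["analysis_id"], "verdict": "not_supported",
                    "sub_verdict": "file_type_not_supported", "analysis_url": url}}}}]
        raise ValueError("unexpected command: " + name)

def analyze_hash(demisto, file_hash, max_polls=10, delay_seconds=0):
    """Submit a hash, then poll intezer-get-analysis-result until Status is Done."""
    created = demisto.executeCommand("intezer-analyze-by-hash", {"file_hash": file_hash})[0]
    analysis_id = created["EntryContext"]["Intezer.Analysis"]["ID"]
    for _ in range(max_polls):
        ctx = demisto.executeCommand("intezer-get-analysis-result",
                                     {"analysis_id": analysis_id})[0]["EntryContext"]
        if ctx["Intezer.Analysis"]["Status"] == "Done":
            meta = ctx["File"]["Metadata"]
            return {"analysis_id": analysis_id, "verdict": meta["verdict"],
                    "sub_verdict": meta.get("sub_verdict"),
                    "score": ctx["DBotScore"]["Score"], "url": meta["analysis_url"]}
        time.sleep(delay_seconds)
    raise TimeoutError("analysis %s not finished after %d polls" % (analysis_id, max_polls))

def needs_manual_review(result):
    """Score 0 with verdict not_supported means Intezer could not analyse the file,
    which a playbook must not treat as a clean result."""
    return result["verdict"] == "not_supported" or result["score"] == 0
```

In a real automation, pass the global `demisto` object in place of FakeDemisto and set delay_seconds to a few seconds between polls.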