Jask

Overview


Use the JASK integration to manage entities, signals, and insights.

Configure the JASK Integration on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for JASK.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Fetch incidents: whether this instance pulls JASK insights into Demisto as incidents.
    • Incident type: the incident type assigned to fetched incidents.
    • Use system proxy settings: route requests to JASK through the system proxy.
    • Override default fetch query: a JASK query that replaces the default workflow_status:(new OR inprogress) filter used when fetching insights.
  4. Click Test to validate the URLs and token.

Fetched Incidents Data


The integration fetches insights. The first fetch returns insights from the previous 24 hours. By default, each fetch returns all insights whose workflow status is new or inprogress; the default query is workflow_status:(new OR inprogress). To change what is fetched, set your own query in the Override default fetch query parameter.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get details for an insight: jask-get-insight-details
  2. Get comments for an insight: jask-get-insight-comments
  3. Get details for a signal: jask-get-signal-details
  4. Get details for an entity: jask-get-entity-details
  5. Get related entities: jask-get-related-entities
  6. Get a list of whitelisted entities: jask-get-whitelisted-entities
  7. Search JASK insights: jask-search-insights
  8. Search JASK signals: jask-search-signals
  9. Search JASK entities: jask-search-entities

1. Get details for an insight


Returns detailed information for a specified insight.

Base Command

jask-get-insight-details

Input
Parameter Description
insight-id The insight to retrieve details for

Context Output
Path Description
Jask.Insight.Id Insight ID
Jask.Insight.Name Insight name
Jask.Insight.Action Insight action
Jask.Insight.EntityDetails The main entity related to the insight (Id, Name, EntityType, PrimaryEntityType, IpAddress, Hostname, RiskScore, Source, FirstSeen, LastSeen)
Jask.Insight.AssignedTo Who the insight was assigned to
Jask.Insight.Description Insight description
Jask.Insight.IpAddress Insight IP address
Jask.Insight.LastUpdated The time the insight was last updated
Jask.Insight.LastUpdatedBy The last person to update the insight
Jask.Insight.Severity Insight severity
Jask.Insight.InsightTime The time of the insight
Jask.Insight.WorkflowStatus Insight status
Jask.Insight.RelatedEntityList.Id The ID of the related entity
Jask.Insight.RelatedEntityList.EntityType Related entity type
Jask.Insight.RelatedEntityList.Hostname The hostname of the related entity
Jask.Insight.SignalList.Id Signal ID
Jask.Insight.SignalList.Name Signal name
Jask.Insight.SignalList.Category Signal category
Jask.Insight.SignalList.SourceType The source of the signal
Jask.Insight.SignalList.Score Signal score
Jask.Insight.SignalList.Description Signal description
Jask.Insight.SignalList.Timestamp The time of the signal
Jask.Insight.SignalList.ThreatIndicators.IndicatorType Threat indicator type
Jask.Insight.SignalList.ThreatIndicators.Value Value of the threat indicator
Jask.Insight.SignalListMetadata.Patterns.Count Number of pattern signals
Jask.Insight.SignalListMetadata.Anomalies.Count Number of anomaly signals
Jask.Insight.SignalListMetadata.ThreatIntel.Count Number of threat intelligence signals
Jask.Insight.RelatedEntityList.IpAddress IP address of the related entity
Jask.Insight.RelatedEntityList.IsWhitelisted Whether or not the entity is whitelisted
Jask.Insight.RelatedEntityList.RiskScore The risk score of the related entity
Jask.Insight.RelatedEntityList.Source The source of the related entity

Command Example

!jask-get-insight-details insight-id="7ead8dc9-d541-3484-9320-ea593729e7cc"

Context Example
{
    "Jask": {
        "Insight": {
            "SignalListMetadata": {
                "Patterns": {
                    "Count": 4
                }, 
                "ThreatIntel": {
                    "Count": 0
                }, 
                "Anomalies": {
                    "Count": 0
                }
            }, 
            "WorkflowStatus": "new", 
            "Description": "Exfiltration, C2 Risk Score: 14", 
            "IpAddress": "104.236.54.196", 
            "Severity": 2, 
            "RelatedEntityList": [], 
            "LastUpdated": "2018-07-13T05:17:55.620330", 
            "EntityDetails": {
                "EntityType": "ip", 
                "Name": "104.236.54.196", 
                "RiskScore": 9, 
                "Hostname": "Unknown", 
                "Source": "discovery", 
                "LastSeen": "Sun, 05 Aug 2018 10:00:56 GMT", 
                "PrimaryEntityType": null, 
                "IpAddress": "104.236.54.196", 
                "Id": "7ead8dc9-d541-3484-9320-ea593729e7cc", 
                "FirstSeen": "Wed, 14 Feb 2018 19:54:31 GMT"
            }, 
            "InsightTime": "2018-07-11T18:59:12", 
            "Id": "7ead8dc9-d541-3484-9320-ea593729e7cc", 
            "SignalList": [
                {
                    "Category": "Exfiltration", 
                    "Name": "Hexadecimal in DNS Query Domain", 
                    "Timestamp": "2018-07-11T19:06:14", 
                    "ThreatIndicators": [
                        {
                            "Value": "analytics-9dd8570e3fd957ce828c34761a8e98b8.xyz", 
                            "IndicatorType": "hostname"
                        }
                    ], 
                    "Score": "2", 
                    "Description": "Encoding in hexadecimal is a way that attackers can bypass network security devices that are inspecting traffic.  While hexadecimal often appears in subdomains, it much less frequent in domains.", 
                    "Id": "b7f76616-f27b-5c18-b503-2d3dbab1bb96", 
                    "SourceType": "rule"
                }, 
                {
                    "Category": "C2", 
                    "Name": "TeslaCrypt Ransomware Domain", 
                    "Timestamp": "2018-07-11T19:51:16", 
                    "ThreatIndicators": [
                        {
                            "Value": "o4dm3.leaama.at", 
                            "IndicatorType": "hostname"
                        }
                    ], 
                    "Score": "6", 
                    "Description": "TeslaCrypt is a ransomware that encrypts documents, databases, code, bitcoin wallets and more. This rule looks for DNS queries that include domains known to be associated with TeslaCrypt.", 
                    "Id": "67b2ba91-9c32-5ffb-9587-873ef68f7899", 
                    "SourceType": "rule"
                }, 
                {
                    "Category": "C2", 
                    "Name": "TeslaCrypt Ransomware Domain", 
                    "Timestamp": "2018-07-11T19:51:17", 
                    "ThreatIndicators": [
                        {
                            "Value": "kbv5s.kylepasse.at", 
                            "IndicatorType": "hostname"
                        }
                    ], 
                    "Score": "6", 
                    "Description": "TeslaCrypt is a ransomware that encrypts documents, databases, code, bitcoin wallets and more. This rule looks for DNS queries that include domains known to be associated with TeslaCrypt.", 
                    "Id": "26fc053b-ad5f-5f39-8e48-12feb39b77d2", 
                    "SourceType": "rule"
                }, 
                {
                    "Category": "C2", 
                    "Name": "TorrentLocker Ransomware Domain", 
                    "Timestamp": "2018-07-11T19:51:19", 
                    "ThreatIndicators": [
                        {
                            "Value": "mz7oyb3v32vshcvk.tormidle.at", 
                            "IndicatorType": "hostname"
                        }
                    ], 
                    "Score": "6", 
                    "Description": "TorrentLocker is a ransomware that encrypts documents, databases, code, bitcoin wallets and more. This rule looks for DNS queries that include domains known to be associated with TorrentLocker.", 
                    "Id": "7ed97e33-73fd-599c-9c55-6c89aa0e7bf3", 
                    "SourceType": "rule"
                }
            ], 
            "Name": "Possible Malware - Ransomware (TeslaCrypt) and Data Exfiltration"
        }
    }
}
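The following is an added example and not code from the integration itself: a Python automation body that walks the Jask.Insight context produced by jask-get-insight-details, pulls the threat indicators out of SignalList, ranks signals by Score (a string in the API), and cross-checks SignalListMetadata against the signal list, which matters when a playbook derives severity from those counts. The sample insight is a trimmed copy of the context example above. The mapping of SourceType values to metadata buckets (rule to Patterns, anomaly to Anomalies, threatintel to ThreatIntel) is an assumption inferred from that example and from the source values listed for jask-search-signals. Inside Demisto you would read the insight from context (demisto.context()) instead of embedding it.

```python
"""Extract indicators from a JASK insight and sanity-check its metadata."""
from collections import Counter

# Constructed sample: trimmed from the jask-get-insight-details context example.
SAMPLE_INSIGHT = {
    "Id": "7ead8dc9-d541-3484-9320-ea593729e7cc",
    "Name": "Possible Malware - Ransomware (TeslaCrypt) and Data Exfiltration",
    "Severity": 2,
    "IpAddress": "104.236.54.196",
    "SignalListMetadata": {"Patterns": {"Count": 4}, "ThreatIntel": {"Count": 0}, "Anomalies": {"Count": 0}},
    "SignalList": [
        {"Category": "Exfiltration", "Name": "Hexadecimal in DNS Query Domain", "SourceType": "rule", "Score": "2",
         "ThreatIndicators": [{"Value": "analytics-9dd8570e3fd957ce828c34761a8e98b8.xyz", "IndicatorType": "hostname"}]},
        {"Category": "C2", "Name": "TeslaCrypt Ransomware Domain", "SourceType": "rule", "Score": "6",
         "ThreatIndicators": [{"Value": "o4dm3.leaama.at", "IndicatorType": "hostname"}]},
        {"Category": "C2", "Name": "TeslaCrypt Ransomware Domain", "SourceType": "rule", "Score": "6",
         "ThreatIndicators": [{"Value": "kbv5s.kylepasse.at", "IndicatorType": "hostname"}]},
        {"Category": "C2", "Name": "TorrentLocker Ransomware Domain", "SourceType": "rule", "Score": "6",
         "ThreatIndicators": [{"Value": "mz7oyb3v32vshcvk.tormidle.at", "IndicatorType": "hostname"}]},
    ],
}

# Assumed mapping from a signal's SourceType to its SignalListMetadata bucket:
# the page shows four "rule" signals against Patterns.Count == 4, and
# jask-search-signals lists the source values threatintel, rule and anomaly.
SOURCE_TO_BUCKET = {"rule": "Patterns", "anomaly": "Anomalies", "threatintel": "ThreatIntel"}


def extract_indicators(insight):
    """Return {IndicatorType: sorted unique values} across all signals, plus the
    insight's own IpAddress so it is not lost when RelatedEntityList is empty."""
    found = {}
    for signal in insight.get("SignalList", []):
        for ind in signal.get("ThreatIndicators", []):
            found.setdefault(ind["IndicatorType"], set()).add(ind["Value"])
    if insight.get("IpAddress"):
        found.setdefault("ip", set()).add(insight["IpAddress"])
    return {kind: sorted(values) for kind, values in found.items()}


def highest_scoring_signals(insight, top=2):
    """Signals ordered by Score descending (Score arrives as a string), then by name."""
    signals = insight.get("SignalList", [])
    return sorted(signals, key=lambda s: (-int(s.get("Score", 0)), s.get("Name", "")))[:top]


def metadata_matches_signals(insight):
    """True when SignalListMetadata counts agree with the SignalList itself.
    A mismatch usually means the list was truncated or carries a SourceType we
    do not map; either way a playbook should not trust the counts blindly."""
    observed = Counter(SOURCE_TO_BUCKET.get(s.get("SourceType"), "Unknown")
                       for s in insight.get("SignalList", []))
    meta = insight.get("SignalListMetadata", {})
    expected = {bucket: meta.get(bucket, {}).get("Count", 0) for bucket in SOURCE_TO_BUCKET.values()}
    return "Unknown" not in observed and all(observed.get(b, 0) == expected[b] for b in expected)


def summarize(insight):
    """Compact triage record suitable for a War Room table or an incident field."""
    categories = Counter(s.get("Category") for s in insight.get("SignalList", []))
    return {
        "id": insight["Id"],
        "severity": insight.get("Severity"),
        "categories": dict(categories),
        "indicators": extract_indicators(insight),
        "metadata_consistent": metadata_matches_signals(insight),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_INSIGHT), indent=2))
```

The indicator dictionary is what you would feed to a downstream enrichment or blocklist step; the metadata check is the guard that stops a playbook from rating an insight on a partial signal list.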

Human Readable Output

2. Get comments for an insight


Returns comments for a specified insight.

Base Command

jask-get-insight-comments

Input
Parameter Description
insight-id The insight to retrieve comments for

Context Output
Path Description
Jask.InsightCommentList.Id Comment ID
Jask.InsightCommentList.InsightId Insight ID
Jask.InsightCommentList.Author Author of comment
Jask.InsightCommentList.Body Comment body
Jask.InsightCommentList.LastUpdated The date the comment was last updated
Jask.InsightCommentList.Timestamp The time of the comment

Command Example

!jask-get-insight-comments insight-id="7ead8dc9-d541-3484-9320-ea593729e7cc"

Context Example

Human Readable Output


3. Get details for a signal


Returns detailed information for a specified signal.

Base Command

jask-get-signal-details

Input
Parameter Description
signal-id The signal to retrieve details for

Context Output
Path Description
Jask.Signal.Id Signal ID
Jask.Signal.Name Signal name
Jask.Signal.Category Signal category
Jask.Signal.Description Signal description
Jask.Signal.Score Signal score
Jask.Signal.SourceType The source type of the signal
Jask.Signal.Timestamp The time of the signal
Jask.Signal.Metadata.RecordType Record type
Jask.Signal.Metadata.RecordCount The associated count of each record type
Jask.Signal.ThreatIndicators.IndicatorType Threat indicator type
Jask.Signal.ThreatIndicators.Value Value of the threat indicator

Command Example

!jask-get-signal-details signal-id=b7f76616-f27b-5c18-b503-2d3dbab1bb96

Context Example
{
    "Jask": {
        "Signal": {
            "Category": "Exfiltration", 
            "SourceType": "rule", 
            "Name": "Hexadecimal in DNS Query Domain", 
            "Timestamp": "2018-07-11T19:06:14", 
            "ThreatIndicators": [
                {
                    "Value": "analytics-9dd8570e3fd957ce828c34761a8e98b8.xyz", 
                    "IndicatorType": "hostname"
                }
            ], 
            "Score": "2", 
            "Description": "Encoding in hexadecimal is a way that attackers can bypass network security devices that are inspecting traffic.  While hexadecimal often appears in subdomains, it much less frequent in domains.", 
            "Id": "b7f76616-f27b-5c18-b503-2d3dbab1bb96", 
            "Metadata": [
                {
                    "RecordType": "flow", 
                    "RecordCount": 0
                }, 
                {
                    "RecordType": "notice", 
                    "RecordCount": 0
                }, 
                {
                    "RecordType": "http", 
                    "RecordCount": 0
                }
            ]
        }
    }
}

Human Readable Output


4. Get details for an entity


Returns detailed information about a specified entity.

Base Command

jask-get-entity-details

Input
Parameter Description
entity-id The entity to retrieve details for

Context Output
Path Description
Jask.Entity.Id Entity ID
Jask.Entity.Name Entity name
Jask.Entity.IpAddress Entity IP address
Jask.Entity.FirstSeen Time the entity was first seen
Jask.Entity.LastSeen Time the entity was last seen
Jask.Entity.Source The source of the entity
Jask.Entity.EntityType Entity type
Jask.Entity.PrimaryEntityType Primary entity type
Jask.Entity.Hostname Hostname
Jask.Entity.RiskScore Risk score
Jask.Entity.IsWhiteListed Whether or not the entity is whitelisted
Jask.Entity.Groups The groups the entity belongs to

Command Example

!jask-get-entity-details entity-id=d07ef37f-06c1-58c3-a7a0-c1cd0fa4cd8e

Context Example
{
    "Jask": {
        "Entity": {
            "Name": "craig.campbell", 
            "EntityType": "username", 
            "PrimaryEntityType": "hostname", 
            "Source": "ad", 
            "LastSeen": "Sun, 05 Aug 2018 10:30:18 GMT", 
            "Groups": [
                "CN=Remote Desktop Users,CN=Builtin,DC=corp,DC=skaj,DC=ai"
            ], 
            "Id": "d07ef37f-06c1-58c3-a7a0-c1cd0fa4cd8e", 
            "FirstSeen": "Thu, 01 Mar 2018 16:52:50 GMT"
        }
    }
}

Human Readable Output


5. Get related entities


Get all related entities for the specified entity.

Base Command

jask-get-related-entities

Input
Parameter Description
entity-id The entity ID that the related entities are retrieved for

Context Output
Path Description
Jask.RelatedEntityList.Id Entity ID
Jask.RelatedEntityList.Name Entity name
Jask.RelatedEntityList.Email Entity email
Jask.RelatedEntityList.Source Entity source
Jask.RelatedEntityList.Username Username of the related entity
Jask.RelatedEntityList.Hostname Entity hostname
Jask.RelatedEntityList.Active Whether or not the entity is active
Jask.RelatedEntityList.Admin Whether or not the entity is an admin
Jask.RelatedEntityList.EntityType Entity type
Jask.RelatedEntityList.CreatedTimestamp Time the entity was created
Jask.RelatedEntityList.FirstSeen Time the entity was first seen
Jask.RelatedEntityList.GivenName Given (first) name of a user entity
Jask.RelatedEntityList.Groups The groups the entity belongs to
Jask.RelatedEntityList.IsWhiteListed Whether or not the entity is whitelisted
Jask.RelatedEntityList.LastSeen Time the entity was last seen
Jask.RelatedEntityList.LastName Last name of a user entity
Jask.RelatedEntityList.RiskScore Entity risk score

Command Example

!jask-get-related-entities entity-id=d5d04bc6-c00a-4a9a-a8f5-6f6231f55d80

Context Example
{
    "Jask": {
        "RelatedEntityList": [
            {
                "Username": "craig.campbell", 
                "Name": "craig.campbell", 
                "LastName": "Campbell", 
                "EntityType": "username", 
                "Id": "d07ef37f-06c1-58c3-a7a0-c1cd0fa4cd8e", 
                "CreatedTimestamp": "2018-01-23T05:01:38", 
                "Source": "ad", 
                "LastSeen": "2018-08-05T10:30:18", 
                "Groups": [
                    "CN=Remote Desktop Users,CN=Builtin,DC=corp,DC=skaj,DC=ai"
                ], 
                "Active": true, 
                "GivenName": "Craig", 
                "Email": "example.gmail.com", 
                "FirstSeen": "2018-03-01T16:52:50"
            }, 
            {
                "EntityType": "hostname", 
                "Name": "sea-dt5820-357.corp.skaj.ai", 
                "Hostname": "sea-dt5820-357.corp.skaj.ai", 
                "Source": "ad", 
                "LastSeen": "2018-08-05T10:30:38", 
                "Groups": [
                    "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=corp,DC=skaj,DC=ai", 
                    "CN=Cert Publishers,CN=Users,DC=corp,DC=skaj,DC=ai"
                ], 
                "Id": "7d63f14f-81c0-5442-9de1-6061404bcbd7", 
                "FirstSeen": "2018-02-15T16:04:35"
            }
        ]
    }
}

Human Readable Output


6. Get a list of whitelisted entities


Returns a list of all whitelisted entities.

Base Command

jask-get-whitelisted-entities

Input

There are no inputs for this command.

Context Output
Path Description
Jask.WhiteListed.EntityList.Id ID of the whitelisted entity
Jask.WhiteListed.EntityList.Name Name of the whitelisted entity (IP address or hostname)
Jask.WhiteListed.EntityList.UserName User who whitelisted the entity
Jask.WhiteListed.EntityList.ModelId The model ID of the whitelisted entity
Jask.WhiteListed.EntityList.Timestamp Time the entity was whitelisted
Jask.WhiteListed.Metadata.TotalCount Number of whitelisted entities

Command Example

!jask-get-whitelisted-entities

Context Example
{
    "Jask": {
        "WhiteListed": {
            "EntityList": [
                {
                    "UserName": "demisto", 
                    "Timestamp": "2018-05-31T21:20:45.302635", 
                    "Name": "wittes-imac-pro.local", 
                    "Id": "e0a7172f-aa5d-4ba9-ae66-b49d99d9b4e7", 
                    "ModelId": "e0a7172f-aa5d-4ba9-ae66-b49d99d9b4e7"
                }, 
                {
                    "UserName": "demisto", 
                    "Timestamp": "2018-05-31T21:12:54.003527", 
                    "Name": "172.18.20.20", 
                    "Id": "d5d04bc6-c00a-4a9a-a8f5-6f6231f55d80", 
                    "ModelId": "d5d04bc6-c00a-4a9a-a8f5-6f6231f55d80"
                }, 
                {
                    "UserName": "demisto", 
                    "Timestamp": "2018-05-31T21:20:37.218586", 
                    "Name": "192.168.2.195", 
                    "Id": "306360bb-57d2-4a8d-a882-a7b3f2b92429", 
                    "ModelId": "306360bb-57d2-4a8d-a882-a7b3f2b92429"
                }
            ], 
            "Metadata": {
                "TotalCount": 3
            }
        }
    }
}

Human Readable Output


7. Search JASK insights


Search for JASK insights according to specific criteria.

Base Command

jask-search-insights

Input
Parameter Description
last-seen When the insight was last seen. Defaults to 'All time' if no time arguments are specified.
rating Comma-separated list of values between 1 and 5 (inclusive)
status Comma-separated list of values (new, inprogress, closed)
assigned-team Comma-separated list of values
assigned-user Comma-separated list of values
offset The page offset for the results
limit How many results to retrieve
sort What to sort the results by
time-from Start time for the search (MM/DD/YYYY)
time-to End time for the search (MM/DD/YYYY)

Context Output
Path Description
Jask.Insight.Id Insight ID
Jask.Insight.Name Insight name
Jask.Insight.Action The action to take on the insight
Jask.Insight.AssignedTo Who the insight was assigned to
Jask.Insight.Description Insight description
Jask.Insight.IpAddress Insight IP address
Jask.Insight.LastUpdated When the insight was last updated
Jask.Insight.LastUpdatedBy Who the insight was last updated by
Jask.Insight.Severity Insight severity
Jask.Insight.InsightTime Time of the insight
Jask.Insight.WorkflowStatus Insight status

Command Example

!jask-search-insights last-seen="Last 48 hours" limit=2 assigned-user=unassigned

Context Example
{
    "Jask": {
        "Insight": [
            {
                "WorkflowStatus": "new", 
                "Description": "Multiple signals related to lateral movement with other anomalies and threats.", 
                "InsightTime": "2018-08-04T11:06:14", 
                "LastUpdated": "2018-08-04T11:06:15.373616", 
                "AssignedTo": "unassigned", 
                "Severity": 1, 
                "IpAddress": "172.18.20.20", 
                "Id": "a01f689c-f7da-4838-bf5c-2046f1736aff", 
                "Name": "Insider Threat - Lateral Movement with Increased Traffic"
            }, 
            {
                "WorkflowStatus": "new", 
                "Description": "Multiple signals related to user, network and other threats.", 
                "InsightTime": "2018-08-04T11:05:12", 
                "LastUpdated": "2018-08-04T11:05:13.654486", 
                "AssignedTo": "unassigned", 
                "Severity": 1, 
                "IpAddress": "172.18.20.20", 
                "Id": "88cd2086-126f-4e95-a6c5-dde91f86afb6", 
                "Name": "User Anomalies with Beaconing Behavior"
            }
        ]
    }
}
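An added example, not part of this integration: a triage helper that joins the output of jask-get-whitelisted-entities with the insights returned by jask-search-insights. It flags insights whose IpAddress is a whitelisted entity name, computes each insight's age from the mixed timestamp formats JASK returns (ISO with and without microseconds, RFC 1123 for entity FirstSeen/LastSeen), and builds the MM/DD/YYYY time-from/time-to pair that the search commands take. The whitelist and the first insight are copied from the context examples on this page; the second insight is built from the jask-get-insight-details example; the third insight, the fixed NOW, the severity threshold and the suppress/investigate policy are assumptions made for the example.

```python
"""Triage jask-search-insights results against the JASK whitelist."""
from datetime import datetime, timedelta, timezone

# Constructed samples. WHITELISTED and INSIGHTS[0] are copied from the context
# examples on this page; INSIGHTS[1] is built from the jask-get-insight-details
# example; INSIGHTS[2] is invented to exercise the high-severity branch.
WHITELISTED = [
    {"Name": "wittes-imac-pro.local", "Id": "e0a7172f-aa5d-4ba9-ae66-b49d99d9b4e7", "UserName": "demisto"},
    {"Name": "172.18.20.20", "Id": "d5d04bc6-c00a-4a9a-a8f5-6f6231f55d80", "UserName": "demisto"},
    {"Name": "192.168.2.195", "Id": "306360bb-57d2-4a8d-a882-a7b3f2b92429", "UserName": "demisto"},
]
INSIGHTS = [
    {"Id": "a01f689c-f7da-4838-bf5c-2046f1736aff",
     "Name": "Insider Threat - Lateral Movement with Increased Traffic",
     "Severity": 1, "IpAddress": "172.18.20.20", "WorkflowStatus": "new",
     "InsightTime": "2018-08-04T11:06:14", "LastUpdated": "2018-08-04T11:06:15.373616"},
    {"Id": "7ead8dc9-d541-3484-9320-ea593729e7cc",
     "Name": "Possible Malware - Ransomware (TeslaCrypt) and Data Exfiltration",
     "Severity": 2, "IpAddress": "104.236.54.196", "WorkflowStatus": "new",
     "InsightTime": "2018-07-11T18:59:12", "LastUpdated": "2018-07-13T05:17:55.620330"},
    {"Id": "constructed-0003", "Name": "constructed high-severity insight",
     "Severity": 4, "IpAddress": "192.168.2.195", "WorkflowStatus": "new",
     "InsightTime": "2018-08-05T09:06:14", "LastUpdated": "2018-08-05T09:06:14"},
]
# Assumed "current time" so the example is deterministic.
NOW = datetime(2018, 8, 5, 11, 6, 14, tzinfo=timezone.utc)
# Assumed policy: a whitelisted entity only suppresses insights below this severity.
KEEP_SEVERITY = 3

# The context examples show three timestamp shapes; all are treated as UTC.
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S", "%a, %d %b %Y %H:%M:%S GMT")


def parse_jask_time(value):
    """Parse any of the timestamp formats seen in JASK context output."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised JASK timestamp: %r" % (value,))


def search_window(end, days=1):
    """time-from/time-to strings in the MM/DD/YYYY form the search commands take."""
    start = end - timedelta(days=days)
    return start.strftime("%m/%d/%Y"), end.strftime("%m/%d/%Y")


def triage(insights, whitelist, now=NOW, keep_severity=KEEP_SEVERITY):
    """Annotate each insight with whether its IpAddress is a whitelisted entity,
    its age in hours, and a suggested action. Whitelisted hosts are deprioritised,
    not dropped: a whitelist hides exactly what an attacker on a trusted host
    wants hidden, so anything at or above keep_severity is still investigated."""
    names = {e["Name"].lower() for e in whitelist}
    rows = []
    for ins in insights:
        ip = ins.get("IpAddress", "")
        on_whitelist = ip.lower() in names
        age_hours = (now - parse_jask_time(ins["InsightTime"])).total_seconds() / 3600
        suppress = on_whitelist and ins.get("Severity", 0) < keep_severity
        rows.append({
            "id": ins["Id"], "ip": ip, "severity": ins.get("Severity"),
            "whitelisted": on_whitelist, "age_hours": round(age_hours, 1),
            "action": "suppress" if suppress else "investigate",
        })
    return rows


if __name__ == "__main__":
    print("search window:", search_window(NOW))
    for row in triage(INSIGHTS, WHITELISTED):
        print(row)
```

search_window(NOW) yields the same 08/04/2018 to 08/05/2018 pair used in the jask-search-entities example further down; the same helper applies to the time-from/time-to arguments of jask-search-signals.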

Human Readable Output


8. Search JASK signals


Search for JASK signals according to specific criteria.

Base Command

jask-search-signals

Input
Parameter Description
last-seen When the signal was last seen. Defaults to 'All time' if no time arguments are specified.
source Comma-separated list of values (threatintel, rule, anomaly)
category Comma-separated list of values from the options (Attack Stage, C2, Defense Evasion, Discovery, Exfiltration, Exploitation, External Recon, Internal Recon, Lateral Movement, Threat Intelligence, Traffic Anomaly)
offset The page offset for the results
limit The maximum number of signals to retrieve
sort What to sort the results by
time-from Start time for the search (MM/DD/YYYY)
time-to End time for the search (MM/DD/YYYY)

Context Output

Path Description
Jask.Signal.Id Signal ID
Jask.Signal.Name Signal name
Jask.Signal.Category Signal category
Jask.Signal.Description Signal description
Jask.Signal.Score Signal score
Jask.Signal.SourceType The source type of the signal
Jask.Signal.Timestamp The time of the signal
Jask.Signal.ThreatIndicators.IndicatorType Threat indicator type
Jask.Signal.ThreatIndicators.Value Value of the threat indicator

Command Example

!jask-search-signals last-seen="Last 24 hours" category="Attack Stage, C2" offset="0" limit="10" sort="score:desc"

Context Example
{
    "Jask": {
        "Signal": [
            {
                "Category": "C2", 
                "Name": "TeslaCrypt Ransomware Domain", 
                "Timestamp": "2018-08-04T11:59:26.447586", 
                "ThreatIndicators": [
                    {
                        "Value": "lovemydress.pl", 
                        "IndicatorType": "hostname"
                    }
                ], 
                "Score": "6", 
                "Description": "TeslaCrypt is a ransomware that encrypts documents, databases, code, bitcoin wallets and more. This rule looks for DNS queries that include domains known to be associated with TeslaCrypt.", 
                "Id": "79d796dc-97e6-11e8-bdd7-02346534339c", 
                "SourceType": "rule"
            }, 
            {
                "Category": "Attack Stage", 
                "Name": "SSH Password Brute Force", 
                "Timestamp": "2018-08-04T10:36:35.256445", 
                "ThreatIndicators": [
                    {
                        "Value": "104.236.48.178", 
                        "IndicatorType": "ip"
                    }
                ], 
                "Score": "2", 
                "Description": "SSH Password brute force attack detected", 
                "Id": "79d790a6-97e6-11e8-bdc7-02346534339c", 
                "SourceType": "rule"
            }, 
            {
                "Category": "Attack Stage", 
                "Name": "SSH Password Brute Force", 
                "Timestamp": "2018-08-04T11:24:49.534168", 
                "ThreatIndicators": [
                    {
                        "Value": "104.236.48.178", 
                        "IndicatorType": "ip"
                    }
                ], 
                "Score": "2", 
                "Description": "SSH Password brute force attack detected", 
                "Id": "79d78eb2-97e6-11e8-bdc2-02346534339c", 
                "SourceType": "rule"
            }
        ]
    }
}

Human Readable Output


9. Search JASK entities


Search for JASK entities according to specific criteria.

Base Command

jask-search-entities

Input
Parameter Description
last-seen When the entity was last seen. Defaults to 'All time' if no time arguments are specified.
entity-type Comma-separated list of values (username, hostname, ip)
offset The page offset for the results
limit How many results to retrieve
sort What to sort the results by
time-from Start time for the search (MM/DD/YYYY)
time-to End time for the search (MM/DD/YYYY)

Context Output
Path Description
Jask.Entity.Id Entity ID
Jask.Entity.Name Entity name
Jask.Entity.FirstSeen When the entity was first seen
Jask.Entity.LastSeen When the entity was last seen
Jask.Entity.Source The source of the entity
Jask.Entity.EntityType Entity type
Jask.Entity.PrimaryEntityType The primary entity type
Jask.Entity.HostName Entity hostname
Jask.Entity.RiskScore Entity risk score
Jask.Entity.IsWhiteListed Whether or not the entity is whitelisted
Jask.Entity.Groups The groups of the entity
Jask.Entity.IpAddress Entity IP address

Command Example

!jask-search-entities entity-type=ip limit=3 time-from=08/04/2018 time-to=08/05/2018

Context Example
{
    "Jask": {
        "Entity": [
            {
                "EntityType": "ip", 
                "Name": "112.175.209.72", 
                "Hostname": "Unknown", 
                "Source": "discovery", 
                "PrimaryEntityType": null, 
                "IpAddress": "112.175.209.72", 
                "Id": "68fe56f0-4cbc-4664-9227-868069607636"
            }, 
            {
                "EntityType": "ip", 
                "Name": "186.185.91.72", 
                "Hostname": "Unknown", 
                "Source": "discovery", 
                "PrimaryEntityType": null, 
                "IpAddress": "186.185.91.72", 
                "Id": "ada67af4-a7c1-45f4-9740-69b095ffdac6"
            }, 
            {
                "EntityType": "ip", 
                "Name": "105.102.75.16", 
                "Hostname": "Unknown", 
                "Source": "discovery", 
                "PrimaryEntityType": null, 
                "IpAddress": "105.102.75.16", 
                "Id": "b3e40046-0450-48a4-8752-6a20aec89143"
            }
        ]
    }
}

Human Readable Output
