Maltiverse

Overview


Analyze suspicious hashes, URLs, domains and IP addresses. This integration was integrated and tested with version 1.0.0-oas3 of Maltiverse.

Use Cases


  1. Enrich information about different IOC types.
  2. Search for the reputation of different IOC types.
  3. Calculate the DBot Score for indicators.

Configure Maltiverse on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Maltiverse.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • API Key
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. ip
  2. domain
  3. url
  4. file

1. ip


Checks the reputation of an IP address

Base Command

ip

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to check | Required |
| threshold | If the number of positives is higher than the threshold, the IP address will be considered malicious. If the threshold is not specified, the default IP threshold, as configured in the instance settings, will be used. | Optional |
| fullResponse | Return all of the results; note that it can be thousands of results. Prefer not to use in playbooks. The default value is "false". | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The checked IP address |
| IP.Geo.Country | String | The country code of the IP address |
| IP.Malicious.Description | Unknown | Describes the reason for the IP to be in the blacklist |
| IP.PositiveDetections | Number | The number of sources that positively reported the indicator as blacklisted |
| IP.Tags | String | The type of indicator |
| IP.ThreatTypes | Unknown | A list with the description of the elements in the blacklist |
| DBotScore.Score | Number | The DBot score |
| DBotScore.Type | String | The type of indicator |
| DBotScore.Vendor | String | The vendor used to calculate the score |
| DBotScore.Indicator | String | The indicator that was tested |
| Maltiverse.IP.Address | String | The checked IP address |
| Maltiverse.IP.Classification | Unknown | Qualitative maliciousness classification for an IoC. Possible values are malicious, suspicious, neutral and whitelisted |
| Maltiverse.IP.Blacklist.FirstSeen | Date | First time that the IoC has been seen |
| Maltiverse.IP.Blacklist.LastSeen | Date | Last time that the IoC has been seen |
| Maltiverse.IP.Blacklist.Description | String | Describes the reason for the IP to be in the blacklist |
| Maltiverse.IP.Blacklist.Source | String | The name of the sources that reported the indicator |
| Maltiverse.IP.Tags | String | The type of indicator |
Command Example

!ip ip=8.8.8.8

Human Readable Output

[screenshot of the War Room output for the ip command]
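As an added example (not the integration's own code), the threshold rule from the ip input table turned into a DBot score, plus the IP and DBotScore context entries from the table above. The sample response shape and the fallback on the qualitative classification are assumptions of this example.

```python
from typing import Any, Dict, Optional

# DBot score scale used by Demisto / Cortex XSOAR: 0 unknown, 1 good, 2 suspicious, 3 bad
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3
# Constructed sample shaped like the fields mapped into context (not a real Maltiverse response; TEST-NET-3 address)
SAMPLE_IP: Dict[str, Any] = {
    "ip_addr": "203.0.113.7",
    "classification": "suspicious",
    "blacklist": [
        {"source": "feed-a", "description": "Port scanner"},
        {"source": "feed-b", "description": "Brute force"},
    ],
}

def positive_detections(ioc: Dict[str, Any]) -> int:
    """One positive per source that reported the indicator as blacklisted."""
    return len(ioc.get("blacklist") or [])

def dbot_score(ioc: Dict[str, Any], threshold: Optional[int], default_threshold: int) -> int:
    """Threshold rule from the command tables: more positives than the threshold means
    malicious; the instance default applies when the argument is omitted. Falling back
    on the qualitative classification is an assumption of this example, not documented."""
    limit = default_threshold if threshold is None else threshold
    if positive_detections(ioc) > limit:
        return BAD
    classification = (ioc.get("classification") or "").lower()
    if classification == "malicious":
        return BAD
    if classification == "suspicious":
        return SUSPICIOUS
    if classification in ("neutral", "whitelisted", "whitelist"):
        return GOOD
    return UNKNOWN

def ip_context(ioc: Dict[str, Any], threshold: Optional[int] = None, default_threshold: int = 5) -> Dict[str, Any]:
    """Build the IP and DBotScore context entries listed for the ip command."""
    score = dbot_score(ioc, threshold, default_threshold)
    reasons = [entry["description"] for entry in ioc.get("blacklist") or []]
    ip_entry: Dict[str, Any] = {
        "Address": ioc["ip_addr"],
        "PositiveDetections": positive_detections(ioc),
        "ThreatTypes": reasons,
    }
    if score == BAD:  # the Malicious block is only populated for a bad verdict
        ip_entry["Malicious"] = {"Vendor": "Maltiverse", "Description": ", ".join(reasons)}
    return {
        "IP": ip_entry,
        "DBotScore": {"Indicator": ioc["ip_addr"], "Type": "ip", "Vendor": "Maltiverse", "Score": score},
    }
```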

2. domain


Checks the reputation of a Domain

Base Command

domain

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain address to check | Required |
| threshold | If the number of positives is higher than the threshold, the domain will be considered malicious. If the threshold is not specified, the default domain threshold, as configured in the instance settings, will be used. | Optional |
| fullResponse | Return all of the results; note that it can be thousands of results. Prefer not to use in playbooks. The default value is "false". | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name |
| Domain.CreationDate | Date | Date when an IoC was inserted for the first time |
| Domain.ModificationDate | Date | Date when an IoC was updated for the last time |
| Domain.TLD | Number | Top level domain of the hostname |
| Domain.ASName | String | Autonomous system name of the domain |
| Domain.Tags | String | Attribute to label an IoC |
| Domain.ThreatTypes | Unknown | A list with the description of the elements in the blacklist |
| DBotScore.Score | Number | The DBot score |
| DBotScore.Type | String | The type of indicator |
| DBotScore.Vendor | String | The vendor used to calculate the score |
| DBotScore.Indicator | String | The indicator that was tested |
| Maltiverse.Domain.Address | String | The domain name |
| Maltiverse.Domain.Classification | String | Qualitative maliciousness classification for an IoC. Possible values are malicious, suspicious, neutral and whitelist |
| Maltiverse.Domain.Blacklist.Firstseen | Date | First time that the IoC was seen |
| Maltiverse.Domain.Blacklist.LastSeen | Date | Last time that the IoC was seen |
| Maltiverse.Domain.Blacklist.Description | Unknown | Describes the reason for the domain to be in the blacklist |
| Maltiverse.Domain.Blacklist.Source | String | The name of the sources that reported the indicator |
| Maltiverse.Domain.Tags | String | Attribute to label an IoC |
| Maltiverse.Domain.ModificationTime | Date | Date when the IoC was updated for the last time |
| Maltiverse.Domain.CreationTime | Date | Date when an IoC was inserted for the first time |
| Maltiverse.Domain.TLD | String | Top level domain of the hostname |
| Maltiverse.Domain.ResolvedIP.IP | String | Stores an IP that was resolved by the domain |
| Maltiverse.Domain.ResolvedIP.Timestamp | Date | Stores the timestamp when an IP address was resolved by the domain |
Command Example

!domain domain=google.com

Human Readable Output

[screenshot of the War Room output for the domain command]

3. url


Checks the reputation of a URL

Base Command

url

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| url | URL address to check | Required |
| threshold | If the number of positives is higher than the threshold, the URL address will be considered malicious. If the threshold is not specified, the default URL threshold, as configured in the instance settings, will be used. | Optional |
| fullResponse | Return all of the results; note that it can be thousands of results. Prefer not to use in playbooks. The default value is "false". | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| URL.Data | String | The URL |
| URL.Malicious.Description | String | Describes the reason for the URL to be in the blacklist |
| URL.Malicious.Vendor | String | The vendor that sends the indicator for reputation check |
| URL.PositiveDetections | Number | The number of sources that positively reported the indicator as blacklisted |
| URL.Tags | String | Attribute to label an IoC |
| URL.ThreatTypes | Unknown | A list with the description of the elements in the blacklist |
| DBotScore.Score | Number | The DBot score |
| DBotScore.Type | String | The type of indicator |
| DBotScore.Vendor | String | The vendor used to calculate the score |
| DBotScore.Indicator | String | The indicator that was tested |
| Maltiverse.URL.Address | String | The checked URL |
| Maltiverse.URL.Classification | String | Qualitative maliciousness classification for an IoC. Possible values are malicious, suspicious, neutral and whitelist |
| Maltiverse.URL.Blacklist.FirstSeen | Date | First time that the IoC has been seen |
| Maltiverse.URL.Blacklist.LastSeen | Date | Last time that the IoC was seen |
| Maltiverse.URL.Blacklist.Description | Date | Describes the reason for the URL to be in the blacklist |
| Maltiverse.URL.Blacklist.Source | String | The name of the sources that reported the indicator |
| Maltiverse.URL.Tags | String | Attribute to label an IoC |
| Maltiverse.URL.ModificationTime | Date | Date when the IOC was updated for the last time |
| Maltiverse.URL.CreationTime | Date | Date when an IOC was inserted for the first time |
| Maltiverse.URL.Hostname | String | Stores the hostname to which the URL belongs |
| Maltiverse.URL.Domain | String | Stores the domain to which the hostname belongs. Hostname and domain can match on level 2 hostnames |
| Maltiverse.URL.TLD | String | Top level domain of the hostname |
Command Example

!url url=https://dv-expert.org

Human Readable Output

[screenshot of the War Room output for the url command]

4. file


Checks the reputation of a file

Base Command

file

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| file | SHA256 to check | Required |
| threshold | If the number of positive AV detections is higher than the threshold, the file will be considered malicious. If the threshold is not specified, the default file threshold, as configured in the instance settings, will be used. | Optional |
| fullResponse | Return all of the results; note that it can be thousands of results. Prefer not to use in playbooks. The default value is "false". | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| File.Name | String | The full file name (including file extension) |
| File.MD5 | String | The MD5 hash of the file |
| File.SHA1 | String | The SHA1 hash of the file |
| File.SHA256 | String | The SHA256 hash of the file |
| File.Size | Number | The size of the file in bytes |
| File.Extension | String | The extension of the file |
| File.Type | String | Description of the file type based on its magic numbers |
| File.Path | String | The path of the file |
| File.Tags | String | Attribute to label an IoC |
| File.ThreatTypes | Unknown | A list with the description of the elements in the blacklist |
| DBotScore.Score | Number | The DBot score |
| DBotScore.Type | String | The type of indicator |
| DBotScore.Vendor | String | The vendor used to calculate the score |
| DBotScore.Indicator | String | The indicator that was tested |
| Maltiverse.File.Score | Number | Qualitative scoring of the maliciousness of the file. Values from 0 to 100 |
| Maltiverse.File.Tags | String | Attribute to label an IOC |
| Maltiverse.File.Malicious.Vendor | String | For malicious files, the vendor that made the decision |
| Maltiverse.File.Malicious.Description | String | For malicious files, describes the reason for the file to be malicious |
| Maltiverse.File.PositiveDetections | Number | The number of sources that positively reported the indicator as blacklisted |
| Maltiverse.File.Name | String | The file name |
| Maltiverse.File.Classification | String | Qualitative maliciousness classification for an IoC. Possible values are malicious, suspicious, neutral and whitelist |
| Maltiverse.File.Blacklist.FirstSeen | Date | First time that the IoC has been seen |
| Maltiverse.File.Blacklist.LastSeen | Date | Last time that the IoC was seen |
| Maltiverse.File.Blacklist.Description | String | Describes the reason for the URL to be in the blacklist |
| Maltiverse.File.Blacklist.Source | String | The name of the sources that reported the indicator |
| Maltiverse.File.ModificationTime | Date | Date when the IOC was updated for the last time |
| Maltiverse.File.CreationTime | Date | Date when an IOC was inserted for the first time |
| Maltiverse.File.Size | Number | Size of the file in bytes |
| Maltiverse.File.ProcessList | String | List of processes raised by the file at runtime |
| Maltiverse.File.ContactedHost | String | List of the IP addresses contacted by the sample at runtime |
| Maltiverse.File.DNSRequest | String | List of hostnames resolved by the sample at runtime |
Command Example

!file file=edb2f88c29844117cd74acf8bb357edf92487a1b142fe6f60b6ac5e15d2d718f

Human Readable Output

[screenshot of the War Room output for the file command]

Additional Information


For additional information please visit: https://whatis.maltiverse.com/

Known Limitations


  • Without a Maltiverse account there is a limit of 20 API calls per day. A free account grants 100 API calls per day. Please see https://maltiverse.com/plans for more information about the different plans.
  • URL command: When running the !url command, a URL may be followed by a '/' at the end. Maltiverse requires this '/', but it might cause the indicator to not show in the War Room.
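An added example (not the integration's own code) of working around the trailing-slash limitation above: the Maltiverse query uses the '/' form while the string the user searched for is what gets written to URL.Data and DBotScore.Indicator, so the War Room entry matches the searched indicator. That only a URL with an empty path needs the slash is an assumption of this example.

```python
from urllib.parse import urlsplit, urlunsplit


def maltiverse_lookup_key(url: str) -> str:
    """Form used for the Maltiverse query: a URL with an empty path gets the
    trailing '/' the service expects (assumption: only the bare-host form needs it).
    Path, query string and fragment of other URLs are left untouched."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, parts.fragment))


def url_forms(url: str) -> dict:
    """Pair the query form with the indicator form: the lookup goes to Maltiverse,
    the indicator is what the command writes into context for the War Room."""
    return {"lookup": maltiverse_lookup_key(url), "indicator": url.strip()}
```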

Troubleshooting


Possible Errors (DO NOT PUBLISH ON ZENDESK):

  • 'The given IP was invalid'
  • 'Command not found.'
  • f'Failed to execute {command} command. Error: {e}'