X-Force
Integration version: 14.0
Configure X-Force to work with Google Security Operations
- To obtain your personal API key, log in to the IBM X-Force Exchange website with an active IBM ID.
- Open your user profile from the upper right corner of the screen, then go to the Settings page to create a new API key/password pair.
- On the Settings page, click API Access, then click Generate in the API Key Generation section.

Treat the generated key/password pair as a credential: enter it only in the integration configuration in Google SecOps, never in playbook parameters, and generate a new pair if it is ever exposed.
Configure X-Force integration in Google SecOps
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Actions
Get Hash Info
Description
Query X-Force for hash information.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Threshold | string | N/A | The value of the threshold can be: low, medium or high. |
Use cases
N/A
Run On
This action runs on the Filehash entity.
Action Results
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| malware | Returns if it exists in JSON result |
| tags | Returns if it exists in JSON result |
Insights
If the X-Force risk level of the hash exceeds the threshold, an Insight is added warning that the hash is marked as malware.
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_risk | True/False | is_risk:False |
JSON Result
```json
[
  {
    "EntityResult": {
      "malware": {
        "hash": "0x474B9CCF5AB9D72CA8A333889BBB34F0",
        "family": ["tsunami"],
        "origins": {
          "downloadServers": {},
          "subjects": {},
          "CnCServers": {
            "count": 1,
            "rows": [
              {
                "count": 483,
                "origin": "CnC",
                "domain": "pc-guard.net",
                "filepath": "v.html",
                "ip": "1.1.1.1",
                "uri": "http://pc-guard.net/v.html",
                "lastseen": "2014-10-20T23:19:00Z",
                "md5": "474B9CCF5AB9D72CA8A333889BBB34F",
                "type": "CnC",
                "firstseen": "2014-10-20T23:19:00Z",
                "schema": "http"
              }
            ]
          },
          "emails": {},
          "external": {
            "detectionCoverage": 46,
            "family": ["heuristic", "trojan"]
          }
        },
        "created": "2014-10-20T23:19:00Z",
        "familyMembers": {
          "tsunami": {"count": 61}
        },
        "md5": "0x474B9CCF5AB9D72CA8A333889BBB34F0",
        "type": "md5",
        "risk": "high"
      },
      "tags": []
    },
    "Entity": "474B9CCF5AB9D72CA8A333889BBB34F0"
  }
]
```
Get IP by Category
Description
Retrieve the IP addresses that X-Force reports under a given category, with their score and creation time.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Category | string | N/A | The X-Force category to list IP addresses for. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
```json
[
  {
    "ip": "string",
    "score": "integer",
    "created": "string"
  }
]
```
Get IP Info
Description
Query X-Force for IP information.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Threshold | string | N/A | Threshold must be an integer (example: 3). |
Use cases
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
Entities are marked as suspicious if their X-Force score exceeds the threshold; otherwise they are not marked.
| Enrichment Field Name | Logic - When to apply |
|---|---|
| subnets | Returns if it exists in JSON result |
| reasonDescription | Returns if it exists in JSON result |
| tags | Returns if it exists in JSON result |
| ip | Returns if it exists in JSON result |
| reason | Returns if it exists in JSON result |
| score | Returns if it exists in JSON result |
| categoryDescriptions | Returns if it exists in JSON result |
| cats | Returns if it exists in JSON result |
| geo | Returns if it exists in JSON result |
| history | Returns if it exists in JSON result |
Insights
If the X-Force score exceeds the threshold, an Insight is added and the entity is marked as suspicious.
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_risky | True/False | is_risky:False |
JSON Result
```json
[
  {
    "EntityResult": {
      "subnets": [
        {
          "subnet": "1.1.1.1/14",
          "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
          "created": "2017-10-18T06:23:00.000Z",
          "ip": "1.1.1.1",
          "asns": {
            "8359": {"Company": "MTS, RU", "cidr": 14}
          },
          "reason": "Regional Internet Registry",
          "score": 1,
          "categoryDescriptions": {},
          "cats": {},
          "geo": {"country": "Russia", "countrycode": "RU"}
        },
        {
          "subnet": "1.1.1.1/20",
          "reasonDescription": "Based on statistical DNS analysis.",
          "created": "2014-01-22T19:56:00.000Z",
          "ip": "1.1.1.1",
          "reason": "DNS heuristics",
          "score": 1,
          "categoryDescriptions": {
            "Dynamic IPs": "This category contains IP addresses of dialup hosts and DSL lines."
          },
          "cats": {"Dynamic IPs": 71}
        }
      ],
      "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
      "tags": [],
      "ip": "1.1.1.1",
      "reason": "Regional Internet Registry",
      "score": 1,
      "categoryDescriptions": {
        "Dynamic IPs": "This category contains IP addresses of dialup hosts and DSL lines."
      },
      "cats": {"Dynamic IPs": 71},
      "geo": {"country": "Russia", "countrycode": "RU"},
      "history": [
        {
          "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
          "created": "2012-03-22T07:26:00.000Z",
          "ip": "1.1.1.1/14",
          "reason": "Regional Internet Registry",
          "score": 1,
          "categoryDescriptions": {},
          "cats": {},
          "geo": {"country": "Russia", "countrycode": "RU"}
        },
        {
          "reasonDescription": "Based on statistical DNS analysis.",
          "created": "2012-04-13T13:34:00.000Z",
          "ip": "1.1.1.1/14",
          "reason": "DNS heuristics",
          "score": 1,
          "categoryDescriptions": {
            "Dynamic IPs": "This category contains IP addresses of dialup hosts and DSL lines."
          },
          "cats": {"Dynamic IPs": 100},
          "geo": {"country": "Russia", "countrycode": "RU"}
        },
        {
          "reasonDescription": "Based on statistical DNS analysis.",
          "created": "2014-01-22T19:56:00.000Z",
          "ip": "1.1.1.1/20",
          "reason": "DNS heuristics",
          "score": 1,
          "categoryDescriptions": {
            "Dynamic IPs": "This category contains IP addresses of dialup hosts and DSL lines."
          },
          "cats": {"Dynamic IPs": 71},
          "geo": {"country": "Russia", "countrycode": "RU"}
        }
      ]
    },
    "Entity": "1.1.1.1"
  }
]
```
Get IP Malware
Description
Query X-Force for the malware associated with an IP address.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Threshold | string | N/A | Threshold must be an integer (example: 3). |
Use cases
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
Entities are marked as suspicious if malware_count, the number of malware records X-Force associates with the IP, is greater than 0. Note that this decision depends on malware_count, not on the Threshold parameter.
| Enrichment Field Name | Logic - When to apply |
|---|---|
| malware | Returns if it exists in JSON result |
Insights
If malware_count > 0, a warning Insight is added stating that the entity is associated with malware, and the entity is marked as suspicious.
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_malware | True/False | is_malware:False |
JSON Result
```json
[
  {
    "EntityResult": {
      "malware": [
        {
          "count": 13,
          "origin": "CnC",
          "domain": "l33t-milf.info",
          "last": "2016-10-29T06:31:00Z",
          "family": ["kasidet"],
          "filepath": "dom/tasks.php",
          "ip": "0x00000000000000000000ffff08080808",
          "uri": "http://example.com/dom/tasks.php",
          "first": "2016-10-29T06:31:00Z",
          "host": "dom",
          "lastseen": "2016-10-29T06:31:00Z",
          "md5": "4C10F74CE20328B7CC4207245BC9D725",
          "type": "CnC",
          "firstseen": "2016-10-29T06:31:00Z",
          "schema": "http"
        }
      ]
    },
    "Entity": "1.1.1.1"
  }
]
```
Get URL Info
Description
Query X-Force for URL information.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Threshold | string | N/A | Threshold must be an integer (example: 3). |
Use cases
N/A
Run On
This action runs on the URL entity.
Action Results
Entity Enrichment
Entities are marked as suspicious if the URL's X-Force score exceeds the threshold; otherwise they are not marked.
| Enrichment Field Name | Logic - When to apply |
|---|---|
| associated | Returns if it exists in JSON result |
| result | Returns if it exists in JSON result |
| tags | Returns if it exists in JSON result |
Insights
If the X-Force score exceeds the threshold, a warning Insight is added and the entity is marked as suspicious.
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_risk | True/False | is_risk:False |
JSON Result
```json
[
  {
    "EntityResult": {
      "associated": [
        {
          "url": "markossolomon.com",
          "cats": {},
          "score": null,
          "categoryDescriptions": {}
        }
      ],
      "result": {
        "url": "markossolomon.com/f1q7qx.php",
        "cats": {"Botnet Command and Control Server": true},
        "score": 10,
        "categoryDescriptions": {
          "Botnet Command and Control Server": "This category contains Web sites or domains that host a botnet command and control server."
        }
      },
      "tags": []
    },
    "Entity": "HTTP://MARKOSSOLOMON.COM/F1Q7QX.PHP"
  }
]
```
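The decision rules stated for Get Hash Info, Get IP Info, Get IP Malware and Get URL Info above, applied to trimmed copies of the sample JSON results on this page. This is an added Python illustration, not the integration's own code: the ordering of the low/medium/high levels, the inclusive comparison for the categorical hash threshold, and the handling of a null URL score are assumptions of the example, while the numeric rules follow the page's wording ("exceeds") literally.

```python
"""Decision rules for X-Force enrichment results in Google SecOps.

Added illustration, not the integration's own code: it applies the
threshold logic stated in the action descriptions on this page to trimmed
copies of the page's sample JSON results.
"""
from typing import Any, Dict

# Assumed ordering of the categorical risk levels accepted by Get Hash Info.
RISK_LEVELS: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


def parse_int_threshold(threshold: Any) -> int:
    """Get IP Info and Get URL Info require an integer threshold (example: 3)."""
    try:
        return int(str(threshold).strip())
    except (TypeError, ValueError):
        raise ValueError(f"Threshold must be an integer, got {threshold!r}")


def hash_is_risk(entity_result: Dict[str, Any], threshold: str) -> bool:
    """Get Hash Info: flag the hash when its X-Force risk level reaches the threshold.

    The page says "exceeds"; with only three levels a strict comparison would make
    a threshold of "high" unreachable, so the comparison here is inclusive. That
    choice is an assumption of this example, not documented behaviour.
    """
    wanted = str(threshold).strip().lower()
    if wanted not in RISK_LEVELS:
        raise ValueError("Threshold must be one of: low, medium, high")
    level = str((entity_result.get("malware") or {}).get("risk", "")).lower()
    return RISK_LEVELS.get(level, 0) >= RISK_LEVELS[wanted]


def ip_is_risky(entity_result: Dict[str, Any], threshold: str) -> bool:
    """Get IP Info: suspicious when the IP's X-Force score exceeds the threshold."""
    limit = parse_int_threshold(threshold)
    score = entity_result.get("score")
    return score is not None and score > limit


def ip_has_malware(entity_result: Dict[str, Any]) -> bool:
    """Get IP Malware: suspicious when malware_count (associated records) is > 0."""
    return len(entity_result.get("malware") or []) > 0


def url_is_risk(entity_result: Dict[str, Any], threshold: str) -> bool:
    """Get URL Info: suspicious when the queried URL's own score exceeds the threshold.

    Entries under "associated" can carry a null score (see the sample above);
    only the "result" block, which describes the queried URL itself, is scored.
    A null score is treated as not risky (assumption of this example).
    """
    limit = parse_int_threshold(threshold)
    score = (entity_result.get("result") or {}).get("score")
    return score is not None and score > limit


# Constructed inputs: trimmed from the sample JSON results on this page.
HASH_RESULT = {
    "malware": {"md5": "0x474B9CCF5AB9D72CA8A333889BBB34F0", "family": ["tsunami"], "risk": "high"},
    "tags": [],
}
IP_RESULT = {"ip": "1.1.1.1", "score": 1, "reason": "DNS heuristics", "cats": {"Dynamic IPs": 71}}
IP_MALWARE_RESULT = {
    "malware": [{"count": 13, "origin": "CnC", "family": ["kasidet"], "md5": "4C10F74CE20328B7CC4207245BC9D725"}]
}
URL_RESULT = {
    "associated": [{"url": "markossolomon.com", "score": None}],
    "result": {"url": "markossolomon.com/f1q7qx.php", "score": 10, "cats": {"Botnet Command and Control Server": True}},
    "tags": [],
}


def evaluate_samples(numeric_threshold: str = "3", hash_threshold: str = "medium") -> Dict[str, bool]:
    """Run every rule over the page's samples; keys mirror the script result names."""
    return {
        "is_risk_hash": hash_is_risk(HASH_RESULT, hash_threshold),
        "is_risky": ip_is_risky(IP_RESULT, numeric_threshold),
        "is_malware": ip_has_malware(IP_MALWARE_RESULT),
        "is_risk_url": url_is_risk(URL_RESULT, numeric_threshold),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {verdict}")
```

With the page's samples and a threshold of 3, the IP (score 1) is not flagged while the URL (score 10) is, the hash is flagged at any threshold because its risk is "high", and the IP with one associated malware record is flagged regardless of the threshold, matching the note that Get IP Malware keys its decision on malware_count alone.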
Ping
Description
Test connectivity to X-Force with the configured API key/password pair.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_connected | True/False | is_connected:False |
JSON Result
N/A