IntSights
Integration version: 20.0
Configure IntSights integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Actions
Add Note
Description
Add a note to the alert in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | String | N/A | Yes | Specify the ID of the alert to which you want to add a note. |
| Note | String | N/A | Yes | Specify the note for the alert. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution. If successful (is_success=true): "Successfully add a note to the alert with ID '{0}' in Intsights".format(alert_id). The action should fail and stop a playbook execution. If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Add Note". Reason: {0}".format(error.Stacktrace). If the 404 status code is reported: "Error executing action "Add Note". Reason: alert with ID {alert_id} was not found in IntSights." | General |
Ask An Analyst
Description
Ask an analyst regarding the alert in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | String | N/A | Yes | Specify the ID of the alert where you want to ask the analyst. |
| Comment | String | N/A | Yes | Specify the comment for the analyst. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution. If successful: "Successfully asked analyst in the alert with ID '{0}' in Intsights".format(alert_id). If the 400 or 500 status code is reported: "Action was not able to ask the analyst in the alert with ID {0} in Intsights. Reason: {1}.".format(alert_id, response_string). The action should fail and stop a playbook execution. If a fatal error, like wrong credentials, no connection to server, or other is reported: "Error executing action "Ask an Analyst". Reason: {0}".format(error.Stacktrace) | General |
Assign Alert
Description
Assign alert to an analyst in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | String | N/A | Yes | Specify the ID of the alert on which you want to change the assignment. |
| Assignee ID | String | N/A | No | Specify the ID of the analyst that should be assigned to the alert. Note: If both "Assignee ID" and "Assignee Email Address" are specified, the action will prioritize "Assignee ID". |
| Assignee Email Address | String | N/A | No | Specify the email address of the analyst that should be assigned to the alert. Note: If both "Assignee ID" and "Assignee Email Address" are specified, the action will prioritize "Assignee ID". |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution. If successful with assignee ID: "Successfully assigned analyst with ID '{0}' to the alert with ID {1} in Intsights".format(assignee_id, alert_id). If successful with assignee email address: "Successfully assigned analyst with email address '{0}' to the alert with ID {1} in Intsights".format(assignee_email_address, alert_id). If the assignee is not found (status code 400) and the action worked with an assignee ID: "Action was not able to change the assignment on the alert with ID {0}. Reason: Assignee with ID {1} was not found.".format(alert_id, assignee_id). If the 400 or 500 status code is reported: "Action was not able to change the assignment on the alert with ID {0}. Reason: {1}.".format(alert_id, response). The action should fail and stop a playbook execution. If a fatal error, like wrong credentials, no connection to server, or other is reported: "Error executing action "Assign Alert". Reason: {0}".format(error.Stacktrace). If neither the "Assignee ID" nor the "Assignee Email Address" parameter is specified: "Assignee ID or Email Address should be specified." | General |
Close Alert
Description
Close alert in IntSights.
Parameters
Problem Solved
Possible Values:
- Problem Solved
- Informational Only
- Problem We Are Aware Of
- Company Owned Domain
- Legitimate Application/Profile
- Not Related To My Company
- False Positive
- Other
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution. If successful: "Successfully closed the alert with ID '{0}' in Intsights".format(alert_id). If the 400 status code is reported: "Action was not able to close the alert with ID {0} in Intsights. Reason: {1}.".format(alert_id, response_string). The action should fail and stop a playbook execution. If a fatal error, like wrong credentials, no connection to server, or other is reported: "Error executing action "Close Alert". Reason: {0}".format(error.Stacktrace). If the "Rate" parameter is not in the 1-5 range: "Rate value should be in range from 1 to 5." | General |
Download Alert CSV
Description
Download CSV file containing information related to alert in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | String | N/A | Yes | Specify the ID of the alert for which you want to download the CSV. |
| Download Folder Path | String | N/A | Yes | Specify the path to the folder where you want to store the CSV file. |
| Overwrite | Checkbox | N/A | No | If enabled, the action will overwrite an existing file with the same name. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
```json
{
  "absolute_paths": [
    "/opt/file_1"
  ]
}
```
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution. If successful for at least one CSV (is_success=true): "Successfully downloaded CSV for the alert with ID {0} in Intsights:".format(alert_id). If the 400 status code is reported (is_success=true): "No CSV information was found for the alert with ID {alert_id} in Intsights." The action should fail and stop a playbook execution. If a fatal error, like wrong credentials, no connection to server, or other is reported: "Error executing action "Download Alert CSV". Reason: {0}".format(error.Stacktrace). If a file with the same name already exists, but "Overwrite" is set to false: "Error executing action "Download Alert CSV". Reason: file with path {0} already exists. Please delete the file or set "Overwrite" to true." If the 404 status code is reported: "Error executing action "Download Alert CSV". Reason: Unable to find alert with ID {ID}" | General |
Get Alert Image
Description
Retrieve information about alert images in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert Image IDs | CSV | N/A | Yes | Specify a comma-separated list of alert image IDs. Example: id1,id2. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
```json
[
  {
    "image_name": "5b59daf4bdafd90xxxxxx",
    "image_base64_content": "image content in base64"
  }
]
```
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution. If successful for at least one image: "Successfully retrieved images from the following IDs in Intsights:".format(list_of_ids). If not successful for at least one image: "Action wasn't able to successfully retrieve images from the following IDs in Intsights:\n".format(list_of_ids). If not successful for all images: "No images were retrieved". The action should fail and stop a playbook execution. If a fatal error, like wrong credentials, no connection to server, or other is reported: "Error executing action "Get Alert Image". Reason: {0}".format(error.Stacktrace) | General |
Ping
Description
Check connectivity.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the URL entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Reopen Alert
Description
Reopen alert in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | String | N/A | Yes | Specify the ID of the alert which you want to reopen. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution. If successful: "Successfully reopened the alert with ID '{0}' in Intsights".format(alert_id). If the 400 status code is reported: "Action was not able to reopen the alert with ID {0} in Intsights. Reason: {1}.".format(alert_id, response_string). The action should fail and stop a playbook execution. If a fatal error, like wrong credentials, no connection to server, or other is reported: "Error executing action "Reopen Alert". Reason: {0}".format(error.Stacktrace) | General |
Search IOCs
Description
Organize and search all your IOCs within a single, easy-to-use dashboard. The centralized TIP dashboard summarizes IOCs by severity and confidence level, so you can easily understand which malicious IOCs pose the greatest risk to your organization.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
```json
[{
  "EntityResult": {
    "Status": "Active",
    "Domain": "sephoratv.com",
    "Severity": {
      "Status": "done",
      "LastUpdate": "2019-01-20T04:32:58.833Z",
      "Features": [
        {"Score": 10, "Name": "base_intsights_multiple", "Match": 1},
        {"Score": 0, "Name": "domain_associated_malware_names", "Match": 0},
        {"Score": 0, "Name": "domain_associated_malware_ip_addresses", "Match": 1}
      ],
      "LastUpdateMessage": "",
      "Value": "Low",
      "Score": 20
    },
    "SourceID": "59e376681bb0800644e1368f",
    "Value": "sephoratv.com",
    "Flags": {"IsInAlexa": false},
    "LastSeen": "2019-01-20T04:24:27.258Z",
    "_id": "5c43f80483df230007485c48",
    "Type": "Domains",
    "Enrichment": {
      "Status": "done",
      "LastUpdate": "2019-01-20T04:32:58.613Z",
      "Data": {
        "domain_status_blocked": false,
        "latest_resolution_date": "2019-01-20T04:27:22.299Z",
        "associated_malware_ip_addresses": ["185.16.44.132"],
        "contact_emails": [],
        "referencing_file_hashes": [],
        "malware_category": [],
        "mail_servers": ["a.mx.domainoo.fr."],
        "associated_malware_names": [],
        "threat_actor_category": [],
        "campaigns": [],
        "associated_malware_families": [],
        "resolved_ips": ["185.16.44.132"],
        "cve_ids": [],
        "downloaded_file_hashes": [],
        "domain_expired": false,
        "communicating_file_hashes": ["210c2ddbf747220df645fc4d77e7decd1be7df27e43b2f79e4b45bd5fe0a2a6e"],
        "name_servers": ["a.ns.domainoo.fr.", "b.ns.domainoo.fr.", "c.ns.domainoo.fr."],
        "registrar": "N/A",
        "threat_actors": []
      }
    },
    "FirstSeen": "2019-01-20T04:24:27.258Z",
    "AccountID": null
  },
  "Entity": "sephoratv.com"
}]
```
Entity Enrichment
| Enrichment Field Name | Logic - When to apply | 
|---|---|
| Status | Returns if it exists in JSON result | 
| Domain | Returns if it exists in JSON result | 
| Severity | Returns if it exists in JSON result | 
| SourceID | Returns if it exists in JSON result | 
| Value | Returns if it exists in JSON result | 
| Flags | Returns if it exists in JSON result | 
| LastSeen | Returns if it exists in JSON result | 
| _id | Returns if it exists in JSON result | 
| Type | Returns if it exists in JSON result | 
| Enrichment | Returns if it exists in JSON result | 
| FirstSeen | Returns if it exists in JSON result | 
| AccountID | Returns if it exists in JSON result | 
Insights
Yes
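The enrichment table above says each field is returned only if it exists in the JSON result. The following is an added example (not the integration's own code) of that logic: it flattens one Search IOCs EntityResult into prefixed enrichment fields, skipping absent keys, so nested values such as Severity.Value and Enrichment.Data fit a flat entity table. The sample record is constructed from the JSON Result shown on this page, and the `IntSights_` prefix is an assumption.

```python
import json

# Fields from the enrichment table above; each is emitted only if present.
ENRICHMENT_FIELDS = [
    "Status", "Domain", "Severity", "SourceID", "Value", "Flags",
    "LastSeen", "_id", "Type", "Enrichment", "FirstSeen", "AccountID",
]

# Constructed sample, trimmed from the JSON Result shown on this page.
SAMPLE_RESULT = json.loads("""[{"EntityResult": {"Status": "Active",
 "Domain": "sephoratv.com", "SourceID": "59e376681bb0800644e1368f",
 "Severity": {"Status": "done", "Value": "Low", "Score": 20,
   "Features": [{"Score": 10, "Name": "base_intsights_multiple", "Match": 1}]},
 "Value": "sephoratv.com", "Flags": {"IsInAlexa": false},
 "LastSeen": "2019-01-20T04:24:27.258Z", "_id": "5c43f80483df230007485c48",
 "Type": "Domains", "Enrichment": {"Status": "done",
   "Data": {"resolved_ips": ["185.16.44.132"], "cve_ids": []}},
 "FirstSeen": "2019-01-20T04:24:27.258Z", "AccountID": null},
 "Entity": "sephoratv.com"}]""")


def flatten(prefix, value):
    """Flatten nested dicts/lists into prefix_key names for a flat enrichment table."""
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            out.update(flatten(f"{prefix}_{key}", item))
        return out
    if isinstance(value, list):
        # Lists of scalars are joined into one string; lists of objects are indexed.
        if all(not isinstance(item, (dict, list)) for item in value):
            return {prefix: ", ".join(str(item) for item in value)}
        out = {}
        for idx, item in enumerate(value):
            out.update(flatten(f"{prefix}_{idx}", item))
        return out
    return {prefix: value}


def enrich_entities(results, prefix="IntSights"):
    """Return {entity: {field: value}} holding only the fields present per EntityResult."""
    enriched = {}
    for item in results:
        entity_result = item.get("EntityResult") or {}
        fields = {}
        for name in ENRICHMENT_FIELDS:
            if name in entity_result:  # "Returns if it exists in JSON result"
                fields.update(flatten(f"{prefix}_{name}", entity_result[name]))
        enriched[item.get("Entity")] = fields
    return enriched
```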
Connectors
Intsights Connector
Description
Fetches issues from Intsights to Google SecOps.
Configure Intsights Connector in Google SecOps
For detailed instructions on how to configure a connector in Google SecOps, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Name | Type | Default Value | Description |
|---|---|---|---|
| DeviceProductField | String | Details_Source_NetworkType | The field name used to determine the device product. |
| EventClassId | String | Details_Title | The field name used to determine the event name (sub-type). |
| PythonProcessTimeout | String | 60 | The timeout limit (in seconds) for the python process running the current script. |
| Api Root | String | https://api.intsights.com | The API root of the Intsights server. |
| Account ID | String | N/A | The account ID to login with. |
| Api Key | Password | N/A | The API key to login with. |
| Verify SSL | Checkbox | Unchecked | Whether to verify the SSL certificate of the server. |
| Max Days Backwards | Integer | 3 | Max number of days backwards to pull alerts from. |
| Max Alerts Per Cycle | Integer | 10 | Max number of alerts to fetch per single connector cycle. |
| Proxy Server Address | String | N/A | The address of the proxy server to use. |
| Proxy Username | String | N/A | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | The proxy password to authenticate with. |
Connector Rules
Proxy Support
The connector supports proxy.
Whitelist/Blacklist
The connector supports Whitelist/Blacklist rules.