To learn more, visit the Intezer documentation.
Parameters
| Parameter | Description |
|---|---|
| Alert IDs | Comma-separated list of alert IDs to search for. |
| Environments | Comma-separated list of environments to search in. |
Example Output
{ "result": { "alert_count": 1, "alerts": [ { "alert_id": "ed638299999999862495_-1864999299", "intezer_alert_url": "https://analyze.intezer.com/alerts/ed638299999999862495_-1864999299", "note": "π¦ Intezer Automated Triage𧨠\n===================================\n Confirmed Threat - Generic Threat - CoinMiner\n===================================\nRecommended actions: Kill, Quarantine\nTTPs: Defense Evasion, Execution\nIOCs: 2 indicators\n\nView alert: π https://analyze.intezer.com/alerts/ed638299999999862495_-1864999299", "alert": { "alert_id": "ed638299999999862495_-1864999299", "creation_time": "2023-06-28T07:06:38.228013", "creation_time_display": "28 Jun 23 | 06:38 UTC", "alert_title": "MyThreatName.exe", "severity": "high", "severity_display": "High", "alert_url": "https://falcon.crowdstrike.com/activity/detections/detail/9999c9999af9999d84d999c2ee7131bb/999994989665", "descriptions": [ "This file meets the File Analysis ML algorithm's low-confidence threshold for malware." ], "external_account_name": "MyAccountName", "site_name": "MySiteName", "is_mitigated": false, "mitigation_status_display": "Not Mitigated", "device": { "id": "9999c9999af9999d84d999c2ee7131bb", "hostname": "MyHostName", "os_type": "windows", "os_name": "Windows 10" } }, "triage_result": { "alert_verdict": "confirmed_threat", "alert_verdict_display": "Confirmed Threat", "risk_level": "high", "risk_level_display": "High", "risk_category": "generic_threat", "risk_category_display": "Generic Threat", "families": { "family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9", "family_name": "HopperTick" }, "threat_name": "MyThreatName.exe", "risk_score": 20, "ttps": [ { "tactic_id": "TA0002", "technique": "Command and Scripting Interpreter: Unix Shell", "technique_id": "T1059.004", "source": "analysis", "tactic": "Execution" } ] }, "alert_sub_types": [ "file_based" ], "raw_alert": {}, "sender": "cs", "scans": [ { "is_main_analysis": true, "file_analysis": { "family_id": 
"0b13c0d4-7779-4c06-98fa-4d33ca98f8a9", "sha256": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356", "ttps": [ { "tactic_id": "TA0002", "technique": "Command and Scripting Interpreter: Unix Shell", "technique_id": "T1059.004", "tactic": "Execution" } ], "file_name": "MyFileName.exe", "verdict": "malicious", "sub_verdict": "malicious", "iocs": { "files": [ { "path": "/path/to/MyFileName.exe", "sha256": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356", "verdict": "malicious", "family": null, "type": "main_file" } ], "network": [ { "source": [ "Network communication" ], "ioc": "10.0.0.1", "type": "ip" } ] }, "analysis_time": "2022-05-28T07:09:58", "analysis_url": "https://analyze.intezer.com/analyses/0833e33b-2dcd-4d48-a853-8b4822675911", "family_name": "Emotet", "analysis_id": "0833e33b-2dcd-4d48-a853-8b4822675911" }, "collection_status": "collected", "scan_type": "file" } ], "response": { "automated_response_actions": [ { "action_name": "Endpoint scan performed", "action_key": "endpoint_scan_performed", "status": "suggested" } ], "user_recommended_actions": [ { "action_name": "Kill Process (RTR)", "action_key": "kill_process" } ], "user_recommended_actions_display": "Kill Process (RTR)", "iocs": { "files": [ { "path": "/path/to/MyFileName.exe", "sha256": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356", "verdict": "malicious", "family": null, "type": "main_file" } ], "network": [ { "ioc": "10.0.0.1", "source": [ "Network communication" ], "type": "ip" } ] }, "status": "follow_up_required", "status_display": "Follow Up Required" }, "source": "cs", "source_display": "CrowdStrike", "source_type": "edr" } ] }}