Fetch Indicators

Updated 1 week ago by Elvis Hovor

Description

In the TruSTAR App for Demisto, this command fetches all Indicators in the Phishing Vetting Indicators Enclave that fit the criteria specified in the command.

This command is only available if you have the Phishing Triage feature enabled in TruSTAR.

Format

trustar-get-phishing-indicators

Example

!trustar-get-phishing-indicators from_time="7 days ago"

Inputs

| Argument | Description | Required |
|---|---|---|
| normalized_indicator_score | Normalized Indicator score to use in selecting Indicators for the return output. Legal values are -1, 0, 1, 2, 3. You can specify multiple values by separating the values with commas. The default is to return items with any legal value. | No |
| priority_event_score | Priority event score of the email submission. Only emails with the specified scores will be returned. Legal values are -1, 0, 1, 2, 3. You can specify multiple values by separating the values with commas. The default is to return items with any legal value. | No |
| from_time | Start of time window. Legal formats are ISO 8601 (YYYY-MM-DD HH:MM:SS) and relative time LAST <##> <time period>, where an example is LAST 1 MONTH. Default is the last 24 hours. | No |
| to_time | End of time window. Legal formats are ISO 8601 (YYYY-MM-DD HH:MM:SS) and relative time LAST <##> <time period>, where an example is LAST 1 MONTH. Default is the current time. | No |
| status | Intel Reports that match the specified status. Legal values are UNRESOLVED, CONFIRMED, and IGNORED. You can specify more than one value by separating the values using commas. The default is to return items with any legal value. | No |

Output

If no input arguments are specified, this command returns the most recent 1000 Indicators found in the Phishing Vetted Indicators Enclave. Otherwise, it returns up to 1000 of the Indicators that match the conditions set by the input arguments. The output is returned in the format below.

| Path | Type | Description |
|---|---|---|
| TruSTAR.PhishingIndicator.indicatorType | string | Indicator Type |
| TruSTAR.PhishingIndicator.normalizedIndicatorScore | number | Indicator normalized score |
| TruSTAR.PhishingIndicator.originalIndicatorScore.name | string | Indicator original score name |
| TruSTAR.PhishingIndicator.originalIndicatorScore.value | string | Indicator original score value |
| TruSTAR.PhishingIndicator.sourceKey | string | Indicator source key |
| TruSTAR.PhishingIndicator.value | string | Indicator value |
| File.Name | string | The full file name. |
| <Indicator> | string | Supported Indicators |
| DBotScore.Indicator | string | The indicator we tested |
| DBotScore.Type | string | The type of the Indicator. See Supported Indicators. |
| DBotScore.Vendor | string | Vendor used to calculate the score |
| DBotScore.Score | number | The actual score |
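An added example (not TruSTAR or Demisto code) of post-processing the output described above: it groups indicator values by type for chosen normalized scores and flags a result set that reached the 1000-item cap, since "up to 1000" means further matches may exist. It assumes the entries under TruSTAR.PhishingIndicator arrive as a list of dicts keyed by the documented field names; the function name, sample values and type names are constructed.

```python
from collections import defaultdict

MAX_RESULTS = 1000               # cap stated in the Output section
LEGAL_SCORES = {-1, 0, 1, 2, 3}  # legal normalized_indicator_score values

# Constructed sample entries (assumed shape of TruSTAR.PhishingIndicator).
SAMPLE = [
    {"indicatorType": "URL", "normalizedIndicatorScore": 3,
     "value": "http://a.example/login", "sourceKey": "constructed_source"},
    {"indicatorType": "URL", "normalizedIndicatorScore": 0,
     "value": "http://b.example/"},
    {"indicatorType": "EMAIL_ADDRESS", "normalizedIndicatorScore": 3,
     "value": "billing@a.example"},
    {"indicatorType": "URL", "normalizedIndicatorScore": 3,
     "value": "http://a.example/login"},          # duplicate value
    {"indicatorType": "IP", "value": "192.0.2.10"},  # score missing
]


def summarize(entries, keep_scores=frozenset(LEGAL_SCORES)):
    """Group indicator values by type for the wanted normalized scores.

    Hypothetical helper. Returns (by_type, possibly_truncated, skipped).
    """
    bad = set(keep_scores) - LEGAL_SCORES
    if bad:
        raise ValueError(f"illegal score(s): {sorted(bad)}")
    by_type, skipped = defaultdict(set), 0
    for e in entries:
        score = e.get("normalizedIndicatorScore")
        itype, value = e.get("indicatorType"), e.get("value")
        # Skip malformed entries rather than guessing a score or type.
        if (not isinstance(score, (int, float)) or score not in LEGAL_SCORES
                or not itype or not value):
            skipped += 1
            continue
        if score in keep_scores:
            by_type[itype].add(value)  # the set de-duplicates repeated values
    # A full page may hide further matches: narrow the from_time/to_time
    # window and re-run before treating the result as complete.
    possibly_truncated = len(entries) >= MAX_RESULTS
    grouped = {t: sorted(v) for t, v in by_type.items()}
    return grouped, possibly_truncated, skipped


if __name__ == "__main__":
    print(summarize(SAMPLE, {3}))
```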

