Jask (Deprecated)
This Integration is part of the Jask (Deprecated) Pack.
Deprecated. Use the Sumo Logic Cloud SIEM integration instead. For further details about the migration, see the Sumo Logic SIEM integration documentation.
Overview
Use the JASK integration to manage entities, signals, and insights.
Configure the JASK Integration on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for JASK.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Fetch incidents
- Incident type
- Use system proxy settings
- Override default fetch query
- Click Test to validate the URLs and token
Fetched Incidents Data
The integration fetches insights. The first fetch returns insights from the previous 24-hour period. By default, each fetch returns all insights whose status is new or in-progress; the default query is workflow_status:(new OR inprogress). You can change this query in the Override default fetch query parameter, for example to exclude in-progress insights that are already being worked in another tool.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get details for an insight: jask-get-insight-details
- Get comments for an insight: jask-get-insight-comments
- Get details for a signal: jask-get-signal-details
- Get details for an entity: jask-get-entity-details
- Get related entities: jask-get-related-entities
- Get a list of entities on allow list: jask-get-whitelisted-entities
- Search JASK insights: jask-search-insights
- Search JASK signals: jask-search-signals
- Search JASK entities: jask-search-entities
1. Get details for an insight
Note: This command is deprecated. Use the `sumologic-sec-insight-get-details` command in the Sumo Logic SIEM integration. For further details, see the Sumo Logic SIEM integration documentation.
Returns detailed information for a specified insight.
Base Command
jask-get-insight-details
Input
Parameter | Description |
---|---|
insight-id | The insight to retrieve details for |
Context Output
Path | Description |
---|---|
Jask.Insight.Id | Insight ID |
Jask.Insight.Name | Insight name |
Jask.Insight.Action | Insight action |
Jask.Insight.Entity | The main entity related to the insight |
Jask.Insight.AssignedTo | Who the insight was assigned to |
Jask.Insight.Description | Insight description |
Jask.Insight.IpAddress | Insight IP address |
Jask.Insight.LastUpdated | The time the insight was last updated |
Jask.Insight.LastUpdatedBy | The last person to update the insight |
Jask.Insight.Severity | Insight severity |
Jask.Insight.InsightTime | The time of the insight |
Jask.Insight.WorkflowStatus | Insight status |
Jask.Insight.RelatedEntityList.Id | The ID of the related entity |
Jask.Insight.RelatedEntityList.EntityType | Related entity type |
Jask.Insight.RelatedEntityList.Hostname | The hostname of the related entity |
Jask.Insight.SignalList.Id | Signal ID |
Jask.Insight.SignalList.Name | Signal name |
Jask.Insight.SignalList.Category | Signal category |
Jask.Insight.SignalList.SourceType | The source of the signal |
Jask.Insight.SignalListMetadata.Patterns.Count | Number of signals of the category pattern |
Jask.Insight.SignalListMetadata.Anomalies.Count | Number of signals of the category anomaly |
Jask.Insight.SignalListMetadata.ThreatIntel.Count | Number of signals of the category threat intelligence |
Jask.Insight.RelatedEntityList.IpAddress | IP address of the related entity |
Jask.Insight.RelatedEntityList.IsWhitelisted | Whether or not the entity is on allow list |
Jask.Insight.RelatedEntityList.RiskScore | The risk score of the related entity |
Jask.Insight.RelatedEntityList.Source | The source of the related entity |
Command Example
!jask-get-insight-details insight-id="7ead8dc9-d541-3484-9320-ea593729e7cc"
Context Example
{ "Jask": { "Insight": { "SignalListMetadata": { "Patterns": { "Count": 4 }, "ThreatIntel": { "Count": 0 }, "Anomalies": { "Count": 0 } }, "WorkflowStatus": "new", "Description": "Exfiltration, C2 Risk Score: 14", "IpAddress": "104.236.54.196", "Severity": 2, "RelatedEntityList": [], "LastUpdated": "2018-07-13T05:17:55.620330", "EntityDetails": { "EntityType": "ip", "Name": "104.236.54.196", "RiskScore": 9, "Hostname": "Unknown", "Source": "discovery", "LastSeen": "Sun, 05 Aug 2018 10:00:56 GMT", "PrimaryEntityType": null, "IpAddress": "104.236.54.196", "Id": "7ead8dc9-d541-3484-9320-ea593729e7cc", "FirstSeen": "Wed, 14 Feb 2018 19:54:31 GMT" }, "InsightTime": "2018-07-11T18:59:12", "Id": "7ead8dc9-d541-3484-9320-ea593729e7cc", "SignalList": [ { "Category": "Exfiltration", "Name": "Hexadecimal in DNS Query Domain", "Timestamp": "2018-07-11T19:06:14", "ThreatIndicators": [ { "Value": "analytics-9dd8570e3fd957ce828c34761a8e98b8.xyz", "IndicatorType": "hostname" } ], "Score": "2", "Description": "Encoding in hexadecimal is a way that attackers can bypass network security devices that are inspecting traffic. While hexadecimal often appears in subdomains, it much less frequent in domains.", "Id": "b7f76616-f27b-5c18-b503-2d3dbab1bb96", "SourceType": "rule" }, { "Category": "C2", "Name": "TeslaCrypt Ransomware Domain", "Timestamp": "2018-07-11T19:51:16", "ThreatIndicators": [ { "Value": "o4dm3.leaama.at", "IndicatorType": "hostname" } ], "Score": "6", "Description": "TeslaCrypt is a ransomware that encrypts documents, databases, code, bitcoin wallets and more. This rule looks for DNS queries that include domains known to be associated with TeslaCrypt.", "Id": "67b2ba91-9c32-5ffb-9587-873ef68f7899", "SourceType": "rule" }, { "Category": "C2", "Name": "TeslaCrypt Ransomware Domain", "Timestamp": "2018-07-11T19:51:17", "ThreatIndicators": [ { "Value": "kbv5s.kylepasse.at", "IndicatorType": "hostname" } ], "Score": "6", "Description": "TeslaCrypt is a ransomware that encrypts documents, databases, code, bitcoin wallets and more. This rule looks for DNS queries that include domains known to be associated with TeslaCrypt.", "Id": "26fc053b-ad5f-5f39-8e48-12feb39b77d2", "SourceType": "rule" }, { "Category": "C2", "Name": "TorrentLocker Ransomware Domain", "Timestamp": "2018-07-11T19:51:19", "ThreatIndicators": [ { "Value": "mz7oyb3v32vshcvk.tormidle.at", "IndicatorType": "hostname" } ], "Score": "6", "Description": "TorrentLocker is a ransomware that encrypts documents, databases, code, bitcoin wallets and more. This rule looks for DNS queries that include domains known to be associated with TorrentLocker.", "Id": "7ed97e33-73fd-599c-9c55-6c89aa0e7bf3", "SourceType": "rule" } ], "Name": "Possible Malware - Ransomware (TeslaCrypt) and Data Exfiltration" } } }
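The Jask.Insight context above is what a playbook usually has to act on: pull the threat indicators out of every signal for enrichment or blocking, check that the server-side SignalListMetadata counts agree with the signals actually returned (a mismatch means the list was truncated and "no threat-intel signals" is not a safe conclusion), and decide whether to escalate. The following is an added example, not code from the Jask integration or the Sumo Logic pack. It works on the plain dict that lands in the War Room context; inside an XSOAR automation you would read that dict with demisto.context() instead of the constructed sample, which is a trimmed copy of the context example above. The mapping of SourceType "rule" to the Patterns bucket is taken from that example (four rule signals, Patterns.Count 4); mapping "anomaly" and "threatintel" to the other two buckets, and the escalation thresholds, are this example's assumptions.

```python
"""Triage helper for the Jask.Insight context written by jask-get-insight-details.

Added example, not integration code. Operates on the context dict; in XSOAR use
demisto.context().get("Jask", {}).get("Insight") instead of SAMPLE_INSIGHT.
"""
from collections import Counter

# Constructed sample: a trimmed copy of the page's context example.
SAMPLE_INSIGHT = {
    "Id": "7ead8dc9-d541-3484-9320-ea593729e7cc",
    "Name": "Possible Malware - Ransomware (TeslaCrypt) and Data Exfiltration",
    "Severity": 2,
    "WorkflowStatus": "new",
    "IpAddress": "104.236.54.196",
    "SignalListMetadata": {
        "Patterns": {"Count": 4}, "Anomalies": {"Count": 0}, "ThreatIntel": {"Count": 0},
    },
    "SignalList": [
        {"Id": "b7f76616-f27b-5c18-b503-2d3dbab1bb96", "Category": "Exfiltration",
         "Name": "Hexadecimal in DNS Query Domain", "Score": "2", "SourceType": "rule",
         "ThreatIndicators": [{"Value": "analytics-9dd8570e3fd957ce828c34761a8e98b8.xyz",
                               "IndicatorType": "hostname"}]},
        {"Id": "67b2ba91-9c32-5ffb-9587-873ef68f7899", "Category": "C2",
         "Name": "TeslaCrypt Ransomware Domain", "Score": "6", "SourceType": "rule",
         "ThreatIndicators": [{"Value": "o4dm3.leaama.at", "IndicatorType": "hostname"}]},
        {"Id": "26fc053b-ad5f-5f39-8e48-12feb39b77d2", "Category": "C2",
         "Name": "TeslaCrypt Ransomware Domain", "Score": "6", "SourceType": "rule",
         "ThreatIndicators": [{"Value": "kbv5s.kylepasse.at", "IndicatorType": "hostname"}]},
        {"Id": "7ed97e33-73fd-599c-9c55-6c89aa0e7bf3", "Category": "C2",
         "Name": "TorrentLocker Ransomware Domain", "Score": "6", "SourceType": "rule",
         "ThreatIndicators": [{"Value": "mz7oyb3v32vshcvk.tormidle.at", "IndicatorType": "hostname"}]},
    ],
}

# Assumption: SourceType -> SignalListMetadata bucket. Only rule->Patterns is shown
# on the page; the other two mirror the values accepted by jask-search-signals' source.
SOURCE_TO_BUCKET = {"rule": "Patterns", "anomaly": "Anomalies", "threatintel": "ThreatIntel"}


def extract_indicators(insight):
    """Unique (IndicatorType, Value) pairs in first-seen order, tagged with the
    names of the signals that produced them, so an analyst can see why a
    hostname is being enriched or blocked."""
    seen = {}
    for signal in insight.get("SignalList", []):
        for ind in signal.get("ThreatIndicators", []):
            key = (ind.get("IndicatorType"), ind.get("Value"))
            seen.setdefault(key, []).append(signal.get("Name"))
    return [{"type": t, "value": v, "signals": names} for (t, v), names in seen.items()]


def count_by_bucket(insight):
    """Count the returned signals per SignalListMetadata bucket."""
    counts = Counter()
    for signal in insight.get("SignalList", []):
        counts[SOURCE_TO_BUCKET.get(signal.get("SourceType"), "Unknown")] += 1
    return counts


def metadata_consistent(insight):
    """True when the server-reported counts match the signals actually returned.
    A mismatch usually means the signal list was truncated."""
    reported = {k: v.get("Count", 0) for k, v in insight.get("SignalListMetadata", {}).items()}
    counted = count_by_bucket(insight)
    return all(reported.get(b, 0) == counted.get(b, 0) for b in set(reported) | set(counted))


def triage(insight, escalate_categories=("C2",), escalate_score=6):
    """Summarise the insight and flag it for escalation when a signal in one of
    escalate_categories reaches escalate_score. Thresholds are this example's
    choice. Score arrives as a string in the context, so it is parsed here."""
    signals = insight.get("SignalList", [])
    scores = [int(s.get("Score", "0")) for s in signals]
    escalate = any(
        s.get("Category") in escalate_categories and int(s.get("Score", "0")) >= escalate_score
        for s in signals
    )
    return {
        "id": insight.get("Id"),
        "status": insight.get("WorkflowStatus"),
        "severity": insight.get("Severity"),
        "max_score": max(scores, default=0),
        "categories": dict(Counter(s.get("Category") for s in signals)),
        "indicator_count": len(extract_indicators(insight)),
        "metadata_consistent": metadata_consistent(insight),
        "escalate": escalate,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_INSIGHT))
    for ind in extract_indicators(SAMPLE_INSIGHT):
        print(ind["type"], ind["value"], "<-", ", ".join(ind["signals"]))
```

For the sample insight this yields four hostname indicators, category counts of one Exfiltration and three C2 signals, a consistent Patterns count of 4, and an escalate flag because the C2 signals score 6. Dropping two signals from the list makes metadata_consistent return False, which is the case a playbook should treat as "re-query before deciding".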
Human Readable Output
2. Get comments for an insight
Note: This command is deprecated. Use the `sumologic-sec-insight-get-comments` command in the Sumo Logic SIEM integration. For further details, see the Sumo Logic SIEM integration documentation.
Returns comments for a specified insight.
Base Command
jask-get-insight-comments
Input
Parameter | Description |
---|---|
insight-id | The insight to retrieve comments for |
Context Output
Path | Description |
---|---|
Jask.InsightCommentList.id | Comment ID |
Jask.InsightCommentList.InsightId | Insight ID |
Jask.InsightCommentList.Author | Author of comment |
Jask.InsightCommentList.Body | Comment body |
Jask.InsightCommentList.LastUpdated | The date the comment was last updated |
Jask.InsightCommentList.Timestamp | The time of the comment |
Command Example
!jask-get-insight-comments insight-id="7ead8dc9-d541-3484-9320-ea593729e7cc"
Human Readable Output
3. Get details for a signal
Note: This command is deprecated. Use the `sumologic-sec-signal-get-details` command in the Sumo Logic SIEM integration. For further details, see the Sumo Logic SIEM integration documentation.
Returns detailed information for a specified signal.
Base Command
jask-get-signal-details
Input
Parameter | Description |
---|---|
signal-id | The signal to retrieve details for |
Context Output
Path | Description |
---|---|
Jask.Signal.Id | Signal ID |
Jask.Signal.Name | Signal name |
Jask.Signal.Category | Signal category |
Jask.Signal.Description | Signal description |
Jask.Signal.Score | Signal score |
Jask.Signal.SourceType | The source type of the signal |
Jask.Signal.Timestamp | The time of the signal |
Jask.Signal.Metadata.RecordType | Record type |
Jask.Signal.Metadata.RecordCount | The associated count of each record type |
Jask.Signal.ThreatIndicators.IndicatorType | Threat indicator type |
Jask.Signal.ThreatIndicators.Value | Value of the threat indicator |
Command Example
!jask-get-signal-details signal-id=b7f76616-f27b-5c18-b503-2d3dbab1bb96
Context Example
{ "Jask": { "Signal": { "Category": "Exfiltration", "SourceType": "rule", "Name": "Hexadecimal in DNS Query Domain", "Timestamp": "2018-07-11T19:06:14", "ThreatIndicators": [ { "Value": "analytics-9dd8570e3fd957ce828c34761a8e98b8.xyz", "IndicatorType": "hostname" } ], "Score": "2", "Description": "Encoding in hexadecimal is a way that attackers can bypass network security devices that are inspecting traffic. While hexadecimal often appears in subdomains, it much less frequent in domains.", "Id": "b7f76616-f27b-5c18-b503-2d3dbab1bb96", "Metadata": [ { "RecordType": "flow", "RecordCount": 0 }, { "RecordType": "notice", "RecordCount": 0 }, { "RecordType": "http", "RecordCount": 0 } ] } } }
Human Readable Output
4. Get details for an entity
Note: This command is deprecated. Use the `sumologic-sec-entity-get-details` command in the Sumo Logic SIEM integration. For further details, see the Sumo Logic SIEM integration documentation.
Returns detailed information about a specified entity.
Base Command
jask-get-entity-details
Input
Parameter | Description |
---|---|
entity-id | The entity to retrieve details for |
Context Output
Path | Description |
---|---|
Jask.Entity.Id | Entity ID |
Jask.Entity.Name | Entity name |
Jask.Entity.IpAddress | Entity IP address |
Jask.Entity.FirstSeen | Time the entity was first seen |
Jask.Entity.LastSeen | Time the entity was last seen |
Jask.Entity.Source | The source of the entity |
Jask.Entity.EntityType | Entity type (username, hostname, or ip) |
Jask.Entity.PrimaryEntityType | Primary entity type |
Jask.Entity.HostName | Hostname |
Jask.Entity.RiskScore | Risk score |
Jask.Entity.IsWhiteListed | Whether or not the entity is on allow list |
Jask.Entity.Groups | Groups the entity belongs to |
Command Example
!jask-get-entity-details entity-id=d07ef37f-06c1-58c3-a7a0-c1cd0fa4cd8e
Context Example
{ "Jask": { "Entity": { "Name": "craig.campbell", "EntityType": "username", "PrimaryEntityType": "hostname", "Source": "ad", "LastSeen": "Sun, 05 Aug 2018 10:30:18 GMT", "Groups": [ "CN=Remote Desktop Users,CN=Builtin,DC=corp,DC=skaj,DC=ai" ], "Id": "d07ef37f-06c1-58c3-a7a0-c1cd0fa4cd8e", "FirstSeen": "Thu, 01 Mar 2018 16:52:50 GMT" } } }
Human Readable Output
5. Get related entities
Note: This command is deprecated and will not be supported in Sumo Logic SIEM. For further details, see the Sumo Logic SIEM integration documentation.
Get all related entities for the specified entity.
Base Command
jask-get-related-entities
Input
Parameter | Description |
---|---|
entity-id | The entity ID that the related entities are retrieved for |
Context Output
Path | Description |
---|---|
Jask.RelatedEntityList.Id | Entity ID |
Jask.RelatedEntityList.Name | Entity name |
Jask.RelatedEntityList.Email | Email address of the related entity |
Jask.RelatedEntityList.Source | Entity source |
Jask.RelatedEntityList.UserName | Username of the related entity |
Jask.RelatedEntityList.HostName | Entity hostname |
Jask.RelatedEntityList.Active | Whether or not the entity is active |
Jask.RelatedEntityList.Admin | Whether or not the related entity is an administrator |
Jask.RelatedEntityList.AssetType | Asset type |
Jask.RelatedEntityList.CreatedTimestamp | Time the entity was created |
Jask.RelatedEntityList.FirstSeen | Time the entity was first seen |
Jask.RelatedEntityList.GivenName | Name given to the entity |
Jask.RelatedEntityList.IsWhiteListed | Whether or not the entity is on allow list |
Jask.RelatedEntityList.LastSeen | Time the entity was last seen |
Jask.RelatedEntityList.LastName | The last name |
Jask.RelatedEntityList.RiskScore | Entity risk score |
Command Example
!jask-get-related-entities entity-id=d5d04bc6-c00a-4a9a-a8f5-6f6231f55d80
Context Example
{ "Jask": { "RelatedEntityList": [ { "Username": "craig.campbell", "Name": "craig.campbell", "LastName": "Campbell", "EntityType": "username", "Id": "d07ef37f-06c1-58c3-a7a0-c1cd0fa4cd8e", "CreatedTimestamp": "2018-01-23T05:01:38", "Source": "ad", "LastSeen": "2018-08-05T10:30:18", "Groups": [ "CN=Remote Desktop Users,CN=Builtin,DC=corp,DC=skaj,DC=ai" ], "Active": true, "GivenName": "Craig", "Email": "example.gmail.com", "FirstSeen": "2018-03-01T16:52:50" }, { "EntityType": "hostname", "Name": "sea-dt5820-357.corp.skaj.ai", "Hostname": "sea-dt5820-357.corp.skaj.ai", "Source": "ad", "LastSeen": "2018-08-05T10:30:38", "Groups": [ "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=corp,DC=skaj,DC=ai", "CN=Cert Publishers,CN=Users,DC=corp,DC=skaj,DC=ai" ], "Id": "7d63f14f-81c0-5442-9de1-6061404bcbd7", "FirstSeen": "2018-02-15T16:04:35" } ] } }
Human Readable Output
6. Get a list of entities on allow list
Note: This command is deprecated and will not be supported in Sumo Logic SIEM. For further details, see the Sumo Logic SIEM integration documentation.
Returns a list of all entities on allow list.
Base Command
jask-get-whitelisted-entities
Input
There are no inputs for this command.
Context Output
Path | Description |
---|---|
Jask.WhiteListed.EntityList.Id | ID of the entity on allow list |
Jask.WhiteListed.EntityList.Name | Name (hostname or IP address) of the entity on allow list |
Jask.WhiteListed.EntityList.UserName | User who placed the entity on the allow list |
Jask.WhiteListed.EntityList.ModelId | The model ID of the entity on allow list |
Jask.WhiteListed.EntityList.Timestamp | Time the entity was placed on the allow list |
Jask.WhiteListed.Metadata.TotalCount | Number of entities on allow list |
Command Example
!jask-get-whitelisted-entities
Context Example
{ "Jask": { "WhiteListed": { "EntityList": [ { "UserName": "demisto", "Timestamp": "2018-05-31T21:20:45.302635", "Name": "wittes-imac-pro.local", "Id": "e0a7172f-aa5d-4ba9-ae66-b49d99d9b4e7", "ModelId": "e0a7172f-aa5d-4ba9-ae66-b49d99d9b4e7" }, { "UserName": "demisto", "Timestamp": "2018-05-31T21:12:54.003527", "Name": "172.18.20.20", "Id": "d5d04bc6-c00a-4a9a-a8f5-6f6231f55d80", "ModelId": "d5d04bc6-c00a-4a9a-a8f5-6f6231f55d80" }, { "UserName": "demisto", "Timestamp": "2018-05-31T21:20:37.218586", "Name": "192.168.2.195", "Id": "306360bb-57d2-4a8d-a882-a7b3f2b92429", "ModelId": "306360bb-57d2-4a8d-a882-a7b3f2b92429" } ], "Metadata": { "TotalCount": 3 } } } }
Human Readable Output
7. Search JASK insights
Note: This command is deprecated. Use the `sumologic-sec-insight-search` command in the Sumo Logic SIEM integration. For further details, see the Sumo Logic SIEM integration documentation.
Search for JASK insights according to specific criteria.
Base Command
jask-search-insights
Input
Parameter | Description |
---|---|
last-seen | When the insight was last seen (for example, 'Last 24 hours' or 'Last 48 hours'). Defaults to 'All time' if no time arguments are specified. |
rating | Comma-separated list of values between 1-5 (inclusive) |
status | Comma-separated list of values (new, inprogress, closed) |
assigned-team | Comma-separated list of values |
assigned-user | Comma-separated list of values |
offset | The page offset for the results |
limit | How many results to retrieve |
sort | What to sort the results by |
time-from | Start time for the search (MM/DD/YYYY) |
time-to | End time for the search (MM/DD/YYYY) |
Context Output
Path | Description |
---|---|
Jask.Insight.Id | Insight ID |
Jask.Insight.Name | Insight name |
Jask.Insight.Action | The action to take on the insight |
Jask.Insight.AssignedTo | Who the insight was assigned to |
Jask.Insight.Description | Insight description |
Jask.Insight.IpAddress | Insight IP address |
Jask.Insight.LastUpdated | When the insight was last updated |
Jask.Insight.LastUpdatedBy | Who the insight was last updated by |
Jask.Insight.Severity | Insight severity |
Jask.Insight.InsightTime | Time of the insight |
Jask.Insight.WorkflowStatus | Insight status |
Command Example
!jask-search-insights last-seen="Last 48 hours" limit=2 assigned-user=unassigned
Context Example
{ "Jask": { "Insight": [ { "WorkflowStatus": "new", "Description": "Multiple signals related to lateral movement with other anomalies and threats.", "InsightTime": "2018-08-04T11:06:14", "LastUpdated": "2018-08-04T11:06:15.373616", "AssignedTo": "unassigned", "Severity": 1, "IpAddress": "172.18.20.20", "Id": "a01f689c-f7da-4838-bf5c-2046f1736aff", "Name": "Insider Threat - Lateral Movement with Increased Traffic" }, { "WorkflowStatus": "new", "Description": "Multiple signals related to user, network and other threats.", "InsightTime": "2018-08-04T11:05:12", "LastUpdated": "2018-08-04T11:05:13.654486", "AssignedTo": "unassigned", "Severity": 1, "IpAddress": "172.18.20.20", "Id": "88cd2086-126f-4e95-a6c5-dde91f86afb6", "Name": "User Anomalies with Beaconing Behavior" } ] } }
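Both insights in the example above have 172.18.20.20 as their primary IP address, and that same address appears in the jask-get-whitelisted-entities output earlier on this page. A lateral-movement insight whose source is an allow-listed host is exactly the kind of thing an analyst wants flagged rather than silently closed as noise, and it is also a prompt to ask whether the allow-list entry is still justified. The following is an added example, not code from the Jask integration or the Sumo Logic pack: it joins the two context examples (copied here as constructed samples) to tag insights coming from allow-listed entities, checks that the allow list was returned whole, and lists entries older than a cut-off. The staleness cut-off and the assumption that Timestamp is the time the entry was created are this example's, not the product's.

```python
"""Cross-check fetched insights against the Jask allow list.

Added example, not integration code. SAMPLE_WHITELIST and SAMPLE_INSIGHTS are copies
of the page's context examples for jask-get-whitelisted-entities and
jask-search-insights; in an automation both would come from demisto.context().
"""
from datetime import datetime, timedelta

SAMPLE_WHITELIST = {
    "EntityList": [
        {"UserName": "demisto", "Timestamp": "2018-05-31T21:20:45.302635",
         "Name": "wittes-imac-pro.local", "Id": "e0a7172f-aa5d-4ba9-ae66-b49d99d9b4e7",
         "ModelId": "e0a7172f-aa5d-4ba9-ae66-b49d99d9b4e7"},
        {"UserName": "demisto", "Timestamp": "2018-05-31T21:12:54.003527",
         "Name": "172.18.20.20", "Id": "d5d04bc6-c00a-4a9a-a8f5-6f6231f55d80",
         "ModelId": "d5d04bc6-c00a-4a9a-a8f5-6f6231f55d80"},
        {"UserName": "demisto", "Timestamp": "2018-05-31T21:20:37.218586",
         "Name": "192.168.2.195", "Id": "306360bb-57d2-4a8d-a882-a7b3f2b92429",
         "ModelId": "306360bb-57d2-4a8d-a882-a7b3f2b92429"},
    ],
    "Metadata": {"TotalCount": 3},
}

SAMPLE_INSIGHTS = [
    {"Id": "a01f689c-f7da-4838-bf5c-2046f1736aff", "WorkflowStatus": "new", "Severity": 1,
     "IpAddress": "172.18.20.20", "AssignedTo": "unassigned",
     "Name": "Insider Threat - Lateral Movement with Increased Traffic"},
    {"Id": "88cd2086-126f-4e95-a6c5-dde91f86afb6", "WorkflowStatus": "new", "Severity": 1,
     "IpAddress": "172.18.20.20", "AssignedTo": "unassigned",
     "Name": "User Anomalies with Beaconing Behavior"},
]


def allow_list_complete(whitelist):
    """True when every entry the server counted was actually returned. If this is
    False, an 'is not allow-listed' answer below is unreliable."""
    returned = len(whitelist.get("EntityList", []))
    return returned == whitelist.get("Metadata", {}).get("TotalCount", returned)


def allow_list_index(whitelist):
    """Map each allow-listed Name (IP address or hostname) to its entry."""
    return {e["Name"]: e for e in whitelist.get("EntityList", [])}


def insights_from_allow_listed_entities(insights, whitelist):
    """Return one record per insight whose primary IpAddress is on the allow list,
    carrying the entry ID and who added it so the analyst can follow up."""
    index = allow_list_index(whitelist)
    hits = []
    for ins in insights:
        entry = index.get(ins.get("IpAddress"))
        if entry is not None:
            hits.append({"insight": ins["Id"], "insight_name": ins.get("Name"),
                         "entry": entry["Id"], "added_by": entry.get("UserName")})
    return hits


def stale_entries(whitelist, now, max_age_days):
    """Names of allow-list entries whose Timestamp is older than max_age_days at
    'now'. Assumption: Timestamp is when the entry was created (ISO 8601 with
    microseconds, as in the context example)."""
    cutoff = now - timedelta(days=max_age_days)
    return [e["Name"] for e in whitelist.get("EntityList", [])
            if datetime.fromisoformat(e["Timestamp"]) < cutoff]


if __name__ == "__main__":
    print("allow list complete:", allow_list_complete(SAMPLE_WHITELIST))
    for hit in insights_from_allow_listed_entities(SAMPLE_INSIGHTS, SAMPLE_WHITELIST):
        print("allow-listed source:", hit)
    print("stale:", stale_entries(SAMPLE_WHITELIST, datetime(2018, 8, 5), 60))
```

With the page's data both insights match the 172.18.20.20 entry added by user demisto, the allow list is complete (three returned, TotalCount 3), and at a 60-day cut-off measured on 2018-08-05 all three entries are stale while at 90 days none are.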
Human Readable Output
8. Search JASK signals
Note: This command is deprecated. Use the `sumologic-sec-signal-search` command in the Sumo Logic SIEM integration. For further details, see the Sumo Logic SIEM integration documentation.
Search for JASK signals according to specific criteria.
Base Command
jask-search-signals
Input
Parameter | Description |
---|---|
last-seen | When the signal was last seen (for example, 'Last 24 hours'). Defaults to 'All time' if no time arguments are specified. |
source | Comma-separated list of values (threatintel, rule, anomaly) |
category | Comma-separated list of values from the options (Attack Stage, C2, Defense Evasion, Discovery, Exfiltration, Exploitation, External Recon, Internal Recon, Lateral Movement, Threat Intelligence, Traffic Anomaly) |
offset | The page offset for the results |
limit | The maximum number of signals to retrieve |
sort | What to sort the results by |
time-from | Start time for the search (MM/DD/YYYY) |
time-to | End time for the search (MM/DD/YYYY) |
Context Output
Path | Description |
---|---|
Jask.Signal.Id | Signal ID |
Jask.Signal.Name | Signal name |
Jask.Signal.Category | Signal category |
Jask.Signal.Description | Signal description |
Jask.Signal.Score | Signal score |
Jask.Signal.SourceType | The source type of the signal |
Jask.Signal.Timestamp | The time of the signal |
Jask.Signal.ThreatIndicators.IndicatorType | Threat indicator type |
Jask.Signal.ThreatIndicators.Value | Value of the threat indicator |
Command Example
!jask-search-signals last-seen="Last 24 hours" category="Attack Stage, C2" offset="0" limit="10" sort="score:desc"
Context Example
{ "Jask": { "Signal": [ { "Category": "C2", "Name": "TeslaCrypt Ransomware Domain", "Timestamp": "2018-08-04T11:59:26.447586", "ThreatIndicators": [ { "Value": "lovemydress.pl", "IndicatorType": "hostname" } ], "Score": "6", "Description": "TeslaCrypt is a ransomware that encrypts documents, databases, code, bitcoin wallets and more. This rule looks for DNS queries that include domains known to be associated with TeslaCrypt.", "Id": "79d796dc-97e6-11e8-bdd7-02346534339c", "SourceType": "rule" }, { "Category": "Attack Stage", "Name": "SSH Password Brute Force", "Timestamp": "2018-08-04T10:36:35.256445", "ThreatIndicators": [ { "Value": "104.236.48.178", "IndicatorType": "ip" } ], "Score": "2", "Description": "SSH Password brute force attack detected", "Id": "79d790a6-97e6-11e8-bdc7-02346534339c", "SourceType": "rule" }, { "Category": "Attack Stage", "Name": "SSH Password Brute Force", "Timestamp": "2018-08-04T11:24:49.534168", "ThreatIndicators": [ { "Value": "104.236.48.178", "IndicatorType": "ip" } ], "Score": "2", "Description": "SSH Password brute force attack detected", "Id": "79d78eb2-97e6-11e8-bdc2-02346534339c", "SourceType": "rule" } ] } }
Human Readable Output
9. Search JASK entities
Note: This command is deprecated. Use the `sumologic-sec-entity-search` command in the Sumo Logic SIEM integration. For further details, see the Sumo Logic SIEM integration documentation.
Search for JASK entities according to specific criteria.
Base Command
jask-search-entities
Input
Parameter | Description |
---|---|
last-seen | When the entity was last seen (for example, 'Last 24 hours'). Defaults to 'All time' if no time arguments are specified. |
entity-type | Comma-separated list of values (username, hostname, ip) |
offset | The page offset for the results |
limit | How many results to retrieve |
sort | What to sort the results by |
time-from | Start time for the search (MM/DD/YYYY) |
time-to | End time for the search (MM/DD/YYYY) |
Context Output
Path | Description |
---|---|
Jask.Entity.Id | Entity ID |
Jask.Entity.Name | Entity name |
Jask.Entity.FirstSeen | When the entity was first seen |
Jask.Entity.LastSeen | When the entity was last seen |
Jask.Entity.Source | The source of the entity |
Jask.Entity.EntityType | Entity type |
Jask.Entity.PrimaryEntityType | The primary entity type |
Jask.Entity.HostName | Entity hostname |
Jask.Entity.RiskScore | Entity risk score |
Jask.Entity.IsWhiteListed | Whether or not the entity is on allow list |
Jask.Entity.Groups | The groups of the entity |
Jask.Entity.IpAddress | Entity IP address |
Command Example
!jask-search-entities entity-type=ip limit=3 time-from=08/04/2018 time-to=08/05/2018
Context Example
{ "Jask": { "Entity": [ { "EntityType": "ip", "Name": "112.175.209.72", "Hostname": "Unknown", "Source": "discovery", "PrimaryEntityType": null, "IpAddress": "112.175.209.72", "Id": "68fe56f0-4cbc-4664-9227-868069607636" }, { "EntityType": "ip", "Name": "186.185.91.72", "Hostname": "Unknown", "Source": "discovery", "PrimaryEntityType": null, "IpAddress": "186.185.91.72", "Id": "ada67af4-a7c1-45f4-9740-69b095ffdac6" }, { "EntityType": "ip", "Name": "105.102.75.16", "Hostname": "Unknown", "Source": "discovery", "PrimaryEntityType": null, "IpAddress": "105.102.75.16", "Id": "b3e40046-0450-48a4-8752-6a20aec89143" } ] } }
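The three search commands (jask-search-insights, jask-search-signals and jask-search-entities) share the same paging, sort and time-window arguments and differ only in their filter lists, and every one of them takes comma-separated strings that a playbook typically assembles from other context. A wrapper automation that validates those arguments before calling the command turns a vague server error into a precise one and stops a bad window (time-from after time-to) or a misspelt status from silently returning nothing. The following is an added example, not code from the Jask integration or the Sumo Logic pack. The accepted values are the ones in the input tables above and the workflow_status clause matches the default fetch query on this page; the sort format field:asc|desc is an assumption based on the sort="score:desc" example, and the paging defaults are this example's, not the product's.

```python
"""Validate and normalise arguments for the jask-search-* commands.

Added example, not integration code. In an XSOAR automation the args dict would be
demisto.args(); the normalised result is what you pass to demisto.executeCommand.
"""
import re
from datetime import datetime

INSIGHT_STATUS = {"new", "inprogress", "closed"}
SIGNAL_SOURCES = {"threatintel", "rule", "anomaly"}
SIGNAL_CATEGORIES = {"Attack Stage", "C2", "Defense Evasion", "Discovery", "Exfiltration",
                     "Exploitation", "External Recon", "Internal Recon", "Lateral Movement",
                     "Threat Intelligence", "Traffic Anomaly"}
ENTITY_TYPES = {"username", "hostname", "ip"}
SORT_RE = re.compile(r"^[A-Za-z_]+:(asc|desc)$")  # assumption, from sort="score:desc"


def split_csv(value):
    """'Attack Stage, C2' -> ['Attack Stage', 'C2']; empty items dropped."""
    return [v.strip() for v in str(value).split(",") if v.strip()]


def _choices(args, name, allowed, lowercase=True):
    """Comma-separated argument restricted to a fixed set; None when absent."""
    if name not in args:
        return None
    values = [v.lower() if lowercase else v for v in split_csv(args[name])]
    bad = [v for v in values if v not in allowed]
    if bad:
        raise ValueError(f"{name}: unsupported value(s) {bad}; allowed: {sorted(allowed)}")
    return values


def _common(args):
    """Paging, sort and time window shared by all three search commands."""
    out = {}
    for name, default in (("offset", 0), ("limit", 10)):  # defaults chosen for this example
        raw = args.get(name, default)
        try:
            out[name] = int(raw)
        except (TypeError, ValueError):
            raise ValueError(f"{name} must be an integer, got {raw!r}") from None
        if out[name] < 0:
            raise ValueError(f"{name} must not be negative")
    if "sort" in args:
        if not SORT_RE.match(str(args["sort"])):
            raise ValueError("sort must look like field:asc or field:desc")
        out["sort"] = args["sort"]
    window = {}
    for name in ("time-from", "time-to"):  # documented as MM/DD/YYYY
        if name in args:
            try:
                window[name] = datetime.strptime(args[name], "%m/%d/%Y")
            except ValueError:
                raise ValueError(f"{name} must be MM/DD/YYYY, got {args[name]!r}") from None
    if len(window) == 2 and window["time-from"] > window["time-to"]:
        raise ValueError("time-from is after time-to")
    out.update(window)
    if "last-seen" in args:
        out["last-seen"] = args["last-seen"]
    return out


def validate_insight_search(args):
    out = _common(args)
    if "rating" in args:
        ratings = []
        for r in split_csv(args["rating"]):
            if not r.isdigit() or not 1 <= int(r) <= 5:
                raise ValueError(f"rating must be between 1 and 5, got {r!r}")
            ratings.append(int(r))
        out["rating"] = ratings
    status = _choices(args, "status", INSIGHT_STATUS)
    if status is not None:
        out["status"] = status
    for name in ("assigned-team", "assigned-user"):
        if name in args:
            out[name] = split_csv(args[name])
    return out


def validate_signal_search(args):
    out = _common(args)
    for name, allowed, lower in (("source", SIGNAL_SOURCES, True),
                                 ("category", SIGNAL_CATEGORIES, False)):
        values = _choices(args, name, allowed, lowercase=lower)
        if values is not None:
            out[name] = values
    return out


def validate_entity_search(args):
    out = _common(args)
    types = _choices(args, "entity-type", ENTITY_TYPES)
    if types is not None:
        out["entity-type"] = types
    return out


def fetch_query_for_status(statuses):
    """Build the workflow_status clause for the Override default fetch query parameter."""
    bad = set(statuses) - INSIGHT_STATUS
    if bad:
        raise ValueError(f"unknown status {sorted(bad)}")
    return "workflow_status:(" + " OR ".join(statuses) + ")"
```

Run against the command examples on this page, validate_insight_search accepts last-seen="Last 48 hours" limit=2 assigned-user=unassigned, validate_signal_search accepts category="Attack Stage, C2" offset="0" limit="10" sort="score:desc", validate_entity_search accepts entity-type=ip limit=3 time-from=08/04/2018 time-to=08/05/2018, and fetch_query_for_status(["new", "inprogress"]) reproduces the default fetch query workflow_status:(new OR inprogress). A rating of 6, a status of "open", a reversed time window or sort="score" each raise ValueError with the offending argument named.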
Human Readable Output