Integrations

This section explains the functions of Incident Responder > Integrations. The Incident Responder product can be used to perform simple tasks like adding a new integration, modifying, deactivating, and deleting the existing integration.

To access every section of this document, go to the Incident Responder > Integrations menu.

Integrations

The components of the Integrations page are:

Integration Name

Name of the Integration.

Integration Type

Type of the Integration.

Description

Description of the integration.

Status

The status information of the integration. (Active, Inactive)

Date Created

The date of the integration creation.

Action

You can edit the selected integration. You can change the status or delete the integration by clicking the "︙" button.

Creating New Integration

If you want to add an integration for the first time, click the New button (on the middle of the page), if there is an integration that has been added before, click the New button (in the upper right corner of the page).

You can create a new integration by following the steps in the table below.

Integration Name

Name of the Integration.

Description

Description of the integration.

Integration Type

Select an integration type.

API URL

The API URL address of the integration type. The VirusTotal, Google Safe Browsing, Zen Spamhaus, IBM X-Force, Opswat, Google Web Risk, VMRay, AnyRun, and Cyber X-Ray analysis engines have API URLs by default on the platform and changing the domain may cause disfunction.

Tags

Labeling function. Integrations defined in the system can be filtered more easily by labeling them.

Proxy

You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default.

URLs

URL analysis capability is enabled by default, you can disable it if needed.

Sender IP

Sender IP analysis capability is active by default, you can disable it if needed.

Attachments

File analysis capability is active by default, you can disable it if needed.

Status

Integration is active by default, you can disable the integration if needed.

Advanced Settings

If there are emails that you do not want to be analyzed in the Incident Responder, you can exclude them from analysis by adding their IP addresses, URL addresses, and File Extensions to this menu. Using this feature, you can ensure that secure IP addresses, domains, and file extensions are not analyzed. Thus, API limits used in integrations are utilized more efficiently.

You can access this feature from the Advanced Settings page on the Incident Responder > Integration menu.

URLs

Exclude URL addresses in a reported email from the analysis.

IP Addresses

Exclude the IP address of a reported email server and the IP addresses included as URLs in the email from the analysis.

Attachments

Exclude file extensions in a reported email from the analysis.

How to Add Integration

IBM X-Force

IBM X-Force is a commercial threat analysis engine from IBM. It is available in a premium version. The IBM X-Force doesn't provide a free API key subscription. The IBM X-Force threat analysis engine analyzes whether a reported email is malicious or not using the following capabilities.

Sender IP

The sender email server IP address of a reported email is analyzed.

URLs

URL addresses in a reported email are analyzed.

Attachments

The hash information of the file in a reported email is analyzed.

NOTE: The file itself is not analyzed, its hash data is analyzed.

IBM X-Force API Key and Password Generating Steps

  1. First, go to the IBM X-Force API Key generation process. Sign up on the appropriate page, then confirm your account by clicking the verification link in the email that was delivered to your inbox.

  2. To view the Profile Summary, click the user icon at the top right corner of the X-Force Exchange page.

  3. To visit the Settings page, click the Settings link in the lower left corner. From there, click the API Access link to view the API information page.

  4. To generate a brand-new API key and password, click the Generate button.

  5. Before refreshing the page after creating an API key and password, save your API key and password information.

How to Integrate IBM X-Force into the Platform?

You can integrate the API key and password (which you obtained by following the steps in the 'IBM X-Force API Key and Password Creation Steps' section) to the Incident Responder by the following steps below and benefit from its capabilities.

Click the New button on the relevant page, then fill in the fields:

Name

Name of the Integration.

Description

Description of the integration.

Integration Type

Select IBM X-force integration.

API URL

The URL address of the IBM X-force integration is defined automatically. Please do not change.

API Key

Define the API key.

API Password

Define the password for the API key.

Test Connection

Make sure the API key and password are working correctly with the Test Connection button.

Tags

Tags are used to filter the integrations defined in the system.

Proxy

You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default.

URLs

URL analysis capability is enabled by default, you can disable it if needed.

Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field.

NOTE: With the Hide URL Parameters feature, instead of analyzing the entire URL address, only the relevant domain is analyzed.

Sender IP

Sender IP analysis capability is enabled by default, you can disable it if needed.

Attachments

File Hash analysis capability is enabled by default, you can disable it if needed.

Status

Integration is active by default, you can disable the integration if needed.

VirusTotal

VirusTotal is a commercial threat analysis engine, also available in a free version. The VirusTotal analysis engine analyzes whether a reported email is malicious or not.

URLs

URL addresses in a reported email are analyzed.

Attachments

Only the hash data of the file in a reported email is analyzed.

NOTE: The file itself is not analyzed, the Hash of the file is analyzed.

Sender IP

The sender email server IP address of a reported email is analyzed.

VirusTotal API Key Creation Steps

You must have a VirusTotal ID to use the VirusTotal API. After registering via the link here, you must verify your account via the verification link you received.

Once verified, log into your VirusTotal account and view the API key from the API menu on your profile.

How to Integrate VirusTotal?

The API key obtained by applying the 'VirusTotal API Key Creation Steps' can be integrated into the Incident Responder platform by following the steps below and its capabilities can be utilized.

Click the New button on the relevant page, then fill in the fields:

Name

Name of Integration.

Description

Description of the integration.

Integration Type

Select the Virustotal integration.

API URL

The URL address of the Virustotal integration is defined automatically. Please do not change.

API Key

Define the API key.

Test Connection

Make sure the API key is working correctly with the Test Connection button.

Detection Threshold

How many analyzing tools in Virustotal need to flag it as malicious for you to consider a link, attachment, or sender IP to be harmful in your analysis results?

Tags

You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default.

Proxy

You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default.

URLs

URL analysis capability is enabled by default, you can disable it if needed. Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, instead of analyzing the entire URL address, only the relevant domain is analyzed.

Cache

It recommends enabling to use of API key limits more effectively. If this option is enabled, the reported domain such as "test.com" results (undetected or phishing) will be saved, and when the same domain is requested to be analyzed again, the previous results (undetected or phishing) will be referenced until the X hours and Y times. After exceeding the X hours or Y times query for the related domain, the domain will be analyzed via Virustotal and the same process will be working again.

Attachments

File Hash analysis capability is enabled by default, you can disable it if needed.

Status

Integration is active by default, you can disable the integration if needed.

Google Safe Browsing

Google Safe Browsing is an analytics engine offered by Google for free. The Google Safe Browsing analysis engine analyzes whether a reported email is malicious.

URLs

URL addresses in a reported email are analyzed.

Google Safe Browsing API Key Creation Steps

  1. After opening the Dashboard from the left menu, click the Select a Project button above.

  2. Click on the New Project button in the upper right corner of the new window, give the project a name and create the project with the Create button.

  3. Open the left menu and click on the Library module.

  4. Type Safe Browsing in the Search field. Then click on Safe Browsing API.

  5. Click the Enable button in the new window.

  6. Click APIs & Services > Credentials in the left menu.

  7. Click the Create Credentials button at the top. Then click on API Key.

  8. You can save your API key created here and use it in the necessary field on our platform.

Please note that you must enable billing for the project which you created in step 3.

How to Integrate Google Safe Browsing?

The API key obtained by applying the 'Google Safe Browsing API Key Creation Steps' can be integrated on the Incident Responder platform by following the steps below and its capabilities can be utilized.

Click the New button on the relevant page, then fill in the fields:

Name

Name of the Integration.

Description

Description of the integration.

Integration Type

Select the Google Safe Browsing integration.

API URL

The URL address of Google Safe Browsing integration is defined automatically. Please do not change.

API Key

Define the API key.

Test Connection

Make sure the API key is working correctly with the Test Connection button.

Tags

You can filter the integrations defined in the system more easily by labeling them.

Proxy

You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default.

URLs

URL analysis capability is enabled by default, you can disable it if needed. Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, instead of analyzing the entire URL address, only the relevant domain is analyzed.

Status

Integration is active by default, you can disable the integration if needed.

Google Web Risk

Google Web Risk is an analytics engine offered by Google for free for up to 100.000 requests per month. The Google Web Risk analysis engine analyzes whether a reported email is malicious.

URLs

URL addresses in a reported email are analyzed.

Google Web Risk API Key Creation Steps

  1. After opening the Dashboard from the left menu, click the Select a Project button above.

  2. Click on the New Project button in the upper right corner of the new window, give the project a name and create the project with the Create button.

  3. Open the left menu and click on the Library module.

  4. Type Web Risk API in the Search field. Then click on Web Risk API.

  5. Click the Enable button in the new window.

  6. Click APIs & Services > Credentials in the left menu.

  7. Click the Create Credentials button at the top. Then click on API Key.

  8. As the last step, you can save your API key created here and use it in the necessary field on our platform.

How to Integrate Google Web Risk?

The API key obtained by applying the 'Google Web Risk API Key Creation Steps' can be integrated on the Incident Responder platform by following the steps below and its capabilities can be utilized.

Click the New button on the relevant page, then fill in the fields:

Name

Name of the Integration.

Description

Description of the integration.

Integration Type

Select the Google Web Risk integration.

API URL

The URL address of Google Web Risk integration is defined automatically. Please do not change.

API Key

Define the API key.

Test Connection

Make sure the API key is working correctly with the Test Connection button.

Tags

You can filter the integrations defined in the system more easily by labeling them.

Proxy

You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default.

URLs

URL analysis capability is enabled by default, you can disable it if needed.

Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field.

NOTE: With the Hide URL Parameters feature, instead of analyzing the entire URL address, only the relevant domain is analyzed.

Status

Integration is active by default, you can disable the integration if needed.

Zen SpamHaus

Zen Spamhaus is a spam analysis engine made available for free by Spamhaus. SpamHaus spam analysis engine has the following capabilities and features to analyze whether a reported email is malicious or not.

SpamHaus integration does not use API keys, analysis is done over DNS.

Sender IP

The sender's email server IP address of a reported email is analyzed. If the sender's IP address has previously performed malicious or suspicious activity (e.g. Phishing or Blacklisted), you can see it on this interface.

How to Integrate Zen SpamHaus?

By following the steps below on the Incident Responder module, it can be integrated into the system and its capabilities can be utilized.

Click the New button on the relevant page, then fill in the fields below:

Name

Name of the Integration.

Description

Description of the integration.

Integration Type

Choose Zen SpamHaus integration.

API URL

The URL address of the Zen SpamHaus integration is defined automatically.

Test Connection

Make sure that the integration works correctly with the Test Connection button.

Tags

You can filter the integrations defined in the system more easily by labeling them.

Proxy

You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default.

Sender IP

Sender IP analysis capability is enabled by default, you can disable it if needed.

Status

Integration is active by default, you can disable the integration if needed.

FortiSandbox

The FortiSandbox is a paid analysis engine offered by Fortinet has the following capabilities, and it automatically scans whether a reported email is malicious or not.

URLs

URL addresses in a reported email are analyzed.

Attachments

The files in a reported email are analyzed.

FortiSandbox API Key Creation Steps

  1. Use the FortiSandbox administration page to log in.

  2. Go to the Administrators page in the left menu under the System.

  3. By selecting the Create option from the menu, you can create a user.

  4. For the relevant person, you can provide either a Super Admin or Custom Role.

  5. Please go to the Admin Profiles under the System heading if you wish to define a Custom Role.

  6. Save the relevant user's username and password.

How to Integrate FortiSandbox?

By following the steps below on the Incident Responder module, you can integrate it to our platform and utilize its capabilities.

Click the New button on the relevant page, then fill in the fields below on the new page.

Name

Name of Integration.

Description

Description of the integration.

Integration Type

Select FortiSandbox integration.

API URL

The URL address of FortiSandbox integration is defined automatically. Please do not change.

API Key

Define the API key.

Test Connection

Make sure the API key is working correctly with the Test button.

Tags

You can filter the integrations defined in the system more easily by labeling them.

Proxy

You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default.

URLs

URL analysis capability is enabled by default, you can disable it if needed.

Optionally, you can add it to the scanning process by selecting the"Hide URL Parameters" field.

NOTE: With the Hide URL Parameters feature, instead of analyzing the entire URL address, only the relevant domain is analyzed.

Attachments

File Hash analysis capability is enabled by default, you can disable it if needed.

Optionally, you can add to the scanning process by selecting the “Upload PE files” and “Upload other file types” fields.

Status

Integration is active by default, you can disable the integration if needed.

Cyber X-Ray

Cyber X-Ray is a commercial AI-powered threat analysis engine, also available in a free version created by Roksit. Cyber X-Ray artificial intelligence threat analysis engine has the following capabilities and it automatically scans whether a reported email is malicious or not thanks to the following features.

URLs

URL addresses in a reported email are analyzed.

Cyber X-Ray API Key Creation Steps

  1. Complete the registration process through the Roksik platform here.

  2. Verify your account with the activation email sent to your email and log in to your account.

  3. Click on Settings > API Key on the left menu.

  4. Click the Create New API Key button in the upper right corner of the page that opens. Fill in the relevant fields in the API Key Information in the new window.

  5. Click the Save button. Thus, a new API Key will be created, and save the new API key before closing this page.

How to Integrate Cyber X-Ray?

By following the steps below on the Incident Responder platform, it can be integrated and its capabilities can be used.

Click the New button on the relevant page, then fill in the following fields on the page that opens.

Name

Name of the Integration.

Description

Description of the integration.

Integration Type

Choose Cyber X-Ray integration.

API URL

The URL address of Cyber X-Ray integration is defined automatically. Please do not change.

API Key

Define the API key.

Test Connection

Make sure the API key is working correctly with the Test Connection button.

Tags

You can filter the integrations defined in the system more easily by labeling them.

Proxy

You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default.

URLs

URL analysis capability is active by default, you can disable it if needed.

You can optionally add it to the scanning process by selecting the "Hide URL Parameters" field.

NOTE: With the Hide URL Parameters feature, only the domain name is analyzed instead of analyzing the entire URL address.

Status

Integration is active by default, you can disable the integration if needed.

OPSWAT

OPSWAT is an analysis engine available to companies for a fee. OPSWAT analysis engine has the following capabilities and automatically scans to identify whether a reported email is malicious or not. If you have the OPSWAT product, you can integrate the Incident Responder platform.

URLs

URL addresses in a reported email are analyzed.

Sender IP

The sender email server IP address of a reported email is analyzed.

Attachments

Analysis of the files in a reported email is performed.

How to create OPSWAT API?

Please follow the steps below to create an API to use OPSWAT integration on the platform.

  • Create an account on https://my.opswat.com/register and then log in.

  • Go to the Home > Licensed Products > Cloud-based Products tab, and you can find the API Key on the same page.

How to Integrate OPSWAT?

By following the steps below on the Incident Responder platform, you can integrate OPSWAT and its capabilities.

Click the New button on the relevant page, then fill in the fields below:

Name

Name of the integration.

Description

Description of the integration.

Integration Type

Select OPSWAT integration.

API URL

The URL address of OPSWAT integration is defined automatically. If you are not using a cloud-based solution, you can enter the URL information of the product.

API Key

Enter the API key.

Test Connection

Make sure the API key is working correctly with the Test Connection button.

Tags

You can filter the integrations defined in the system more easily by labeling them.

Proxy

You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default.

URLs

URL analysis capability is enabled by default, you can disable it if needed. Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, only the domain name is analyzed instead of analyzing the entire URL address.

Sender IP

Sender IP analysis capability is active by default, you can disable it if needed.

Attachments

URL analysis capability is not enabled by default, you can enable it if needed. You can add to the scanning process by selecting the “Upload PE files” and “Upload other file types” fields.

Status

Integration is active by default, you can disable the integration if needed.

VMRay

VMRay is an analysis engine available to companies for a fee. VMRay analysis engine has the following capabilities and automatically scans to identify whether a reported email is malicious or not. If you have the VMRay product, you can integrate the Incident Responder platform.

URLs

URL addresses in a reported email are analyzed.

Attachments

Dynamic and static analysis of the files in a reported email is performed.

How to Integrate VMRay?

By following the steps below on the Incident Responder platform, you can integrate VMRay and its capabilities to utilize.

Click the New button on the relevant page, then fill in the fields below:

Name

Name of the integration.

Description

Description of the integration.

Integration Type

Select VMRay integration.

API URL

The URL address of VMRay integration is defined automatically. If you are not using a cloud-based solution, you can enter the URL information of the product.

API Key

Define the API key.

Test Connection

Make sure the API key is working correctly with the Test Connection button.

Tags

You can filter the integrations defined in the system more easily by labeling them.

Proxy

You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default.

URLs

URL analysis capability is enabled by default, you can disable it if needed. Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, only the domain name is analyzed instead of analyzing the entire URL address.

Cache

It recommends enabling to use of API key limits more effectively. If this option is enabled, the reported domain such as "test.com" results (undetected or phishing) will be saved, and when the same domain is requested to be analyzed again, the previous results (undetected or phishing) will be referenced until the X hours and Y times. After exceeding the X hours or Y times query for the related domain, the domain will be analyzed via Vmray and the same process will be working again.

Attachments

URL analysis capability is enabled by default, you can disable it if needed.

Optionally, you can add to the scanning process by selecting the “Upload PE files” and “Upload other file types” fields.

Status

Integration is active by default, you can disable the integration if needed.

AnyRun

AnyRun is a tool for the detection, monitoring, and research of cyber threats in real-time. The service is available in free demo trial and licensed versions. The AnyRun threat analysis engine analyzes whether a reported email is malicious or not using the following capabilities.

URLs

URL addresses in a reported email are analyzed.

Attachments

The original file itself in a reported email is analyzed. Please note if you enable the Attachment scan option, the original file in the reported email will be uploaded and analyzed in AnyRun cloud services.

AnyRun API Key Generating Steps

  1. Go to the AnyRun website and sign up for a free trial or purchase a license.

  2. Go to your profile.

  3. Click on the API and Limits menu.

  4. Copy your API key.

How to Integrate AnyRun into the Platform?

After you copy your API key, go to the Incident Responder by the following steps below and benefit from AnyRun capabilities.

Click the New button on the relevant page, then fill in the fields:

Name

Name of the Integration.

Description

Description of the integration.

Integration Type

Select AnyRun integration.

API URL

The URL address of the AnyRun integration is defined automatically. Please do not change.

API Key

Define the API key.

Test Connection

Make sure the API key is working correctly with the Test Connection button.

Tags

Tags are used to filter the integrations defined in the system.

Proxy

You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default.

URLs

URL analysis capability is enabled by default; you can disable it if needed.

Optionally, you can add it to the scanning process by selecting the "Hide

URL Parameters" field.

NOTE: With the Hide URL Parameters feature, instead of analyzing the entire URL address, only the relevant domain is analyzed.

Attachments

The attachment analysis capability is disabled by default, you can enable it if needed.

Status

Integration is active by default, you can disable the integration if needed.

Last updated

Copyright © Keepnet Labs LTD. All rights reserved.