Integrations
This section explains the functions of Incident Responder > Integrations. The Incident Responder product can be used to perform simple tasks like adding a new integration, modifying, deactivating, and deleting the existing integration.
To access every section of this document, go to the Incident Responder > Integrations menu.
Integrations
The components of the Integrations page are:
Integration Name | Name of the Integration. |
Integration Type | Type of the Integration. |
Description | Description of the integration. |
Status | The status information of the integration. (Active, Inactive) |
Date Created | The date of the integration creation. |
Action | You can edit the selected integration. You can change the status or delete the integration by clicking the "︙" button. |
Creating New Integration
If you are adding an integration for the first time, click the New button in the middle of the page. If an integration has already been added, click the New button in the upper right corner of the page.
You can create a new integration by following the steps in the table below.
Integration Name | Name of the Integration. |
Description | Description of the integration. |
Integration Type | Select an integration type. |
API URL | The API URL address of the integration type. The VirusTotal, Google Safe Browsing, Zen Spamhaus, IBM X-Force, Opswat, Google Web Risk, VMRay, AnyRun, and Cyber X-Ray analysis engines have API URLs by default on the platform, and changing the domain may cause the integration to malfunction. |
Tags | Labeling function. Integrations defined in the system can be filtered more easily by labeling them. |
Proxy | You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default. |
URLs | URL analysis capability is enabled by default, you can disable it if needed. |
Sender IP | Sender IP analysis capability is active by default, you can disable it if needed. |
Attachments | File analysis capability is active by default, you can disable it if needed. |
Status | Integration is active by default, you can disable the integration if needed. |
Advanced Settings
If there are emails that you do not want to be analyzed in the Incident Responder, you can exclude them from analysis by adding their IP addresses, URL addresses, and File Extensions to this menu. Using this feature, you can ensure that secure IP addresses, domains, and file extensions are not analyzed. Thus, API limits used in integrations are utilized more efficiently.
You can access this feature from the Advanced Settings page on the Incident Responder > Integration menu.
URLs | Exclude URL addresses in a reported email from the analysis. |
IP Addresses | Exclude the IP address of a reported email server and the IP addresses included as URLs in the email from the analysis. |
Attachments | Exclude file extensions in a reported email from the analysis. |
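The sketch below is an added illustration of how the three exclusion lists can be applied to a reported email before anything is sent to an analysis engine. It is not the platform's code. The list contents, the function names and the matching rules (exact host match, final file extension only) are assumptions.

```python
import ipaddress
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Constructed exclusion lists (assumed values, not platform defaults).
EXCLUDED_HOSTS = {"intranet.example.com"}
EXCLUDED_IPS = {ipaddress.ip_address("192.0.2.10")}
EXCLUDED_EXTENSIONS = {"png", "ics"}

# Constructed observables from one reported email.
SAMPLE_URLS = [
    "https://intranet.example.com/wiki?id=1",
    "http://192.0.2.10/login",
    "https://intranet.example.com.phish.example/reset",
    "http://198.51.100.7/a",
]
SAMPLE_ATTACHMENTS = ["logo.png", "logo.png.exe", "Agenda.ICS", "invoice.docm"]


def host_of(url):
    """Lower-cased host of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def as_ip(text):
    """Return an ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def url_excluded(url):
    host = host_of(url)
    ip = as_ip(host)
    if ip is not None:
        # A URL whose host is an IP literal is matched against the IP list.
        return ip in EXCLUDED_IPS
    # Exact host match only: a substring or prefix match would also skip
    # look-alike hosts such as intranet.example.com.phish.example.
    return host in EXCLUDED_HOSTS


def attachment_excluded(filename):
    # Only the final extension counts, so "logo.png.exe" is still analyzed.
    ext = PurePosixPath(filename.strip()).suffix.lstrip(".").lower()
    return ext in EXCLUDED_EXTENSIONS


def select_for_analysis(sender_ip, urls, attachments):
    """Return the observables that remain after applying the exclusions."""
    ip = as_ip(sender_ip)
    return {
        "sender_ip": None if ip in EXCLUDED_IPS else sender_ip,
        "urls": [u for u in urls if not url_excluded(u)],
        "attachments": [a for a in attachments if not attachment_excluded(a)],
    }


if __name__ == "__main__":
    print(select_for_analysis("192.0.2.10", SAMPLE_URLS, SAMPLE_ATTACHMENTS))
```

An unparsable URL is never treated as excluded, so it still reaches analysis.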
How to Add Integration
IBM X-Force
IBM X-Force is a commercial threat analysis engine from IBM, also available in a free version. The IBM X-Force threat analysis engine analyzes whether a reported email is malicious or not using the following capabilities.
Sender IP | The sender email server IP address of a reported email is analyzed. |
URLs | URL addresses in a reported email are analyzed. |
Attachments | The hash information of the file in a reported email is analyzed. NOTE: The file itself is not analyzed, its hash data is analyzed. |
IBM X-Force API Key and Password Generating Steps
First, go to the IBM X-Force API Key generation process. Sign up on the appropriate page, then confirm your account by clicking the verification link in the email that was delivered to your inbox.
To view the Profile Summary, click the user icon at the top right corner of the X-Force Exchange page.
To visit the Settings page, click the Settings link in the lower left corner. From there, click the API Access link to view the API information page.
To generate a brand-new API key and password, click the Generate button.
Before refreshing the page after creating an API key and password, save your API key and password information.
How to Integrate IBM X-Force into the Platform?
You can add the API key and password (obtained by following the steps in the 'IBM X-Force API Key and Password Generating Steps' section) to the Incident Responder by following the steps below and benefit from its capabilities.
Click the New button on the relevant page, then fill in the fields:
Name | Name of the Integration. |
Description | Description of the integration. |
Integration Type | Select IBM X-Force integration. |
API URL | The URL address of the IBM X-Force integration is defined automatically. Please do not change. |
API Key | Define the API key. |
API Password | Define the password for the API key. |
Test Connection | Make sure the API key and password are working correctly with the Test Connection button. |
Tags | Tags are used to filter the integrations defined in the system. |
Proxy | You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default. |
URLs | URL analysis capability is enabled by default, you can disable it if needed. Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, instead of analyzing the entire URL address, only the relevant domain is analyzed. |
Sender IP | Sender IP analysis capability is enabled by default, you can disable it if needed. |
Attachments | File Hash analysis capability is enabled by default, you can disable it if needed. |
Status | Integration is active by default, you can disable the integration if needed. |
VirusTotal
VirusTotal is a commercial threat analysis engine, also available in a free version. The VirusTotal analysis engine analyzes whether a reported email is malicious or not.
URLs | URL addresses in a reported email are analyzed. |
Attachments | Only the hash data of the file in a reported email is analyzed. NOTE: The file itself is not analyzed, the Hash of the file is analyzed. |
Sender IP | The sender email server IP address of a reported email is analyzed. |
VirusTotal API Key Creation Steps
You must have a VirusTotal ID to use the VirusTotal API. After registering via the link here, you must verify your account via the verification link you received.
Once verified, log into your VirusTotal account and view the API key from the API menu on your profile.
How to Integrate VirusTotal?
The API key obtained by applying the 'VirusTotal API Key Creation Steps' can be integrated into the Incident Responder platform by following the steps below and its capabilities can be utilized.
Click the New button on the relevant page, then fill in the fields:
Name | Name of Integration. |
Description | Description of the integration. |
Integration Type | Select the VirusTotal integration. |
API URL | The URL address of the VirusTotal integration is defined automatically. Please do not change. |
API Key | Define the API key. |
Test Connection | Make sure the API key is working correctly with the Test Connection button. |
Detection Threshold | The number of analysis tools in VirusTotal that must flag a link, attachment, or sender IP as malicious for it to be considered harmful in your analysis results. |
Tags | You can filter the integrations defined in the system more easily by labeling them. |
Proxy | You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default. |
URLs | URL analysis capability is enabled by default, you can disable it if needed. Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, instead of analyzing the entire URL address, only the relevant domain is analyzed. |
Cache | Enabling this option is recommended to use API key limits more effectively. If it is enabled, the result (undetected or phishing) for a reported domain such as "test.com" is saved, and when the same domain is submitted for analysis again, the saved result is reused for up to X hours and Y times. Once X hours or Y queries have been exceeded for that domain, the domain is analyzed via VirusTotal again and the process starts over. |
Attachments | File Hash analysis capability is enabled by default, you can disable it if needed. |
Status | Integration is active by default, you can disable the integration if needed. |
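The following added example models the Hide URL Parameters and Cache rows above: each URL is reduced to its domain before it leaves the platform, and a saved verdict is reused until either limit is reached. It is not the platform's code. The class and function names, the stub engine, the values X = 24 and Y = 2, and reading "Y times" as Y cached answers are assumptions.

```python
import time
from urllib.parse import urlsplit


def hide_url_parameters(url):
    """Reduce a URL to its host so path, query and fragment are not sent out."""
    return (urlsplit(url).hostname or "").lower()


class VerdictCache:
    """Reuse a saved verdict for at most max_hours and at most max_hits lookups."""

    def __init__(self, max_hours, max_hits, clock=time.time):
        self.max_age = max_hours * 3600
        self.max_hits = max_hits
        self.clock = clock
        self._entries = {}  # domain -> [verdict, stored_at, hits_served]

    def get(self, domain):
        entry = self._entries.get(domain)
        if entry is None:
            return None
        verdict, stored_at, hits = entry
        expired = self.clock() - stored_at > self.max_age
        if expired or hits >= self.max_hits:
            del self._entries[domain]  # either limit forces a fresh analysis
            return None
        entry[2] = hits + 1
        return verdict

    def put(self, domain, verdict):
        self._entries[domain] = [verdict, self.clock(), 0]


def analyze(url, cache, engine):
    """Return (verdict, source) where source is 'cache' or 'engine'."""
    domain = hide_url_parameters(url)
    cached = cache.get(domain)
    if cached is not None:
        return cached, "cache"
    verdict = engine(domain)  # one API call counted against the key's quota
    cache.put(domain, verdict)
    return verdict, "engine"


def demo():
    """Constructed run: X = 24 hours, Y = 2 cached answers, stub engine."""
    now = [0.0]
    seen = []

    def engine(domain):  # stand-in for the real API call
        seen.append(domain)
        return "undetected"

    cache = VerdictCache(max_hours=24, max_hits=2, clock=lambda: now[0])
    urls = ["https://test.com/reset?token=abc"] * 4
    sources = [analyze(u, cache, engine)[1] for u in urls]
    now[0] += 25 * 3600  # move past the X-hour limit
    sources.append(analyze("https://TEST.com/", cache, engine)[1])
    return sources, seen


if __name__ == "__main__":
    print(demo())
```

The engine only ever receives `test.com`, never the token in the query string. While an entry is being reused, a saved "undetected" result is returned even if the domain's reputation has changed, so smaller X and Y values shorten that window at the cost of more API calls.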
Google Safe Browsing
Google Safe Browsing is an analytics engine offered by Google for free. The Google Safe Browsing analysis engine analyzes whether a reported email is malicious.
URLs | URL addresses in a reported email are analyzed. |
Google Safe Browsing API Key Creation Steps
Sign in to the Google Developers Console.
After opening the Dashboard from the left menu, click the Select a Project button above.
Click on the New Project button in the upper right corner of the new window, give the project a name and create the project with the Create button.
Open the left menu and click on the Library module.
Type Safe Browsing in the Search field. Then click on Safe Browsing API.
Click the Enable button in the new window.
Click APIs & Services > Credentials in the left menu.
Click the Create Credentials button at the top. Then click on API Key.
You can save your API key created here and use it in the necessary field on our platform.
Please note that you must enable billing for the project which you created in step 3.
How to Integrate Google Safe Browsing?
The API key obtained by applying the 'Google Safe Browsing API Key Creation Steps' can be integrated on the Incident Responder platform by following the steps below and its capabilities can be utilized.
Click the New button on the relevant page, then fill in the fields:
Name | Name of the Integration. |
Description | Description of the integration. |
Integration Type | Select the Google Safe Browsing integration. |
API URL | The URL address of Google Safe Browsing integration is defined automatically. Please do not change. |
API Key | Define the API key. |
Test Connection | Make sure the API key is working correctly with the Test Connection button. |
Tags | You can filter the integrations defined in the system more easily by labeling them. |
Proxy | You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default. |
URLs | URL analysis capability is enabled by default, you can disable it if needed. Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, instead of analyzing the entire URL address, only the relevant domain is analyzed. |
Status | Integration is active by default, you can disable the integration if needed. |
Google Web Risk
Google Web Risk is an analytics engine offered by Google for free for up to 100.000 requests per month. The Google Web Risk analysis engine analyzes whether a reported email is malicious.
URLs | URL addresses in a reported email are analyzed. |
Google Web Risk API Key Creation Steps
Sign in to the Google Developers Console.
After opening the Dashboard from the left menu, click the Select a Project button above.
Click on the New Project button in the upper right corner of the new window, give the project a name and create the project with the Create button.
Open the left menu and click on the Library module.
Type Web Risk API in the Search field. Then click on Web Risk API.
Click the Enable button in the new window.
Click APIs & Services > Credentials in the left menu.
Click the Create Credentials button at the top. Then click on API Key.
As the last step, you can save your API key created here and use it in the necessary field on our platform.
How to Integrate Google Web Risk?
The API key obtained by applying the 'Google Web Risk API Key Creation Steps' can be integrated on the Incident Responder platform by following the steps below and its capabilities can be utilized.
Click the New button on the relevant page, then fill in the fields:
Name | Name of the Integration. |
Description | Description of the integration. |
Integration Type | Select the Google Web Risk integration. |
API URL | The URL address of Google Web Risk integration is defined automatically. Please do not change. |
API Key | Define the API key. |
Test Connection | Make sure the API key is working correctly with the Test Connection button. |
Tags | You can filter the integrations defined in the system more easily by labeling them. |
Proxy | You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default. |
URLs | URL analysis capability is enabled by default, you can disable it if needed. Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, instead of analyzing the entire URL address, only the relevant domain is analyzed. |
Status | Integration is active by default, you can disable the integration if needed. |
Zen SpamHaus
Zen Spamhaus is a spam analysis engine made available for free by Spamhaus. SpamHaus spam analysis engine has the following capabilities and features to analyze whether a reported email is malicious or not.
SpamHaus integration does not use API keys, analysis is done over DNS.
Sender IP | The sender's email server IP address of a reported email is analyzed. If the sender's IP address has previously performed malicious or suspicious activity (e.g. Phishing or Blacklisted), you can see it on this interface. |
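As an added illustration of what "analysis is done over DNS" means, the example below builds the DNS name that is looked up for a sender IP and interprets the A records that come back. It is not the platform's code. The return codes are those published by Spamhaus for the ZEN zone rather than values from this page, and the resolver is a constructed stand-in so the example runs offline.

```python
import ipaddress

ZEN_ZONE = "zen.spamhaus.org"

# A-record values that indicate a listing in the ZEN zone.
LISTED = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL",
    "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP",
    # PBL is a policy list (address ranges that should not send mail directly);
    # a PBL hit alone is not evidence of malicious activity.
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

# Values that mean the query itself failed. They are not listings.
ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query sent through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def zen_query_name(ip):
    """Reverse the address (octets for IPv4, nibbles for IPv6) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + ZEN_ZONE


def interpret(answers):
    """Map the returned A records ([] for NXDOMAIN) to a status."""
    errors = [ERRORS[a] for a in answers if a in ERRORS]
    if errors:
        return {"status": "error", "detail": errors}
    lists = sorted({LISTED[a] for a in answers if a in LISTED})
    if lists:
        return {"status": "listed", "detail": lists}
    if answers:
        return {"status": "unknown", "detail": list(answers)}
    return {"status": "not_listed", "detail": []}


def check_sender(ip, resolve):
    """resolve(name) must return a list of A-record strings, [] on NXDOMAIN."""
    return interpret(resolve(zen_query_name(ip)))


# Constructed DNS answers for documentation-range addresses.
CONSTRUCTED_DNS = {
    "99.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
    "7.100.51.198.zen.spamhaus.org": ["127.255.255.254"],
}


def constructed_resolve(name):
    return CONSTRUCTED_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.7", "203.0.113.5"):
        print(ip, check_sender(ip, constructed_resolve))
```

The error range matters in practice: a resolver that is refused by Spamhaus returns a `127.255.255.x` answer, which must not be read as either "listed" or "clean".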
How to Integrate Zen SpamHaus?
By following the steps below in the Incident Responder module, you can integrate Zen SpamHaus into the system and use its capabilities.
Click the New button on the relevant page, then fill in the fields below:
Name | Name of the Integration. |
Description | Description of the integration. |
Integration Type | Choose Zen SpamHaus integration. |
API URL | The URL address of the Zen SpamHaus integration is defined automatically. |
Test Connection | Make sure that the integration works correctly with the Test Connection button. |
Tags | You can filter the integrations defined in the system more easily by labeling them. |
Proxy | You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default. |
Sender IP | Sender IP analysis capability is enabled by default, you can disable it if needed. |
Status | Integration is active by default, you can disable the integration if needed. |
FortiSandbox
FortiSandbox is a paid analysis engine offered by Fortinet. It has the following capabilities and automatically scans whether a reported email is malicious or not.
URLs | URL addresses in a reported email are analyzed. |
Attachments | The files in a reported email are analyzed. |
FortiSandbox API Key Creation Steps
Use the FortiSandbox administration page to log in.
Go to the Administrators page in the left menu under the System.
By selecting the Create option from the menu, you can create a user.
For the relevant person, you can provide either a Super Admin or Custom Role.
Please go to the Admin Profiles under the System heading if you wish to define a Custom Role.
Save the relevant user's username and password.
How to Integrate FortiSandbox?
By following the steps below on the Incident Responder module, you can integrate it to our platform and utilize its capabilities.
Click the New button on the relevant page, then fill in the fields below on the new page.
Name | Name of Integration. |
Description | Description of the integration. |
Integration Type | Select FortiSandbox integration. |
API URL | The URL address of FortiSandbox integration is defined automatically. Please do not change. |
API Key | Define the API key. |
Test Connection | Make sure the API key is working correctly with the Test button. |
Tags | You can filter the integrations defined in the system more easily by labeling them. |
Proxy | You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default. |
URLs | URL analysis capability is enabled by default, you can disable it if needed. Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, instead of analyzing the entire URL address, only the relevant domain is analyzed. |
Attachments | File Hash analysis capability is enabled by default, you can disable it if needed. Optionally, you can add to the scanning process by selecting the “Upload PE files” and “Upload other file types” fields. |
Status | Integration is active by default, you can disable the integration if needed. |
Cyber X-Ray
Cyber X-Ray is a commercial AI-powered threat analysis engine created by Roksit, also available in a free version. It automatically scans whether a reported email is malicious or not using the following capabilities.
URLs | URL addresses in a reported email are analyzed. |
Cyber X-Ray API Key Creation Steps
Complete the registration process through the Roksit platform here.
Verify your account with the activation email sent to your email and log in to your account.
Click on Settings > API Key on the left menu.
Click the Create New API Key button in the upper right corner of the page that opens. Fill in the relevant fields in the API Key Information in the new window.
Click the Save button to create the new API key. Save the new API key before closing this page.
How to Integrate Cyber X-Ray?
By following the steps below on the Incident Responder platform, you can integrate Cyber X-Ray and use its capabilities.
Click the New button on the relevant page, then fill in the following fields on the page that opens.
Name | Name of the Integration. |
Description | Description of the integration. |
Integration Type | Choose Cyber X-Ray integration. |
API URL | The URL address of Cyber X-Ray integration is defined automatically. Please do not change. |
API Key | Define the API key. |
Test Connection | Make sure the API key is working correctly with the Test Connection button. |
Tags | You can filter the integrations defined in the system more easily by labeling them. |
Proxy | You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default. |
URLs | URL analysis capability is active by default, you can disable it if needed. You can optionally add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, only the domain name is analyzed instead of analyzing the entire URL address. |
Status | Integration is active by default, you can disable the integration if needed. |
OPSWAT
OPSWAT is an analysis engine available to companies for a fee. The OPSWAT analysis engine has the following capabilities and automatically scans to identify whether a reported email is malicious or not. If you have the OPSWAT product, you can integrate it with the Incident Responder platform.
URLs | URL addresses in a reported email are analyzed. |
Sender IP | The sender email server IP address of a reported email is analyzed. |
Attachments | Analysis of the files in a reported email is performed. |
How to create OPSWAT API?
Please follow the steps below to create an API to use OPSWAT integration on the platform.
Create an account on https://my.opswat.com/register and then log in.
Go to the Home > Licensed Products > Cloud-based Products tab, and you can find the API Key on the same page.
How to Integrate OPSWAT?
By following the steps below on the Incident Responder platform, you can integrate OPSWAT and use its capabilities.
Click the New button on the relevant page, then fill in the fields below:
Name | Name of the integration. |
Description | Description of the integration. |
Integration Type | Select OPSWAT integration. |
API URL | The URL address of OPSWAT integration is defined automatically. If you are not using a cloud-based solution, you can enter the URL information of the product. |
API Key | Enter the API key. |
Test Connection | Make sure the API key is working correctly with the Test Connection button. |
Tags | You can filter the integrations defined in the system more easily by labeling them. |
Proxy | You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default. |
URLs | URL analysis capability is enabled by default, you can disable it if needed. Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, only the domain name is analyzed instead of analyzing the entire URL address. |
Sender IP | Sender IP analysis capability is active by default, you can disable it if needed. |
Attachments | Attachment analysis capability is not enabled by default, you can enable it if needed. You can add to the scanning process by selecting the “Upload PE files” and “Upload other file types” fields. |
Status | Integration is active by default, you can disable the integration if needed. |
VMRay
VMRay is an analysis engine available to companies for a fee. The VMRay analysis engine has the following capabilities and automatically scans to identify whether a reported email is malicious or not. If you have the VMRay product, you can integrate it with the Incident Responder platform.
URLs | URL addresses in a reported email are analyzed. |
Attachments | Dynamic and static analysis of the files in a reported email is performed. |
How to Integrate VMRay?
By following the steps below on the Incident Responder platform, you can integrate VMRay and use its capabilities.
Click the New button on the relevant page, then fill in the fields below:
Name | Name of the integration. |
Description | Description of the integration. |
Integration Type | Select VMRay integration. |
API URL | The URL address of VMRay integration is defined automatically. If you are not using a cloud-based solution, you can enter the URL information of the product. |
API Key | Define the API key. |
Test Connection | Make sure the API key is working correctly with the Test Connection button. |
Tags | You can filter the integrations defined in the system more easily by labeling them. |
Proxy | You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default. |
URLs | URL analysis capability is enabled by default, you can disable it if needed. Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, only the domain name is analyzed instead of analyzing the entire URL address. |
Cache | Enabling this option is recommended to use API key limits more effectively. If it is enabled, the result (undetected or phishing) for a reported domain such as "test.com" is saved, and when the same domain is submitted for analysis again, the saved result is reused for up to X hours and Y times. Once X hours or Y queries have been exceeded for that domain, the domain is analyzed via VMRay again and the process starts over. |
Attachments | Attachment analysis capability is enabled by default, you can disable it if needed. Optionally, you can add to the scanning process by selecting the “Upload PE files” and “Upload other file types” fields. |
Status | Integration is active by default, you can disable the integration if needed. |
AnyRun
AnyRun is a tool for the detection, monitoring, and research of cyber threats in real-time. The service is available in free demo trial and licensed versions. The AnyRun threat analysis engine analyzes whether a reported email is malicious or not using the following capabilities.
URLs | URL addresses in a reported email are analyzed. |
Attachments | The original file itself in a reported email is analyzed. Please note if you enable the Attachment scan option, the original file in the reported email will be uploaded and analyzed in AnyRun cloud services. |
AnyRun API Key Generating Steps
Go to the AnyRun website and sign up for a free trial or purchase a license.
Go to your profile.
Click on the API and Limits menu.
Copy your API key.
How to Integrate AnyRun into the Platform?
After you copy your API key, go to the Incident Responder and follow the steps below to benefit from AnyRun capabilities.
Click the New button on the relevant page, then fill in the fields:
Name | Name of the Integration. |
Description | Description of the integration. |
Integration Type | Select AnyRun integration. |
API URL | The URL address of the AnyRun integration is defined automatically. Please do not change. |
API Key | Define the API key. |
Test Connection | Make sure the API key is working correctly with the Test Connection button. |
Tags | Tags are used to filter the integrations defined in the system. |
Proxy | You can choose the proxy server that the platform will use for the connections to the integration. If not, leave Default. |
URLs | URL analysis capability is enabled by default; you can disable it if needed. Optionally, you can add it to the scanning process by selecting the "Hide URL Parameters" field. NOTE: With the Hide URL Parameters feature, instead of analyzing the entire URL address, only the relevant domain is analyzed. |
Attachments | The attachment analysis capability is disabled by default, you can enable it if needed. |
Status | Integration is active by default, you can disable the integration if needed. |