Energy SOAR User Guide

• Overview
  • About
    • Components

• Energy SOAR installation guide
  • Install

• Architecture
  • Logical architecture

• Configuration
  • Cortex
    • Database
    • Analyzers and Responders
    • Authentication
    • OAuth2/OpenID Connect
    • Performance
    • Analyzer Results
    • Streaming (a.k.a The Flow)
    • Entity Size Limit
    • HTTPS
  • TheHive
    • secret.conf file
    • License
    • Listen address & port
    • Context
    • Specific configuration for streams
    • Manage content lengh
    • Manage configuration files
  • SSL
  • Change system language

• User guide
  • Administration
    • Manage analyzer template
      • List analyzer templates
      • Import analyzer templates
    • User Profiles management
      • Permissions
      • Profiles
      • Observable types
    • Kill user session
  • Reports
    • Create and edit
    • List
  • Cases
    • Observables
      • How to add observables into Case
  • Organisation
  • Reports
  • Workflows
    • Crate your first workflow
      • Automate Incident Reporting with Typeform
    • Connection
      • Example
    • Workflows List
    • Credentials
    • Executions
    • Node
      • Core nodes
      • Regular nodes
        • Example
      • Trigger nodes
      • Node settings
        • Operations
        • Parameters
        • Settings
    • Workflow integration nodes

• Operations

• Integrations
  • Responders
    • AMPforEndpoints
      • AMPforEndpoints_IsolationStart
      • AMPforEndpoints_IsolationStop
      • AMPforEndpoints_MoveGUID
      • AMPforEndpoints_SCDAdd
      • AMPforEndpoints_SCDRemove
    • AzureTokenRevoker
      • AzureTokenRevoker
    • CheckPoint
      • CheckPoint_Lock
      • CheckPoint_Unlock
        • CkeckPoint
          • Requirements
    • CheckPointBlockIP
      • Check Point Block IP
    • CheckPointUnblockIP
      • Check Point Unblock IP
    • DNS-RPZ
      • DNS-RPZ
    • DomainToolsIris_AddRiskyDNSTag
      • DomainToolsIris_AddRiskyDNSTag
    • DomainToolsIris_CheckMaliciousTags
      • DomainToolsIris_CheckMaliciousTags
    • Duo_Security
      • DuoLockUserAccount
      • DuoUnlockUserAccount
        • CortexResponder_DuoUserAccount
          • How to install:
          • Add Observable type in TheHive**
          • Run the Responder action in TheHive
    • Eset
      • EsetMachineIntegration
      • EsetMachineIsolation
      • EsetAddSHA1ToBlacklist
    • FalconCustomIOC
      • Crowdstrike_Falcon_Custom_IOC_API
    • FortiMailBlockRecipient
      • FortiMailBlockRecipient
    • FortiMailBlockSender
      • FortiMailBlockSender
    • FortiMailConnectionTest
      • FortiMailConnectionTest
    • FortiMailUnblockRecipient
      • FortiMailUnblockRecipient
    • FortiMailUnblockSender
      • FortiMailUnblockSender
    • Gmail
      • Gmail_BlockDomain
      • Gmail_BlockSender
      • Gmail_DeleteMessage
      • Gmail_UnblockDomain
      • Gmail_UnblockSender
        • Gmail responder
          • How to setup a Gmail service account
    • KnowBe4
      • KnowBe4
    • LDAP
      • LDAP_ChangePWD
      • LDAP_UnblockUser
      • LDAP_BlockUser
        • Responders Included:
        • Important Note:
    • MSDefenderEndpoints
      • MSDefender-IsolateMachine
      • MSDefender-PushIOC-Alert
      • MSDefender-PushIOC-Block
      • MSDefender-UnisolateMachine
      • MSDefender-FullVirusscan
        • Cortex responder for Microsoft Defender for Endpoints (formerly know as Microsoft ATP)
          • With this responder you can
            • In general, you’ll need to take the following steps to use the responder
            • Steps
            • API permission
            • Detailed permissions:
    • MSDefenderOffice365
      • MSDefenderOffice365_block
      • MSDefenderOffice365_unblock
    • MailIncidentStatus
      • MailIncidentStatus
    • Mailer
      • Mailer
    • Minemeld
      • Minemeld
        • Palo Alto Minemeld
          • Requirements
    • PaloAltoCortexXDR
      • PaloAltoCortexXDR_isolate
      • PaloAltoCortexXDR_scan
      • PaloAltoCortexXDR_unisolate
    • PaloAltoNGFW
      • PaloAltoNGFW_block_external_IP_address
      • PaloAltoNGFW_block_external_domain
      • PaloAltoNGFW_block_external_user
      • PaloAltoNGFW_block_internal_IP_address
      • PaloAltoNGFW_block_internal_domain
      • PaloAltoNGFW_block_internal_user
      • PaloAltoNGFW_block_port_for_external_communication
      • PaloAltoNGFW_block_port_for_internal_communication
      • PaloAltoNGFW_unblock_external_IP_address
      • PaloAltoNGFW_unblock_external_domain
      • PaloAltoNGFW_unblock_external_user
      • PaloAltoNGFW_unblock_internal_IP_address
      • PaloAltoNGFW_unblock_internal_domain
      • PaloAltoNGFW_unblock_internal_user
      • PaloAltoNGFW_unblock_port_for_external_communication
      • PaloAltoNGFW_unblock_port_for_internal_communication
        • Description of the responder module operation for the Palo Alto NGFW system
          • Installation
        • ToDo
    • QRadarAutoClose
      • QRadar_Auto_Closing_Offense
    • RT4
      • RT4-CreateTicket
        • Request Tracker 4 Cortex Responder
          • Initial Responder Configuration
          • Workflow
          • Templates
          • Tags to Modify RT4 Responder Behavior
          • Ticket customization order
          • Observable Object Data
    • Redmine
      • Redmine_Issue
    • RiskIQ
      • RiskIQ_PushArtifactToProject
    • RunWorkflow
      • RunWorkflow
    • SEPBlockHash
      • Symantec Endpoint Protection Block Hash
    • SEPQuarantineHost
      • Symantec Endpoint Protection Quarantine Host
    • SEPUnblockHash
      • Symantec Endpoint Protection Unblock Hash
    • SEPUnquarantineHost
      • Symantec Endpoint Protection Unquarantine Host
    • SMGBlockDomain
      • Symantec Messaging Gateway Block Domain
    • SMGBlockEmail
      • Symantec Messaging Gateway Block Email
    • SMGBlockIP
      • Symantec Messaging Gateway Block IP
    • SMGUnblockDomain
      • Symantec Messaging Gateway Unblock Domain
    • SMGUnblockEmail
      • Symantec Messaging Gateway Unblock Email
    • SMGUnblockIP
      • Symantec Messaging Gateway Unblock IP
    • SendGrid
      • SendGrid
    • SentinelOne
      • SentinelOne-Unisolate
      • SentinelOne-Scan
      • SentinelOne-Isolate
    • SentinelOne
      • SentinelOne-Unisolate
      • SentinelOne-Scan
      • SentinelOne-Isolate
    • Shuffle
      • Shuffle
    • UmbrellaBlacklister
      • Umbrella_Blacklister
    • Velociraptor
      • Velociraptor_Flow
        • Velociraptor
          • Requirements
    • VirustotalDownloader
      • Virustotal_Downloader
        • VirusTotalDownloader
          • Requirements
    • Wazuh
      • Wazuh
    • ZEROFOX_Close_alert
      • ZEROFOX_Close_alert
    • ZEROFOX_Takedown_request
      • ZEROFOX_Takedown_request
  • Analyzers
    • AbuseIPDB
      • AbuseIPDB
        • AbuseIPDB
          • Requirements
    • Abuse_Finder
      • Abuse_Finder
        • Abuse_Finder
    • AnyRun
      • AnyRun_Sandbox_Analysis
        • AnyRun
          • Requirements
    • Autofocus
      • Autofocus_GetSampleAnalysis
      • Autofocus_SearchIOC
      • Autofocus_SearchJSON
    • BackscatterIO
      • BackscatterIO_Enrichment
      • BackscatterIO_GetObservations
    • BitcoinAbuse
      • BitcoinAbuse
    • C1fApp
      • C1fApp
    • CERTatPassiveDNS
      • CERTatPassiveDNS
    • CIRCLHashlookup
      • CIRCLHashlookup
    • CIRCLPassiveDNS
      • CIRCLPassiveDNS
        • CIRCLPassiveDNS
          • Requirements
    • CIRCLPassiveSSL
      • CIRCLPassiveSSL
        • CIRCLPassiveSSL
          • Requirements
    • CISMCAP
      • CISMCAP
    • Censys
      • Censys
        • Censys
          • Requirements
    • CheckPhish
      • CheckPhish
      • CheckPhish_Submit
    • ClamAV
      • ClamAV_FileInfo
    • Crowdsec
      • Crowdsec_Analyzer
        • CrowdSec
          • Requirements
    • Crtsh
      • Crt_sh_Transparency_Logs
        • Crtsh
          • Requirements
    • CuckooSandbox
      • CuckooSandbox_File_Analysis_Inet
      • CuckooSandbox_Url_Analysis
        • CuckooSandbox
          • Requirements
    • CyberChef
      • CyberChef_FromBase64
      • CyberChef_FromCharCode
      • CyberChef_FromHex
        • Cyberchef
          • Requirements
    • CyberCrime-Tracker
      • CyberCrime-Tracker
        • cybercrime-tracker
          • Requirements
    • Cyberprotect
      • Cyberprotect_ThreatScore
        • cyberprotect
          • Requirements
    • Cylance
      • Cylance
    • Cylance hashlookup
    • FAQ
    • DNSDB
      • DNSDB_DomainName
      • DNSDB_IPHistory
      • DNSDB_NameHistory
    • DNSLookingglass
      • DNS_Lookingglass
        • DNS Lookingglass Analyzer
          • Requirements
    • DNSSinkhole
      • DNSSinkhole
    • DShield
      • DShield_lookup
        • DShield
          • Requirements
    • Diario
      • Diario_GetReport
      • Diario_Scan
    • DomainMailSPFDMARC
      • DomainMailSPFDMARC_Analyzer
    • DomainTools
      • DomainTools_HostingHistory
      • DomainTools_Reputation
      • DomainTools_ReverseIP
      • DomainTools_ReverseIPWhois
      • DomainTools_ReverseNameServer
      • DomainTools_ReverseWhois
      • DomainTools_Risk
      • DomainTools_WhoisHistory
      • DomainTools_WhoisLookup
      • DomainTools_WhoisLookupUnparsed
    • DomainToolsIris
      • DomainToolsIris_Investigate
      • DomainToolsIris_Pivot
        • Requirements
    • EchoTrail
      • EchoTrail
    • Elasticsearch
      • Elasticsearch_Analysis
    • EmailRep
      • EmailRep
        • Emailrep
          • Requirements
    • EmergingThreats
      • EmergingThreats_DomainInfo
      • EmergingThreats_IPInfo
      • EmergingThreats_MalwareInfo
        • EmergingThreats
          • Requirements
    • EmlParser
      • EmlParser
        • Email visualisation
        • Requirements
    • EnrichmentEngine
      • EnrichmentEngine
    • FalconSandbox
      • FalconSandbox
    • FileInfo
      • FileInfo
    • FireEyeiSight
      • FireEyeiSight
        • FireEyeiSight
          • Requirements
    • FireHOLBlocklists
      • FireHOLBlocklists
        • FireJOLBlocklists
          • Requirements
    • ForcepointWebsensePing
      • ForcepointWebsensePing
        • Requirements
    • Fortiguard
      • Fortiguard_URLCategory
        • Fortiguard
          • Requirements
    • GRR
      • GRR
    • GoogleDNS
      • GoogleDNS_resolve
    • GoogleSafebrowsing
      • GoogleSafebrowsing
    • GoogleVisionAPI
      • GoogleVisionAPI_WebDetection
    • GreyNoise
      • GreyNoise
        • GreyNoise
          • Requirements
    • HIBP
      • HIBP_Query
    • Hashdd
      • Hashdd_Detail
      • Hashdd_Status
        • Hashdd
          • Requirements
    • Hippocampe
      • Hipposcore
      • HippoMore
    • Hunterio
      • Hunterio_DomainSearch
    • HybridAnalysis
      • HybridAnalysis_GetReport
    • IBMXForce
      • IBMXForce_Lookup
    • IP-API
      • IP-API
    • IPVoid
      • IPVoid
    • IPinfo
      • IPinfo_Details
      • IPinfo_Hosted_Domains
    • IVRE
      • IVRE
        • IVRE
          • Requirements
    • Inoitsu
      • Inoitsu
    • Inoitsu-analyzer
    • IntezerCommunity
      • IntezerCommunity
        • Intezer
          • Requirements
    • Investigate
      • Investigate_Categorization
      • Investigate_Sample
    • JoeSandbox
      • JoeSandbox_File_Analysis_Inet
      • JoeSandbox_File_Analysis_Noinet
      • JoeSandbox_Url_Analysis
        • Joe SandBox
    • KasperskyTIP
      • KasperskyThreatIntelligencePortal
    • LastInfoSec
      • LastInfoSec
    • LdapQuery
      • Ldap_Query
    • MISP
      • MISP
        • MISP
          • Requirements
    • MISPWarningLists
      • MISPWarningLists
        • MISPWarningLists
          • Requirements
    • Malpedia
      • Malpedia
    • Maltiverse
      • Maltiverse_Report
        • Maltiverse
          • Requirements
    • MalwareBazaar
      • MalwareBazaar
        • MalwareBazaar
          • Requirements
    • MalwareClustering
      • MalwareClustering_Search
    • Prerequisites:
      • Required:
      • Optional:
    • Malwares
      • Malwares_GetReport
      • Malwares_Scan
        • Malwares
          • Requirements
    • MaxMind
      • MaxMind_GeoIP
    • MetaDefender
      • MetaDefenderCloud_GetReport
      • MetaDefenderCloud_Reputation
      • MetaDefenderCloud_Scan
      • MetaDefenderCore_GetReport
      • MetaDefenderCore_Scan
    • MnemonicPDNS
      • Mnemonic_pDNS_Closed
      • Mnemonic_pDNS_Public
    • MsgParser
      • Msg_Parser
    • NERD
      • NERD
        • Nerd
          • Requirements
    • NSRL
      • NSRL
    • Nessus
      • Nessus
    • OTXQuery
      • OTXQuery
        • OXT Alienvault
          • Requirements
    • Onyphe
      • Onyphe_Summary
    • OpenCTI
      • OpenCTI_SearchExactObservable
      • OpenCTI_SearchObservables
        • Requirements
    • PaloAltoWildFire
      • PaloAltoWildFire
    • PassiveTotal
      • PassiveTotal_Components
      • PassiveTotal_Enrichment
      • PassiveTotal_Host_Pairs
      • PassiveTotal_Malware
      • PassiveTotal_Osint
      • PassiveTotal_Passive_Dns
      • PassiveTotal_Ssl_Certificate_Details
      • PassiveTotal_Ssl_Certificate_History
      • PassiveTotal_Trackers
      • PassiveTotal_Unique_Resolutions
      • PassiveTotal_Whois_Details
    • Patrowl
      • Patrowl_GetReport
        • Patrowl
          • Requirements
    • PayloadSecurity
      • PayloadSecurity_File_Analysis
      • PayloadSecurity_Url_Analysis
    • PhishTank
      • PhishTank_CheckURL
        • PhishTank
          • Requirements
    • PhishingInitiative
      • PhishingInitiative_Lookup
      • PhishingInitiative_Scan
        • Phishing-Initiative
          • Requirements
    • ProofPoint
      • ProofPoint_Lookup
    • Pulsedive
      • Pulsedive_GetIndicator
    • RecordedFuture
      • RecordedFuture_risk
    • RiskIQ
      • RiskIQ_Articles
      • RiskIQ_Artifacts
      • RiskIQ_Certificates
      • RiskIQ_Components
      • RiskIQ_Cookies
      • RiskIQ_HostpairChildren
      • RiskIQ_HostpairParents
      • RiskIQ_Malware
      • RiskIQ_Projects
      • RiskIQ_Reputation
      • RiskIQ_Resolutions
      • RiskIQ_Services
      • RiskIQ_Subdomains
      • RiskIQ_Summary
      • RiskIQ_Trackers
      • RiskIQ_Whois
    • Robtex
      • Robtex_Forward_PDNS_Query
      • Robtex_IP_Query
      • Robtex_Reverse_PDNS_Query
    • SEKOIAIntelligenceCenter
      • SEKOIAIntelligenceCenter_Context
      • SEKOIAIntelligenceCenter_Indicators
      • SEKOIAIntelligenceCenter_Observables
        • Requirements
    • SecurityTrails
      • SecurityTrails_Passive_DNS
      • SecurityTrails_Whois
    • SentinelOne
      • SentinelOne_DeepVisibility_DNSQuery
    • Shodan
      • Shodan_DNSResolve
      • Shodan_Host
      • Shodan_Host_History
      • Shodan_InfoDomain
      • Shodan_ReverseDNS
      • Shodan_Search
    • SinkDB
      • SinkDB
    • SoltraEdge
      • SoltraEdge
    • SophosIntelix
      • SophosIntelix_GetReport
      • SophosIntelix_Submit_Dynamic
      • SophosIntelix_Submit_Static
    • SpamAssassin
      • SpamAssassin
    • SpamhausDBL
      • SpamhausDBL
    • Splunk
      • Splunk_Search_Domain_FQDN
      • Splunk_Search_File_Filename
      • Splunk_Search_Hash
      • Splunk_Search_IP
      • Splunk_Search_Mail_Email
      • Splunk_Search_Mail_Subject
      • Splunk_Search_Other
      • Splunk_Search_Registry
      • Splunk_Search_URL_URI_Path
      • Splunk_Search_User
      • Splunk_Search_User_Agent
        • Requirements
        • How to recover arguments in Splunk ?
        • Taxonomies
    • StamusNetworks
      • StamusNetworks_HostID
    • StaxxSearch
      • StaxxSearch
    • StopForumSpam
      • StopForumSpam
    • TalosReputation
      • TalosReputation
    • TeamCymruMHR
      • TeamCymruMHR
    • ThreatGrid
      • ThreatGrid
    • ThreatMiner
      • ThreatMiner
    • ThreatResponse
      • ThreatResponse
    • Threatcrowd
      • Threatcrowd
    • Thunderstorm
      • THOR_Thunderstorm_ScanSample
        • Thunderstorm
          • Requirements
          • Scope
          • Matches
          • Access to Thunderstorm
    • TorBlutmagie
      • TorBlutmagie
    • TorProject
      • TorProject
    • Triage
      • Triage
    • Triage Sandbox analyzer
    • FAQ
    • URLhaus
      • URLhaus
    • Umbrella
      • Umbrella_Report
    • UnshortenLink
      • UnshortenLink
    • Urlscan.io
      • Urlscan.io_Scan
      • Urlscan.io_Search
    • VMRay
      • VMRay
    • Valhalla
      • Valhalla_GetRuleMatches
        • Valhalla
          • Requirements
          • Scope
          • Matches
    • Verifalia
      • Verifalia
    • VirusTotal
      • VirusTotal_DownloadSample
      • VirusTotal_GetReport
      • VirusTotal_Rescan
      • VirusTotal_Scan
        • Extracted Observables
    • Virusshare
      • Virusshare
        • VirusShare
          • Requirements
    • Vulners
      • Vulners_CVE
      • Vulners_IOC
        • Vulners-analyzer
          • Setting up analyzer
          • Add Observable type in TheHive
          • Run the Analyzer in TheHive
            • Network IOCs:
            • Vulnerabilities:
    • WOT
      • WOT_Lookup
    • Yara
      • Yara
    • Yeti
      • Yeti
    • Zscaler
      • Zscaler
        • Zscaler
          • General requirements
          • Credit
  • Energy Logserver SIEM
    • Create API key
    • Edit Alert
    • Alert rule configuration
    • Custom message
  • Microsoft Exchange
    • Installation
    • Instance configuration

• API
  • Base API Guide
    • Authentication
      • Using API key
      • Using basic authentication
    • Alert
      • Model definition
      • Alert Manipulation
        • Alert methods
        • Get an alert
        • Create an alert
        • Merge an alert
        • Bulk merge alert
    • Observable
      • Model definition
      • Observable manipulation
        • Observable methods
        • List Observables of a Case
    • Case
      • Model definition
      • Case Manipulation
        • Case methods
        • Create a Case
    • Log
      • Model definition
      • Log manipulation
        • Log methods
        • Create a log
    • Task
      • Model definition
      • Task manipulation
        • Task methods
        • Create a task
    • Base module Model Definition
      • Field Types
      • Common Attributes
    • Request formats
      • Query String
      • URL-encoded Form
      • JSON
      • Multi-part
      • Response Format
    • User
      • Model definition
      • User Manipulation
        • User methods
        • Create a User
  • Automation API Guide
    • Introduction
      • Request & Response Formats
        • Query String
        • URL-encoded Form
        • JSON
        • Multi-part
        • Response Format
      • Authentication
        • Generating API Keys with an orgAdmin Account
        • Generating API Keys with a superAdmin Account
        • Authenticating with an API Key
        • Using Basic Authentication
    • Organization APIs
      • Organization Model
      • List
      • Create
      • Update
      • Delete
      • Obtain Details
      • List Users
      • List Enabled Analyzers
    • User APIs
      • User Model
      • List All
      • List Users within an Organization
      • Search
      • Create
      • Update
      • Get Details
      • Set a Password
      • Change a password
      • Set and Renew an API Key
      • Get an API Key
      • Revoke an API Key
    • Job APIs
      • Job Model
      • List and Search
      • Get Details
      • Get Details and Report
      • Wait and Get Job Report
      • Get Artifacts
      • Delete
    • Analyzer APIs
      • Analyzer Model
      • Enable
      • List and Search
      • Get Details
      • Get By Type
      • Update
      • Run
      • Disable
    • Miscellaneous APIs
      • Paging and Sorting