Skip to main content

Unit 42 Intelligence

This Integration is part of the Unit 42 Threat Intelligence by Palo Alto Networks Pack.#

Supported versions

Available on Cortex XSOAR (versions 6.10.0 and later) and Cortex XSIAM.

Enrich indicators with Unit 42 threat intelligence context including verdicts, threat object associations, and relationships.

Configure Unit 42 Intelligence in Cortex#

ParameterDescriptionRequired
Source ReliabilityReliability of the source providing the intelligence dataTrue
Create relationshipsCreate relationships between indicators and threat objectsFalse
Create threat objects as separate indicatorsWhether to create threat objects (malware families, actors, campaigns, etc.) as separate XSOAR indicatorsFalse
Trust any certificate (not secure)False
Use system proxy settingsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#

Enrich an IP address with Unit 42 threat intelligence context.

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipThe IP address to enrich.Required

Context Output#

PathTypeDescription
IP.AddressStringThe IP address.
IP.Malicious.VendorStringThe vendor reporting the IP as malicious.
IP.Malicious.DescriptionStringDescription of the malicious IP.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
Unit42.IP.ValueStringThe IP address.
Unit42.IP.TypeStringThe indicator type.
Unit42.IP.CountsUnknownCounts.
Unit42.IP.VerdictStringThe verdict for the IP.
Unit42.IP.VerdictCategoryUnknownThe verdict category.
Unit42.IP.FirstSeenDateFirst seen date.
Unit42.IP.LastSeenDateLast seen date.
Unit42.IP.SeenByUnknownSources that have seen this IP.
Unit42.IP.EnrichedThreatObjectAssociationUnknownEnriched threat object association.

Command example#

!ip ip="8.8.8.8"

Context Example#

{
"Unit42.IP": {
"Counts": [
{
"count_type": "wf_sample",
"count_values": {
"benign": 246022,
"grayware": 214,
"malware": 3176800
}
}
],
"EnrichedThreatObjectAssociation": null,
"FirstSeen": "",
"LastSeen": "",
"SeenBy": [
"wf_sample"
],
"Type": "IP",
"Value": "8.8.8.8",
"Verdict": "malicious",
"VerdictCategory": null
}
}

Human Readable Output#

Unit 42 Intelligence results for IP: 8.8.8.8#

ValueVerdictVerdict CategorySeen ByFirst SeenLast Seen
8.8.8.8maliciouswf_sample

domain#

Enrich a domain with Unit 42 threat intelligence context.

Base Command#

domain

Input#

Argument NameDescriptionRequired
domainDomain to enrich.Required

Context Output#

PathTypeDescription
Domain.NameStringThe domain name.
Domain.Malicious.VendorStringThe vendor reporting the domain as malicious.
Domain.Malicious.DescriptionStringDescription of the malicious domain.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
Unit42.Domain.ValueStringThe domain name.
Unit42.Domain.TypeStringThe indicator type.
Unit42.Domain.CountsUnknownCounts.
Unit42.Domain.VerdictStringThe verdict for the domain.
Unit42.Domain.VerdictCategoryUnknownThe verdict category.
Unit42.Domain.FirstSeenDateFirst seen date.
Unit42.Domain.LastSeenDateLast seen date.
Unit42.Domain.SeenByUnknownSources that have seen this domain.
Unit42.Domain.EnrichedThreatObjectAssociationUnknownEnriched threat object association.

Command example#

!domain domain="example.com"

Context Example#

{
"Unit42.Domain":{
"Counts": null,
"EnrichedThreatObjectAssociation": null,
"FirstSeen": "",
"LastSeen": "",
"SeenBy": null,
"Type": "Domain",
"Value": "example.com",
"Verdict": "benign",
"VerdictCategory": [
"allowlist_dict_dga"
]
}
}

Human Readable Output#

Unit 42 Intelligence results for Domain: example.com#

ValueVerdictVerdict CategorySeen ByFirst SeenLast Seen
example.combenignallowlist_dict_dgawf_sample

url#

Enrich a URL with Unit 42 threat intelligence context.

Base Command#

url

Input#

Argument NameDescriptionRequired
urlURL to enrich.Required

Context Output#

PathTypeDescription
URL.DataStringThe URL.
URL.Malicious.VendorStringThe vendor reporting the URL as malicious.
URL.Malicious.DescriptionStringDescription of the malicious URL.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
Unit42.URL.ValueStringThe URL.
Unit42.URL.TypeStringThe indicator type.
Unit42.URL.CountsUnknownCounts.
Unit42.URL.VerdictStringThe verdict for the URL.
Unit42.URL.VerdictCategoryUnknownThe verdict category.
Unit42.URL.FirstSeenDateFirst seen date.
Unit42.URL.LastSeenDateLast seen date.
Unit42.URL.SeenByUnknownSources that have seen this URL.
Unit42.URL.EnrichedThreatObjectAssociationUnknownEnriched threat object association.

Command example#

!url url="https://en.wikipedia.org/wiki/URL"

Context Example#

{
"Unit42.URL": {
"Counts": [
{
"count_type": "wf_sample",
"count_values": {
"benign": 97,
"grayware": 0,
"malware": 0
}
}
],
"EnrichedThreatObjectAssociation": null,
"FirstSeen": "",
"LastSeen": "",
"SeenBy": [
"wf_sample"
],
"Type": "URL",
"Value": "https://en.wikipedia.org/wiki/URL",
"Verdict": "unknown",
"VerdictCategory": null
}
}

Human Readable Output#

Unit 42 Intelligence results for URL: https://en.wikipedia.org/wiki/URL#

ValueVerdictVerdict CategorySeen ByFirst SeenLast Seen
https://en.wikipedia.org/wiki/URLunknownwf_sample

file#

Enrich a file hash with Unit 42 threat intelligence context.

Base Command#

file

Input#

Argument NameDescriptionRequired
fileFile hash to enrich (SHA256).Required

Context Output#

PathTypeDescription
File.MD5StringThe MD5 hash of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.Malicious.VendorStringThe vendor reporting the file as malicious.
File.Malicious.DescriptionStringDescription of the malicious file.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
Unit42.File.ValueStringThe file hash.
Unit42.File.TypeStringThe indicator type.
Unit42.File.CountsUnknownCounts.
Unit42.File.VerdictStringThe verdict for the file.
Unit42.File.VerdictCategoryUnknownThe verdict category.
Unit42.File.FirstSeenDateFirst seen date.
Unit42.File.LastSeenDateLast seen date.
Unit42.File.SeenByUnknownSources that have seen this file.
Unit42.File.EnrichedThreatObjectAssociationUnknownEnriched threat object association.

Command example#

!file file="123456abcdef"

Context Example#

{
"Unit42.File": {
"Counts": [
{
"count_type": "wf_sample",
"count_values": {
"benign": 0,
"grayware": 0,
"malware": 3
}
}
],
"EnrichedThreatObjectAssociation": null,
"FirstSeen": "",
"LastSeen": "",
"SeenBy": [
"wf_sample"
],
"Type": "File",
"Value": "123456abcdef",
"Verdict": "malicious",
"VerdictCategory": null
}
}

Human Readable Output#

Unit 42 Intelligence results for File: 123456abcdef#

ValueVerdictVerdict CategorySeen ByFirst SeenLast Seen
123456abcdefmaliciouswf_sample

Known Limitations#

URL Enrichment Format Requirements#

To ensure successful URL enrichment and avoid HTTP 400 errors, follow these guidelines:

URL Length

  • Maximum recommended length: 2000 characters
  • Observed maximum length for URL arguments in similar indicator submission commands within the Cortex platform

Special Characters

  • URLs must be properly encoded
  • Characters like commas (,), less-than (<), and greater-than (>) can cause parsing conflicts or API request failures (Status 400)
  • Remove or URL-encode these characters before submission

Comma Handling

  • If a URL contains a comma, the playbook task supplying the input must enclose the URL within a JSON list format to ensure it is treated as a single string, even if it is the only URL
  • Example: ["https://example.com/path?param=value,value2"]

General Guidelines

  • Ensure URLs are valid and well-formed
  • Use proper URL encoding for special characters
  • Test URLs with special characters in a non-production environment first
Edit this page
Report an Issue