
HYAS Insight (Preview)

HYAS Insight integration to Microsoft Azure Sentinel provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.

This connector is available in the following products and regions:

Service          Class      Regions
Logic Apps       Standard   All Logic Apps regions except the following:
                              - Azure Government regions
                              - Azure China regions
                              - US Department of Defense (DoD)
Power Automate   Premium    All Power Automate regions except the following:
                              - US Government (GCC)
                              - US Government (GCC High)
                              - China Cloud operated by 21Vianet
                              - US Department of Defense (DoD)
Power Apps       Premium    All Power Apps regions except the following:
                              - US Government (GCC)
                              - US Government (GCC High)
                              - China Cloud operated by 21Vianet
                              - US Department of Defense (DoD)
Contact
Name HYAS Infosec
URL https://www.hyas.com/contact
Email support@hyas.com
Connector Metadata
Publisher HYAS Infosec
Website https://www.hyas.com
Privacy policy https://www.hyas.com/privacy-statement/
Categories Security;Website

HYAS Insight Connector

HYAS Insight integration to Microsoft Azure Sentinel provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.

Pre-requisites

You will need the following to proceed:

  • A Microsoft Power Apps or Power Automate plan with custom connector feature
  • An Azure subscription
  • HYAS Insight API Key

Supported Operations

Details of all the supported operations, inputs and outputs are available here.

Support and documentation:

For all the support requests and general queries you can contact support@hyas.com or visit contact-us

Creating a connection

The connector supports the following authentication types:

Name: Default. Description: Parameters for creating connection. Applicable: All regions. Shareable: No.

Default

Applicable: All regions

Parameters for creating connection.

This connection is not shareable. If the Power App is shared with another user, that user will be prompted to create a new connection explicitly.

Name Type Description Required
HYAS Insight API Key securestring The HYAS Insight API Key for this api True

Throttling Limits

Name Calls Renewal Period
API calls per connection 100 60 seconds

Actions

Get C2 Attribution Information

Returns C2 Attribution Information.

Get Current Whois Information

Returns Current Whois Information for domain.

Get Dynamic DNS Information

Returns Dynamic DNS Information.

Get Malware Sample Information

Returns Malware Information.

Get Malware Sample Record Information

Returns Malware Sample Records.

Get Mobile Geolocation Information

Returns a list of mobile geolocation information.

Get Open Source Indicators Information

Returns a list of threat or intel indicators from open sources.

Get Passive DNS Information

Returns Passive DNS Information.

Get Passive Hash Information

Returns Passive Hash Information.

Get Sinkhole Information

Returns Sinkhole Information.

Get SSL Certificate Information

Returns SSL Certificate Information.

Get Whois Information

Returns Whois Information.

Get C2 Attribution Information

Returns C2 Attribution Information.

Parameters

Name Key Required Type Description
Indicator Type
indicator_type True string

Filter used to query the c2attribution endpoint; supported values are domain, ip, email and sha256.

Indicator Value
indicator_value True string

Please provide a valid domain or ip or email or sha256 value.

Returns

Get Current Whois Information

Returns Current Whois Information for domain.

Parameters

Name Key Required Type Description
Domain
domain True string

Please provide a valid domain.

Returns

Get Dynamic DNS Information

Returns Dynamic DNS Information.

Parameters

Name Key Required Type Description
Indicator Type
indicator_type True string

Filter used to query the dynamicdns endpoint; supported values are ip, domain and email.

Indicator Value
indicator_value True string

Please provide a valid ip or domain or email value.

Returns

Items
dynamicdns

Get Malware Sample Information

Returns Malware Information.

Parameters

Name Key Required Type Description
Indicator Type
indicator_type True string

Filter used to query the sample/information endpoint; the only supported value is hash.

Indicator Value
indicator_value True string

Please provide a valid hash value.

Returns

Get Malware Sample Record Information

Returns Malware Sample Records.

Parameters

Name Key Required Type Description
Indicator Type
indicator_type True string

Filter used to query the sample endpoint; supported values are md5, domain and ipv4.

Indicator Value
indicator_value True string

Please provide a valid md5 or domain or ipv4 value.

Returns

Items
sample

Get Mobile Geolocation Information

Returns a list of mobile geolocation information.

Parameters

Name Key Required Type Description
Indicator Type
indicator_type True string

Filter used to query the device_geo endpoint; supported values are ipv4 and ipv6.

Indicator Value
indicator_value True string

Please provide a valid ipv4 or ipv6 value.

Returns

Items
device_geo

Get Open Source Indicators Information

Returns a list of threat or intel indicators from open sources.

Parameters

Name Key Required Type Description
Indicator Type
indicator_type True string

Filter used to query the os_indicators endpoint; supported values are ipv4, ipv6, domain, sha1, sha256 and md5.

Indicator Value
indicator_value True string

Please provide a valid ipv4 or ipv6 or domain or sha1 or sha256 or md5 value.

Returns

Get Passive DNS Information

Returns Passive DNS Information.

Parameters

Name Key Required Type Description
Indicator Type
indicator_type True string

Filter used to query the passivedns endpoint; supported values are ipv4 and domain.

Indicator Value
indicator_value True string

Please provide a valid ipv4 or domain value.

Returns

Items
passivedns

Get Passive Hash Information

Returns Passive Hash Information.

Parameters

Name Key Required Type Description
Indicator Type
indicator_type True string

Filter used to query the passivehash endpoint; supported values are ipv4 and domain.

Indicator Value
indicator_value True string

Please provide a valid ipv4 or domain value.

Returns

Items
passivehash

Get Sinkhole Information

Returns Sinkhole Information.

Parameters

Name Key Required Type Description
Indicator Type
indicator_type True string

Filter used to query the sinkhole endpoint; the only supported value is ipv4.

Indicator Value
indicator_value True string

Please provide a valid ipv4 value.

Returns

Items
sinkhole

Get SSL Certificate Information

Returns SSL Certificate Information.

Parameters

Name Key Required Type Description
Indicator Type
indicator_type True string

Filter used to query the ssl_certificate endpoint; supported values are sha1 hash, ip and domain.

Indicator Value
indicator_value True string

Please provide a valid sha1 hash or ip or domain value.

Returns

Get Whois Information

Returns Whois Information.

Parameters

Name Key Required Type Description
Indicator Type
indicator_type True string

Filter used to query the whois endpoint; supported values are domain, email and phone.

Indicator Value
indicator_value True string

Please provide a valid domain or email or phone value.

Returns

Items
whois
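The action tables above list, for every endpoint, which indicator_type values it accepts, and the Throttling Limits section caps a connection at 100 calls per 60 seconds. The following Python helper is an added example, not code from this connector reference nor from HYAS or Microsoft: it validates an indicator_type/indicator_value pair before it is handed to the connector (so malformed input never consumes a throttled call) and keeps a batch under the documented limit. The endpoint-to-type table is transcribed from this page; everything else is an assumption of mine: the syntactic format checks, keying the ssl_certificate "sha1 hash" type as sha1, treating ip as either v4 or v6, and treating hash (sample/information) as any of md5, sha1, sha256 or sha512. It makes no network calls.

```python
import ipaddress
import re
import time
from collections import deque

# indicator_type values per endpoint, transcribed from the action parameter
# tables on this page. "sha1 hash" for ssl_certificate is keyed as "sha1" (assumption).
SUPPORTED_TYPES = {
    "c2attribution": {"domain", "ip", "email", "sha256"},
    "dynamicdns": {"ip", "domain", "email"},
    "sample/information": {"hash"},
    "sample": {"md5", "domain", "ipv4"},
    "device_geo": {"ipv4", "ipv6"},
    "os_indicators": {"ipv4", "ipv6", "domain", "sha1", "sha256", "md5"},
    "passivedns": {"ipv4", "domain"},
    "passivehash": {"ipv4", "domain"},
    "sinkhole": {"ipv4"},
    "ssl_certificate": {"sha1", "ip", "domain"},
    "whois": {"domain", "email", "phone"},
}

# Format checks are assumptions about what "a valid value" means; the page names only the types.
_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_PHONE_RE = re.compile(r"^\+[1-9]\d{6,14}$")  # E.164, the format the whois definition uses


def _is_ip(value, version=None):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return version is None or addr.version == version


def _is_hex(value, length):
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % length, value) is not None


def looks_like(indicator_type, value):
    """Cheap syntactic check that value plausibly is an indicator of the given type."""
    value = value.strip()
    if indicator_type in _HEX_LEN:
        return _is_hex(value, _HEX_LEN[indicator_type])
    if indicator_type == "hash":  # any hash the sample_information definition lists
        return any(_is_hex(value, n) for n in _HEX_LEN.values())
    checks = {
        "ip": lambda v: _is_ip(v),
        "ipv4": lambda v: _is_ip(v, 4),
        "ipv6": lambda v: _is_ip(v, 6),
        "domain": lambda v: _DOMAIN_RE.match(v) is not None,
        "email": lambda v: _EMAIL_RE.match(v) is not None,
        "phone": lambda v: _PHONE_RE.match(v) is not None,
    }
    return indicator_type in checks and checks[indicator_type](value)


def validate_request(endpoint, indicator_type, indicator_value):
    """Return (ok, reason); ok is True only if the pair is acceptable for the endpoint."""
    if endpoint not in SUPPORTED_TYPES:
        return False, "unknown endpoint %r" % endpoint
    allowed = SUPPORTED_TYPES[endpoint]
    if indicator_type not in allowed:
        return False, "%r not supported by %s; use one of %s" % (indicator_type, endpoint, sorted(allowed))
    if not looks_like(indicator_type, indicator_value):
        return False, "%r does not look like a %s" % (indicator_value, indicator_type)
    return True, "ok"


class ThrottleGuard:
    """Sliding-window counter mirroring the documented 100 calls / 60 s per connection."""

    def __init__(self, calls=100, period=60.0, clock=time.monotonic):
        self.calls, self.period, self.clock = calls, period, clock
        self._stamps = deque()  # monotonic timestamps of calls inside the window

    def try_acquire(self):
        """Record a call and return True if within the limit, else False (nothing recorded)."""
        now = self.clock()
        while self._stamps and now - self._stamps[0] >= self.period:
            self._stamps.popleft()
        if len(self._stamps) >= self.calls:
            return False
        self._stamps.append(now)
        return True

    def wait_seconds(self):
        """Seconds until the next slot opens (0.0 if a call can be made now)."""
        if len(self._stamps) < self.calls:
            return 0.0
        return max(0.0, self.period - (self.clock() - self._stamps[0]))


def plan_lookups(requests, guard):
    """Split (endpoint, type, value) triples into ready / deferred / rejected lists.
    Invalid input is rejected before it would consume a throttled call."""
    ready, deferred, rejected = [], [], []
    for endpoint, itype, value in requests:
        ok, reason = validate_request(endpoint, itype, value)
        if not ok:
            rejected.append((endpoint, itype, value, reason))
        elif guard.try_acquire():
            ready.append((endpoint, itype, value))
        else:
            deferred.append((endpoint, itype, value))
    return ready, deferred, rejected


if __name__ == "__main__":
    # Constructed sample batch (documentation-range addresses and example domains).
    batch = [
        ("sinkhole", "ipv4", "192.0.2.10"),
        ("passivedns", "domain", "example.com"),
        ("os_indicators", "sha256", "ab" * 32),
        ("sinkhole", "domain", "example.net"),   # wrong type for this endpoint
        ("device_geo", "ipv4", "2001:db8::1"),   # v6 address given as ipv4
    ]
    ready, deferred, rejected = plan_lookups(batch, ThrottleGuard())
    print("ready:", ready)
    print("deferred:", deferred)
    for endpoint, itype, value, reason in rejected:
        print("rejected %s/%s=%r: %s" % (endpoint, itype, value, reason))
```

In a Power Automate or Logic Apps flow the same checks would typically be expressed as a Condition step ahead of the HYAS action; the point of the guard is that a burst larger than the window is deferred rather than sent and then rejected by the connector.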

Definitions

device_geo

Name Path Type Description
datetime
datetime string

A date-time string in RFC 3339 format.

device_user_agent
device_user_agent string

The user agent string for the device.

geo_country_alpha_2
geo_country_alpha_2 string

The ISO 3166 alpha-2 code for the country associated with the lat/long reported.

geo_horizontal_accuracy
geo_horizontal_accuracy float

The GPS horizontal accuracy.

ipv4
ipv4 string

The ipv4 address assigned to the device. A device may have either an ipv4 or an ipv6 address.

ipv6
ipv6 string

The ipv6 address assigned to the device. A device may have either an ipv4 or an ipv6 address.

latitude
latitude float

Units are degrees on the WGS 84 spheroid.

longitude
longitude float

Units are degrees on the WGS 84 spheroid.

wifi_bssid
wifi_bssid string

The BSSID (MAC address) of the wifi router that the device communicated through.

sinkhole

Name Path Type Description
count
count number

The sinkhole count.

country_name
country_name string

The country of the ip.

data_port
data_port number

The data port.

datetime
datetime string

The first seen date of the sinkhole.

ipv4
ipv4 string

The ipv4 of the sinkhole.

last_seen
last_seen string

The last seen date of the sinkhole.

organization_name
organization_name string

The isp organization for the ip.

sink_source
sink_source string

The ipv4 of the sink source.

passivedns

Name Path Type Description
cert_name
cert_name string

The certificate provider name.

count
count number

The passive dns count.

domain
domain string

The domain of the passive dns information requested.

first_seen
first_seen string

The first time this domain was seen.

city_name
ip.geo.city_name string

The City of the ip organization.

country_iso_code
ip.geo.country_iso_code string

The Country ISO code of the ip organization.

country_name
ip.geo.country_name string

The Country name of the ip organization.

location_latitude
ip.geo.location_latitude string

The latitude of the ip organization.

location_longitude
ip.geo.location_longitude string

The longitude of the ip organization.

postal_code
ip.geo.postal_code string

The postal code of the ip organization.

ip
ip.ip string

IP of the organization.

autonomous_system_number
ip.isp.autonomous_system_number string

The ASN of the ip.

autonomous_system_organization
ip.isp.autonomous_system_organization string

The ASO of the ip.

ip_address
ip.isp.ip_address string

The IP.

isp
ip.isp.isp string

The Internet Service Provider.

organization
ip.isp.organization string

The ISP organization.

ipv4
ipv4 string

The ipv4 address of the passive dns record.

ipv6
ipv6 string

The ipv6 address of the passive dns record.

last_seen
last_seen string

The last time this domain was seen.

sources
sources array of string

A list of pDNS providers which the data came from.

dynamicdns

Name Path Type Description
a_record
a_record string

The A record for the domain.

account
account string

The account holder name.

created
created string

The date which the domain was created.

created_ip
created_ip string

The ip address of the account holder.

domain
domain string

The domain associated with the dynamic dns information.

domain_creator_ip
domain_creator_ip string

The ip address of the domain creator.

email
email string

The email address connected to the domain.

passivehash

Name Path Type Description
domain
domain string

The domain of the passive hash information requested.

md5_count
md5_count number

The passive dns count.

sslcertificate

Name Path Type Description
related_count
related_count number

The number of ip addresses connected to this certificate.

ssl_certs
ssl_certs array of object

The ssl_certs object.

ip
ssl_certs.ip string

The ip address associated with certificate.

cert_key
ssl_certs.ssl_cert.cert_key string

The certificate key (sha1).

expire_date
ssl_certs.ssl_cert.expire_date string

The expiry date of the certificate.

issue_date
ssl_certs.ssl_cert.issue_date string

The issue date of the certificate.

issuer_commonName
ssl_certs.ssl_cert.issuer_commonName string

The common name that the certificate was issued from.

issuer_countryName
ssl_certs.ssl_cert.issuer_countryName string

The country ISO the certificate was issued from.

issuer_localityName
ssl_certs.ssl_cert.issuer_localityName string

The city where the issuer company is legally located.

issuer_organizationName
ssl_certs.ssl_cert.issuer_organizationName string

The organization name that issued the certificate.

issuer_organizationalUnitName
ssl_certs.ssl_cert.issuer_organizationalUnitName string

The organization unit name that issued the certificate.

issuer_stateOrProvinceName
ssl_certs.ssl_cert.issuer_stateOrProvinceName string

The issuer state or province.

md5
ssl_certs.ssl_cert.md5 string

The certificate MD5.

serial_number
ssl_certs.ssl_cert.serial_number string

The certificate serial number.

sha1
ssl_certs.ssl_cert.sha1 string

The certificate sha1.

sha_256
ssl_certs.ssl_cert.sha_256 string

The certificate sha256.

sig_algo
ssl_certs.ssl_cert.sig_algo string

The certificate signature algorithm.

signature
ssl_certs.ssl_cert.signature string

Signature split into multiple lines.

ssl_version
ssl_certs.ssl_cert.ssl_version

The SSL version.

subject_commonName
ssl_certs.ssl_cert.subject_commonName string

The subject name that the certificate was issued to.

subject_countryName
ssl_certs.ssl_cert.subject_countryName string

The country the certificate was issued to.

subject_localityName
ssl_certs.ssl_cert.subject_localityName string

The city where the subject company is legally located.

subject_organizationName
ssl_certs.ssl_cert.subject_organizationName string

The organization name that received the certificate.

subject_organizationalUnitName
ssl_certs.ssl_cert.subject_organizationalUnitName string

The organization unit name that received the certificate.

subject_stateOrProvinceName
ssl_certs.ssl_cert.subject_stateOrProvinceName string

The state or province name where the subject company is located.

timestamp
ssl_certs.ssl_cert.timestamp string

The certificate date and time.

whois

Name Path Type Description
address
address array of string

The address information.

city
city array of string

The city information.

country
country array of string

The country information.

domain
domain string

The domain of the registrant.

domain_2tld
domain_2tld string

The second-level domain of the registrant.

domain_created_datetime
domain_created_datetime string

The date and time when the whois record was created.

domain_expires_datetime
domain_expires_datetime string

The date and time when the whois record expires.

domain_updated_datetime
domain_updated_datetime string

The date and time when the whois record was last updated.

email
email array of string

The email information.

idn_name
idn_name string

The international domain name.

nameserver
nameserver array of string

The nameserver information.

phone
phone array of object

Array of objects: the registrant contact phone number in e164 format along with geo info.

phone
phone.phone string

The phone number registrant contact in e164 format.

carrier
phone.phone_info.carrier string

Phone number carrier.

country
phone.phone_info.country string

Phone number country.

geo
phone.phone_info.geo string

Phone number geo; can be a city, province, region or country.

privacy_punch
privacy_punch boolean

True if this record has additional information that bypasses privacy protection.

registrar
registrar string

The domain registrar.

whois_hash
whois_hash string

The hash information.

whois_id
whois_id string

The whois id information.

c2attribution

Name Path Type Description
actor_ipv4
actor_ipv4 string

The actor ipv4.

c2_domain
c2_domain string

The c2 domain.

c2_ip
c2_ip string

The c2 ipv4.

c2_url
c2_url string

The C2 panel url.

datetime
datetime string

C2 Attribution datetime.

email
email string

The actor email.

email_domain
email_domain string

The email domain.

referrer_domain
referrer_domain string

The referrer domain.

referrer_ipv4
referrer_ipv4 string

The referrer ipv4.

referrer_url
referrer_url string

The referrer url.

sha256
sha256 string

The sha256 malware hash.

sample_information

Name Path Type Description
avscan_score
avscan_score string

AV scan score.

md5
md5 string

MD5 Hash.

scan_results
scan_results array of object
av_name
scan_results.av_name string

The AV Name.

def_time
scan_results.def_time string

The AV datetime.

threat_found
scan_results.threat_found string

The source.

scan_time
scan_time string

The datetime of the scan.

sha1
sha1 string

The sha1 hash.

sha256
sha256 string

The sha256 hash.

sha512
sha512 string

The sha512 hash.

sample

Name Path Type Description
datetime
datetime string

The date which the sample was processed.

domain
domain string

The domain of the sample.

ipv4
ipv4 string

The ipv4 of the sample.

ipv6
ipv6 string

The ipv6 of the sample.

md5
md5 string

The md5 of the sample.

sha1
sha1 string

The sha1 of the sample.

sha256
sha256 string

The sha256 of the sample.

os_indicators

Name Path Type Description
context
context string

Additional information about source.

data
data object

The json blob with raw data.

datetime
datetime string

The date-time string in RFC 3339 format.

domain
domain string

The domain.

domain_2tld
domain_2tld string

The domain_2tld.

first_seen
first_seen string

The date-time string in RFC 3339 format.

ipv4
ipv4 string

The ipv4 address. Can be a cidr.

ipv6
ipv6 string

The ipv6 address. Can be a cidr.

last_seen
last_seen string

The date-time string in RFC 3339 format.

md5
md5 string

The md5 value.

sha1
sha1 string

The sha1 value.

sha256
sha256 string

The sha256 value.

source_name
source_name string

The source_name.

source_url
source_url string

The source_url.

uri
uri string

The source uri value.

whois_current

Name Path Type Description
items
items array of object

The items object.

abuse_emails
items.abuse_emails array of string

The abuse emails information.

address
items.address array of string

The address information.

city
items.city array of string

The city of the registrant.

country
items.country array of string

The country of the registrant.

data
items.data string

The data information.

datetime
items.datetime string

The datetime information.

domain
items.domain string

The domain of the registrant.

domain_2tld
items.domain_2tld string

The second-level domain of the registrant.

domain_created_datetime
items.domain_created_datetime string

The date and time when the Whois record was created.

domain_expires_datetime
items.domain_expires_datetime string

The date and time when the Whois record expires.

domain_updated_datetime
items.domain_updated_datetime string

The date and time when the Whois record was last updated.

email
items.email array of string

The email information.

idn_name
items.idn_name string

The international domain name information.

meta_data
items.meta_data string

The metadata information.

name
items.name array of string

The contact name (registrant contact, administrative contact, technical contact, or abuse contact).

nameserver
items.nameserver array of string

The nameserver domain.

organization
items.organization array of string

The organization information.

phone
items.phone array of

The phone number of the registrant in e164 format.

registrar
items.registrar string

The domain registrar.

state
items.state array of

The state where domain was registered.

whois_hash
items.whois_hash string

The hash information.

whois_id
items.whois_id string

The whois id information.

whois_nameserver
items.whois_nameserver array of object

The whois_nameserver object.

domain
items.whois_nameserver.domain string

The nameserver's domain information.

domain_2tld
items.whois_nameserver.domain_2tld string

The nameserver's domain_2tld information.

whois_related_nameserver_id
items.whois_nameserver.whois_related_nameserver_id string

The nameserver's Id Information.

whois_pii
items.whois_pii array of object

The whois_pii object.

address
items.whois_pii.address string

The personal identity address information.

city
items.whois_pii.city string

The personal identity city information.

data
items.whois_pii.data string

The personal identity data information.

email
items.whois_pii.email string

The personal identity email information.

geo_country_alpha_2
items.whois_pii.geo_country_alpha_2 string

The personal identity country information.

name
items.whois_pii.name string

The personal identity name information.

organization
items.whois_pii.organization string

The personal identity organization information.

phone_e164
items.whois_pii.phone_e164 string

The personal identity Phone_e164 information.

state
items.whois_pii.state string

The personal identity state information.

whois_related_pii_id
items.whois_pii.whois_related_pii_id string

The personal identity Id information.

whois_related_type
items.whois_pii.whois_related_type string

The personal identity related information.

source
source string

The source information.

total_count
total_count number

The total count information.