Flashpoint

Details
Content
Dependencies
Version History

Use the Flashpoint integration to reduce business risk.

Use the Flashpoint integration to reduce business risk. Flashpoint allows users to ingest alerts and compromised credentials as incident alerts and executes commands such as search intelligence report, ip, url, get events, and more.

What does this pack do?

The actions in this pack helps you to determine risks and help to remediate tasks using playbook:

Get alerts, compromised credentials, forum details, event details, report and reputation information.
Investigate compromised credentials incident.

Playbook

Compromised Credentials Match - Flashpoint: It authenticates and expires the credentials and sends an email alert.

For more information, visit our Flashpoint Developer Documentation

What does this pack do?

The actions in this pack helps you to determine risks and help to remediate tasks using playbook:

Get alerts, compromised credentials, forum details, event details, report and reputation information.
Investigate compromised credentials incident.

Playbook

Compromised Credentials Match - Flashpoint: It authenticates and expires the credentials and sends an email alert.

For more information, visit our Flashpoint Developer Documentation

Classifiers

Name	Description
Ignite Alert - Incoming Mapper	The incoming mapper for the Ignite Alert.
Flashpoint Compromised Credentials - Incoming Mapper	Incoming Mapper for Flashpoint Compromised Credentials
Flashpoint Alerts - Incoming Mapper	Incoming Mapper for Flashpoint Alerts

Incident Fields

Name	Description
Flashpoint Site Title	The original site or platform where the resource was published.
Flashpoint Services	Services of the FLahpoint alert asset
Flashpoint Basetypes
Flashpoint Read Status
Flashpoint Is Fresh	This will be "true" if the credential has not been seen before, and it hasn't been marked "not fresh" by an analyst.
Flashpoint Container	Container of Flashpoint alert resource
Flashpoint Entity Type
Flashpoint Reason Sources
Flashpoint Shodan Host	Information about Shodan Host
Flashpoint Native ID	The ID used by the original site for the resource.
Flashpoint Affected Domain	Affected domain of the IoC.
Flashpoint Parent Basetypes	Basetypes of Flashpoint alert's parent
Flashpoint Alert Text	The body of the alert.
Flashpoint Keyword Text	The value of the keyword.
Flashpoint Sort Date	Sort date of the alert.
Flashpoint Data Type
Flashpoint Source Name	Name of flashpoint alert resource
Flashpoint Parent Data Type
Flashpoint Entity ID
Flashpoint Site Name	Name of Site of Flashpoint Alert's resource.
Flashpoint Entity Name
Flashpoint Mime Type	Mime Type of Flashpoint alert's resource's media.
Flashpoint Source ID	ID of flashpoint Source.
Flashpoint Source	Code repository platform.
Flashpoint Victim	Victim of the breach.
Flashpoint Source Repo	Repository name.
Flashpoint ID	The Flashpoint ID of the alert.
Flashpoint Compromised Email	The email address for the compromised credential.
Flashpoint Source Owner	Author of the repo.
Flashpoint Compromised Password	The password for the credential (in plain text, if possible).
Flashpoint Source File	File name for the matched alert.
Flashpoint Resource URL	URL of Flashpoint Alert.
Flashpoint Site Actor Name	Actor name of Flashpoint alert's resource's site.
Flashpoint Reason Text	Reason Text of Flashpoint Alert reason.
Flashpoint Source Basetypes	The type of the alert.
Flashpoint Created Date	The created date of the alert. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ.
Flashpoint Breach Source Type	Type of source of the breach.
Flashpoint Media Type	Media Type of Flashpoint alert's resource's media.
Flashpoint Ports	Ports of the FLahpoint alert asset
Flashpoint Site Actor Names	The handle of the user who created the message, authored the blog post, or posted a product for sale.
Flashpoint Reason Type
Flashpoint Alert ID	The ID of the alert.
Flashpoint Title	The title of the alert.
Flashpoint Password Probable Hash Algorithms	The probable hash algorithm information of the password.
Flashpoint Image Safe Search
Flashpoint Reason Origin
Flashpoint Generated Date	Generated Timestamp of Flashpoint alert
Flashpoint Source URL	Link to the alerted source.
Flashpoint Link to Alert	The link of the alert.
Flashpoint Reason ID	ID of Flashpoint reason
Flashpoint Source Domain	This is the domain object extracted off of the email address.
Flashpoint Breach Source	Data source of breach (i.e. Analyst Research, CredentialStealer, etc.).
Flashpoint Source Sort Date	Sort Date of Flashpoint alert's resource.
Flashpoint Status	status of flashpoint alert.
Flashpoint Last Observed Date	If exists, time object for when the credential was previously observed. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ.
Flashpoint Reason Name
Flashpoint Phash	Phash of Flashpoint alert's resource's media.
Flashpoint Header Indexed At Date	Timestamp for when this document was indexed into the Flashpoint database.
Flashpoint First Observed Date	The first observed date of the alert. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ.
Flashpoint Site Native ID	Native ID of Site actor of flashpoint alert's resource.
Flashpoint Media Storage URI	Storage URI of Flashpoint alert resource's media.
Flashpoint Source Snippet	Snippet of flashppoint alert
Flashpoint Password Information	The information about password complexity of the credential.

Incident Types

Name	Description
Flashpoint Compromised Credentials
Flashpoint Alerts
Ignite Alert

Integrations

Name	Description
Flashpoint Ignite (Partner Contribution)	Use the Ignite integration to reduce business risk. Ignite allows users to ingest alerts and compromised credentials as incident alerts and executes commands such as search intelligence report, ip, url, get events, and more.
Flashpoint (Deprecated) (Partner Contribution)	Deprecated. Use Flashpoint Ignite instead.

Layouts

Name	Description
Flashpoint Compromised Credentials	Flashpoint Compromised Credentials Layout.
Ignite Alert	Ignite Alerts Layout.
Flashpoint Alerts	Flashpoint Alerts Layout.

Playbooks

Name	Description
Compromised Credentials Match - Flashpoint	The Compromised Credentials Match playbook uses the details of the compromised credentials ingested from Flashpoint Ignite and authenticates using the Active Directory integration by providing the compromised credentials of the user. It then expires the credentials if it matches, and sends an email alert about the breach. Supported integrations: Flashpoint OpenLDAP Active Directory Query v2

Classifiers

Name	Description
Ignite Alert - Incoming Mapper	The incoming mapper for the Ignite Alert.
Flashpoint Compromised Credentials - Incoming Mapper	Incoming Mapper for Flashpoint Compromised Credentials
Flashpoint Alerts - Incoming Mapper	Incoming Mapper for Flashpoint Alerts

Incident Fields

Name	Description
Flashpoint Media Type	Media Type of Flashpoint alert's resource's media.
Flashpoint Site Title	The original site or platform where the resource was published.
Flashpoint Breach Source	Data source of breach (i.e. Analyst Research, CredentialStealer, etc.).
Flashpoint Site Actor Names	The handle of the user who created the message, authored the blog post, or posted a product for sale.
Flashpoint Compromised Email	The email address for the compromised credential.
Flashpoint Sort Date	Sort date of the alert.
Flashpoint First Observed Date	The first observed date of the alert. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ.
Flashpoint Image Safe Search
Flashpoint Source Repo	Repository name.
Flashpoint Source Snippet	Snippet of flashppoint alert
Flashpoint Password Probable Hash Algorithms	The probable hash algorithm information of the password.
Flashpoint Source Owner	Author of the repo.
Flashpoint Phash	Phash of Flashpoint alert's resource's media.
Flashpoint Entity Type
Flashpoint Affected Domain	Affected domain of the IoC.
Flashpoint Reason ID	ID of Flashpoint reason
Flashpoint Reason Text	Reason Text of Flashpoint Alert reason.
Flashpoint Site Native ID	Native ID of Site actor of flashpoint alert's resource.
Flashpoint Generated Date	Generated Timestamp of Flashpoint alert
Flashpoint Password Information	The information about password complexity of the credential.
Flashpoint Parent Data Type
Flashpoint Source File	File name for the matched alert.
Flashpoint Native ID	The ID used by the original site for the resource.
Flashpoint Site Name	Name of Site of Flashpoint Alert's resource.
Flashpoint ID	The Flashpoint ID of the alert.
Flashpoint Basetypes
Flashpoint Is Fresh	This will be "true" if the credential has not been seen before, and it hasn't been marked "not fresh" by an analyst.
Flashpoint Container	Container of Flashpoint alert resource
Flashpoint Source Domain	This is the domain object extracted off of the email address.
Flashpoint Created Date	The created date of the alert. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ.
Flashpoint Source ID	ID of flashpoint Source.
Flashpoint Services	Services of the FLahpoint alert asset
Flashpoint Title	The title of the alert.
Flashpoint Last Observed Date	If exists, time object for when the credential was previously observed. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ.
Flashpoint Ports	Ports of the FLahpoint alert asset
Flashpoint Parent Basetypes	Basetypes of Flashpoint alert's parent
Flashpoint Source Name	Name of flashpoint alert resource
Flashpoint Source URL	Link to the alerted source.
Flashpoint Header Indexed At Date	Timestamp for when this document was indexed into the Flashpoint database.
Flashpoint Victim	Victim of the breach.
Flashpoint Reason Name
Flashpoint Keyword Text	The value of the keyword.
Flashpoint Alert ID	The ID of the alert.
Flashpoint Alert Text	The body of the alert.
Flashpoint Resource URL	URL of Flashpoint Alert.
Flashpoint Link to Alert	The link of the alert.
Flashpoint Reason Type
Flashpoint Data Type
Flashpoint Mime Type	Mime Type of Flashpoint alert's resource's media.
Flashpoint Site Actor Name	Actor name of Flashpoint alert's resource's site.
Flashpoint Source Basetypes	The type of the alert.
Flashpoint Source	Code repository platform.
Flashpoint Source Sort Date	Sort Date of Flashpoint alert's resource.
Flashpoint Entity ID
Flashpoint Reason Origin
Flashpoint Shodan Host	Information about Shodan Host
Flashpoint Compromised Password	The password for the credential (in plain text, if possible).
Flashpoint Media Storage URI	Storage URI of Flashpoint alert resource's media.
Flashpoint Entity Name
Flashpoint Breach Source Type	Type of source of the breach.
Flashpoint Reason Sources
Flashpoint Status	status of flashpoint alert.
Flashpoint Read Status

Incident Types

Name	Description
Flashpoint Compromised Credentials
Ignite Alert
Flashpoint Alerts

Integrations

Name	Description
Flashpoint Ignite (Partner Contribution)	Use the Ignite integration to reduce business risk. Ignite allows users to ingest alerts and compromised credentials as incident alerts and executes commands such as search intelligence report, ip, url, get events, and more.
Flashpoint (Deprecated) (Partner Contribution)	Deprecated. Use Flashpoint Ignite instead.

Playbooks

Name	Description
Compromised Credentials Match - Flashpoint	The Compromised Credentials Match playbook uses the details of the compromised credentials ingested from Flashpoint Ignite and authenticates using the Active Directory integration by providing the compromised credentials of the user. It then expires the credentials if it matches, and sends an email alert about the breach. Supported integrations: Flashpoint OpenLDAP Active Directory Query v2

Required Content Packs (4)

Pack Name	Pack By
Active Directory Query	By: Cortex XSOAR
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
LDAP Authentication	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Active Directory Query	By: Cortex XSOAR
LDAP Authentication	By: Cortex XSOAR

2.0.1 - 1480610 (October 8, 2024)

Integrations

Flashpoint Ignite

Fixed an issue with the resource URL incident field in cases where it is not populated by default.
Updated the Docker image to: demisto/python3:3.11.10.111526.

Related pull requests:
- 36595
- 36646

Download

2.0.0 - R1221739 (July 29, 2024)

Incident Fields

Flashpoint Alert ID
Added the "Ignite Alert" incident type.
Flashpoint Alert Text
Added the "Ignite Alert" incident type.
Flashpoint Created Date
Added the "Ignite Alert" incident type.
Flashpoint Source
Added the "Ignite Alert" incident type.
Flashpoint Source File
Added the "Ignite Alert" incident type.
Flashpoint Source Owner
Added the "Ignite Alert" incident type.
Flashpoint Source Repo
Added the "Ignite Alert" incident type.

Incident Types

New: Ignite Alert
New: Ignite Alert

Integrations

Flashpoint (Deprecated)

Deprecated. Use Flashpoint Ignite instead.

New: Flashpoint Ignite

New: Use the Ignite integration to reduce business risk. Ignite allows users to ingest alerts and compromised credentials as incident alerts and execute commands such as search intelligence report, ip, url, get events, and more.

Updated the Docker image to: demisto/python3:3.11.9.104957

Layouts

New: Ignite Alert
New: Added the new layout for the "Ignite Alert" incident type (Available from Cortex XSOAR 6.10.0).

Mappers

New: Ignite Alert - Incoming Mapper

New: Added the new incoming mapper for the "Ignite Alert" incident type (Available from Cortex XSOAR 6.10.0).

Playbooks

Compromised Credentials Match - Flashpoint

Updated the condition for checking the enabled integration of Ignite instead of the deprecated Flashpoint integration.

Related pull requests:
- 35587
- 35268

Download

1.3.17 - R828628 (February 14, 2024)

Integrations

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32259

Download

1.3.16 - 743135 (January 4, 2024)

Integrations

Flashpoint

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31967

Download

1.3.15 - R6592021 (October 13, 2023)

Integrations

Flashpoint

Updated the Docker image to: demisto/python3:3.10.12.66339.

Related pull requests:
- 28758

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	November 25, 2020
Last Release	October 8, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.