IntSights
Integration version: 20.0
Configure IntSights integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Actions
Add Note
Description
Add a note to the alert in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | String | N/A | Yes | Specify the ID of the alert to which you want to add a note. |
| Note | String | N/A | Yes | Specify the note for the alert. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful (is_success=true): "Successfully add a note to the alert with ID '{0}' in Intsights ".format(alert id) The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Add Note". Reason: {0}''.format(error.Stacktrace) If the 404 status code is reported: "Error executing action "Add Note". Reason: alert with ID {alert id} was not found in IntSights.' | General |
Ask An Analyst
Description
Ask an analyst regarding the alert in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | String | N/A | Yes | Specify the ID of the alert where you want to ask the analyst. |
| Comment | String | N/A | Yes | Specify the comment for the analyst. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully asked analyst in the alert with ID '{0}' in Intsights ".format(alert id) If the 400 or 500 status code is reported: "Action was not able to ask the analyst in the alert with ID {0} in Intsights. Reason: {1}.".format(alert_id, response string) The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Ask an Analyst". Reason: {0}''.format(error.Stacktrace) | General |
Assign Alert
Description
Assign alert to an analyst in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | String | N/A | Yes | Specify the ID of the alert on which you want to change the assignment. |
| Assignee ID | String | N/A | No | Specify the ID of the analyst that should be assigned to the alert. |
| Assignee Email Address | String | N/A | No | Specify the email address of the analyst that should be assigned to the alert. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful with assignee ID: "Successfully assigned analyst with ID '{0}' to the alert with ID {1} in Intsights ".format(assignee id, alert id) If successful with assignee email address: "Successfully assigned analyst with email address '{0}' to the alert with ID {1} in Intsights ".format(assignee email address, alert id) If assignee is not found, the status code is 400, and worked with assignee ID: "Action was not able to change the assignment on the alert with ID {0}. Reason: Assignee with ID {1} was not found.".format(alert_id, assignee id) If the 400 or 500 status code is reported: "Action was not able to change the assignment on the alert with ID {0}. Reason: {1}.".format(alert_id, response) The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Assign Alert". Reason: {0}''.format(error.Stacktrace) If the "Assignee ID" and "Assignee Email address" parameters are not specified: "Assignee ID or Email Address should be specified." | General |
Close Alert
Description
Close alert in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | String | N/A | Yes | Specify the ID of the alert which you want to close. |
| Reason | DDL | Problem Solved Possible Values: | Yes | Specify the reason why the alert needs to be closed. |
| Additional Info | String | N/A | No | Specify additional information explaining why the alert should be closed. |
| Rate | Integer | 5 | No | Specify the rating of the alert. Maximum is 5. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully closed the alert with ID '{0}' in Intsights ".format(alert id) If the 400 status code is reported: "Action was not able to close the alert with ID {0} in Intsights. Reason: {1}.".format(alert_id, response string) The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Close Alert". Reason: {0}''.format(error.Stacktrace) If the "Rate" parameter is not in the 1-5 range: "Rate value should be in range from 1 to 5." | General |
Download Alert CSV
Description
Download CSV file containing information related to alert in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | String | N/A | Yes | Specify the ID of the alert for which you want to download CSV. |
| Download Folder Path | String | N/A | Yes | Specify the path to the folder, where you want to store the CSV file. |
| Overwrite | Checkbox | N/A | No | If enabled, action will overwrite the file with the same name. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{"absolute_paths":["/opt/file_1"]}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful for at least one CSV (is_success=true): "Successfully downloaded CSV for the alert with ID {0} in Intsights:".format(alert_id) If the 400 status code is reported (is_success=true): "No CSV information was found for the alert with ID {alert_id} in Intsights." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Download Alert CSV". Reason: {0}''.format(error.Stacktrace) If a file with the same name already exists, but "Overwrite" is set to false: "Error executing action "Download Alert CSV". Reason: file with path {0} already exists. Please delete the file or set "Overwrite" to true." If the 404 status code is reported: "Error executing action "Download Alert CSV". Reason: Unable to find alert with ID {ID}' | General |
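The "Overwrite" behaviour described above, as an added example that is not the integration's own code: the file name is derived from the alert ID, an existing file is refused unless Overwrite is set, and the absolute path is returned as in the absolute_paths JSON result. The character filtering on the alert ID is added hardening and an assumption, not something the page documents.

```python
import os
import tempfile
from pathlib import Path

class FileExistsNoOverwrite(Exception):
    """Raised for the documented 'file with path ... already exists' case."""

def save_alert_csv(download_folder, alert_id, csv_bytes, overwrite=False):
    """Write csv_bytes as <alert_id>.csv inside download_folder and return its absolute path."""
    folder = Path(download_folder).resolve()
    folder.mkdir(parents=True, exist_ok=True)
    # Added hardening (an assumption, not the integration's own logic): derive the file
    # name only from safe characters so an odd alert ID cannot escape the download folder.
    safe_id = "".join(c for c in str(alert_id) if c.isalnum() or c in "-_")
    if not safe_id:
        raise ValueError("alert_id yields an empty file name")
    target = (folder / f"{safe_id}.csv").resolve()
    if target.parent != folder:
        raise ValueError("resolved path escapes the download folder")
    # "xb" fails atomically if the file exists, so the Overwrite check has no race window.
    mode = "wb" if overwrite else "xb"
    try:
        with open(target, mode) as fh:
            fh.write(csv_bytes)
    except FileExistsError:
        raise FileExistsNoOverwrite(
            f'file with path {target} already exists. '
            'Please delete the file or set "Overwrite" to true.') from None
    return str(target)            # what the action reports under absolute_paths

def demo():
    """Exercise the three cases in a throwaway folder; returns a tuple of observations."""
    with tempfile.TemporaryDirectory() as tmp:
        first = save_alert_csv(tmp, "alert-1", b"col_a,col_b\n1,2\n")   # constructed CSV
        try:
            save_alert_csv(tmp, "../alert-1", b"x")   # sanitised to alert-1.csv -> refused
            refused = False
        except FileExistsNoOverwrite:
            refused = True
        second = save_alert_csv(tmp, "alert-1", b"x", overwrite=True)
        return os.path.basename(first), refused, second == first, Path(second).read_bytes()
```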
Get Alert Image
Description
Retrieve information about alert images in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert Image IDs | CSV | N/A | Yes | Specify the comma-separated list of alert image IDs. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[{"image_name":"5b59daf4bdafd90xxxxxx","image_base64_content":"image content in base64"}]
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful for at least one image: "Successfully retrieved images from the following IDs in Intsights:".format(list of ids) If not successful for at least one image: "Action wasn't able to successfully retrieve images from the following IDs in Intsights:\n".format(list of ids) If not successful for all images: "No images were retrieved". The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Alert Image". Reason: {0}''.format(error.Stacktrace) | General |
Ping
Description
Check connectivity.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the URL entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Reopen Alert
Description
Reopen alert in IntSights.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | String | N/A | Yes | Specify the ID of the alert which you want to reopen. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully reopened the alert with ID '{0}' in Intsights ".format(alert id) If the 400 status code is reported: "Action was not able to reopen the alert with ID {0} in Intsights. Reason: {1}.".format(alert_id, response string) The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Reopen Alert". Reason: {0}''.format(error.Stacktrace) | General |
Search IOCs
Description
Organize and search all your IOCs within a single, easy-to-use dashboard. The centralized TIP dashboard summarizes IOCs by severity and confidence level, so you can easily understand which malicious IOCs pose the greatest risk to your organization.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[{"EntityResult":{"Status":"Active","Domain":"sephoratv.com","Severity":{"Status":"done","LastUpdate":"2019-01-20T04:32:58.833Z","Features":[{"Score":10,"Name":"base_intsights_multiple","Match":1},{"Score":0,"Name":"domain_associated_malware_names","Match":0},{"Score":0,"Name":"domain_associated_malware_ip_addresses","Match":1}],"LastUpdateMessage":"","Value":"Low","Score":20},"SourceID":"59e376681bb0800644e1368f","Value":"sephoratv.com","Flags":{"IsInAlexa":false},"LastSeen":"2019-01-20T04:24:27.258Z","_id":"5c43f80483df230007485c48","Type":"Domains","Enrichment":{"Status":"done","LastUpdate":"2019-01-20T04:32:58.613Z","Data":{"domain_status_blocked":false,"latest_resolution_date":"2019-01-20T04:27:22.299Z","associated_malware_ip_addresses":["185.16.44.132"],"contact_emails":[],"referencing_file_hashes":[],"malware_category":[],"mail_servers":["a.mx.domainoo.fr."],"associated_malware_names":[],"threat_actor_category":[],"campaigns":[],"associated_malware_families":[],"resolved_ips":["185.16.44.132"],"cve_ids":[],"downloaded_file_hashes":[],"domain_expired":false,"communicating_file_hashes":["210c2ddbf747220df645fc4d77e7decd1be7df27e43b2f79e4b45bd5fe0a2a6e"],"name_servers":["a.ns.domainoo.fr.","b.ns.domainoo.fr.","c.ns.domainoo.fr."],"registrar":"N/A","threat_actors":[]}},"FirstSeen":"2019-01-20T04:24:27.258Z","AccountID":null},"Entity":"sephoratv.com"}]
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| Status | Returns if it exists in JSON result |
| Domain | Returns if it exists in JSON result |
| Severity | Returns if it exists in JSON result |
| SourceID | Returns if it exists in JSON result |
| Value | Returns if it exists in JSON result |
| Flags | Returns if it exists in JSON result |
| LastSeen | Returns if it exists in JSON result |
| _id | Returns if it exists in JSON result |
| Type | Returns if it exists in JSON result |
| Enrichment | Returns if it exists in JSON result |
| FirstSeen | Returns if it exists in JSON result |
| AccountID | Returns if it exists in JSON result |
Insights
Yes
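The enrichment mapping in the table above, as an added example that is not the integration's own code: each field listed in the Entity Enrichment table is copied only when it exists in the EntityResult, nested objects are flattened into dotted keys (an assumed convention, not the product's), and entities are ordered by severity score so the highest-risk IOCs surface first. The sample result is constructed in the shape of the JSON above with placeholder values; the "IpAddresses" type string is also an assumption.

```python
import json

# Constructed sample in the shape of this page's Search IOCs JSON result; the
# indicators, IDs and IP are placeholders, not real data.
SAMPLE_RESULT = json.loads("""[
 {"EntityResult": {"Status": "Active", "Domain": "example.test", "Type": "Domains",
   "Severity": {"Status": "done", "Value": "Low", "Score": 20,
     "Features": [{"Score": 10, "Name": "base_intsights_multiple", "Match": 1}]},
   "SourceID": "src-placeholder", "Value": "example.test", "_id": "id-placeholder",
   "Flags": {"IsInAlexa": false}, "LastSeen": "2019-01-20T04:24:27.258Z",
   "Enrichment": {"Status": "done", "Data": {"resolved_ips": ["192.0.2.10"],
     "cve_ids": [], "domain_expired": false}},
   "FirstSeen": "2019-01-20T04:24:27.258Z", "AccountID": null}, "Entity": "example.test"},
 {"EntityResult": {"Status": "Active", "Value": "198.51.100.7", "Type": "IpAddresses",
   "Severity": {"Status": "done", "Value": "High", "Score": 85}}, "Entity": "198.51.100.7"}
]""")

# Fields from the Entity Enrichment table; each is copied only when present.
ENRICHMENT_FIELDS = ("Status", "Domain", "Severity", "SourceID", "Value", "Flags",
                     "LastSeen", "_id", "Type", "Enrichment", "FirstSeen", "AccountID")

def flatten(prefix, value, out):
    """Flatten nested objects into dotted keys (an assumed convention, not the product's)."""
    if isinstance(value, dict):
        for k, v in value.items():
            flatten(f"{prefix}.{k}", v, out)
    elif isinstance(value, list) and any(isinstance(v, (dict, list)) for v in value):
        for i, v in enumerate(value):
            flatten(f"{prefix}.{i}", v, out)
    elif isinstance(value, list):
        out[prefix] = ",".join(str(v) for v in value)   # scalar lists become CSV strings
    else:
        out[prefix] = value

def enrich(results):
    """Map each Entity to its flattened enrichment fields, skipping absent fields."""
    enriched = {}
    for item in results:
        data = item.get("EntityResult") or {}
        fields = {}
        for name in ENRICHMENT_FIELDS:
            if name in data:                      # "Returns if it exists in JSON result"
                flatten(f"IntSights.{name}", data[name], fields)
        enriched[item["Entity"]] = fields
    return enriched

def by_risk(enriched):
    """Entities ordered by IntSights severity score, highest risk first."""
    return sorted(enriched, key=lambda e: enriched[e].get("IntSights.Severity.Score", 0),
                  reverse=True)
```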
Connectors
IntSights Connector
Description
Fetches issues from IntSights to Google SecOps.
Configure IntSights Connector in Google SecOps
For detailed instructions on how to configure a connector in Google SecOps, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Name | Type | Default Value | Description |
|---|---|---|---|
| DeviceProductField | String | Details_Source_NetworkType | The field name used to determine the device product. |
| EventClassId | String | Details_Title | The field name used to determine the event name (sub-type). |
| PythonProcessTimeout | String | 60 | The timeout limit (in seconds) for the python process running current script. |
| Api Root | String | https://api.intsights.com | The API root of the Intsights server. |
| Account ID | String | N/A | The account ID to login with. |
| Api Key | Password | N/A | The API key to login with. |
| Verify SSL | Checkbox | Unchecked | Whether to verify the SSL certificate of the server. |
| Max Days Backwards | Integer | 3 | Max number of days backwards to pull alerts from. |
| Max Alerts Per Cycle | Integer | 10 | Max number of alerts to fetch per single connector cycle. |
| Proxy Server Address | String | N/A | The address of the proxy server to use. |
| Proxy Username | String | N/A | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | The proxy password to authenticate with. |
Connector Rules
Proxy Support
The connector supports proxy.
Whitelist/Blacklist
The connector supports Whitelist/Blacklist rules.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.