Darkmon
Stay ahead of cyber threats with Darkmon TIP - real-time threat intelligence from the Clear, Deep, and Dark Web tailored to your assets. Pack also helps with integration with Cortex XSOAR and provides pre-made playbooks/templates to ease integration use.
Data Enrichment & Threat Intelligence · Darkmon
Configuration parameters
base_url— API Base URLX-API-KEY— (required)insecure— Trust any certificate (not secure)proxy— Use system proxy settingsintegrationReliability— Source Reliabilityredact_secrets— Redact secrets in War Room outputfirst_fetch— First fetch timemax_fetch— Maximum number of incidents per fetchincident_types_to_fetch— Darkmon incident types to fetchincidentType— Incident typeisFetch— Fetch incidents
Commands (16)
-
dmontip-get-boardemailsRetrieves leaked accounts, combo lists, or public breaches associated with a board-protected email. Use dmontip-get-boardprotection first to list monitored emails.
-
dmontip-get-boardprotectionLists the emails currently under board-leak protection (monitored) including request state, owner name, and tokens. Backed by the board-leak/request endpoint.
-
dmontip-get-compromisedRetrieve compromised data of a given type from Darkmon - leaked accounts, leaked bank cards, combo lists, public breaches, or compromised employee accounts. Use the 'type' argument to choose the data set.
-
dmontip-get-cveRetrieve security vulnerabilities (CVEs) with severity, CVSS score, published/lastModified timestamps, source identifier, and tags.
-
dmontip-get-landscapeRetrieve cybersecurity landscape news articles or company-specific landscape mentions with title, link, source, author, and matched keywords.
-
dmontip-get-nrdRetrieve newly registered domains (NRD) recently observed by Darkmon, sorted newest first by timestamp unless overridden. Filters the IOC feed by classification NEWLY_REGISTERED_DOMAIN.
-
dmontip-get-proxyRetrieve known open-proxy IOCs with pagination, sorted newest first by firstSeen unless overridden.
-
dmontip-get-ransomwareRetrieve ransomware articles or company-specific ransomware mentions with details such as victim name, threat actor, published date, and matched keywords. Sorted newest first by publishedAt unless overridden.
-
dmontip-get-tbfRetrieve telnet brute-force IOCs - sources observed attempting telnet brute-force attacks, sorted newest first by timestamp unless overridden. Filters the IOC feed by classification TELNET_BRUTE_FORCE.
-
dmontip-get-vpnRetrieve known VPN exit-node IOCs with pagination, sorted newest first by firstSeen unless overridden.
-
dmontip-global-searchThe dmontip-global-search command performs a comprehensive search across the Darkmon Threat Intelligence Platform. This command allows users to search for indicators, threat actors, malware, and other intelligence data using keywords or specific search terms. It queries multiple data sources simultaneously and returns consolidated results, helping analysts quickly find relevant intelligence across the platform.
-
domainPerforms domain-focused threat intelligence searches in the Darkmon platform. Returns comprehensive information about potentially malicious domains.
-
emailSearches for threat intelligence related to specific email addresses. Identifies compromised accounts or emails associated with malicious activities.
-
fileSearches the Darkmon platform using file hash values (MD5, SHA-1, SHA-256). Identifies malware and provides associated threat intelligence data.
-
ipSearches the Darkmon platform for intelligence related to a specific IP address. A focused interface for threat intelligence lookup of IP indicators.
-
urlSearches for URL-specific threat intelligence across the Darkmon platform. Quickly identifies malicious or suspicious URLs and associated threat data.