Darkmon

Stay ahead of cyber threats with Darkmon TIP - real-time threat intelligence from the Clear, Deep, and Dark Web tailored to your assets. Pack also helps with integration with Cortex XSOAR and provides pre-made playbooks/templates to ease integration use.

Data Enrichment & Threat Intelligence · Darkmon

Configuration parameters

  • base_url — API Base URL
  • X-API-KEY — (required)
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings
  • integrationReliability — Source Reliability
  • redact_secrets — Redact secrets in War Room output
  • first_fetch — First fetch time
  • max_fetch — Maximum number of incidents per fetch
  • incident_types_to_fetch — Darkmon incident types to fetch
  • incidentType — Incident type
  • isFetch — Fetch incidents

Commands (16)

  • dmontip-get-boardemails

    Retrieves leaked accounts, combo lists, or public breaches associated with a board-protected email. Use dmontip-get-boardprotection first to list monitored emails.

  • dmontip-get-boardprotection

    Lists the emails currently under board-leak protection (monitored) including request state, owner name, and tokens. Backed by the board-leak/request endpoint.

  • dmontip-get-compromised

    Retrieve compromised data of a given type from Darkmon - leaked accounts, leaked bank cards, combo lists, public breaches, or compromised employee accounts. Use the 'type' argument to choose the data set.

  • dmontip-get-cve

    Retrieve security vulnerabilities (CVEs) with severity, CVSS score, published/lastModified timestamps, source identifier, and tags.

  • dmontip-get-landscape

    Retrieve cybersecurity landscape news articles or company-specific landscape mentions with title, link, source, author, and matched keywords.

  • dmontip-get-nrd

    Retrieve newly registered domains (NRD) recently observed by Darkmon, sorted newest first by timestamp unless overridden. Filters the IOC feed by classification NEWLY_REGISTERED_DOMAIN.

  • dmontip-get-proxy

    Retrieve known open-proxy IOCs with pagination, sorted newest first by firstSeen unless overridden.

  • dmontip-get-ransomware

    Retrieve ransomware articles or company-specific ransomware mentions with details such as victim name, threat actor, published date, and matched keywords. Sorted newest first by publishedAt unless overridden.

  • dmontip-get-tbf

    Retrieve telnet brute-force IOCs - sources observed attempting telnet brute-force attacks, sorted newest first by timestamp unless overridden. Filters the IOC feed by classification TELNET_BRUTE_FORCE.

  • dmontip-get-vpn

    Retrieve known VPN exit-node IOCs with pagination, sorted newest first by firstSeen unless overridden.

  • dmontip-global-search

    The dmontip-global-search command performs a comprehensive search across the Darkmon Threat Intelligence Platform. This command allows users to search for indicators, threat actors, malware, and other intelligence data using keywords or specific search terms. It queries multiple data sources simultaneously and returns consolidated results, helping analysts quickly find relevant intelligence across the platform.

  • domain

    Performs domain-focused threat intelligence searches in the Darkmon platform. Returns comprehensive information about potentially malicious domains.

  • email

    Searches for threat intelligence related to specific email addresses. Identifies compromised accounts or emails associated with malicious activities.

  • file

    Searches the Darkmon platform using file hash values (MD5, SHA-1, SHA-256). Identifies malware and provides associated threat intelligence data.

  • ip

    Searches the Darkmon platform for intelligence related to a specific IP address. A focused interface for threat intelligence lookup of IP indicators.

  • url

    Searches for URL-specific threat intelligence across the Darkmon platform. Quickly identifies malicious or suspicious URLs and associated threat data.