HYAS Insight (Preview)
HYAS Insight integration to Microsoft Azure Sentinel provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.
This connector is available in the following products and regions:
Service | Class | Regions |
---|---|---|
Logic Apps | Standard | All Logic Apps regions except the following: - Azure Government regions - Azure China regions - US Department of Defense (DoD) |
Power Automate | Premium | All Power Automate regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
Power Apps | Premium | All Power Apps regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
Contact | |
---|---|
Name | HYAS Infosec |
URL | https://www.hyas.com/contact |
[email protected] |
Connector Metadata | |
---|---|
Publisher | HYAS Infosec |
Website | https://www.hyas.com |
Privacy policy | https://www.hyas.com/privacy-statement/ |
Categories | Security;Website |
HYAS Insight Connector
HYAS Insight integration to Microsoft Azure Sentinel provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.
Pre-requisites
You will need the following to proceed:
- A Microsoft Power Apps or Power Automate plan with custom connector feature
- An Azure subscription
- HYAS Insight API Key
Supported Operations
Details of all the supported operations, inputs and outputs are available here.
Support and documentation:
For all the support requests and general queries you can contact [email protected] or visit contact-us
Creating a connection
The connector supports the following authentication types:
Default | Parameters for creating connection. | All regions | Not shareable |
Default
Applicable: All regions
Parameters for creating connection.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
Name | Type | Description | Required |
---|---|---|---|
HYAS Insight API Key | securestring | The HYAS Insight API Key for this api | True |
Throttling Limits
Name | Calls | Renewal Period |
---|---|---|
API calls per connection | 100 | 60 seconds |
Actions
Get C2 Attribution Information |
Returns C2 Attribution Information. |
Get Current Whois Information |
Returns Current Whois Information for domain. |
Get Dynamic DNS Information |
Returns Dynamic DNS Information. |
Get Malware Sample Information |
Returns Malware Information. |
Get Malware Sample Record Information |
Returns Malware Sample Records. |
Get Mobile Geolocation Information |
Returns a list of mobile geolocation information. |
Get Open Source Indicators Information |
Returns a list of threat or intel indicators from open sources. |
Get Passive DNS Information |
Returns Passive DNS Information. |
Get Passive Hash Information |
Returns Passive Hash Information. |
Get Sinkhole Information |
Returns Sinkhole Information. |
Get SSL Certificate Information |
Returns SSL Certificate Information. |
Get Whois Information |
Returns Whois Information. |
Get C2 Attribution Information
Returns C2 Attribution Information.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Indicator Type
|
indicator_type | True | string |
Filter used to query c2attribution endpoint, supported values are domain, ip, email and sha256. |
Indicator Value
|
indicator_value | True | string |
Please provide a valid domain or ip or email or sha256 value. |
Returns
- Items
- c2attribution
Get Current Whois Information
Returns Current Whois Information for domain.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Domain
|
domain | True | string |
Please provide a valid domain. |
Returns
- Body
- whois_current
Get Dynamic DNS Information
Returns Dynamic DNS Information.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Indicator Type
|
indicator_type | True | string |
Filter used to query dynamicdns endpoint, supported values are ip, domain and email. |
Indicator Value
|
indicator_value | True | string |
Please provide a valid ip or domain or email value. |
Returns
- Items
- dynamicdns
Get Malware Sample Information
Returns Malware Information.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Indicator Type
|
indicator_type | True | string |
Filter used to query sample/infromation endpoint, supported values are hash. |
Indicator Value
|
indicator_value | True | string |
Please provide a valid hash value. |
Returns
- Body
- sample_information
Get Malware Sample Record Information
Returns Malware Sample Records.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Indicator Type
|
indicator_type | True | string |
Filter used to query sample endpoint, supported values are md5, domain and ipv4. |
Indicator Value
|
indicator_value | True | string |
Please provide a valid md5 or domain or ipv4 value. |
Returns
- Items
- sample
Get Mobile Geolocation Information
Returns a list of mobile geolocation information.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Indicator Type
|
indicator_type | True | string |
Filter used to query device_geo endpoint, supported values are ipv4 and ipv6. |
Indicator Value
|
indicator_value | True | string |
Please provide a valid ipv4 or ipv6 value. |
Returns
- Items
- device_geo
Get Open Source Indicators Information
Returns a list of threat or intel indicators from open sources.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Indicator Type
|
indicator_type | True | string |
Filter used to query os_indicators endpoint, supported values are ipv4, ipv6, domain, sha1, sha256 and md5. |
Indicator Value
|
indicator_value | True | string |
Please provide a valid ipv4 or ipv6 or domain or sha1 or sha256 or md5 value. |
Returns
- Items
- os_indicators
Get Passive DNS Information
Returns Passive DNS Information.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Indicator Type
|
indicator_type | True | string |
Filter used to query passivedns endpoint, supported values are ipv4, domain. |
Indicator Value
|
indicator_value | True | string |
Please provide a valid ipv4 or domain value. |
Returns
- Items
- passivedns
Get Passive Hash Information
Returns Passive Hash Information.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Indicator Type
|
indicator_type | True | string |
Filter used to query passivehash endpoint, supported values are ipv4 and domain. |
Indicator Value
|
indicator_value | True | string |
Please provide a valid ipv4 or domain value. |
Returns
- Items
- passivehash
Get Sinkhole Information
Returns Sinkhole Information.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Indicator Type
|
indicator_type | True | string |
Filter used to query sinkhole endpoint, supported values are ipv4. |
Indicator Value
|
indicator_value | True | string |
Please provide a valid ipv4 value. |
Returns
- Items
- sinkhole
Get SSL Certificate Information
Returns SSL Certificate Information.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Indicator Type
|
indicator_type | True | string |
Filter used to query ssl_certificate endpoint, supported values are sha1 hash, ip and domain. |
Indicator Value
|
indicator_value | True | string |
Please provide a valid sha1 hash or ip or domain value. |
Returns
- Body
- sslcertificate
Get Whois Information
Returns Whois Information.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Indicator Type
|
indicator_type | True | string |
Filter used to query whois endpoint, supported values are domain, email and phone. |
Indicator Value
|
indicator_value | True | string |
Please provide a valid domain or email or phone value. |
Returns
- Items
- whois
Definitions
device_geo
Name | Path | Type | Description |
---|---|---|---|
datetime
|
datetime | string |
A date-time string in RFC 3339 format. |
device_user_agent
|
device_user_agent | string |
The user agent string for the device. |
geo_country_alpha_2
|
geo_country_alpha_2 | string |
The ISO 3316 alpha-2 code for the country associated with the lat/long reported. |
geo_horizontal_accuracy
|
geo_horizontal_accuracy | float |
The GPS horizontal accuracy. |
ipv4
|
ipv4 | string |
The ipv4 address assigned to the device. A device may have either or ipv4 and ipv6. |
ipv6
|
ipv6 | string |
The ipv6 address assigned to the device. A device may have either or ipv4 and ipv6. |
latitude
|
latitude | float |
Units are degrees on the WGS 84 spheroid. |
longitude
|
longitude | float |
Units are degrees on the WGS 84 spheroid. |
wifi_bssid
|
wifi_bssid | string |
The BSSID (MAC address) of the wifi router that the device communicated through. |
sinkhole
Name | Path | Type | Description |
---|---|---|---|
count
|
count | number |
The sinkhole count. |
country_name
|
country_name | string |
The country of the ip. |
data_port
|
data_port | number |
The data port. |
datetime
|
datetime | string |
The first seen date of the sinkhole. |
ipv4
|
ipv4 | string |
The ipv4 of the sinkhole. |
last_seen
|
last_seen | string |
The last seen date of the sinkhole. |
organization_name
|
organization_name | string |
The isp organization for the ip. |
sink_source
|
sink_source | string |
The ipv4 of the sink source. |
passivedns
Name | Path | Type | Description |
---|---|---|---|
cert_name
|
cert_name | string |
The certificate provider name. |
count
|
count | number |
The passive dns count. |
domain
|
domain | string |
The domain of the passive dns information requested. |
first_seen
|
first_seen | string |
The first time this domain was seen. |
city_name
|
ip.geo.city_name | string |
The City of the ip organization. |
country_iso_code
|
ip.geo.country_iso_code | string |
The Country ISO code of the ip organization. |
country_name
|
ip.geo.country_name | string |
The Country name of the ip organization. |
location_latitude
|
ip.geo.location_latitude | string |
The latitude of the ip organization. |
location_longitude
|
ip.geo.location_longitude | string |
The longitude of the ip organization. |
postal_code
|
ip.geo.postal_code | string |
The postalcode of the ip organization. |
ip
|
ip.ip | string |
IP of the organization. |
autonomous_system_number
|
ip.isp.autonomous_system_number | string |
The ASN of the ip. |
autonomous_system_organization
|
ip.isp.autonomous_system_organization | string |
The ASO of the ip. |
ip_address
|
ip.isp.ip_address | string |
The IP. |
isp
|
ip.isp.isp | string |
The Internet Service Provider. |
organization
|
ip.isp.organization | string |
The ISP organization. |
ipv4
|
ipv4 | string |
The ipv4 address of the passive dns record. |
ipv6
|
ipv6 | string |
The ipv6 address of the passive dns record. |
last_seen
|
last_seen | string |
The last time this domain was seen. |
sources
|
sources | array of string |
A list of pDNS providers which the data came from. |
dynamicdns
Name | Path | Type | Description |
---|---|---|---|
a_record
|
a_record | string |
The A record for the domain. |
account
|
account | string |
The account holder name. |
created
|
created | string |
The date which the domain was created. |
created_ip
|
created_ip | string |
The ip address of the account holder. |
domain
|
domain | string |
The domain associated with the dynamic dns information. |
domain_creator_ip
|
domain_creator_ip | string |
The ip address of the domain creator. |
email
|
string |
The email address connected to the domain. |
passivehash
Name | Path | Type | Description |
---|---|---|---|
domain
|
domain | string |
The domain of the passive hash information requested. |
md5_count
|
md5_count | number |
The passive dns count. |
sslcertificate
Name | Path | Type | Description |
---|---|---|---|
related_count
|
related_count | number |
The number of ip addresses connected to this certificate. |
ssl_certs
|
ssl_certs | array of object |
The ssl_certs object. |
ip
|
ssl_certs.ip | string |
The ip address associated with certificate. |
cert_key
|
ssl_certs.ssl_cert.cert_key | string |
The certificate key (sha1). |
expire_date
|
ssl_certs.ssl_cert.expire_date | string |
The expiry date of the certificate. |
issue_date
|
ssl_certs.ssl_cert.issue_date | string |
The issue date of the certificate. |
issuer_commonName
|
ssl_certs.ssl_cert.issuer_commonName | string |
The common name that the certificate was issued from. |
issuer_countryName
|
ssl_certs.ssl_cert.issuer_countryName | string |
The country ISO the certificate was issued from. |
issuer_localityName
|
ssl_certs.ssl_cert.issuer_localityName | string |
The city where the issuer company is legally located. |
issuer_organizationName
|
ssl_certs.ssl_cert.issuer_organizationName | string |
The organization name that issued the certificate. |
issuer_organizationalUnitName
|
ssl_certs.ssl_cert.issuer_organizationalUnitName | string |
The organization unit name that issued the certificate. |
issuer_stateOrProvinceName
|
ssl_certs.ssl_cert.issuer_stateOrProvinceName | string |
The issuer state or province. |
md5
|
ssl_certs.ssl_cert.md5 | string |
The certificate MD5. |
serial_number
|
ssl_certs.ssl_cert.serial_number | string |
The certificate serial number. |
sha1
|
ssl_certs.ssl_cert.sha1 | string |
The certificate sha1. |
sha_256
|
ssl_certs.ssl_cert.sha_256 | string |
The certificate sha256. |
sig_algo
|
ssl_certs.ssl_cert.sig_algo | string |
The certificate signature algorithm. |
signature
|
ssl_certs.ssl_cert.signature | string |
Signature split into multiple lines. |
ssl_version
|
ssl_certs.ssl_cert.ssl_version |
The SSL version. |
|
subject_commonName
|
ssl_certs.ssl_cert.subject_commonName | string |
The subject name that the certificate was issued to. |
subject_countryName
|
ssl_certs.ssl_cert.subject_countryName | string |
The country the certificate was issued to. |
subject_localityName
|
ssl_certs.ssl_cert.subject_localityName | string |
The city where the subject company is legally located. |
subject_organizationName
|
ssl_certs.ssl_cert.subject_organizationName | string |
The organization name that recieved the certificate. |
subject_organizationalUnitName
|
ssl_certs.ssl_cert.subject_organizationalUnitName | string |
The organization unit name that recieved the certificate. |
subject_stateOrProvinceName
|
ssl_certs.ssl_cert.subject_stateOrProvinceName | string |
The state or province name where the subject company is located. |
timestamp
|
ssl_certs.ssl_cert.timestamp | string |
The certificate date and time. |
whois
Name | Path | Type | Description |
---|---|---|---|
address
|
address | array of string |
The address information. |
city
|
city | array of string |
The city information. |
country
|
country | array of string |
The country information. |
domain
|
domain | string |
The domain of the registrant. |
domain_2tld
|
domain_2tld | string |
The second-level domain of the registrant. |
domain_created_datetime
|
domain_created_datetime | string |
The date and time when the whois record was created. |
domain_expires_datetime
|
domain_expires_datetime | string |
The date and time when the whois record expires. |
domain_updated_datetime
|
domain_updated_datetime | string |
The date and time when the whois record was last updated. |
email
|
array of string |
The email information. |
|
idn_name
|
idn_name | string |
The international domain name. |
nameserver
|
nameserver | array of string |
The nameserver information. |
phone
|
phone | array of object |
Array of object, The phone number registrant contact in e164 format along with geo info. |
phone
|
phone.phone | string |
The phone number registrant contact in e164 format. |
carrier
|
phone.phone_info.carrier | string |
Phone number carrier. |
country
|
phone.phone_info.country | string |
Phone number country. |
geo
|
phone.phone_info.geo | string |
Phone number geo Can be city or province or region or country. |
privacy_punch
|
privacy_punch | boolean |
True if this record has additional information bypassing privacy protect. |
registrar
|
registrar | string |
The domain registrar. |
whois_hash
|
whois_hash | string |
The hash information. |
whois_id
|
whois_id | string |
The whois id information. |
c2attribution
Name | Path | Type | Description |
---|---|---|---|
actor_ipv4
|
actor_ipv4 | string |
The actor ipv4. |
c2_domain
|
c2_domain | string |
The c2 domain. |
c2_ip
|
c2_ip | string |
The c2 ipv4. |
c2_url
|
c2_url | string |
The C2 panel url. |
datetime
|
datetime | string |
C2 Attribution datetime. |
email
|
string |
The actor email. |
|
email_domain
|
email_domain | string |
The email domain. |
referrer_domain
|
referrer_domain | string |
The referrer domain. |
referrer_ipv4
|
referrer_ipv4 | string |
The referrer ipv4. |
referrer_url
|
referrer_url | string |
The referrer url. |
sha256
|
sha256 | string |
The sha256 malware hash. |
sample_information
Name | Path | Type | Description |
---|---|---|---|
avscan_score
|
avscan_score | string |
AV scan score. |
md5
|
md5 | string |
MD5 Hash. |
scan_results
|
scan_results | array of object | |
av_name
|
scan_results.av_name | string |
The AV Name. |
def_time
|
scan_results.def_time | string |
The AV datetime. |
threat_found
|
scan_results.threat_found | string |
The source. |
scan_time
|
scan_time | string |
The datetime of the scan. |
sha1
|
sha1 | string |
The sha1 hash. |
sha256
|
sha256 | string |
The sha256 hash. |
sha512
|
sha512 | string |
The sha512 hash. |
sample
Name | Path | Type | Description |
---|---|---|---|
datetime
|
datetime | string |
The date which the sample was processed. |
domain
|
domain | string |
The domain of the sample. |
ipv4
|
ipv4 | string |
The ipv4 of the sample. |
ipv6
|
ipv6 | string |
The ipv6 of the sample. |
md5
|
md5 | string |
The md5 of the sample. |
sha1
|
sha1 | string |
The sha1 of the sample. |
sha256
|
sha256 | string |
The sha256 of the sample. |
os_indicators
Name | Path | Type | Description |
---|---|---|---|
context
|
context | string |
Additional information about source. |
data
|
data | object |
The json blob with raw data. |
datetime
|
datetime | string |
The date-time string in RFC 3339 format. |
domain
|
domain | string |
The domain. |
domain_2tld
|
domain_2tld | string |
The domain_2tld. |
first_seen
|
first_seen | string |
The date-time string in RFC 3339 format. |
ipv4
|
ipv4 | string |
The ipv4 address. Can be a cidr. |
ipv6
|
ipv6 | string |
The ipv6 address. Can be a cidr. |
last_seen
|
last_seen | string |
The date-time string in RFC 3339 format. |
md5
|
md5 | string |
The md5 value. |
sha1
|
sha1 | string |
The sha1 value. |
sha256
|
sha256 | string |
The sha256 value. |
source_name
|
source_name | string |
The source_name. |
source_url
|
source_url | string |
The source_url. |
uri
|
uri | string |
The source uri value. |
whois_current
Name | Path | Type | Description |
---|---|---|---|
items
|
items | array of object |
The items object. |
abuse_emails
|
items.abuse_emails | array of string |
The abuse emails information. |
address
|
items.address | array of string |
The address information. |
city
|
items.city | array of string |
The city of the registrant. |
country
|
items.country | array of string |
The country of the registrant. |
data
|
items.data | string |
The data information. |
datetime
|
items.datetime | string |
The datetime information. |
domain
|
items.domain | string |
The domain of the registrant. |
domain_2tld
|
items.domain_2tld | string |
The second-level domain of the registrant. |
domain_created_datetime
|
items.domain_created_datetime | string |
The date and time when the Whois record was created. |
domain_expires_datetime
|
items.domain_expires_datetime | string |
The date and time when the Whois record expires. |
domain_updated_datetime
|
items.domain_updated_datetime | string |
The date and time when the Whois record was last updated. |
email
|
items.email | array of string |
The email information. |
idn_name
|
items.idn_name | string |
The international domain name information. |
meta_data
|
items.meta_data | string |
The metadata information. |
name
|
items.name | array of string |
The contact name (registrant contact, administrative contact, technical contact, or abuse contact.) |
nameserver
|
items.nameserver | array of string |
The nameserver domain. |
organization
|
items.organization | array of string |
The organization information. |
phone
|
items.phone | array of |
The phone number of the registrant in e164 format. |
registrar
|
items.registrar | string |
The domain registrar. |
state
|
items.state | array of |
The state where domain was registered. |
whois_hash
|
items.whois_hash | string |
The hash information. |
whois_id
|
items.whois_id | string |
The whois id information. |
whois_nameserver
|
items.whois_nameserver | array of object |
The whois_nameserver object. |
domain
|
items.whois_nameserver.domain | string |
The nameserver's domain information. |
domain_2tld
|
items.whois_nameserver.domain_2tld | string |
The nameserver's domain_2tld information. |
whois_related_nameserver_id
|
items.whois_nameserver.whois_related_nameserver_id | string |
The nameserver's Id Information. |
whois_pii
|
items.whois_pii | array of object |
The whois_pii object. |
address
|
items.whois_pii.address | string |
The personal identity address information. |
city
|
items.whois_pii.city | string |
The personal identity city information. |
data
|
items.whois_pii.data | string |
The personal identity data information. |
email
|
items.whois_pii.email | string |
The personal identity email information. |
geo_country_alpha_2
|
items.whois_pii.geo_country_alpha_2 | string |
The personal identity country information. |
name
|
items.whois_pii.name | string |
The personal identity name information. |
organization
|
items.whois_pii.organization | string |
The personal identity organization information. |
phone_e164
|
items.whois_pii.phone_e164 | string |
The personal identity Phone_e164 information. |
state
|
items.whois_pii.state | string |
The personal identity state information. |
whois_related_pii_id
|
items.whois_pii.whois_related_pii_id | string |
The personal identity Id information. |
whois_related_type
|
items.whois_pii.whois_related_type | string |
The personal identity related information. |
source
|
source | string |
The source information. |
total_count
|
total_count | number |
The total count information. |