Pure Signal Scout

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Team Cymru's Pure Signal Scout plugin enables Security Copilot customers to gather detailed threat intelligence on IP addresses and domains in real-time. Scout delivers unparalleled speed, accuracy, and visibility, helping security analysts make faster, better-informed decisions. Scout's powerful features ensure that security teams can stay ahead of evolving cyber threats. It provides insights into malicious IP activity, domain information, open ports, communication, and more. With AI-enriched data from sources like Passive DNS and cryptographic certificates, it helps security teams detect and block harmful IPs, streamlining investigations and improving response times.

Know before you begin

Integration with Security Copilot works with an API key that you must retrieve before using the plugin. You can create a new user account or use your existing account to get the key.

Create a new user account and get your API key

  1. Go to Scout Insight trial and fill out the required details.

  2. Verify your email and set a password.

  3. Sign into the Pure Signal Scout portal.

  4. Go to the API Keys page.

  5. Select Create.

  6. (Optional) Add a description for the key.

  7. Select Create Key to generate the key.

  8. If the Create button is disabled, your organization has reached the maximum number of keys. In this case, follow these steps:

    1. Next to an old key, select Revoke.

    2. Select Create Key to start generating a new key.

Use your existing account and get your API key

  1. Sign into the Pure Signal Scout portal.

  2. Go to the API Keys page.

  3. Select Create.

  4. (Optional) Add a description for the key.

  5. Select Create Key to generate the key.

  6. If the Create button is disabled, your organization has reached the maximum number of keys. In this case, follow these steps:

    1. Next to an old key, select Revoke.

    2. Select Create Key to start generating a new key.

Configure the Pure Signal Scout Plugin in Security Copilot

  1. Sign in to Microsoft Security Copilot.

  2. Access Manage Plugins by selecting the Plugin button from the prompt bar.

  3. Next to Pure Signal Scout Plugin, select Set up.

    Image of the Pure Signal Scout plugin.

  4. In the Value field, paste the Pure Signal Scout API key, and then select Save.

    Image of the Pure Signal Scout plugin settings.

Sample Pure Signal Scout prompts

Capability: ScoutFoundationAPI

Description: Accepts IP addresses and enables bulk analysis, offering insights into whether the set contains suspicious, malicious, or informational IPs. The Scout Foundation API also provides AS information, country codes, and key tags associated with IP addresses.

Input parameters:

  Required: ips (max 10 IP Addresses)

Example prompts:

  - List down the malicious and suspicious IPs from these 8.8.8.8 175.155.2.48 185.220.101.101 192.42.116.175 188.165.200.97 185.220.101.88 178.20.55.182 104.182.36.17 with help of Pure Signal Scout plugin.

  - Using the Pure Signal Scout plugin, find if the IP Address 185.220.100.240 is malicious?

  - List down key tag associated with IP Address 12wd85.220.100.240 using Scout plugin.

Capability: ScoutIPDetailsAPI

Description: The Scout IP Details API provides comprehensive information about a specific IP address, covering details such as identity, network communication history, passive DNS data, open ports, X.509 certificates, TLS/SSL fingerprints, and WHOIS records. This endpoint enables users to retrieve a full report on an IP address's behavior and relationships over time by specifying start and end dates or selecting a range of days.

Input parameters:

  Required: IP Address

  Optional:

    start_date: can't be more than 90 days back from current date & 30 days before end date

    end_date: can't be in the future

    Days: min: 1, max: 30 (Relative offset in days from current time in UTC. It can't exceed the maximum range of 30 days.)

    size: default: 100, min: 1, max: 1000 (The size of the response, in records, to return)

    sections: identity, comms, pdns, open_ports, x509, fingerprints, whois, summary, proto_by_ip

Example prompts:

  - Using Pure Signal Scout to find what open ports are available on this IP address 47.156.224.38?

  - Are there any unusual communication patterns for this IP address 47.156.224.38? Check with the Pure Signal Scout plugin.

  - What are the most frequent destinations for this IP address 47.156.224.38? Find using Scout plugin.

  - Using Scout plugin find what are the connections between this IP address 47.156.224.38 and specific ASNs?

  - Has this IP address 175.155.2.48 been seen in any honeypot data? Find using Scout.

  - What are the potential threats associated with this IP address 175.155.2.48?

  - What are the country origins of IPs communicating with this one IP 47.156.224.38?

Capability: ScoutSearchAPI

Description: The Scout Search API provides detailed information about domains and supports advanced search queries using the Scout Query Language. It returns results that may include country codes, autonomous system (AS) information, tags, WHOIS data, open ports, passive DNS (PDNS), communication details, service information, X.509 certificates, and fingerprints. This API allows users to build a query using various formats, including IP address, domain names, websites, or advanced queries with specific selectors (for example, pdns.domain). Full details on the available search selectors can be found at Scout documentation.

Input parameters:

  Required: query

  Optional:

    start_date: can't be more than 90 days back from current date & 30 days before end date

    end_date: can't be future

    Days: min: 1, max: 30 (Relative offset in days from current time in UTC. It can't exceed the maximum range of 30 days.)

    size: default: 100, min: 1, max: 5000 (The size of the response, in records, to return)

Example prompts:

  - Using Pure Signal Scout to find what is the WHOIS information for this domain 10crypto.top?

  - Using the Pure Signal Scout plugin can you show me the historical DNS data for this domain akamai.com?

  - What are the most recent WHOIS updates for this subtitleseeker.com? Use Scout plugin.

  - Using Scout to find what is the reverse WHOIS information for this domain 10crypto.top?

  - Use Scout to run the query pdns.domain="*ngrok.io" and give the certificate details about top 10 associated IPs.

  - What organization is associated with subtitleseeker.com in the WHOIS data? Use Scout.
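
The input limits listed above are easy to trip over when pasting indicator lists or date ranges into a prompt. The following Python helper is an added example, not part of the original article or of Team Cymru's or Microsoft's code: it drops malformed and duplicate IPs, splits the rest into batches of at most 10 for ScoutFoundationAPI, and checks a date window and size against the documented limits. The function names are hypothetical, and reading the start_date rule as "at most 30 days before end_date" is an assumption.

```python
# Added example: limits come from the capability list above; names are hypothetical.
import ipaddress
from datetime import date, timedelta

MAX_IPS = 10            # ScoutFoundationAPI: "max 10 IP Addresses"
MAX_LOOKBACK_DAYS = 90  # start_date limit relative to the current date
MAX_WINDOW_DAYS = 30    # assumed reading: start_date <= 30 days before end_date
SIZE_MAX = {"ScoutIPDetailsAPI": 1000, "ScoutSearchAPI": 5000}


def batch_ips(raw_values, batch_size=MAX_IPS):
    """Drop invalid and duplicate entries, then split the rest into batches."""
    valid, rejected, seen = [], [], set()
    for raw in raw_values:
        try:
            ip = str(ipaddress.ip_address(raw.strip()))
        except ValueError:
            rejected.append(raw)  # keep for analyst review, never send
            continue
        if ip not in seen:
            seen.add(ip)
            valid.append(ip)
    batches = [valid[i:i + batch_size] for i in range(0, len(valid), batch_size)]
    return batches, rejected


def window_errors(capability, start_date, end_date, size=100, today=None):
    """Return the documented limits that a date window and size violate."""
    today = today or date.today()
    errors = []
    if end_date > today:
        errors.append("end_date is in the future")
    if start_date < today - timedelta(days=MAX_LOOKBACK_DAYS):
        errors.append("start_date is more than 90 days back")
    if start_date > end_date:
        errors.append("start_date is after end_date")
    elif (end_date - start_date).days > MAX_WINDOW_DAYS:
        errors.append("start_date is more than 30 days before end_date")
    if not 1 <= size <= SIZE_MAX[capability]:
        errors.append(f"size must be between 1 and {SIZE_MAX[capability]}")
    return errors


def foundation_prompts(raw_values):
    """One prompt per batch, worded like the ScoutFoundationAPI example prompt."""
    batches, rejected = batch_ips(raw_values)
    lead = "List down the malicious and suspicious IPs from these "
    tail = " with help of Pure Signal Scout plugin."
    return [lead + " ".join(b) + tail for b in batches], rejected
```

Entries returned in the rejected list are worth checking by hand, since a typo in an indicator otherwise disappears silently from the analysis.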

Troubleshoot the Pure Signal Scout plugin

Errors occur

If you encounter errors like "Couldn't complete your request," try these steps to troubleshoot:

  1. Start a new session to refresh context, and attempt the prompt again in that session.

  2. Specify a detailed prompt: Refer to the best prompt guidelines for Security Copilot and craft detailed prompts according to the Pure Signal Scout plugin's skills and capabilities.

  3. Adjust the Size Parameter: If the issue persists, reduce the size parameter in your prompt to control response size, for example, "Use size as 10." This can also be adjusted in the IP Details API or Scout Search API to help minimize response payloads.

If the issue continues, sign out of Security Copilot, then sign back in and try again.

Prompts aren't invoking the correct capabilities

If prompts aren't invoking the correct capabilities, or if they seem to be activating a different plugin, the cause may be other plugins or custom plugins that provide capabilities similar to those of Pure Signal Scout. For instance, if you have multiple plugins that offer threat intelligence or domain information, conflicts might arise. To prioritize Pure Signal Scout specifically, consider disabling other custom plugins. Alternatively, you can either use the product name Pure Signal Scout in your prompts or specify a particular skill.

Provide feedback

To provide feedback, contact Pure Signal Scout.

See also

Other plugins for Microsoft Security Copilot

Manage plugins in Microsoft Security Copilot