
ACTI Indicator Query

This Integration is part of the Accenture CTI v2 Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Accenture CTI provides intelligence regarding security threats and vulnerabilities. This integration was integrated and tested with version v2.93.0 of ACTI.

Configure ACTI Indicator Query on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for ACTI Indicator Query.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | URL | True |
| api_token | API Token | True |
| Source Reliability | Reliability of the source providing the intelligence data. | B - Usually reliable |
| insecure | Trust any certificate (not secure) | False |
| use_proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

Checks the reputation of the given IP address.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to check. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The IP address that was checked. |
| IP.Malicious.Vendor | String | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | String | For malicious IP addresses, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor that was used to calculate the score. |
| DBotScore.Score | String | The actual score. |

Command Example

```
!ip ip=0.0.0.0
```

Context Example

```json
{
    "DBotScore": {
        "Indicator": "0.0.0.0",
        "Reliability": "B - Usually reliable",
        "Score": 2,
        "Type": "ip",
        "Vendor": "ACTI Indicator Query"
    },
    "IP": {
        "Address": "0.0.0.0"
    }
}
```

Human Readable Output

Results

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 0 | 2 | 2018-04-25 14:20:30 | 0.0.0.0 | Cyber Espionage | MALWARE_DOWNLOAD, MALWARE_C2 |

domain

Checks the reputation of the given domain.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain to check. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The name of the domain that was checked. |
| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | String | For malicious domains, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

```
!domain domain=example.org
```

Context Example

```json
{
    "DBotScore": {
        "Indicator": "example.org",
        "Reliability": "B - Usually reliable",
        "Score": 2,
        "Type": "domain",
        "Vendor": "ACTI Indicator Query"
    },
    "Domain": {
        "Name": "example.org"
    }
}
```

Human Readable Output

Results

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 50 | 2 | 2019-09-18 15:56:49 | example.org | Cyber Crime | MALWARE_C2 |

url

Checks the reputation of the given URL.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | The URL to check (must start with "http://"). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| URL.Data | String | The URL that was checked. |
| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | String | For malicious URLs, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

```
!url url=http://example.com
```

Context Example

```json
{
    "DBotScore": {
        "Indicator": "http://example.com",
        "Reliability": "B - Usually reliable",
        "Score": 2,
        "Type": "url",
        "Vendor": "ACTI Indicator Query"
    },
    "URL": {
        "Data": "http://example.com"
    }
}
```

Human Readable Output

Results

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 50 | 2 | 2020-09-16 20:29:35 | http://example.com | Cyber Crime | MALWARE_C2 |

acti-get-ioc-by-uuid

Gets the reputation of a specific indicator, looked up by its UUID.

Base Command

acti-get-ioc-by-uuid

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | Unique User ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The IP address. |
| IP.Malicious.Vendor | String | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | String | For malicious IP addresses, the reason the vendor made that decision. |
| Domain.Name | String | The domain name. |
| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | String | For malicious domains, the reason the vendor made that decision. |
| URL.Data | String | The URL. |
| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | String | For malicious URLs, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

```
!acti-get-ioc-by-uuid uuid=xxxx
```

Context Example

```json
{
    "DBotScore": {
        "Indicator": "example.org",
        "Reliability": "B - Usually reliable",
        "Score": 2,
        "Type": "domain",
        "Vendor": "ACTI Indicator Query"
    },
    "Domain": {
        "Name": "example.org"
    }
}
```

Human Readable Output

Results

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 0 | 2 | 2017-01-11 20:56:22 | example.org | Cyber Espionage | MALWARE_C2 |

acti-getThreatIntelReport

Fetches intelligence alerts and intelligence reports from ACTI IntelGraph into the Cortex XSOAR platform.

Base Command

acti-getThreatIntelReport

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | UUID of the Intelligence Alert or Intelligence Report to fetch. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IAIR.abstract | String | Summarised context of the report. Specific to Intelligence Alerts, for example 'The worldwide COVID-19 outbreak...' |
| IAIR.last_published | String | Last-published timestamp of the IA/IR, for example '2020-06-26T01:14:56.000Z' |
| IAIR.index_timestamp | String | Index timestamp of the IA/IR, for example '2022-02-11T17:24:03.604Z' |
| IAIR.display_text | String | Display text of the IA/IR, for example 'SITREP Cybersecurity Risks Related to COVID-19' |
| IAIR.value | String | Value of the IA/IR, for example 'https://intelgraph.idefense.com/#/node/intelligence_alert/view/8b8b48f1-92a0-411a-a073-3241f6819f8b' |
| IAIR.last_modified | String | Last-modified timestamp of the IA/IR, for example '2022-02-11T17:21:48.000Z' |
| IAIR.threat_types | String | Threat types of the IA/IR, joined into one dash-prefixed string so that they display better, for example '- Hacktivism- Cyber Espionage- Cyber Crime- Vulnerability' |
| IAIR.created_on | String | Creation timestamp of the IA/IR, for example '2020-03-12T22:22:25.000Z' |
| IAIR.title | String | Title of the IA/IR, for example 'SITREP Cybersecurity Risks Related to COVID-19' |
| IAIR.type | String | Type of report (IA or IR), for example 'intelligence_alert' |
| IAIR.uuid | String | UUID of the IA/IR, for example '8b8b48f1-92a0-411a-a073-3241f6819f8b' |
| IAIR.analysis | String | Analysis section of the IA/IR, for example 'COVID-19 Introduces Cyberthreat Opportunities...' |
| IAIR.attachment_links | String | Document links related to the Intelligence Alert. Specific to Intelligence Alerts, for example 'https://intelgraph.idefense.com/rest/files/download/...' |
| IAIR.severity | String | Severity rating. Specific to Intelligence Alerts, for example '4' |
| IAIR.mitigation | String | Mitigation guidance. Specific to Intelligence Alerts, for example '## Expert, Experienced Advice Will be CriticalTo minimize targeting opportunities...' |
| IAIR.conclusion | String | Conclusion of the report. Specific to Intelligence Reports. |
| IAIR.summary | String | Summary of the report. Specific to Intelligence Reports. |
| IAIR.dynamic_properties | String | Dynamic properties related to the intelligence alert/report. |
| IAIR.links | String | Linked fields related to the intelligence alert/report. |
| IAIR.sources_external | String | External sources related to the intelligence alert/report. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor that was used to calculate the score. |
| DBotScore.Score | String | The actual score. |

Command Example

```
!acti-getThreatIntelReport uuid=8b8b48f1-92a0-411a-a073-3241f6819f8b
```

Context Example

```json
{
    "DBotScore": {
        "Indicator": "8b8b48f1-92a0-411a-a073-3241f6819f8b",
        "Reliability": "B - Usually reliable",
        "Score": 2,
        "Type": "ACTI Intelligence Alert",
        "Vendor": "ACTI Threat Intelligence Report"
    },
    "IAIR": {
        "abstract": "The worldwide COVID-19 outbreak, which the World Health Organization (WHO) declared a pandemic......",
        "last_published": "2020-06-26T01:14:56.000Z",
        "index_timestamp": "2022-02-11T17:24:03.604Z",
        "display_text": "SITREP: Cybersecurity Risks Related to COVID-19",
        "value": "8b8b48f1-92a0-411a-a073-3241f6819f8b",
        "sources_external": {},
        "last_modified": "2022-02-11T17:21:48.000Z",
        "dynamic_properties": {},
        "threat_types": "- Hacktivism- Cyber Espionage- Cyber Crime- Vulnerability",
        "created_on": "2020-03-12T22:22:25.000Z",
        "title": "SITREP: Cybersecurity Risks Related to COVID-19",
        "links": {},
        "type": "intelligence_alert",
        "uuid": "8b8b48f1-92a0-411a-a073-3241f6819f8b",
        "analysis": "##COVID-19 Introduces Cyberthreat Opportunities####Exploitation of Work-from-Home.....",
        "attachment_links": "- https://intelgraph.idefense.com/rest/files/download/08/f0/05/7f1f609e7659dc......",
        "severity": 4,
        "mitigation": "##Expert, Experienced Advice Will be CriticalTo minimize targeting opportunities...."
    }
}
```

Human Readable Output

Report has been fetched!

UUID: 8b8b48f1-92a0-411a-a073-3241f6819f8b
Link to view report: https://intelgraph.idefense.com/#/node/intelligence_alert/view/8b8b48f1-92a0-411a-a073-3241f6819f8b
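The context documented above is what a playbook or automation actually consumes, and two details of it trip people up: DBotScore.Score is listed as String for some commands and Number for others, and the IAIR.threat_types and IAIR.attachment_links fields are delivered as one dash-joined display string rather than a list. The following is an added example, not code from the integration or the Accenture CTI pack, showing how an automation can normalise the reputation context of the ip, domain and url commands and the report context of acti-getThreatIntelReport into flat records. It assumes only the context shapes shown in this README and Cortex XSOAR's standard DBotScore scale (0 Unknown, 1 Good, 2 Suspicious, 3 Bad); the sample contexts are constructed from the README's own examples and every function name is hypothetical.

```python
"""Consume ACTI Indicator Query context (added example; not the integration's own code).

Assumes the context shapes documented in the README: DBotScore beside an IP, Domain
or URL object for the reputation commands, and DBotScore plus IAIR for the report
command. Sample contexts are constructed from the README examples; names are hypothetical.
"""
import re
from typing import Any, Dict, List, Optional

# Cortex XSOAR's standard DBotScore scale.
DBOT_VERDICTS = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Bad"}

# Context object and key that carry the indicator value for each reputation command.
INDICATOR_KEYS = {"ip": ("IP", "Address"), "domain": ("Domain", "Name"), "url": ("URL", "Data")}

# Items in threat_types / attachment_links are joined as one string, e.g.
# '- Hacktivism- Cyber Espionage- Cyber Crime- Vulnerability'. An item prefix is a
# '- ' at the start of the string or directly after a non-space character, so a
# ' - ' inside an item ('Foo - Bar') is left alone.
_DASH_ITEM = re.compile(r"(?:^|(?<=\S))- ")


def first(obj: Any) -> Dict:
    """XSOAR merges repeated results into a list; treat a list as its first entry."""
    if isinstance(obj, list):
        return obj[0] if obj else {}
    return obj or {}


def split_dash_list(value: Any) -> List[str]:
    """Recover the items of a dash-joined field; lists and empty values pass through."""
    if not value:
        return []
    if isinstance(value, list):
        return [str(v).strip() for v in value if str(v).strip()]
    return [item.strip() for item in _DASH_ITEM.split(str(value)) if item.strip()]


def valid_url_argument(url: Any) -> bool:
    """The url command documents that its argument must start with 'http://'."""
    return isinstance(url, str) and url.startswith("http://")


def verdict_from_dbotscore(dbot: Any) -> str:
    """Map DBotScore.Score to a verdict; Score may arrive as 2 or as '2'."""
    try:
        score = int(first(dbot).get("Score", 0))
    except (TypeError, ValueError):
        return "Unknown"
    return DBOT_VERDICTS.get(score, "Unknown")


def summarize_reputation(command: str, ctx: Dict) -> Dict[str, Optional[str]]:
    """Normalise the context written by !ip, !domain or !url into one flat record."""
    obj_key, value_key = INDICATOR_KEYS[command]
    dbot = first(ctx.get("DBotScore"))
    indicator = first(ctx.get(obj_key))
    # Malicious.Vendor / Malicious.Description are only present for malicious indicators.
    malicious = indicator.get("Malicious") or {}
    return {
        "indicator": indicator.get(value_key) or dbot.get("Indicator"),
        "type": dbot.get("Type"),
        "verdict": verdict_from_dbotscore(dbot),
        "reliability": dbot.get("Reliability"),
        "malicious_reason": malicious.get("Description"),
    }


def summarize_report(ctx: Dict) -> Dict[str, Any]:
    """Normalise the context written by !acti-getThreatIntelReport."""
    iair = first(ctx.get("IAIR"))
    severity = iair.get("severity")  # Intelligence Alert only; absent on Intelligence Reports
    return {
        "uuid": iair.get("uuid"),
        "kind": iair.get("type"),
        "title": iair.get("title"),
        "verdict": verdict_from_dbotscore(ctx.get("DBotScore")),
        "threat_types": split_dash_list(iair.get("threat_types")),
        "attachment_links": split_dash_list(iair.get("attachment_links")),
        "severity": int(severity) if severity not in (None, "") else None,
        "last_published": iair.get("last_published"),
    }


# Constructed sample contexts, trimmed from the README examples.
SAMPLE_IP_CONTEXT = {
    "DBotScore": {"Indicator": "0.0.0.0", "Reliability": "B - Usually reliable",
                  "Score": 2, "Type": "ip", "Vendor": "ACTI Indicator Query"},
    "IP": {"Address": "0.0.0.0"},
}
SAMPLE_REPORT_CONTEXT = {
    "DBotScore": {"Indicator": "8b8b48f1-92a0-411a-a073-3241f6819f8b", "Score": 2,
                  "Type": "ACTI Intelligence Alert", "Vendor": "ACTI Threat Intelligence Report"},
    "IAIR": {
        "uuid": "8b8b48f1-92a0-411a-a073-3241f6819f8b",
        "type": "intelligence_alert",
        "title": "SITREP: Cybersecurity Risks Related to COVID-19",
        "threat_types": "- Hacktivism- Cyber Espionage- Cyber Crime- Vulnerability",
        "attachment_links": "- https://intelgraph.idefense.com/rest/files/download/08/f0/05/7f1f609e7659dc......",
        "severity": 4,
        "last_published": "2020-06-26T01:14:56.000Z",
    },
}

if __name__ == "__main__":
    print(summarize_reputation("ip", SAMPLE_IP_CONTEXT))
    print(summarize_report(SAMPLE_REPORT_CONTEXT))
```

Inside an XSOAR automation the same functions would be fed `demisto.context()` output; the `first()` helper exists because the platform stores repeated DBotScore entries as a list, which the single-object examples in this README do not show.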