ACTI Indicator Query
Accenture CTI v2 Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
Accenture CTI provides intelligence regarding security threats and vulnerabilities. This integration was integrated and tested with version v2.93.0 of ACTI
#
Configure ACTI Indicator Query on Cortex XSOAR- Navigate to Settings > Integrations > Servers & Services.
- Search for ACTI Indicator Query.
- Click Add instance to create and configure a new integration instance.
Parameter | Description | Required |
---|---|---|
url | URL | True |
api_token | API Token | True |
Source Reliability | Reliability of the source providing the intelligence data. | B - Usually reliable |
insecure | Trust any certificate (not secure) | False |
use_proxy | Use system proxy settings | False |
- Click Test to validate the URLs, token, and connection.
#
CommandsYou can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
ipChecks the reputation of the given IP address.
#
Base Commandip
#
InputArgument Name | Description | Required |
---|---|---|
ip | IP address to check. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
IP.Address | String | The IP address that was checked. |
IP.Malicious.Vendor | String | For malicious IP addresses, the vendor that made the decision. |
IP.Malicious.Description | String | For malicious IP addresses, the reason the vendor made that decision. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor that was used to calculate the score. |
DBotScore.Score | String | The actual score. |
#
Command Example!ip ip=0.0.0.0
#
Context Example#
Human Readable Output#
Results
Confidence DbotReputation LastPublished Name ThreatTypes TypeOfUse 0 2 2018-04-25 14:20:30 0.0.0.0 Cyber Espionage MALWARE_DOWNLOAD,
MALWARE_C2
#
domainChecks the reputation of the given domain.
#
Base Commanddomain
#
InputArgument Name | Description | Required |
---|---|---|
domain | The domain to check. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Domain.Name | String | The name of the domain that was checked. |
Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | String | For malicious domains, the reason the vendor made that decision. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
#
Command Example!domain domain=example.org
#
Context Example#
Human Readable Output#
Results
Confidence DbotReputation LastPublished Name ThreatTypes TypeOfUse 50 2 2019-09-18 15:56:49 example.org Cyber Crime MALWARE_C2
#
urlChecks the reputation of the given URL.
#
Base Commandurl
#
InputArgument Name | Description | Required |
---|---|---|
url | The URL to check (must start with "http://"). | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
URL.Data | String | The URL that was checked. |
URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | String | For malicious URLs, the reason the vendor made that decision. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
#
Command Example!url url=http://example.com
#
Context Example#
Human Readable Output#
Results
Confidence DbotReputation LastPublished Name ThreatTypes TypeOfUse 50 2 2020-09-16 20:29:35 http://example.com Cyber Crime MALWARE_C2
#
acti-get-ioc-by-uuidGet specific indicator reputation
#
Base Commandacti-get-ioc-by-uuid
#
InputArgument Name | Description | Required |
---|---|---|
uuid | Unique User ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IP.Address | String | The IP address. |
IP.Malicious.Vendor | String | For malicious IP addresses, the vendor that made the decision. |
IP.Malicious.Description | String | For malicious IP addresses, the reason the vendor made that decision. |
Domain.Name | String | The domain name. |
Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | String | For malicious domains, the reason the vendor made that decision. |
URL.Data | String | The URL. |
URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | String | For malicious URLs, the reason the vendor made that decision. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
#
Command Example!acti-get-ioc-by-uuid uuid=xxxx
#
Context Example#
Human Readable Output#
Results
Confidence DbotReputation LastPublished Name ThreatTypes TypeOfUse 0 2 2017-01-11 20:56:22 example.org Cyber Espionage MALWARE_C2
#
acti-getThreatIntelReportFetches intelligence alerts and reports from ACTI IntelGraph to XSOAR platform.
#
Base Commandacti-getThreatIntelReport
#
InputArgument Name | Description | Required |
---|---|---|
uuid | UUID to fetch Intelligence Alerts & Intelligence Reports. | Yes |
#
Context OutputPath | Type | Description |
---|---|---|
IAIR.abstract | String | This field is specific to Intelligence Alert and provides a summarised context, for example, 'The worldwide COVID-19 outbreak...' |
IAIR.last_published | String | The last published timestamp of the IA/IR, for example, '2020-06-26T01:14:56.000Z' |
IAIR.index_timestamp | String | The index timestamp of the IA/IR, for example, '2022-02-11T17:24:03.604Z' |
IAIR.display_text | String | The display text of the IA/IR, for example, 'SITREP Cybersecurity Risks Related to COVID-19' |
IAIR.value | String | The value of the IA/IR, for example, 'https://intelgraph.idefense.com/#/node/intelligence_alert/view/8b8b48f1-92a0-411a-a073-3241f6819f8b' |
IAIR.last_modified | String | The last modified timestamp of the IA/IR, for example, '2022-02-11T17:21:48.000Z' |
IAIR.threat_types | String | The threat type of the IA/IR, for example, '- Hacktivism- Cyber Espionage- Cyber Crime- Vulnerability'. It's formatted in such a way that it gets displayed better. |
IAIR.created_on | String | The creation timestamp of the IA/IR, for example, '2020-03-12T22:22:25.000Z' |
IAIR.title | String | The title of the IA/IR, for example, 'SITREP Cybersecurity Risks Related to COVID-19' |
IAIR.type | String | The type of report i.e. an IA/IR , for example, 'intelligence_alert' |
IAIR.uuid | String | The uuid of the IA/IR, for example, '8b8b48f1-92a0-411a-a073-3241f6819f8b' |
IAIR.analysis | String | The analysis of the IA/IR, for example, 'COVID-19 Introduces Cyberthreat Opportunities...' |
IAIR.attachment_links | String | Provides with the document links related to the Intelligence Alert. This field is specific to Intelligence Alert, for example, 'https://intelgraph.idefense.com/rest/files/download/...' |
IAIR.severity | String | Provides severity rating. This field is specific to Intelligence Alert, for example, '4' |
IAIR.mitigation | String | Provides info on how to mitigate. This field is specific to Intelligence Alert, for example, '## Expert, Experienced Advice Will be CriticalTo minimize targeting opportunities...' |
IAIR.conclusion | String | Provides conclusion of the report. This field is specific to Intelligence Report. |
IAIR.summary | String | Provides with a summary of the report. This field is specific to Intelligence Report. |
IAIR.dynamic_properties | String | Provides with the dynamic properties related to the intelligence alert/report. |
IAIR.links | String | Provides details of the linked fields related to the intelligence alert/report. |
IAIR.sources_external | String | Provides with external sources related to the intelligence alert/report. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor that was used to calculate the score. |
DBotScore.Score | String | The actual score. |
#
Command Example!acti-getThreatIntelReport uuid=8b8b48f1-92a0-411a-a073-3241f6819f8b
#
Context Example#
Human Readable OutputReport has been fetched!
UUID: 8b8b48f1-92a0-411a-a073-3241f6819f8b
Link to view report: https://intelgraph.idefense.com/#/node/intelligence_alert/view/8b8b48f1-92a0-411a-a073-3241f6819f8b