ACTI Indicator Query

This integration is part of the Accenture CTI v2 Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

ACTI provides intelligence regarding security threats and vulnerabilities. This integration was integrated and tested with version 2.93.0 of ACTI.

Configure ACTI Indicator Query on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for ACTI Indicator Query.

  3. Click Add instance to create and configure a new integration instance.

     | Parameter | Description | Required |
     | --- | --- | --- |
     | url | URL | True |
     | API Token | The API Token to use for connection | True |
     | Source Reliability | Reliability of the source providing the intelligence data. | True |
     | Trust any certificate (not secure) |  | False |
     | Use system proxy settings |  | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

Checks the reputation of the given IP address.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to check. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The IP address that was checked. |
| IP.Malicious.Vendor | String | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | String | For malicious IP addresses, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | String | The actual score. |

Command Example

!ip ip=0.0.0.0

Context Example

    {
        "DBotScore": {
            "Indicator": "0.0.0.0",
            "Reliability": "B - Usually reliable",
            "Score": 2,
            "Type": "ip",
            "Vendor": "ACTI Indicator Query"
        },
        "IP": {
            "Address": "0.0.0.0"
        }
    }

Human Readable Output

Results

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 0 | 2 | 2018-04-25 14:20:30 | 0.0.0.0 | Cyber Espionage | MALWARE_DOWNLOAD, MALWARE_C2 |

domain

Checks the reputation of the given domain.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain to check. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The name of the domain that was checked. |
| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | String | For malicious domains, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

!domain domain=example.org

Context Example

    {
        "DBotScore": {
            "Indicator": "example.org",
            "Reliability": "B - Usually reliable",
            "Score": 2,
            "Type": "domain",
            "Vendor": "ACTI Indicator Query"
        },
        "Domain": {
            "Name": "example.org"
        }
    }

Human Readable Output

Results

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 50 | 2 | 2019-09-18 15:56:49 | example.org | Cyber Crime | MALWARE_C2 |

url

Checks the reputation of the given URL.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | The URL to check (must start with "http://"). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| URL.Data | String | The URL that was checked. |
| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | String | For malicious URLs, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

!url url=http://example.com

Context Example

    {
        "DBotScore": {
            "Indicator": "http://example.com",
            "Reliability": "B - Usually reliable",
            "Score": 2,
            "Type": "url",
            "Vendor": "ACTI Indicator Query"
        },
        "URL": {
            "Data": "http://example.com"
        }
    }

Human Readable Output

Results

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 50 | 2 | 2020-09-16 20:29:35 | http://example.com | Cyber Crime | MALWARE_C2 |
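The three reputation commands above (ip, domain, url) each write a DBotScore entry next to the IP, Domain or URL object. What follows is an added example, not code shipped with the ACTI integration: a plain-Python post-processing step that takes a context structure of the shape shown in the Context Examples, normalises the Score (documented as String for ip but Number for domain and url), ranks the indicators worst-first and picks the ones that need an analyst. The sample context embeds the page's three examples plus one constructed entry (203.0.113.7 with a string score); the 0..3 DBotScore scale and its verdict labels are Cortex XSOAR's standard ones, and choose_command applies the page's own note that the url argument must start with http://.

```python
"""Added example (not code from the ACTI integration): triage the context that
the ip, domain and url commands write, without depending on the XSOAR SDK."""
import ipaddress

# Cortex XSOAR DBotScore scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
VERDICTS = {0: "unknown", 1: "good", 2: "suspicious", 3: "bad"}
VENDOR = "ACTI Indicator Query"

# Constructed sample context: the three DBotScore objects from the Context
# Examples on this page plus one made-up entry (203.0.113.7) whose Score is a
# string, as the ip command's Context Output documents it.
SAMPLE_CONTEXT = {
    "DBotScore": [
        {"Indicator": "0.0.0.0", "Reliability": "B - Usually reliable",
         "Score": 2, "Type": "ip", "Vendor": VENDOR},
        {"Indicator": "example.org", "Reliability": "B - Usually reliable",
         "Score": 2, "Type": "domain", "Vendor": VENDOR},
        {"Indicator": "http://example.com", "Reliability": "B - Usually reliable",
         "Score": 2, "Type": "url", "Vendor": VENDOR},
        {"Indicator": "203.0.113.7", "Reliability": "B - Usually reliable",
         "Score": "3", "Type": "ip", "Vendor": VENDOR},  # constructed entry
    ],
    "IP": [{"Address": "0.0.0.0"}, {"Address": "203.0.113.7"}],
    "Domain": {"Name": "example.org"},
    "URL": {"Data": "http://example.com"},
}


def as_list(value):
    """A context path holds a dict for one entry and a list for several."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def normalize_score(raw):
    """Coerce Score (String for ip, Number for domain/url) to the 0..3 scale;
    anything unparseable or out of range is treated as 0 (unknown)."""
    try:
        score = int(raw)
    except (TypeError, ValueError):
        return 0
    return score if 0 <= score <= 3 else 0


def choose_command(value):
    """Pick the reputation command for a raw indicator string. Per the url
    argument description above, a URL must start with http://; other schemes
    are reported as unsupported (None) rather than silently run as a domain."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if value.startswith("http://"):
        return "url"
    if "://" in value:
        return None
    return "domain"


def triage(context, vendor=VENDOR):
    """One row per indicator scored by `vendor`, worst score first."""
    rows = []
    for entry in as_list(context.get("DBotScore")):
        if entry.get("Vendor") != vendor:
            continue
        score = normalize_score(entry.get("Score"))
        rows.append({
            "indicator": entry.get("Indicator"),
            "type": entry.get("Type"),
            "score": score,
            "verdict": VERDICTS[score],
            "reliability": entry.get("Reliability"),
        })
    # list.sort is stable, so equal scores keep their original order
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def needs_analyst(rows, threshold=2):
    """Indicators at or above `threshold` (default 2, suspicious) for review."""
    return [r["indicator"] for r in rows if r["score"] >= threshold]


if __name__ == "__main__":
    for row in triage(SAMPLE_CONTEXT):
        print(f"{row['indicator']:<20} {row['type']:<7} {row['verdict']:<10} {row['reliability']}")
```

In a real automation the context would come from demisto.context() after the commands have run; the functions are kept independent of the XSOAR SDK so they can be unit-tested offline, and filtering on Vendor matters because other reputation integrations in the same incident write DBotScore entries of their own.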

acti-get-ioc-by-uuid

Checks the reputation of a specific indicator (URL, IP, or domain) by its UUID.

Base Command

acti-get-ioc-by-uuid

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | Unique ID (UUID) of the indicator. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The IP address. |
| IP.Malicious.Vendor | String | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | String | For malicious IP addresses, the reason the vendor made that decision. |
| Domain.Name | String | The domain name. |
| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | String | For malicious domains, the reason the vendor made that decision. |
| URL.Data | String | The URL. |
| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | String | For malicious URLs, the reason the vendor made that decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

!acti-get-ioc-by-uuid uuid=xxxx

Context Example

    {
        "DBotScore": {
            "Indicator": "example.org",
            "Reliability": "B - Usually reliable",
            "Score": 2,
            "Type": "domain",
            "Vendor": "ACTI Indicator Query"
        },
        "Domain": {
            "Name": "example.org"
        }
    }

Human Readable Output

Results

| Confidence | DbotReputation | LastPublished | Name | ThreatTypes | TypeOfUse |
| --- | --- | --- | --- | --- | --- |
| 0 | 2 | 2017-01-11 20:56:22 | example.org | Cyber Espionage | MALWARE_C2 |

acti-get-fundamentals-by-uuid

Checks the reputation of a specific Malware Family, Threat Campaign, Threat Group, or Threat Actor.

Base Command

acti-get-fundamentals-by-uuid

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | Unique ID of the specific Malware Family, Threat Campaign, Threat Group, or Threat Actor. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ACTI_MalwareFamily.display_text | String | The display text of the Malware Family, for example, 'Artemis'. |
| ACTI_MalwareFamily.threat_types | String | The threat type of the Malware Family. |
| ACTI_MalwareFamily.type | String | The type of fundamental, i.e. a Malware Family, for example, 'malware_family'. |
| ACTI_MalwareFamily.last_published | String | The last published date of the Malware Family, for example, '2022-02-11T17:24:03.604Z'. |
| ACTI_MalwareFamily.last_modified | String | The last modified date of the Malware Family, for example, '2022-02-11T17:24:03.604Z'. |
| ACTI_MalwareFamily.index_timestamp | String | The index timestamp of the Malware Family, for example, '2022-02-11T17:24:03.604Z'. |
| ACTI_MalwareFamily.created_on | String | The creation timestamp of the Malware Family, for example, '2020-03-12T22:22:25.000Z'. |
| ACTI_MalwareFamily.description | String | The description of the Malware Family. |
| ACTI_MalwareFamily.analysis | String | The analysis of the Malware Family. |
| ACTI_ThreatGroup.display_text | String | The display text of the Threat Group, for example, 'Black Shadow'. |
| ACTI_ThreatGroup.threat_types | String | The threat type of the Threat Group. |
| ACTI_ThreatGroup.type | String | The type of fundamental, i.e. a Threat Group, for example, 'threat_group'. |
| ACTI_ThreatGroup.last_published | String | The last published date of the Threat Group, for example, '2022-02-11T17:24:03.604Z'. |
| ACTI_ThreatGroup.last_modified | String | The last modified date of the Threat Group, for example, '2022-02-11T17:24:03.604Z'. |
| ACTI_ThreatGroup.index_timestamp | String | The index timestamp of the Threat Group, for example, '2022-02-11T17:24:03.604Z'. |
| ACTI_ThreatGroup.created_on | String | The creation timestamp of the Threat Group, for example, '2020-03-12T22:22:25.000Z'. |
| ACTI_ThreatGroup.description | String | The description of the Threat Group. |
| ACTI_ThreatGroup.analysis | String | The analysis of the Threat Group. |
| ACTI_ThreatActor.display_text | String | The display text of the Threat Actor, for example, 'RastaFarEye'. |
| ACTI_ThreatActor.threat_types | String | The threat type of the Threat Actor. |
| ACTI_ThreatActor.type | String | The type of fundamental, i.e. a Threat Actor, for example, 'threat_actor'. |
| ACTI_ThreatActor.last_published | String | The last published date of the Threat Actor, for example, '2022-02-11T17:24:03.604Z'. |
| ACTI_ThreatActor.last_modified | String | The last modified date of the Threat Actor, for example, '2022-02-11T17:24:03.604Z'. |
| ACTI_ThreatActor.index_timestamp | String | The index timestamp of the Threat Actor, for example, '2022-02-11T17:24:03.604Z'. |
| ACTI_ThreatActor.created_on | String | The creation timestamp of the Threat Actor, for example, '2020-03-12T22:22:25.000Z'. |
| ACTI_ThreatActor.description | String | The description of the Threat Actor. |
| ACTI_ThreatActor.analysis | String | The analysis of the Threat Actor. |
| ACTI_ThreatCampaign.display_text | String | The display text of the Threat Campaign, for example, 'FBI Flash CU-000141-MW'. |
| ACTI_ThreatCampaign.threat_types | String | The threat type of the Threat Campaign. |
| ACTI_ThreatCampaign.type | String | The type of fundamental, i.e. a Threat Campaign, for example, 'threat_campaign'. |
| ACTI_ThreatCampaign.last_published | String | The last published date of the Threat Campaign, for example, '2022-02-11T17:24:03.604Z'. |
| ACTI_ThreatCampaign.last_modified | String | The last modified date of the Threat Campaign, for example, '2022-02-11T17:24:03.604Z'. |
| ACTI_ThreatCampaign.index_timestamp | String | The index timestamp of the Threat Campaign, for example, '2022-02-11T17:24:03.604Z'. |
| ACTI_ThreatCampaign.created_on | String | The creation timestamp of the Threat Campaign, for example, '2020-03-12T22:22:25.000Z'. |
| ACTI_ThreatCampaign.description | String | The description of the Threat Campaign. |
| ACTI_ThreatCampaign.analysis | String | The analysis of the Threat Campaign. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

!acti-get-fundamentals-by-uuid uuid=7q2b129s-6421-4e22-a276-22be5f76cba8

Context Example

    {
        "DBotScore": {
            "Indicator": "7q2b129s-6421-4e22-a276-22be5f76cba8",
            "Reliability": "B - Usually reliable",
            "Score": 2,
            "Type": "ACTI Malware Family",
            "Vendor": "ACTI Indicator Query"
        },
        "ACTI_MalwareFamily": {
            "Name": "Danabot",
            "DbotReputation": 2,
            "ThreatTypes": "Cyber Crime",
            "Type": "malware_family",
            "LastPublished": "2021-04-02T04:40:19.000Z",
            "LastModified": "2021-04-02T04:40:19.000Z",
            "IndexTimestamp": "2021-04-02T04:40:19.000Z",
            "Severity": 3,
            "CreatedOn": "2021-04-02T04:40:19.000Z"
        }
    }

Human Readable Output

Danabot

For more insight click: https://intelgraph.idefense.com/#/node/malware_family/view/7q2b129s-6421-4e22-a276-22be5f76cba8

| CreatedOn | DBotReputation | IndexTimestamp | LastModified | LastPublished | Name | Severity | ThreatTypes | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2021-04-02 04:40:19 | 2 | 2021-04-02 04:40:19 | 2021-04-02 04:40:19 | 2021-04-02 04:40:19 | Danabot | 3 | Cyber Crime | malware_family |

acti-getThreatIntelReport

Fetches Intelligence Alerts and Intelligence Reports.

Base Command

acti-getThreatIntelReport

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | UUID of the Intelligence Alert/Report (IA/IR) in the ACTI IntelGraph platform. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IAIR.abstract | String | Specific to Intelligence Alerts; provides a summarised context, for example, 'The worldwide COVID-19 outbreak...'. |
| IAIR.last_published | String | The last published timestamp of the IA/IR, for example, '2020-06-26T01:14:56.000Z'. |
| IAIR.index_timestamp | String | The index timestamp of the IA/IR, for example, '2022-02-11T17:24:03.604Z'. |
| IAIR.display_text | String | The display text of the IA/IR, for example, 'SITREP Cybersecurity Risks Related to COVID-19'. |
| IAIR.value | String | The value of the IA/IR, for example, '8b8b48f1-92a0-411a-a073-3241f6819f8b'. |
| IAIR.last_modified | String | The last modified timestamp of the IA/IR, for example, '2022-02-11T17:21:48.000Z'. |
| IAIR.threat_types | String | The threat types of the IA/IR, joined into one string formatted for display, for example, '- Hacktivism- Cyber Espionage- Cyber Crime- Vulnerability'. |
| IAIR.created_on | String | The creation timestamp of the IA/IR, for example, '2020-03-12T22:22:25.000Z'. |
| IAIR.title | String | The title of the IA/IR, for example, 'SITREP Cybersecurity Risks Related to COVID-19'. |
| IAIR.type | String | The type of report, i.e. an IA or an IR, for example, 'intelligence_alert'. |
| IAIR.uuid | String | The UUID of the IA/IR, for example, '8b8b48f1-92a0-411a-a073-3241f6819f8b'. |
| IAIR.analysis | String | The analysis of the IA/IR, for example, 'COVID-19 Introduces Cyberthreat Opportunities...'. |
| IAIR.attachment_links | String | Links to the documents related to the Intelligence Alert. Specific to Intelligence Alerts, for example, 'https://intelgraph.idefense.com/rest/files/download/...'. |
| IAIR.severity | String | The severity rating. Specific to Intelligence Alerts, for example, '4'. |
| IAIR.mitigation | String | Guidance on how to mitigate. Specific to Intelligence Alerts, for example, '## Expert, Experienced Advice Will be CriticalTo minimize targeting opportunities...'. |
| IAIR.conclusion | String | The conclusion of the report. Specific to Intelligence Reports. |
| IAIR.summary | String | A summary of the report. Specific to Intelligence Reports. |
| IAIR.dynamic_properties | String | The dynamic properties related to the intelligence alert/report. |
| IAIR.links | String | Details of the fields linked to the intelligence alert/report. |
| IAIR.sources_external | String | External sources related to the intelligence alert/report. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor that was used to calculate the score. |
| DBotScore.Score | String | The actual score. |

Command Example

!acti-getThreatIntelReport uuid=8b8b48f1-92a0-411a-a073-3241f6819f8b

Context Example

    {
        "DBotScore": {
            "Indicator": "8b8b48f1-92a0-411a-a073-3241f6819f8b",
            "Reliability": "B - Usually reliable",
            "Score": 2,
            "Type": "ACTI Intelligence Alert",
            "Vendor": "ACTI Indicator Query"
        },
        "IAIR": {
            "abstract": "The worldwide COVID-19 outbreak, which the World Health Organization (WHO) declared a pandemic......",
            "last_published": "2020-06-26T01:14:56.000Z",
            "index_timestamp": "2022-02-11T17:24:03.604Z",
            "display_text": "SITREP: Cybersecurity Risks Related to COVID-19",
            "value": "8b8b48f1-92a0-411a-a073-3241f6819f8b",
            "sources_external": {},
            "last_modified": "2022-02-11T17:21:48.000Z",
            "dynamic_properties": {},
            "threat_types": "- Hacktivism- Cyber Espionage- Cyber Crime- Vulnerability",
            "created_on": "2020-03-12T22:22:25.000Z",
            "title": "SITREP: Cybersecurity Risks Related to COVID-19",
            "links": {},
            "type": "intelligence_alert",
            "uuid": "8b8b48f1-92a0-411a-a073-3241f6819f8b",
            "analysis": "##COVID-19 Introduces Cyberthreat Opportunities####Exploitation of Work-from-Home.....",
            "attachment_links": "- https://intelgraph.idefense.com/rest/files/download/08/f0/05/7f1f609e7659dc......",
            "severity": 4,
            "mitigation": "##Expert, Experienced Advice Will be CriticalTo minimize targeting opportunities...."
        }
    }

Human Readable Output

Report has been fetched! UUID: 8b8b48f1-92a0-411a-a073-3241f6819f8b Link to view report: https://intelgraph.idefense.com/#/node/intelligence_alert/view/8b8b48f1-92a0-411a-a073-3241f6819f8b
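The IAIR record mixes display-formatted strings (threat_types and attachment_links are joined with "- "), fields that exist only for Intelligence Alerts (abstract, attachment_links, severity, mitigation) or only for Intelligence Reports (conclusion, summary), and a severity that the table documents as String while the example shows a number. The block below is an added example and not part of the integration: it flattens one such record into a typed summary, rebuilds the IntelGraph view link in the form shown in the Human Readable Output, and keeps only https attachment links on the IntelGraph host before anything downstream fetches them. The sample record is constructed from the Context Example; its attachment paths are placeholders, and the assumption that several links are joined the same way as threat_types is mine, not the page's.

```python
"""Added example (not the integration's own code): flatten one IAIR record
returned by acti-getThreatIntelReport into a typed summary."""
from urllib.parse import urlparse

INTELGRAPH_HOST = "intelgraph.idefense.com"

# Constructed sample based on the Context Example above. The attachment paths
# are placeholders; joining several links with "- " (like threat_types) is an
# assumption about the display formatting, not something the page documents.
SAMPLE_IAIR = {
    "type": "intelligence_alert",
    "uuid": "8b8b48f1-92a0-411a-a073-3241f6819f8b",
    "title": "SITREP: Cybersecurity Risks Related to COVID-19",
    "threat_types": "- Hacktivism- Cyber Espionage- Cyber Crime- Vulnerability",
    "severity": "4",
    "attachment_links": ("- https://intelgraph.idefense.com/rest/files/download/placeholder_a"
                         "- http://files.example.net/placeholder_b"),
    "mitigation": "##Expert, Experienced Advice Will be Critical...",
    "last_published": "2020-06-26T01:14:56.000Z",
}


def split_dash_list(text):
    """Undo the '- a- b- c' display formatting. Caveat: an item that itself
    contains '- ' would be split as well; none of the documented values do."""
    if not text:
        return []
    if not isinstance(text, str):
        return list(text)
    return [part.strip() for part in text.split("- ") if part.strip()]


def safe_attachment_links(text):
    """Keep only https links on the IntelGraph host, so an automation that
    downloads attachments never follows a link to some other origin."""
    kept = []
    for link in split_dash_list(text):
        parts = urlparse(link)
        if parts.scheme == "https" and parts.hostname == INTELGRAPH_HOST:
            kept.append(link)
    return kept


def to_int(value):
    """Severity is documented as String but shown as a number; accept both."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def view_url(kind, uuid):
    """IntelGraph view link in the form shown in the Human Readable Output."""
    return f"https://{INTELGRAPH_HOST}/#/node/{kind}/view/{uuid}"


def summarize_report(iair):
    """Flat, typed summary of one IAIR context object; IA-only and IR-only
    fields are included only for the matching report type."""
    kind = iair.get("type", "")
    summary = {
        "uuid": iair.get("uuid"),
        "type": kind,
        "title": iair.get("title") or iair.get("display_text"),
        "threat_types": split_dash_list(iair.get("threat_types")),
        "last_published": iair.get("last_published"),
        "view_url": view_url(kind, iair.get("uuid")),
    }
    if kind == "intelligence_alert":
        summary["severity"] = to_int(iair.get("severity"))
        summary["attachments"] = safe_attachment_links(iair.get("attachment_links"))
        summary["abstract"] = iair.get("abstract")
        summary["mitigation"] = iair.get("mitigation")
    elif kind == "intelligence_report":
        summary["summary"] = iair.get("summary")
        summary["conclusion"] = iair.get("conclusion")
    return summary


if __name__ == "__main__":
    for key, value in summarize_report(SAMPLE_IAIR).items():
        print(f"{key}: {value}")
```

The host check in safe_attachment_links is the part worth keeping even if the rest is adapted: report content is vendor-supplied text, and a playbook that fetches every link it finds in a context field should pin the origin it trusts rather than follow whatever the string contains.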