Cyware Threat Intelligence eXchange

This is Cyware Threat Intelligence eXhange(CTIX) integration which enriches IP/Domain/URL/File Data. This integration was integrated and tested with version 2.4 and 2.7 of CTIX. Supported Cortex XSOAR versions: 5.0.0 and later.

Configure CTIX on Cortex XSOAR#

Navigate to Settings > Integrations > Servers & Services.
Search for CTIX.
Click Add instance to create and configure a new integration instance.
Parameter Description Required
base_url Endpoint URL True
access_id Access Key True
secret_key Secret Key True
insecure Trust any certificate (not secure) False
proxy Use system proxy settings False
Click Test to validate the URLs, token, and connection.

Parameter	Description	Required
base_url	Endpoint URL	True
access_id	Access Key	True
secret_key	Secret Key	True
insecure	Trust any certificate (not secure)	False
proxy	Use system proxy settings	False

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#

Return IP Details.

Base Command#

ip

Input#

Argument Name	Description	Required
ip	List of IPs.	Required
enhanced	Boolean Flag which when enabled returns an enhanced response which includes the extra enhancement data from various sources. Possible values are: true, false.	Optional

Context Output#

Path	Type	Description
IP.Address	String	IP address.
IP.ASN	String	The autonomous system name for the IP address.
DBotScore.Indicator	String	The indicator that was tested.
DBotScore.Score	Number	The actual score.
DBotScore.Type	String	The indicator type.
DBotScore.Vendor	String	The vendor used to calculate the score.
CTIX.IP.tenant_id	string	Tenant ID
CTIX.IP.stix_object_id	string	ID of the Threat Data Object in CTIX application
CTIX.IP.tlp_data	string	TLP Value of the Threat Data Object
CTIX.IP.first_seen	string	Timestamp of when the IP was first seen on the CTIX application
CTIX.IP.last_seen	string	Timestamp of when the IP was latest seen on the CTIX application
CTIX.IP.deprecated	boolean	Shows if the Threat Data Object is deprecated on the CTIX application
CTIX.IP.intel_grading	string	Intel grading
CTIX.IP.criticality	number	Criticality of the Threat Data Object on the scale of 0-5
CTIX.IP.indicator_type	string	Threat Data Object type
CTIX.IP.package_id	unknown	List of IDs of packages on the CTIX application through which these IPs were received
CTIX.IP.source	unknown	List of sources from which the IP address was received in the CTIX application
CTIX.IP.risk_severity	number	Risk Severity of the Threat Data Object on the scale of 0-5
CTIX.IP.labels	unknown	List of Tags applied on the Threat Data Object
CTIX.IP.source_grading	string	Source Grading
CTIX.IP.name2	string	Value of the Threat Data Object
CTIX.IP.published_collections	unknown	Published collections
CTIX.IP.published_package_id	unknown	Package ID
CTIX.IP.blocked	boolean	Shows if the Threat Data Object is blocked on the CTIX application
CTIX.IP.blocked_time	string	Timestamp of when the Threat Data Object was blocked on the CTIX application.
CTIX.IP.deprecated_time	string	Timestamp of when the Threat Data Object was deprecated on the CTIX application
CTIX.IP.notification_preference	unknown	Notification preference
CTIX.IP.followed_on	unknown	Followed On
CTIX.IP.score	number	CTIX Confidence Score of the IP Object out of 100
CTIX.IP.type	string	Type of object
CTIX.IP.subscriber_id	unknown	List of Subscriber IDs
CTIX.IP.subscriber	unknown	List of Subscribers
CTIX.IP.subscriber_collection_id	unknown	List of Subscriber Collection IDs
CTIX.IP.subscriber_collection	unknown	List of Subscriber Collection
CTIX.IP.object_type	string	Type of object
CTIX.IP.blocked_on	unknown	Name of the Application where the Threat Data Object was blocked on.
CTIX.IP.follow_by	unknown	List of Cyware Users who follow the object.
CTIX.IP.is_false_positive	boolean	Shows if the Threat Data Object was marked false positive in the CTIX application
CTIX.IP.domain_tld	string	Top-Level Domain information about the Threat Data Object.
CTIX.IP.asn	string	ASN number of the Threat Data Object
CTIX.IP.registered_domain	string	Registered Domain
CTIX.IP.geo_details	unknown	Geographic details of the Threat Data Object
CTIX.IP.country	string	Geographic details of the Object
CTIX.IP.registrar	string	Registrar
CTIX.IP.file_extension	string	File Extension
CTIX.IP.whitelisted	unknown	List
CTIX.IP.object_description	string	Description of the Threat Data Object.
CTIX.IP.custom_score	number	Custom Score of the Threat Data Object
CTIX.IP.is_following	boolean	Boolean Value
CTIX.IP.under_review	boolean	Shows if Threat Data Object is marked as Under Review on the CTIX application
CTIX.IP.under_reviewed_time	string	Timestamp when the object was marked under review.
CTIX.IP.reviewed	boolean	Shows if the Threat Data Object is Marked as Reviewed on the CTIX application
CTIX.IP.reviewed_time	string	Timestamp when then object was reviewed.
CTIX.IP.object_description_defang	string	Description of the object.
CTIX.IP.source_data	unknown	List of sources from which CTIX received this IP.
CTIX.IP.related_fields	unknown	Relationship Data about the Threat Data Object present on the CTIX application
CTIX.IP.enhancement_data	unknown	Additional enhanced data about the Threat Data Object fetched by the CTIX application

Command Example#

!ip ip="8.8.8.8" enhanced=True

Context Example#

{
    "CTIX": {
        "IP": {
            "asn": "AS3356",
            "blocked": false,
            "blocked_on": [],
            "blocked_time": 0,
            "country": "United States",
            "criticality": 0,
            "custom_score": 0,
            "deprecated": false,
            "deprecated_time": null,
            "domain_tld": null,
            "enhancement_data": {},
            "file_extension": null,
            "first_seen": 1608281585,
            "follow_by": [],
            "followed_on": null,
            "geo_details": {
                "city": {
                    "city": null,
                    "continent_code": "NA",
                    "continent_name": "North America",
                    "country_code": "US",
                    "country_name": "United States",
                    "dma_code": null,
                    "latitude": 37.751,
                    "longitude": -97.822,
                    "postal_code": null,
                    "region": null,
                    "time_zone": "America/Chicago"
                },
                "country": {
                    "country_code": "US",
                    "country_name": "United States"
                }
            },
            "indicator_type": "ipv4-addr",
            "intel_grading": null,
            "is_false_positive": false,
            "is_following": false,
            "labels": [],
            "last_seen": 1608281585,
            "name2": "8.8.8.8",
            "notification_preference": null,
            "object_description": "",
            "object_description_defang": "",
            "object_type": "indicator",
            "package_id": [
                "package-4a183313-81cb-42bf-b3ed-f163662c2fcd"
            ],
            "published_collections": [],
            "published_package_id": [],
            "registered_domain": null,
            "registrar": null,
            "related_fields": {
                "attack_pattern": [],
                "campaign": [],
                "course_of_action": [],
                "indicator": [],
                "intrusion_set": [],
                "kill_chain_phases": [],
                "malware": [],
                "threat_actor": [],
                "tool": [],
                "ttp": []
            },
            "reviewed": false,
            "reviewed_time": 0,
            "risk_severity": 0,
            "score": 62.5,
            "source": [
                "Import"
            ],
            "source_data": [
                {
                    "id": "d1d3b628-346f-43c3-a369-235661ac6277",
                    "name": "Import"
                }
            ],
            "source_grading": null,
            "stix_object_id": "indicator--b09b6649-56ba-4acd-88fd-f84aadf85b55",
            "subscriber": [],
            "subscriber_collection": [],
            "subscriber_collection_id": [],
            "subscriber_id": [],
            "tenant_id": "0a834138-cc59-4107-aa69-46e6080f06af",
            "tlp_data": "GREEN",
            "type": "Indicator",
            "under_review": false,
            "under_reviewed_time": 0,
            "value": "8.8.8.8",
            "whitelisted": []
        }
    },
    "DBotScore": [
        {
            "Indicator": "8.8.8.8",
            "Score": 2,
            "Type": "ip",
            "Vendor": "HelloWorld"
        },
        {
            "Indicator": "8.8.8.8",
            "Score": 2,
            "Type": "ip",
            "Vendor": "CTIX"
        }
    ],
    "IP": {
        "ASN": "AS3356",
        "Address": "8.8.8.8"
    }
}

Human Readable Output#

IP List#
asn blocked blocked_time country criticality custom_score deprecated first_seen geo_details indicator_type is_false_positive is_following last_seen name2 object_type package_id related_fields reviewed reviewed_time risk_severity score source source_data stix_object_id tenant_id tlp_data type under_review under_reviewed_time value
AS3356 false 0 United States 0 0.0 false 1608281585 country: {"country_code": "US", "country_name": "United States"}
city: {"city": null, "continent_code": "NA", "continent_name": "North America", "country_code": "US", "country_name": "United States", "dma_code": null, "latitude": 37.751, "longitude": -97.822, "postal_code": null, "region": null, "time_zone": "America/Chicago"} ipv4-addr false false 1608281585 8.8.8.8 indicator package-4a183313-81cb-42bf-b3ed-f163662c2fcd attack_pattern:
campaign:
intrusion_set:
malware:
threat_actor:
tool:
indicator:
ttp:
kill_chain_phases:
course_of_action: false 0 0 62.5 Import {'name': 'Import', 'id': 'd1d3b628-346f-43c3-a369-235661ac6277'} indicator--b09b6649-56ba-4acd-88fd-f84aadf85b55 0a834138-cc59-4107-aa69-46e6080f06af GREEN Indicator false 0

domain#

Return Domain Details.

Base Command#

domain

Input#

Argument Name	Description	Required
domain	List of Domains.	Required
enhanced	Boolean Flag which when enabled returns an enhanced response which includes the extra enhancement data from various sources. Possible values are: true, false.	Optional

Context Output#

Path	Type	Description
Domain.Name	String	The domain name.
DBotScore.Indicator	String	The indicator that was tested.
DBotScore.Score	Number	The actual score.
DBotScore.Type	String	The indicator type.
DBotScore.Vendor	String	The vendor used to calculate the score.
CTIX.Domain.tenant_id	string	Tenant ID
CTIX.Domain.stix_object_id	string	ID of the Threat Data Object in CTIX application
CTIX.Domain.tlp_data	string	TLP Value of the Threat Data Object
CTIX.Domain.first_seen	string	Timestamp of when the IP was first seen on the CTIX application
CTIX.Domain.last_seen	string	Timestamp of when the IP was latest seen on the CTIX application
CTIX.Domain.deprecated	boolean	Shows if the Threat Data Object is deprecated on the CTIX application
CTIX.Domain.intel_grading	string	Intel grading
CTIX.Domain.criticality	number	Criticality of the Threat Data Object on the scale of 0-5
CTIX.Domain.indicator_type	string	Threat Data Object type
CTIX.Domain.package_id	unknown	List of IDs of packages on the CTIX application through which these IPs were received
CTIX.Domain.source	unknown	List of sources from which the IP address was received in the CTIX application
CTIX.Domain.risk_severity	number	Risk Severity of the Threat Data Object on the scale of 0-5
CTIX.Domain.labels	unknown	List of Tags applied on the Threat Data Object
CTIX.Domain.source_grading	string	Source Grading
CTIX.Domain.name2	string	Value of the Threat Data Object
CTIX.Domain.published_collections	unknown	Published collections
CTIX.Domain.published_package_id	unknown	Package ID
CTIX.Domain.blocked	boolean	Shows if the Threat Data Object is blocked on the CTIX application
CTIX.Domain.blocked_time	string	Timestamp of when the Threat Data Object was blocked on the CTIX application.
CTIX.Domain.deprecated_time	string	Timestamp of when the Threat Data Object was deprecated on the CTIX application
CTIX.Domain.notification_preference	unknown	Notification preference
CTIX.Domain.followed_on	unknown	Followed On
CTIX.Domain.score	number	CTIX Confidence Score of the IP Object out of 100
CTIX.Domain.type	string	Type of object
CTIX.Domain.subscriber_id	unknown	List of Subscriber IDs
CTIX.Domain.subscriber	unknown	List of Subscribers
CTIX.Domain.subscriber_collection_id	unknown	List of Subscriber Collection IDs
CTIX.Domain.subscriber_collection	unknown	List of Subscriber Collection
CTIX.Domain.object_type	string	Type of object
CTIX.Domain.blocked_on	unknown	Name of the Application where the Threat Data Object was blocked on.
CTIX.Domain.follow_by	unknown	List of Cyware Users who follow the object.
CTIX.Domain.is_false_positive	boolean	Shows if the Threat Data Object was marked false positive in the CTIX application
CTIX.Domain.domain_tld	string	Top-Level Domain information about the Threat Data Object.
CTIX.Domain.asn	string	ASN number of the Threat Data Object
CTIX.Domain.registered_domain	string	Registered Domain
CTIX.Domain.geo_details	unknown	Geographic details of the Threat Data Object
CTIX.Domain.country	string	Geographic details of the Object
CTIX.Domain.registrar	string	Registrar
CTIX.Domain.file_extension	string	File Extension
CTIX.Domain.whitelisted	unknown	List
CTIX.Domain.object_description	string	Description of the Threat Data Object.
CTIX.Domain.custom_score	number	Custom Score of the Threat Data Object
CTIX.Domain.is_following	boolean	Boolean Value
CTIX.Domain.under_review	boolean	Shows if Threat Data Object is marked as Under Review on the CTIX application
CTIX.Domain.under_reviewed_time	string	Timestamp when the object was marked under review.
CTIX.Domain.reviewed	boolean	Shows if the Threat Data Object is Marked as Reviewed on the CTIX application
CTIX.Domain.reviewed_time	string	Timestamp when then object was reviewed.
CTIX.Domain.object_description_defang	string	Description of the object.
CTIX.Domain.source_data	unknown	List of sources from which CTIX received this IP.
CTIX.Domain.related_fields	unknown	Relationship Data about the Threat Data Object present on the CTIX application
CTIX.Domain.enhancement_data	unknown	Additional enhanced data about the Threat Data Object fetched by the CTIX application

Command Example#

!domain domain="google.com" enhanced=True

Context Example#

{
    "CTIX": {
        "Domain": {
            "asn": null,
            "blocked": false,
            "blocked_on": [],
            "blocked_time": 0,
            "country": null,
            "criticality": 0,
            "custom_score": 0,
            "deprecated": false,
            "deprecated_time": null,
            "domain_tld": ".com",
            "enhancement_data": {},
            "file_extension": null,
            "first_seen": 1606486346,
            "follow_by": [],
            "followed_on": null,
            "geo_details": {},
            "indicator_type": "domain",
            "intel_grading": null,
            "is_false_positive": false,
            "is_following": false,
            "labels": [],
            "last_seen": 1607004096,
            "name2": "google.com",
            "notification_preference": null,
            "object_description": "",
            "object_description_defang": "",
            "object_type": "indicator",
            "package_id": [
                "package-caffb979-5a33-4787-8813-07319fa365df"
            ],
            "published_collections": [],
            "published_package_id": [],
            "registered_domain": "google.com",
            "registrar": null,
            "related_fields": {
                "attack_pattern": [],
                "campaign": [],
                "course_of_action": [],
                "indicator": [],
                "intrusion_set": [],
                "kill_chain_phases": [],
                "malware": [],
                "threat_actor": [],
                "tool": [],
                "ttp": []
            },
            "reviewed": false,
            "reviewed_time": 0,
            "risk_severity": 0,
            "score": 62.5,
            "source": [
                "pop3",
                "PoP3"
            ],
            "source_data": [
                {
                    "id": "2e29c86a-fb67-4ead-88ff-396ed3cef3e4",
                    "name": "PoP3"
                },
                {
                    "id": "da862993-bf78-4bdd-a715-83dbfb685a6c",
                    "name": "pop3"
                }
            ],
            "source_grading": null,
            "stix_object_id": "indicator--9949458d-0dd0-4f52-8d29-01f741359f58",
            "subscriber": [],
            "subscriber_collection": [],
            "subscriber_collection_id": [],
            "subscriber_id": [],
            "tenant_id": "0a834138-cc59-4107-aa69-46e6080f06af",
            "tlp_data": "GREEN",
            "type": "Indicator",
            "under_review": false,
            "under_reviewed_time": 0,
            "value": "google.com",
            "whitelisted": []
        }
    },
    "DBotScore": {
        "Indicator": "google.com",
        "Score": 2,
        "Type": "domain",
        "Vendor": "CTIX"
    },
    "Domain": {
        "Name": "google.com"
    }
}

Human Readable Output#

Domain List#
blocked blocked_time criticality custom_score deprecated domain_tld first_seen indicator_type is_false_positive is_following last_seen name2 object_type package_id registered_domain related_fields reviewed reviewed_time risk_severity score source source_data stix_object_id tenant_id tlp_data type under_review under_reviewed_time value
false 0 0 0.0 false .com 1606486346 domain false false 1607004096 google.com indicator package-caffb979-5a33-4787-8813-07319fa365df google.com attack_pattern:
campaign:
intrusion_set:
malware:
threat_actor:
tool:
indicator:
ttp:
kill_chain_phases:
course_of_action: false 0 0 62.5 pop3,
PoP3 {'name': 'PoP3', 'id': '2e29c86a-fb67-4ead-88ff-396ed3cef3e4'},
{'name': 'pop3', 'id': 'da862993-bf78-4bdd-a715-83dbfb685a6c'} indicator--9949458d-0dd0-4f52-8d29-01f741359f58 0a834138-cc59-4107-aa69-46e6080f06af GREEN Indicator false 0 google.com

url#

Return URL Details.

Base Command#

url

Input#

Argument Name	Description	Required
url	List of URLs.	Required
enhanced	Boolean Flag which when enabled returns an enhanced response which includes the extra enhancement data from various sources. Possible values are: true, false.	Optional

Context Output#

Path	Type	Description
URL.Data	String	The URL.
DBotScore.Indicator	String	The indicator that was tested.
DBotScore.Score	Number	The actual score.
DBotScore.Type	String	The indicator type.
DBotScore.Vendor	String	The vendor used to calculate the score.
CTIX.URL.tenant_id	string	Tenant ID
CTIX.URL.stix_object_id	string	ID of the Threat Data Object in CTIX application
CTIX.URL.tlp_data	string	TLP Value of the Threat Data Object
CTIX.URL.first_seen	string	Timestamp of when the IP was first seen on the CTIX application
CTIX.URL.last_seen	string	Timestamp of when the IP was latest seen on the CTIX application
CTIX.URL.deprecated	boolean	Shows if the Threat Data Object is deprecated on the CTIX application
CTIX.URL.intel_grading	string	Intel grading
CTIX.URL.criticality	number	Criticality of the Threat Data Object on the scale of 0-5
CTIX.URL.indicator_type	string	Threat Data Object type
CTIX.URL.package_id	unknown	List of IDs of packages on the CTIX application through which these IPs were received
CTIX.URL.source	unknown	List of sources from which the IP address was received in the CTIX application
CTIX.URL.risk_severity	number	Risk Severity of the Threat Data Object on the scale of 0-5
CTIX.URL.labels	unknown	List of Tags applied on the Threat Data Object
CTIX.URL.source_grading	string	Source Grading
CTIX.URL.name2	string	Value of the Threat Data Object
CTIX.URL.published_collections	unknown	Published collections
CTIX.URL.published_package_id	unknown	Package ID
CTIX.URL.blocked	boolean	Shows if the Threat Data Object is blocked on the CTIX application
CTIX.URL.blocked_time	string	Timestamp of when the Threat Data Object was blocked on the CTIX application.
CTIX.URL.deprecated_time	string	Timestamp of when the Threat Data Object was deprecated on the CTIX application
CTIX.URL.notification_preference	unknown	Notification preference
CTIX.URL.followed_on	unknown	Followed On
CTIX.URL.score	number	CTIX Confidence Score of the IP Object out of 100
CTIX.URL.type	string	Type of object
CTIX.URL.subscriber_id	unknown	List of Subscriber IDs
CTIX.URL.subscriber	unknown	List of Subscribers
CTIX.URL.subscriber_collection_id	unknown	List of Subscriber Collection IDs
CTIX.URL.subscriber_collection	unknown	List of Subscriber Collection
CTIX.URL.object_type	string	Type of object
CTIX.URL.blocked_on	unknown	Name of the Application where the Threat Data Object was blocked on.
CTIX.URL.follow_by	unknown	List of Cyware Users who follow the object.
CTIX.URL.is_false_positive	boolean	Shows if the Threat Data Object was marked false positive in the CTIX application
CTIX.URL.domain_tld	string	Top-Level Domain information about the Threat Data Object.
CTIX.URL.asn	string	ASN number of the Threat Data Object
CTIX.URL.registered_domain	string	Registered Domain
CTIX.URL.geo_details	unknown	Geographic details of the Threat Data Object
CTIX.URL.country	string	Geographic details of the Object
CTIX.URL.registrar	string	Registrar
CTIX.URL.file_extension	string	File Extension
CTIX.URL.whitelisted	unknown	List
CTIX.URL.object_description	string	Description of the Threat Data Object.
CTIX.URL.custom_score	number	Custom Score of the Threat Data Object
CTIX.URL.is_following	boolean	Boolean Value
CTIX.URL.under_review	boolean	Shows if Threat Data Object is marked as Under Review on the CTIX application
CTIX.URL.under_reviewed_time	string	Timestamp when the object was marked under review.
CTIX.URL.reviewed	boolean	Shows if the Threat Data Object is Marked as Reviewed on the CTIX application
CTIX.URL.reviewed_time	string	Timestamp when then object was reviewed.
CTIX.URL.object_description_defang	string	Description of the object.
CTIX.URL.source_data	unknown	List of sources from which CTIX received this IP.
CTIX.URL.related_fields	unknown	Relationship Data about the Threat Data Object present on the CTIX application
CTIX.URL.enhancement_data	unknown	Additional enhanced data about the Threat Data Object fetched by the CTIX application

Command Example#

!url url="https://www.test.com/" enhanced=True

Context Example#

{
    "CTIX": {
        "URL": {
            "asn": null,
            "blocked": false,
            "blocked_on": [],
            "blocked_time": 0,
            "country": null,
            "criticality": 3,
            "custom_score": 0,
            "deprecated": false,
            "deprecated_time": null,
            "domain_tld": ".com",
            "enhancement_data": {},
            "file_extension": null,
            "first_seen": 1605768210,
            "follow_by": [],
            "followed_on": null,
            "geo_details": {},
            "indicator_type": "url",
            "intel_grading": null,
            "is_false_positive": false,
            "is_following": false,
            "labels": [
                {
                    "colour_code": null,
                    "created": 1605030281,
                    "created_by": "system@default.tld",
                    "id": "23ccc391-6968-4734-b93e-d4985e23dcfd",
                    "modified": 1605030281,
                    "modified_by": "system@default.tld",
                    "name": "anomalous-activity"
                }
            ],
            "last_seen": 1605894588,
            "name2": "https://www.test.com/",
            "notification_preference": null,
            "object_description": "",
            "object_description_defang": "",
            "object_type": "indicator",
            "package_id": [
                "package-fd79e1a4-db90-4748-b9cb-f72264bf3ffe",
                "package-63f2228a-7037-4e56-a3df-23644ba3be64"
            ],
            "published_collections": [
                "inbox & polling",
                "adsa",
                "newtestcollection1 - edited"
            ],
            "published_package_id": [
                "5df96375-1e0d-494b-870f-3f029d5cc565",
                "bbb62de5-f71f-4ca9-81b7-c4e94e3640cf",
                "96c58eb5-5784-4de5-8aa7-b4292525914c"
            ],
            "registered_domain": "test.com",
            "registrar": null,
            "related_fields": {
                "attack_pattern": [],
                "campaign": [],
                "course_of_action": [],
                "indicator": [],
                "intrusion_set": [],
                "kill_chain_phases": [],
                "malware": [],
                "threat_actor": [],
                "tool": [],
                "ttp": []
            },
            "reviewed": false,
            "reviewed_time": 0,
            "risk_severity": 5,
            "score": 58.18,
            "source": [
                "customsource1.x",
                "Import"
            ],
            "source_data": [
                {
                    "id": "d1d3b628-346f-43c3-a369-235661ac6277",
                    "name": "Import"
                },
                {
                    "id": "012072c9-1421-4960-ab01-2bb541596374",
                    "name": "customsource1.x"
                }
            ],
            "source_grading": null,
            "stix_object_id": "indicator--70414571-660b-4360-b064-f0cf58caf903",
            "subscriber": [],
            "subscriber_collection": [],
            "subscriber_collection_id": [],
            "subscriber_id": [],
            "tenant_id": "0a834138-cc59-4107-aa69-46e6080f06af",
            "tlp_data": "GREEN",
            "type": "Indicator",
            "under_review": false,
            "under_reviewed_time": 0,
            "value": "https://test.com/",
            "whitelisted": []
        }
    },
    "DBotScore": {
        "Indicator": "https://test.com/",
        "Score": 2,
        "Type": "url",
        "Vendor": "CTIX"
    },
    "URL": {
        "Data": "https://test.com/"
    }
}

Human Readable Output#

URL List#
blocked blocked_time criticality custom_score deprecated domain_tld first_seen indicator_type is_false_positive is_following labels last_seen name2 object_type package_id published_collections published_package_id registered_domain related_fields reviewed reviewed_time risk_severity score source source_data stix_object_id tenant_id tlp_data type under_review under_reviewed_time value
false 0 3 0.0 false .com 1605768210 url false false {'id': '23ccc391-6968-4734-b93e-d4985e23dcfd', 'name': 'anomalous-activity', 'colour_code': None, 'created_by': 'system@default.tld', 'created': 1605030281, 'modified_by': 'system@default.tld', 'modified': 1605030281}
1605894588 https://test.com indicator package-fd79e1a4-db90-4748-b9cb-f72264bf3ffe,
package-63f2228a-7037-4e56-a3df-23644ba3be64 inbox & polling,
adsa,
newtestcollection1 - edited 5df96375-1e0d-494b-870f-3f029d5cc565,
bbb62de5-f71f-4ca9-81b7-c4e94e3640cf,
96c58eb5-5784-4de5-8aa7-b4292525914c test.com attack_pattern:
campaign:
intrusion_set:
malware:
threat_actor:
tool:
indicator:
ttp:
kill_chain_phases:
course_of_action: false 0 5 58.18 customsource1.x,
Import {'name': 'Import', 'id': 'd1d3b628-346f-43c3-a369-235661ac6277'},
{'name': 'customsource1.x', 'id': '012072c9-1421-4960-ab01-2bb541596374'} indicator--70414571-660b-4360-b064-f0cf58caf903 0a834138-cc59-4107-aa69-46e6080f06af GREEN Indicator false 0 https://test.com/

file#

Return File Details.

Base Command#

file

Input#

Argument Name	Description	Required
file	List of Files.	Required
enhanced	Boolean Flag which when enabled returns an enhanced response which includes the extra enhancement data from various sources. Possible values are: true, false.	Optional

Context Output#

Path	Type	Description
File.Name	String	The full file name.
DBotScore.Indicator	String	The indicator that was tested.
DBotScore.Score	Number	The actual score.
DBotScore.Type	String	The indicator type.
DBotScore.Vendor	String	The vendor used to calculate the score.
CTIX.File.tenant_id	string	Tenant ID
CTIX.File.stix_object_id	string	ID of the Threat Data Object in CTIX application
CTIX.File.tlp_data	string	TLP Value of the Threat Data Object
CTIX.File.first_seen	string	Timestamp of when the IP was first seen on the CTIX application
CTIX.File.last_seen	string	Timestamp of when the IP was latest seen on the CTIX application
CTIX.File.deprecated	boolean	Shows if the Threat Data Object is deprecated on the CTIX application
CTIX.File.intel_grading	string	Intel grading
CTIX.File.criticality	number	Criticality of the Threat Data Object on the scale of 0-5
CTIX.File.indicator_type	string	Threat Data Object type
CTIX.File.package_id	unknown	List of IDs of packages on the CTIX application through which these IPs were received
CTIX.File.source	unknown	List of sources from which the IP address was received in the CTIX application
CTIX.File.risk_severity	number	Risk Severity of the Threat Data Object on the scale of 0-5
CTIX.File.labels	unknown	List of Tags applied on the Threat Data Object
CTIX.File.source_grading	string	Source Grading
CTIX.File.name2	string	Value of the Threat Data Object
CTIX.File.published_collections	unknown	Published collections
CTIX.File.published_package_id	unknown	Package ID
CTIX.File.blocked	boolean	Shows if the Threat Data Object is blocked on the CTIX application
CTIX.File.blocked_time	string	Timestamp of when the Threat Data Object was blocked on the CTIX application.
CTIX.File.deprecated_time	string	Timestamp of when the Threat Data Object was deprecated on the CTIX application
CTIX.File.notification_preference	unknown	Notification preference
CTIX.File.followed_on	unknown	Followed On
CTIX.File.score	number	CTIX Confidence Score of the IP Object out of 100
CTIX.File.type	string	Type of object
CTIX.File.subscriber_id	unknown	List of Subscriber IDs
CTIX.File.subscriber	unknown	List of Subscribers
CTIX.File.subscriber_collection_id	unknown	List of Subscriber Collection IDs
CTIX.File.subscriber_collection	unknown	List of Subscriber Collection
CTIX.File.object_type	string	Type of object
CTIX.File.blocked_on	unknown	Name of the Application where the Threat Data Object was blocked on.
CTIX.File.follow_by	unknown	List of Cyware Users who follow the object.
CTIX.File.is_false_positive	boolean	Shows if the Threat Data Object was marked false positive in the CTIX application
CTIX.File.domain_tld	string	Top-Level Domain information about the Threat Data Object.
CTIX.File.asn	string	ASN number of the Threat Data Object
CTIX.File.registered_domain	string	Registered Domain
CTIX.File.geo_details	unknown	Geographic details of the Threat Data Object
CTIX.File.country	string	Geographic details of the Object
CTIX.File.registrar	string	Registrar
CTIX.File.file_extension	string	File Extension
CTIX.File.whitelisted	unknown	List
CTIX.File.object_description	string	Description of the Threat Data Object.
CTIX.File.custom_score	number	Custom Score of the Threat Data Object
CTIX.File.is_following	boolean	Boolean Value
CTIX.File.under_review	boolean	Shows if Threat Data Object is marked as Under Review on the CTIX application
CTIX.File.under_reviewed_time	string	Timestamp when the object was marked under review.
CTIX.File.reviewed	boolean	Shows if the Threat Data Object is Marked as Reviewed on the CTIX application
CTIX.File.reviewed_time	string	Timestamp when then object was reviewed.
CTIX.File.object_description_defang	string	Description of the object.
CTIX.File.source_data	unknown	List of sources from which CTIX received this IP.
CTIX.File.related_fields	unknown	Relationship Data about the Threat Data Object present on the CTIX application
CTIX.File.enhancement_data	unknown	Additional enhanced data about the Threat Data Object fetched by the CTIX application

Command Example#

!file file="4ebb2b00a11f9361cf3757e96f14ad4b" enhanced=True

Context Example#

{
    "CTIX": {
        "File": {
            "asn": null,
            "blocked": false,
            "blocked_on": [],
            "blocked_time": 0,
            "country": null,
            "criticality": 3,
            "custom_score": 0,
            "deprecated": true,
            "deprecated_time": 1588854933,
            "domain_tld": null,
            "enhancement_data": {},
            "file_extension": null,
            "first_seen": 1586262933,
            "follow_by": [],
            "followed_on": null,
            "geo_details": {},
            "indicator_type": "MD5",
            "intel_grading": null,
            "is_false_positive": false,
            "is_following": false,
            "labels": [
                {
                    "colour_code": null,
                    "created": 1605030281,
                    "created_by": "system@default.tld",
                    "id": "23ccc391-6968-4734-b93e-d4985e23dcfd",
                    "modified": 1605030281,
                    "modified_by": "system@default.tld",
                    "name": "anomalous-activity"
                }
            ],
            "last_seen": 1605791028,
            "name2": "4ebb2b00a11f9361cf3757e96f14ad4b",
            "notification_preference": null,
            "object_description": "",
            "object_description_defang": "",
            "object_type": "indicator",
            "package_id": [
                "package-d54892d8-b495-4331-b361-17ffbeacdaed",
                "package-09be25b9-5d6b-4320-b512-4dc0e088f434",
                "bundle--87151b50-31a4-4f0a-9f5f-282b0f1d1285"
            ],
            "published_collections": [
                "adsa",
                "newtestcollection1 - edited"
            ],
            "published_package_id": [
                "1557df73-68b4-485b-9821-e3036e5fb7a4",
                "a1eb2b29-fed4-4635-8e5c-a74f4339b8ab"
            ],
            "registered_domain": null,
            "registrar": null,
            "related_fields": {
                "attack_pattern": [],
                "campaign": [],
                "course_of_action": [],
                "indicator": [],
                "intrusion_set": [],
                "kill_chain_phases": [],
                "malware": [],
                "threat_actor": [],
                "tool": [],
                "ttp": []
            },
            "reviewed": false,
            "reviewed_time": 0,
            "risk_severity": 5,
            "score": 50,
            "source": [
                "Import"
            ],
            "source_data": [
                {
                    "id": "d1d3b628-346f-43c3-a369-235661ac6277",
                    "name": "Import"
                }
            ],
            "source_grading": null,
            "stix_object_id": "indicator--2e35588f-cde1-4492-a720-ab0aee7fafaa",
            "subscriber": [],
            "subscriber_collection": [],
            "subscriber_collection_id": [],
            "subscriber_id": [],
            "tenant_id": "0a834138-cc59-4107-aa69-46e6080f06af",
            "tlp_data": null,
            "type": "Indicator",
            "under_review": false,
            "under_reviewed_time": 0,
            "value": "4ebb2b00a11f9361cf3757e96f14ad4b",
            "whitelisted": []
        }
    },
    "DBotScore": {
        "Indicator": "4ebb2b00a11f9361cf3757e96f14ad4b",
        "Score": 2,
        "Type": "file",
        "Vendor": "CTIX"
    },
    "File": [
        {
            "Name": "4ebb2b00a11f9361cf3757e96f14ad4b"
        }
    ]
}

Human Readable Output#

File List#
blocked blocked_time criticality custom_score deprecated deprecated_time first_seen indicator_type is_false_positive is_following labels last_seen name2 object_type package_id published_collections published_package_id related_fields reviewed reviewed_time risk_severity score source source_data stix_object_id tenant_id type under_review under_reviewed_time value
false 0 3 0.0 true 1588854933 1586262933 MD5 false false {'id': '23ccc391-6968-4734-b93e-d4985e23dcfd', 'name': 'anomalous-activity', 'colour_code': None, 'created_by': 'system@default.tld', 'created': 1605030281, 'modified_by': 'system@default.tld', 'modified': 1605030281} 1605791028 4ebb2b00a11f9361cf3757e96f14ad4b indicator package-d54892d8-b495-4331-b361-17ffbeacdaed,
package-09be25b9-5d6b-4320-b512-4dc0e088f434,
bundle--87151b50-31a4-4f0a-9f5f-282b0f1d1285 adsa,
newtestcollection1 - edited 1557df73-68b4-485b-9821-e3036e5fb7a4,
a1eb2b29-fed4-4635-8e5c-a74f4339b8ab attack_pattern:
campaign:
intrusion_set:
malware:
threat_actor:
tool:
indicator:
ttp:
kill_chain_phases:
course_of_action: false 0 5 50.0 Import {'name': 'Import', 'id': 'd1d3b628-346f-43c3-a369-235661ac6277'} indicator--2e35588f-cde1-4492-a720-ab0aee7fafaa 0a834138-cc59-4107-aa69-46e6080f06af Indicator false 0 4ebb2b00a11f9361cf3757e96f14ad4b

PAN-OS

Cortex Data Lake

Cortex XSOAR

PAN-OS

Cortex Data Lake

Cortex XSOAR

Configure CTIX on Cortex XSOAR#

Commands#

ip#

Base Command#

Input#

Context Output#

Command Example#

Context Example#

Human Readable Output#

IP List#

domain#

Base Command#

Input#

Context Output#

Command Example#

Context Example#

Human Readable Output#

Domain List#

url#

Base Command#

Input#

Context Output#

Command Example#

Context Example#

Human Readable Output#

URL List#

file#

Base Command#

Input#

Context Output#

Command Example#

Context Example#

Human Readable Output#

File List#