
Cyware Threat Intelligence eXchange

This is the Cyware Threat Intelligence eXchange (CTIX) integration, which enriches IP, domain, URL and file data. This integration was integrated and tested with versions 2.4 and 2.7 of CTIX. Supported Cortex XSOAR versions: 5.0.0 and later.

Configure CTIX on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for CTIX.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | base_url | Endpoint URL | True |
    | access_id | Access Key | True |
    | secret_key | Secret Key | True |
    | insecure | Trust any certificate (not secure) | False |
    | proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

Return IP details.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs. | Required |
| enhanced | Boolean flag which, when enabled, returns an enhanced response that includes the extra enhancement data from various sources. Possible values are: true, false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | IP address. |
| IP.ASN | String | The autonomous system name for the IP address. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| CTIX.IP.tenant_id | string | Tenant ID |
| CTIX.IP.stix_object_id | string | ID of the Threat Data Object in the CTIX application |
| CTIX.IP.tlp_data | string | TLP value of the Threat Data Object |
| CTIX.IP.first_seen | string | Timestamp of when the IP was first seen on the CTIX application |
| CTIX.IP.last_seen | string | Timestamp of when the IP was last seen on the CTIX application |
| CTIX.IP.deprecated | boolean | Shows if the Threat Data Object is deprecated on the CTIX application |
| CTIX.IP.intel_grading | string | Intel grading |
| CTIX.IP.criticality | number | Criticality of the Threat Data Object on a scale of 0-5 |
| CTIX.IP.indicator_type | string | Threat Data Object type |
| CTIX.IP.package_id | unknown | List of IDs of packages on the CTIX application through which these IPs were received |
| CTIX.IP.source | unknown | List of sources from which the IP address was received in the CTIX application |
| CTIX.IP.risk_severity | number | Risk severity of the Threat Data Object on a scale of 0-5 |
| CTIX.IP.labels | unknown | List of tags applied to the Threat Data Object |
| CTIX.IP.source_grading | string | Source grading |
| CTIX.IP.name2 | string | Value of the Threat Data Object |
| CTIX.IP.published_collections | unknown | Published collections |
| CTIX.IP.published_package_id | unknown | Package ID |
| CTIX.IP.blocked | boolean | Shows if the Threat Data Object is blocked on the CTIX application |
| CTIX.IP.blocked_time | string | Timestamp of when the Threat Data Object was blocked on the CTIX application. |
| CTIX.IP.deprecated_time | string | Timestamp of when the Threat Data Object was deprecated on the CTIX application |
| CTIX.IP.notification_preference | unknown | Notification preference |
| CTIX.IP.followed_on | unknown | Followed on |
| CTIX.IP.score | number | CTIX confidence score of the IP object out of 100 |
| CTIX.IP.type | string | Type of object |
| CTIX.IP.subscriber_id | unknown | List of subscriber IDs |
| CTIX.IP.subscriber | unknown | List of subscribers |
| CTIX.IP.subscriber_collection_id | unknown | List of subscriber collection IDs |
| CTIX.IP.subscriber_collection | unknown | List of subscriber collections |
| CTIX.IP.object_type | string | Type of object |
| CTIX.IP.blocked_on | unknown | Name of the application on which the Threat Data Object was blocked. |
| CTIX.IP.follow_by | unknown | List of Cyware users who follow the object. |
| CTIX.IP.is_false_positive | boolean | Shows if the Threat Data Object was marked as a false positive in the CTIX application |
| CTIX.IP.domain_tld | string | Top-level domain information about the Threat Data Object. |
| CTIX.IP.asn | string | ASN number of the Threat Data Object |
| CTIX.IP.registered_domain | string | Registered domain |
| CTIX.IP.geo_details | unknown | Geographic details of the Threat Data Object |
| CTIX.IP.country | string | Geographic details of the object |
| CTIX.IP.registrar | string | Registrar |
| CTIX.IP.file_extension | string | File extension |
| CTIX.IP.whitelisted | unknown | List |
| CTIX.IP.object_description | string | Description of the Threat Data Object. |
| CTIX.IP.custom_score | number | Custom score of the Threat Data Object |
| CTIX.IP.is_following | boolean | Boolean value |
| CTIX.IP.under_review | boolean | Shows if the Threat Data Object is marked as under review on the CTIX application |
| CTIX.IP.under_reviewed_time | string | Timestamp when the object was marked under review. |
| CTIX.IP.reviewed | boolean | Shows if the Threat Data Object is marked as reviewed on the CTIX application |
| CTIX.IP.reviewed_time | string | Timestamp when the object was reviewed. |
| CTIX.IP.object_description_defang | string | Description of the object. |
| CTIX.IP.source_data | unknown | List of sources from which CTIX received this IP. |
| CTIX.IP.related_fields | unknown | Relationship data about the Threat Data Object present on the CTIX application |
| CTIX.IP.enhancement_data | unknown | Additional enhanced data about the Threat Data Object fetched by the CTIX application |

Command Example

```
!ip ip="8.8.8.8" enhanced=True
```

Context Example

```json
{
  "CTIX": {
    "IP": {
      "asn": "AS3356",
      "blocked": false,
      "blocked_on": [],
      "blocked_time": 0,
      "country": "United States",
      "criticality": 0,
      "custom_score": 0,
      "deprecated": false,
      "deprecated_time": null,
      "domain_tld": null,
      "enhancement_data": {},
      "file_extension": null,
      "first_seen": 1608281585,
      "follow_by": [],
      "followed_on": null,
      "geo_details": {
        "city": {
          "city": null,
          "continent_code": "NA",
          "continent_name": "North America",
          "country_code": "US",
          "country_name": "United States",
          "dma_code": null,
          "latitude": 37.751,
          "longitude": -97.822,
          "postal_code": null,
          "region": null,
          "time_zone": "America/Chicago"
        },
        "country": {
          "country_code": "US",
          "country_name": "United States"
        }
      },
      "indicator_type": "ipv4-addr",
      "intel_grading": null,
      "is_false_positive": false,
      "is_following": false,
      "labels": [],
      "last_seen": 1608281585,
      "name2": "8.8.8.8",
      "notification_preference": null,
      "object_description": "",
      "object_description_defang": "",
      "object_type": "indicator",
      "package_id": [
        "package-4a183313-81cb-42bf-b3ed-f163662c2fcd"
      ],
      "published_collections": [],
      "published_package_id": [],
      "registered_domain": null,
      "registrar": null,
      "related_fields": {
        "attack_pattern": [],
        "campaign": [],
        "course_of_action": [],
        "indicator": [],
        "intrusion_set": [],
        "kill_chain_phases": [],
        "malware": [],
        "threat_actor": [],
        "tool": [],
        "ttp": []
      },
      "reviewed": false,
      "reviewed_time": 0,
      "risk_severity": 0,
      "score": 62.5,
      "source": [
        "Import"
      ],
      "source_data": [
        {
          "id": "d1d3b628-346f-43c3-a369-235661ac6277",
          "name": "Import"
        }
      ],
      "source_grading": null,
      "stix_object_id": "indicator--b09b6649-56ba-4acd-88fd-f84aadf85b55",
      "subscriber": [],
      "subscriber_collection": [],
      "subscriber_collection_id": [],
      "subscriber_id": [],
      "tenant_id": "0a834138-cc59-4107-aa69-46e6080f06af",
      "tlp_data": "GREEN",
      "type": "Indicator",
      "under_review": false,
      "under_reviewed_time": 0,
      "value": "8.8.8.8",
      "whitelisted": []
    }
  },
  "DBotScore": [
    {
      "Indicator": "8.8.8.8",
      "Score": 2,
      "Type": "ip",
      "Vendor": "HelloWorld"
    },
    {
      "Indicator": "8.8.8.8",
      "Score": 2,
      "Type": "ip",
      "Vendor": "CTIX"
    }
  ],
  "IP": {
    "ASN": "AS3356",
    "Address": "8.8.8.8"
  }
}
```

Human Readable Output

IP List

| Field | Value |
| --- | --- |
| asn | AS3356 |
| blocked | false |
| blocked_time | 0 |
| country | United States |
| criticality | 0 |
| custom_score | 0.0 |
| deprecated | false |
| first_seen | 1608281585 |
| geo_details | country: {"country_code": "US", "country_name": "United States"}; city: {"city": null, "continent_code": "NA", "continent_name": "North America", "country_code": "US", "country_name": "United States", "dma_code": null, "latitude": 37.751, "longitude": -97.822, "postal_code": null, "region": null, "time_zone": "America/Chicago"} |
| indicator_type | ipv4-addr |
| is_false_positive | false |
| is_following | false |
| last_seen | 1608281585 |
| name2 | 8.8.8.8 |
| object_type | indicator |
| package_id | package-4a183313-81cb-42bf-b3ed-f163662c2fcd |
| related_fields | attack_pattern, campaign, intrusion_set, malware, threat_actor, tool, indicator, ttp, kill_chain_phases, course_of_action (all empty) |
| reviewed | false |
| reviewed_time | 0 |
| risk_severity | 0 |
| score | 62.5 |
| source | Import |
| source_data | {'name': 'Import', 'id': 'd1d3b628-346f-43c3-a369-235661ac6277'} |
| stix_object_id | indicator--b09b6649-56ba-4acd-88fd-f84aadf85b55 |
| tenant_id | 0a834138-cc59-4107-aa69-46e6080f06af |
| tlp_data | GREEN |
| type | Indicator |
| under_review | false |
| under_reviewed_time | 0 |
| value | |

domain

Return domain details.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | List of domains. | Required |
| enhanced | Boolean flag which, when enabled, returns an enhanced response that includes the extra enhancement data from various sources. Possible values are: true, false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| CTIX.Domain.tenant_id | string | Tenant ID |
| CTIX.Domain.stix_object_id | string | ID of the Threat Data Object in the CTIX application |
| CTIX.Domain.tlp_data | string | TLP value of the Threat Data Object |
| CTIX.Domain.first_seen | string | Timestamp of when the domain was first seen on the CTIX application |
| CTIX.Domain.last_seen | string | Timestamp of when the domain was last seen on the CTIX application |
| CTIX.Domain.deprecated | boolean | Shows if the Threat Data Object is deprecated on the CTIX application |
| CTIX.Domain.intel_grading | string | Intel grading |
| CTIX.Domain.criticality | number | Criticality of the Threat Data Object on a scale of 0-5 |
| CTIX.Domain.indicator_type | string | Threat Data Object type |
| CTIX.Domain.package_id | unknown | List of IDs of packages on the CTIX application through which these domains were received |
| CTIX.Domain.source | unknown | List of sources from which the domain was received in the CTIX application |
| CTIX.Domain.risk_severity | number | Risk severity of the Threat Data Object on a scale of 0-5 |
| CTIX.Domain.labels | unknown | List of tags applied to the Threat Data Object |
| CTIX.Domain.source_grading | string | Source grading |
| CTIX.Domain.name2 | string | Value of the Threat Data Object |
| CTIX.Domain.published_collections | unknown | Published collections |
| CTIX.Domain.published_package_id | unknown | Package ID |
| CTIX.Domain.blocked | boolean | Shows if the Threat Data Object is blocked on the CTIX application |
| CTIX.Domain.blocked_time | string | Timestamp of when the Threat Data Object was blocked on the CTIX application. |
| CTIX.Domain.deprecated_time | string | Timestamp of when the Threat Data Object was deprecated on the CTIX application |
| CTIX.Domain.notification_preference | unknown | Notification preference |
| CTIX.Domain.followed_on | unknown | Followed on |
| CTIX.Domain.score | number | CTIX confidence score of the domain object out of 100 |
| CTIX.Domain.type | string | Type of object |
| CTIX.Domain.subscriber_id | unknown | List of subscriber IDs |
| CTIX.Domain.subscriber | unknown | List of subscribers |
| CTIX.Domain.subscriber_collection_id | unknown | List of subscriber collection IDs |
| CTIX.Domain.subscriber_collection | unknown | List of subscriber collections |
| CTIX.Domain.object_type | string | Type of object |
| CTIX.Domain.blocked_on | unknown | Name of the application on which the Threat Data Object was blocked. |
| CTIX.Domain.follow_by | unknown | List of Cyware users who follow the object. |
| CTIX.Domain.is_false_positive | boolean | Shows if the Threat Data Object was marked as a false positive in the CTIX application |
| CTIX.Domain.domain_tld | string | Top-level domain information about the Threat Data Object. |
| CTIX.Domain.asn | string | ASN number of the Threat Data Object |
| CTIX.Domain.registered_domain | string | Registered domain |
| CTIX.Domain.geo_details | unknown | Geographic details of the Threat Data Object |
| CTIX.Domain.country | string | Geographic details of the object |
| CTIX.Domain.registrar | string | Registrar |
| CTIX.Domain.file_extension | string | File extension |
| CTIX.Domain.whitelisted | unknown | List |
| CTIX.Domain.object_description | string | Description of the Threat Data Object. |
| CTIX.Domain.custom_score | number | Custom score of the Threat Data Object |
| CTIX.Domain.is_following | boolean | Boolean value |
| CTIX.Domain.under_review | boolean | Shows if the Threat Data Object is marked as under review on the CTIX application |
| CTIX.Domain.under_reviewed_time | string | Timestamp when the object was marked under review. |
| CTIX.Domain.reviewed | boolean | Shows if the Threat Data Object is marked as reviewed on the CTIX application |
| CTIX.Domain.reviewed_time | string | Timestamp when the object was reviewed. |
| CTIX.Domain.object_description_defang | string | Description of the object. |
| CTIX.Domain.source_data | unknown | List of sources from which CTIX received this domain. |
| CTIX.Domain.related_fields | unknown | Relationship data about the Threat Data Object present on the CTIX application |
| CTIX.Domain.enhancement_data | unknown | Additional enhanced data about the Threat Data Object fetched by the CTIX application |

Command Example

```
!domain domain="google.com" enhanced=True
```

Context Example

```json
{
  "CTIX": {
    "Domain": {
      "asn": null,
      "blocked": false,
      "blocked_on": [],
      "blocked_time": 0,
      "country": null,
      "criticality": 0,
      "custom_score": 0,
      "deprecated": false,
      "deprecated_time": null,
      "domain_tld": ".com",
      "enhancement_data": {},
      "file_extension": null,
      "first_seen": 1606486346,
      "follow_by": [],
      "followed_on": null,
      "geo_details": {},
      "indicator_type": "domain",
      "intel_grading": null,
      "is_false_positive": false,
      "is_following": false,
      "labels": [],
      "last_seen": 1607004096,
      "name2": "google.com",
      "notification_preference": null,
      "object_description": "",
      "object_description_defang": "",
      "object_type": "indicator",
      "package_id": [
        "package-caffb979-5a33-4787-8813-07319fa365df"
      ],
      "published_collections": [],
      "published_package_id": [],
      "registered_domain": "google.com",
      "registrar": null,
      "related_fields": {
        "attack_pattern": [],
        "campaign": [],
        "course_of_action": [],
        "indicator": [],
        "intrusion_set": [],
        "kill_chain_phases": [],
        "malware": [],
        "threat_actor": [],
        "tool": [],
        "ttp": []
      },
      "reviewed": false,
      "reviewed_time": 0,
      "risk_severity": 0,
      "score": 62.5,
      "source": [
        "pop3",
        "PoP3"
      ],
      "source_data": [
        {
          "id": "2e29c86a-fb67-4ead-88ff-396ed3cef3e4",
          "name": "PoP3"
        },
        {
          "id": "da862993-bf78-4bdd-a715-83dbfb685a6c",
          "name": "pop3"
        }
      ],
      "source_grading": null,
      "stix_object_id": "indicator--9949458d-0dd0-4f52-8d29-01f741359f58",
      "subscriber": [],
      "subscriber_collection": [],
      "subscriber_collection_id": [],
      "subscriber_id": [],
      "tenant_id": "0a834138-cc59-4107-aa69-46e6080f06af",
      "tlp_data": "GREEN",
      "type": "Indicator",
      "under_review": false,
      "under_reviewed_time": 0,
      "value": "google.com",
      "whitelisted": []
    }
  },
  "DBotScore": {
    "Indicator": "google.com",
    "Score": 2,
    "Type": "domain",
    "Vendor": "CTIX"
  },
  "Domain": {
    "Name": "google.com"
  }
}
```

Human Readable Output

Domain List

| Field | Value |
| --- | --- |
| blocked | false |
| blocked_time | 0 |
| criticality | 0 |
| custom_score | 0.0 |
| deprecated | false |
| domain_tld | .com |
| first_seen | 1606486346 |
| indicator_type | domain |
| is_false_positive | false |
| is_following | false |
| last_seen | 1607004096 |
| name2 | google.com |
| object_type | indicator |
| package_id | package-caffb979-5a33-4787-8813-07319fa365df |
| registered_domain | google.com |
| related_fields | attack_pattern, campaign, intrusion_set, malware, threat_actor, tool, indicator, ttp, kill_chain_phases, course_of_action (all empty) |
| reviewed | false |
| reviewed_time | 0 |
| risk_severity | 0 |
| score | 62.5 |
| source | pop3, PoP3 |
| source_data | {'name': 'PoP3', 'id': '2e29c86a-fb67-4ead-88ff-396ed3cef3e4'}, {'name': 'pop3', 'id': 'da862993-bf78-4bdd-a715-83dbfb685a6c'} |
| stix_object_id | indicator--9949458d-0dd0-4f52-8d29-01f741359f58 |
| tenant_id | 0a834138-cc59-4107-aa69-46e6080f06af |
| tlp_data | GREEN |
| type | Indicator |
| under_review | false |
| under_reviewed_time | 0 |
| value | google.com |

url

Return URL details.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | List of URLs. | Required |
| enhanced | Boolean flag which, when enabled, returns an enhanced response that includes the extra enhancement data from various sources. Possible values are: true, false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| URL.Data | String | The URL. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| CTIX.URL.tenant_id | string | Tenant ID |
| CTIX.URL.stix_object_id | string | ID of the Threat Data Object in the CTIX application |
| CTIX.URL.tlp_data | string | TLP value of the Threat Data Object |
| CTIX.URL.first_seen | string | Timestamp of when the URL was first seen on the CTIX application |
| CTIX.URL.last_seen | string | Timestamp of when the URL was last seen on the CTIX application |
| CTIX.URL.deprecated | boolean | Shows if the Threat Data Object is deprecated on the CTIX application |
| CTIX.URL.intel_grading | string | Intel grading |
| CTIX.URL.criticality | number | Criticality of the Threat Data Object on a scale of 0-5 |
| CTIX.URL.indicator_type | string | Threat Data Object type |
| CTIX.URL.package_id | unknown | List of IDs of packages on the CTIX application through which these URLs were received |
| CTIX.URL.source | unknown | List of sources from which the URL was received in the CTIX application |
| CTIX.URL.risk_severity | number | Risk severity of the Threat Data Object on a scale of 0-5 |
| CTIX.URL.labels | unknown | List of tags applied to the Threat Data Object |
| CTIX.URL.source_grading | string | Source grading |
| CTIX.URL.name2 | string | Value of the Threat Data Object |
| CTIX.URL.published_collections | unknown | Published collections |
| CTIX.URL.published_package_id | unknown | Package ID |
| CTIX.URL.blocked | boolean | Shows if the Threat Data Object is blocked on the CTIX application |
| CTIX.URL.blocked_time | string | Timestamp of when the Threat Data Object was blocked on the CTIX application. |
| CTIX.URL.deprecated_time | string | Timestamp of when the Threat Data Object was deprecated on the CTIX application |
| CTIX.URL.notification_preference | unknown | Notification preference |
| CTIX.URL.followed_on | unknown | Followed on |
| CTIX.URL.score | number | CTIX confidence score of the URL object out of 100 |
| CTIX.URL.type | string | Type of object |
| CTIX.URL.subscriber_id | unknown | List of subscriber IDs |
| CTIX.URL.subscriber | unknown | List of subscribers |
| CTIX.URL.subscriber_collection_id | unknown | List of subscriber collection IDs |
| CTIX.URL.subscriber_collection | unknown | List of subscriber collections |
| CTIX.URL.object_type | string | Type of object |
| CTIX.URL.blocked_on | unknown | Name of the application on which the Threat Data Object was blocked. |
| CTIX.URL.follow_by | unknown | List of Cyware users who follow the object. |
| CTIX.URL.is_false_positive | boolean | Shows if the Threat Data Object was marked as a false positive in the CTIX application |
| CTIX.URL.domain_tld | string | Top-level domain information about the Threat Data Object. |
| CTIX.URL.asn | string | ASN number of the Threat Data Object |
| CTIX.URL.registered_domain | string | Registered domain |
| CTIX.URL.geo_details | unknown | Geographic details of the Threat Data Object |
| CTIX.URL.country | string | Geographic details of the object |
| CTIX.URL.registrar | string | Registrar |
| CTIX.URL.file_extension | string | File extension |
| CTIX.URL.whitelisted | unknown | List |
| CTIX.URL.object_description | string | Description of the Threat Data Object. |
| CTIX.URL.custom_score | number | Custom score of the Threat Data Object |
| CTIX.URL.is_following | boolean | Boolean value |
| CTIX.URL.under_review | boolean | Shows if the Threat Data Object is marked as under review on the CTIX application |
| CTIX.URL.under_reviewed_time | string | Timestamp when the object was marked under review. |
| CTIX.URL.reviewed | boolean | Shows if the Threat Data Object is marked as reviewed on the CTIX application |
| CTIX.URL.reviewed_time | string | Timestamp when the object was reviewed. |
| CTIX.URL.object_description_defang | string | Description of the object. |
| CTIX.URL.source_data | unknown | List of sources from which CTIX received this URL. |
| CTIX.URL.related_fields | unknown | Relationship data about the Threat Data Object present on the CTIX application |
| CTIX.URL.enhancement_data | unknown | Additional enhanced data about the Threat Data Object fetched by the CTIX application |

Command Example

```
!url url="https://www.test.com/" enhanced=True
```

Context Example

```json
{
  "CTIX": {
    "URL": {
      "asn": null,
      "blocked": false,
      "blocked_on": [],
      "blocked_time": 0,
      "country": null,
      "criticality": 3,
      "custom_score": 0,
      "deprecated": false,
      "deprecated_time": null,
      "domain_tld": ".com",
      "enhancement_data": {},
      "file_extension": null,
      "first_seen": 1605768210,
      "follow_by": [],
      "followed_on": null,
      "geo_details": {},
      "indicator_type": "url",
      "intel_grading": null,
      "is_false_positive": false,
      "is_following": false,
      "labels": [
        {
          "colour_code": null,
          "created": 1605030281,
          "created_by": "system@default.tld",
          "id": "23ccc391-6968-4734-b93e-d4985e23dcfd",
          "modified": 1605030281,
          "modified_by": "system@default.tld",
          "name": "anomalous-activity"
        }
      ],
      "last_seen": 1605894588,
      "name2": "https://www.test.com/",
      "notification_preference": null,
      "object_description": "",
      "object_description_defang": "",
      "object_type": "indicator",
      "package_id": [
        "package-fd79e1a4-db90-4748-b9cb-f72264bf3ffe",
        "package-63f2228a-7037-4e56-a3df-23644ba3be64"
      ],
      "published_collections": [
        "inbox & polling",
        "adsa",
        "newtestcollection1 - edited"
      ],
      "published_package_id": [
        "5df96375-1e0d-494b-870f-3f029d5cc565",
        "bbb62de5-f71f-4ca9-81b7-c4e94e3640cf",
        "96c58eb5-5784-4de5-8aa7-b4292525914c"
      ],
      "registered_domain": "test.com",
      "registrar": null,
      "related_fields": {
        "attack_pattern": [],
        "campaign": [],
        "course_of_action": [],
        "indicator": [],
        "intrusion_set": [],
        "kill_chain_phases": [],
        "malware": [],
        "threat_actor": [],
        "tool": [],
        "ttp": []
      },
      "reviewed": false,
      "reviewed_time": 0,
      "risk_severity": 5,
      "score": 58.18,
      "source": [
        "customsource1.x",
        "Import"
      ],
      "source_data": [
        {
          "id": "d1d3b628-346f-43c3-a369-235661ac6277",
          "name": "Import"
        },
        {
          "id": "012072c9-1421-4960-ab01-2bb541596374",
          "name": "customsource1.x"
        }
      ],
      "source_grading": null,
      "stix_object_id": "indicator--70414571-660b-4360-b064-f0cf58caf903",
      "subscriber": [],
      "subscriber_collection": [],
      "subscriber_collection_id": [],
      "subscriber_id": [],
      "tenant_id": "0a834138-cc59-4107-aa69-46e6080f06af",
      "tlp_data": "GREEN",
      "type": "Indicator",
      "under_review": false,
      "under_reviewed_time": 0,
      "value": "https://test.com/",
      "whitelisted": []
    }
  },
  "DBotScore": {
    "Indicator": "https://test.com/",
    "Score": 2,
    "Type": "url",
    "Vendor": "CTIX"
  },
  "URL": {
    "Data": "https://test.com/"
  }
}
```

Human Readable Output

URL List

| Field | Value |
| --- | --- |
| blocked | false |
| blocked_time | 0 |
| criticality | 3 |
| custom_score | 0.0 |
| deprecated | false |
| domain_tld | .com |
| first_seen | 1605768210 |
| indicator_type | url |
| is_false_positive | false |
| is_following | false |
| labels | {'id': '23ccc391-6968-4734-b93e-d4985e23dcfd', 'name': 'anomalous-activity', 'colour_code': None, 'created_by': 'system@default.tld', 'created': 1605030281, 'modified_by': 'system@default.tld', 'modified': 1605030281} |
| last_seen | 1605894588 |
| name2 | https://test.com |
| object_type | indicator |
| package_id | package-fd79e1a4-db90-4748-b9cb-f72264bf3ffe, package-63f2228a-7037-4e56-a3df-23644ba3be64 |
| published_collections | inbox & polling, adsa, newtestcollection1 - edited |
| published_package_id | 5df96375-1e0d-494b-870f-3f029d5cc565, bbb62de5-f71f-4ca9-81b7-c4e94e3640cf, 96c58eb5-5784-4de5-8aa7-b4292525914c |
| registered_domain | test.com |
| related_fields | attack_pattern, campaign, intrusion_set, malware, threat_actor, tool, indicator, ttp, kill_chain_phases, course_of_action (all empty) |
| reviewed | false |
| reviewed_time | 0 |
| risk_severity | 5 |
| score | 58.18 |
| source | customsource1.x, Import |
| source_data | {'name': 'Import', 'id': 'd1d3b628-346f-43c3-a369-235661ac6277'}, {'name': 'customsource1.x', 'id': '012072c9-1421-4960-ab01-2bb541596374'} |
| stix_object_id | indicator--70414571-660b-4360-b064-f0cf58caf903 |
| tenant_id | 0a834138-cc59-4107-aa69-46e6080f06af |
| tlp_data | GREEN |
| type | Indicator |
| under_review | false |
| under_reviewed_time | 0 |
| value | https://test.com/ |

file

Return file details.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | List of files. | Required |
| enhanced | Boolean flag which, when enabled, returns an enhanced response that includes the extra enhancement data from various sources. Possible values are: true, false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Name | String | The full file name. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| CTIX.File.tenant_id | string | Tenant ID |
| CTIX.File.stix_object_id | string | ID of the Threat Data Object in the CTIX application |
| CTIX.File.tlp_data | string | TLP value of the Threat Data Object |
| CTIX.File.first_seen | string | Timestamp of when the file was first seen on the CTIX application |
| CTIX.File.last_seen | string | Timestamp of when the file was last seen on the CTIX application |
| CTIX.File.deprecated | boolean | Shows if the Threat Data Object is deprecated on the CTIX application |
| CTIX.File.intel_grading | string | Intel grading |
| CTIX.File.criticality | number | Criticality of the Threat Data Object on a scale of 0-5 |
| CTIX.File.indicator_type | string | Threat Data Object type |
| CTIX.File.package_id | unknown | List of IDs of packages on the CTIX application through which these files were received |
| CTIX.File.source | unknown | List of sources from which the file was received in the CTIX application |
| CTIX.File.risk_severity | number | Risk severity of the Threat Data Object on a scale of 0-5 |
| CTIX.File.labels | unknown | List of tags applied to the Threat Data Object |
| CTIX.File.source_grading | string | Source grading |
| CTIX.File.name2 | string | Value of the Threat Data Object |
| CTIX.File.published_collections | unknown | Published collections |
| CTIX.File.published_package_id | unknown | Package ID |
| CTIX.File.blocked | boolean | Shows if the Threat Data Object is blocked on the CTIX application |
| CTIX.File.blocked_time | string | Timestamp of when the Threat Data Object was blocked on the CTIX application. |
| CTIX.File.deprecated_time | string | Timestamp of when the Threat Data Object was deprecated on the CTIX application |
| CTIX.File.notification_preference | unknown | Notification preference |
| CTIX.File.followed_on | unknown | Followed on |
| CTIX.File.score | number | CTIX confidence score of the file object out of 100 |
| CTIX.File.type | string | Type of object |
| CTIX.File.subscriber_id | unknown | List of subscriber IDs |
| CTIX.File.subscriber | unknown | List of subscribers |
| CTIX.File.subscriber_collection_id | unknown | List of subscriber collection IDs |
| CTIX.File.subscriber_collection | unknown | List of subscriber collections |
| CTIX.File.object_type | string | Type of object |
| CTIX.File.blocked_on | unknown | Name of the application on which the Threat Data Object was blocked. |
| CTIX.File.follow_by | unknown | List of Cyware users who follow the object. |
| CTIX.File.is_false_positive | boolean | Shows if the Threat Data Object was marked as a false positive in the CTIX application |
| CTIX.File.domain_tld | string | Top-level domain information about the Threat Data Object. |
| CTIX.File.asn | string | ASN number of the Threat Data Object |
| CTIX.File.registered_domain | string | Registered domain |
| CTIX.File.geo_details | unknown | Geographic details of the Threat Data Object |
| CTIX.File.country | string | Geographic details of the object |
| CTIX.File.registrar | string | Registrar |
| CTIX.File.file_extension | string | File extension |
| CTIX.File.whitelisted | unknown | List |
| CTIX.File.object_description | string | Description of the Threat Data Object. |
| CTIX.File.custom_score | number | Custom score of the Threat Data Object |
| CTIX.File.is_following | boolean | Boolean value |
| CTIX.File.under_review | boolean | Shows if the Threat Data Object is marked as under review on the CTIX application |
| CTIX.File.under_reviewed_time | string | Timestamp when the object was marked under review. |
| CTIX.File.reviewed | boolean | Shows if the Threat Data Object is marked as reviewed on the CTIX application |
| CTIX.File.reviewed_time | string | Timestamp when the object was reviewed. |
| CTIX.File.object_description_defang | string | Description of the object. |
| CTIX.File.source_data | unknown | List of sources from which CTIX received this file. |
| CTIX.File.related_fields | unknown | Relationship data about the Threat Data Object present on the CTIX application |
| CTIX.File.enhancement_data | unknown | Additional enhanced data about the Threat Data Object fetched by the CTIX application |

Command Example

```
!file file="4ebb2b00a11f9361cf3757e96f14ad4b" enhanced=True
```

Context Example

```json
{
  "CTIX": {
    "File": {
      "asn": null,
      "blocked": false,
      "blocked_on": [],
      "blocked_time": 0,
      "country": null,
      "criticality": 3,
      "custom_score": 0,
      "deprecated": true,
      "deprecated_time": 1588854933,
      "domain_tld": null,
      "enhancement_data": {},
      "file_extension": null,
      "first_seen": 1586262933,
      "follow_by": [],
      "followed_on": null,
      "geo_details": {},
      "indicator_type": "MD5",
      "intel_grading": null,
      "is_false_positive": false,
      "is_following": false,
      "labels": [
        {
          "colour_code": null,
          "created": 1605030281,
          "created_by": "system@default.tld",
          "id": "23ccc391-6968-4734-b93e-d4985e23dcfd",
          "modified": 1605030281,
          "modified_by": "system@default.tld",
          "name": "anomalous-activity"
        }
      ],
      "last_seen": 1605791028,
      "name2": "4ebb2b00a11f9361cf3757e96f14ad4b",
      "notification_preference": null,
      "object_description": "",
      "object_description_defang": "",
      "object_type": "indicator",
      "package_id": [
        "package-d54892d8-b495-4331-b361-17ffbeacdaed",
        "package-09be25b9-5d6b-4320-b512-4dc0e088f434",
        "bundle--87151b50-31a4-4f0a-9f5f-282b0f1d1285"
      ],
      "published_collections": [
        "adsa",
        "newtestcollection1 - edited"
      ],
      "published_package_id": [
        "1557df73-68b4-485b-9821-e3036e5fb7a4",
        "a1eb2b29-fed4-4635-8e5c-a74f4339b8ab"
      ],
      "registered_domain": null,
      "registrar": null,
      "related_fields": {
        "attack_pattern": [],
        "campaign": [],
        "course_of_action": [],
        "indicator": [],
        "intrusion_set": [],
        "kill_chain_phases": [],
        "malware": [],
        "threat_actor": [],
        "tool": [],
        "ttp": []
      },
      "reviewed": false,
      "reviewed_time": 0,
      "risk_severity": 5,
      "score": 50,
      "source": [
        "Import"
      ],
      "source_data": [
        {
          "id": "d1d3b628-346f-43c3-a369-235661ac6277",
          "name": "Import"
        }
      ],
      "source_grading": null,
      "stix_object_id": "indicator--2e35588f-cde1-4492-a720-ab0aee7fafaa",
      "subscriber": [],
      "subscriber_collection": [],
      "subscriber_collection_id": [],
      "subscriber_id": [],
      "tenant_id": "0a834138-cc59-4107-aa69-46e6080f06af",
      "tlp_data": null,
      "type": "Indicator",
      "under_review": false,
      "under_reviewed_time": 0,
      "value": "4ebb2b00a11f9361cf3757e96f14ad4b",
      "whitelisted": []
    }
  },
  "DBotScore": {
    "Indicator": "4ebb2b00a11f9361cf3757e96f14ad4b",
    "Score": 2,
    "Type": "file",
    "Vendor": "CTIX"
  },
  "File": [
    {
      "Name": "4ebb2b00a11f9361cf3757e96f14ad4b"
    }
  ]
}
```

Human Readable Output

File List

| Field | Value |
| --- | --- |
| blocked | false |
| blocked_time | 0 |
| criticality | 3 |
| custom_score | 0.0 |
| deprecated | true |
| deprecated_time | 1588854933 |
| first_seen | 1586262933 |
| indicator_type | MD5 |
| is_false_positive | false |
| is_following | false |
| labels | {'id': '23ccc391-6968-4734-b93e-d4985e23dcfd', 'name': 'anomalous-activity', 'colour_code': None, 'created_by': 'system@default.tld', 'created': 1605030281, 'modified_by': 'system@default.tld', 'modified': 1605030281} |
| last_seen | 1605791028 |
| name2 | 4ebb2b00a11f9361cf3757e96f14ad4b |
| object_type | indicator |
| package_id | package-d54892d8-b495-4331-b361-17ffbeacdaed, package-09be25b9-5d6b-4320-b512-4dc0e088f434, bundle--87151b50-31a4-4f0a-9f5f-282b0f1d1285 |
| published_collections | adsa, newtestcollection1 - edited |
| published_package_id | 1557df73-68b4-485b-9821-e3036e5fb7a4, a1eb2b29-fed4-4635-8e5c-a74f4339b8ab |
| related_fields | attack_pattern, campaign, intrusion_set, malware, threat_actor, tool, indicator, ttp, kill_chain_phases, course_of_action (all empty) |
| reviewed | false |
| reviewed_time | 0 |
| risk_severity | 5 |
| score | 50.0 |
| source | Import |
| source_data | {'name': 'Import', 'id': 'd1d3b628-346f-43c3-a369-235661ac6277'} |
| stix_object_id | indicator--2e35588f-cde1-4492-a720-ab0aee7fafaa |
| tenant_id | 0a834138-cc59-4107-aa69-46e6080f06af |
| type | Indicator |
| under_review | false |
| under_reviewed_time | 0 |
| value | 4ebb2b00a11f9361cf3757e96f14ad4b |
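The four commands above write the same context shape, and the examples show the cases a playbook has to cope with: `DBotScore` is a list when more than one vendor scored the indicator (ip example) and a dict otherwise, timestamps are epoch seconds with 0 or null meaning "never", `tlp_data` can be null (file example), and an object can already be deprecated in CTIX. The following Python helper is an added example, not the integration's own code; it reduces such a context to one review record per indicator, using sample contexts constructed from the page's ip and file examples and trimmed to the fields it reads.

```python
"""Triage helper for the CTIX enrichment context (added example, not the
integration's own code). It reads what the ip/domain/url/file commands write
(CTIX.<Type>, DBotScore, standard indicator key) into one review record per
indicator, handling DBotScore as dict or list, 0/null epoch timestamps, a null
tlp_data and already-deprecated objects, as seen in this page's examples."""
from datetime import datetime, timezone

# XSOAR DBotScore convention: 0 unknown, 1 good, 2 suspicious, 3 bad.
DBOT_LABELS = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Bad"}

# Constructed sample contexts, trimmed from the page's ip and file examples.
IP_CONTEXT = {
    "CTIX": {"IP": {
        "value": "8.8.8.8", "name2": "8.8.8.8", "indicator_type": "ipv4-addr",
        "score": 62.5, "risk_severity": 0, "criticality": 0, "tlp_data": "GREEN",
        "deprecated": False, "deprecated_time": None, "is_false_positive": False,
        "under_review": False, "whitelisted": [], "labels": [], "source": ["Import"],
        "first_seen": 1608281585, "last_seen": 1608281585,
        "related_fields": {"attack_pattern": [], "malware": [], "ttp": []},
    }},
    "DBotScore": [  # two vendors scored the IP, so this is a list
        {"Indicator": "8.8.8.8", "Score": 2, "Type": "ip", "Vendor": "HelloWorld"},
        {"Indicator": "8.8.8.8", "Score": 2, "Type": "ip", "Vendor": "CTIX"},
    ],
    "IP": {"ASN": "AS3356", "Address": "8.8.8.8"},
}
FILE_CONTEXT = {
    "CTIX": {"File": {
        "value": "4ebb2b00a11f9361cf3757e96f14ad4b", "indicator_type": "MD5",
        "score": 50, "risk_severity": 5, "criticality": 3, "tlp_data": None,
        "deprecated": True, "deprecated_time": 1588854933,
        "is_false_positive": False, "under_review": False, "whitelisted": [],
        "labels": [{"id": "23ccc391-6968-4734-b93e-d4985e23dcfd", "name": "anomalous-activity"}],
        "source": ["Import"], "first_seen": 1586262933, "last_seen": 1605791028,
        "related_fields": {"malware": [], "threat_actor": []},
    }},
    "DBotScore": {"Indicator": "4ebb2b00a11f9361cf3757e96f14ad4b", "Score": 2,
                  "Type": "file", "Vendor": "CTIX"},  # single vendor: a dict
    "File": [{"Name": "4ebb2b00a11f9361cf3757e96f14ad4b"}],
}

def epoch_to_iso(value):
    """CTIX reports timestamps as epoch seconds; 0 and null both mean 'never'."""
    if not value:
        return None
    return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()

def as_list(value):
    """DBotScore is a dict for one vendor and a list when several vendors scored it."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def summarize(context, ctix_type):
    """Build a review record from one command's context; ctix_type is IP, Domain, URL or File."""
    obj = context["CTIX"][ctix_type]
    scores = {d["Vendor"]: d["Score"] for d in as_list(context.get("DBotScore"))}
    flags = []
    if obj.get("deprecated"):
        flags.append("deprecated")      # stale in CTIX: do not block on it blindly
    if obj.get("is_false_positive"):
        flags.append("false_positive")
    if obj.get("under_review"):
        flags.append("under_review")
    if obj.get("whitelisted"):
        flags.append("whitelisted")
    if obj.get("tlp_data") is None:
        flags.append("tlp_missing")     # no sharing marking: treat as most restrictive
    return {
        "value": obj.get("value") or obj.get("name2"),
        "type": obj.get("indicator_type"),
        "ctix_score": obj.get("score"),
        "risk_severity": obj.get("risk_severity"),
        "criticality": obj.get("criticality"),
        "tlp": obj.get("tlp_data") or "UNKNOWN",
        "dbot": {v: DBOT_LABELS.get(s, str(s)) for v, s in scores.items()},
        "labels": [label["name"] for label in obj.get("labels") or []],
        "sources": sorted(set(obj.get("source") or [])),
        "first_seen": epoch_to_iso(obj.get("first_seen")),
        "last_seen": epoch_to_iso(obj.get("last_seen")),
        "deprecated_time": epoch_to_iso(obj.get("deprecated_time")),
        # keep only relationship types that actually carry linked objects
        "related": {k: len(v) for k, v in (obj.get("related_fields") or {}).items() if v},
        "flags": flags,
    }

def worst_dbot(context):
    """Highest DBotScore across vendors, the value a playbook branch would gate on."""
    return max((d["Score"] for d in as_list(context.get("DBotScore"))), default=0)

if __name__ == "__main__":
    for ctx, kind in ((IP_CONTEXT, "IP"), (FILE_CONTEXT, "File")):
        print(summarize(ctx, kind), worst_dbot(ctx))
```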