Cyware Threat Intelligence eXchange

This integration is part of the CTIX Pack.

This is the Cyware Threat Intelligence eXchange (CTIX) integration, which enriches IP, domain, URL and file data. This integration was integrated and tested with versions 2.4 and 2.7 of CTIX. This integration is NOT COMPATIBLE with CTIX version 3.0 and above; use the CTIX V3 integration for CTIX version 3 and above. Supported Cortex XSOAR versions: 5.0.0 and later.

Configure CTIX in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| base_url | Endpoint URL | True |
| access_id | Access Key | True |
| secret_key | Secret Key | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

Return IP details.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs. | Required |
| enhanced | Boolean flag which, when enabled, returns an enhanced response that includes the extra enrichment data from various sources. Possible values are: true, false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | IP address. |
| IP.ASN | String | The autonomous system name for the IP address. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| CTIX.IP.tenant_id | string | Tenant ID |
| CTIX.IP.stix_object_id | string | ID of the Threat Data Object in the CTIX application |
| CTIX.IP.tlp_data | string | TLP value of the Threat Data Object |
| CTIX.IP.first_seen | string | Timestamp of when the IP was first seen on the CTIX application |
| CTIX.IP.last_seen | string | Timestamp of when the IP was last seen on the CTIX application |
| CTIX.IP.deprecated | boolean | Shows if the Threat Data Object is deprecated on the CTIX application |
| CTIX.IP.intel_grading | string | Intel grading |
| CTIX.IP.criticality | number | Criticality of the Threat Data Object on a scale of 0-5 |
| CTIX.IP.indicator_type | string | Threat Data Object type |
| CTIX.IP.package_id | unknown | List of IDs of packages on the CTIX application through which this IP was received |
| CTIX.IP.source | unknown | List of sources from which the IP address was received in the CTIX application |
| CTIX.IP.risk_severity | number | Risk severity of the Threat Data Object on a scale of 0-5 |
| CTIX.IP.labels | unknown | List of tags applied to the Threat Data Object |
| CTIX.IP.source_grading | string | Source grading |
| CTIX.IP.name2 | string | Value of the Threat Data Object |
| CTIX.IP.published_collections | unknown | Published collections |
| CTIX.IP.published_package_id | unknown | Package ID |
| CTIX.IP.blocked | boolean | Shows if the Threat Data Object is blocked on the CTIX application |
| CTIX.IP.blocked_time | string | Timestamp of when the Threat Data Object was blocked on the CTIX application |
| CTIX.IP.deprecated_time | string | Timestamp of when the Threat Data Object was deprecated on the CTIX application |
| CTIX.IP.notification_preference | unknown | Notification preference |
| CTIX.IP.followed_on | unknown | Followed on |
| CTIX.IP.score | number | CTIX confidence score of the IP object out of 100 |
| CTIX.IP.type | string | Type of object |
| CTIX.IP.subscriber_id | unknown | List of subscriber IDs |
| CTIX.IP.subscriber | unknown | List of subscribers |
| CTIX.IP.subscriber_collection_id | unknown | List of subscriber collection IDs |
| CTIX.IP.subscriber_collection | unknown | List of subscriber collections |
| CTIX.IP.object_type | string | Type of object |
| CTIX.IP.blocked_on | unknown | Name of the application on which the Threat Data Object was blocked |
| CTIX.IP.follow_by | unknown | List of Cyware users who follow the object |
| CTIX.IP.is_false_positive | boolean | Shows if the Threat Data Object was marked false positive in the CTIX application |
| CTIX.IP.domain_tld | string | Top-level domain information about the Threat Data Object |
| CTIX.IP.asn | string | ASN number of the Threat Data Object |
| CTIX.IP.registered_domain | string | Registered domain |
| CTIX.IP.geo_details | unknown | Geographic details of the Threat Data Object |
| CTIX.IP.country | string | Country from the geographic details of the object |
| CTIX.IP.registrar | string | Registrar |
| CTIX.IP.file_extension | string | File extension |
| CTIX.IP.whitelisted | unknown | List |
| CTIX.IP.object_description | string | Description of the Threat Data Object |
| CTIX.IP.custom_score | number | Custom score of the Threat Data Object |
| CTIX.IP.is_following | boolean | Boolean value |
| CTIX.IP.under_review | boolean | Shows if the Threat Data Object is marked as under review on the CTIX application |
| CTIX.IP.under_reviewed_time | string | Timestamp when the object was marked under review |
| CTIX.IP.reviewed | boolean | Shows if the Threat Data Object is marked as reviewed on the CTIX application |
| CTIX.IP.reviewed_time | string | Timestamp when the object was reviewed |
| CTIX.IP.object_description_defang | string | Description of the object |
| CTIX.IP.source_data | unknown | List of sources from which CTIX received this IP |
| CTIX.IP.related_fields | unknown | Relationship data about the Threat Data Object present on the CTIX application |
| CTIX.IP.enhancement_data | unknown | Additional enhanced data about the Threat Data Object fetched by the CTIX application |

Command Example

```
!ip ip="8.8.8.8" enhanced=True
```

Context Example

```json
{
  "CTIX": {
    "IP": {
      "asn": "AS3356",
      "blocked": false,
      "blocked_on": [],
      "blocked_time": 0,
      "country": "United States",
      "criticality": 0,
      "custom_score": 0,
      "deprecated": false,
      "deprecated_time": null,
      "domain_tld": null,
      "enhancement_data": {},
      "file_extension": null,
      "first_seen": 1608281585,
      "follow_by": [],
      "followed_on": null,
      "geo_details": {
        "city": {
          "city": null,
          "continent_code": "NA",
          "continent_name": "North America",
          "country_code": "US",
          "country_name": "United States",
          "dma_code": null,
          "latitude": 37.751,
          "longitude": -97.822,
          "postal_code": null,
          "region": null,
          "time_zone": "America/Chicago"
        },
        "country": {
          "country_code": "US",
          "country_name": "United States"
        }
      },
      "indicator_type": "ipv4-addr",
      "intel_grading": null,
      "is_false_positive": false,
      "is_following": false,
      "labels": [],
      "last_seen": 1608281585,
      "name2": "8.8.8.8",
      "notification_preference": null,
      "object_description": "",
      "object_description_defang": "",
      "object_type": "indicator",
      "package_id": [
        "package-4a183313-81cb-42bf-b3ed-f163662c2fcd"
      ],
      "published_collections": [],
      "published_package_id": [],
      "registered_domain": null,
      "registrar": null,
      "related_fields": {
        "attack_pattern": [],
        "campaign": [],
        "course_of_action": [],
        "indicator": [],
        "intrusion_set": [],
        "kill_chain_phases": [],
        "malware": [],
        "threat_actor": [],
        "tool": [],
        "ttp": []
      },
      "reviewed": false,
      "reviewed_time": 0,
      "risk_severity": 0,
      "score": 62.5,
      "source": [
        "Import"
      ],
      "source_data": [
        {
          "id": "d1d3b628-346f-43c3-a369-235661ac6277",
          "name": "Import"
        }
      ],
      "source_grading": null,
      "stix_object_id": "indicator--b09b6649-56ba-4acd-88fd-f84aadf85b55",
      "subscriber": [],
      "subscriber_collection": [],
      "subscriber_collection_id": [],
      "subscriber_id": [],
      "tenant_id": "0a834138-cc59-4107-aa69-46e6080f06af",
      "tlp_data": "GREEN",
      "type": "Indicator",
      "under_review": false,
      "under_reviewed_time": 0,
      "value": "8.8.8.8",
      "whitelisted": []
    }
  },
  "DBotScore": [
    {
      "Indicator": "8.8.8.8",
      "Score": 2,
      "Type": "ip",
      "Vendor": "HelloWorld"
    },
    {
      "Indicator": "8.8.8.8",
      "Score": 2,
      "Type": "ip",
      "Vendor": "CTIX"
    }
  ],
  "IP": {
    "ASN": "AS3356",
    "Address": "8.8.8.8"
  }
}
```

Human Readable Output

IP List

| Field | Value |
| --- | --- |
| asn | AS3356 |
| blocked | false |
| blocked_time | 0 |
| country | United States |
| criticality | 0 |
| custom_score | 0.0 |
| deprecated | false |
| first_seen | 1608281585 |
| geo_details | country: {"country_code": "US", "country_name": "United States"}; city: {"city": null, "continent_code": "NA", "continent_name": "North America", "country_code": "US", "country_name": "United States", "dma_code": null, "latitude": 37.751, "longitude": -97.822, "postal_code": null, "region": null, "time_zone": "America/Chicago"} |
| indicator_type | ipv4-addr |
| is_false_positive | false |
| is_following | false |
| last_seen | 1608281585 |
| name2 | 8.8.8.8 |
| object_type | indicator |
| package_id | package-4a183313-81cb-42bf-b3ed-f163662c2fcd |
| related_fields | attack_pattern, campaign, intrusion_set, malware, threat_actor, tool, indicator, ttp, kill_chain_phases, course_of_action (all empty) |
| reviewed | false |
| reviewed_time | 0 |
| risk_severity | 0 |
| score | 62.5 |
| source | Import |
| source_data | {'name': 'Import', 'id': 'd1d3b628-346f-43c3-a369-235661ac6277'} |
| stix_object_id | indicator--b09b6649-56ba-4acd-88fd-f84aadf85b55 |
| tenant_id | 0a834138-cc59-4107-aa69-46e6080f06af |
| tlp_data | GREEN |
| type | Indicator |
| under_review | false |
| under_reviewed_time | 0 |
| value | |

domain

Return domain details.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | List of domains. | Required |
| enhanced | Boolean flag which, when enabled, returns an enhanced response that includes the extra enrichment data from various sources. Possible values are: true, false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| CTIX.Domain.tenant_id | string | Tenant ID |
| CTIX.Domain.stix_object_id | string | ID of the Threat Data Object in the CTIX application |
| CTIX.Domain.tlp_data | string | TLP value of the Threat Data Object |
| CTIX.Domain.first_seen | string | Timestamp of when the domain was first seen on the CTIX application |
| CTIX.Domain.last_seen | string | Timestamp of when the domain was last seen on the CTIX application |
| CTIX.Domain.deprecated | boolean | Shows if the Threat Data Object is deprecated on the CTIX application |
| CTIX.Domain.intel_grading | string | Intel grading |
| CTIX.Domain.criticality | number | Criticality of the Threat Data Object on a scale of 0-5 |
| CTIX.Domain.indicator_type | string | Threat Data Object type |
| CTIX.Domain.package_id | unknown | List of IDs of packages on the CTIX application through which this domain was received |
| CTIX.Domain.source | unknown | List of sources from which the domain was received in the CTIX application |
| CTIX.Domain.risk_severity | number | Risk severity of the Threat Data Object on a scale of 0-5 |
| CTIX.Domain.labels | unknown | List of tags applied to the Threat Data Object |
| CTIX.Domain.source_grading | string | Source grading |
| CTIX.Domain.name2 | string | Value of the Threat Data Object |
| CTIX.Domain.published_collections | unknown | Published collections |
| CTIX.Domain.published_package_id | unknown | Package ID |
| CTIX.Domain.blocked | boolean | Shows if the Threat Data Object is blocked on the CTIX application |
| CTIX.Domain.blocked_time | string | Timestamp of when the Threat Data Object was blocked on the CTIX application |
| CTIX.Domain.deprecated_time | string | Timestamp of when the Threat Data Object was deprecated on the CTIX application |
| CTIX.Domain.notification_preference | unknown | Notification preference |
| CTIX.Domain.followed_on | unknown | Followed on |
| CTIX.Domain.score | number | CTIX confidence score of the domain object out of 100 |
| CTIX.Domain.type | string | Type of object |
| CTIX.Domain.subscriber_id | unknown | List of subscriber IDs |
| CTIX.Domain.subscriber | unknown | List of subscribers |
| CTIX.Domain.subscriber_collection_id | unknown | List of subscriber collection IDs |
| CTIX.Domain.subscriber_collection | unknown | List of subscriber collections |
| CTIX.Domain.object_type | string | Type of object |
| CTIX.Domain.blocked_on | unknown | Name of the application on which the Threat Data Object was blocked |
| CTIX.Domain.follow_by | unknown | List of Cyware users who follow the object |
| CTIX.Domain.is_false_positive | boolean | Shows if the Threat Data Object was marked false positive in the CTIX application |
| CTIX.Domain.domain_tld | string | Top-level domain information about the Threat Data Object |
| CTIX.Domain.asn | string | ASN number of the Threat Data Object |
| CTIX.Domain.registered_domain | string | Registered domain |
| CTIX.Domain.geo_details | unknown | Geographic details of the Threat Data Object |
| CTIX.Domain.country | string | Country from the geographic details of the object |
| CTIX.Domain.registrar | string | Registrar |
| CTIX.Domain.file_extension | string | File extension |
| CTIX.Domain.whitelisted | unknown | List |
| CTIX.Domain.object_description | string | Description of the Threat Data Object |
| CTIX.Domain.custom_score | number | Custom score of the Threat Data Object |
| CTIX.Domain.is_following | boolean | Boolean value |
| CTIX.Domain.under_review | boolean | Shows if the Threat Data Object is marked as under review on the CTIX application |
| CTIX.Domain.under_reviewed_time | string | Timestamp when the object was marked under review |
| CTIX.Domain.reviewed | boolean | Shows if the Threat Data Object is marked as reviewed on the CTIX application |
| CTIX.Domain.reviewed_time | string | Timestamp when the object was reviewed |
| CTIX.Domain.object_description_defang | string | Description of the object |
| CTIX.Domain.source_data | unknown | List of sources from which CTIX received this domain |
| CTIX.Domain.related_fields | unknown | Relationship data about the Threat Data Object present on the CTIX application |
| CTIX.Domain.enhancement_data | unknown | Additional enhanced data about the Threat Data Object fetched by the CTIX application |

Command Example

```
!domain domain="google.com" enhanced=True
```

Context Example

```json
{
  "CTIX": {
    "Domain": {
      "asn": null,
      "blocked": false,
      "blocked_on": [],
      "blocked_time": 0,
      "country": null,
      "criticality": 0,
      "custom_score": 0,
      "deprecated": false,
      "deprecated_time": null,
      "domain_tld": ".com",
      "enhancement_data": {},
      "file_extension": null,
      "first_seen": 1606486346,
      "follow_by": [],
      "followed_on": null,
      "geo_details": {},
      "indicator_type": "domain",
      "intel_grading": null,
      "is_false_positive": false,
      "is_following": false,
      "labels": [],
      "last_seen": 1607004096,
      "name2": "google.com",
      "notification_preference": null,
      "object_description": "",
      "object_description_defang": "",
      "object_type": "indicator",
      "package_id": [
        "package-caffb979-5a33-4787-8813-07319fa365df"
      ],
      "published_collections": [],
      "published_package_id": [],
      "registered_domain": "google.com",
      "registrar": null,
      "related_fields": {
        "attack_pattern": [],
        "campaign": [],
        "course_of_action": [],
        "indicator": [],
        "intrusion_set": [],
        "kill_chain_phases": [],
        "malware": [],
        "threat_actor": [],
        "tool": [],
        "ttp": []
      },
      "reviewed": false,
      "reviewed_time": 0,
      "risk_severity": 0,
      "score": 62.5,
      "source": [
        "pop3",
        "PoP3"
      ],
      "source_data": [
        {
          "id": "2e29c86a-fb67-4ead-88ff-396ed3cef3e4",
          "name": "PoP3"
        },
        {
          "id": "da862993-bf78-4bdd-a715-83dbfb685a6c",
          "name": "pop3"
        }
      ],
      "source_grading": null,
      "stix_object_id": "indicator--9949458d-0dd0-4f52-8d29-01f741359f58",
      "subscriber": [],
      "subscriber_collection": [],
      "subscriber_collection_id": [],
      "subscriber_id": [],
      "tenant_id": "0a834138-cc59-4107-aa69-46e6080f06af",
      "tlp_data": "GREEN",
      "type": "Indicator",
      "under_review": false,
      "under_reviewed_time": 0,
      "value": "google.com",
      "whitelisted": []
    }
  },
  "DBotScore": {
    "Indicator": "google.com",
    "Score": 2,
    "Type": "domain",
    "Vendor": "CTIX"
  },
  "Domain": {
    "Name": "google.com"
  }
}
```

Human Readable Output

Domain List

| Field | Value |
| --- | --- |
| blocked | false |
| blocked_time | 0 |
| criticality | 0 |
| custom_score | 0.0 |
| deprecated | false |
| domain_tld | .com |
| first_seen | 1606486346 |
| indicator_type | domain |
| is_false_positive | false |
| is_following | false |
| last_seen | 1607004096 |
| name2 | google.com |
| object_type | indicator |
| package_id | package-caffb979-5a33-4787-8813-07319fa365df |
| registered_domain | google.com |
| related_fields | attack_pattern, campaign, intrusion_set, malware, threat_actor, tool, indicator, ttp, kill_chain_phases, course_of_action (all empty) |
| reviewed | false |
| reviewed_time | 0 |
| risk_severity | 0 |
| score | 62.5 |
| source | pop3, PoP3 |
| source_data | {'name': 'PoP3', 'id': '2e29c86a-fb67-4ead-88ff-396ed3cef3e4'}, {'name': 'pop3', 'id': 'da862993-bf78-4bdd-a715-83dbfb685a6c'} |
| stix_object_id | indicator--9949458d-0dd0-4f52-8d29-01f741359f58 |
| tenant_id | 0a834138-cc59-4107-aa69-46e6080f06af |
| tlp_data | GREEN |
| type | Indicator |
| under_review | false |
| under_reviewed_time | 0 |
| value | google.com |

url

Return URL details.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | List of URLs. | Required |
| enhanced | Boolean flag which, when enabled, returns an enhanced response that includes the extra enrichment data from various sources. Possible values are: true, false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| URL.Data | String | The URL. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| CTIX.URL.tenant_id | string | Tenant ID |
| CTIX.URL.stix_object_id | string | ID of the Threat Data Object in the CTIX application |
| CTIX.URL.tlp_data | string | TLP value of the Threat Data Object |
| CTIX.URL.first_seen | string | Timestamp of when the URL was first seen on the CTIX application |
| CTIX.URL.last_seen | string | Timestamp of when the URL was last seen on the CTIX application |
| CTIX.URL.deprecated | boolean | Shows if the Threat Data Object is deprecated on the CTIX application |
| CTIX.URL.intel_grading | string | Intel grading |
| CTIX.URL.criticality | number | Criticality of the Threat Data Object on a scale of 0-5 |
| CTIX.URL.indicator_type | string | Threat Data Object type |
| CTIX.URL.package_id | unknown | List of IDs of packages on the CTIX application through which this URL was received |
| CTIX.URL.source | unknown | List of sources from which the URL was received in the CTIX application |
| CTIX.URL.risk_severity | number | Risk severity of the Threat Data Object on a scale of 0-5 |
| CTIX.URL.labels | unknown | List of tags applied to the Threat Data Object |
| CTIX.URL.source_grading | string | Source grading |
| CTIX.URL.name2 | string | Value of the Threat Data Object |
| CTIX.URL.published_collections | unknown | Published collections |
| CTIX.URL.published_package_id | unknown | Package ID |
| CTIX.URL.blocked | boolean | Shows if the Threat Data Object is blocked on the CTIX application |
| CTIX.URL.blocked_time | string | Timestamp of when the Threat Data Object was blocked on the CTIX application |
| CTIX.URL.deprecated_time | string | Timestamp of when the Threat Data Object was deprecated on the CTIX application |
| CTIX.URL.notification_preference | unknown | Notification preference |
| CTIX.URL.followed_on | unknown | Followed on |
| CTIX.URL.score | number | CTIX confidence score of the URL object out of 100 |
| CTIX.URL.type | string | Type of object |
| CTIX.URL.subscriber_id | unknown | List of subscriber IDs |
| CTIX.URL.subscriber | unknown | List of subscribers |
| CTIX.URL.subscriber_collection_id | unknown | List of subscriber collection IDs |
| CTIX.URL.subscriber_collection | unknown | List of subscriber collections |
| CTIX.URL.object_type | string | Type of object |
| CTIX.URL.blocked_on | unknown | Name of the application on which the Threat Data Object was blocked |
| CTIX.URL.follow_by | unknown | List of Cyware users who follow the object |
| CTIX.URL.is_false_positive | boolean | Shows if the Threat Data Object was marked false positive in the CTIX application |
| CTIX.URL.domain_tld | string | Top-level domain information about the Threat Data Object |
| CTIX.URL.asn | string | ASN number of the Threat Data Object |
| CTIX.URL.registered_domain | string | Registered domain |
| CTIX.URL.geo_details | unknown | Geographic details of the Threat Data Object |
| CTIX.URL.country | string | Country from the geographic details of the object |
| CTIX.URL.registrar | string | Registrar |
| CTIX.URL.file_extension | string | File extension |
| CTIX.URL.whitelisted | unknown | List |
| CTIX.URL.object_description | string | Description of the Threat Data Object |
| CTIX.URL.custom_score | number | Custom score of the Threat Data Object |
| CTIX.URL.is_following | boolean | Boolean value |
| CTIX.URL.under_review | boolean | Shows if the Threat Data Object is marked as under review on the CTIX application |
| CTIX.URL.under_reviewed_time | string | Timestamp when the object was marked under review |
| CTIX.URL.reviewed | boolean | Shows if the Threat Data Object is marked as reviewed on the CTIX application |
| CTIX.URL.reviewed_time | string | Timestamp when the object was reviewed |
| CTIX.URL.object_description_defang | string | Description of the object |
| CTIX.URL.source_data | unknown | List of sources from which CTIX received this URL |
| CTIX.URL.related_fields | unknown | Relationship data about the Threat Data Object present on the CTIX application |
| CTIX.URL.enhancement_data | unknown | Additional enhanced data about the Threat Data Object fetched by the CTIX application |

Command Example

```
!url url="https://www.test.com/" enhanced=True
```

Context Example

```json
{
  "CTIX": {
    "URL": {
      "asn": null,
      "blocked": false,
      "blocked_on": [],
      "blocked_time": 0,
      "country": null,
      "criticality": 3,
      "custom_score": 0,
      "deprecated": false,
      "deprecated_time": null,
      "domain_tld": ".com",
      "enhancement_data": {},
      "file_extension": null,
      "first_seen": 1605768210,
      "follow_by": [],
      "followed_on": null,
      "geo_details": {},
      "indicator_type": "url",
      "intel_grading": null,
      "is_false_positive": false,
      "is_following": false,
      "labels": [
        {
          "colour_code": null,
          "created": 1605030281,
          "created_by": "system@default.tld",
          "id": "23ccc391-6968-4734-b93e-d4985e23dcfd",
          "modified": 1605030281,
          "modified_by": "system@default.tld",
          "name": "anomalous-activity"
        }
      ],
      "last_seen": 1605894588,
      "name2": "https://www.test.com/",
      "notification_preference": null,
      "object_description": "",
      "object_description_defang": "",
      "object_type": "indicator",
      "package_id": [
        "package-fd79e1a4-db90-4748-b9cb-f72264bf3ffe",
        "package-63f2228a-7037-4e56-a3df-23644ba3be64"
      ],
      "published_collections": [
        "inbox & polling",
        "adsa",
        "newtestcollection1 - edited"
      ],
      "published_package_id": [
        "5df96375-1e0d-494b-870f-3f029d5cc565",
        "bbb62de5-f71f-4ca9-81b7-c4e94e3640cf",
        "96c58eb5-5784-4de5-8aa7-b4292525914c"
      ],
      "registered_domain": "test.com",
      "registrar": null,
      "related_fields": {
        "attack_pattern": [],
        "campaign": [],
        "course_of_action": [],
        "indicator": [],
        "intrusion_set": [],
        "kill_chain_phases": [],
        "malware": [],
        "threat_actor": [],
        "tool": [],
        "ttp": []
      },
      "reviewed": false,
      "reviewed_time": 0,
      "risk_severity": 5,
      "score": 58.18,
      "source": [
        "customsource1.x",
        "Import"
      ],
      "source_data": [
        {
          "id": "d1d3b628-346f-43c3-a369-235661ac6277",
          "name": "Import"
        },
        {
          "id": "012072c9-1421-4960-ab01-2bb541596374",
          "name": "customsource1.x"
        }
      ],
      "source_grading": null,
      "stix_object_id": "indicator--70414571-660b-4360-b064-f0cf58caf903",
      "subscriber": [],
      "subscriber_collection": [],
      "subscriber_collection_id": [],
      "subscriber_id": [],
      "tenant_id": "0a834138-cc59-4107-aa69-46e6080f06af",
      "tlp_data": "GREEN",
      "type": "Indicator",
      "under_review": false,
      "under_reviewed_time": 0,
      "value": "https://test.com/",
      "whitelisted": []
    }
  },
  "DBotScore": {
    "Indicator": "https://test.com/",
    "Score": 2,
    "Type": "url",
    "Vendor": "CTIX"
  },
  "URL": {
    "Data": "https://test.com/"
  }
}
```

Human Readable Output

URL List

| Field | Value |
| --- | --- |
| blocked | false |
| blocked_time | 0 |
| criticality | 3 |
| custom_score | 0.0 |
| deprecated | false |
| domain_tld | .com |
| first_seen | 1605768210 |
| indicator_type | url |
| is_false_positive | false |
| is_following | false |
| labels | {'id': '23ccc391-6968-4734-b93e-d4985e23dcfd', 'name': 'anomalous-activity', 'colour_code': None, 'created_by': 'system@default.tld', 'created': 1605030281, 'modified_by': 'system@default.tld', 'modified': 1605030281} |
| last_seen | 1605894588 |
| name2 | https://test.com |
| object_type | indicator |
| package_id | package-fd79e1a4-db90-4748-b9cb-f72264bf3ffe, package-63f2228a-7037-4e56-a3df-23644ba3be64 |
| published_collections | inbox & polling, adsa, newtestcollection1 - edited |
| published_package_id | 5df96375-1e0d-494b-870f-3f029d5cc565, bbb62de5-f71f-4ca9-81b7-c4e94e3640cf, 96c58eb5-5784-4de5-8aa7-b4292525914c |
| registered_domain | test.com |
| related_fields | attack_pattern, campaign, intrusion_set, malware, threat_actor, tool, indicator, ttp, kill_chain_phases, course_of_action (all empty) |
| reviewed | false |
| reviewed_time | 0 |
| risk_severity | 5 |
| score | 58.18 |
| source | customsource1.x, Import |
| source_data | {'name': 'Import', 'id': 'd1d3b628-346f-43c3-a369-235661ac6277'}, {'name': 'customsource1.x', 'id': '012072c9-1421-4960-ab01-2bb541596374'} |
| stix_object_id | indicator--70414571-660b-4360-b064-f0cf58caf903 |
| tenant_id | 0a834138-cc59-4107-aa69-46e6080f06af |
| tlp_data | GREEN |
| type | Indicator |
| under_review | false |
| under_reviewed_time | 0 |
| value | https://test.com/ |

file

Return file details.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | List of files. | Required |
| enhanced | Boolean flag which, when enabled, returns an enhanced response that includes the extra enrichment data from various sources. Possible values are: true, false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Name | String | The full file name. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| CTIX.File.tenant_id | string | Tenant ID |
| CTIX.File.stix_object_id | string | ID of the Threat Data Object in the CTIX application |
| CTIX.File.tlp_data | string | TLP value of the Threat Data Object |
| CTIX.File.first_seen | string | Timestamp of when the file was first seen on the CTIX application |
| CTIX.File.last_seen | string | Timestamp of when the file was last seen on the CTIX application |
| CTIX.File.deprecated | boolean | Shows if the Threat Data Object is deprecated on the CTIX application |
| CTIX.File.intel_grading | string | Intel grading |
| CTIX.File.criticality | number | Criticality of the Threat Data Object on a scale of 0-5 |
| CTIX.File.indicator_type | string | Threat Data Object type |
| CTIX.File.package_id | unknown | List of IDs of packages on the CTIX application through which this file was received |
| CTIX.File.source | unknown | List of sources from which the file was received in the CTIX application |
| CTIX.File.risk_severity | number | Risk severity of the Threat Data Object on a scale of 0-5 |
| CTIX.File.labels | unknown | List of tags applied to the Threat Data Object |
| CTIX.File.source_grading | string | Source grading |
| CTIX.File.name2 | string | Value of the Threat Data Object |
| CTIX.File.published_collections | unknown | Published collections |
| CTIX.File.published_package_id | unknown | Package ID |
| CTIX.File.blocked | boolean | Shows if the Threat Data Object is blocked on the CTIX application |
| CTIX.File.blocked_time | string | Timestamp of when the Threat Data Object was blocked on the CTIX application |
| CTIX.File.deprecated_time | string | Timestamp of when the Threat Data Object was deprecated on the CTIX application |
| CTIX.File.notification_preference | unknown | Notification preference |
| CTIX.File.followed_on | unknown | Followed on |
| CTIX.File.score | number | CTIX confidence score of the file object out of 100 |
| CTIX.File.type | string | Type of object |
| CTIX.File.subscriber_id | unknown | List of subscriber IDs |
| CTIX.File.subscriber | unknown | List of subscribers |
| CTIX.File.subscriber_collection_id | unknown | List of subscriber collection IDs |
| CTIX.File.subscriber_collection | unknown | List of subscriber collections |
| CTIX.File.object_type | string | Type of object |
| CTIX.File.blocked_on | unknown | Name of the application on which the Threat Data Object was blocked |
| CTIX.File.follow_by | unknown | List of Cyware users who follow the object |
| CTIX.File.is_false_positive | boolean | Shows if the Threat Data Object was marked false positive in the CTIX application |
| CTIX.File.domain_tld | string | Top-level domain information about the Threat Data Object |
| CTIX.File.asn | string | ASN number of the Threat Data Object |
| CTIX.File.registered_domain | string | Registered domain |
| CTIX.File.geo_details | unknown | Geographic details of the Threat Data Object |
| CTIX.File.country | string | Country from the geographic details of the object |
| CTIX.File.registrar | string | Registrar |
| CTIX.File.file_extension | string | File extension |
| CTIX.File.whitelisted | unknown | List |
| CTIX.File.object_description | string | Description of the Threat Data Object |
| CTIX.File.custom_score | number | Custom score of the Threat Data Object |
| CTIX.File.is_following | boolean | Boolean value |
| CTIX.File.under_review | boolean | Shows if the Threat Data Object is marked as under review on the CTIX application |
| CTIX.File.under_reviewed_time | string | Timestamp when the object was marked under review |
| CTIX.File.reviewed | boolean | Shows if the Threat Data Object is marked as reviewed on the CTIX application |
| CTIX.File.reviewed_time | string | Timestamp when the object was reviewed |
| CTIX.File.object_description_defang | string | Description of the object |
| CTIX.File.source_data | unknown | List of sources from which CTIX received this file |
| CTIX.File.related_fields | unknown | Relationship data about the Threat Data Object present on the CTIX application |
| CTIX.File.enhancement_data | unknown | Additional enhanced data about the Threat Data Object fetched by the CTIX application |

Command Example

```
!file file="4ebb2b00a11f9361cf3757e96f14ad4b" enhanced=True
```

Context Example

```json
{
  "CTIX": {
    "File": {
      "asn": null,
      "blocked": false,
      "blocked_on": [],
      "blocked_time": 0,
      "country": null,
      "criticality": 3,
      "custom_score": 0,
      "deprecated": true,
      "deprecated_time": 1588854933,
      "domain_tld": null,
      "enhancement_data": {},
      "file_extension": null,
      "first_seen": 1586262933,
      "follow_by": [],
      "followed_on": null,
      "geo_details": {},
      "indicator_type": "MD5",
      "intel_grading": null,
      "is_false_positive": false,
      "is_following": false,
      "labels": [
        {
          "colour_code": null,
          "created": 1605030281,
          "created_by": "system@default.tld",
          "id": "23ccc391-6968-4734-b93e-d4985e23dcfd",
          "modified": 1605030281,
          "modified_by": "system@default.tld",
          "name": "anomalous-activity"
        }
      ],
      "last_seen": 1605791028,
      "name2": "4ebb2b00a11f9361cf3757e96f14ad4b",
      "notification_preference": null,
      "object_description": "",
      "object_description_defang": "",
      "object_type": "indicator",
      "package_id": [
        "package-d54892d8-b495-4331-b361-17ffbeacdaed",
        "package-09be25b9-5d6b-4320-b512-4dc0e088f434",
        "bundle--87151b50-31a4-4f0a-9f5f-282b0f1d1285"
      ],
      "published_collections": [
        "adsa",
        "newtestcollection1 - edited"
      ],
      "published_package_id": [
        "1557df73-68b4-485b-9821-e3036e5fb7a4",
        "a1eb2b29-fed4-4635-8e5c-a74f4339b8ab"
      ],
      "registered_domain": null,
      "registrar": null,
      "related_fields": {
        "attack_pattern": [],
        "campaign": [],
        "course_of_action": [],
        "indicator": [],
        "intrusion_set": [],
        "kill_chain_phases": [],
        "malware": [],
        "threat_actor": [],
        "tool": [],
        "ttp": []
      },
      "reviewed": false,
      "reviewed_time": 0,
      "risk_severity": 5,
      "score": 50,
      "source": [
        "Import"
      ],
      "source_data": [
        {
          "id": "d1d3b628-346f-43c3-a369-235661ac6277",
          "name": "Import"
        }
      ],
      "source_grading": null,
      "stix_object_id": "indicator--2e35588f-cde1-4492-a720-ab0aee7fafaa",
      "subscriber": [],
      "subscriber_collection": [],
      "subscriber_collection_id": [],
      "subscriber_id": [],
      "tenant_id": "0a834138-cc59-4107-aa69-46e6080f06af",
      "tlp_data": null,
      "type": "Indicator",
      "under_review": false,
      "under_reviewed_time": 0,
      "value": "4ebb2b00a11f9361cf3757e96f14ad4b",
      "whitelisted": []
    }
  },
  "DBotScore": {
    "Indicator": "4ebb2b00a11f9361cf3757e96f14ad4b",
    "Score": 2,
    "Type": "file",
    "Vendor": "CTIX"
  },
  "File": [
    {
      "Name": "4ebb2b00a11f9361cf3757e96f14ad4b",
      "MD5": "4ebb2b00a11f9361cf3757e96f14ad4b"
    }
  ]
}
```

Human Readable Output

File List

| Field | Value |
| --- | --- |
| blocked | false |
| blocked_time | 0 |
| criticality | 3 |
| custom_score | 0.0 |
| deprecated | true |
| deprecated_time | 1588854933 |
| first_seen | 1586262933 |
| indicator_type | MD5 |
| is_false_positive | false |
| is_following | false |
| labels | {'id': '23ccc391-6968-4734-b93e-d4985e23dcfd', 'name': 'anomalous-activity', 'colour_code': None, 'created_by': 'system@default.tld', 'created': 1605030281, 'modified_by': 'system@default.tld', 'modified': 1605030281} |
| last_seen | 1605791028 |
| name2 | 4ebb2b00a11f9361cf3757e96f14ad4b |
| object_type | indicator |
| package_id | package-d54892d8-b495-4331-b361-17ffbeacdaed, package-09be25b9-5d6b-4320-b512-4dc0e088f434, bundle--87151b50-31a4-4f0a-9f5f-282b0f1d1285 |
| published_collections | adsa, newtestcollection1 - edited |
| published_package_id | 1557df73-68b4-485b-9821-e3036e5fb7a4, a1eb2b29-fed4-4635-8e5c-a74f4339b8ab |
| related_fields | attack_pattern, campaign, intrusion_set, malware, threat_actor, tool, indicator, ttp, kill_chain_phases, course_of_action (all empty) |
| reviewed | false |
| reviewed_time | 0 |
| risk_severity | 5 |
| score | 50.0 |
| source | Import |
| source_data | {'name': 'Import', 'id': 'd1d3b628-346f-43c3-a369-235661ac6277'} |
| stix_object_id | indicator--2e35588f-cde1-4492-a720-ab0aee7fafaa |
| tenant_id | 0a834138-cc59-4107-aa69-46e6080f06af |
| type | Indicator |
| under_review | false |
| under_reviewed_time | 0 |
| value | 4ebb2b00a11f9361cf3757e96f14ad4b |
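The ip, domain, url and file commands above all return the same CTIX object shape, and the context examples show two details a playbook has to handle: DBotScore is sometimes a single dict and sometimes a list with one entry per vendor, and an object can be deprecated (or lack a TLP) while still carrying a DBotScore of 2. The following Python helper is an added example, not code from the CTIX integration or from Cyware; it reads that context shape and decides whether a playbook should act on the verdict. The sample context is constructed from the file example on this page, and the triage thresholds (which flags override the score, when severity justifies acting) are assumptions for illustration.

```python
from datetime import datetime, timezone

# Constructed sample context, shaped like the `file` context example above: the
# object is deprecated on CTIX and carries no TLP, yet DBotScore still says 2.
SAMPLE_CONTEXT = {
    "CTIX": {
        "File": {
            "value": "4ebb2b00a11f9361cf3757e96f14ad4b",
            "indicator_type": "MD5",
            "deprecated": True,
            "deprecated_time": 1588854933,
            "is_false_positive": False,
            "whitelisted": [],
            "under_review": False,
            "tlp_data": None,
            "risk_severity": 5,
            "criticality": 3,
            "score": 50,
        }
    },
    # DBotScore is a single dict in the domain/url/file examples but a list with
    # one entry per vendor in the ip example; both shapes are handled below.
    "DBotScore": [
        {"Indicator": "4ebb2b00a11f9361cf3757e96f14ad4b", "Score": 2, "Type": "file", "Vendor": "HelloWorld"},
        {"Indicator": "4ebb2b00a11f9361cf3757e96f14ad4b", "Score": 2, "Type": "file", "Vendor": "CTIX"},
    ],
}

CTIX_KEYS = ("IP", "Domain", "URL", "File")


def ctix_object(context):
    """Return the CTIX.<IP|Domain|URL|File> dict from a command's context."""
    ctix = context.get("CTIX", {})
    for key in CTIX_KEYS:
        if key in ctix:
            return ctix[key]
    raise KeyError("no CTIX indicator object in context")


def ctix_dbot_score(context):
    """Return the DBotScore (0-3) reported by the CTIX vendor entry only;
    scores from other vendors in the same context are ignored."""
    entries = context.get("DBotScore", [])
    if isinstance(entries, dict):
        entries = [entries]
    for entry in entries:
        if entry.get("Vendor") == "CTIX":
            return int(entry.get("Score", 0))
    return 0


def epoch_to_iso(ts):
    """CTIX timestamps are epoch seconds; 0 or null means 'never'."""
    if not ts:
        return None
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def triage(context):
    """Decide how a playbook should treat the enrichment result.

    Returns (verdict, reasons); verdict is 'ignore', 'review' or 'act'.
    The thresholds below are an assumption for this example, not CTIX policy.
    """
    obj = ctix_object(context)
    score = ctix_dbot_score(context)
    reasons = []
    # Lifecycle flags override the score: a deprecated, false-positive or
    # whitelisted object must not drive blocking, whatever DBotScore says.
    if obj.get("deprecated"):
        reasons.append("deprecated on CTIX since %s" % epoch_to_iso(obj.get("deprecated_time")))
    if obj.get("is_false_positive"):
        reasons.append("marked false positive on CTIX")
    if obj.get("whitelisted"):
        reasons.append("whitelisted on CTIX")
    if reasons:
        return "ignore", reasons
    # Anything an analyst has not finished with, or whose sharing rules are
    # unknown, goes to a human first.
    if obj.get("under_review"):
        reasons.append("under review on CTIX")
    if obj.get("tlp_data") is None:
        reasons.append("no TLP set; sharing rules unknown")
    if score <= 1:
        reasons.append("CTIX verdict is unknown or good (DBotScore %d)" % score)
    if reasons:
        return "review", reasons
    if score == 3 or obj.get("risk_severity", 0) >= 4:
        return "act", ["DBotScore %d, risk_severity %s, criticality %s"
                       % (score, obj.get("risk_severity"), obj.get("criticality"))]
    return "review", ["suspicious (DBotScore %d) but low severity" % score]


if __name__ == "__main__":
    print(triage(SAMPLE_CONTEXT))
```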

ctix-create-intel

Creates intel in the CTIX platform.

Base Command

ctix-create-intel

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| title | Title of the IOC | Optional |
| description | Description of the IOC | Optional |
| tlp | TLP of the IOC | Optional |
| confidence | Confidence of the IOC | Optional |
| ips | Comma-separated list of IPs | Optional |
| urls | Comma-separated list of URLs | Optional |
| domains | Comma-separated list of domains | Optional |
| files | Comma-separated list of files | Optional |
| emails | Comma-separated list of emails | Optional |
| malwares | Comma-separated list of malware | Optional |
| threat_actors | Comma-separated list of threat actors | Optional |
| attack_patterns | Comma-separated list of attack patterns | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CTIX.Intel.response | String | The response of the API |
| CTIX.Intel.status | Number | Status code returned from the API |

Command Example

```
ctix-create-intel ips=1.2.3.4,3.45.56.78 urls=https://ioc_test.com,https://test_ioc.com files=8e7fad44308af9d1d60aac4fafcecdf2f66aa0315eb5f092fafa5bb03a5c2e3e emails=ioc@gmail.com,malicious@gmail.com malwares=dridex,spambot threat_actors=everest,grief attack_patterns=phishing,ddos title=title_xsoar_intel_creation description=xsoar_description tlp=green confidence=70
```

Context Example

```json
{
  "CTIX": {
    "Intel": {
      "response": "Package is pushed in CTIX for publishing",
      "status": 201
    }
  }
}
```