Cyware Threat Intelligence eXchange
CTIX Pack.#
This Integration is part of theThis is Cyware Threat Intelligence eXhange(CTIX) integration which enriches IP/Domain/URL/File Data. This integration was integrated and tested with version 2.4 and 2.7 of CTIX. Supported Cortex XSOAR versions: 5.0.0 and later.
#
Configure CTIX on Cortex XSOARNavigate to Settings > Integrations > Servers & Services.
Search for CTIX.
Click Add instance to create and configure a new integration instance.
Parameter Description Required base_url Endpoint URL True access_id Access Key True secret_key Secret Key True insecure Trust any certificate (not secure) False proxy Use system proxy settings False Click Test to validate the URLs, token, and connection.
#
CommandsYou can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
ipReturn IP Details.
#
Base Commandip
#
InputArgument Name | Description | Required |
---|---|---|
ip | List of IPs. | Required |
enhanced | Boolean Flag which when enabled returns an enhanced response which includes the extra enhancement data from various sources. Possible values are: true, false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
IP.Address | String | IP address. |
IP.ASN | String | The autonomous system name for the IP address. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
CTIX.IP.tenant_id | string | Tenant ID |
CTIX.IP.stix_object_id | string | ID of the Threat Data Object in CTIX application |
CTIX.IP.tlp_data | string | TLP Value of the Threat Data Object |
CTIX.IP.first_seen | string | Timestamp of when the IP was first seen on the CTIX application |
CTIX.IP.last_seen | string | Timestamp of when the IP was latest seen on the CTIX application |
CTIX.IP.deprecated | boolean | Shows if the Threat Data Object is deprecated on the CTIX application |
CTIX.IP.intel_grading | string | Intel grading |
CTIX.IP.criticality | number | Criticality of the Threat Data Object on the scale of 0-5 |
CTIX.IP.indicator_type | string | Threat Data Object type |
CTIX.IP.package_id | unknown | List of IDs of packages on the CTIX application through which these IPs were received |
CTIX.IP.source | unknown | List of sources from which the IP address was received in the CTIX application |
CTIX.IP.risk_severity | number | Risk Severity of the Threat Data Object on the scale of 0-5 |
CTIX.IP.labels | unknown | List of Tags applied on the Threat Data Object |
CTIX.IP.source_grading | string | Source Grading |
CTIX.IP.name2 | string | Value of the Threat Data Object |
CTIX.IP.published_collections | unknown | Published collections |
CTIX.IP.published_package_id | unknown | Package ID |
CTIX.IP.blocked | boolean | Shows if the Threat Data Object is blocked on the CTIX application |
CTIX.IP.blocked_time | string | Timestamp of when the Threat Data Object was blocked on the CTIX application. |
CTIX.IP.deprecated_time | string | Timestamp of when the Threat Data Object was deprecated on the CTIX application |
CTIX.IP.notification_preference | unknown | Notification preference |
CTIX.IP.followed_on | unknown | Followed On |
CTIX.IP.score | number | CTIX Confidence Score of the IP Object out of 100 |
CTIX.IP.type | string | Type of object |
CTIX.IP.subscriber_id | unknown | List of Subscriber IDs |
CTIX.IP.subscriber | unknown | List of Subscribers |
CTIX.IP.subscriber_collection_id | unknown | List of Subscriber Collection IDs |
CTIX.IP.subscriber_collection | unknown | List of Subscriber Collection |
CTIX.IP.object_type | string | Type of object |
CTIX.IP.blocked_on | unknown | Name of the Application where the Threat Data Object was blocked on. |
CTIX.IP.follow_by | unknown | List of Cyware Users who follow the object. |
CTIX.IP.is_false_positive | boolean | Shows if the Threat Data Object was marked false positive in the CTIX application |
CTIX.IP.domain_tld | string | Top-Level Domain information about the Threat Data Object. |
CTIX.IP.asn | string | ASN number of the Threat Data Object |
CTIX.IP.registered_domain | string | Registered Domain |
CTIX.IP.geo_details | unknown | Geographic details of the Threat Data Object |
CTIX.IP.country | string | Geographic details of the Object |
CTIX.IP.registrar | string | Registrar |
CTIX.IP.file_extension | string | File Extension |
CTIX.IP.whitelisted | unknown | List |
CTIX.IP.object_description | string | Description of the Threat Data Object. |
CTIX.IP.custom_score | number | Custom Score of the Threat Data Object |
CTIX.IP.is_following | boolean | Boolean Value |
CTIX.IP.under_review | boolean | Shows if Threat Data Object is marked as Under Review on the CTIX application |
CTIX.IP.under_reviewed_time | string | Timestamp when the object was marked under review. |
CTIX.IP.reviewed | boolean | Shows if the Threat Data Object is Marked as Reviewed on the CTIX application |
CTIX.IP.reviewed_time | string | Timestamp when then object was reviewed. |
CTIX.IP.object_description_defang | string | Description of the object. |
CTIX.IP.source_data | unknown | List of sources from which CTIX received this IP. |
CTIX.IP.related_fields | unknown | Relationship Data about the Threat Data Object present on the CTIX application |
CTIX.IP.enhancement_data | unknown | Additional enhanced data about the Threat Data Object fetched by the CTIX application |
#
Command Example!ip ip="8.8.8.8" enhanced=True
#
Context Example#
Human Readable Output#
IP List
asn blocked blocked_time country criticality custom_score deprecated first_seen geo_details indicator_type is_false_positive is_following last_seen name2 object_type package_id related_fields reviewed reviewed_time risk_severity score source source_data stix_object_id tenant_id tlp_data type under_review under_reviewed_time value AS3356 false 0 United States 0 0.0 false 1608281585 country: {"country_code": "US", "country_name": "United States"}
city: {"city": null, "continent_code": "NA", "continent_name": "North America", "country_code": "US", "country_name": "United States", "dma_code": null, "latitude": 37.751, "longitude": -97.822, "postal_code": null, "region": null, "time_zone": "America/Chicago"}ipv4-addr false false 1608281585 8.8.8.8 indicator package-4a183313-81cb-42bf-b3ed-f163662c2fcd attack_pattern:
campaign:
intrusion_set:
malware:
threat_actor:
tool:
indicator:
ttp:
kill_chain_phases:
course_of_action:false 0 0 62.5 Import {'name': 'Import', 'id': 'd1d3b628-346f-43c3-a369-235661ac6277'} indicator--b09b6649-56ba-4acd-88fd-f84aadf85b55 0a834138-cc59-4107-aa69-46e6080f06af GREEN Indicator false 0
#
domainReturn Domain Details.
#
Base Commanddomain
#
InputArgument Name | Description | Required |
---|---|---|
domain | List of Domains. | Required |
enhanced | Boolean Flag which when enabled returns an enhanced response which includes the extra enhancement data from various sources. Possible values are: true, false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Domain.Name | String | The domain name. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
CTIX.Domain.tenant_id | string | Tenant ID |
CTIX.Domain.stix_object_id | string | ID of the Threat Data Object in CTIX application |
CTIX.Domain.tlp_data | string | TLP Value of the Threat Data Object |
CTIX.Domain.first_seen | string | Timestamp of when the IP was first seen on the CTIX application |
CTIX.Domain.last_seen | string | Timestamp of when the IP was latest seen on the CTIX application |
CTIX.Domain.deprecated | boolean | Shows if the Threat Data Object is deprecated on the CTIX application |
CTIX.Domain.intel_grading | string | Intel grading |
CTIX.Domain.criticality | number | Criticality of the Threat Data Object on the scale of 0-5 |
CTIX.Domain.indicator_type | string | Threat Data Object type |
CTIX.Domain.package_id | unknown | List of IDs of packages on the CTIX application through which these IPs were received |
CTIX.Domain.source | unknown | List of sources from which the IP address was received in the CTIX application |
CTIX.Domain.risk_severity | number | Risk Severity of the Threat Data Object on the scale of 0-5 |
CTIX.Domain.labels | unknown | List of Tags applied on the Threat Data Object |
CTIX.Domain.source_grading | string | Source Grading |
CTIX.Domain.name2 | string | Value of the Threat Data Object |
CTIX.Domain.published_collections | unknown | Published collections |
CTIX.Domain.published_package_id | unknown | Package ID |
CTIX.Domain.blocked | boolean | Shows if the Threat Data Object is blocked on the CTIX application |
CTIX.Domain.blocked_time | string | Timestamp of when the Threat Data Object was blocked on the CTIX application. |
CTIX.Domain.deprecated_time | string | Timestamp of when the Threat Data Object was deprecated on the CTIX application |
CTIX.Domain.notification_preference | unknown | Notification preference |
CTIX.Domain.followed_on | unknown | Followed On |
CTIX.Domain.score | number | CTIX Confidence Score of the IP Object out of 100 |
CTIX.Domain.type | string | Type of object |
CTIX.Domain.subscriber_id | unknown | List of Subscriber IDs |
CTIX.Domain.subscriber | unknown | List of Subscribers |
CTIX.Domain.subscriber_collection_id | unknown | List of Subscriber Collection IDs |
CTIX.Domain.subscriber_collection | unknown | List of Subscriber Collection |
CTIX.Domain.object_type | string | Type of object |
CTIX.Domain.blocked_on | unknown | Name of the Application where the Threat Data Object was blocked on. |
CTIX.Domain.follow_by | unknown | List of Cyware Users who follow the object. |
CTIX.Domain.is_false_positive | boolean | Shows if the Threat Data Object was marked false positive in the CTIX application |
CTIX.Domain.domain_tld | string | Top-Level Domain information about the Threat Data Object. |
CTIX.Domain.asn | string | ASN number of the Threat Data Object |
CTIX.Domain.registered_domain | string | Registered Domain |
CTIX.Domain.geo_details | unknown | Geographic details of the Threat Data Object |
CTIX.Domain.country | string | Geographic details of the Object |
CTIX.Domain.registrar | string | Registrar |
CTIX.Domain.file_extension | string | File Extension |
CTIX.Domain.whitelisted | unknown | List |
CTIX.Domain.object_description | string | Description of the Threat Data Object. |
CTIX.Domain.custom_score | number | Custom Score of the Threat Data Object |
CTIX.Domain.is_following | boolean | Boolean Value |
CTIX.Domain.under_review | boolean | Shows if Threat Data Object is marked as Under Review on the CTIX application |
CTIX.Domain.under_reviewed_time | string | Timestamp when the object was marked under review. |
CTIX.Domain.reviewed | boolean | Shows if the Threat Data Object is Marked as Reviewed on the CTIX application |
CTIX.Domain.reviewed_time | string | Timestamp when then object was reviewed. |
CTIX.Domain.object_description_defang | string | Description of the object. |
CTIX.Domain.source_data | unknown | List of sources from which CTIX received this IP. |
CTIX.Domain.related_fields | unknown | Relationship Data about the Threat Data Object present on the CTIX application |
CTIX.Domain.enhancement_data | unknown | Additional enhanced data about the Threat Data Object fetched by the CTIX application |
#
Command Example!domain domain="google.com" enhanced=True
#
Context Example#
Human Readable Output#
Domain List
blocked blocked_time criticality custom_score deprecated domain_tld first_seen indicator_type is_false_positive is_following last_seen name2 object_type package_id registered_domain related_fields reviewed reviewed_time risk_severity score source source_data stix_object_id tenant_id tlp_data type under_review under_reviewed_time value false 0 0 0.0 false .com 1606486346 domain false false 1607004096 google.com indicator package-caffb979-5a33-4787-8813-07319fa365df google.com attack_pattern:
campaign:
intrusion_set:
malware:
threat_actor:
tool:
indicator:
ttp:
kill_chain_phases:
course_of_action:false 0 0 62.5 pop3,
PoP3{'name': 'PoP3', 'id': '2e29c86a-fb67-4ead-88ff-396ed3cef3e4'},
{'name': 'pop3', 'id': 'da862993-bf78-4bdd-a715-83dbfb685a6c'}indicator--9949458d-0dd0-4f52-8d29-01f741359f58 0a834138-cc59-4107-aa69-46e6080f06af GREEN Indicator false 0 google.com
#
urlReturn URL Details.
#
Base Commandurl
#
InputArgument Name | Description | Required |
---|---|---|
url | List of URLs. | Required |
enhanced | Boolean Flag which when enabled returns an enhanced response which includes the extra enhancement data from various sources. Possible values are: true, false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
URL.Data | String | The URL. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
CTIX.URL.tenant_id | string | Tenant ID |
CTIX.URL.stix_object_id | string | ID of the Threat Data Object in CTIX application |
CTIX.URL.tlp_data | string | TLP Value of the Threat Data Object |
CTIX.URL.first_seen | string | Timestamp of when the IP was first seen on the CTIX application |
CTIX.URL.last_seen | string | Timestamp of when the IP was latest seen on the CTIX application |
CTIX.URL.deprecated | boolean | Shows if the Threat Data Object is deprecated on the CTIX application |
CTIX.URL.intel_grading | string | Intel grading |
CTIX.URL.criticality | number | Criticality of the Threat Data Object on the scale of 0-5 |
CTIX.URL.indicator_type | string | Threat Data Object type |
CTIX.URL.package_id | unknown | List of IDs of packages on the CTIX application through which these IPs were received |
CTIX.URL.source | unknown | List of sources from which the IP address was received in the CTIX application |
CTIX.URL.risk_severity | number | Risk Severity of the Threat Data Object on the scale of 0-5 |
CTIX.URL.labels | unknown | List of Tags applied on the Threat Data Object |
CTIX.URL.source_grading | string | Source Grading |
CTIX.URL.name2 | string | Value of the Threat Data Object |
CTIX.URL.published_collections | unknown | Published collections |
CTIX.URL.published_package_id | unknown | Package ID |
CTIX.URL.blocked | boolean | Shows if the Threat Data Object is blocked on the CTIX application |
CTIX.URL.blocked_time | string | Timestamp of when the Threat Data Object was blocked on the CTIX application. |
CTIX.URL.deprecated_time | string | Timestamp of when the Threat Data Object was deprecated on the CTIX application |
CTIX.URL.notification_preference | unknown | Notification preference |
CTIX.URL.followed_on | unknown | Followed On |
CTIX.URL.score | number | CTIX Confidence Score of the IP Object out of 100 |
CTIX.URL.type | string | Type of object |
CTIX.URL.subscriber_id | unknown | List of Subscriber IDs |
CTIX.URL.subscriber | unknown | List of Subscribers |
CTIX.URL.subscriber_collection_id | unknown | List of Subscriber Collection IDs |
CTIX.URL.subscriber_collection | unknown | List of Subscriber Collection |
CTIX.URL.object_type | string | Type of object |
CTIX.URL.blocked_on | unknown | Name of the Application where the Threat Data Object was blocked on. |
CTIX.URL.follow_by | unknown | List of Cyware Users who follow the object. |
CTIX.URL.is_false_positive | boolean | Shows if the Threat Data Object was marked false positive in the CTIX application |
CTIX.URL.domain_tld | string | Top-Level Domain information about the Threat Data Object. |
CTIX.URL.asn | string | ASN number of the Threat Data Object |
CTIX.URL.registered_domain | string | Registered Domain |
CTIX.URL.geo_details | unknown | Geographic details of the Threat Data Object |
CTIX.URL.country | string | Geographic details of the Object |
CTIX.URL.registrar | string | Registrar |
CTIX.URL.file_extension | string | File Extension |
CTIX.URL.whitelisted | unknown | List |
CTIX.URL.object_description | string | Description of the Threat Data Object. |
CTIX.URL.custom_score | number | Custom Score of the Threat Data Object |
CTIX.URL.is_following | boolean | Boolean Value |
CTIX.URL.under_review | boolean | Shows if Threat Data Object is marked as Under Review on the CTIX application |
CTIX.URL.under_reviewed_time | string | Timestamp when the object was marked under review. |
CTIX.URL.reviewed | boolean | Shows if the Threat Data Object is Marked as Reviewed on the CTIX application |
CTIX.URL.reviewed_time | string | Timestamp when then object was reviewed. |
CTIX.URL.object_description_defang | string | Description of the object. |
CTIX.URL.source_data | unknown | List of sources from which CTIX received this IP. |
CTIX.URL.related_fields | unknown | Relationship Data about the Threat Data Object present on the CTIX application |
CTIX.URL.enhancement_data | unknown | Additional enhanced data about the Threat Data Object fetched by the CTIX application |
#
Command Example!url url="https://www.test.com/" enhanced=True
#
Context Example#
Human Readable Output#
URL List
blocked blocked_time criticality custom_score deprecated domain_tld first_seen indicator_type is_false_positive is_following labels last_seen name2 object_type package_id published_collections published_package_id registered_domain related_fields reviewed reviewed_time risk_severity score source source_data stix_object_id tenant_id tlp_data type under_review under_reviewed_time value false 0 3 0.0 false .com 1605768210 url false false {'id': '23ccc391-6968-4734-b93e-d4985e23dcfd', 'name': 'anomalous-activity', 'colour_code': None, 'created_by': 'system@default.tld', 'created': 1605030281, 'modified_by': 'system@default.tld', 'modified': 1605030281} 1605894588 https://test.com indicator package-fd79e1a4-db90-4748-b9cb-f72264bf3ffe,
package-63f2228a-7037-4e56-a3df-23644ba3be64inbox & polling,
adsa,
newtestcollection1 - edited5df96375-1e0d-494b-870f-3f029d5cc565,
bbb62de5-f71f-4ca9-81b7-c4e94e3640cf,
96c58eb5-5784-4de5-8aa7-b4292525914ctest.com attack_pattern:
campaign:
intrusion_set:
malware:
threat_actor:
tool:
indicator:
ttp:
kill_chain_phases:
course_of_action:false 0 5 58.18 customsource1.x,
Import{'name': 'Import', 'id': 'd1d3b628-346f-43c3-a369-235661ac6277'},
{'name': 'customsource1.x', 'id': '012072c9-1421-4960-ab01-2bb541596374'}indicator--70414571-660b-4360-b064-f0cf58caf903 0a834138-cc59-4107-aa69-46e6080f06af GREEN Indicator false 0 https://test.com/
#
fileReturn File Details.
#
Base Commandfile
#
InputArgument Name | Description | Required |
---|---|---|
file | List of Files. | Required |
enhanced | Boolean Flag which when enabled returns an enhanced response which includes the extra enhancement data from various sources. Possible values are: true, false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
File.Name | String | The full file name. |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.SHA512 | String | The SHA256 hash of the file. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
CTIX.File.tenant_id | string | Tenant ID |
CTIX.File.stix_object_id | string | ID of the Threat Data Object in CTIX application |
CTIX.File.tlp_data | string | TLP Value of the Threat Data Object |
CTIX.File.first_seen | string | Timestamp of when the IP was first seen on the CTIX application |
CTIX.File.last_seen | string | Timestamp of when the IP was latest seen on the CTIX application |
CTIX.File.deprecated | boolean | Shows if the Threat Data Object is deprecated on the CTIX application |
CTIX.File.intel_grading | string | Intel grading |
CTIX.File.criticality | number | Criticality of the Threat Data Object on the scale of 0-5 |
CTIX.File.indicator_type | string | Threat Data Object type |
CTIX.File.package_id | unknown | List of IDs of packages on the CTIX application through which these IPs were received |
CTIX.File.source | unknown | List of sources from which the IP address was received in the CTIX application |
CTIX.File.risk_severity | number | Risk Severity of the Threat Data Object on the scale of 0-5 |
CTIX.File.labels | unknown | List of Tags applied on the Threat Data Object |
CTIX.File.source_grading | string | Source Grading |
CTIX.File.name2 | string | Value of the Threat Data Object |
CTIX.File.published_collections | unknown | Published collections |
CTIX.File.published_package_id | unknown | Package ID |
CTIX.File.blocked | boolean | Shows if the Threat Data Object is blocked on the CTIX application |
CTIX.File.blocked_time | string | Timestamp of when the Threat Data Object was blocked on the CTIX application. |
CTIX.File.deprecated_time | string | Timestamp of when the Threat Data Object was deprecated on the CTIX application |
CTIX.File.notification_preference | unknown | Notification preference |
CTIX.File.followed_on | unknown | Followed On |
CTIX.File.score | number | CTIX Confidence Score of the IP Object out of 100 |
CTIX.File.type | string | Type of object |
CTIX.File.subscriber_id | unknown | List of Subscriber IDs |
CTIX.File.subscriber | unknown | List of Subscribers |
CTIX.File.subscriber_collection_id | unknown | List of Subscriber Collection IDs |
CTIX.File.subscriber_collection | unknown | List of Subscriber Collection |
CTIX.File.object_type | string | Type of object |
CTIX.File.blocked_on | unknown | Name of the Application where the Threat Data Object was blocked on. |
CTIX.File.follow_by | unknown | List of Cyware Users who follow the object. |
CTIX.File.is_false_positive | boolean | Shows if the Threat Data Object was marked false positive in the CTIX application |
CTIX.File.domain_tld | string | Top-Level Domain information about the Threat Data Object. |
CTIX.File.asn | string | ASN number of the Threat Data Object |
CTIX.File.registered_domain | string | Registered Domain |
CTIX.File.geo_details | unknown | Geographic details of the Threat Data Object |
CTIX.File.country | string | Geographic details of the Object |
CTIX.File.registrar | string | Registrar |
CTIX.File.file_extension | string | File Extension |
CTIX.File.whitelisted | unknown | List |
CTIX.File.object_description | string | Description of the Threat Data Object. |
CTIX.File.custom_score | number | Custom Score of the Threat Data Object |
CTIX.File.is_following | boolean | Boolean Value |
CTIX.File.under_review | boolean | Shows if Threat Data Object is marked as Under Review on the CTIX application |
CTIX.File.under_reviewed_time | string | Timestamp when the object was marked under review. |
CTIX.File.reviewed | boolean | Shows if the Threat Data Object is Marked as Reviewed on the CTIX application |
CTIX.File.reviewed_time | string | Timestamp when then object was reviewed. |
CTIX.File.object_description_defang | string | Description of the object. |
CTIX.File.source_data | unknown | List of sources from which CTIX received this IP. |
CTIX.File.related_fields | unknown | Relationship Data about the Threat Data Object present on the CTIX application |
CTIX.File.enhancement_data | unknown | Additional enhanced data about the Threat Data Object fetched by the CTIX application |
#
Command Example!file file="4ebb2b00a11f9361cf3757e96f14ad4b" enhanced=True
#
Context Example#
Human Readable Output#
File List
blocked blocked_time criticality custom_score deprecated deprecated_time first_seen indicator_type is_false_positive is_following labels last_seen name2 object_type package_id published_collections published_package_id related_fields reviewed reviewed_time risk_severity score source source_data stix_object_id tenant_id type under_review under_reviewed_time value false 0 3 0.0 true 1588854933 1586262933 MD5 false false {'id': '23ccc391-6968-4734-b93e-d4985e23dcfd', 'name': 'anomalous-activity', 'colour_code': None, 'created_by': 'system@default.tld', 'created': 1605030281, 'modified_by': 'system@default.tld', 'modified': 1605030281} 1605791028 4ebb2b00a11f9361cf3757e96f14ad4b indicator package-d54892d8-b495-4331-b361-17ffbeacdaed,
package-09be25b9-5d6b-4320-b512-4dc0e088f434,
bundle--87151b50-31a4-4f0a-9f5f-282b0f1d1285adsa,
newtestcollection1 - edited1557df73-68b4-485b-9821-e3036e5fb7a4,
a1eb2b29-fed4-4635-8e5c-a74f4339b8abattack_pattern:
campaign:
intrusion_set:
malware:
threat_actor:
tool:
indicator:
ttp:
kill_chain_phases:
course_of_action:false 0 5 50.0 Import {'name': 'Import', 'id': 'd1d3b628-346f-43c3-a369-235661ac6277'} indicator--2e35588f-cde1-4492-a720-ab0aee7fafaa 0a834138-cc59-4107-aa69-46e6080f06af Indicator false 0 4ebb2b00a11f9361cf3757e96f14ad4b
#
ctix-create-intelCreates Intel in CTIX platform.
#
Base Commandctix-create-intel
#
InputArgument Name | Description | Required | |
---|---|---|---|
title | Title of ioc | Optional | |
description | Description of ioc | Optional | |
tlp | Tlp of ioc | Optional | |
confidence | Confidence of ioc | Optional | |
ips | comma-separated list of IPs | Optional | |
urls | comma-separated list of URLs | Optional | |
domains | comma-separated list of domains | Optional | |
files | comma-separated list of files | Optional | |
emails | comma-separated list of emails | Optional | |
malwares | comma-separated list of malwares | Optional | |
threat_actors | comma-separated list of threat actors | Optional | |
attack_patterns | comma-separated list of attack patterns | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.Intel.response | String | The response of the api |
CTIX.Intel.status | Number | Status code returned from the api |
#
Command Examplectix-create-intel ips=1.2.3.4,3.45.56.78 urls=https://ioc_test.com,https://test_ioc.com files=8e7fad44308af9d1d60aac4fafcecdf2f66aa0315eb5f092fafa5bb03a5c2e3e emails=ioc@gmail.com,malicious@gmail.com malwares=dridex,spambot threat_actors=everest,grief attack_patterns=phishing,ddos title=title_xsoar_intel_creation description=xsoar_description tlp=green confidence=70