Skip to main content

CTIX v3

This Integration is part of the CTIX Pack.#

This is example Threat Intelligence eXhange(CTIX) integration which enriches IP/Domain/URL/File Data. This integration was integrated and tested with version 3.0.0 of CTIX

Configure CTIX in Cortex#

ParameterDescriptionRequired
Endpoint URLEnter the endpoint URL of your CTIX Instance.True
Access KeyEnter the Access Key from the CTIX application.True
Secret KeyEnter the Secret Key from the CTIX application.True
Trust any certificate (not secure)False
Use system proxy settingsFalse
Fetch incidentsFalse
Incidents Fetch IntervalFalse
Incident typeFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ctix-create-tag#


Create new tag in the ctix platform

Base Command#

ctix-create-tag

Input#

Argument NameDescriptionRequired
tag_nameNew tag's name.Required
color_codeNew tag's hex colour code e.g #111111.Required

Context Output#

PathTypeDescription
CTIX.Tag.namestringName of the tag
CTIX.Tag.tag_typestringType of the tag (manual)
CTIX.Tag.colour_codestringColour Code of the tag
CTIX.Tag.idstringId of the Created Tag
CTIX.Tag.creatednumberCreated at timestamp
CTIX.Tag.modifiednumberModified at timestamp

Command Example#

!ctix-create-tag tag_name=xsoar_test_trial color_code=#95A1B1

Context Example#

{
"colour_code": null,
"created": 1652077948,
"created_by": "40ab0f84-fb39-4444-95b2-cd155f574aa2",
"id": "47662c77-b419-419c-9bcf-420e05b01067",
"modified": 1652077948,
"modified_by": "40ab0f84-fb39-4444-95b2-cd155f574aa2",
"name": "xsoar_test_temp",
"type": "manual"
}

ctix-get-tags#


Get paginated list of tags

Base Command#

ctix-get-tags

Input#

Argument NameDescriptionRequired
pagePage number for pagination. Default is 1.Optional
page_sizePage size for pagination. Default is 10.Optional
qsearch query parameter.Optional

Context Output#

PathTypeDescription
CTIX.Tag.namestringName of the tag
CTIX.Tag.idstringID of the tag
CTIX.Tag.colour_codestringHex colour code associated with tag
CTIX.Tag.tag_typestringType of the tag
CTIX.Tag.creatednumberCreated at timestamp
CTIX.Tag.modifiednumberModified at timestamp

Command Example#

!ctix-get-tags

Context Example#

{"next": "tags/?page=2&page_size=1&AccessID=sasfafs-asasvsfasf-vasvasf&Expires=1652078371&Signature=jndjaksbdakbsjdkabscbkjb",
"page_size": 1,
"previous": null,
"results": [{"colour_code": null,
"created": 1652077948,
"created_by": {"email": "dummy.account@test.com",
"first_name": "dummy",
"id": "40ab0f84-fb39-4444-95b2-cd155f574aa2",
"last_name": "account"},
"id": "47662c77-b419-419c-9bcf-420e05b01067",
"modified": 1652077948,
"modified_by": {"email": "dummy.account@test.com",
"first_name": "dummy",
"id": "40ab0f84-fb39-4444-95b2-cd155f574aa2",
"last_name": "account"},
"name": "xsoar_test_temp",
"type": "manual"}],
"total": 10}

ctix-delete-tag#


Delete a tag with given tag_name

Base Command#

ctix-delete-tag

Input#

Argument NameDescriptionRequired
tag_nameName of the tag.Required

Context Output#

PathTypeDescription
CTIX.DeleteTag.resultstringStatus

Command Example#

!ctix-delete-tag tag_name=xsoar_test_trial

Context Example#

{"result": "Action Successfully Executed"}

ctix-allowed-iocs#


Adds list of same type of iocs to allowed

Base Command#

ctix-allowed-iocs

Input#

Argument NameDescriptionRequired
typeType of ioc. Possible values are: ipv4-addr, ipv6-addr, autonomous-system, email-addr, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SSDEEP, url, cidr, domain-name, mutex, windows-registry-key, user-agent.Required
valuesValues of the given type.Required
reasonDescriptive reason.Required

Context Output#

PathTypeDescription
CTIX.Details.invalidunknownInvalid iocs sent in request
CTIX.Details.new_createdunknownList of iocs added to whitelist
CTIX.Details.already_existsunknownList of iocs already existing

Command Example#

!ctix-allowed-iocs reason=test type="ipv4-addr" values=x.x.x.x,x.x.x.x

Context Example#

{
"details":{
"already_exists": [
"x.x.x.x",
"x.x.x.x"
],
"invalid": [],
"new_created": []
}
}

ctix-get-allowed-iocs#


get paginated list of allowed iocs

Base Command#

ctix-get-allowed-iocs

Input#

Argument NameDescriptionRequired
pagePage number . Default is 1.Optional
page_sizePage size. Default is 10.Optional
qquery param for searching.Optional

Context Output#

PathTypeDescription
CTIX.IOC.idstringID of the object
CTIX.IOC.include_emailsbooleanIf enabled then the emails to the corresponding emails will be whitelisted
CTIX.IOC.include_sub_domainsbooleanIf enabled then the emails to the corresponding sub domains will be whitelisted
CTIX.IOC.include_urlsbooleanIf enabled then the emails to the corresponding urls will be whitelisted
CTIX.IOC.typestringType of the ioc
CTIX.IOC.valuestringValue of the ioc
CTIX.IOC.creatednumberCreated at timestamp
CTIX.IOC.modifiednumberModified at timestamp

Command Example#

!ctix-get-allowed-iocs q=type=indicator

Context Example#

{"next": "allowed/?page=2&page_size=1", "page_size": 1, "previous": null,
"results": [{"created": 1652084983, "created_by": {"email":
"dumy.account@example.com", "first_name": "dumy", "id":
"40ab0f84-fb39-4444-95b2-cd155f574aa2", "last_name": "account"}, "follow":
true, "id": "2df4a0ad-b1dd-4a4c-bf71-dcdefce0dcf9", "include_emails": false,
"include_subdomains": false, "include_urls": false, "modified": 1652097309,
"modified_by": {"email": "dummt.acount@example.com", "first_name": "", "id":
"4a5f744c-800a-4fcd-be06-53f4b1b8f966", "last_name": ""}, "type":
"ipv4-addr", "value": "x.x.x.x"}], "total": 5}

ctix-remove-allowed-ioc#


Removes a alloweded ioc with given id

Base Command#

ctix-remove-allowed-ioc

Input#

Argument NameDescriptionRequired
idsallowed IOC ids.Required

Context Output#

PathTypeDescription
detailsstringOperation result

Command Example#

!ctix-remove-allowed-ioc ids=7a33a7ac-ab54-412f-a725-f35c208a54ea

Context Example#

{
"details": "Action applied succesfully"
}

ctix-get-threat-data#


Command for querying and listing threat data

Base Command#

ctix-get-threat-data

Input#

Argument NameDescriptionRequired
queryQuery statement for the thread data, please refer to the documentation.Required
pagepage. Default is 1.Optional
page_sizesize of page. Default is 1.Optional

Context Output#

PathTypeDescription
CTIX.ThreatData.confidence_scorenumberConfidence Score of the IOC
CTIX.ThreatData.confidence_typestringConfidence Type of the IOC
CTIX.ThreatData.creatednumberWhen the IOC was created in source
CTIX.ThreatData.ctix_creatednumberWhen the IOC was created in CTIX
CTIX.ThreatData.ctix_modifiednumberWhen the IOC was modified in CTIX
CTIX.ThreatData.idstringID of the IOC in CTIX
CTIX.ThreatData.indicator_typestringType of the Indicator
CTIX.ThreatData.ioc_typestringType of IOC
CTIX.ThreatData.is_actionedbooleanIs Actioned
CTIX.ThreatData.is_deprecatedbooleanIs Deprecated
CTIX.ThreatData.is_false_positivebooleanIs False Positive
CTIX.ThreatData.is_reviewedbooleanIs reviewed
CTIX.ThreatData.is_revokedbooleanIs revoked
CTIX.ThreatData.is_watchlistbooleanIs Watchlist
CTIX.ThreatData.is_whitelistedbooleanIs alloweded
CTIX.ThreatData.modifiedbooleanWhen the indicator modified
CTIX.ThreatData.namebooleanName of the indicator
CTIX.ThreatData.risk_severitybooleanrisk severity of the indicator
CTIX.ThreatData.source_collectionsunknownSource Collections of the Indicator
CTIX.ThreatData.source_confidencestringSource Confidence of the indicator
CTIX.ThreatData.sourcesunknownsources of the indicator
CTIX.ThreatData.sub_typestringSub Type of the IOC
CTIX.ThreatData.tlpstringTLP of the indicator
CTIX.ThreatData.typestringType of the IOC
CTIX.ThreatData.valid_fromnumberDate from which IOC is valid

Command Example#

!ctix-get-threat-data query=type=indicator

Context Example#

{
"next": null,
"page_size": 10,
"previous": null,
"results": [
{"analyst_score": null,
"analyst_tlp": null,
"confidence_score": 50,
"confidence_type": "ctix",
"country": null,
"created": 1652081902,
"ctix_created": 1652081903,
"ctix_modified": 1652081903,
"first_seen": null,
"id": "1ff2a18a-0574-4015-bbec-bc7692dccb14",
"indicator_type": "domain-name",
"ioc_type": "domain-name",
"is_actioned": false,
"is_deprecated": false,
"is_false_positive": false,
"is_reviewed": false,
"is_revoked": false,
"is_watchlist": false,
"is_whitelisted": false,
"last_seen": null,
"modified": 1652081902,
"name": "example.com",
"null": [],
"primary_attribute": null,
"published_collections": [],
"risk_severity": "UNKNOWN",
"source_collections": [{"id": "1981f5f6-49d4-4cad-97b7-8b2d276d2956",
"name": "dummy"}],
"source_confidence": "HIGH",
"sources": [{"id": "48e5966e-5d1b-4cf9-8e79-306aa8702a28",
"name": "dummy",
"source_type": "RSS_FEED"}],
"sub_type": "value",
"subscriber_collections": [],
"subscribers": [],
"tags": [],
"tlp": "AMBER",
"type": "indicator",
"valid_from": 1652081902,
"valid_until": null}],
"total": 1}

ctix-get-saved-searches#


Saved Search listing api with pagination

Base Command#

ctix-get-saved-searches

Input#

Argument NameDescriptionRequired
pagepage. Default is 1.Optional
page_sizepage size. Default is 5.Optional

Context Output#

PathTypeDescription
CTIX.SavedSearch.idstringID of the object
CTIX.SavedSearch.editableboolean
CTIX.SavedSearch.is_threat_data_searchboolean
CTIX.SavedSearch.namestring
CTIX.SavedSearch.ordernumber
CTIX.SavedSearch.pinnedboolean
CTIX.SavedSearch.querystring
CTIX.SavedSearch.shared_typestring
CTIX.SavedSearch.typestring
CTIX.SavedSearch.meta_dataunknown

Command Example#

!ctix-get-saved-searches

Context Example#

{
"next": null,
"page_size": 10,
"previous": null,
"results": [
{
"created_by": {
"email": "system.default@example.com",
"first_name": "System",
"id": "e99b5f93-4ae8-4560-a848-a4fbae3f4f26",
"last_name": "Default"
},
"description": null,
"editable": false,
"id": "d5b54bc7-3b3f-424b-b08d-5e8cf746e998",
"is_threat_data_search": true,
"meta_data": null,
"name": "Indicator",
"order": 0,
"pinned": false,
"query": "type =indicator",
"shared_type": "global",
"shared_users": [
],
"type": "cql"
}
],
"total": 1
}

ctix-get-server-collections#


Source Collection listing api with pagination

Base Command#

ctix-get-server-collections

Input#

Argument NameDescriptionRequired
pagepage. Default is 1.Optional
page_sizepage size. Default is 15.Optional

Context Output#

PathTypeDescription
CTIX.ServerCollection.namestringName of the server
CTIX.ServerCollection.idstringID of the object
CTIX.ServerCollection.inboxbooleanInbox is enabled or not
CTIX.ServerCollection.is_activebooleanObject if active or not
CTIX.ServerCollection.is_editablebooleanObject if editable or not
CTIX.ServerCollection.pollingbooleanObject polling is enabled or not
CTIX.ServerCollection.typestringObject type
CTIX.ServerCollection.descriptionstringdescription of the object
CTIX.ServerCollection.creatednumberCreated timestamp

Command Example#

!ctix-get-server-collections

Context Example#

{"next": "collection/?page=2&page_size=1", "previous": null, "page_size": 1,
"total": 7, "results": [{"id": "83b5fd74-8ca0-4f28-a173-1d6863b2acb4",
"name": "collection", "description": "with description", "is_active": true,
"type": "DATA_FEED", "is_editable": true, "polling": false, "inbox": true,
"created": 1652080268, "has_subscribed": null}], "subscriber_name": ""}

ctix-get-actions#


Enrichment tools listing API

Base Command#

ctix-get-actions

Input#

Argument NameDescriptionRequired
pagepage. Default is 1.Optional
page_sizepage size. Default is 15.Optional
object_typeobject type.Optional
action_typeaction type.Optional

Context Output#

PathTypeDescription
CTIX.Action.action_namestringName of the Action
CTIX.Action.action_typeunknownDescription of the action
CTIX.Action.actioned_onnumberTimestamp of when the action was taken
CTIX.Action.app_namestringName of the app for the action
CTIX.app_typestringType of the app
CTIX.Action.idstringID of the action
CTIX.Action.object_typestringType of the action

Command Example#

!ctix-get-actions action_type=manual object_type=indicator

Context Example#

{
"next": "actions/?page=2&page_size=1&actions_type=manual&object_type=indicator",
"page_size": 1,
"previous": null,
"results": [
{
"action_name": "Update Analyst Score",
"action_type": "manual",
"actioned_by": {
"email": "dummy.email@test.com",
"first_name": "test",
"id":"40ab0f84-fb39-4444-95b2-cd155f574aa2",
"last_name": "account"
},
"actioned_on": 1651646873,
"app_name": "CTIX",
"app_response": {
},
"app_type": "ctix",
"id": "e8fe8d27-6329-4c0b-a3c0-be104be4de55",
"object_id": "19176d96-716d-48aa-af15-dfeff22e72e2",
"object_type": "indicator",
"rule_id": null,
"rule_name": null,
"source_id": null,
"tool": null
}
],
"total": 38459
}

ctix-add-indicator-as-false-positive#


Base Command#

ctix-add-indicator-as-false-positive

Input#

Argument NameDescriptionRequired
object_ids, seperated list of indicator ids.Required
object_typeType of object. Possible values are: attack-pattern, campaign, course-of-action, custom-object, grouping, identity, indicator, infrastructure, intrusion-set, location, malware, malware-analysis, observed-data, opinion, report, threat-actor, tool, note, vulnerability, artifact, directory, email-addr, user-account, email-message, file, ipv4-addr, ipv6-addr, mac-addr, autonomous-system, network-traffic, domain-name, process, software, windows-registry-key, mutex, url, observable, x509-certificate.Required

Context Output#

PathTypeDescription
CTIX.IndicatorFalsePositive.messageunknownIndicator change result

Command Example#

!ctix-add-indicator-as-false-positive object_ids=19176d96-716d-48aa-af15-dfeff22e72e2,531e47a6-d7cd-47be-ae21-a3260518d4a5 object_type=indicator

Context Example#

{"message":"Action Successfully Executed"}

ctix-ioc-manual-review#


Adds ioc to manual review bulk api

Base Command#

ctix-ioc-manual-review

Input#

Argument NameDescriptionRequired
object_idsObject ids of the items to be added for manual review.Required
object_typeobject type. Possible values are: attack-pattern, campaign, course-of-action, custom-object, grouping, identity, indicator, infrastructure, intrusion-set, location, malware, malware-analysis, observed-data, opinion, report, threat-actor, tool, note, vulnerability, artifact, directory, email-addr, user-account, email-message, file, ipv4-addr, ipv6-addr, mac-addr, autonomous-system, network-traffic, domain-name, process, software, windows-registry-key, mutex, url, observable, x509-certificate.Required

Context Output#

PathTypeDescription
CTIX.IOCManualReview.messageunknownIOC Manual Review result

Command Example#

!ctix-ioc-manual-review object_ids=f3064a83-304e-4801-bec2-2f26a432bfd2,0aced40d-9a83-46cd-a92b-0c776c92594c object_type=indicator

Context Example#

{
"message": "Action Successfully Executed"
}

ctix-deprecate-ioc#


Deprecate ioc bulk api

Base Command#

ctix-deprecate-ioc

Input#

Argument NameDescriptionRequired
object_idsObject ids .Required
object_typeobject type.Required

Context Output#

PathTypeDescription
CTIX.DeprecateIOCunknownResult of the IOC deprecation request

Command Example#

!ctix-deprecate-ioc object_ids=f3064a83-304e-4801-bec2-2f26a432bfd2,0aced40d-9a83-46cd-a92b-0c776c92594c object_type=indicator

Context Example#

{
"message": "Action Successfully Executed"
}

ctix-add-analyst-tlp#


Add Analyst TLP

Base Command#

ctix-add-analyst-tlp

Input#

Argument NameDescriptionRequired
object_idobject id.Required
object_typeobject type.Required
datadata.Required

Context Output#

PathTypeDescription
CTIX.AddAnalystTLPunknownResult of the addition of analyst TLP

Command Example#

!ctix-add-analyst-tlp object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator data={\"analyst_tlp\":\"GREEN\"}

Context Example#

{
"message": "Action Successfully Executed"
}

ctix-add-analyst-score#


Add Analyst Score for a Threat data

Base Command#

ctix-add-analyst-score

Input#

Argument NameDescriptionRequired
object_idobject id.Required
object_typeobject type.Required
datadata.Required

Context Output#

PathTypeDescription
CTIX.AddAnalystScoreunknownResult of adding analyst score to threat data

Command Example#

!ctix-add-analyst-score data={"analyst_score":10} object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator

Context Example#

{
"message": "Action Successfully Executed"
}

ctix-saved-result-set#


Saved Result Set

Base Command#

ctix-saved-result-set

Input#

Argument NameDescriptionRequired
pagepage. Default is 1.Optional
page_sizepage size. Default is 10.Optional
label_namelabel name.Optional
queryCQL.Optional

Context Output#

PathTypeDescription
CTIX.SavedResultSet.analyst_scorenumberAnalyst score of the IOC
CTIX.SavedResultSet.analyst_tlpstringAnalyst TLP of the IOC
CTIX.SavedResultSet.confidence_scorenumberConfidence score of the IOC
CTIX.SavedResultSet.confidence_typestringConfidence type of the IOC
CTIX.SavedResultSet.countrystringCountry of origin for the IOC
CTIX.SavedResultSet.creatednumberIOC creation date
CTIX.SavedResultSet.ctix_creatednumberIOC date of creation in CTIX
CTIX.SavedResultSet.ctix_modifiednumberIOC date of modification in CTIX
CTIX.SavedResultSet.first_seendateIOC timestamp when it was first seen
CTIX.SavedResultSet.idnumberIOC ID
CTIX.SavedResultSet.indicator_typestringType of the indicator
CTIX.SavedResultSet.ioc_typestringType of the IOC
CTIX.SavedResultSet.is_actionedbooleanIf there is any action taken on the indicator
CTIX.SavedResultSet.is_deprecatedbooleanIf the indicator is deprecated or not
CTIX.SavedResultSet.is_false_positivebooleanValue of the indicator is false positive or not
CTIX.SavedResultSet.is_reviewedbooleanWhether the indicator reviewed or not
CTIX.SavedResultSet.is_revokedbooleanWhether the indicator is revoked or not
CTIX.SavedResultSet.is_watchlistbooleanWhether the indicator is under watchlist or not
CTIX.SavedResultSet.is_whitelistedbooleanWhether the indicator is whitelisted or not
CTIX.SavedResultSet.last_seendateTimestamp of the when the IOC was last seen
CTIX.SavedResultSet.modifieddateTimestamp of the when the IOC was modified
CTIX.SavedResultSet.namestringName of the indicator
CTIX.SavedResultSet.nullunknownnull
CTIX.SavedResultSet.primary_attributestringPrimary attribute of the IOC
CTIX.SavedResultSet.published_collectionsunknownPublished collections of the IOC
CTIX.SavedResultSet.risk_severityunknownRisk severity of the IOC
CTIX.SavedResultSet.source_collectionsunknownSource collections of the IOC
CTIX.SavedResultSet.namestringName of the IOC
CTIX.SavedResultSet.sourcesunknownSources of the IOC
CTIX.SavedResultSet.sub_typeunknownSub type of the IOC
CTIX.SavedResultSet.subscriber_collectionsunknownSubscription collections of the IOC
CTIX.SavedResultSet.subscribersunknownSubscribers of the IOC
CTIX.SavedResultSet.tagsunknownTags on the IOC
CTIX.SavedResultSet.tlpunknownTLP of the IOC
CTIX.SavedResultSet.typeunknownType of the IOC
CTIX.SavedResultSet.valid_fromunknownTimestamp from when the IOC is valid
CTIX.SavedResultSet.valid_untilunknownTimestamp till then the IOC is valid

Command Example#

!ctix-saved-result-set label_name=test query=type=indicator

Context Example#

{"next": "threat-data/list/?page=2&page_size=1", "page_size": 1, "previous":
null, "results": [{"analyst_score": null, "analyst_tlp": null,
"confidence_score": null, "confidence_type": "ctix", "country": null,
"created": 1652111918, "ctix_created": 1652111957, "ctix_modified":
1652111957, "first_seen": null, "id":
"670afacb-2f72-42fe-84cc-b2022ba6a7ed", "indicator_type": null, "ioc_type":
null, "is_actioned": false, "is_deprecated": false, "is_false_positive":
false, "is_reviewed": false, "is_revoked": false, "is_watchlist": false,
"is_whitelisted": false, "last_seen": null, "modified": 1652111949, "name":
"Test12344", "null": [], "primary_attribute": null, "published_collections":
[], "risk_severity": null, "source_collections": [{"id":
"32b98724-8625-4af2-ad83-43b4b5c50885", "name": "Test12344"}],
"source_confidence": "NONE", "sources": [{"id":
"5968d895-424f-4271-a1d3-2b01041a17bb", "name": "Test12344", "source_type":
"WEB_SCRAPPER"}], "sub_type": null, "subscriber_collections": [],
"subscribers": [], "tags": [], "tlp": "AMBER", "type": "report",
"valid_from": null, "valid_until": null}], "total": 353243}

ctix-add-tag-indicator#


Adding Tag to Indicator

Base Command#

ctix-add-tag-indicator

Input#

Argument NameDescriptionRequired
pagepage from where data will be taken. Default is 1.Optional
page_sizetotal number of results to be fetched. Default is 10.Optional
qquery.Optional
object_idobject id. Default is "".Optional
object_typeobject type. Default is ""Optional
tag_idtag id. Default is ""Optional

Context Output#

PathTypeDescription
CTIX.TagUpdation.meesageunknownResult of the add indicator tag request

Command Example#

!ctix-add-tag-indicator object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator tag_id=fb35000b-82e7-4440-8f18-8b63bba5b372

Context Example#

{
"message": "Action Successfully Executed"
}

ctix-remove-tag-from-indicator#


Remove Tag From Indicator

Base Command#

ctix-remove-tag-from-indicator

Input#

Argument NameDescriptionRequired
pagewhich page to bring the data from. Default is 1.Optional
page_sizenumber of pages to bring data from. Default is 10.Optional
qquery.Optional
object_idobject_id. Default is "".Optional
object_typeobject_type. Default is "".Optional
tag_idtag_id. Default is "".Optional

Context Output#

PathTypeDescription
CTIX.TagUpdation.messageunknownResult of the remove indicator tag request

Command Example#

!ctix-remove-tag-from-indicator object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator tag_id=fb35000b-82e7-4440-8f18-8b63bba5b372

Context Example#

{
"message": "Action Successfully Executed"
}

ctix-search-for-tag#


Search for tag

Base Command#

ctix-search-for-tag

Input#

Argument NameDescriptionRequired
pagenumber of page from where data needs to brought. Default is 1.Optional
page_sizesize of the result. Default is 10.Optional
qquery.Optional

Context Output#

PathTypeDescription
CTIX.SearchTag.colour_codeunknownColour code of the tag
CTIX.SearchTag.creatednumberTimestamp of when the tag was created
CTIX.SearchTag.created_byunknowndetails of the person who created the tag
CTIX.SearchTag.idstringID of the tag
CTIX.SearchTag.modifiednumberTimestamp of when the tag was modified
CTIX.SearchTag.modified_byunknownDetails of the person who modified the tag
CTIX.SearchTag.nameunknownName of the tag
CTIX.SearchTag.typeunknowntype of the tag

Command Example#

!ctix-search-for-tag q=xsoar_test_trial

Context Example#

{"next": "tags/?page=2&page_size=1", "page_size": 1, "previous": null,
"results": [{"colour_code": null, "created": 1652113918, "created_by":
{"email": "dummy.account@example.com", "first_name": "dummy", "id":
"40ab0f84-fb39-4444-95b2-cd155f574aa2", "last_name": "account"}, "id":
"68981db8-6deb-41f0-9727-74ad81cf47b2", "modified": 1652113918,
"modified_by": {"email": "dummy.account@example.com", "first_name":
"dummy", "id": "40ab0f84-fb39-4444-95b2-cd155f574aa2", "last_name":
"account"}, "name": "xsoar_test", "type": "manual"}], "total": 39893}

ctix-get-indicator-details#


Get Indicator Details

Base Command#

ctix-get-indicator-details

Input#

Argument NameDescriptionRequired
pagefrom where data has to be brought. Default is 1.Optional
page_sizetotal number of results. Default is 10.Optional
object_idobject id. Default is "".Optional
object_typeobject type. Default is "".Optional

Context Output#

PathTypeDescription
CTIX.IndicatorDetails.aliasesstringAliases of the tag if any
CTIX.IndicatorDetails.analyst_descriptionstringAnalyst description provided if any
CTIX.IndicatorDetails.analyst_scorenumberAnalyst score of the indicator
CTIX.IndicatorDetails.analyst_tlpstringAnalyst provided TLP on the indicator
CTIX.IndicatorDetails.asnstringASN of the indicator
CTIX.IndicatorDetails.attribute_fieldstringAttribute field of the indicator
CTIX.IndicatorDetails.attribute_valuestringAttribute value of the indicator
CTIX.IndicatorDetails.base_typestringBase type of the indicator
CTIX.IndicatorDetails.confidence_scorenumberConfidence score of the IOC
CTIX.IndicatorDetails.confidence_typestringConfidence type of the IOC
CTIX.IndicatorDetails.countrystringCountry of origin of the IOC
CTIX.IndicatorDetails.creatednumberTimestamp of when the indicator was created
CTIX.IndicatorDetails.ctix_creatednumberTimestamp of when the indicator was created in CTIX
CTIX.IndicatorDetails.ctix_modifiednumberTimestamp of when the indicator was modified in CTIX
CTIX.IndicatorDetails.ctix_scorenumberCTIX score of the indicator
CTIX.IndicatorDetails.ctix_tlpstringCTIX assigned TLP of the indicator
CTIX.IndicatorDetails.defang_analyst_descriptionstringDefanged analyst description of the indicator
CTIX.IndicatorDetails.descriptionstringDescription of the indicator
CTIX.IndicatorDetails.fang_analyst_descriptionstringFang analyst description of the indicator
CTIX.IndicatorDetails.first_seennumberTimestamp of then the indicator was first seen
CTIX.IndicatorDetails.last_seennumberTimestamp of then the indicator was last seen
CTIX.IndicatorDetails.modifiednumberTimestamp of then the indicator was modified
CTIX.IndicatorDetails.namestringName of the indicator
CTIX.IndicatorDetails.patternstringSTIX pattern of the indicator
CTIX.IndicatorDetails.pattern_typestringpattern type of the indicator
CTIX.IndicatorDetails.pattern_versionstringSTIX pattern version
CTIX.IndicatorDetails.sourcesunknownSources of the indicator
CTIX.IndicatorDetails.sub_typestringSub type of the indicator
CTIX.IndicatorDetails.tldstringTLD of the indicator
CTIX.IndicatorDetails.tlpstringTLP of the indicator
CTIX.IndicatorDetails.typestringType of the indicator
CTIX.IndicatorDetails.typesstringTypes of the indicator
CTIX.IndicatorDetails.valid_fromnumberTimestamp of the indicator from then it was valid
CTIX.IndicatorDetails.valid_untilunknownTimestamp of the indicator till

Command Example#

!ctix-get-indicator-details object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator

Context Example#

{"aliases": null, "analyst_description": null, "analyst_score": null,
"analyst_tlp": null, "asn": null, "attribute_field": "value",
"attribute_value": "x.x.x.x", "base_type": "sdo", "confidence_score":
18, "confidence_type": "CTIX", "country": "Netherlands", "created":
1651648700, "ctix_created": 1651648700, "ctix_modified": 1652113922,
"ctix_score": 18, "ctix_tlp": null, "defang_analyst_description": null,
"description": null, "fang_analyst_description": null, "first_seen": null,
"last_seen": null, "modified": 1651648700, "name": "x.x.x.x",
"pattern": "[ipv4-addr:value = x.x.x.x]", "pattern_type": "stix",
"pattern_version": "2.1", "sources": [{"id":
"e941f6fb-387b-452c-b77d-b5b05c5e9df2", "name": "Dummy",
"source_type": "API_FEEDS"}], "sub_type": "ipv4-addr", "tld": "", "tlp":
"WHITE", "type": "indicator", "types": ["anomalous-activity"], "valid_from":
1644335851, "valid_until": null}

ctix-get-indicator-tags#


Get Indicator Tags

Base Command#

ctix-get-indicator-tags

Input#

Argument NameDescriptionRequired
object_idobject id. Default is "".Optional
object_typeobject type. Default is "".Optional
pagepage. Default is 1.Optional
page_sizepage size. Default is 10.Optional

Context Output#

PathTypeDescription
CTIX.IndicatorTags.notesunknownNotes on the indicator's tag
CTIX.IndicatorTags.is_deprecatedbooleanIf the indicator's tag deprecated or not
CTIX.IndicatorTags.is_revokedbooleanIf the indicator's tag revoked or not
CTIX.IndicatorTags.ctix_creatednumberTimestamp of when the Indicator tag was created in CTIX
CTIX.IndicatorTags.is_false_positivebooleanIf the indicator's tag is false positive or not
CTIX.IndicatorTags.namestringName of the indicator
CTIX.IndicatorTags.is_reviewedbooleanIf the indicator reviewed or not
CTIX.IndicatorTags.is_whitelistedbooleanIf the indicator whitelisted or not
CTIX.IndicatorTags.is_under_reviewbooleanIf the indicator is under review or not
CTIX.IndicatorTags.is_watchlistbooleanIf the indicator is under watchlist or not
CTIX.IndicatorTags.tagsunknownTags of the indicator
CTIX.IndicatorTags.sub_typeunknownSub type of the indicator
CTIX.IndicatorTags.typeunknownType of Indicator

Command Example#

!ctix-get-indicator-tags object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator

Context Example#

{
"notes": [],
"is_deprecated": false,
"is_revoked": false,
"ctix_created": 1651648700,
"is_false_positive": false,
"name": "x.x.x.x",
"is_reviewed": false,
"is_whitelisted": false,
"is_under_review": false,
"is_watchlist": false,
"tags": [
{
"colour_code": null,
"id": "e2139fd5-fe05-48c5-8aaf-a5dfce900919",
"name": "test crowd"
},
{
"colour_code": null,
"id": "fb22e904-ad74-4b6e-987e-46e81caec9ed",
"name": "MaliciousConfidence/Low"
}
],
"sub_type": "ipv4-addr",
"type": "indicator"
}

ctix-get-indicator-relations#


Get Indicator Relations

Base Command#

ctix-get-indicator-relations

Input#

Argument NameDescriptionRequired
pagepage. Default is 1.Optional
page_sizepage size. Default is 10.Optional
object_idobject id. Default is "".Optional
object_typeobject type. Default is "".Optional

Context Output#

PathTypeDescription
CTIX.IndicatorRelations.relationship_typeunknownIndicator relation types
CTIX.IndicatorRelations.sourcesunknownIndicator sources
CTIX.IndicatorRelations.target_refunknownIndicator target reference

Command Example#

!ctix-get-indicator-relations object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator

Context Example#

{
"next": null,
"page_size": 10,
"previous": null,
"results": [
{
"relationship_type": "related-to",
"sources": [
{
"id": "48e5966e-5d1b-4cf9-8e79-306aa8702a28",
"name": "dummy",
"source_type": "RSS_FEED"
}
],
"target_ref": {
"created": 1652081903,
"id": "cb728d0e-3e31-4c3d-8f7d-09726a8bf7a8",
"modified": 1652081903,
"name": "Feed 6",
"object_type": "report",
"sub_type": null,
"tlp": "AMBER"
}
}
],
"total": 1
}

ctix-get-indicator-observations#


Get Indicator Observations

Base Command#

ctix-get-indicator-observations

Input#

Argument NameDescriptionRequired
pagepage.Optional
page_sizepage size.Optional
object_idobject id.Optional
object_typeobject type.Optional

Context Output#

PathTypeDescription
CTIX.IndicatorObservations.custom_attributesunknownCustom attributes if any
CTIX.IndicatorObservations.ctix_modifiednumberTimestamp when indicator was modified in CTIX
CTIX.IndicatorObservations.creatednumberTimestamp when indicator was created
CTIX.IndicatorObservations.pattern_typestringPattern type of Indicator
CTIX.IndicatorObservations.modifiednumberTimestamp when indicator was modified
CTIX.IndicatorObservations.ctix_creatednumberTimestamp when indicator was created in CTIX
CTIX.IndicatorObservations.pattern_versionstringSTIX Pattern version of indicator
CTIX.IndicatorObservations.confidencestringConfidence level of the indicator
CTIX.IndicatorObservations.valid_fromnumberTimestamp when indicator was valid from
CTIX.IndicatorObservations.patternstringSTIX pattern
CTIX.IndicatorObservations.fang_descriptionstringFANG description
CTIX.IndicatorObservations.defang_descriptionstringDEFANG description
CTIX.IndicatorObservations.spec_versionstringSTIX Spec version
CTIX.IndicatorObservations.tagsunknownTags attached to the indicator
CTIX.IndicatorObservations.received_idstringSTIX ID when indicator was received
CTIX.IndicatorObservations.typesunknownSTIX Types attached to the indicator
CTIX.IndicatorObservations.sourceunknownSTIX source of the indicator
CTIX.IndicatorObservations.idstringid of the indicator
CTIX.IndicatorObservations.valid_untilnumberTimestamp till when the indicator is valid
CTIX.IndicatorObservations.sco_object_idunknownSCO object ID
CTIX.IndicatorObservations.unique_hashunknownunique hash of the indicator
CTIX.IndicatorObservations.descriptionunknowndescription of the indicator
CTIX.IndicatorObservations.granular_markingsunknownGranular Markings if any
CTIX.IndicatorObservations.collectionunknownCollection details of the indicator

Command Example#

!ctix-get-indicator-observations object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator

Context Example#

{
"result": {
"next": null,
"page_size": 10,
"previous": null,
"results": [
{
"custom_attributes": [],
"ctix_modified": 1651648700,
"created": 1644335851,
"pattern_type": "stix",
"modified": 1651648700,
"ctix_created": 1651648700,
"pattern_version": "2.1",
"confidence": "LOW",
"valid_from": 1644335851,
"pattern": "[ipv4-addr:value = 'x.x.x.x']",
"fang_description": null,
"defang_description": null,
"spec_version": "2.1",
"tags": [
{
"colour_code": null,
"id": "e2139fd5-fe05-48c5-8aaf-a5dfce900919",
"name": "test crowd"
},
{
"colour_code": null,
"id": "fb22e904-ad74-4b6e-987e-46e81caec9ed",
"name": "MaliciousConfidence/Low"
}
],
"received_id": "indicator--16a66ac2-3524-44a6-9b9d-5bec6bc80d91",
"types": [
"anomalous-activity"
],
"source": {
"id": "e941f6fb-387b-452c-b77d-b5b05c5e9df2",
"name": "Dummy",
"source_type": "API_FEEDS"
},
"id": "0a11d417-3501-4230-8454-c70e700cf1b8",
"valid_until": null,
"sco_object_id": "20067ec2-8ad1-470e-b0bb-3c4a72b15883",
"unique_hash": "babea09af794cc5ae1403302e9ec5c2d",
"description": "None",
"granular_markings": [],
"collection": {
"id": "3d7df0f3-8c88-43d2-8742-deee21eb6ee0",
"name": "test-crowd-ip"
}
}
],
"total": 1
}
}

ctix-get-conversion-feed-source#


Base Command#

ctix-get-conversion-feed-source

Input#

Argument NameDescriptionRequired
pagepage. Default is 1.Optional
page_sizepage size. Default is 10.Optional
object_idobject id.Optional
object_typeobject type.Optional

Context Output#

PathTypeDescription
CTIX.ConversionFeedSource.creatednumberIndicator creation timestamp
CTIX.ConversionFeedSource.idstringID of the indicator
CTIX.ConversionFeedSource.namestringname of the indicator
CTIX.ConversionFeedSource.taxii_optionstringTAXII option

Command Example#

!ctix-get-conversion-feed-source object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator

Context Example#

{
"result": {
"next": "feed-sources/?page=2&page_size=10&object_id=1ff2a18a-0574-4015-bbec-bc7692dccb14&object_type=indicator",
"page_size": 10,
"previous": null,
"results": [
{
"created": 1651841206,
"id": "9c82a682-254f-410d-a1c0-dc3514415f79",
"name": "dummy-threatmailbox",
"taxii_option": "2.1"
}
],
"total": 31
}
}

ctix-get-lookup-threat-data#


Lookup to get threat data

Base Command#

ctix-get-lookup-threat-data

Input#

Argument NameDescriptionRequired
object_typeobject type.Optional
object_namesWill contain the SDO values. Example: If you need to get the object_ids of indicator 127.0.0.1 then the value will be 127.0.0.1.Optional
page_sizesize of the page. Default is 10.Optional

Context Output#

PathTypeDescription
CTIX.ThreatDataLookup.analyst_scorenumberAnalyst score of the indicator
CTIX.ThreatDataLookup.analyst_tlpstringAnalyst TLP of the indicator
CTIX.ThreatDataLookup.confidence_scorenumberConfidence score of the indicator
CTIX.ThreatDataLookup.confidence_typestringConfidence type of the indicator
CTIX.ThreatDataLookup.countrystringIndicator origin country
CTIX.ThreatDataLookup.creatednumberTimestamp of when the indicator was created
CTIX.ThreatDataLookup.ctix_creatednumberTimestamp of when the indicator was created in CTIX
CTIX.ThreatDataLookup.ctix_modifiednumberTimestamp of when the indicator was modified in CTIX
CTIX.ThreatDataLookup.first_seennumberTimestamp of when the indicator was first seen
CTIX.ThreatDataLookup.idstringIndicator ID
CTIX.ThreatDataLookup.indicator_typestringIndicator type
CTIX.ThreatDataLookup.ioc_typestringIOC type
CTIX.ThreatDataLookup.is_actionedbooleanIs actioned
CTIX.ThreatDataLookup.is_deprecatedbooleanis deprecated
CTIX.ThreatDataLookup.is_false_positivebooleanis false positive
CTIX.ThreatDataLookup.is_reviewedbooleanis reviewed
CTIX.ThreatDataLookup.is_revokedbooleanis revoked
CTIX.ThreatDataLookup.is_watchlistbooleanis watchlisted
CTIX.ThreatDataLookup.is_whitelistedbooleanis allowed
CTIX.ThreatDataLookup.last_seennumberTimestamp of when the indicator was last seen
CTIX.ThreatDataLookup.modifiednumberTimestamp of when the indicator was modified
CTIX.ThreatDataLookup.namestringname of the indicator
CTIX.ThreatDataLookup.nullunknownnull
CTIX.ThreatDataLookup.primary_attributestringPrimary Attribute
CTIX.ThreatDataLookup.published_collectionsunknownpublished collections
CTIX.ThreatDataLookup.risk_severitystringRisk severity
CTIX.ThreatDataLookup.source_collectionsunknownsources collections
CTIX.ThreatDataLookup.source_confidencestringSource confidence
CTIX.ThreatDataLookup.sourcesunknownsources
CTIX.ThreatDataLookup.sub_typestringSub type
CTIX.ThreatDataLookup.subscriber_collectionsunknownsubscriber collections
CTIX.ThreatDataLookup.subscribersunknownsubscribers
CTIX.ThreatDataLookup.tagsunknownTags
CTIX.ThreatDataLookup.tlpstringTLP
CTIX.ThreatDataLookup.typestringType
CTIX.ThreatDataLookup.valid_fromnumberTimestamp from when the indicator was valid
CTIX.ThreatDataLookup.valid_untilnumberTimestamp till when the indicator was valid

Command example#

!ctix-get-lookup-threat-data object_names=example.com,3.4.5.6 object_type=indicator

Context Example#

{
"CTIX": {
"ThreatDataLookup": {
"analyst_cvss_score": null,
"analyst_score": null,
"analyst_tlp": null,
"confidence_score": 100,
"confidence_type": "ctix",
"country": null,
"created": 1674080000,
"ctix_created": 1674080000,
"ctix_modified": 1674080000,
"custom_attributes": [],
"first_seen": null,
"id": "6779a969-6404-4dd7-97ef-dec877c03c4f",
"indicator_type": "domain-name",
"ioc_type": "domain-name",
"is_actioned": false,
"is_deprecated": false,
"is_false_positive": false,
"is_reviewed": false,
"is_revoked": false,
"is_watchlist": false,
"is_whitelisted": false,
"last_seen": null,
"modified": 1674080001,
"name": "example.com",
"null": [],
"primary_attribute": null,
"published_collections": [],
"risk_severity": null,
"severity": "UNKNOWN",
"source_collections": [
{
"id": "a9d67cc1-5de8-460b-8bf4-63abc7ceaa54",
"name": "anotherone (OpenAPI)"
}
],
"source_confidence": "HIGH",
"sources": [
{
"id": "38102b0e-1af4-4ee2-a62e-dd5f2ffaff5a",
"name": "testing (OpenAPI)",
"source_type": "MISCELLANEOUS"
}
],
"sub_type": "value",
"subscriber_collections": [],
"subscribers": [],
"tags": [
{
"colour_code": "#5236E2",
"id": "9635c41b-80fb-4a98-a1f3-e5796c72bb29",
"name": "created_using_openapi_lookup"
}
],
"tlp": "AMBER",
"type": "indicator",
"valid_from": 1674080000,
"valid_until": null
}
},
"DBotScore": {
"Indicator": "example.com",
"Reliability": "C - Fairly reliable",
"Score": 3,
"Type": "domain",
"Vendor": "CTIX v3 Beta"
},
"Domain": {
"Malicious": {
"Description": null,
"Vendor": "CTIX v3 Beta"
},
"Name": "example.com"
}
}

Human Readable Output#

Lookup Data#

confidence_scoreconfidence_typecreatedctix_createdctix_modifiedidindicator_typeioc_typeis_actionedis_deprecatedis_false_positiveis_reviewedis_revokedis_watchlistis_whitelistedmodifiednameseveritysource_collectionssource_confidencesourcessub_typetagstlptypevalid_from
100ctix1674080000167408000016740800006779a969-6404-4dd7-97ef-dec877c03c4fdomain-namedomain-namefalsefalsefalsefalsefalsefalsefalse1674080001example.comUNKNOWN{'id': 'a9d67cc1-5de8-460b-8bf4-63abc7ceaa54', 'name': 'anotherone (OpenAPI)'}HIGH{'id': '38102b0e-1af4-4ee2-a62e-dd5f2ffaff5a', 'name': 'testing (OpenAPI)', 'source_type': 'MISCELLANEOUS'}value{'colour_code': '#5236E2', 'id': '9635c41b-80fb-4a98-a1f3-e5796c72bb29', 'name': 'created_using_openapi_lookup'}AMBERindicator1674080000

ctix-get-create-threat-data#


Gets or creates threat data

Base Command#

ctix-get-create-threat-data

Input#

Argument NameDescriptionRequired
object_typeobject type.Optional
object_namesWill contain the SDO values. Example: If you need to get the object_ids of indicator 127.0.0.1 then the value will be 127.0.0.1.Required
page_sizesize of the page. Default is 10.Optional
sourceThe source of the threat data.Optional
collectionThe collection to store the threat data in.Optional

Context Output#

PathTypeDescription
CTIX.ThreatDataGetCreate.Found.analyst_scorenumberAnalyst score of the indicator
CTIX.ThreatDataGetCreate.Found.analyst_tlpstringAnalyst TLP of the indicator
CTIX.ThreatDataGetCreate.Found.confidence_scorenumberConfidence score of the indicator
CTIX.ThreatDataGetCreate.Found.confidence_typestringConfidence type of the indicator
CTIX.ThreatDataGetCreate.Found.countrystringIndicator origin country
CTIX.ThreatDataGetCreate.Found.creatednumberTimestamp of when the indicator was created
CTIX.ThreatDataGetCreate.Found.ctix_creatednumberTimestamp of when the indicator was created in CTIX
CTIX.ThreatDataGetCreate.Found.ctix_modifiednumberTimestamp of when the indicator was modified in CTIX
CTIX.ThreatDataGetCreate.Found.first_seennumberTimestamp of when the indicator was first seen
CTIX.ThreatDataGetCreate.Found.idstringIndicator ID
CTIX.ThreatDataGetCreate.Found.indicator_typestringIndicator type
CTIX.ThreatDataGetCreate.Found.ioc_typestringIOC type
CTIX.ThreatDataGetCreate.Found.is_actionedbooleanIs actioned
CTIX.ThreatDataGetCreate.Found.is_deprecatedbooleanis deprecated
CTIX.ThreatDataGetCreate.Found.is_false_positivebooleanis false positive
CTIX.ThreatDataGetCreate.Found.is_reviewedbooleanis reviewed
CTIX.ThreatDataGetCreate.Found.is_revokedbooleanis revoked
CTIX.ThreatDataGetCreate.Found.is_watchlistbooleanis watchlisted
CTIX.ThreatDataGetCreate.Found.is_whitelistedbooleanis allowed
CTIX.ThreatDataGetCreate.Found.last_seennumberTimestamp of when the indicator was last seen
CTIX.ThreatDataGetCreate.Found.modifiednumberTimestamp of when the indicator was modified
CTIX.ThreatDataGetCreate.Found.namestringname of the indicator
CTIX.ThreatDataGetCreate.Found.nullunknownnull
CTIX.ThreatDataGetCreate.Found.primary_attributestringPrimary Attribute
CTIX.ThreatDataGetCreate.Found.published_collectionsunknownpublished collections
CTIX.ThreatDataGetCreate.Found.risk_severitystringRisk severity
CTIX.ThreatDataGetCreate.Found.source_collectionsunknownsources collections
CTIX.ThreatDataGetCreate.Found.source_confidencestringSource confidence
CTIX.ThreatDataGetCreate.Found.sourcesunknownsources
CTIX.ThreatDataGetCreate.Found.sub_typestringSub type
CTIX.ThreatDataGetCreate.Found.subscriber_collectionsunknownsubscriber collections
CTIX.ThreatDataGetCreate.Found.subscribersunknownsubscribers
CTIX.ThreatDataGetCreate.Found.tagsunknownTags
CTIX.ThreatDataGetCreate.Found.tlpstringTLP
CTIX.ThreatDataGetCreate.Found.typestringType
CTIX.ThreatDataGetCreate.Found.valid_fromnumberTimestamp from when the indicator was valid
CTIX.ThreatDataGetCreate.Found.valid_untilnumberTimestamp till when the indicator was valid
CTIX.ThreatDataGetCreate.NotFoundCreatedstringIOCs that weren't found, and therefore were created
CTIX.ThreatDataGetCreate.NotFoundInvalidstringIOCs that were found to be invalid, so they were not created

Command example#

!ctix-get-create-threat-data object_names=example.com,x.x.x.x,zzzzz collection=some_collection source=some_source

Context Example#

{
"CTIX": {
"ThreatDataGetCreate": {
"Found": {
"analyst_cvss_score": null,
"analyst_score": null,
"analyst_tlp": null,
"confidence_score": 100,
"confidence_type": "ctix",
"country": null,
"created": 1674080000,
"ctix_created": 1674080000,
"ctix_modified": 1674080000,
"custom_attributes": [],
"first_seen": null,
"id": "6779a969-6404-4dd7-97ef-dec877c03c4f",
"indicator_type": "domain-name",
"ioc_type": "domain-name",
"is_actioned": false,
"is_deprecated": false,
"is_false_positive": false,
"is_reviewed": false,
"is_revoked": false,
"is_watchlist": false,
"is_whitelisted": false,
"last_seen": null,
"modified": 1674080001,
"name": "example.com",
"null": [],
"primary_attribute": null,
"published_collections": [],
"risk_severity": null,
"severity": "UNKNOWN",
"source_collections": [
{
"id": "a9d67cc1-5de8-460b-8bf4-63abc7ceaa54",
"name": "anotherone (OpenAPI)"
}
],
"source_confidence": "HIGH",
"sources": [
{
"id": "38102b0e-1af4-4ee2-a62e-dd5f2ffaff5a",
"name": "testing (OpenAPI)",
"source_type": "MISCELLANEOUS"
}
],
"sub_type": "value",
"subscriber_collections": [],
"subscribers": [],
"tags": [
{
"colour_code": "#5236E2",
"id": "9635c41b-80fb-4a98-a1f3-e5796c72bb29",
"name": "created_using_openapi_lookup"
}
],
"tlp": "AMBER",
"type": "indicator",
"valid_from": 1674080000,
"valid_until": null
},
"NotFoundCreated": [
"x.x.x.x"
],
"NotFoundInvalid": [
"zzzzz"
]
}
},
"DBotScore": {
"Indicator": "example.com",
"Reliability": "C - Fairly reliable",
"Score": 3,
"Type": "domain",
"Vendor": "CTIX v3 Beta"
},
"Domain": {
"Malicious": {
"Description": null,
"Vendor": "CTIX v3 Beta"
},
"Name": "example.com"
}
}

Human Readable Output#

Not Found: Invalid#

Name
zzzzz

domain#


Lookup domain threat data

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command#

domain

Input#

Argument NameDescriptionRequired
domainWill contain domain SDO values. Example: If you need to get the object_ids of indicator example.com then the value will be example.com.Required

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
Domain.NameStringThe domain name, for example: "google.com".

Command example#

!domain domain="example.com" using="CTIX v3 Beta_instance"

Context Example#

{
"CTIX": {
"ThreatDataLookup": {
"Found": {
"analyst_score": null,
"analyst_tlp": null,
"confidence_score": 31,
"confidence_type": "ctix",
"country": null,
"created": 1666709826,
"ctix_created": 1666874647,
"ctix_modified": 1670548277,
"first_seen": null,
"id": "10104a10-74a9-45d7-a412-f11531d64a38",
"indicator_type": "domain-name",
"ioc_type": "domain-name",
"is_actioned": false,
"is_deprecated": false,
"is_false_positive": false,
"is_reviewed": false,
"is_revoked": false,
"is_watchlist": false,
"is_whitelisted": false,
"last_seen": null,
"modified": 1667442806,
"name": "example.com",
"null": [],
"primary_attribute": null,
"published_collections": [],
"risk_severity": "UNKNOWN",
"source_collections": [
{
"id": "2a5a9989-030d-466b-b676-223d2b1f4d1e",
"name": "Indicators v4"
},
{
"id": "5f4230a4-cc3a-4d32-b3ee-c53a373e2a8f",
"name": "https://www.example.com/index.xml"
},
{
"id": "2dc18ee7-ee80-4fa7-953d-4df824f8e8ce",
"name": "https://www.example.com/index.xml"
}
],
"source_confidence": "MEDIUM",
"sources": [
{
"id": "131392bb-ecdf-45ae-8f22-b1160cf03401",
"name": "Mandiant Threat Intelligence",
"source_type": "API_FEEDS"
},
{
"id": "87e622e3-e8e5-4692-9b79-00efead3f874",
"name": "https://www.example.com/index.xml",
"source_type": "RSS_FEED"
},
{
"id": "0647eb19-c559-4d27-a441-b70117315e18",
"name": "https://www.example.com/index.xml",
"source_type": "RSS_FEED"
}
],
"sub_type": "value",
"subscriber_collections": [],
"subscribers": [],
"tags": [],
"tlp": "AMBER",
"type": "indicator",
"valid_from": 1530174464,
"valid_until": null
}
}
},
"DBotScore": {
"Indicator": "example.com",
"Reliability": "C - Fairly reliable",
"Score": 2,
"Type": "domain",
"Vendor": "CTIX v3 Beta"
},
"Domain": {
"Name": "example.com"
}
}

Human Readable Output#

Lookup Data#

confidence_scoreconfidence_typecreatedctix_createdctix_modifiedidindicator_typeioc_typeis_actionedis_deprecatedis_false_positiveis_reviewedis_revokedis_watchlistis_whitelistedmodifiednamerisk_severitysource_collectionssource_confidencesourcessub_typetlptypevalid_from
31ctix16667098261666874647167054827710104a10-74a9-45d7-a412-f11531d64a38domain-namedomain-namefalsefalsefalsefalsefalsefalsefalse1667442806example.comUNKNOWN{'id': '2a5a9989-030d-466b-b676-223d2b1f4d1e', 'name': 'Indicators v4'},
{'id': '5f4230a4-cc3a-4d32-b3ee-c53a373e2a8f', 'name': 'https://www.example.com/index.xml'},
{'id': '2dc18ee7-ee80-4fa7-953d-4df824f8e8ce', 'name': 'https://www.example.com/index.xml'}
MEDIUM{'id': '131392bb-ecdf-45ae-8f22-b1160cf03401', 'name': 'Mandiant Threat Intelligence', 'source_type': 'API_FEEDS'},
{'id': '87e622e3-e8e5-4692-9b79-00efead3f874', 'name': 'https://www.example.com/index.xml', 'source_type': 'RSS_FEED'},
{'id': '0647eb19-c559-4d27-a441-b70117315e18', 'name': 'https://www.example.com/index.xml', 'source_type': 'RSS_FEED'}
valueAMBERindicator1530174464

ip#


Lookup ip threat data

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipWill contain IP SDO values. Example: If you need to get the object_ids of indicator 1.2.3.4 then the value will be 1.2.3.4.Required

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
IP.AddressStringThe IP address, for example: 1.2.3.4.

Command example#

!ip ip="x.x.x.x" using="CTIX v3 Beta_instance"

Context Example#

{
"CTIX": {
"ThreatDataLookup": {
"Found": {
"analyst_score": null,
"analyst_tlp": null,
"confidence_score": 100,
"confidence_type": "ctix",
"country": "United States",
"created": 1666710084,
"ctix_created": 1666874647,
"ctix_modified": 1671604244,
"first_seen": null,
"id": "5c2517a2-759f-4eb8-b9fa-346ff20cfaaf",
"indicator_type": "ipv4-addr",
"ioc_type": "ipv4-addr",
"is_actioned": false,
"is_deprecated": false,
"is_false_positive": false,
"is_reviewed": false,
"is_revoked": false,
"is_watchlist": false,
"is_whitelisted": false,
"last_seen": null,
"modified": 1669170873,
"name": "x.x.x.x",
"null": [],
"primary_attribute": null,
"published_collections": [],
"risk_severity": "UNKNOWN",
"source_collections": [
{
"id": "2a5a9989-030d-466b-b676-223d2b1f4d1e",
"name": "Indicators v4"
},
{
"id": "fe150b23-6354-4a9b-8c27-202abc758ba3",
"name": "NCAS JG Test"
}
],
"source_confidence": "HIGH",
"sources": [
{
"id": "131392bb-ecdf-45ae-8f22-b1160cf03401",
"name": "Mandiant Threat Intelligence",
"source_type": "API_FEEDS"
},
{
"id": "50cbaaee-8083-494c-b42a-7c7fb73ca2dc",
"name": "NCAS JG Test",
"source_type": "RSS_FEED"
}
],
"sub_type": "value",
"subscriber_collections": [],
"subscribers": [],
"tags": [
{
"colour_code": "#5236E2",
"id": "f82fa004-75cc-4824-b129-914ec13728b5",
"name": "Destruction"
}
],
"tlp": "AMBER",
"type": "indicator",
"valid_from": 1409607591,
"valid_until": null
}
}
},
"DBotScore": {
"Indicator": "x.x.x.x",
"Reliability": "C - Fairly reliable",
"Score": 3,
"Type": "ip",
"Vendor": "CTIX v3 Beta"
},
"IP": {
"Address": "x.x.x.x",
"Malicious": {
"Description": null,
"Vendor": "CTIX v3 Beta"
}
}
}

Human Readable Output#

Lookup Data#

confidence_scoreconfidence_typecountrycreatedctix_createdctix_modifiedidindicator_typeioc_typeis_actionedis_deprecatedis_false_positiveis_reviewedis_revokedis_watchlistis_whitelistedmodifiednamerisk_severitysource_collectionssource_confidencesourcessub_typetagstlptypevalid_from
100ctixUnited States1666710084166687464716716042445c2517a2-759f-4eb8-b9fa-346ff20cfaafipv4-addripv4-addrfalsefalsefalsefalsefalsefalsefalse1669170873x.x.x.xUNKNOWN{'id': '2a5a9989-030d-466b-b676-223d2b1f4d1e', 'name': 'Indicators v4'},
{'id': 'fe150b23-6354-4a9b-8c27-202abc758ba3', 'name': 'NCAS JG Test'}
HIGH{'id': '131392bb-ecdf-45ae-8f22-b1160cf03401', 'name': 'Mandiant Threat Intelligence', 'source_type': 'API_FEEDS'},
{'id': '50cbaaee-8083-494c-b42a-7c7fb73ca2dc', 'name': 'NCAS JG Test', 'source_type': 'RSS_FEED'}
value{'colour_code': '#5236E2', 'id': 'f82fa004-75cc-4824-b129-914ec13728b5', 'name': 'Destruction'}AMBERindicator1409607591

file#


Lookup file threat data

Base Command#

file

Input#

Argument NameDescriptionRequired
fileWill contain file SDO values. Example: If you need to get the object_ids of a file hash 3ed0a30799543fa2c3a913c7985bffed then the value will be 3ed0a30799543fa2c3a913c7985bffed.Required

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
File.MD5StringThe MD5 hash of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.

Command example#

!file file="9c57753557ed258d731987834c56fa4c" using="CTIX v3 Beta_instance"

Context Example#

{
"CTIX": {
"ThreatDataLookup": {
"Found": {
"analyst_score": null,
"analyst_tlp": null,
"confidence_score": 100,
"confidence_type": "ctix",
"country": null,
"created": 1673710318,
"ctix_created": 1674124925,
"ctix_modified": 1674124925,
"first_seen": null,
"id": "4ea5874d-0d6e-4a65-a8db-61d825d9fb8e",
"indicator_type": "file",
"ioc_type": "MD5",
"is_actioned": false,
"is_deprecated": false,
"is_false_positive": false,
"is_reviewed": false,
"is_revoked": false,
"is_watchlist": false,
"is_whitelisted": false,
"last_seen": null,
"modified": 1673710318,
"name": "9c57753557ed258d731987834c56fa4c",
"null": [],
"primary_attribute": null,
"published_collections": [],
"risk_severity": "UNKNOWN",
"source_collections": [
{
"id": "2a5a9989-030d-466b-b676-223d2b1f4d1e",
"name": "Indicators v4"
}
],
"source_confidence": "HIGH",
"sources": [
{
"id": "131392bb-ecdf-45ae-8f22-b1160cf03401",
"name": "Mandiant Threat Intelligence",
"source_type": "API_FEEDS"
}
],
"sub_type": "MD5",
"subscriber_collections": [],
"subscribers": [],
"tags": [],
"tlp": "AMBER",
"type": "indicator",
"valid_from": 1671281161,
"valid_until": null
}
}
},
"DBotScore": {
"Indicator": "9c57753557ed258d731987834c56fa4c",
"Reliability": "C - Fairly reliable",
"Score": 3,
"Type": "file",
"Vendor": "CTIX v3 Beta"
},
"File": {
"Hashes": [],
"Malicious": {
"Description": null,
"Vendor": "CTIX v3 Beta"
},
"Name": "9c57753557ed258d731987834c56fa4c"
}
}

Human Readable Output#

Lookup Data#

confidence_scoreconfidence_typecreatedctix_createdctix_modifiedidindicator_typeioc_typeis_actionedis_deprecatedis_false_positiveis_reviewedis_revokedis_watchlistis_whitelistedmodifiednamerisk_severitysource_collectionssource_confidencesourcessub_typetlptypevalid_from
100ctix1673710318167412492516741249254ea5874d-0d6e-4a65-a8db-61d825d9fb8efileMD5falsefalsefalsefalsefalsefalsefalse16737103189c57753557ed258d731987834c56fa4cUNKNOWN{'id': '2a5a9989-030d-466b-b676-223d2b1f4d1e', 'name': 'Indicators v4'}HIGH{'id': '131392bb-ecdf-45ae-8f22-b1160cf03401', 'name': 'Mandiant Threat Intelligence', 'source_type': 'API_FEEDS'}MD5AMBERindicator1671281161

url#


Lookup url threat data

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command#

url

Input#

Argument NameDescriptionRequired
urlWill contain URL SDO values. Example: If you need to get the object_ids of a URL https://cyware.com/ then the value will be https://cyware.com/.Required

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
URL.DataStringThe URL

Command example#

!url url="http://example.com/" using="CTIX v3 Beta_instance"

Context Example#

{
"CTIX": {
"ThreatDataLookup": {
"Found": {
"analyst_score": null,
"analyst_tlp": null,
"confidence_score": 100,
"confidence_type": "ctix",
"country": null,
"created": 1674166009,
"ctix_created": 1674166009,
"ctix_modified": 1674166009,
"first_seen": null,
"id": "dcada258-5fc2-4c42-b7d6-e8ffda6c5a9e",
"indicator_type": "url",
"ioc_type": "url",
"is_actioned": false,
"is_deprecated": false,
"is_false_positive": false,
"is_reviewed": false,
"is_revoked": false,
"is_watchlist": false,
"is_whitelisted": false,
"last_seen": null,
"modified": 1674166010,
"name": "http://example.com/",
"null": [],
"primary_attribute": null,
"published_collections": [
{
"id": "ad842594-8faa-49fb-841e-7ff99a685718",
"name": null
}
],
"risk_severity": "UNKNOWN",
"source_collections": [
{
"id": "5432c580-e1f9-40c3-b40a-a47686dfcf22",
"name": "Free Text"
}
],
"source_confidence": "HIGH",
"sources": [
{
"id": "7eb93036-688e-4916-ab1f-fe9015c16b78",
"name": "Import",
"source_type": "CUSTOM_STIX_SOURCES"
}
],
"sub_type": "value",
"subscriber_collections": [],
"subscribers": [],
"tags": [],
"tlp": "AMBER",
"type": "indicator",
"valid_from": 1674166009,
"valid_until": null
}
}
},
"DBotScore": {
"Indicator": "http://example.com/",
"Reliability": "C - Fairly reliable",
"Score": 3,
"Type": "url",
"Vendor": "CTIX v3 Beta"
},
"URL": {
"Data": "http://example.com/",
"Malicious": {
"Description": null,
"Vendor": "CTIX v3 Beta"
}
}
}

Human Readable Output#

Lookup Data#

confidence_scoreconfidence_typecreatedctix_createdctix_modifiedidindicator_typeioc_typeis_actionedis_deprecatedis_false_positiveis_reviewedis_revokedis_watchlistis_whitelistedmodifiednamepublished_collectionsrisk_severitysource_collectionssource_confidencesourcessub_typetlptypevalid_from
100ctix167416600916741660091674166009dcada258-5fc2-4c42-b7d6-e8ffda6c5a9eurlurlfalsefalsefalsefalsefalsefalsefalse1674166010http://example.com/{'id': 'ad842594-8faa-49fb-841e-7ff99a685718', 'name': None}UNKNOWN{'id': '5432c580-e1f9-40c3-b40a-a47686dfcf22', 'name': 'Free Text'}HIGH{'id': '7eb93036-688e-4916-ab1f-fe9015c16b78', 'name': 'Import', 'source_type': 'CUSTOM_STIX_SOURCES'}valueAMBERindicator1674166009

ctix-get-all-notes#


Get paginated list of Notes

Base Command#

ctix-get-all-notes

Input#

Argument NameDescriptionRequired
object_idif set, this will only retrieve Notes associated with the Threat Data object with ID=object_id.Optional
pagethe page number of the Notes to look up, default is the first page. Default is 1.Optional
page_sizesize of the result. Default is 10.Optional

Context Output#

PathTypeDescription
CTIX.Note.createdintegerThe timestamp when the Note was created
CTIX.Note.created_byunknownThe user who created the Note
CTIX.Note.created_by.emailstringThe email of the user who created the Note
CTIX.Note.created_by.first_namestringThe first name of the user who created the Note
CTIX.Note.created_by.idstringThe ID of the user who created the Note
CTIX.Note.created_by.last_namestringThe last name of the user who created the Note
CTIX.Note.idstringThe ID of the Note
CTIX.Note.is_jsonbooleanA flag indicating whether the Note is in JSON format
CTIX.Note.meta_dataunknownMeta data for the Note
CTIX.Note.meta_data.componentstringThe component for the Note
CTIX.Note.modifiedintegerThe timestamp when the Note was last modified
CTIX.Note.modified_byunknownThe user who last modified the Note
CTIX.Note.modified_by.emailstringThe email of the user who last modified the Note
CTIX.Note.modified_by.first_namestringThe first name of the user who last modified the Note
CTIX.Note.modified_by.idstringThe ID of the user who last modified the Note
CTIX.Note.modified_by.last_namestringThe last name of the user who last modified the Note
CTIX.Note.object_idstringThe object ID of the Note
CTIX.Note.textstringThe text of the Note
CTIX.Note.titlestringThe title of the Note
CTIX.Note.typestringThe type of the Note

Command example#

!ctix-get-all-notes page_size=1

Context Example#

{
"CTIX": {
"Note": {
"created": 1674173772,
"created_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"id": "f8f67182-bf72-47df-9a90-31b2bd829a9d",
"is_json": false,
"meta_data": {
"component": "threatdata",
"object_id": "ba82b524-15b3-4071-8008-e58754f8d134",
"type": "indicator"
},
"modified": 1674173772,
"modified_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"object_id": "ba82b524-15b3-4071-8008-e58754f8d134",
"text": "this is the old text",
"title": null,
"type": "threatdata"
}
}
}

Human Readable Output#

Note Data#

createdcreated_byidis_jsonmeta_datamodifiedmodified_byobject_idtexttype
1674173772email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
f8f67182-bf72-47df-9a90-31b2bd829a9dfalsecomponent: threatdata
object_id: ba82b524-15b3-4071-8008-e58754f8d134
type: indicator
1674173772email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
ba82b524-15b3-4071-8008-e58754f8d134this is the old textthreatdata

ctix-get-note-details#


Get details of a Note as specified by its ID

Base Command#

ctix-get-note-details

Input#

Argument NameDescriptionRequired
idthe id of the Note.Required

Context Output#

PathTypeDescription
CTIX.Note.createdintegerThe timestamp when the Note was created
CTIX.Note.created_byunknownThe user who created the Note
CTIX.Note.created_by.emailstringThe email of the user who created the Note
CTIX.Note.created_by.first_namestringThe first name of the user who created the Note
CTIX.Note.created_by.idstringThe ID of the user who created the Note
CTIX.Note.created_by.last_namestringThe last name of the user who created the Note
CTIX.Note.idstringThe ID of the Note
CTIX.Note.is_jsonbooleanA flag indicating whether the Note is in JSON format
CTIX.Note.meta_dataunknownMeta data for the Note
CTIX.Note.meta_data.componentstringThe component for the Note
CTIX.Note.modifiedintegerThe timestamp when the Note was last modified
CTIX.Note.modified_byunknownThe user who last modified the Note
CTIX.Note.modified_by.emailstringThe email of the user who last modified the Note
CTIX.Note.modified_by.first_namestringThe first name of the user who last modified the Note
CTIX.Note.modified_by.idstringThe ID of the user who last modified the Note
CTIX.Note.modified_by.last_namestringThe last name of the user who last modified the Note
CTIX.Note.object_idstringThe object ID of the Note
CTIX.Note.textstringThe text of the Note
CTIX.Note.titlestringThe title of the Note
CTIX.Note.typestringThe type of the Note

Command example#

!ctix-get-note-details id="7d739870-ce7d-415b-bbbf-25f4bbc6be66"

Context Example#

{
"CTIX": {
"Note": {
"created": 1671821868,
"created_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"id": "7d739870-ce7d-415b-bbbf-25f4bbc6be66",
"is_json": false,
"meta_data": {
"component": "threatdata",
"object_id": "fake",
"type": "indicator"
},
"modified": 1674173787,
"modified_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"object_id": "fake",
"text": "this is the new text",
"title": null,
"type": "threatdata"
}
}
}

Human Readable Output#

Note Detail Data#

createdcreated_byidis_jsonmeta_datamodifiedmodified_byobject_idtexttype
1671821868email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
7d739870-ce7d-415b-bbbf-25f4bbc6be66falsecomponent: threatdata
object_id: fake
type: indicator
1674173787email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
fakethis is the new textthreatdata

ctix-create-note#


Creates a new Note from the parameter 'text'

Base Command#

ctix-create-note

Input#

Argument NameDescriptionRequired
textthe text that you want the note to have.Required
object_idif set, will associate Note to the Threat Data object with the provided ID.Optional
object_typeonly required if object_id is set, used to specify the type of object object_id is. Possible values are: indicator, malware, threat-actor, vulnerability, attack-pattern, campaign, course-of-action, identity, infrastructure, intrusion-set, location, malware-analysis, observed-data, opinion, tool, report, custom-object, observable, incident, note.Optional

Context Output#

PathTypeDescription
CTIX.Note.createdintegerThe timestamp when the Note was created
CTIX.Note.created_byunknownThe user who created the Note
CTIX.Note.created_by.emailstringThe email of the user who created the Note
CTIX.Note.created_by.first_namestringThe first name of the user who created the Note
CTIX.Note.created_by.idstringThe ID of the user who created the Note
CTIX.Note.created_by.last_namestringThe last name of the user who created the Note
CTIX.Note.idstringThe ID of the Note
CTIX.Note.is_jsonbooleanA flag indicating whether the Note is in JSON format
CTIX.Note.meta_dataunknownMeta data for the Note
CTIX.Note.meta_data.componentstringThe component for the Note
CTIX.Note.modifiedintegerThe timestamp when the Note was last modified
CTIX.Note.modified_byunknownThe user who last modified the Note
CTIX.Note.modified_by.emailstringThe email of the user who last modified the Note
CTIX.Note.modified_by.first_namestringThe first name of the user who last modified the Note
CTIX.Note.modified_by.idstringThe ID of the user who last modified the Note
CTIX.Note.modified_by.last_namestringThe last name of the user who last modified the Note
CTIX.Note.object_idstringThe object ID of the Note
CTIX.Note.textstringThe text of the Note
CTIX.Note.titlestringThe title of the Note
CTIX.Note.typestringThe type of the Note

Command example#

!ctix-create-note text="hello world x100"

Context Example#

{
"CTIX": {
"Note": {
"created": 1674173831,
"created_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"id": "35ee1841-8357-43e0-b372-aff9800cdc55",
"is_json": false,
"meta_data": {
"component": "notes"
},
"modified": 1674173831,
"modified_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"object_id": null,
"text": "hello world x100",
"title": null,
"type": "notes"
}
}
}

Human Readable Output#

Created Note Data#

createdcreated_byidis_jsonmeta_datamodifiedmodified_bytexttype
1674173831email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
35ee1841-8357-43e0-b372-aff9800cdc55falsecomponent: notes1674173831email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
hello world x100notes

Command example#

!ctix-create-note text="hello world x100" object_id="da1a6268-e589-4231-a334-68fb0c2cc1e0" object_type=indicator

Context Example#

{
"CTIX": {
"Note": {
"created": 1674173838,
"created_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"id": "e5584583-6d45-4fe8-82b4-a802007c38f0",
"is_json": false,
"meta_data": {
"component": "threatdata",
"object_id": "da1a6268-e589-4231-a334-68fb0c2cc1e0",
"type": "indicator"
},
"modified": 1674173838,
"modified_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"object_id": "da1a6268-e589-4231-a334-68fb0c2cc1e0",
"text": "hello world x100",
"title": null,
"type": "threatdata"
}
}
}

Human Readable Output#

Created Note Data#

createdcreated_byidis_jsonmeta_datamodifiedmodified_byobject_idtexttype
1674173838email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
e5584583-6d45-4fe8-82b4-a802007c38f0falsecomponent: threatdata
object_id: da1a6268-e589-4231-a334-68fb0c2cc1e0
type: indicator
1674173838email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
da1a6268-e589-4231-a334-68fb0c2cc1e0hello world x100threatdata

ctix-update-note#


Updates the Note text from an existing Note, as specified by its ID

Base Command#

ctix-update-note

Input#

Argument NameDescriptionRequired
idthe id of the Note.Required
textthe updated text that you want the note to have.Optional
object_idif set, will associate Note to the Threat Data object with the provided ID.Optional
object_typeonly required if object_id is set, used to specify the type of object object_id is. Possible values are: indicator, malware, threat-actor, vulnerability, attack-pattern, campaign, course-of-action, identity, infrastructure, intrusion-set, location, malware-analysis, observed-data, opinion, tool, report, custom-object, observable, incident, note.Optional

Context Output#

PathTypeDescription
CTIX.Note.createdintegerThe timestamp when the Note was created
CTIX.Note.created_byunknownThe user who created the Note
CTIX.Note.created_by.emailstringThe email of the user who created the Note
CTIX.Note.created_by.first_namestringThe first name of the user who created the Note
CTIX.Note.created_by.idstringThe ID of the user who created the Note
CTIX.Note.created_by.last_namestringThe last name of the user who created the Note
CTIX.Note.idstringThe ID of the Note
CTIX.Note.is_jsonbooleanA flag indicating whether the Note is in JSON format
CTIX.Note.meta_dataunknownMeta data for the Note
CTIX.Note.meta_data.componentstringThe component for the Note
CTIX.Note.modifiedintegerThe timestamp when the Note was last modified
CTIX.Note.modified_byunknownThe user who last modified the Note
CTIX.Note.modified_by.emailstringThe email of the user who last modified the Note
CTIX.Note.modified_by.first_namestringThe first name of the user who last modified the Note
CTIX.Note.modified_by.idstringThe ID of the user who last modified the Note
CTIX.Note.modified_by.last_namestringThe last name of the user who last modified the Note
CTIX.Note.object_idstringThe object ID of the Note
CTIX.Note.textstringThe text of the Note
CTIX.Note.titlestringThe title of the Note
CTIX.Note.typestringThe type of the Note

Command example#

!ctix-update-note id="7d739870-ce7d-415b-bbbf-25f4bbc6be66" text="this is a test"

Context Example#

{
"CTIX": {
"Note": {
"created": 1671821868,
"created_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"id": "7d739870-ce7d-415b-bbbf-25f4bbc6be66",
"is_json": false,
"meta_data": {
"component": "threatdata",
"object_id": "fake",
"type": "indicator"
},
"modified": 1674173815,
"modified_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"object_id": "fake",
"text": "this is a test",
"title": null,
"type": "threatdata"
}
}
}

Human Readable Output#

Updated Note Data#

createdcreated_byidis_jsonmeta_datamodifiedmodified_byobject_idtexttype
1671821868email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
7d739870-ce7d-415b-bbbf-25f4bbc6be66falsecomponent: threatdata
object_id: fake
type: indicator
1674173815email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
fakethis is a testthreatdata

Command example#

!ctix-update-note id="7d739870-ce7d-415b-bbbf-25f4bbc6be66" object_id="da1a6268-e589-4231-a334-68fb0c2cc1e0" object_type=indicator

Context Example#

{
"CTIX": {
"Note": {
"created": 1671821868,
"created_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"id": "7d739870-ce7d-415b-bbbf-25f4bbc6be66",
"is_json": false,
"meta_data": {
"component": "threatdata",
"object_id": "fake",
"type": "indicator"
},
"modified": 1674173824,
"modified_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"object_id": "da1a6268-e589-4231-a334-68fb0c2cc1e0",
"text": "this is a test",
"title": null,
"type": "threatdata"
}
}
}

Human Readable Output#

Updated Note Data#

createdcreated_byidis_jsonmeta_datamodifiedmodified_byobject_idtexttype
1671821868email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
7d739870-ce7d-415b-bbbf-25f4bbc6be66falsecomponent: threatdata
object_id: fake
type: indicator
1674173824email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
da1a6268-e589-4231-a334-68fb0c2cc1e0this is a testthreatdata

ctix-delete-note#


Deletes an existing Note, as specified by its ID

Base Command#

ctix-delete-note

Input#

Argument NameDescriptionRequired
idthe id of the Note.Required

Context Output#

PathTypeDescription
CTIX.Note.deletion.detailsstringReturns "success" if the deletion request was successful, otherwise "failure"

Command example#

!ctix-delete-note id="7d739870-ce7d-415b-bbbf-25f4bbc6be66"

Context Example#

{
"CTIX": {
"Note": {
"details": "success"
}
}
}

Human Readable Output#

Deleted Note Data#

details
success

ctix-make-request#


allows you to make any HTTP request using CTIX endpoints

Base Command#

ctix-make-request

Input#

Argument NameDescriptionRequired
typethe HTTP method you would like to call. Possible values are: GET, POST, PUT, DELETE.Required
endpointURL suffix of the API call to CTIX.Required
bodyany data you would like to pass, in JSON format.Optional
paramsany parameters you would like to pass, in JSON format.Optional

Context Output#

There is no context output for this command.

Command example#

!ctix-make-request type=POST endpoint=ingestion/notes/ body="{\"text\": \"this is the old text\",\"type\": \"threatdata\",\"meta_data\": {\"component\": \"threatdata\",\"object_id\": \"ba82b524-15b3-4071-8008-e58754f8d134\",\"type\": \"indicator\"},\"object_id\": \"ba82b524-15b3-4071-8008-e58754f8d134\"}"

Context Example#

{
"CTIX": {
"Request": {
"POST": {
"ingestion/notes/": {
"created": 1674173772,
"created_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"id": "f8f67182-bf72-47df-9a90-31b2bd829a9d",
"is_json": false,
"meta_data": {
"component": "threatdata",
"object_id": "ba82b524-15b3-4071-8008-e58754f8d134",
"type": "indicator"
},
"modified": 1674173772,
"modified_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"object_id": "ba82b524-15b3-4071-8008-e58754f8d134",
"text": "this is the old text",
"title": null,
"type": "threatdata"
}
}
}
}
}

Human Readable Output#

HTTP Response Data#

createdcreated_byidis_jsonmeta_datamodifiedmodified_byobject_idtexttype
1674173772email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
f8f67182-bf72-47df-9a90-31b2bd829a9dfalsecomponent: threatdata
object_id: ba82b524-15b3-4071-8008-e58754f8d134
type: indicator
1674173772email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
ba82b524-15b3-4071-8008-e58754f8d134this is the old textthreatdata

Command example#

!ctix-make-request type=GET endpoint=ingestion/notes/ params="{\"page\": 1, \"page_size\": 1}"

Context Example#

{
"CTIX": {
"Request": {
"GET": {
"ingestion/notes/": {
"created": 1674173772,
"created_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"id": "f8f67182-bf72-47df-9a90-31b2bd829a9d",
"is_json": false,
"meta_data": {
"component": "threatdata",
"object_id": "ba82b524-15b3-4071-8008-e58754f8d134",
"type": "indicator"
},
"modified": 1674173772,
"modified_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"object_id": "ba82b524-15b3-4071-8008-e58754f8d134",
"text": "this is the old text",
"title": null,
"type": "threatdata"
}
}
}
}
}

Human Readable Output#

HTTP Response Data#

createdcreated_byidis_jsonmeta_datamodifiedmodified_byobject_idtexttype
1674173772email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
f8f67182-bf72-47df-9a90-31b2bd829a9dfalsecomponent: threatdata
object_id: ba82b524-15b3-4071-8008-e58754f8d134
type: indicator
1674173772email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
ba82b524-15b3-4071-8008-e58754f8d134this is the old textthreatdata

Command example#

!ctix-make-request type=PUT endpoint=ingestion/notes/7d739870-ce7d-415b-bbbf-25f4bbc6be66/ body="{\"text\": \"this is the new text\"}"

Context Example#

{
"CTIX": {
"Request": {
"PUT": {
"ingestion/notes/7d739870-ce7d-415b-bbbf-25f4bbc6be66/": {
"created": 1671821868,
"created_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"id": "7d739870-ce7d-415b-bbbf-25f4bbc6be66",
"is_json": false,
"meta_data": {
"component": "threatdata",
"object_id": "fake",
"type": "indicator"
},
"modified": 1674173787,
"modified_by": {
"email": "some.user@example.com",
"first_name": "some",
"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",
"last_name": "user"
},
"object_id": "fake",
"text": "this is the new text",
"title": null,
"type": "threatdata"
}
}
}
}
}

Human Readable Output#

HTTP Response Data#

createdcreated_byidis_jsonmeta_datamodifiedmodified_byobject_idtexttype
1671821868email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
7d739870-ce7d-415b-bbbf-25f4bbc6be66falsecomponent: threatdata
object_id: fake
type: indicator
1674173787email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user
fakethis is the new textthreatdata

Command example#

!ctix-make-request type=DELETE endpoint=ingestion/notes/1e2f348b-8168-4330-933b-24263ab9116a/

Context Example#

{
"CTIX": {
"Request": {
"DELETE": {
"ingestion/notes/1e2f348b-8168-4330-933b-24263ab9116a/": {
"details": "success"
}
}
}
}
}

Human Readable Output#

HTTP Response Data#

details
success

ctix-get-vulnerability-data#


Lookup vulnerability info

Base Command#

ctix-get-vulnerability-data

Input#

Argument NameDescriptionRequired
cveThe CVE identifier to look up information aboutRequired
extra_fieldsA comma separated list of extra fields to return in the responseOptional

Context Output#

PathTypeDescription
CTIX.VulnerabilityLookup.cpesstringCPEs
CTIX.VulnerabilityLookup.cvss2numberCVSS2
CTIX.VulnerabilityLookup.cvss3numberCVSS3
CTIX.VulnerabilityLookup.dbot_reputationintegerDbotReputation
CTIX.VulnerabilityLookup.descriptionstringDescription
CTIX.VulnerabilityLookup.last_modifiedstringLastModified
CTIX.VulnerabilityLookup.createdstringLastPublished
CTIX.VulnerabilityLookup.namestringName
CTIX.VulnerabilityLookup.uuidstringUUID
CTIX.VulnerabilityLookup.extra_datastringExtra data

Command example#

`!ctix-get-vulnerability-data cve=CVE-2023-30837

Human Readable Output#

HTTP Response Data#

cpescvss2cvss3dbot_reputationdescriptionextra_datalast_modifiedlast_publishedname
cpe:2.3🅰️vyper_project:vyper::::::::NoneNone3Remote exploitation of a design error vulnerability in Vyper_project Vyper could could allow an attacker to cause a Denial of Service (DoS) condition on the targeted host.

A design error vulnerability has been identified in Vyper. Specifically, this issue occurs due to storage allocator overflow.

Further details are not available at the time of this writing. ACTI will update this report as more details become available.
{}2023-05-08 05:48:582023-05-08 05:48:58CVE-2023-30837

cve#


Lookup vulnerability info

Base Command#

cve

Input#

Argument NameDescriptionRequired
cveThe CVE identifier to look up information aboutRequired
extra_fieldsA comma separated list of extra fields to return in the responseOptional

Context Output#

PathTypeDescription
CTIX.VulnerabilityLookup.cpesstringCPEs
CTIX.VulnerabilityLookup.cvss2numberCVSS2
CTIX.VulnerabilityLookup.cvss3numberCVSS3
CTIX.VulnerabilityLookup.dbot_reputationintegerDbotReputation
CTIX.VulnerabilityLookup.descriptionstringDescription
CTIX.VulnerabilityLookup.last_modifiedstringLastModified
CTIX.VulnerabilityLookup.createdstringLastPublished
CTIX.VulnerabilityLookup.namestringName
CTIX.VulnerabilityLookup.uuidstringUUID
CTIX.VulnerabilityLookup.extra_datastringExtra data
DBotScore.IndicatorstringThe indicator that was tested.
DBotScore.TypestringThe indicator type.
DBotScore.VendorstringThe vendor used to calculate the score.
DBotScore.ScorenumberThe actual score.

Command example#

`!cve cve=CVE-2023-30837

Human Readable Output#

HTTP Response Data#

cpescvss2cvss3dbot_reputationdescriptionextra_datalast_modifiedlast_publishedname
cpe:2.3🅰️vyper_project:vyper::::::::NoneNone3Remote exploitation of a design error vulnerability in Vyper_project Vyper could could allow an attacker to cause a Denial of Service (DoS) condition on the targeted host.

A design error vulnerability has been identified in Vyper. Specifically, this issue occurs due to storage allocator overflow.

Further details are not available at the time of this writing. ACTI will update this report as more details become available.
{}2023-05-08 05:48:582023-05-08 05:48:58CVE-2023-30837