# CTIX v3

This Integration is part of the CTIX Pack.

This integration connects Cortex XSOAR to the Threat Intelligence eXchange (CTIX) platform and enriches IP, domain, URL and file data. It was integrated and tested with CTIX version 3.0.0.

## Configure CTIX on Cortex XSOAR

1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
2. Search for CTIX.
3. Click **Add instance** to create and configure a new integration instance.

    | **Parameter** | **Description** | **Required** |
    | --- | --- | --- |
    | Endpoint URL | Endpoint URL of your CTIX instance. | True |
    | Access Key | Access Key generated in the CTIX application. | True |
    | Secret Key | Secret Key generated in the CTIX application. Treat it as a credential: store it in the instance configuration only, never in playbook inputs or context. | True |
    | Trust any certificate (not secure) | Skip TLS certificate verification. Leave unchecked unless you accept the interception risk. | False |
    | Use system proxy settings | Route requests through the system proxy. | False |
    | Fetch incidents | Pull CTIX data as incidents on a schedule. | False |
    | Incidents Fetch Interval | How often to fetch incidents. | False |
    | Incident type | Incident type assigned to fetched incidents. | False |

4. Click **Test** to validate the URL, the access/secret keys, and the connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### ctix-create-tag

Create a new tag in the CTIX platform.

#### Base Command

`ctix-create-tag`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| tag_name | Name of the new tag. | Required |
| color_code | Hex colour code of the new tag, e.g. #111111. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.Tag.name | string | Name of the tag. |
| CTIX.Tag.tag_type | string | Type of the tag (manual). Returned as `type` in the raw response. |
| CTIX.Tag.colour_code | string | Colour code of the tag. |
| CTIX.Tag.id | string | ID of the created tag. |
| CTIX.Tag.created | number | Created-at timestamp (Unix epoch seconds). |
| CTIX.Tag.modified | number | Modified-at timestamp (Unix epoch seconds). |

#### Command Example

`!ctix-create-tag tag_name=xsoar_test_trial color_code=#95A1B1`

#### Context Example

```json
{
    "colour_code": null,
    "created": 1652077948,
    "created_by": "40ab0f84-fb39-4444-95b2-cd155f574aa2",
    "id": "47662c77-b419-419c-9bcf-420e05b01067",
    "modified": 1652077948,
    "modified_by": "40ab0f84-fb39-4444-95b2-cd155f574aa2",
    "name": "xsoar_test_temp",
    "type": "manual"
}
```

### ctix-get-tags

Get a paginated list of tags.

#### Base Command

`ctix-get-tags`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page number for pagination. Default is 1. | Optional |
| page_size | Page size for pagination. Default is 10. | Optional |
| q | Search query parameter. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.Tag.name | string | Name of the tag. |
| CTIX.Tag.id | string | ID of the tag. |
| CTIX.Tag.colour_code | string | Hex colour code associated with the tag. |
| CTIX.Tag.tag_type | string | Type of the tag. Returned as `type` in the raw response. |
| CTIX.Tag.created | number | Created-at timestamp. |
| CTIX.Tag.modified | number | Modified-at timestamp. |

#### Command Example

`!ctix-get-tags`

#### Context Example

```json
{
    "next": "tags/?page=2&page_size=1&AccessID=sasfafs-asasvsfasf-vasvasf&Expires=1652078371&Signature=jndjaksbdakbsjdkabscbkjb",
    "page_size": 1,
    "previous": null,
    "results": [
        {
            "colour_code": null,
            "created": 1652077948,
            "created_by": {
                "email": "dummy.account@test.com",
                "first_name": "dummy",
                "id": "40ab0f84-fb39-4444-95b2-cd155f574aa2",
                "last_name": "account"
            },
            "id": "47662c77-b419-419c-9bcf-420e05b01067",
            "modified": 1652077948,
            "modified_by": {
                "email": "dummy.account@test.com",
                "first_name": "dummy",
                "id": "40ab0f84-fb39-4444-95b2-cd155f574aa2",
                "last_name": "account"
            },
            "name": "xsoar_test_temp",
            "type": "manual"
        }
    ],
    "total": 10
}
```

Note that the `next` link carries `AccessID`, `Expires` and `Signature` query parameters, i.e. it is a pre-signed request that stays valid until `Expires`. Do not write it to logs, War Room output or incident context as-is; keep only the `page` number, or strip those parameters, before storing it.
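The list commands on this page (`ctix-get-tags`, `ctix-get-allowed-iocs`, `ctix-get-threat-data`, `ctix-get-server-collections`, `ctix-saved-result-set`, ...) all return the same envelope: `next`, `previous`, `page_size`, `results`, `total`. The following is an added example, not code from the CTIX pack, of walking such responses page by page while redacting the signed `next` link before it is logged or stored. `fetch_page` is a hypothetical stand-in for whatever issues the request (in a playbook that would be the command call); the pages it serves are constructed sample data shaped like the context example above, and the credential parameter names are taken from that example.

```python
"""Paginate CTIX list responses and redact pre-signed `next` links.

Added example (not part of the CTIX pack). `fetch_page` is a hypothetical
callback that returns one page as a dict; SAMPLE_PAGES is constructed test
data shaped like the ctix-get-tags context example.
"""
from typing import Any, Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that turn a pagination link into a replayable credential
# (names as seen in the ctix-get-tags `next` value on this page).
SIGNED_PARAMS = {"accessid", "expires", "signature"}


def redact_next_link(url: str) -> str:
    """Drop credential-bearing query parameters so the link is safe to log."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SIGNED_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def next_page_number(url: str) -> Optional[int]:
    """Return the `page` number from a next-link, or None when there is none."""
    if not url:
        return None
    for key, value in parse_qsl(urlsplit(url).query):
        if key == "page" and value.isdigit():
            return int(value)
    return None


def iterate_results(fetch_page: Callable[[int, int], Dict[str, Any]],
                    page_size: int = 10,
                    max_pages: int = 100) -> Iterator[Dict[str, Any]]:
    """Yield every item in `results` across pages.

    Stops when `next` is null, when the link does not advance the page number
    (defends against a looping or malformed link), or after max_pages, so a
    misbehaving server cannot keep an automation spinning.
    """
    page = 1
    for _ in range(max_pages):
        body = fetch_page(page, page_size)
        yield from body.get("results", [])
        following = next_page_number(body.get("next") or "")
        if following is None or following <= page:
            return
        page = following


# Constructed sample data: two pages of tags, the first with a signed link.
SAMPLE_PAGES: Dict[int, Dict[str, Any]] = {
    1: {
        "next": "tags/?page=2&page_size=2&AccessID=AKEXAMPLE&Expires=1652078371&Signature=c2lnbg",
        "previous": None,
        "page_size": 2,
        "results": [
            {"id": "t-1", "name": "xsoar_test_temp", "type": "manual"},
            {"id": "t-2", "name": "phishing", "type": "manual"},
        ],
        "total": 3,
    },
    2: {
        "next": None,
        "previous": "tags/?page=1&page_size=2",
        "page_size": 2,
        "results": [{"id": "t-3", "name": "c2", "type": "manual"}],
        "total": 3,
    },
}


def sample_fetch(page: int, page_size: int) -> Dict[str, Any]:
    """Hypothetical fetcher serving the constructed pages above."""
    return SAMPLE_PAGES[page]


def collect_tag_names(fetch: Callable[[int, int], Dict[str, Any]] = sample_fetch) -> List[str]:
    """Collect every tag name across all pages."""
    return [item["name"] for item in iterate_results(fetch, page_size=2)]


if __name__ == "__main__":
    print(collect_tag_names())
    print(redact_next_link(SAMPLE_PAGES[1]["next"]))
```

Only the redacted form of the link (or just the page number) should ever reach `demisto.results`, `return_results` or a debug log; the raw value is a credential with the lifetime of its `Expires` field.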

### ctix-delete-tag

Delete the tag with the given tag_name.

#### Base Command

`ctix-delete-tag`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| tag_name | Name of the tag to delete. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.DeleteTag.result | string | Status of the delete request. |

#### Command Example

`!ctix-delete-tag tag_name=xsoar_test_trial`

#### Context Example

```json
{"result": "Action Successfully Executed"}
```

### ctix-allowed-iocs

Adds a list of IOCs, all of the same type, to the allowed list (allowlist). Allowed IOCs are excluded from further action, so validate the values before calling this command; a value that does not match `type` is reported under `invalid`.

#### Base Command

`ctix-allowed-iocs`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| type | Type of the IOCs. Possible values are: ipv4-addr, ipv6-addr, autonomous-system, email-addr, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SSDEEP, url, cidr, domain-name, mutex, windows-registry-key, user-agent. | Required |
| values | Comma-separated values of the given type. | Required |
| reason | Descriptive reason for allowing the IOCs. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.Details.invalid | unknown | IOCs in the request that were rejected as invalid. |
| CTIX.Details.new_created | unknown | IOCs newly added to the allowed list. |
| CTIX.Details.already_exists | unknown | IOCs that were already on the allowed list. |

#### Command Example

`!ctix-allowed-iocs reason=test type="ipv4-addr" values=x.x.x.x,x.x.xx.x`

#### Context Example

```json
{
    "details": {
        "already_exists": [
            "x.x.x.x",
            "x.x.xx.x"
        ],
        "invalid": [],
        "new_created": []
    }
}
```
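Because allowlisting is a trust decision, it is worth checking the `values` against the declared `type` before the command is run, and reading the three outcome buckets afterwards rather than treating any 200 response as success. The block below is an added example, not code from the CTIX pack: the type names are the ones listed for the `type` argument above, but the per-type checks are this example's own assumptions about well-formed values, not CTIX's documented validation rules, and the `details` dict it summarises is constructed from the context example.

```python
"""Pre-validate ctix-allowed-iocs inputs and summarise its `details` result.

Added example (not part of the CTIX pack). The format checks below are this
example's assumptions about well-formed values of each type; CTIX's own
validation may be stricter or looser.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Hex digest lengths for the hash types the `type` argument accepts.
HASH_LENGTHS = {"MD5": 32, "SHA-1": 40, "SHA-224": 56, "SHA-256": 64,
                "SHA-384": 96, "SHA-512": 128}

# RFC 1035-style labels: 1-63 chars, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


def _is_ip(value: str, version: int) -> bool:
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def _is_cidr(value: str) -> bool:
    """A real prefix: must carry a '/' and must not have host bits set."""
    try:
        ipaddress.ip_network(value, strict=True)
    except ValueError:
        return False
    return "/" in value


def value_matches_type(ioc_type: str, value: str) -> bool:
    """Return True when `value` is plausibly an IOC of `ioc_type`."""
    v = value.strip()
    if ioc_type == "ipv4-addr":
        return _is_ip(v, 4)
    if ioc_type == "ipv6-addr":
        return _is_ip(v, 6)
    if ioc_type == "cidr":
        return _is_cidr(v)
    if ioc_type in HASH_LENGTHS:
        return re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[ioc_type], v, re.I) is not None
    if ioc_type == "domain-name":
        return DOMAIN_RE.match(v) is not None
    if ioc_type == "url":
        return re.match(r"^[a-z][a-z0-9+.-]*://\S+$", v, re.I) is not None
    if ioc_type == "email-addr":
        return re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v) is not None
    if ioc_type == "autonomous-system":
        return re.fullmatch(r"(AS)?\d+", v, re.I) is not None
    # SSDEEP, mutex, windows-registry-key, user-agent: free-form, require non-empty.
    return bool(v)


def split_values(ioc_type: str, values: str) -> Tuple[List[str], List[str]]:
    """Split the comma-separated `values` argument into (accepted, rejected)."""
    accepted, rejected = [], []
    for raw in values.split(","):
        v = raw.strip()
        if not v:
            continue
        (accepted if value_matches_type(ioc_type, v) else rejected).append(v)
    return accepted, rejected


def summarise_details(response: Dict) -> Dict[str, int]:
    """Count the three outcome buckets CTIX reports for an allowlist request."""
    details = response.get("details", {})
    return {k: len(details.get(k, [])) for k in ("new_created", "already_exists", "invalid")}


if __name__ == "__main__":
    ok, bad = split_values("ipv4-addr", "10.0.0.1, 256.1.1.1,example.com")
    print("send:", ok, "reject locally:", bad)
    # Constructed response shaped like the context example above.
    print(summarise_details({"details": {"already_exists": ["x.x.x.x", "x.x.xx.x"],
                                         "invalid": [], "new_created": []}}))
```

Rejecting malformed values locally keeps a typo from silently landing in `invalid` while the rest of the batch is allowlisted, and a non-zero `invalid` count after the call is the signal to stop the playbook rather than proceed.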

### ctix-get-allowed-iocs

Get a paginated list of allowed IOCs.

#### Base Command

`ctix-get-allowed-iocs`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page number. Default is 1. | Optional |
| page_size | Page size. Default is 10. | Optional |
| q | Query parameter for searching. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.IOC.id | string | ID of the allowed-IOC object. |
| CTIX.IOC.include_emails | boolean | Whether email addresses associated with the allowed value are also allowed. |
| CTIX.IOC.include_sub_domains | boolean | Whether sub-domains of the allowed value are also allowed. Returned as `include_subdomains` in the raw response. |
| CTIX.IOC.include_urls | boolean | Whether URLs under the allowed value are also allowed. |
| CTIX.IOC.type | string | Type of the IOC. |
| CTIX.IOC.value | string | Value of the IOC. |
| CTIX.IOC.created | number | Created-at timestamp. |
| CTIX.IOC.modified | number | Modified-at timestamp. |

#### Command Example

`!ctix-get-allowed-iocs q=type=indicator`

#### Context Example

```json
{
    "next": "allowed/?page=2&page_size=1",
    "page_size": 1,
    "previous": null,
    "results": [
        {
            "created": 1652084983,
            "created_by": {
                "email": "dumy.account@example.com",
                "first_name": "dumy",
                "id": "40ab0f84-fb39-4444-95b2-cd155f574aa2",
                "last_name": "account"
            },
            "follow": true,
            "id": "2df4a0ad-b1dd-4a4c-bf71-dcdefce0dcf9",
            "include_emails": false,
            "include_subdomains": false,
            "include_urls": false,
            "modified": 1652097309,
            "modified_by": {
                "email": "dummt.acount@example.com",
                "first_name": "",
                "id": "4a5f744c-800a-4fcd-be06-53f4b1b8f966",
                "last_name": ""
            },
            "type": "ipv4-addr",
            "value": "x.x.x.x"
        }
    ],
    "total": 5
}
```

### ctix-remove-allowed-ioc

Removes allowed IOCs with the given IDs.

#### Base Command

`ctix-remove-allowed-ioc`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| ids | IDs of the allowed IOCs to remove. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| details | string | Operation result. |

#### Command Example

`!ctix-remove-allowed-ioc ids=7a33a7ac-ab54-412f-a725-f35c208a54ea`

#### Context Example

```json
{
    "details": "Action applied succesfully"
}
```

### ctix-get-threat-data

Query and list threat data.

#### Base Command

`ctix-get-threat-data`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| query | Query statement (CQL) for the threat data; refer to the CTIX documentation. | Required |
| page | Page number. Default is 1. | Optional |
| page_size | Page size. Default is 1. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.ThreatData.confidence_score | number | Confidence score of the IOC. |
| CTIX.ThreatData.confidence_type | string | Confidence type of the IOC. |
| CTIX.ThreatData.created | number | When the IOC was created at the source. |
| CTIX.ThreatData.ctix_created | number | When the IOC was created in CTIX. |
| CTIX.ThreatData.ctix_modified | number | When the IOC was modified in CTIX. |
| CTIX.ThreatData.id | string | ID of the IOC in CTIX. |
| CTIX.ThreatData.indicator_type | string | Type of the indicator. |
| CTIX.ThreatData.ioc_type | string | Type of the IOC. |
| CTIX.ThreatData.is_actioned | boolean | Whether an action has been taken on the IOC. |
| CTIX.ThreatData.is_deprecated | boolean | Whether the IOC is deprecated. |
| CTIX.ThreatData.is_false_positive | boolean | Whether the IOC is marked as a false positive. |
| CTIX.ThreatData.is_reviewed | boolean | Whether the IOC has been reviewed. |
| CTIX.ThreatData.is_revoked | boolean | Whether the IOC is revoked. |
| CTIX.ThreatData.is_watchlist | boolean | Whether the IOC is on the watchlist. |
| CTIX.ThreatData.is_whitelisted | boolean | Whether the IOC is on the allowed list. |
| CTIX.ThreatData.modified | number | When the indicator was modified. |
| CTIX.ThreatData.name | string | Name of the indicator. |
| CTIX.ThreatData.risk_severity | string | Risk severity of the indicator. |
| CTIX.ThreatData.source_collections | unknown | Source collections of the indicator. |
| CTIX.ThreatData.source_confidence | string | Source confidence of the indicator. |
| CTIX.ThreatData.sources | unknown | Sources of the indicator. |
| CTIX.ThreatData.sub_type | string | Sub-type of the IOC. |
| CTIX.ThreatData.tlp | string | TLP of the indicator. |
| CTIX.ThreatData.type | string | Type of the IOC. |
| CTIX.ThreatData.valid_from | number | Date from which the IOC is valid. |

Before a playbook acts on a result, check `is_whitelisted`, `is_false_positive`, `is_deprecated` and `is_revoked`: a match with any of these set should not drive a blocking action.

#### Command Example

`!ctix-get-threat-data query=type=indicator`

#### Context Example

```json
{
    "next": null,
    "page_size": 10,
    "previous": null,
    "results": [
        {
            "analyst_score": null,
            "analyst_tlp": null,
            "confidence_score": 50,
            "confidence_type": "ctix",
            "country": null,
            "created": 1652081902,
            "ctix_created": 1652081903,
            "ctix_modified": 1652081903,
            "first_seen": null,
            "id": "1ff2a18a-0574-4015-bbec-bc7692dccb14",
            "indicator_type": "domain-name",
            "ioc_type": "domain-name",
            "is_actioned": false,
            "is_deprecated": false,
            "is_false_positive": false,
            "is_reviewed": false,
            "is_revoked": false,
            "is_watchlist": false,
            "is_whitelisted": false,
            "last_seen": null,
            "modified": 1652081902,
            "name": "example.com",
            "null": [],
            "primary_attribute": null,
            "published_collections": [],
            "risk_severity": "UNKNOWN",
            "source_collections": [
                {
                    "id": "1981f5f6-49d4-4cad-97b7-8b2d276d2956",
                    "name": "dummy"
                }
            ],
            "source_confidence": "HIGH",
            "sources": [
                {
                    "id": "48e5966e-5d1b-4cf9-8e79-306aa8702a28",
                    "name": "dummy",
                    "source_type": "RSS_FEED"
                }
            ],
            "sub_type": "value",
            "subscriber_collections": [],
            "subscribers": [],
            "tags": [],
            "tlp": "AMBER",
            "type": "indicator",
            "valid_from": 1652081902,
            "valid_until": null
        }
    ],
    "total": 1
}
```

### ctix-get-saved-searches

List saved searches, with pagination.

#### Base Command

`ctix-get-saved-searches`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page number. | Optional |
| page_size | Page size. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.SavedSearch.id | string | ID of the saved search. |
| CTIX.SavedSearch.editable | boolean | Whether the saved search can be edited. |
| CTIX.SavedSearch.is_threat_data_search | boolean | Whether the saved search runs against threat data. |
| CTIX.SavedSearch.name | string | Name of the saved search. |
| CTIX.SavedSearch.order | number | Display order of the saved search. |
| CTIX.SavedSearch.pinned | boolean | Whether the saved search is pinned. |
| CTIX.SavedSearch.query | string | The saved query. |
| CTIX.SavedSearch.shared_type | string | Sharing scope of the saved search (e.g. global). |
| CTIX.SavedSearch.type | string | Query language of the saved search (e.g. cql). |
| CTIX.SavedSearch.meta_data | unknown | Metadata attached to the saved search. |

#### Command Example

`!ctix-get-saved-searches`

#### Context Example

```json
{
    "next": null,
    "page_size": 10,
    "previous": null,
    "results": [
        {
            "created_by": {
                "email": "system.default@example.com",
                "first_name": "System",
                "id": "e99b5f93-4ae8-4560-a848-a4fbae3f4f26",
                "last_name": "Default"
            },
            "description": null,
            "editable": false,
            "id": "d5b54bc7-3b3f-424b-b08d-5e8cf746e998",
            "is_threat_data_search": true,
            "meta_data": null,
            "name": "Indicator",
            "order": 0,
            "pinned": false,
            "query": "type =indicator",
            "shared_type": "global",
            "shared_users": [],
            "type": "cql"
        }
    ],
    "total": 1
}
```

### ctix-get-server-collections

List source collections, with pagination.

#### Base Command

`ctix-get-server-collections`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page number. | Optional |
| page_size | Page size. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.ServerCollection.name | string | Name of the collection. |
| CTIX.ServerCollection.id | string | ID of the collection. |
| CTIX.ServerCollection.inbox | boolean | Whether inbox is enabled. |
| CTIX.ServerCollection.is_active | boolean | Whether the collection is active. |
| CTIX.ServerCollection.is_editable | boolean | Whether the collection is editable. |
| CTIX.ServerCollection.polling | boolean | Whether polling is enabled. |
| CTIX.ServerCollection.type | string | Collection type (e.g. DATA_FEED). |
| CTIX.ServerCollection.description | string | Description of the collection. |
| CTIX.ServerCollection.created | number | Created-at timestamp. |

#### Command Example

`!ctix-get-server-collections`

#### Context Example

```json
{
    "next": "collection/?page=2&page_size=1",
    "previous": null,
    "page_size": 1,
    "total": 7,
    "results": [
        {
            "id": "83b5fd74-8ca0-4f28-a173-1d6863b2acb4",
            "name": "collection",
            "description": "with description",
            "is_active": true,
            "type": "DATA_FEED",
            "is_editable": true,
            "polling": false,
            "inbox": true,
            "created": 1652080268,
            "has_subscribed": null
        }
    ],
    "subscriber_name": ""
}
```

### ctix-get-actions

List actions taken through enrichment tools, with pagination.

#### Base Command

`ctix-get-actions`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page number. | Optional |
| page_size | Page size. | Optional |
| object_type | Filter by object type (e.g. indicator). | Optional |
| action_type | Filter by action type (e.g. manual). | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.Action.action_name | string | Name of the action. |
| CTIX.Action.action_type | unknown | Type of the action (e.g. manual). |
| CTIX.Action.actioned_on | number | Timestamp of when the action was taken. |
| CTIX.Action.app_name | string | Name of the app that performed the action. |
| CTIX.Action.app_type | string | Type of the app. |
| CTIX.Action.id | string | ID of the action. |
| CTIX.Action.object_type | string | Type of the object the action was applied to. |

#### Command Example

`!ctix-get-actions action_type=manual object_type=indicator`

#### Context Example

```json
{
    "next": "actions/?page=2&page_size=1&actions_type=manual&object_type=indicator",
    "page_size": 1,
    "previous": null,
    "results": [
        {
            "action_name": "Update Analyst Score",
            "action_type": "manual",
            "actioned_by": {
                "email": "dummy.email@test.com",
                "first_name": "test",
                "id": "40ab0f84-fb39-4444-95b2-cd155f574aa2",
                "last_name": "account"
            },
            "actioned_on": 1651646873,
            "app_name": "CTIX",
            "app_response": {},
            "app_type": "ctix",
            "id": "e8fe8d27-6329-4c0b-a3c0-be104be4de55",
            "object_id": "19176d96-716d-48aa-af15-dfeff22e72e2",
            "object_type": "indicator",
            "rule_id": null,
            "rule_name": null,
            "source_id": null,
            "tool": null
        }
    ],
    "total": 38459
}
```

### ctix-add-indicator-as-false-positive

Mark the given indicators as false positives (bulk).

#### Base Command

`ctix-add-indicator-as-false-positive`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| object_ids | Comma-separated list of indicator IDs. | Required |
| object_type | Type of the objects. Possible values are: attack-pattern, campaign, course-of-action, custom-object, grouping, identity, indicator, infrastructure, intrusion-set, location, malware, malware-analysis, observed-data, opinion, report, threat-actor, tool, note, vulnerability, artifact, directory, email-addr, user-account, email-message, file, ipv4-addr, ipv6-addr, mac-addr, autonomous-system, network-traffic, domain-name, process, software, windows-registry-key, mutex, url, observable, x509-certificate. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.IndicatorFalsePositive.message | unknown | Result of the indicator change. |

#### Command Example

`!ctix-add-indicator-as-false-positive object_ids=19176d96-716d-48aa-af15-dfeff22e72e2,531e47a6-d7cd-47be-ae21-a3260518d4a5 object_type=indicator`

#### Context Example

```json
{"message": "Action Successfully Executed"}
```

### ctix-ioc-manual-review

Add IOCs to manual review (bulk API).

#### Base Command

`ctix-ioc-manual-review`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| object_ids | Comma-separated IDs of the objects to add for manual review. | Required |
| object_type | Type of the objects. Possible values are: attack-pattern, campaign, course-of-action, custom-object, grouping, identity, indicator, infrastructure, intrusion-set, location, malware, malware-analysis, observed-data, opinion, report, threat-actor, tool, note, vulnerability, artifact, directory, email-addr, user-account, email-message, file, ipv4-addr, ipv6-addr, mac-addr, autonomous-system, network-traffic, domain-name, process, software, windows-registry-key, mutex, url, observable, x509-certificate. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.IOCManualReview.message | unknown | Result of the manual-review request. |

#### Command Example

`!ctix-ioc-manual-review object_ids=f3064a83-304e-4801-bec2-2f26a432bfd2,0aced40d-9a83-46cd-a92b-0c776c92594c object_type=indicator`

#### Context Example

```json
{
    "message": "Action Successfully Executed"
}
```

### ctix-deprecate-ioc

Deprecate IOCs (bulk API).

#### Base Command

`ctix-deprecate-ioc`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| object_ids | Comma-separated IDs of the objects to deprecate. | Required |
| object_type | Type of the objects (e.g. indicator). | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.DeprecateIOC | unknown | Result of the IOC deprecation request. |

#### Command Example

`!ctix-deprecate-ioc object_ids=f3064a83-304e-4801-bec2-2f26a432bfd2,0aced40d-9a83-46cd-a92b-0c776c92594c object_type=indicator`

#### Context Example

```json
{
    "message": "Action Successfully Executed"
}
```

### ctix-add-analyst-tlp

Set the analyst TLP on an object.

#### Base Command

`ctix-add-analyst-tlp`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| object_id | ID of the object. | Required |
| object_type | Type of the object (e.g. indicator). | Required |
| data | JSON object carrying the analyst TLP, e.g. `{"analyst_tlp":"GREEN"}`. Quote it as the CLI requires (see the example below). | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.AddAnalystTLP | unknown | Result of setting the analyst TLP. |

#### Command Example

`!ctix-add-analyst-tlp object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator data={\"analyst_tlp\":\"GREEN\"}`

#### Context Example

```json
{
    "message": "Action Successfully Executed"
}
```

### ctix-add-analyst-score

Set the analyst score on a threat data object.

#### Base Command

`ctix-add-analyst-score`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| object_id | ID of the object. | Required |
| object_type | Type of the object (e.g. indicator). | Required |
| data | JSON object carrying the analyst score, e.g. `{"analyst_score":10}`. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.AddAnalystScore | unknown | Result of setting the analyst score. |

#### Command Example

`!ctix-add-analyst-score data={"analyst_score":10} object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator`

#### Context Example

```json
{
    "message": "Action Successfully Executed"
}
```

### ctix-saved-result-set

Return the result set of a saved search, with pagination.

#### Base Command

`ctix-saved-result-set`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page number. Default is 1. | Optional |
| page_size | Page size. Default is 10. | Optional |
| label_name | Label name of the saved search. | Optional |
| query | CQL query. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.SavedResultSet.analyst_score | number | Analyst score of the IOC. |
| CTIX.SavedResultSet.analyst_tlp | string | Analyst TLP of the IOC. |
| CTIX.SavedResultSet.confidence_score | number | Confidence score of the IOC. |
| CTIX.SavedResultSet.confidence_type | string | Confidence type of the IOC. |
| CTIX.SavedResultSet.country | string | Country of origin of the IOC. |
| CTIX.SavedResultSet.created | number | IOC creation timestamp. |
| CTIX.SavedResultSet.ctix_created | number | Timestamp of creation in CTIX. |
| CTIX.SavedResultSet.ctix_modified | number | Timestamp of modification in CTIX. |
| CTIX.SavedResultSet.first_seen | date | Timestamp when the IOC was first seen. |
| CTIX.SavedResultSet.id | string | IOC ID. |
| CTIX.SavedResultSet.indicator_type | string | Type of the indicator. |
| CTIX.SavedResultSet.ioc_type | string | Type of the IOC. |
| CTIX.SavedResultSet.is_actioned | boolean | Whether any action has been taken on the indicator. |
| CTIX.SavedResultSet.is_deprecated | boolean | Whether the indicator is deprecated. |
| CTIX.SavedResultSet.is_false_positive | boolean | Whether the indicator is marked as a false positive. |
| CTIX.SavedResultSet.is_reviewed | boolean | Whether the indicator has been reviewed. |
| CTIX.SavedResultSet.is_revoked | boolean | Whether the indicator is revoked. |
| CTIX.SavedResultSet.is_watchlist | boolean | Whether the indicator is on the watchlist. |
| CTIX.SavedResultSet.is_whitelisted | boolean | Whether the indicator is on the allowed list. |
| CTIX.SavedResultSet.last_seen | date | Timestamp when the IOC was last seen. |
| CTIX.SavedResultSet.modified | number | Timestamp when the IOC was modified. |
| CTIX.SavedResultSet.name | string | Name of the indicator. |
| CTIX.SavedResultSet.null | unknown | Unnamed list returned by the API (always empty in the example). |
| CTIX.SavedResultSet.primary_attribute | string | Primary attribute of the IOC. |
| CTIX.SavedResultSet.published_collections | unknown | Published collections of the IOC. |
| CTIX.SavedResultSet.risk_severity | unknown | Risk severity of the IOC. |
| CTIX.SavedResultSet.source_collections | unknown | Source collections of the IOC. |
| CTIX.SavedResultSet.source_confidence | string | Source confidence of the IOC. |
| CTIX.SavedResultSet.sources | unknown | Sources of the IOC. |
| CTIX.SavedResultSet.sub_type | unknown | Sub-type of the IOC. |
| CTIX.SavedResultSet.subscriber_collections | unknown | Subscriber collections of the IOC. |
| CTIX.SavedResultSet.subscribers | unknown | Subscribers of the IOC. |
| CTIX.SavedResultSet.tags | unknown | Tags on the IOC. |
| CTIX.SavedResultSet.tlp | unknown | TLP of the IOC. |
| CTIX.SavedResultSet.type | unknown | Type of the IOC. |
| CTIX.SavedResultSet.valid_from | unknown | Timestamp from which the IOC is valid. |
| CTIX.SavedResultSet.valid_until | unknown | Timestamp until which the IOC is valid. |

#### Command Example

`!ctix-saved-result-set label_name=test query=type=indicator`

#### Context Example

```json
{
    "next": "threat-data/list/?page=2&page_size=1",
    "page_size": 1,
    "previous": null,
    "results": [
        {
            "analyst_score": null,
            "analyst_tlp": null,
            "confidence_score": null,
            "confidence_type": "ctix",
            "country": null,
            "created": 1652111918,
            "ctix_created": 1652111957,
            "ctix_modified": 1652111957,
            "first_seen": null,
            "id": "670afacb-2f72-42fe-84cc-b2022ba6a7ed",
            "indicator_type": null,
            "ioc_type": null,
            "is_actioned": false,
            "is_deprecated": false,
            "is_false_positive": false,
            "is_reviewed": false,
            "is_revoked": false,
            "is_watchlist": false,
            "is_whitelisted": false,
            "last_seen": null,
            "modified": 1652111949,
            "name": "Test12344",
            "null": [],
            "primary_attribute": null,
            "published_collections": [],
            "risk_severity": null,
            "source_collections": [
                {
                    "id": "32b98724-8625-4af2-ad83-43b4b5c50885",
                    "name": "Test12344"
                }
            ],
            "source_confidence": "NONE",
            "sources": [
                {
                    "id": "5968d895-424f-4271-a1d3-2b01041a17bb",
                    "name": "Test12344",
                    "source_type": "WEB_SCRAPPER"
                }
            ],
            "sub_type": null,
            "subscriber_collections": [],
            "subscribers": [],
            "tags": [],
            "tlp": "AMBER",
            "type": "report",
            "valid_from": null,
            "valid_until": null
        }
    ],
    "total": 353243
}
```

### ctix-add-tag-indicator

Add a tag to an indicator.

#### Base Command

`ctix-add-tag-indicator`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page number. Default is 1. | Optional |
| page_size | Number of results per page. Default is 10. | Optional |
| q | Query. | Optional |
| object_id | ID of the indicator. | Optional |
| object_type | Type of the object (e.g. indicator). | Optional |
| tag_id | ID of the tag to add. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.TagUpdation.message | unknown | Result of the add-tag request. |

#### Command Example

`!ctix-add-tag-indicator object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator tag_id=fb35000b-82e7-4440-8f18-8b63bba5b372`

#### Context Example

```json
{
    "message": "Action Successfully Executed"
}
```

### ctix-remove-tag-from-indicator

Remove a tag from an indicator.

#### Base Command

`ctix-remove-tag-from-indicator`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page number. Default is 1. | Optional |
| page_size | Number of results per page. Default is 10. | Optional |
| q | Query. | Optional |
| object_id | ID of the indicator. | Optional |
| object_type | Type of the object (e.g. indicator). | Optional |
| tag_id | ID of the tag to remove. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.TagUpdation.message | unknown | Result of the remove-tag request. |

#### Command Example

`!ctix-remove-tag-from-indicator object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator tag_id=fb35000b-82e7-4440-8f18-8b63bba5b372`

#### Context Example

```json
{
    "message": "Action Successfully Executed"
}
```

### ctix-search-for-tag

Search for tags by name.

#### Base Command

`ctix-search-for-tag`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page number. Default is 1. | Optional |
| page_size | Number of results per page. Default is 10. | Optional |
| q | Search query. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.SearchTag.colour_code | unknown | Colour code of the tag. |
| CTIX.SearchTag.created | number | Timestamp of when the tag was created. |
| CTIX.SearchTag.created_by | unknown | Details of the user who created the tag. |
| CTIX.SearchTag.id | string | ID of the tag. |
| CTIX.SearchTag.modified | number | Timestamp of when the tag was modified. |
| CTIX.SearchTag.modified_by | unknown | Details of the user who modified the tag. |
| CTIX.SearchTag.name | unknown | Name of the tag. |
| CTIX.SearchTag.type | unknown | Type of the tag. |

#### Command Example

`!ctix-search-for-tag q=xsoar_test_trial`

#### Context Example

```json
{
    "next": "tags/?page=2&page_size=1",
    "page_size": 1,
    "previous": null,
    "results": [
        {
            "colour_code": null,
            "created": 1652113918,
            "created_by": {
                "email": "dummy.account@example.com",
                "first_name": "dummy",
                "id": "40ab0f84-fb39-4444-95b2-cd155f574aa2",
                "last_name": "account"
            },
            "id": "68981db8-6deb-41f0-9727-74ad81cf47b2",
            "modified": 1652113918,
            "modified_by": {
                "email": "dummy.account@example.com",
                "first_name": "dummy",
                "id": "40ab0f84-fb39-4444-95b2-cd155f574aa2",
                "last_name": "account"
            },
            "name": "xsoar_test",
            "type": "manual"
        }
    ],
    "total": 39893
}
```

### ctix-get-indicator-details

Get the details of an indicator.

#### Base Command

`ctix-get-indicator-details`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page number. Default is 1. | Optional |
| page_size | Number of results per page. Default is 10. | Optional |
| object_id | ID of the indicator. | Optional |
| object_type | Type of the object (e.g. indicator). | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.IndicatorDetails.aliases | string | Aliases of the indicator, if any. |
| CTIX.IndicatorDetails.analyst_description | string | Analyst description, if provided. |
| CTIX.IndicatorDetails.analyst_score | number | Analyst score of the indicator. |
| CTIX.IndicatorDetails.analyst_tlp | string | Analyst-assigned TLP of the indicator. |
| CTIX.IndicatorDetails.asn | string | ASN of the indicator. |
| CTIX.IndicatorDetails.attribute_field | string | Attribute field of the indicator. |
| CTIX.IndicatorDetails.attribute_value | string | Attribute value of the indicator. |
| CTIX.IndicatorDetails.base_type | string | Base type of the indicator (e.g. sdo). |
| CTIX.IndicatorDetails.confidence_score | number | Confidence score of the IOC. |
| CTIX.IndicatorDetails.confidence_type | string | Confidence type of the IOC. |
| CTIX.IndicatorDetails.country | string | Country of origin of the IOC. |
| CTIX.IndicatorDetails.created | number | Timestamp of when the indicator was created. |
| CTIX.IndicatorDetails.ctix_created | number | Timestamp of when the indicator was created in CTIX. |
| CTIX.IndicatorDetails.ctix_modified | number | Timestamp of when the indicator was modified in CTIX. |
| CTIX.IndicatorDetails.ctix_score | number | CTIX score of the indicator. |
| CTIX.IndicatorDetails.ctix_tlp | string | CTIX-assigned TLP of the indicator. |
| CTIX.IndicatorDetails.defang_analyst_description | string | Defanged analyst description of the indicator. |
| CTIX.IndicatorDetails.description | string | Description of the indicator. |
| CTIX.IndicatorDetails.fang_analyst_description | string | Fanged analyst description of the indicator. |
| CTIX.IndicatorDetails.first_seen | number | Timestamp of when the indicator was first seen. |
| CTIX.IndicatorDetails.last_seen | number | Timestamp of when the indicator was last seen. |
| CTIX.IndicatorDetails.modified | number | Timestamp of when the indicator was modified. |
| CTIX.IndicatorDetails.name | string | Name of the indicator. |
| CTIX.IndicatorDetails.pattern | string | STIX pattern of the indicator. |
| CTIX.IndicatorDetails.pattern_type | string | Pattern type of the indicator. |
| CTIX.IndicatorDetails.pattern_version | string | STIX pattern version. |
| CTIX.IndicatorDetails.sources | unknown | Sources of the indicator. |
| CTIX.IndicatorDetails.sub_type | string | Sub-type of the indicator. |
| CTIX.IndicatorDetails.tld | string | TLD of the indicator. |
| CTIX.IndicatorDetails.tlp | string | TLP of the indicator. |
| CTIX.IndicatorDetails.type | string | Type of the indicator. |
| CTIX.IndicatorDetails.types | string | Indicator types (STIX indicator_types vocabulary). |
| CTIX.IndicatorDetails.valid_from | number | Timestamp from which the indicator is valid. |
| CTIX.IndicatorDetails.valid_until | unknown | Timestamp until which the indicator is valid. |

#### Command Example

`!ctix-get-indicator-details object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator`

#### Context Example

```json
{
    "aliases": null,
    "analyst_description": null,
    "analyst_score": null,
    "analyst_tlp": null,
    "asn": null,
    "attribute_field": "value",
    "attribute_value": "x.x.x.x",
    "base_type": "sdo",
    "confidence_score": 18,
    "confidence_type": "CTIX",
    "country": "Netherlands",
    "created": 1651648700,
    "ctix_created": 1651648700,
    "ctix_modified": 1652113922,
    "ctix_score": 18,
    "ctix_tlp": null,
    "defang_analyst_description": null,
    "description": null,
    "fang_analyst_description": null,
    "first_seen": null,
    "last_seen": null,
    "modified": 1651648700,
    "name": "x.x.x.x",
    "pattern": "[ipv4-addr:value = x.x.x.x]",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "sources": [
        {
            "id": "e941f6fb-387b-452c-b77d-b5b05c5e9df2",
            "name": "Dummy",
            "source_type": "API_FEEDS"
        }
    ],
    "sub_type": "ipv4-addr",
    "tld": "",
    "tlp": "WHITE",
    "type": "indicator",
    "types": ["anomalous-activity"],
    "valid_from": 1644335851,
    "valid_until": null
}
```

### ctix-get-indicator-tags

Get the tags attached to an indicator.

#### Base Command

`ctix-get-indicator-tags`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| object_id | ID of the indicator. | Optional |
| object_type | Type of the object (e.g. indicator). | Optional |
| page | Page number. Default is 1. | Optional |
| page_size | Page size. Default is 10. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.IndicatorTags.notes | unknown | Notes on the indicator. |
| CTIX.IndicatorTags.is_deprecated | boolean | Whether the indicator is deprecated. |
| CTIX.IndicatorTags.is_revoked | boolean | Whether the indicator is revoked. |
| CTIX.IndicatorTags.ctix_created | number | Timestamp of when the indicator was created in CTIX. |
| CTIX.IndicatorTags.is_false_positive | boolean | Whether the indicator is marked as a false positive. |
| CTIX.IndicatorTags.name | string | Name of the indicator. |
| CTIX.IndicatorTags.is_reviewed | boolean | Whether the indicator has been reviewed. |
| CTIX.IndicatorTags.is_whitelisted | boolean | Whether the indicator is on the allowed list. |
| CTIX.IndicatorTags.is_under_review | boolean | Whether the indicator is under review. |
| CTIX.IndicatorTags.is_watchlist | boolean | Whether the indicator is on the watchlist. |
| CTIX.IndicatorTags.tags | unknown | Tags of the indicator. |
| CTIX.IndicatorTags.sub_type | unknown | Sub-type of the indicator. |
| CTIX.IndicatorTags.type | unknown | Type of the indicator. |

#### Command Example

`!ctix-get-indicator-tags object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator`

#### Context Example

```json
{
    "notes": [],
    "is_deprecated": false,
    "is_revoked": false,
    "ctix_created": 1651648700,
    "is_false_positive": false,
    "name": "x.x.x.x",
    "is_reviewed": false,
    "is_whitelisted": false,
    "is_under_review": false,
    "is_watchlist": false,
    "tags": [
        {
            "colour_code": null,
            "id": "e2139fd5-fe05-48c5-8aaf-a5dfce900919",
            "name": "test crowd"
        },
        {
            "colour_code": null,
            "id": "fb22e904-ad74-4b6e-987e-46e81caec9ed",
            "name": "MaliciousConfidence/Low"
        }
    ],
    "sub_type": "ipv4-addr",
    "type": "indicator"
}
```

### ctix-get-indicator-relations

Get the relationships of an indicator.

#### Base Command

`ctix-get-indicator-relations`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page number. Default is 1. | Optional |
| page_size | Page size. Default is 10. | Optional |
| object_id | ID of the indicator. | Optional |
| object_type | Type of the object (e.g. indicator). | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CTIX.IndicatorRelations.relationship_type | unknown | Type of the relationship (e.g. related-to). |
| CTIX.IndicatorRelations.sources | unknown | Sources of the relationship. |
| CTIX.IndicatorRelations.target_ref | unknown | The related (target) object. |

#### Command Example

`!ctix-get-indicator-relations object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator`

#### Context Example

```json
{
    "next": null,
    "page_size": 10,
    "previous": null,
    "results": [
        {
            "relationship_type": "related-to",
            "sources": [
                {
                    "id": "48e5966e-5d1b-4cf9-8e79-306aa8702a28",
                    "name": "dummy",
                    "source_type": "RSS_FEED"
                }
            ],
            "target_ref": {
                "created": 1652081903,
                "id": "cb728d0e-3e31-4c3d-8f7d-09726a8bf7a8",
                "modified": 1652081903,
                "name": "Feed 6",
                "object_type": "report",
                "sub_type": null,
                "tlp": "AMBER"
            }
        }
    ],
    "total": 1
}
```

ctix-get-indicator-observations#


Get Indicator Observations

Base Command#

ctix-get-indicator-observations

Input#

Argument NameDescriptionRequired
pagepage.Optional
page_sizepage size.Optional
object_idobject id.Optional
object_typeobject type.Optional

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CTIX.IndicatorObservations.custom_attributes | unknown | Custom attributes, if any |
| CTIX.IndicatorObservations.ctix_modified | number | Timestamp when the indicator was modified in CTIX |
| CTIX.IndicatorObservations.created | number | Timestamp when the indicator was created |
| CTIX.IndicatorObservations.pattern_type | string | Pattern type of the indicator |
| CTIX.IndicatorObservations.modified | number | Timestamp when the indicator was modified |
| CTIX.IndicatorObservations.ctix_created | number | Timestamp when the indicator was created in CTIX |
| CTIX.IndicatorObservations.pattern_version | string | STIX pattern version of the indicator |
| CTIX.IndicatorObservations.confidence | string | Confidence level of the indicator |
| CTIX.IndicatorObservations.valid_from | number | Timestamp from which the indicator is valid |
| CTIX.IndicatorObservations.pattern | string | STIX pattern |
| CTIX.IndicatorObservations.fang_description | string | FANG description |
| CTIX.IndicatorObservations.defang_description | string | DEFANG description |
| CTIX.IndicatorObservations.spec_version | string | STIX spec version |
| CTIX.IndicatorObservations.tags | unknown | Tags attached to the indicator |
| CTIX.IndicatorObservations.received_id | string | STIX ID under which the indicator was received |
| CTIX.IndicatorObservations.types | unknown | STIX types attached to the indicator |
| CTIX.IndicatorObservations.source | unknown | STIX source of the indicator |
| CTIX.IndicatorObservations.id | string | ID of the indicator |
| CTIX.IndicatorObservations.valid_until | number | Timestamp until which the indicator is valid |
| CTIX.IndicatorObservations.sco_object_id | unknown | SCO object ID |
| CTIX.IndicatorObservations.unique_hash | unknown | Unique hash of the indicator |
| CTIX.IndicatorObservations.description | unknown | Description of the indicator |
| CTIX.IndicatorObservations.granular_markings | unknown | Granular markings, if any |
| CTIX.IndicatorObservations.collection | unknown | Collection details of the indicator |

Command Example#

!ctix-get-indicator-observations object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator

Context Example#

{
"result": {
"next": null,
"page_size": 10,
"previous": null,
"results": [
{
"custom_attributes": [],
"ctix_modified": 1651648700,
"created": 1644335851,
"pattern_type": "stix",
"modified": 1651648700,
"ctix_created": 1651648700,
"pattern_version": "2.1",
"confidence": "LOW",
"valid_from": 1644335851,
"pattern": "[ipv4-addr:value = 'x.x.x.x']",
"fang_description": null,
"defang_description": null,
"spec_version": "2.1",
"tags": [
{
"colour_code": null,
"id": "e2139fd5-fe05-48c5-8aaf-a5dfce900919",
"name": "test crowd"
},
{
"colour_code": null,
"id": "fb22e904-ad74-4b6e-987e-46e81caec9ed",
"name": "MaliciousConfidence/Low"
}
],
"received_id": "indicator--16a66ac2-3524-44a6-9b9d-5bec6bc80d91",
"types": [
"anomalous-activity"
],
"source": {
"id": "e941f6fb-387b-452c-b77d-b5b05c5e9df2",
"name": "Dummy",
"source_type": "API_FEEDS"
},
"id": "0a11d417-3501-4230-8454-c70e700cf1b8",
"valid_until": null,
"sco_object_id": "20067ec2-8ad1-470e-b0bb-3c4a72b15883",
"unique_hash": "babea09af794cc5ae1403302e9ec5c2d",
"description": "None",
"granular_markings": [],
"collection": {
"id": "3d7df0f3-8c88-43d2-8742-deee21eb6ee0",
"name": "test-crowd-ip"
}
}
],
"total": 1
}
}
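The `pattern` field above is a STIX 2.1 pattern, so the observable itself has to be pulled out of it before it can be matched against local telemetry. The following is an added example (not code from the CTIX pack) that extracts every type/property/value comparison from such a pattern and flattens each observation into one row with its source, confidence, tags and validity window; the regex and the sample context are assumptions modelled on the example output above.

```python
import re
from typing import Dict, List

# One STIX 2.1 comparison expression, e.g. ipv4-addr:value = 'x.x.x.x'.
# Hypothetical helper regex covering the simple comparisons CTIX emits, not
# the full STIX pattern grammar (no hashes.'SHA-256' style quoted properties).
_COMPARISON = re.compile(
    r"([a-z0-9-]+):([a-z0-9_.]+)\s*(=|!=|LIKE|MATCHES)\s*'((?:[^'\\]|\\.)*)'"
)


def parse_stix_pattern(pattern: str) -> List[Dict[str, str]]:
    """Return every type/property/operator/value comparison in a pattern."""
    return [
        {"type": t, "property": p, "operator": op, "value": v}
        for t, p, op, v in _COMPARISON.findall(pattern)
    ]


def summarize_observations(context: dict) -> List[dict]:
    """Flatten CTIX.IndicatorObservations results into one row per observable,
    keeping source, collection, confidence, tags and validity window
    (a null valid_until means the indicator has not expired)."""
    rows = []
    for obs in context.get("result", {}).get("results", []):
        for o in parse_stix_pattern(obs.get("pattern") or ""):
            rows.append({
                "observable_type": o["type"],
                "value": o["value"],
                "confidence": obs.get("confidence"),
                "source": (obs.get("source") or {}).get("name"),
                "collection": (obs.get("collection") or {}).get("name"),
                "tags": [t["name"] for t in obs.get("tags") or []],
                "valid_from": obs.get("valid_from"),
                "valid_until": obs.get("valid_until"),
            })
    return rows


# Constructed sample modelled on the context example above, trimmed to the
# fields the summary uses; the values are placeholders, not real observations.
SAMPLE_CONTEXT = {"result": {"total": 1, "results": [{
    "pattern": "[ipv4-addr:value = 'x.x.x.x']",
    "confidence": "LOW",
    "tags": [{"name": "test crowd"}, {"name": "MaliciousConfidence/Low"}],
    "source": {"name": "Dummy", "source_type": "API_FEEDS"},
    "collection": {"name": "test-crowd-ip"},
    "valid_from": 1644335851,
    "valid_until": None,
}]}}
```

The parser also handles compound patterns joined with OR, so a single observation that carries several observables yields several rows.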

ctix-get-conversion-feed-source#


Base Command#

ctix-get-conversion-feed-source

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page number. Default is 1. | Optional |
| page_size | Page size. Default is 10. | Optional |
| object_id | Object ID. | Optional |
| object_type | Object type. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CTIX.ConversionFeedSource.created | number | Indicator creation timestamp |
| CTIX.ConversionFeedSource.id | string | ID of the indicator |
| CTIX.ConversionFeedSource.name | string | Name of the indicator |
| CTIX.ConversionFeedSource.taxii_option | string | TAXII option |

Command Example#

!ctix-get-conversion-feed-source object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator

Context Example#

{
"result": {
"next": "feed-sources/?page=2&page_size=10&object_id=1ff2a18a-0574-4015-bbec-bc7692dccb14&object_type=indicator",
"page_size": 10,
"previous": null,
"results": [
{
"created": 1651841206,
"id": "9c82a682-254f-410d-a1c0-dc3514415f79",
"name": "dummy-threatmailbox",
"taxii_option": "2.1"
}
],
"total": 31
}
}

ctix-get-lookup-threat-data#


Lookup to get threat data

Base Command#

ctix-get-lookup-threat-data

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| object_type | Object type. | Optional |
| object_names | Comma-separated SDO values to look up. Example: to get the object IDs of the indicator 127.0.0.1, pass 127.0.0.1. | Optional |
| page_size | Size of the page. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CTIX.ThreatDataLookup.analyst_score | number | Analyst score of the indicator |
| CTIX.ThreatDataLookup.analyst_tlp | string | Analyst TLP of the indicator |
| CTIX.ThreatDataLookup.confidence_score | number | Confidence score of the indicator |
| CTIX.ThreatDataLookup.confidence_type | string | Confidence type of the indicator |
| CTIX.ThreatDataLookup.country | string | Indicator origin country |
| CTIX.ThreatDataLookup.created | number | Timestamp of when the indicator was created |
| CTIX.ThreatDataLookup.ctix_created | number | Timestamp of when the indicator was created in CTIX |
| CTIX.ThreatDataLookup.ctix_modified | number | Timestamp of when the indicator was modified in CTIX |
| CTIX.ThreatDataLookup.first_seen | number | Timestamp of when the indicator was first seen |
| CTIX.ThreatDataLookup.id | string | Indicator ID |
| CTIX.ThreatDataLookup.indicator_type | string | Indicator type |
| CTIX.ThreatDataLookup.ioc_type | string | IOC type |
| CTIX.ThreatDataLookup.is_actioned | boolean | Whether the indicator has been actioned |
| CTIX.ThreatDataLookup.is_deprecated | boolean | Whether the indicator is deprecated |
| CTIX.ThreatDataLookup.is_false_positive | boolean | Whether the indicator is marked as a false positive |
| CTIX.ThreatDataLookup.is_reviewed | boolean | Whether the indicator has been reviewed |
| CTIX.ThreatDataLookup.is_revoked | boolean | Whether the indicator is revoked |
| CTIX.ThreatDataLookup.is_watchlist | boolean | Whether the indicator is watchlisted |
| CTIX.ThreatDataLookup.is_whitelisted | boolean | Whether the indicator is whitelisted |
| CTIX.ThreatDataLookup.last_seen | number | Timestamp of when the indicator was last seen |
| CTIX.ThreatDataLookup.modified | number | Timestamp of when the indicator was modified |
| CTIX.ThreatDataLookup.name | string | Name of the indicator |
| CTIX.ThreatDataLookup.null | unknown | null |
| CTIX.ThreatDataLookup.primary_attribute | string | Primary attribute |
| CTIX.ThreatDataLookup.published_collections | unknown | Published collections |
| CTIX.ThreatDataLookup.risk_severity | string | Risk severity |
| CTIX.ThreatDataLookup.source_collections | unknown | Source collections |
| CTIX.ThreatDataLookup.source_confidence | string | Source confidence |
| CTIX.ThreatDataLookup.sources | unknown | Sources |
| CTIX.ThreatDataLookup.sub_type | string | Sub type |
| CTIX.ThreatDataLookup.subscriber_collections | unknown | Subscriber collections |
| CTIX.ThreatDataLookup.subscribers | unknown | Subscribers |
| CTIX.ThreatDataLookup.tags | unknown | Tags |
| CTIX.ThreatDataLookup.tlp | string | TLP |
| CTIX.ThreatDataLookup.type | string | Type |
| CTIX.ThreatDataLookup.valid_from | number | Timestamp from when the indicator is valid |
| CTIX.ThreatDataLookup.valid_until | number | Timestamp until when the indicator is valid |

Command Example#

!ctix-get-lookup-threat-data object_names=example.com, test.com object_type=indicator

Context Example#

{
"next": null,
"page_size": 10,
"previous": null,
"results": [
{
"analyst_score": null,
"analyst_tlp": null,
"confidence_score": 50,
"confidence_type": "ctix",
"country": null,
"created": 1652081902,
"ctix_created": 1652081903,
"ctix_modified": 1652081903,
"first_seen": null,
"id": "1ff2a18a-0574-4015-bbec-bc7692dccb14",
"indicator_type": "domain-name",
"ioc_type": "domain-name",
"is_actioned": false,
"is_deprecated": false,
"is_false_positive": false,
"is_reviewed": false,
"is_revoked": false,
"is_watchlist": false,
"is_whitelisted": false,
"last_seen": null,
"modified": 1652081902,
"name": "example.com",
"null": [],
"primary_attribute": null,
"published_collections": [],
"risk_severity": "UNKNOWN",
"source_collections": [
{
"id": "1981f5f6-49d4-4cad-97b7-8b2d276d2956",
"name": "dummy"
}
],
"source_confidence": "HIGH",
"sources": [
{
"id": "48e5966e-5d1b-4cf9-8e79-306aa8702a28",
"name": "dummy",
"source_type": "RSS_FEED"
}
],
"sub_type": "value",
"subscriber_collections": [],
"subscribers": [],
"tags": [],
"tlp": "AMBER",
"type": "indicator",
"valid_from": 1652081902,
"valid_until": null
}
],
"total": 1
}
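A lookup result carries several flags (`is_whitelisted`, `is_false_positive`, `is_revoked`, `is_deprecated`) and a validity window that an automation should honour before turning `risk_severity` into a verdict, otherwise a retired or analyst-cleared indicator keeps driving alerts. The following is an added example (not code from the CTIX pack) of that triage step; the severity-to-score mapping, the confidence threshold and the constructed sample are assumptions of this example, not values defined by CTIX.

```python
from datetime import datetime, timezone
from typing import List, Optional

# Flags that mean an entry must not drive a verdict: cleared by an analyst or retired.
SUPPRESSING_FLAGS = ("is_whitelisted", "is_false_positive", "is_revoked", "is_deprecated")

# Assumed mapping from CTIX risk_severity to a DBot-style score (0 unknown, 1 good,
# 2 suspicious, 3 bad) and the confidence threshold used for UNKNOWN severity.
SEVERITY_SCORE = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 3}
SUSPICIOUS_CONFIDENCE = 50


def is_within_validity(entry: dict, now_ts: int) -> bool:
    """True when now lies in [valid_from, valid_until]; a null valid_until never expires."""
    valid_from, valid_until = entry.get("valid_from"), entry.get("valid_until")
    if valid_from is not None and now_ts < valid_from:
        return False
    return valid_until is None or now_ts <= valid_until


def triage_lookup(lookup: dict, now_ts: Optional[int] = None) -> List[dict]:
    """Turn each CTIX.ThreatDataLookup result into a score plus the reason for it."""
    if now_ts is None:
        now_ts = int(datetime.now(timezone.utc).timestamp())
    verdicts = []
    for entry in lookup.get("results", []):
        suppressed = [flag for flag in SUPPRESSING_FLAGS if entry.get(flag)]
        severity = entry.get("risk_severity") or "UNKNOWN"
        confidence = entry.get("confidence_score") or 0
        if suppressed:
            score, reason = 0, "suppressed by " + ", ".join(suppressed)
        elif not is_within_validity(entry, now_ts):
            score, reason = 0, "outside validity window"
        else:
            score, reason = SEVERITY_SCORE.get(severity, 0), f"risk_severity {severity}"
            # UNKNOWN severity with a usable confidence score still merits a look.
            if score == 0 and confidence >= SUSPICIOUS_CONFIDENCE:
                score, reason = 2, f"{reason}, confidence_score {confidence}"
        verdicts.append({"name": entry.get("name"), "ioc_type": entry.get("ioc_type"),
                         "tlp": entry.get("tlp"), "score": score, "reason": reason})
    return verdicts


# Constructed sample: the example.com entry from the context example above, plus a
# second entry an analyst has whitelisted (placeholder values, not real data).
SAMPLE_LOOKUP = {"total": 2, "results": [
    {"name": "example.com", "ioc_type": "domain-name", "tlp": "AMBER", "risk_severity": "UNKNOWN",
     "confidence_score": 50, "is_whitelisted": False, "is_false_positive": False,
     "is_revoked": False, "is_deprecated": False, "valid_from": 1652081902, "valid_until": None},
    {"name": "test.com", "ioc_type": "domain-name", "tlp": "GREEN", "risk_severity": "HIGH",
     "confidence_score": 90, "is_whitelisted": True, "valid_from": 1652081902, "valid_until": None},
]}
```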