CTIX v3

This Integration is part of the CTIX Pack.

This is example Threat Intelligence eXhange(CTIX) integration which enriches IP/Domain/URL/File Data. This integration was integrated and tested with version 3.0.0 of CTIX

Configure CTIX on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.

2. Search for CTIX.

3. Click Add instance to create and configure a new integration instance.

   Parameter	Description	Required
   Endpoint URL	Enter the endpoint URL of your CTIX Instance.	True
   Access Key	Enter the Access Key from the CTIX application.	True
   Secret Key	Enter the Secret Key from the CTIX application.	True
   Trust any certificate (not secure)		False
   Use system proxy settings		False
   Fetch incidents		False
   Incidents Fetch Interval		False
   Incident type		False

4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ctix-create-tag

---

Create new tag in the ctix platform

Base Command

ctix-create-tag

Input

Argument Name	Description	Required
tag_name	New tag's name.	Required
color_code	New tag's hex colour code e.g #111111.	Required

Context Output

Path	Type	Description
CTIX.Tag.name	string	Name of the tag
CTIX.Tag.tag_type	string	Type of the tag (manual)
CTIX.Tag.colour_code	string	Colour Code of the tag
CTIX.Tag.id	string	Id of the Created Tag
CTIX.Tag.created	number	Created at timestamp
CTIX.Tag.modified	number	Modified at timestamp

Command Example

!ctix-create-tag tag_name=xsoar_test_trial color_code=#95A1B1

Context Example

{

"colour_code": null,

"created": 1652077948,

"created_by": "40ab0f84-fb39-4444-95b2-cd155f574aa2",

"id": "47662c77-b419-419c-9bcf-420e05b01067",

"modified": 1652077948,

"modified_by": "40ab0f84-fb39-4444-95b2-cd155f574aa2",

"name": "xsoar_test_temp",

"type": "manual"

}

ctix-get-tags

---

Get paginated list of tags

Base Command

ctix-get-tags

Input

Argument Name	Description	Required
page	Page number for pagination. Default is 1.	Optional
page_size	Page size for pagination. Default is 10.	Optional
q	search query parameter.	Optional

Context Output

Path	Type	Description
CTIX.Tag.name	string	Name of the tag
CTIX.Tag.id	string	ID of the tag
CTIX.Tag.colour_code	string	Hex colour code associated with tag
CTIX.Tag.tag_type	string	Type of the tag
CTIX.Tag.created	number	Created at timestamp
CTIX.Tag.modified	number	Modified at timestamp

Command Example

!ctix-get-tags

Context Example

{"next": "tags/?page=2&page_size=1&AccessID=sasfafs-asasvsfasf-vasvasf&Expires=1652078371&Signature=jndjaksbdakbsjdkabscbkjb",

"page_size": 1,

"previous": null,

"results": [{"colour_code": null,

"created": 1652077948,

"created_by": {"email": "dummy.account@test.com",

"first_name": "dummy",

"id": "40ab0f84-fb39-4444-95b2-cd155f574aa2",

"last_name": "account"},

"id": "47662c77-b419-419c-9bcf-420e05b01067",

"modified": 1652077948,

"modified_by": {"email": "dummy.account@test.com",

"first_name": "dummy",

"id": "40ab0f84-fb39-4444-95b2-cd155f574aa2",

"last_name": "account"},

"name": "xsoar_test_temp",

"type": "manual"}],

"total": 10}

ctix-delete-tag

---

Delete a tag with given tag_name

Base Command

ctix-delete-tag

Input

Argument Name	Description	Required
tag_name	Name of the tag.	Required

Context Output

Path	Type	Description
CTIX.DeleteTag.result	string	Status

Command Example

!ctix-delete-tag tag_name=xsoar_test_trial

Context Example

{"result": "Action Successfully Executed"}

ctix-allowed-iocs

---

Adds list of same type of iocs to allowed

Base Command

ctix-allowed-iocs

Input

Argument Name	Description	Required
type	Type of ioc. Possible values are: ipv4-addr, ipv6-addr, autonomous-system, email-addr, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SSDEEP, url, cidr, domain-name, mutex, windows-registry-key, user-agent.	Required
values	Values of the given type.	Required
reason	Descriptive reason.	Required

Context Output

Path	Type	Description
CTIX.Details.invalid	unknown	Invalid iocs sent in request
CTIX.Details.new_created	unknown	List of iocs added to whitelist
CTIX.Details.already_exists	unknown	List of iocs already existing

Command Example

!ctix-allowed-iocs reason=test type="ipv4-addr" values=x.x.x.x,x.x.x.x

Context Example

{

"details":{

"already_exists": [

"x.x.x.x",

"x.x.x.x"

],

"invalid": [],

"new_created": []

}

}

ctix-get-allowed-iocs

---

get paginated list of allowed iocs

Base Command

ctix-get-allowed-iocs

Input

Argument Name	Description	Required
page	Page number . Default is 1.	Optional
page_size	Page size. Default is 10.	Optional
q	query param for searching.	Optional

Context Output

Path	Type	Description
CTIX.IOC.id	string	ID of the object
CTIX.IOC.include_emails	boolean	If enabled then the emails to the corresponding emails will be whitelisted
CTIX.IOC.include_sub_domains	boolean	If enabled then the emails to the corresponding sub domains will be whitelisted
CTIX.IOC.include_urls	boolean	If enabled then the emails to the corresponding urls will be whitelisted
CTIX.IOC.type	string	Type of the ioc
CTIX.IOC.value	string	Value of the ioc
CTIX.IOC.created	number	Created at timestamp
CTIX.IOC.modified	number	Modified at timestamp

Command Example

!ctix-get-allowed-iocs q=type=indicator

Context Example

{"next": "allowed/?page=2&page_size=1", "page_size": 1, "previous": null,

"results": [{"created": 1652084983, "created_by": {"email":

"dumy.account@example.com", "first_name": "dumy", "id":

"40ab0f84-fb39-4444-95b2-cd155f574aa2", "last_name": "account"}, "follow":

true, "id": "2df4a0ad-b1dd-4a4c-bf71-dcdefce0dcf9", "include_emails": false,

"include_subdomains": false, "include_urls": false, "modified": 1652097309,

"modified_by": {"email": "dummt.acount@example.com", "first_name": "", "id":

"4a5f744c-800a-4fcd-be06-53f4b1b8f966", "last_name": ""}, "type":

"ipv4-addr", "value": "x.x.x.x"}], "total": 5}

ctix-remove-allowed-ioc

---

Removes a alloweded ioc with given id

Base Command

ctix-remove-allowed-ioc

Input

Argument Name	Description	Required
ids	allowed IOC ids.	Required

Context Output

Path	Type	Description
details	string	Operation result

Command Example

!ctix-remove-allowed-ioc ids=7a33a7ac-ab54-412f-a725-f35c208a54ea

Context Example

{

"details": "Action applied succesfully"

}

ctix-get-threat-data

---

Command for querying and listing threat data

Base Command

ctix-get-threat-data

Input

Argument Name	Description	Required
query	Query statement for the thread data, please refer to the documentation.	Required
page	page. Default is 1.	Optional
page_size	size of page. Default is 1.	Optional

Context Output

Path	Type	Description
CTIX.ThreatData.confidence_score	number	Confidence Score of the IOC
CTIX.ThreatData.confidence_type	string	Confidence Type of the IOC
CTIX.ThreatData.created	number	When the IOC was created in source
CTIX.ThreatData.ctix_created	number	When the IOC was created in CTIX
CTIX.ThreatData.ctix_modified	number	When the IOC was modified in CTIX
CTIX.ThreatData.id	string	ID of the IOC in CTIX
CTIX.ThreatData.indicator_type	string	Type of the Indicator
CTIX.ThreatData.ioc_type	string	Type of IOC
CTIX.ThreatData.is_actioned	boolean	Is Actioned
CTIX.ThreatData.is_deprecated	boolean	Is Deprecated
CTIX.ThreatData.is_false_positive	boolean	Is False Positive
CTIX.ThreatData.is_reviewed	boolean	Is reviewed
CTIX.ThreatData.is_revoked	boolean	Is revoked
CTIX.ThreatData.is_watchlist	boolean	Is Watchlist
CTIX.ThreatData.is_whitelisted	boolean	Is alloweded
CTIX.ThreatData.modified	boolean	When the indicator modified
CTIX.ThreatData.name	boolean	Name of the indicator
CTIX.ThreatData.risk_severity	boolean	risk severity of the indicator
CTIX.ThreatData.source_collections	unknown	Source Collections of the Indicator
CTIX.ThreatData.source_confidence	string	Source Confidence of the indicator
CTIX.ThreatData.sources	unknown	sources of the indicator
CTIX.ThreatData.sub_type	string	Sub Type of the IOC
CTIX.ThreatData.tlp	string	TLP of the indicator
CTIX.ThreatData.type	string	Type of the IOC
CTIX.ThreatData.valid_from	number	Date from which IOC is valid

Command Example

!ctix-get-threat-data query=type=indicator

Context Example

{

"next": null,

"page_size": 10,

"previous": null,

"results": [

{"analyst_score": null,

"analyst_tlp": null,

"confidence_score": 50,

"confidence_type": "ctix",

"country": null,

"created": 1652081902,

"ctix_created": 1652081903,

"ctix_modified": 1652081903,

"first_seen": null,

"id": "1ff2a18a-0574-4015-bbec-bc7692dccb14",

"indicator_type": "domain-name",

"ioc_type": "domain-name",

"is_actioned": false,

"is_deprecated": false,

"is_false_positive": false,

"is_reviewed": false,

"is_revoked": false,

"is_watchlist": false,

"is_whitelisted": false,

"last_seen": null,

"modified": 1652081902,

"name": "example.com",

"null": [],

"primary_attribute": null,

"published_collections": [],

"risk_severity": "UNKNOWN",

"source_collections": [{"id": "1981f5f6-49d4-4cad-97b7-8b2d276d2956",

"name": "dummy"}],

"source_confidence": "HIGH",

"sources": [{"id": "48e5966e-5d1b-4cf9-8e79-306aa8702a28",

"name": "dummy",

"source_type": "RSS_FEED"}],

"sub_type": "value",

"subscriber_collections": [],

"subscribers": [],

"tags": [],

"tlp": "AMBER",

"type": "indicator",

"valid_from": 1652081902,

"valid_until": null}],

"total": 1}

ctix-get-saved-searches

---

Saved Search listing api with pagination

Base Command

ctix-get-saved-searches

Input

Argument Name	Description	Required
page	page. Default is 1.	Optional
page_size	page size. Default is 5.	Optional

Context Output

Path	Type	Description
CTIX.SavedSearch.id	string	ID of the object
CTIX.SavedSearch.editable	boolean
CTIX.SavedSearch.is_threat_data_search	boolean
CTIX.SavedSearch.name	string
CTIX.SavedSearch.order	number
CTIX.SavedSearch.pinned	boolean
CTIX.SavedSearch.query	string
CTIX.SavedSearch.shared_type	string
CTIX.SavedSearch.type	string
CTIX.SavedSearch.meta_data	unknown

Command Example

!ctix-get-saved-searches

Context Example

{

"next": null,

"page_size": 10,

"previous": null,

"results": [

{

"created_by": {

"email": "system.default@example.com",

"first_name": "System",

"id": "e99b5f93-4ae8-4560-a848-a4fbae3f4f26",

"last_name": "Default"

},

"description": null,

"editable": false,

"id": "d5b54bc7-3b3f-424b-b08d-5e8cf746e998",

"is_threat_data_search": true,

"meta_data": null,

"name": "Indicator",

"order": 0,

"pinned": false,

"query": "type =indicator",

"shared_type": "global",

"shared_users": [

],

"type": "cql"

}

],

"total": 1

}

ctix-get-server-collections

---

Source Collection listing api with pagination

Base Command

ctix-get-server-collections

Input

Argument Name	Description	Required
page	page. Default is 1.	Optional
page_size	page size. Default is 15.	Optional

Context Output

Path	Type	Description
CTIX.ServerCollection.name	string	Name of the server
CTIX.ServerCollection.id	string	ID of the object
CTIX.ServerCollection.inbox	boolean	Inbox is enabled or not
CTIX.ServerCollection.is_active	boolean	Object if active or not
CTIX.ServerCollection.is_editable	boolean	Object if editable or not
CTIX.ServerCollection.polling	boolean	Object polling is enabled or not
CTIX.ServerCollection.type	string	Object type
CTIX.ServerCollection.description	string	description of the object
CTIX.ServerCollection.created	number	Created timestamp

Command Example

!ctix-get-server-collections

Context Example

{"next": "collection/?page=2&page_size=1", "previous": null, "page_size": 1,

"total": 7, "results": [{"id": "83b5fd74-8ca0-4f28-a173-1d6863b2acb4",

"name": "collection", "description": "with description", "is_active": true,

"type": "DATA_FEED", "is_editable": true, "polling": false, "inbox": true,

"created": 1652080268, "has_subscribed": null}], "subscriber_name": ""}

ctix-get-actions

---

Enrichment tools listing API

Base Command

ctix-get-actions

Input

Argument Name	Description	Required
page	page. Default is 1.	Optional
page_size	page size. Default is 15.	Optional
object_type	object type.	Optional
action_type	action type.	Optional

Context Output

Path	Type	Description
CTIX.Action.action_name	string	Name of the Action
CTIX.Action.action_type	unknown	Description of the action
CTIX.Action.actioned_on	number	Timestamp of when the action was taken
CTIX.Action.app_name	string	Name of the app for the action
CTIX.app_type	string	Type of the app
CTIX.Action.id	string	ID of the action
CTIX.Action.object_type	string	Type of the action

Command Example

!ctix-get-actions action_type=manual object_type=indicator

Context Example

{

"next": "actions/?page=2&page_size=1&actions_type=manual&object_type=indicator",

"page_size": 1,

"previous": null,

"results": [

{

"action_name": "Update Analyst Score",

"action_type": "manual",

"actioned_by": {

"email": "dummy.email@test.com",

"first_name": "test",

"id":"40ab0f84-fb39-4444-95b2-cd155f574aa2",

"last_name": "account"

},

"actioned_on": 1651646873,

"app_name": "CTIX",

"app_response": {

},

"app_type": "ctix",

"id": "e8fe8d27-6329-4c0b-a3c0-be104be4de55",

"object_id": "19176d96-716d-48aa-af15-dfeff22e72e2",

"object_type": "indicator",

"rule_id": null,

"rule_name": null,

"source_id": null,

"tool": null

}

],

"total": 38459

}

ctix-add-indicator-as-false-positive

---

Base Command

ctix-add-indicator-as-false-positive

Input

Argument Name	Description	Required
object_ids	, seperated list of indicator ids.	Required
object_type	Type of object. Possible values are: attack-pattern, campaign, course-of-action, custom-object, grouping, identity, indicator, infrastructure, intrusion-set, location, malware, malware-analysis, observed-data, opinion, report, threat-actor, tool, note, vulnerability, artifact, directory, email-addr, user-account, email-message, file, ipv4-addr, ipv6-addr, mac-addr, autonomous-system, network-traffic, domain-name, process, software, windows-registry-key, mutex, url, observable, x509-certificate.	Required

Context Output

Path	Type	Description
CTIX.IndicatorFalsePositive.message	unknown	Indicator change result

Command Example

!ctix-add-indicator-as-false-positive object_ids=19176d96-716d-48aa-af15-dfeff22e72e2,531e47a6-d7cd-47be-ae21-a3260518d4a5 object_type=indicator

Context Example

{"message":"Action Successfully Executed"}

ctix-ioc-manual-review

---

Adds ioc to manual review bulk api

Base Command

ctix-ioc-manual-review

Input

Argument Name	Description	Required
object_ids	Object ids of the items to be added for manual review.	Required
object_type	object type. Possible values are: attack-pattern, campaign, course-of-action, custom-object, grouping, identity, indicator, infrastructure, intrusion-set, location, malware, malware-analysis, observed-data, opinion, report, threat-actor, tool, note, vulnerability, artifact, directory, email-addr, user-account, email-message, file, ipv4-addr, ipv6-addr, mac-addr, autonomous-system, network-traffic, domain-name, process, software, windows-registry-key, mutex, url, observable, x509-certificate.	Required

Context Output

Path	Type	Description
CTIX.IOCManualReview.message	unknown	IOC Manual Review result

Command Example

!ctix-ioc-manual-review object_ids=f3064a83-304e-4801-bec2-2f26a432bfd2,0aced40d-9a83-46cd-a92b-0c776c92594c object_type=indicator

Context Example

{

"message": "Action Successfully Executed"

}

ctix-deprecate-ioc

---

Deprecate ioc bulk api

Base Command

ctix-deprecate-ioc

Input

Argument Name	Description	Required
object_ids	Object ids .	Required
object_type	object type.	Required

Context Output

Path	Type	Description
CTIX.DeprecateIOC	unknown	Result of the IOC deprecation request

Command Example

!ctix-deprecate-ioc object_ids=f3064a83-304e-4801-bec2-2f26a432bfd2,0aced40d-9a83-46cd-a92b-0c776c92594c object_type=indicator

Context Example

{

"message": "Action Successfully Executed"

}

ctix-add-analyst-tlp

---

Add Analyst TLP

Base Command

ctix-add-analyst-tlp

Input

Argument Name	Description	Required
object_id	object id.	Required
object_type	object type.	Required
data	data.	Required

Context Output

Path	Type	Description
CTIX.AddAnalystTLP	unknown	Result of the addition of analyst TLP

Command Example

!ctix-add-analyst-tlp object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator data={\"analyst_tlp\":\"GREEN\"}

Context Example

{

"message": "Action Successfully Executed"

}

ctix-add-analyst-score

---

Add Analyst Score for a Threat data

Base Command

ctix-add-analyst-score

Input

Argument Name	Description	Required
object_id	object id.	Required
object_type	object type.	Required
data	data.	Required

Context Output

Path	Type	Description
CTIX.AddAnalystScore	unknown	Result of adding analyst score to threat data

Command Example

!ctix-add-analyst-score data={"analyst_score":10} object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator

Context Example

{

"message": "Action Successfully Executed"

}

ctix-saved-result-set

---

Saved Result Set

Base Command

ctix-saved-result-set

Input

Argument Name	Description	Required
page	page. Default is 1.	Optional
page_size	page size. Default is 10.	Optional
label_name	label name.	Optional
query	CQL.	Optional

Context Output

Path	Type	Description
CTIX.SavedResultSet.analyst_score	number	Analyst score of the IOC
CTIX.SavedResultSet.analyst_tlp	string	Analyst TLP of the IOC
CTIX.SavedResultSet.confidence_score	number	Confidence score of the IOC
CTIX.SavedResultSet.confidence_type	string	Confidence type of the IOC
CTIX.SavedResultSet.country	string	Country of origin for the IOC
CTIX.SavedResultSet.created	number	IOC creation date
CTIX.SavedResultSet.ctix_created	number	IOC date of creation in CTIX
CTIX.SavedResultSet.ctix_modified	number	IOC date of modification in CTIX
CTIX.SavedResultSet.first_seen	date	IOC timestamp when it was first seen
CTIX.SavedResultSet.id	number	IOC ID
CTIX.SavedResultSet.indicator_type	string	Type of the indicator
CTIX.SavedResultSet.ioc_type	string	Type of the IOC
CTIX.SavedResultSet.is_actioned	boolean	If there is any action taken on the indicator
CTIX.SavedResultSet.is_deprecated	boolean	If the indicator is deprecated or not
CTIX.SavedResultSet.is_false_positive	boolean	Value of the indicator is false positive or not
CTIX.SavedResultSet.is_reviewed	boolean	Whether the indicator reviewed or not
CTIX.SavedResultSet.is_revoked	boolean	Whether the indicator is revoked or not
CTIX.SavedResultSet.is_watchlist	boolean	Whether the indicator is under watchlist or not
CTIX.SavedResultSet.is_whitelisted	boolean	Whether the indicator is whitelisted or not
CTIX.SavedResultSet.last_seen	date	Timestamp of the when the IOC was last seen
CTIX.SavedResultSet.modified	date	Timestamp of the when the IOC was modified
CTIX.SavedResultSet.name	string	Name of the indicator
CTIX.SavedResultSet.null	unknown	null
CTIX.SavedResultSet.primary_attribute	string	Primary attribute of the IOC
CTIX.SavedResultSet.published_collections	unknown	Published collections of the IOC
CTIX.SavedResultSet.risk_severity	unknown	Risk severity of the IOC
CTIX.SavedResultSet.source_collections	unknown	Source collections of the IOC
CTIX.SavedResultSet.name	string	Name of the IOC
CTIX.SavedResultSet.sources	unknown	Sources of the IOC
CTIX.SavedResultSet.sub_type	unknown	Sub type of the IOC
CTIX.SavedResultSet.subscriber_collections	unknown	Subscription collections of the IOC
CTIX.SavedResultSet.subscribers	unknown	Subscribers of the IOC
CTIX.SavedResultSet.tags	unknown	Tags on the IOC
CTIX.SavedResultSet.tlp	unknown	TLP of the IOC
CTIX.SavedResultSet.type	unknown	Type of the IOC
CTIX.SavedResultSet.valid_from	unknown	Timestamp from when the IOC is valid
CTIX.SavedResultSet.valid_until	unknown	Timestamp till then the IOC is valid

Command Example

!ctix-saved-result-set label_name=test query=type=indicator

Context Example

{"next": "threat-data/list/?page=2&page_size=1", "page_size": 1, "previous":

null, "results": [{"analyst_score": null, "analyst_tlp": null,

"confidence_score": null, "confidence_type": "ctix", "country": null,

"created": 1652111918, "ctix_created": 1652111957, "ctix_modified":

1652111957, "first_seen": null, "id":

"670afacb-2f72-42fe-84cc-b2022ba6a7ed", "indicator_type": null, "ioc_type":

null, "is_actioned": false, "is_deprecated": false, "is_false_positive":

false, "is_reviewed": false, "is_revoked": false, "is_watchlist": false,

"is_whitelisted": false, "last_seen": null, "modified": 1652111949, "name":

"Test12344", "null": [], "primary_attribute": null, "published_collections":

[], "risk_severity": null, "source_collections": [{"id":

"32b98724-8625-4af2-ad83-43b4b5c50885", "name": "Test12344"}],

"source_confidence": "NONE", "sources": [{"id":

"5968d895-424f-4271-a1d3-2b01041a17bb", "name": "Test12344", "source_type":

"WEB_SCRAPPER"}], "sub_type": null, "subscriber_collections": [],

"subscribers": [], "tags": [], "tlp": "AMBER", "type": "report",

"valid_from": null, "valid_until": null}], "total": 353243}

ctix-add-tag-indicator

---

Adding Tag to Indicator

Base Command

ctix-add-tag-indicator

Input

Argument Name	Description	Required
page	page from where data will be taken. Default is 1.	Optional
page_size	total number of results to be fetched. Default is 10.	Optional
q	query.	Optional
object_id	object id. Default is "".	Optional
object_type	object type. Default is ""	Optional
tag_id	tag id. Default is ""	Optional

Context Output

Path	Type	Description
CTIX.TagUpdation.meesage	unknown	Result of the add indicator tag request

Command Example

!ctix-add-tag-indicator object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator tag_id=fb35000b-82e7-4440-8f18-8b63bba5b372

Context Example

{

"message": "Action Successfully Executed"

}

ctix-remove-tag-from-indicator

---

Remove Tag From Indicator

Base Command

ctix-remove-tag-from-indicator

Input

Argument Name	Description	Required
page	which page to bring the data from. Default is 1.	Optional
page_size	number of pages to bring data from. Default is 10.	Optional
q	query.	Optional
object_id	object_id. Default is "".	Optional
object_type	object_type. Default is "".	Optional
tag_id	tag_id. Default is "".	Optional

Context Output

Path	Type	Description
CTIX.TagUpdation.message	unknown	Result of the remove indicator tag request

Command Example

!ctix-remove-tag-from-indicator object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator tag_id=fb35000b-82e7-4440-8f18-8b63bba5b372

Context Example

{

"message": "Action Successfully Executed"

}

ctix-search-for-tag

---

Search for tag

Base Command

ctix-search-for-tag

Input

Argument Name	Description	Required
page	number of page from where data needs to brought. Default is 1.	Optional
page_size	size of the result. Default is 10.	Optional
q	query.	Optional

Context Output

Path	Type	Description
CTIX.SearchTag.colour_code	unknown	Colour code of the tag
CTIX.SearchTag.created	number	Timestamp of when the tag was created
CTIX.SearchTag.created_by	unknown	details of the person who created the tag
CTIX.SearchTag.id	string	ID of the tag
CTIX.SearchTag.modified	number	Timestamp of when the tag was modified
CTIX.SearchTag.modified_by	unknown	Details of the person who modified the tag
CTIX.SearchTag.name	unknown	Name of the tag
CTIX.SearchTag.type	unknown	type of the tag

Command Example

!ctix-search-for-tag q=xsoar_test_trial

Context Example

{"next": "tags/?page=2&page_size=1", "page_size": 1, "previous": null,

"results": [{"colour_code": null, "created": 1652113918, "created_by":

{"email": "dummy.account@example.com", "first_name": "dummy", "id":

"40ab0f84-fb39-4444-95b2-cd155f574aa2", "last_name": "account"}, "id":

"68981db8-6deb-41f0-9727-74ad81cf47b2", "modified": 1652113918,

"modified_by": {"email": "dummy.account@example.com", "first_name":

"dummy", "id": "40ab0f84-fb39-4444-95b2-cd155f574aa2", "last_name":

"account"}, "name": "xsoar_test", "type": "manual"}], "total": 39893}

ctix-get-indicator-details

---

Get Indicator Details

Base Command

ctix-get-indicator-details

Input

Argument Name	Description	Required
page	from where data has to be brought. Default is 1.	Optional
page_size	total number of results. Default is 10.	Optional
object_id	object id. Default is "".	Optional
object_type	object type. Default is "".	Optional

Context Output

Path	Type	Description
CTIX.IndicatorDetails.aliases	string	Aliases of the tag if any
CTIX.IndicatorDetails.analyst_description	string	Analyst description provided if any
CTIX.IndicatorDetails.analyst_score	number	Analyst score of the indicator
CTIX.IndicatorDetails.analyst_tlp	string	Analyst provided TLP on the indicator
CTIX.IndicatorDetails.asn	string	ASN of the indicator
CTIX.IndicatorDetails.attribute_field	string	Attribute field of the indicator
CTIX.IndicatorDetails.attribute_value	string	Attribute value of the indicator
CTIX.IndicatorDetails.base_type	string	Base type of the indicator
CTIX.IndicatorDetails.confidence_score	number	Confidence score of the IOC
CTIX.IndicatorDetails.confidence_type	string	Confidence type of the IOC
CTIX.IndicatorDetails.country	string	Country of origin of the IOC
CTIX.IndicatorDetails.created	number	Timestamp of when the indicator was created
CTIX.IndicatorDetails.ctix_created	number	Timestamp of when the indicator was created in CTIX
CTIX.IndicatorDetails.ctix_modified	number	Timestamp of when the indicator was modified in CTIX
CTIX.IndicatorDetails.ctix_score	number	CTIX score of the indicator
CTIX.IndicatorDetails.ctix_tlp	string	CTIX assigned TLP of the indicator
CTIX.IndicatorDetails.defang_analyst_description	string	Defanged analyst description of the indicator
CTIX.IndicatorDetails.description	string	Description of the indicator
CTIX.IndicatorDetails.fang_analyst_description	string	Fang analyst description of the indicator
CTIX.IndicatorDetails.first_seen	number	Timestamp of then the indicator was first seen
CTIX.IndicatorDetails.last_seen	number	Timestamp of then the indicator was last seen
CTIX.IndicatorDetails.modified	number	Timestamp of then the indicator was modified
CTIX.IndicatorDetails.name	string	Name of the indicator
CTIX.IndicatorDetails.pattern	string	STIX pattern of the indicator
CTIX.IndicatorDetails.pattern_type	string	pattern type of the indicator
CTIX.IndicatorDetails.pattern_version	string	STIX pattern version
CTIX.IndicatorDetails.sources	unknown	Sources of the indicator
CTIX.IndicatorDetails.sub_type	string	Sub type of the indicator
CTIX.IndicatorDetails.tld	string	TLD of the indicator
CTIX.IndicatorDetails.tlp	string	TLP of the indicator
CTIX.IndicatorDetails.type	string	Type of the indicator
CTIX.IndicatorDetails.types	string	Types of the indicator
CTIX.IndicatorDetails.valid_from	number	Timestamp of the indicator from then it was valid
CTIX.IndicatorDetails.valid_until	unknown	Timestamp of the indicator till

Command Example

!ctix-get-indicator-details object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator

Context Example

{"aliases": null, "analyst_description": null, "analyst_score": null,

"analyst_tlp": null, "asn": null, "attribute_field": "value",

"attribute_value": "x.x.x.x", "base_type": "sdo", "confidence_score":

18, "confidence_type": "CTIX", "country": "Netherlands", "created":

1651648700, "ctix_created": 1651648700, "ctix_modified": 1652113922,

"ctix_score": 18, "ctix_tlp": null, "defang_analyst_description": null,

"description": null, "fang_analyst_description": null, "first_seen": null,

"last_seen": null, "modified": 1651648700, "name": "x.x.x.x",

"pattern": "[ipv4-addr:value = x.x.x.x]", "pattern_type": "stix",

"pattern_version": "2.1", "sources": [{"id":

"e941f6fb-387b-452c-b77d-b5b05c5e9df2", "name": "Dummy",

"source_type": "API_FEEDS"}], "sub_type": "ipv4-addr", "tld": "", "tlp":

"WHITE", "type": "indicator", "types": ["anomalous-activity"], "valid_from":

1644335851, "valid_until": null}

ctix-get-indicator-tags

---

Get Indicator Tags

Base Command

ctix-get-indicator-tags

Input

Argument Name	Description	Required
object_id	object id. Default is "".	Optional
object_type	object type. Default is "".	Optional
page	page. Default is 1.	Optional
page_size	page size. Default is 10.	Optional

Context Output

Path	Type	Description
CTIX.IndicatorTags.notes	unknown	Notes on the indicator's tag
CTIX.IndicatorTags.is_deprecated	boolean	If the indicator's tag deprecated or not
CTIX.IndicatorTags.is_revoked	boolean	If the indicator's tag revoked or not
CTIX.IndicatorTags.ctix_created	number	Timestamp of when the Indicator tag was created in CTIX
CTIX.IndicatorTags.is_false_positive	boolean	If the indicator's tag is false positive or not
CTIX.IndicatorTags.name	string	Name of the indicator
CTIX.IndicatorTags.is_reviewed	boolean	If the indicator reviewed or not
CTIX.IndicatorTags.is_whitelisted	boolean	If the indicator whitelisted or not
CTIX.IndicatorTags.is_under_review	boolean	If the indicator is under review or not
CTIX.IndicatorTags.is_watchlist	boolean	If the indicator is under watchlist or not
CTIX.IndicatorTags.tags	unknown	Tags of the indicator
CTIX.IndicatorTags.sub_type	unknown	Sub type of the indicator
CTIX.IndicatorTags.type	unknown	Type of Indicator

Command Example

!ctix-get-indicator-tags object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator

Context Example

{

"notes": [],

"is_deprecated": false,

"is_revoked": false,

"ctix_created": 1651648700,

"is_false_positive": false,

"name": "x.x.x.x",

"is_reviewed": false,

"is_whitelisted": false,

"is_under_review": false,

"is_watchlist": false,

"tags": [

{

"colour_code": null,

"id": "e2139fd5-fe05-48c5-8aaf-a5dfce900919",

"name": "test crowd"

},

{

"colour_code": null,

"id": "fb22e904-ad74-4b6e-987e-46e81caec9ed",

"name": "MaliciousConfidence/Low"

}

],

"sub_type": "ipv4-addr",

"type": "indicator"

}

ctix-get-indicator-relations

---

Get Indicator Relations

Base Command

ctix-get-indicator-relations

Input

Argument Name	Description	Required
page	page. Default is 1.	Optional
page_size	page size. Default is 10.	Optional
object_id	object id. Default is "".	Optional
object_type	object type. Default is "".	Optional

Context Output

Path	Type	Description
CTIX.IndicatorRelations.relationship_type	unknown	Indicator relation types
CTIX.IndicatorRelations.sources	unknown	Indicator sources
CTIX.IndicatorRelations.target_ref	unknown	Indicator target reference

Command Example

!ctix-get-indicator-relations object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator

Context Example

{

"next": null,

"page_size": 10,

"previous": null,

"results": [

{

"relationship_type": "related-to",

"sources": [

{

"id": "48e5966e-5d1b-4cf9-8e79-306aa8702a28",

"name": "dummy",

"source_type": "RSS_FEED"

}

],

"target_ref": {

"created": 1652081903,

"id": "cb728d0e-3e31-4c3d-8f7d-09726a8bf7a8",

"modified": 1652081903,

"name": "Feed 6",

"object_type": "report",

"sub_type": null,

"tlp": "AMBER"

}

}

],

"total": 1

}

ctix-get-indicator-observations

---

Get Indicator Observations

Base Command

ctix-get-indicator-observations

Input

Argument Name	Description	Required
page	page.	Optional
page_size	page size.	Optional
object_id	object id.	Optional
object_type	object type.	Optional

Context Output

Path	Type	Description
CTIX.IndicatorObservations.custom_attributes	unknown	Custom attributes if any
CTIX.IndicatorObservations.ctix_modified	number	Timestamp when indicator was modified in CTIX
CTIX.IndicatorObservations.created	number	Timestamp when indicator was created
CTIX.IndicatorObservations.pattern_type	string	Pattern type of Indicator
CTIX.IndicatorObservations.modified	number	Timestamp when indicator was modified
CTIX.IndicatorObservations.ctix_created	number	Timestamp when indicator was created in CTIX
CTIX.IndicatorObservations.pattern_version	string	STIX Pattern version of indicator
CTIX.IndicatorObservations.confidence	string	Confidence level of the indicator
CTIX.IndicatorObservations.valid_from	number	Timestamp when indicator was valid from
CTIX.IndicatorObservations.pattern	string	STIX pattern
CTIX.IndicatorObservations.fang_description	string	FANG description
CTIX.IndicatorObservations.defang_description	string	DEFANG description
CTIX.IndicatorObservations.spec_version	string	STIX Spec version
CTIX.IndicatorObservations.tags	unknown	Tags attached to the indicator
CTIX.IndicatorObservations.received_id	string	STIX ID when indicator was received
CTIX.IndicatorObservations.types	unknown	STIX Types attached to the indicator
CTIX.IndicatorObservations.source	unknown	STIX source of the indicator
CTIX.IndicatorObservations.id	string	id of the indicator
CTIX.IndicatorObservations.valid_until	number	Timestamp till when the indicator is valid
CTIX.IndicatorObservations.sco_object_id	unknown	SCO object ID
CTIX.IndicatorObservations.unique_hash	unknown	unique hash of the indicator
CTIX.IndicatorObservations.description	unknown	description of the indicator
CTIX.IndicatorObservations.granular_markings	unknown	Granular Markings if any
CTIX.IndicatorObservations.collection	unknown	Collection details of the indicator

Command Example

!ctix-get-indicator-observations object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator

Context Example

{

"result": {

"next": null,

"page_size": 10,

"previous": null,

"results": [

{

"custom_attributes": [],

"ctix_modified": 1651648700,

"created": 1644335851,

"pattern_type": "stix",

"modified": 1651648700,

"ctix_created": 1651648700,

"pattern_version": "2.1",

"confidence": "LOW",

"valid_from": 1644335851,

"pattern": "[ipv4-addr:value = 'x.x.x.x']",

"fang_description": null,

"defang_description": null,

"spec_version": "2.1",

"tags": [

{

"colour_code": null,

"id": "e2139fd5-fe05-48c5-8aaf-a5dfce900919",

"name": "test crowd"

},

{

"colour_code": null,

"id": "fb22e904-ad74-4b6e-987e-46e81caec9ed",

"name": "MaliciousConfidence/Low"

}

],

"received_id": "indicator--16a66ac2-3524-44a6-9b9d-5bec6bc80d91",

"types": [

"anomalous-activity"

],

"source": {

"id": "e941f6fb-387b-452c-b77d-b5b05c5e9df2",

"name": "Dummy",

"source_type": "API_FEEDS"

},

"id": "0a11d417-3501-4230-8454-c70e700cf1b8",

"valid_until": null,

"sco_object_id": "20067ec2-8ad1-470e-b0bb-3c4a72b15883",

"unique_hash": "babea09af794cc5ae1403302e9ec5c2d",

"description": "None",

"granular_markings": [],

"collection": {

"id": "3d7df0f3-8c88-43d2-8742-deee21eb6ee0",

"name": "test-crowd-ip"

}

}

],

"total": 1

}

}

ctix-get-conversion-feed-source

---

Base Command

ctix-get-conversion-feed-source

Input

Argument Name	Description	Required
page	page. Default is 1.	Optional
page_size	page size. Default is 10.	Optional
object_id	object id.	Optional
object_type	object type.	Optional

Context Output

Path	Type	Description
CTIX.ConversionFeedSource.created	number	Indicator creation timestamp
CTIX.ConversionFeedSource.id	string	ID of the indicator
CTIX.ConversionFeedSource.name	string	name of the indicator
CTIX.ConversionFeedSource.taxii_option	string	TAXII option

Command Example

!ctix-get-conversion-feed-source object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator

Context Example

{

"result": {

"next": "feed-sources/?page=2&page_size=10&object_id=1ff2a18a-0574-4015-bbec-bc7692dccb14&object_type=indicator",

"page_size": 10,

"previous": null,

"results": [

{

"created": 1651841206,

"id": "9c82a682-254f-410d-a1c0-dc3514415f79",

"name": "dummy-threatmailbox",

"taxii_option": "2.1"

}

],

"total": 31

}

}

ctix-get-lookup-threat-data

---

Lookup to get threat data

Base Command

ctix-get-lookup-threat-data

Input

Argument Name	Description	Required
object_type	object type.	Optional
object_names	Will contain the SDO values. Example: If you need to get the object_ids of indicator 127.0.0.1 then the value will be 127.0.0.1.	Optional
page_size	size of the page. Default is 10.	Optional

Context Output

Path	Type	Description
CTIX.ThreatDataLookup.analyst_score	number	Analyst score of the indicator
CTIX.ThreatDataLookup.analyst_tlp	string	Analyst TLP of the indicator
CTIX.ThreatDataLookup.confidence_score	number	Confidence score of the indicator
CTIX.ThreatDataLookup.confidence_type	string	Confidence type of the indicator
CTIX.ThreatDataLookup.country	string	Indicator origin country
CTIX.ThreatDataLookup.created	number	Timestamp of when the indicator was created
CTIX.ThreatDataLookup.ctix_created	number	Timestamp of when the indicator was created in CTIX
CTIX.ThreatDataLookup.ctix_modified	number	Timestamp of when the indicator was modified in CTIX
CTIX.ThreatDataLookup.first_seen	number	Timestamp of when the indicator was first seen
CTIX.ThreatDataLookup.id	string	Indicator ID
CTIX.ThreatDataLookup.indicator_type	string	Indicator type
CTIX.ThreatDataLookup.ioc_type	string	IOC type
CTIX.ThreatDataLookup.is_actioned	boolean	Is actioned
CTIX.ThreatDataLookup.is_deprecated	boolean	is deprecated
CTIX.ThreatDataLookup.is_false_positive	boolean	is false positive
CTIX.ThreatDataLookup.is_reviewed	boolean	is reviewed
CTIX.ThreatDataLookup.is_revoked	boolean	is revoked
CTIX.ThreatDataLookup.is_watchlist	boolean	is watchlisted
CTIX.ThreatDataLookup.is_whitelisted	boolean	is allowed
CTIX.ThreatDataLookup.last_seen	number	Timestamp of when the indicator was last seen
CTIX.ThreatDataLookup.modified	number	Timestamp of when the indicator was modified
CTIX.ThreatDataLookup.name	string	name of the indicator
CTIX.ThreatDataLookup.null	unknown	null
CTIX.ThreatDataLookup.primary_attribute	string	Primary Attribute
CTIX.ThreatDataLookup.published_collections	unknown	published collections
CTIX.ThreatDataLookup.risk_severity	string	Risk severity
CTIX.ThreatDataLookup.source_collections	unknown	sources collections
CTIX.ThreatDataLookup.source_confidence	string	Source confidence
CTIX.ThreatDataLookup.sources	unknown	sources
CTIX.ThreatDataLookup.sub_type	string	Sub type
CTIX.ThreatDataLookup.subscriber_collections	unknown	subscriber collections
CTIX.ThreatDataLookup.subscribers	unknown	subscribers
CTIX.ThreatDataLookup.tags	unknown	Tags
CTIX.ThreatDataLookup.tlp	string	TLP
CTIX.ThreatDataLookup.type	string	Type
CTIX.ThreatDataLookup.valid_from	number	Timestamp from when the indicator was valid
CTIX.ThreatDataLookup.valid_until	number	Timestamp till when the indicator was valid

Command example

!ctix-get-lookup-threat-data object_names=example.com,3.4.5.6 object_type=indicator

Context Example

{

"CTIX": {

"ThreatDataLookup": {

"analyst_cvss_score": null,

"analyst_score": null,

"analyst_tlp": null,

"confidence_score": 100,

"confidence_type": "ctix",

"country": null,

"created": 1674080000,

"ctix_created": 1674080000,

"ctix_modified": 1674080000,

"custom_attributes": [],

"first_seen": null,

"id": "6779a969-6404-4dd7-97ef-dec877c03c4f",

"indicator_type": "domain-name",

"ioc_type": "domain-name",

"is_actioned": false,

"is_deprecated": false,

"is_false_positive": false,

"is_reviewed": false,

"is_revoked": false,

"is_watchlist": false,

"is_whitelisted": false,

"last_seen": null,

"modified": 1674080001,

"name": "example.com",

"null": [],

"primary_attribute": null,

"published_collections": [],

"risk_severity": null,

"severity": "UNKNOWN",

"source_collections": [

{

"id": "a9d67cc1-5de8-460b-8bf4-63abc7ceaa54",

"name": "anotherone (OpenAPI)"

}

],

"source_confidence": "HIGH",

"sources": [

{

"id": "38102b0e-1af4-4ee2-a62e-dd5f2ffaff5a",

"name": "testing (OpenAPI)",

"source_type": "MISCELLANEOUS"

}

],

"sub_type": "value",

"subscriber_collections": [],

"subscribers": [],

"tags": [

{

"colour_code": "#5236E2",

"id": "9635c41b-80fb-4a98-a1f3-e5796c72bb29",

"name": "created_using_openapi_lookup"

}

],

"tlp": "AMBER",

"type": "indicator",

"valid_from": 1674080000,

"valid_until": null

}

},

"DBotScore": {

"Indicator": "example.com",

"Reliability": "C - Fairly reliable",

"Score": 3,

"Type": "domain",

"Vendor": "CTIX v3 Beta"

},

"Domain": {

"Malicious": {

"Description": null,

"Vendor": "CTIX v3 Beta"

},

"Name": "example.com"

}

}

Human Readable Output

Lookup Data

confidence_score	confidence_type	created	ctix_created	ctix_modified	id	indicator_type	ioc_type	is_actioned	is_deprecated	is_false_positive	is_reviewed	is_revoked	is_watchlist	is_whitelisted	modified	name	severity	source_collections	source_confidence	sources	sub_type	tags	tlp	type	valid_from
100	ctix	1674080000	1674080000	1674080000	6779a969-6404-4dd7-97ef-dec877c03c4f	domain-name	domain-name	false	false	false	false	false	false	false	1674080001	example.com	UNKNOWN	{'id': 'a9d67cc1-5de8-460b-8bf4-63abc7ceaa54', 'name': 'anotherone (OpenAPI)'}	HIGH	{'id': '38102b0e-1af4-4ee2-a62e-dd5f2ffaff5a', 'name': 'testing (OpenAPI)', 'source_type': 'MISCELLANEOUS'}	value	{'colour_code': '#5236E2', 'id': '9635c41b-80fb-4a98-a1f3-e5796c72bb29', 'name': 'created_using_openapi_lookup'}	AMBER	indicator	1674080000

ctix-get-create-threat-data

---

Gets or creates threat data

Base Command

ctix-get-create-threat-data

Input

Argument Name	Description	Required
object_type	object type.	Optional
object_names	Will contain the SDO values. Example: If you need to get the object_ids of indicator 127.0.0.1 then the value will be 127.0.0.1.	Required
page_size	size of the page. Default is 10.	Optional
source	The source of the threat data.	Optional
collection	The collection to store the threat data in.	Optional

Context Output

Path	Type	Description
CTIX.ThreatDataGetCreate.Found.analyst_score	number	Analyst score of the indicator
CTIX.ThreatDataGetCreate.Found.analyst_tlp	string	Analyst TLP of the indicator
CTIX.ThreatDataGetCreate.Found.confidence_score	number	Confidence score of the indicator
CTIX.ThreatDataGetCreate.Found.confidence_type	string	Confidence type of the indicator
CTIX.ThreatDataGetCreate.Found.country	string	Indicator origin country
CTIX.ThreatDataGetCreate.Found.created	number	Timestamp of when the indicator was created
CTIX.ThreatDataGetCreate.Found.ctix_created	number	Timestamp of when the indicator was created in CTIX
CTIX.ThreatDataGetCreate.Found.ctix_modified	number	Timestamp of when the indicator was modified in CTIX
CTIX.ThreatDataGetCreate.Found.first_seen	number	Timestamp of when the indicator was first seen
CTIX.ThreatDataGetCreate.Found.id	string	Indicator ID
CTIX.ThreatDataGetCreate.Found.indicator_type	string	Indicator type
CTIX.ThreatDataGetCreate.Found.ioc_type	string	IOC type
CTIX.ThreatDataGetCreate.Found.is_actioned	boolean	Is actioned
CTIX.ThreatDataGetCreate.Found.is_deprecated	boolean	is deprecated
CTIX.ThreatDataGetCreate.Found.is_false_positive	boolean	is false positive
CTIX.ThreatDataGetCreate.Found.is_reviewed	boolean	is reviewed
CTIX.ThreatDataGetCreate.Found.is_revoked	boolean	is revoked
CTIX.ThreatDataGetCreate.Found.is_watchlist	boolean	is watchlisted
CTIX.ThreatDataGetCreate.Found.is_whitelisted	boolean	is allowed
CTIX.ThreatDataGetCreate.Found.last_seen	number	Timestamp of when the indicator was last seen
CTIX.ThreatDataGetCreate.Found.modified	number	Timestamp of when the indicator was modified
CTIX.ThreatDataGetCreate.Found.name	string	name of the indicator
CTIX.ThreatDataGetCreate.Found.null	unknown	null
CTIX.ThreatDataGetCreate.Found.primary_attribute	string	Primary Attribute
CTIX.ThreatDataGetCreate.Found.published_collections	unknown	published collections
CTIX.ThreatDataGetCreate.Found.risk_severity	string	Risk severity
CTIX.ThreatDataGetCreate.Found.source_collections	unknown	sources collections
CTIX.ThreatDataGetCreate.Found.source_confidence	string	Source confidence
CTIX.ThreatDataGetCreate.Found.sources	unknown	sources
CTIX.ThreatDataGetCreate.Found.sub_type	string	Sub type
CTIX.ThreatDataGetCreate.Found.subscriber_collections	unknown	subscriber collections
CTIX.ThreatDataGetCreate.Found.subscribers	unknown	subscribers
CTIX.ThreatDataGetCreate.Found.tags	unknown	Tags
CTIX.ThreatDataGetCreate.Found.tlp	string	TLP
CTIX.ThreatDataGetCreate.Found.type	string	Type
CTIX.ThreatDataGetCreate.Found.valid_from	number	Timestamp from when the indicator was valid
CTIX.ThreatDataGetCreate.Found.valid_until	number	Timestamp till when the indicator was valid
CTIX.ThreatDataGetCreate.NotFoundCreated	string	IOCs that weren't found, and therefore were created
CTIX.ThreatDataGetCreate.NotFoundInvalid	string	IOCs that were found to be invalid, so they were not created

Command example

!ctix-get-create-threat-data object_names=example.com,x.x.x.x,zzzzz collection=some_collection source=some_source

Context Example

{

"CTIX": {

"ThreatDataGetCreate": {

"Found": {

"analyst_cvss_score": null,

"analyst_score": null,

"analyst_tlp": null,

"confidence_score": 100,

"confidence_type": "ctix",

"country": null,

"created": 1674080000,

"ctix_created": 1674080000,

"ctix_modified": 1674080000,

"custom_attributes": [],

"first_seen": null,

"id": "6779a969-6404-4dd7-97ef-dec877c03c4f",

"indicator_type": "domain-name",

"ioc_type": "domain-name",

"is_actioned": false,

"is_deprecated": false,

"is_false_positive": false,

"is_reviewed": false,

"is_revoked": false,

"is_watchlist": false,

"is_whitelisted": false,

"last_seen": null,

"modified": 1674080001,

"name": "example.com",

"null": [],

"primary_attribute": null,

"published_collections": [],

"risk_severity": null,

"severity": "UNKNOWN",

"source_collections": [

{

"id": "a9d67cc1-5de8-460b-8bf4-63abc7ceaa54",

"name": "anotherone (OpenAPI)"

}

],

"source_confidence": "HIGH",

"sources": [

{

"id": "38102b0e-1af4-4ee2-a62e-dd5f2ffaff5a",

"name": "testing (OpenAPI)",

"source_type": "MISCELLANEOUS"

}

],

"sub_type": "value",

"subscriber_collections": [],

"subscribers": [],

"tags": [

{

"colour_code": "#5236E2",

"id": "9635c41b-80fb-4a98-a1f3-e5796c72bb29",

"name": "created_using_openapi_lookup"

}

],

"tlp": "AMBER",

"type": "indicator",

"valid_from": 1674080000,

"valid_until": null

},

"NotFoundCreated": [

"x.x.x.x"

],

"NotFoundInvalid": [

"zzzzz"

]

}

},

"DBotScore": {

"Indicator": "example.com",

"Reliability": "C - Fairly reliable",

"Score": 3,

"Type": "domain",

"Vendor": "CTIX v3 Beta"

},

"Domain": {

"Malicious": {

"Description": null,

"Vendor": "CTIX v3 Beta"

},

"Name": "example.com"

}

}

Human Readable Output

Not Found: Invalid

Name
zzzzz

domain

---

Lookup domain threat data

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

domain

Input

Argument Name	Description	Required
domain	Will contain domain SDO values. Example: If you need to get the object_ids of indicator example.com then the value will be example.com.	Required

Context Output

Path	Type	Description
DBotScore.Indicator	String	The indicator that was tested.
DBotScore.Type	String	The indicator type.
DBotScore.Vendor	String	The vendor used to calculate the score.
DBotScore.Score	Number	The actual score.
Domain.Name	String	The domain name, for example: "google.com".

Command example

!domain domain="example.com" using="CTIX v3 Beta_instance"

Context Example

{

"CTIX": {

"ThreatDataLookup": {

"Found": {

"analyst_score": null,

"analyst_tlp": null,

"confidence_score": 31,

"confidence_type": "ctix",

"country": null,

"created": 1666709826,

"ctix_created": 1666874647,

"ctix_modified": 1670548277,

"first_seen": null,

"id": "10104a10-74a9-45d7-a412-f11531d64a38",

"indicator_type": "domain-name",

"ioc_type": "domain-name",

"is_actioned": false,

"is_deprecated": false,

"is_false_positive": false,

"is_reviewed": false,

"is_revoked": false,

"is_watchlist": false,

"is_whitelisted": false,

"last_seen": null,

"modified": 1667442806,

"name": "example.com",

"null": [],

"primary_attribute": null,

"published_collections": [],

"risk_severity": "UNKNOWN",

"source_collections": [

{

"id": "2a5a9989-030d-466b-b676-223d2b1f4d1e",

"name": "Indicators v4"

},

{

"id": "5f4230a4-cc3a-4d32-b3ee-c53a373e2a8f",

"name": "https://www.example.com/index.xml"

},

{

"id": "2dc18ee7-ee80-4fa7-953d-4df824f8e8ce",

"name": "https://www.example.com/index.xml"

}

],

"source_confidence": "MEDIUM",

"sources": [

{

"id": "131392bb-ecdf-45ae-8f22-b1160cf03401",

"name": "Mandiant Threat Intelligence",

"source_type": "API_FEEDS"

},

{

"id": "87e622e3-e8e5-4692-9b79-00efead3f874",

"name": "https://www.example.com/index.xml",

"source_type": "RSS_FEED"

},

{

"id": "0647eb19-c559-4d27-a441-b70117315e18",

"name": "https://www.example.com/index.xml",

"source_type": "RSS_FEED"

}

],

"sub_type": "value",

"subscriber_collections": [],

"subscribers": [],

"tags": [],

"tlp": "AMBER",

"type": "indicator",

"valid_from": 1530174464,

"valid_until": null

}

}

},

"DBotScore": {

"Indicator": "example.com",

"Reliability": "C - Fairly reliable",

"Score": 2,

"Type": "domain",

"Vendor": "CTIX v3 Beta"

},

"Domain": {

"Name": "example.com"

}

}

Human Readable Output

Lookup Data

confidence_score	confidence_type	created	ctix_created	ctix_modified	id	indicator_type	ioc_type	is_actioned	is_deprecated	is_false_positive	is_reviewed	is_revoked	is_watchlist	is_whitelisted	modified	name	risk_severity	source_collections	source_confidence	sources	sub_type	tlp	type	valid_from
31	ctix	1666709826	1666874647	1670548277	10104a10-74a9-45d7-a412-f11531d64a38	domain-name	domain-name	false	false	false	false	false	false	false	1667442806	example.com	UNKNOWN	{'id': '2a5a9989-030d-466b-b676-223d2b1f4d1e', 'name': 'Indicators v4'}, {'id': '5f4230a4-cc3a-4d32-b3ee-c53a373e2a8f', 'name': 'https://www.example.com/index.xml'}, {'id': '2dc18ee7-ee80-4fa7-953d-4df824f8e8ce', 'name': 'https://www.example.com/index.xml'}	MEDIUM	{'id': '131392bb-ecdf-45ae-8f22-b1160cf03401', 'name': 'Mandiant Threat Intelligence', 'source_type': 'API_FEEDS'}, {'id': '87e622e3-e8e5-4692-9b79-00efead3f874', 'name': 'https://www.example.com/index.xml', 'source_type': 'RSS_FEED'}, {'id': '0647eb19-c559-4d27-a441-b70117315e18', 'name': 'https://www.example.com/index.xml', 'source_type': 'RSS_FEED'}	value	AMBER	indicator	1530174464

ip

---

Lookup ip threat data

Base Command

ip

Input

Argument Name	Description	Required
ip	Will contain IP SDO values. Example: If you need to get the object_ids of indicator 1.2.3.4 then the value will be 1.2.3.4.	Required

Context Output

Path	Type	Description
DBotScore.Indicator	String	The indicator that was tested.
DBotScore.Type	String	The indicator type.
DBotScore.Vendor	String	The vendor used to calculate the score.
DBotScore.Score	Number	The actual score.
IP.Address	String	The IP address, for example: 1.2.3.4.

Command example

!ip ip="x.x.x.x" using="CTIX v3 Beta_instance"

Context Example

{

"CTIX": {

"ThreatDataLookup": {

"Found": {

"analyst_score": null,

"analyst_tlp": null,

"confidence_score": 100,

"confidence_type": "ctix",

"country": "United States",

"created": 1666710084,

"ctix_created": 1666874647,

"ctix_modified": 1671604244,

"first_seen": null,

"id": "5c2517a2-759f-4eb8-b9fa-346ff20cfaaf",

"indicator_type": "ipv4-addr",

"ioc_type": "ipv4-addr",

"is_actioned": false,

"is_deprecated": false,

"is_false_positive": false,

"is_reviewed": false,

"is_revoked": false,

"is_watchlist": false,

"is_whitelisted": false,

"last_seen": null,

"modified": 1669170873,

"name": "x.x.x.x",

"null": [],

"primary_attribute": null,

"published_collections": [],

"risk_severity": "UNKNOWN",

"source_collections": [

{

"id": "2a5a9989-030d-466b-b676-223d2b1f4d1e",

"name": "Indicators v4"

},

{

"id": "fe150b23-6354-4a9b-8c27-202abc758ba3",

"name": "NCAS JG Test"

}

],

"source_confidence": "HIGH",

"sources": [

{

"id": "131392bb-ecdf-45ae-8f22-b1160cf03401",

"name": "Mandiant Threat Intelligence",

"source_type": "API_FEEDS"

},

{

"id": "50cbaaee-8083-494c-b42a-7c7fb73ca2dc",

"name": "NCAS JG Test",

"source_type": "RSS_FEED"

}

],

"sub_type": "value",

"subscriber_collections": [],

"subscribers": [],

"tags": [

{

"colour_code": "#5236E2",

"id": "f82fa004-75cc-4824-b129-914ec13728b5",

"name": "Destruction"

}

],

"tlp": "AMBER",

"type": "indicator",

"valid_from": 1409607591,

"valid_until": null

}

}

},

"DBotScore": {

"Indicator": "x.x.x.x",

"Reliability": "C - Fairly reliable",

"Score": 3,

"Type": "ip",

"Vendor": "CTIX v3 Beta"

},

"IP": {

"Address": "x.x.x.x",

"Malicious": {

"Description": null,

"Vendor": "CTIX v3 Beta"

}

}

}

Human Readable Output

Lookup Data

confidence_score	confidence_type	country	created	ctix_created	ctix_modified	id	indicator_type	ioc_type	is_actioned	is_deprecated	is_false_positive	is_reviewed	is_revoked	is_watchlist	is_whitelisted	modified	name	risk_severity	source_collections	source_confidence	sources	sub_type	tags	tlp	type	valid_from
100	ctix	United States	1666710084	1666874647	1671604244	5c2517a2-759f-4eb8-b9fa-346ff20cfaaf	ipv4-addr	ipv4-addr	false	false	false	false	false	false	false	1669170873	x.x.x.x	UNKNOWN	{'id': '2a5a9989-030d-466b-b676-223d2b1f4d1e', 'name': 'Indicators v4'}, {'id': 'fe150b23-6354-4a9b-8c27-202abc758ba3', 'name': 'NCAS JG Test'}	HIGH	{'id': '131392bb-ecdf-45ae-8f22-b1160cf03401', 'name': 'Mandiant Threat Intelligence', 'source_type': 'API_FEEDS'}, {'id': '50cbaaee-8083-494c-b42a-7c7fb73ca2dc', 'name': 'NCAS JG Test', 'source_type': 'RSS_FEED'}	value	{'colour_code': '#5236E2', 'id': 'f82fa004-75cc-4824-b129-914ec13728b5', 'name': 'Destruction'}	AMBER	indicator	1409607591

file

---

Lookup file threat data

Base Command

file

Input

Argument Name	Description	Required
file	Will contain file SDO values. Example: If you need to get the object_ids of a file hash 3ed0a30799543fa2c3a913c7985bffed then the value will be 3ed0a30799543fa2c3a913c7985bffed.	Required

Context Output

Path	Type	Description
DBotScore.Indicator	String	The indicator that was tested.
DBotScore.Type	String	The indicator type.
DBotScore.Vendor	String	The vendor used to calculate the score.
DBotScore.Score	Number	The actual score.
File.MD5	String	The MD5 hash of the file.
File.SHA1	String	The SHA1 hash of the file.
File.SHA256	String	The SHA256 hash of the file.

Command example

!file file="9c57753557ed258d731987834c56fa4c" using="CTIX v3 Beta_instance"

Context Example

{

"CTIX": {

"ThreatDataLookup": {

"Found": {

"analyst_score": null,

"analyst_tlp": null,

"confidence_score": 100,

"confidence_type": "ctix",

"country": null,

"created": 1673710318,

"ctix_created": 1674124925,

"ctix_modified": 1674124925,

"first_seen": null,

"id": "4ea5874d-0d6e-4a65-a8db-61d825d9fb8e",

"indicator_type": "file",

"ioc_type": "MD5",

"is_actioned": false,

"is_deprecated": false,

"is_false_positive": false,

"is_reviewed": false,

"is_revoked": false,

"is_watchlist": false,

"is_whitelisted": false,

"last_seen": null,

"modified": 1673710318,

"name": "9c57753557ed258d731987834c56fa4c",

"null": [],

"primary_attribute": null,

"published_collections": [],

"risk_severity": "UNKNOWN",

"source_collections": [

{

"id": "2a5a9989-030d-466b-b676-223d2b1f4d1e",

"name": "Indicators v4"

}

],

"source_confidence": "HIGH",

"sources": [

{

"id": "131392bb-ecdf-45ae-8f22-b1160cf03401",

"name": "Mandiant Threat Intelligence",

"source_type": "API_FEEDS"

}

],

"sub_type": "MD5",

"subscriber_collections": [],

"subscribers": [],

"tags": [],

"tlp": "AMBER",

"type": "indicator",

"valid_from": 1671281161,

"valid_until": null

}

}

},

"DBotScore": {

"Indicator": "9c57753557ed258d731987834c56fa4c",

"Reliability": "C - Fairly reliable",

"Score": 3,

"Type": "file",

"Vendor": "CTIX v3 Beta"

},

"File": {

"Hashes": [],

"Malicious": {

"Description": null,

"Vendor": "CTIX v3 Beta"

},

"Name": "9c57753557ed258d731987834c56fa4c"

}

}

Human Readable Output

Lookup Data

confidence_score	confidence_type	created	ctix_created	ctix_modified	id	indicator_type	ioc_type	is_actioned	is_deprecated	is_false_positive	is_reviewed	is_revoked	is_watchlist	is_whitelisted	modified	name	risk_severity	source_collections	source_confidence	sources	sub_type	tlp	type	valid_from
100	ctix	1673710318	1674124925	1674124925	4ea5874d-0d6e-4a65-a8db-61d825d9fb8e	file	MD5	false	false	false	false	false	false	false	1673710318	9c57753557ed258d731987834c56fa4c	UNKNOWN	{'id': '2a5a9989-030d-466b-b676-223d2b1f4d1e', 'name': 'Indicators v4'}	HIGH	{'id': '131392bb-ecdf-45ae-8f22-b1160cf03401', 'name': 'Mandiant Threat Intelligence', 'source_type': 'API_FEEDS'}	MD5	AMBER	indicator	1671281161

url

---

Lookup url threat data

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

url

Input

Argument Name	Description	Required
url	Will contain URL SDO values. Example: If you need to get the object_ids of a URL https://cyware.com/ then the value will be https://cyware.com/.	Required

Context Output

Path	Type	Description
DBotScore.Indicator	String	The indicator that was tested.
DBotScore.Type	String	The indicator type.
DBotScore.Vendor	String	The vendor used to calculate the score.
DBotScore.Score	Number	The actual score.
URL.Data	String	The URL

Command example

!url url="http://example.com/" using="CTIX v3 Beta_instance"

Context Example

{

"CTIX": {

"ThreatDataLookup": {

"Found": {

"analyst_score": null,

"analyst_tlp": null,

"confidence_score": 100,

"confidence_type": "ctix",

"country": null,

"created": 1674166009,

"ctix_created": 1674166009,

"ctix_modified": 1674166009,

"first_seen": null,

"id": "dcada258-5fc2-4c42-b7d6-e8ffda6c5a9e",

"indicator_type": "url",

"ioc_type": "url",

"is_actioned": false,

"is_deprecated": false,

"is_false_positive": false,

"is_reviewed": false,

"is_revoked": false,

"is_watchlist": false,

"is_whitelisted": false,

"last_seen": null,

"modified": 1674166010,

"name": "http://example.com/",

"null": [],

"primary_attribute": null,

"published_collections": [

{

"id": "ad842594-8faa-49fb-841e-7ff99a685718",

"name": null

}

],

"risk_severity": "UNKNOWN",

"source_collections": [

{

"id": "5432c580-e1f9-40c3-b40a-a47686dfcf22",

"name": "Free Text"

}

],

"source_confidence": "HIGH",

"sources": [

{

"id": "7eb93036-688e-4916-ab1f-fe9015c16b78",

"name": "Import",

"source_type": "CUSTOM_STIX_SOURCES"

}

],

"sub_type": "value",

"subscriber_collections": [],

"subscribers": [],

"tags": [],

"tlp": "AMBER",

"type": "indicator",

"valid_from": 1674166009,

"valid_until": null

}

}

},

"DBotScore": {

"Indicator": "http://example.com/",

"Reliability": "C - Fairly reliable",

"Score": 3,

"Type": "url",

"Vendor": "CTIX v3 Beta"

},

"URL": {

"Data": "http://example.com/",

"Malicious": {

"Description": null,

"Vendor": "CTIX v3 Beta"

}

}

}

Human Readable Output

Lookup Data

confidence_score	confidence_type	created	ctix_created	ctix_modified	id	indicator_type	ioc_type	is_actioned	is_deprecated	is_false_positive	is_reviewed	is_revoked	is_watchlist	is_whitelisted	modified	name	published_collections	risk_severity	source_collections	source_confidence	sources	sub_type	tlp	type	valid_from
100	ctix	1674166009	1674166009	1674166009	dcada258-5fc2-4c42-b7d6-e8ffda6c5a9e	url	url	false	false	false	false	false	false	false	1674166010	http://example.com/	{'id': 'ad842594-8faa-49fb-841e-7ff99a685718', 'name': None}	UNKNOWN	{'id': '5432c580-e1f9-40c3-b40a-a47686dfcf22', 'name': 'Free Text'}	HIGH	{'id': '7eb93036-688e-4916-ab1f-fe9015c16b78', 'name': 'Import', 'source_type': 'CUSTOM_STIX_SOURCES'}	value	AMBER	indicator	1674166009

ctix-get-all-notes

---

Get paginated list of Notes

Base Command

ctix-get-all-notes

Input

Argument Name	Description	Required
object_id	if set, this will only retrieve Notes associated with the Threat Data object with ID=object_id.	Optional
page	the page number of the Notes to look up, default is the first page. Default is 1.	Optional
page_size	size of the result. Default is 10.	Optional

Context Output

Path	Type	Description
CTIX.Note.created	integer	The timestamp when the Note was created
CTIX.Note.created_by	unknown	The user who created the Note
CTIX.Note.created_by.email	string	The email of the user who created the Note
CTIX.Note.created_by.first_name	string	The first name of the user who created the Note
CTIX.Note.created_by.id	string	The ID of the user who created the Note
CTIX.Note.created_by.last_name	string	The last name of the user who created the Note
CTIX.Note.id	string	The ID of the Note
CTIX.Note.is_json	boolean	A flag indicating whether the Note is in JSON format
CTIX.Note.meta_data	unknown	Meta data for the Note
CTIX.Note.meta_data.component	string	The component for the Note
CTIX.Note.modified	integer	The timestamp when the Note was last modified
CTIX.Note.modified_by	unknown	The user who last modified the Note
CTIX.Note.modified_by.email	string	The email of the user who last modified the Note
CTIX.Note.modified_by.first_name	string	The first name of the user who last modified the Note
CTIX.Note.modified_by.id	string	The ID of the user who last modified the Note
CTIX.Note.modified_by.last_name	string	The last name of the user who last modified the Note
CTIX.Note.object_id	string	The object ID of the Note
CTIX.Note.text	string	The text of the Note
CTIX.Note.title	string	The title of the Note
CTIX.Note.type	string	The type of the Note

Command example

!ctix-get-all-notes page_size=1

Context Example

{

"CTIX": {

"Note": {

"created": 1674173772,

"created_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"id": "f8f67182-bf72-47df-9a90-31b2bd829a9d",

"is_json": false,

"meta_data": {

"component": "threatdata",

"object_id": "ba82b524-15b3-4071-8008-e58754f8d134",

"type": "indicator"

},

"modified": 1674173772,

"modified_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"object_id": "ba82b524-15b3-4071-8008-e58754f8d134",

"text": "this is the old text",

"title": null,

"type": "threatdata"

}

}

}

Human Readable Output

Note Data

created	created_by	id	is_json	meta_data	modified	modified_by	object_id	text	type
1674173772	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	f8f67182-bf72-47df-9a90-31b2bd829a9d	false	component: threatdata object_id: ba82b524-15b3-4071-8008-e58754f8d134 type: indicator	1674173772	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	ba82b524-15b3-4071-8008-e58754f8d134	this is the old text	threatdata

ctix-get-note-details

---

Get details of a Note as specified by its ID

Base Command

ctix-get-note-details

Input

Argument Name	Description	Required
id	the id of the Note.	Required

Context Output

Path	Type	Description
CTIX.Note.created	integer	The timestamp when the Note was created
CTIX.Note.created_by	unknown	The user who created the Note
CTIX.Note.created_by.email	string	The email of the user who created the Note
CTIX.Note.created_by.first_name	string	The first name of the user who created the Note
CTIX.Note.created_by.id	string	The ID of the user who created the Note
CTIX.Note.created_by.last_name	string	The last name of the user who created the Note
CTIX.Note.id	string	The ID of the Note
CTIX.Note.is_json	boolean	A flag indicating whether the Note is in JSON format
CTIX.Note.meta_data	unknown	Meta data for the Note
CTIX.Note.meta_data.component	string	The component for the Note
CTIX.Note.modified	integer	The timestamp when the Note was last modified
CTIX.Note.modified_by	unknown	The user who last modified the Note
CTIX.Note.modified_by.email	string	The email of the user who last modified the Note
CTIX.Note.modified_by.first_name	string	The first name of the user who last modified the Note
CTIX.Note.modified_by.id	string	The ID of the user who last modified the Note
CTIX.Note.modified_by.last_name	string	The last name of the user who last modified the Note
CTIX.Note.object_id	string	The object ID of the Note
CTIX.Note.text	string	The text of the Note
CTIX.Note.title	string	The title of the Note
CTIX.Note.type	string	The type of the Note

Command example

!ctix-get-note-details id="7d739870-ce7d-415b-bbbf-25f4bbc6be66"

Context Example

{

"CTIX": {

"Note": {

"created": 1671821868,

"created_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"id": "7d739870-ce7d-415b-bbbf-25f4bbc6be66",

"is_json": false,

"meta_data": {

"component": "threatdata",

"object_id": "fake",

"type": "indicator"

},

"modified": 1674173787,

"modified_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"object_id": "fake",

"text": "this is the new text",

"title": null,

"type": "threatdata"

}

}

}

Human Readable Output

Note Detail Data

created	created_by	id	is_json	meta_data	modified	modified_by	object_id	text	type
1671821868	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	7d739870-ce7d-415b-bbbf-25f4bbc6be66	false	component: threatdata object_id: fake type: indicator	1674173787	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	fake	this is the new text	threatdata

ctix-create-note

---

Creates a new Note from the parameter 'text'

Base Command

ctix-create-note

Input

Argument Name	Description	Required
text	the text that you want the note to have.	Required
object_id	if set, will associate Note to the Threat Data object with the provided ID.	Optional
object_type	only required if object_id is set, used to specify the type of object object_id is. Possible values are: indicator, malware, threat-actor, vulnerability, attack-pattern, campaign, course-of-action, identity, infrastructure, intrusion-set, location, malware-analysis, observed-data, opinion, tool, report, custom-object, observable, incident, note.	Optional

Context Output

Path	Type	Description
CTIX.Note.created	integer	The timestamp when the Note was created
CTIX.Note.created_by	unknown	The user who created the Note
CTIX.Note.created_by.email	string	The email of the user who created the Note
CTIX.Note.created_by.first_name	string	The first name of the user who created the Note
CTIX.Note.created_by.id	string	The ID of the user who created the Note
CTIX.Note.created_by.last_name	string	The last name of the user who created the Note
CTIX.Note.id	string	The ID of the Note
CTIX.Note.is_json	boolean	A flag indicating whether the Note is in JSON format
CTIX.Note.meta_data	unknown	Meta data for the Note
CTIX.Note.meta_data.component	string	The component for the Note
CTIX.Note.modified	integer	The timestamp when the Note was last modified
CTIX.Note.modified_by	unknown	The user who last modified the Note
CTIX.Note.modified_by.email	string	The email of the user who last modified the Note
CTIX.Note.modified_by.first_name	string	The first name of the user who last modified the Note
CTIX.Note.modified_by.id	string	The ID of the user who last modified the Note
CTIX.Note.modified_by.last_name	string	The last name of the user who last modified the Note
CTIX.Note.object_id	string	The object ID of the Note
CTIX.Note.text	string	The text of the Note
CTIX.Note.title	string	The title of the Note
CTIX.Note.type	string	The type of the Note

Command example

!ctix-create-note text="hello world x100"

Context Example

{

"CTIX": {

"Note": {

"created": 1674173831,

"created_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"id": "35ee1841-8357-43e0-b372-aff9800cdc55",

"is_json": false,

"meta_data": {

"component": "notes"

},

"modified": 1674173831,

"modified_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"object_id": null,

"text": "hello world x100",

"title": null,

"type": "notes"

}

}

}

Human Readable Output

Created Note Data

created	created_by	id	is_json	meta_data	modified	modified_by	text	type
1674173831	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	35ee1841-8357-43e0-b372-aff9800cdc55	false	component: notes	1674173831	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	hello world x100	notes

Command example

!ctix-create-note text="hello world x100" object_id="da1a6268-e589-4231-a334-68fb0c2cc1e0" object_type=indicator

Context Example

{

"CTIX": {

"Note": {

"created": 1674173838,

"created_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"id": "e5584583-6d45-4fe8-82b4-a802007c38f0",

"is_json": false,

"meta_data": {

"component": "threatdata",

"object_id": "da1a6268-e589-4231-a334-68fb0c2cc1e0",

"type": "indicator"

},

"modified": 1674173838,

"modified_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"object_id": "da1a6268-e589-4231-a334-68fb0c2cc1e0",

"text": "hello world x100",

"title": null,

"type": "threatdata"

}

}

}

Human Readable Output

Created Note Data

created	created_by	id	is_json	meta_data	modified	modified_by	object_id	text	type
1674173838	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	e5584583-6d45-4fe8-82b4-a802007c38f0	false	component: threatdata object_id: da1a6268-e589-4231-a334-68fb0c2cc1e0 type: indicator	1674173838	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	da1a6268-e589-4231-a334-68fb0c2cc1e0	hello world x100	threatdata

ctix-update-note

---

Updates the Note text from an existing Note, as specified by its ID

Base Command

ctix-update-note

Input

Argument Name	Description	Required
id	the id of the Note.	Required
text	the updated text that you want the note to have.	Optional
object_id	if set, will associate Note to the Threat Data object with the provided ID.	Optional
object_type	only required if object_id is set, used to specify the type of object object_id is. Possible values are: indicator, malware, threat-actor, vulnerability, attack-pattern, campaign, course-of-action, identity, infrastructure, intrusion-set, location, malware-analysis, observed-data, opinion, tool, report, custom-object, observable, incident, note.	Optional

Context Output

Path	Type	Description
CTIX.Note.created	integer	The timestamp when the Note was created
CTIX.Note.created_by	unknown	The user who created the Note
CTIX.Note.created_by.email	string	The email of the user who created the Note
CTIX.Note.created_by.first_name	string	The first name of the user who created the Note
CTIX.Note.created_by.id	string	The ID of the user who created the Note
CTIX.Note.created_by.last_name	string	The last name of the user who created the Note
CTIX.Note.id	string	The ID of the Note
CTIX.Note.is_json	boolean	A flag indicating whether the Note is in JSON format
CTIX.Note.meta_data	unknown	Meta data for the Note
CTIX.Note.meta_data.component	string	The component for the Note
CTIX.Note.modified	integer	The timestamp when the Note was last modified
CTIX.Note.modified_by	unknown	The user who last modified the Note
CTIX.Note.modified_by.email	string	The email of the user who last modified the Note
CTIX.Note.modified_by.first_name	string	The first name of the user who last modified the Note
CTIX.Note.modified_by.id	string	The ID of the user who last modified the Note
CTIX.Note.modified_by.last_name	string	The last name of the user who last modified the Note
CTIX.Note.object_id	string	The object ID of the Note
CTIX.Note.text	string	The text of the Note
CTIX.Note.title	string	The title of the Note
CTIX.Note.type	string	The type of the Note

Command example

!ctix-update-note id="7d739870-ce7d-415b-bbbf-25f4bbc6be66" text="this is a test"

Context Example

{

"CTIX": {

"Note": {

"created": 1671821868,

"created_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"id": "7d739870-ce7d-415b-bbbf-25f4bbc6be66",

"is_json": false,

"meta_data": {

"component": "threatdata",

"object_id": "fake",

"type": "indicator"

},

"modified": 1674173815,

"modified_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"object_id": "fake",

"text": "this is a test",

"title": null,

"type": "threatdata"

}

}

}

Human Readable Output

Updated Note Data

created	created_by	id	is_json	meta_data	modified	modified_by	object_id	text	type
1671821868	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	7d739870-ce7d-415b-bbbf-25f4bbc6be66	false	component: threatdata object_id: fake type: indicator	1674173815	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	fake	this is a test	threatdata

Command example

!ctix-update-note id="7d739870-ce7d-415b-bbbf-25f4bbc6be66" object_id="da1a6268-e589-4231-a334-68fb0c2cc1e0" object_type=indicator

Context Example

{

"CTIX": {

"Note": {

"created": 1671821868,

"created_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"id": "7d739870-ce7d-415b-bbbf-25f4bbc6be66",

"is_json": false,

"meta_data": {

"component": "threatdata",

"object_id": "fake",

"type": "indicator"

},

"modified": 1674173824,

"modified_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"object_id": "da1a6268-e589-4231-a334-68fb0c2cc1e0",

"text": "this is a test",

"title": null,

"type": "threatdata"

}

}

}

Human Readable Output

Updated Note Data

created	created_by	id	is_json	meta_data	modified	modified_by	object_id	text	type
1671821868	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	7d739870-ce7d-415b-bbbf-25f4bbc6be66	false	component: threatdata object_id: fake type: indicator	1674173824	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	da1a6268-e589-4231-a334-68fb0c2cc1e0	this is a test	threatdata

ctix-delete-note

---

Deletes an existing Note, as specified by its ID

Base Command

ctix-delete-note

Input

Argument Name	Description	Required
id	the id of the Note.	Required

Context Output

Path	Type	Description
CTIX.Note.deletion.details	string	Returns "success" if the deletion request was successful, otherwise "failure"

Command example

!ctix-delete-note id="7d739870-ce7d-415b-bbbf-25f4bbc6be66"

Context Example

{

"CTIX": {

"Note": {

"details": "success"

}

}

}

Human Readable Output

Deleted Note Data

details
success

ctix-make-request

---

allows you to make any HTTP request using CTIX endpoints

Base Command

ctix-make-request

Input

Argument Name	Description	Required
type	the HTTP method you would like to call. Possible values are: GET, POST, PUT, DELETE.	Required
endpoint	URL suffix of the API call to CTIX.	Required
body	any data you would like to pass, in JSON format.	Optional
params	any parameters you would like to pass, in JSON format.	Optional

Context Output

There is no context output for this command.

Command example

!ctix-make-request type=POST endpoint=ingestion/notes/ body="{\"text\": \"this is the old text\",\"type\": \"threatdata\",\"meta_data\": {\"component\": \"threatdata\",\"object_id\": \"ba82b524-15b3-4071-8008-e58754f8d134\",\"type\": \"indicator\"},\"object_id\": \"ba82b524-15b3-4071-8008-e58754f8d134\"}"

Context Example

{

"CTIX": {

"Request": {

"POST": {

"ingestion/notes/": {

"created": 1674173772,

"created_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"id": "f8f67182-bf72-47df-9a90-31b2bd829a9d",

"is_json": false,

"meta_data": {

"component": "threatdata",

"object_id": "ba82b524-15b3-4071-8008-e58754f8d134",

"type": "indicator"

},

"modified": 1674173772,

"modified_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"object_id": "ba82b524-15b3-4071-8008-e58754f8d134",

"text": "this is the old text",

"title": null,

"type": "threatdata"

}

}

}

}

}

Human Readable Output

HTTP Response Data

created	created_by	id	is_json	meta_data	modified	modified_by	object_id	text	type
1674173772	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	f8f67182-bf72-47df-9a90-31b2bd829a9d	false	component: threatdata object_id: ba82b524-15b3-4071-8008-e58754f8d134 type: indicator	1674173772	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	ba82b524-15b3-4071-8008-e58754f8d134	this is the old text	threatdata

Command example

!ctix-make-request type=GET endpoint=ingestion/notes/ params="{\"page\": 1, \"page_size\": 1}"

Context Example

{

"CTIX": {

"Request": {

"GET": {

"ingestion/notes/": {

"created": 1674173772,

"created_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"id": "f8f67182-bf72-47df-9a90-31b2bd829a9d",

"is_json": false,

"meta_data": {

"component": "threatdata",

"object_id": "ba82b524-15b3-4071-8008-e58754f8d134",

"type": "indicator"

},

"modified": 1674173772,

"modified_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"object_id": "ba82b524-15b3-4071-8008-e58754f8d134",

"text": "this is the old text",

"title": null,

"type": "threatdata"

}

}

}

}

}

Human Readable Output

HTTP Response Data

created	created_by	id	is_json	meta_data	modified	modified_by	object_id	text	type
1674173772	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	f8f67182-bf72-47df-9a90-31b2bd829a9d	false	component: threatdata object_id: ba82b524-15b3-4071-8008-e58754f8d134 type: indicator	1674173772	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	ba82b524-15b3-4071-8008-e58754f8d134	this is the old text	threatdata

Command example

!ctix-make-request type=PUT endpoint=ingestion/notes/7d739870-ce7d-415b-bbbf-25f4bbc6be66/ body="{\"text\": \"this is the new text\"}"

Context Example

{

"CTIX": {

"Request": {

"PUT": {

"ingestion/notes/7d739870-ce7d-415b-bbbf-25f4bbc6be66/": {

"created": 1671821868,

"created_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"id": "7d739870-ce7d-415b-bbbf-25f4bbc6be66",

"is_json": false,

"meta_data": {

"component": "threatdata",

"object_id": "fake",

"type": "indicator"

},

"modified": 1674173787,

"modified_by": {

"email": "some.user@example.com",

"first_name": "some",

"id": "5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a",

"last_name": "user"

},

"object_id": "fake",

"text": "this is the new text",

"title": null,

"type": "threatdata"

}

}

}

}

}

Human Readable Output

HTTP Response Data

created	created_by	id	is_json	meta_data	modified	modified_by	object_id	text	type
1671821868	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	7d739870-ce7d-415b-bbbf-25f4bbc6be66	false	component: threatdata object_id: fake type: indicator	1674173787	email: some.user@example.com first_name: some id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a last_name: user	fake	this is the new text	threatdata

Command example

!ctix-make-request type=DELETE endpoint=ingestion/notes/1e2f348b-8168-4330-933b-24263ab9116a/

Context Example

{

"CTIX": {

"Request": {

"DELETE": {

"ingestion/notes/1e2f348b-8168-4330-933b-24263ab9116a/": {

"details": "success"

}

}

}

}

}

Human Readable Output

HTTP Response Data

details
success

ctix-get-vulnerability-data

---

Lookup vulnerability info

Base Command

ctix-get-vulnerability-data

Input

Argument Name	Description	Required
cve	The CVE identifier to look up information about	Required
extra_fields	A comma separated list of extra fields to return in the response	Optional

Context Output

Path	Type	Description
CTIX.VulnerabilityLookup.cpes	string	CPEs
CTIX.VulnerabilityLookup.cvss2	number	CVSS2
CTIX.VulnerabilityLookup.cvss3	number	CVSS3
CTIX.VulnerabilityLookup.dbot_reputation	integer	DbotReputation
CTIX.VulnerabilityLookup.description	string	Description
CTIX.VulnerabilityLookup.last_modified	string	LastModified
CTIX.VulnerabilityLookup.created	string	LastPublished
CTIX.VulnerabilityLookup.name	string	Name
CTIX.VulnerabilityLookup.uuid	string	UUID
CTIX.VulnerabilityLookup.extra_data	string	Extra data

Command example

`!ctix-get-vulnerability-data cve=CVE-2023-30837

Human Readable Output

HTTP Response Data

cpes	cvss2	cvss3	dbot_reputation	description	extra_data	last_modified	last_published	name
cpe:2.3🅰️vyper_project:vyper::::::::	None	None	3	Remote exploitation of a design error vulnerability in Vyper_project Vyper could could allow an attacker to cause a Denial of Service (DoS) condition on the targeted host. A design error vulnerability has been identified in Vyper. Specifically, this issue occurs due to storage allocator overflow. Further details are not available at the time of this writing. ACTI will update this report as more details become available.	{}	2023-05-08 05:48:58	2023-05-08 05:48:58	CVE-2023-30837

cve

---

Lookup vulnerability info

Base Command

cve

Input

Argument Name	Description	Required
cve	The CVE identifier to look up information about	Required
extra_fields	A comma separated list of extra fields to return in the response	Optional

Context Output

Path	Type	Description
CTIX.VulnerabilityLookup.cpes	string	CPEs
CTIX.VulnerabilityLookup.cvss2	number	CVSS2
CTIX.VulnerabilityLookup.cvss3	number	CVSS3
CTIX.VulnerabilityLookup.dbot_reputation	integer	DbotReputation
CTIX.VulnerabilityLookup.description	string	Description
CTIX.VulnerabilityLookup.last_modified	string	LastModified
CTIX.VulnerabilityLookup.created	string	LastPublished
CTIX.VulnerabilityLookup.name	string	Name
CTIX.VulnerabilityLookup.uuid	string	UUID
CTIX.VulnerabilityLookup.extra_data	string	Extra data
DBotScore.Indicator	string	The indicator that was tested.
DBotScore.Type	string	The indicator type.
DBotScore.Vendor	string	The vendor used to calculate the score.
DBotScore.Score	number	The actual score.

Command example

`!cve cve=CVE-2023-30837

Human Readable Output

HTTP Response Data

cpes	cvss2	cvss3	dbot_reputation	description	extra_data	last_modified	last_published	name
cpe:2.3🅰️vyper_project:vyper::::::::	None	None	3	Remote exploitation of a design error vulnerability in Vyper_project Vyper could could allow an attacker to cause a Denial of Service (DoS) condition on the targeted host. A design error vulnerability has been identified in Vyper. Specifically, this issue occurs due to storage allocator overflow. Further details are not available at the time of this writing. ACTI will update this report as more details become available.	{}	2023-05-08 05:48:58	2023-05-08 05:48:58	CVE-2023-30837