CTIX v3
CTIX Pack.#
This Integration is part of theThis is example Threat Intelligence eXhange(CTIX) integration which enriches IP/Domain/URL/File Data. This integration was integrated and tested with version 3.0.0 of CTIX
#
Configure CTIX in CortexParameter | Description | Required |
---|---|---|
Endpoint URL | Enter the endpoint URL of your CTIX Instance. | True |
Access Key | Enter the Access Key from the CTIX application. | True |
Secret Key | Enter the Secret Key from the CTIX application. | True |
Trust any certificate (not secure) | False | |
Use system proxy settings | False | |
Fetch incidents | False | |
Incidents Fetch Interval | False | |
Incident type | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
ctix-create-tagCreate new tag in the ctix platform
#
Base Commandctix-create-tag
#
InputArgument Name | Description | Required |
---|---|---|
tag_name | New tag's name. | Required |
color_code | New tag's hex colour code e.g #111111. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.Tag.name | string | Name of the tag |
CTIX.Tag.tag_type | string | Type of the tag (manual) |
CTIX.Tag.colour_code | string | Colour Code of the tag |
CTIX.Tag.id | string | Id of the Created Tag |
CTIX.Tag.created | number | Created at timestamp |
CTIX.Tag.modified | number | Modified at timestamp |
#
Command Example!ctix-create-tag tag_name=xsoar_test_trial color_code=#95A1B1
#
Context Example#
ctix-get-tagsGet paginated list of tags
#
Base Commandctix-get-tags
#
InputArgument Name | Description | Required |
---|---|---|
page | Page number for pagination. Default is 1. | Optional |
page_size | Page size for pagination. Default is 10. | Optional |
q | search query parameter. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.Tag.name | string | Name of the tag |
CTIX.Tag.id | string | ID of the tag |
CTIX.Tag.colour_code | string | Hex colour code associated with tag |
CTIX.Tag.tag_type | string | Type of the tag |
CTIX.Tag.created | number | Created at timestamp |
CTIX.Tag.modified | number | Modified at timestamp |
#
Command Example!ctix-get-tags
#
Context Example#
ctix-delete-tagDelete a tag with given tag_name
#
Base Commandctix-delete-tag
#
InputArgument Name | Description | Required |
---|---|---|
tag_name | Name of the tag. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.DeleteTag.result | string | Status |
#
Command Example!ctix-delete-tag tag_name=xsoar_test_trial
#
Context Example#
ctix-allowed-iocsAdds list of same type of iocs to allowed
#
Base Commandctix-allowed-iocs
#
InputArgument Name | Description | Required |
---|---|---|
type | Type of ioc. Possible values are: ipv4-addr, ipv6-addr, autonomous-system, email-addr, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SSDEEP, url, cidr, domain-name, mutex, windows-registry-key, user-agent. | Required |
values | Values of the given type. | Required |
reason | Descriptive reason. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.Details.invalid | unknown | Invalid iocs sent in request |
CTIX.Details.new_created | unknown | List of iocs added to whitelist |
CTIX.Details.already_exists | unknown | List of iocs already existing |
#
Command Example!ctix-allowed-iocs reason=test type="ipv4-addr" values=x.x.x.x,x.x.x.x
#
Context Example#
ctix-get-allowed-iocsget paginated list of allowed iocs
#
Base Commandctix-get-allowed-iocs
#
InputArgument Name | Description | Required |
---|---|---|
page | Page number . Default is 1. | Optional |
page_size | Page size. Default is 10. | Optional |
q | query param for searching. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.IOC.id | string | ID of the object |
CTIX.IOC.include_emails | boolean | If enabled then the emails to the corresponding emails will be whitelisted |
CTIX.IOC.include_sub_domains | boolean | If enabled then the emails to the corresponding sub domains will be whitelisted |
CTIX.IOC.include_urls | boolean | If enabled then the emails to the corresponding urls will be whitelisted |
CTIX.IOC.type | string | Type of the ioc |
CTIX.IOC.value | string | Value of the ioc |
CTIX.IOC.created | number | Created at timestamp |
CTIX.IOC.modified | number | Modified at timestamp |
#
Command Example!ctix-get-allowed-iocs q=type=indicator
#
Context Example#
ctix-remove-allowed-iocRemoves a alloweded ioc with given id
#
Base Commandctix-remove-allowed-ioc
#
InputArgument Name | Description | Required |
---|---|---|
ids | allowed IOC ids. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
details | string | Operation result |
#
Command Example!ctix-remove-allowed-ioc ids=7a33a7ac-ab54-412f-a725-f35c208a54ea
#
Context Example#
ctix-get-threat-dataCommand for querying and listing threat data
#
Base Commandctix-get-threat-data
#
InputArgument Name | Description | Required |
---|---|---|
query | Query statement for the thread data, please refer to the documentation. | Required |
page | page. Default is 1. | Optional |
page_size | size of page. Default is 1. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.ThreatData.confidence_score | number | Confidence Score of the IOC |
CTIX.ThreatData.confidence_type | string | Confidence Type of the IOC |
CTIX.ThreatData.created | number | When the IOC was created in source |
CTIX.ThreatData.ctix_created | number | When the IOC was created in CTIX |
CTIX.ThreatData.ctix_modified | number | When the IOC was modified in CTIX |
CTIX.ThreatData.id | string | ID of the IOC in CTIX |
CTIX.ThreatData.indicator_type | string | Type of the Indicator |
CTIX.ThreatData.ioc_type | string | Type of IOC |
CTIX.ThreatData.is_actioned | boolean | Is Actioned |
CTIX.ThreatData.is_deprecated | boolean | Is Deprecated |
CTIX.ThreatData.is_false_positive | boolean | Is False Positive |
CTIX.ThreatData.is_reviewed | boolean | Is reviewed |
CTIX.ThreatData.is_revoked | boolean | Is revoked |
CTIX.ThreatData.is_watchlist | boolean | Is Watchlist |
CTIX.ThreatData.is_whitelisted | boolean | Is alloweded |
CTIX.ThreatData.modified | boolean | When the indicator modified |
CTIX.ThreatData.name | boolean | Name of the indicator |
CTIX.ThreatData.risk_severity | boolean | risk severity of the indicator |
CTIX.ThreatData.source_collections | unknown | Source Collections of the Indicator |
CTIX.ThreatData.source_confidence | string | Source Confidence of the indicator |
CTIX.ThreatData.sources | unknown | sources of the indicator |
CTIX.ThreatData.sub_type | string | Sub Type of the IOC |
CTIX.ThreatData.tlp | string | TLP of the indicator |
CTIX.ThreatData.type | string | Type of the IOC |
CTIX.ThreatData.valid_from | number | Date from which IOC is valid |
#
Command Example!ctix-get-threat-data query=type=indicator
#
Context Example#
ctix-get-saved-searchesSaved Search listing api with pagination
#
Base Commandctix-get-saved-searches
#
InputArgument Name | Description | Required |
---|---|---|
page | page. Default is 1. | Optional |
page_size | page size. Default is 5. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.SavedSearch.id | string | ID of the object |
CTIX.SavedSearch.editable | boolean | |
CTIX.SavedSearch.is_threat_data_search | boolean | |
CTIX.SavedSearch.name | string | |
CTIX.SavedSearch.order | number | |
CTIX.SavedSearch.pinned | boolean | |
CTIX.SavedSearch.query | string | |
CTIX.SavedSearch.shared_type | string | |
CTIX.SavedSearch.type | string | |
CTIX.SavedSearch.meta_data | unknown |
#
Command Example!ctix-get-saved-searches
#
Context Example#
ctix-get-server-collectionsSource Collection listing api with pagination
#
Base Commandctix-get-server-collections
#
InputArgument Name | Description | Required |
---|---|---|
page | page. Default is 1. | Optional |
page_size | page size. Default is 15. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.ServerCollection.name | string | Name of the server |
CTIX.ServerCollection.id | string | ID of the object |
CTIX.ServerCollection.inbox | boolean | Inbox is enabled or not |
CTIX.ServerCollection.is_active | boolean | Object if active or not |
CTIX.ServerCollection.is_editable | boolean | Object if editable or not |
CTIX.ServerCollection.polling | boolean | Object polling is enabled or not |
CTIX.ServerCollection.type | string | Object type |
CTIX.ServerCollection.description | string | description of the object |
CTIX.ServerCollection.created | number | Created timestamp |
#
Command Example!ctix-get-server-collections
#
Context Example#
ctix-get-actionsEnrichment tools listing API
#
Base Commandctix-get-actions
#
InputArgument Name | Description | Required |
---|---|---|
page | page. Default is 1. | Optional |
page_size | page size. Default is 15. | Optional |
object_type | object type. | Optional |
action_type | action type. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.Action.action_name | string | Name of the Action |
CTIX.Action.action_type | unknown | Description of the action |
CTIX.Action.actioned_on | number | Timestamp of when the action was taken |
CTIX.Action.app_name | string | Name of the app for the action |
CTIX.app_type | string | Type of the app |
CTIX.Action.id | string | ID of the action |
CTIX.Action.object_type | string | Type of the action |
#
Command Example!ctix-get-actions action_type=manual object_type=indicator
#
Context Example#
ctix-add-indicator-as-false-positive#
Base Commandctix-add-indicator-as-false-positive
#
InputArgument Name | Description | Required |
---|---|---|
object_ids | , seperated list of indicator ids. | Required |
object_type | Type of object. Possible values are: attack-pattern, campaign, course-of-action, custom-object, grouping, identity, indicator, infrastructure, intrusion-set, location, malware, malware-analysis, observed-data, opinion, report, threat-actor, tool, note, vulnerability, artifact, directory, email-addr, user-account, email-message, file, ipv4-addr, ipv6-addr, mac-addr, autonomous-system, network-traffic, domain-name, process, software, windows-registry-key, mutex, url, observable, x509-certificate. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.IndicatorFalsePositive.message | unknown | Indicator change result |
#
Command Example!ctix-add-indicator-as-false-positive object_ids=19176d96-716d-48aa-af15-dfeff22e72e2,531e47a6-d7cd-47be-ae21-a3260518d4a5 object_type=indicator
#
Context Example#
ctix-ioc-manual-reviewAdds ioc to manual review bulk api
#
Base Commandctix-ioc-manual-review
#
InputArgument Name | Description | Required |
---|---|---|
object_ids | Object ids of the items to be added for manual review. | Required |
object_type | object type. Possible values are: attack-pattern, campaign, course-of-action, custom-object, grouping, identity, indicator, infrastructure, intrusion-set, location, malware, malware-analysis, observed-data, opinion, report, threat-actor, tool, note, vulnerability, artifact, directory, email-addr, user-account, email-message, file, ipv4-addr, ipv6-addr, mac-addr, autonomous-system, network-traffic, domain-name, process, software, windows-registry-key, mutex, url, observable, x509-certificate. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.IOCManualReview.message | unknown | IOC Manual Review result |
#
Command Example!ctix-ioc-manual-review object_ids=f3064a83-304e-4801-bec2-2f26a432bfd2,0aced40d-9a83-46cd-a92b-0c776c92594c object_type=indicator
#
Context Example#
ctix-deprecate-iocDeprecate ioc bulk api
#
Base Commandctix-deprecate-ioc
#
InputArgument Name | Description | Required |
---|---|---|
object_ids | Object ids . | Required |
object_type | object type. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.DeprecateIOC | unknown | Result of the IOC deprecation request |
#
Command Example!ctix-deprecate-ioc object_ids=f3064a83-304e-4801-bec2-2f26a432bfd2,0aced40d-9a83-46cd-a92b-0c776c92594c object_type=indicator
#
Context Example#
ctix-add-analyst-tlpAdd Analyst TLP
#
Base Commandctix-add-analyst-tlp
#
InputArgument Name | Description | Required |
---|---|---|
object_id | object id. | Required |
object_type | object type. | Required |
data | data. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.AddAnalystTLP | unknown | Result of the addition of analyst TLP |
#
Command Example!ctix-add-analyst-tlp object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator data={\"analyst_tlp\":\"GREEN\"}
#
Context Example#
ctix-add-analyst-scoreAdd Analyst Score for a Threat data
#
Base Commandctix-add-analyst-score
#
InputArgument Name | Description | Required |
---|---|---|
object_id | object id. | Required |
object_type | object type. | Required |
data | data. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.AddAnalystScore | unknown | Result of adding analyst score to threat data |
#
Command Example!ctix-add-analyst-score data={"analyst_score":10} object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator
#
Context Example#
ctix-saved-result-setSaved Result Set
#
Base Commandctix-saved-result-set
#
InputArgument Name | Description | Required |
---|---|---|
page | page. Default is 1. | Optional |
page_size | page size. Default is 10. | Optional |
label_name | label name. | Optional |
query | CQL. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.SavedResultSet.analyst_score | number | Analyst score of the IOC |
CTIX.SavedResultSet.analyst_tlp | string | Analyst TLP of the IOC |
CTIX.SavedResultSet.confidence_score | number | Confidence score of the IOC |
CTIX.SavedResultSet.confidence_type | string | Confidence type of the IOC |
CTIX.SavedResultSet.country | string | Country of origin for the IOC |
CTIX.SavedResultSet.created | number | IOC creation date |
CTIX.SavedResultSet.ctix_created | number | IOC date of creation in CTIX |
CTIX.SavedResultSet.ctix_modified | number | IOC date of modification in CTIX |
CTIX.SavedResultSet.first_seen | date | IOC timestamp when it was first seen |
CTIX.SavedResultSet.id | number | IOC ID |
CTIX.SavedResultSet.indicator_type | string | Type of the indicator |
CTIX.SavedResultSet.ioc_type | string | Type of the IOC |
CTIX.SavedResultSet.is_actioned | boolean | If there is any action taken on the indicator |
CTIX.SavedResultSet.is_deprecated | boolean | If the indicator is deprecated or not |
CTIX.SavedResultSet.is_false_positive | boolean | Value of the indicator is false positive or not |
CTIX.SavedResultSet.is_reviewed | boolean | Whether the indicator reviewed or not |
CTIX.SavedResultSet.is_revoked | boolean | Whether the indicator is revoked or not |
CTIX.SavedResultSet.is_watchlist | boolean | Whether the indicator is under watchlist or not |
CTIX.SavedResultSet.is_whitelisted | boolean | Whether the indicator is whitelisted or not |
CTIX.SavedResultSet.last_seen | date | Timestamp of the when the IOC was last seen |
CTIX.SavedResultSet.modified | date | Timestamp of the when the IOC was modified |
CTIX.SavedResultSet.name | string | Name of the indicator |
CTIX.SavedResultSet.null | unknown | null |
CTIX.SavedResultSet.primary_attribute | string | Primary attribute of the IOC |
CTIX.SavedResultSet.published_collections | unknown | Published collections of the IOC |
CTIX.SavedResultSet.risk_severity | unknown | Risk severity of the IOC |
CTIX.SavedResultSet.source_collections | unknown | Source collections of the IOC |
CTIX.SavedResultSet.name | string | Name of the IOC |
CTIX.SavedResultSet.sources | unknown | Sources of the IOC |
CTIX.SavedResultSet.sub_type | unknown | Sub type of the IOC |
CTIX.SavedResultSet.subscriber_collections | unknown | Subscription collections of the IOC |
CTIX.SavedResultSet.subscribers | unknown | Subscribers of the IOC |
CTIX.SavedResultSet.tags | unknown | Tags on the IOC |
CTIX.SavedResultSet.tlp | unknown | TLP of the IOC |
CTIX.SavedResultSet.type | unknown | Type of the IOC |
CTIX.SavedResultSet.valid_from | unknown | Timestamp from when the IOC is valid |
CTIX.SavedResultSet.valid_until | unknown | Timestamp till then the IOC is valid |
#
Command Example!ctix-saved-result-set label_name=test query=type=indicator
#
Context Example#
ctix-add-tag-indicatorAdding Tag to Indicator
#
Base Commandctix-add-tag-indicator
#
InputArgument Name | Description | Required |
---|---|---|
page | page from where data will be taken. Default is 1. | Optional |
page_size | total number of results to be fetched. Default is 10. | Optional |
q | query. | Optional |
object_id | object id. Default is "". | Optional |
object_type | object type. Default is "" | Optional |
tag_id | tag id. Default is "" | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.TagUpdation.meesage | unknown | Result of the add indicator tag request |
#
Command Example!ctix-add-tag-indicator object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator tag_id=fb35000b-82e7-4440-8f18-8b63bba5b372
#
Context Example#
ctix-remove-tag-from-indicatorRemove Tag From Indicator
#
Base Commandctix-remove-tag-from-indicator
#
InputArgument Name | Description | Required |
---|---|---|
page | which page to bring the data from. Default is 1. | Optional |
page_size | number of pages to bring data from. Default is 10. | Optional |
q | query. | Optional |
object_id | object_id. Default is "". | Optional |
object_type | object_type. Default is "". | Optional |
tag_id | tag_id. Default is "". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.TagUpdation.message | unknown | Result of the remove indicator tag request |
#
Command Example!ctix-remove-tag-from-indicator object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator tag_id=fb35000b-82e7-4440-8f18-8b63bba5b372
#
Context Example#
ctix-search-for-tagSearch for tag
#
Base Commandctix-search-for-tag
#
InputArgument Name | Description | Required |
---|---|---|
page | number of page from where data needs to brought. Default is 1. | Optional |
page_size | size of the result. Default is 10. | Optional |
q | query. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.SearchTag.colour_code | unknown | Colour code of the tag |
CTIX.SearchTag.created | number | Timestamp of when the tag was created |
CTIX.SearchTag.created_by | unknown | details of the person who created the tag |
CTIX.SearchTag.id | string | ID of the tag |
CTIX.SearchTag.modified | number | Timestamp of when the tag was modified |
CTIX.SearchTag.modified_by | unknown | Details of the person who modified the tag |
CTIX.SearchTag.name | unknown | Name of the tag |
CTIX.SearchTag.type | unknown | type of the tag |
#
Command Example!ctix-search-for-tag q=xsoar_test_trial
#
Context Example#
ctix-get-indicator-detailsGet Indicator Details
#
Base Commandctix-get-indicator-details
#
InputArgument Name | Description | Required |
---|---|---|
page | from where data has to be brought. Default is 1. | Optional |
page_size | total number of results. Default is 10. | Optional |
object_id | object id. Default is "". | Optional |
object_type | object type. Default is "". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.IndicatorDetails.aliases | string | Aliases of the tag if any |
CTIX.IndicatorDetails.analyst_description | string | Analyst description provided if any |
CTIX.IndicatorDetails.analyst_score | number | Analyst score of the indicator |
CTIX.IndicatorDetails.analyst_tlp | string | Analyst provided TLP on the indicator |
CTIX.IndicatorDetails.asn | string | ASN of the indicator |
CTIX.IndicatorDetails.attribute_field | string | Attribute field of the indicator |
CTIX.IndicatorDetails.attribute_value | string | Attribute value of the indicator |
CTIX.IndicatorDetails.base_type | string | Base type of the indicator |
CTIX.IndicatorDetails.confidence_score | number | Confidence score of the IOC |
CTIX.IndicatorDetails.confidence_type | string | Confidence type of the IOC |
CTIX.IndicatorDetails.country | string | Country of origin of the IOC |
CTIX.IndicatorDetails.created | number | Timestamp of when the indicator was created |
CTIX.IndicatorDetails.ctix_created | number | Timestamp of when the indicator was created in CTIX |
CTIX.IndicatorDetails.ctix_modified | number | Timestamp of when the indicator was modified in CTIX |
CTIX.IndicatorDetails.ctix_score | number | CTIX score of the indicator |
CTIX.IndicatorDetails.ctix_tlp | string | CTIX assigned TLP of the indicator |
CTIX.IndicatorDetails.defang_analyst_description | string | Defanged analyst description of the indicator |
CTIX.IndicatorDetails.description | string | Description of the indicator |
CTIX.IndicatorDetails.fang_analyst_description | string | Fang analyst description of the indicator |
CTIX.IndicatorDetails.first_seen | number | Timestamp of then the indicator was first seen |
CTIX.IndicatorDetails.last_seen | number | Timestamp of then the indicator was last seen |
CTIX.IndicatorDetails.modified | number | Timestamp of then the indicator was modified |
CTIX.IndicatorDetails.name | string | Name of the indicator |
CTIX.IndicatorDetails.pattern | string | STIX pattern of the indicator |
CTIX.IndicatorDetails.pattern_type | string | pattern type of the indicator |
CTIX.IndicatorDetails.pattern_version | string | STIX pattern version |
CTIX.IndicatorDetails.sources | unknown | Sources of the indicator |
CTIX.IndicatorDetails.sub_type | string | Sub type of the indicator |
CTIX.IndicatorDetails.tld | string | TLD of the indicator |
CTIX.IndicatorDetails.tlp | string | TLP of the indicator |
CTIX.IndicatorDetails.type | string | Type of the indicator |
CTIX.IndicatorDetails.types | string | Types of the indicator |
CTIX.IndicatorDetails.valid_from | number | Timestamp of the indicator from then it was valid |
CTIX.IndicatorDetails.valid_until | unknown | Timestamp of the indicator till |
#
Command Example!ctix-get-indicator-details object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator
#
Context Example#
ctix-get-indicator-tagsGet Indicator Tags
#
Base Commandctix-get-indicator-tags
#
InputArgument Name | Description | Required |
---|---|---|
object_id | object id. Default is "". | Optional |
object_type | object type. Default is "". | Optional |
page | page. Default is 1. | Optional |
page_size | page size. Default is 10. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.IndicatorTags.notes | unknown | Notes on the indicator's tag |
CTIX.IndicatorTags.is_deprecated | boolean | If the indicator's tag deprecated or not |
CTIX.IndicatorTags.is_revoked | boolean | If the indicator's tag revoked or not |
CTIX.IndicatorTags.ctix_created | number | Timestamp of when the Indicator tag was created in CTIX |
CTIX.IndicatorTags.is_false_positive | boolean | If the indicator's tag is false positive or not |
CTIX.IndicatorTags.name | string | Name of the indicator |
CTIX.IndicatorTags.is_reviewed | boolean | If the indicator reviewed or not |
CTIX.IndicatorTags.is_whitelisted | boolean | If the indicator whitelisted or not |
CTIX.IndicatorTags.is_under_review | boolean | If the indicator is under review or not |
CTIX.IndicatorTags.is_watchlist | boolean | If the indicator is under watchlist or not |
CTIX.IndicatorTags.tags | unknown | Tags of the indicator |
CTIX.IndicatorTags.sub_type | unknown | Sub type of the indicator |
CTIX.IndicatorTags.type | unknown | Type of Indicator |
#
Command Example!ctix-get-indicator-tags object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator
#
Context Example#
ctix-get-indicator-relationsGet Indicator Relations
#
Base Commandctix-get-indicator-relations
#
InputArgument Name | Description | Required |
---|---|---|
page | page. Default is 1. | Optional |
page_size | page size. Default is 10. | Optional |
object_id | object id. Default is "". | Optional |
object_type | object type. Default is "". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.IndicatorRelations.relationship_type | unknown | Indicator relation types |
CTIX.IndicatorRelations.sources | unknown | Indicator sources |
CTIX.IndicatorRelations.target_ref | unknown | Indicator target reference |
#
Command Example!ctix-get-indicator-relations object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator
#
Context Example#
ctix-get-indicator-observationsGet Indicator Observations
#
Base Commandctix-get-indicator-observations
#
InputArgument Name | Description | Required |
---|---|---|
page | page. | Optional |
page_size | page size. | Optional |
object_id | object id. | Optional |
object_type | object type. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.IndicatorObservations.custom_attributes | unknown | Custom attributes if any |
CTIX.IndicatorObservations.ctix_modified | number | Timestamp when indicator was modified in CTIX |
CTIX.IndicatorObservations.created | number | Timestamp when indicator was created |
CTIX.IndicatorObservations.pattern_type | string | Pattern type of Indicator |
CTIX.IndicatorObservations.modified | number | Timestamp when indicator was modified |
CTIX.IndicatorObservations.ctix_created | number | Timestamp when indicator was created in CTIX |
CTIX.IndicatorObservations.pattern_version | string | STIX Pattern version of indicator |
CTIX.IndicatorObservations.confidence | string | Confidence level of the indicator |
CTIX.IndicatorObservations.valid_from | number | Timestamp when indicator was valid from |
CTIX.IndicatorObservations.pattern | string | STIX pattern |
CTIX.IndicatorObservations.fang_description | string | FANG description |
CTIX.IndicatorObservations.defang_description | string | DEFANG description |
CTIX.IndicatorObservations.spec_version | string | STIX Spec version |
CTIX.IndicatorObservations.tags | unknown | Tags attached to the indicator |
CTIX.IndicatorObservations.received_id | string | STIX ID when indicator was received |
CTIX.IndicatorObservations.types | unknown | STIX Types attached to the indicator |
CTIX.IndicatorObservations.source | unknown | STIX source of the indicator |
CTIX.IndicatorObservations.id | string | id of the indicator |
CTIX.IndicatorObservations.valid_until | number | Timestamp till when the indicator is valid |
CTIX.IndicatorObservations.sco_object_id | unknown | SCO object ID |
CTIX.IndicatorObservations.unique_hash | unknown | unique hash of the indicator |
CTIX.IndicatorObservations.description | unknown | description of the indicator |
CTIX.IndicatorObservations.granular_markings | unknown | Granular Markings if any |
CTIX.IndicatorObservations.collection | unknown | Collection details of the indicator |
#
Command Example!ctix-get-indicator-observations object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator
#
Context Example#
ctix-get-conversion-feed-source#
Base Commandctix-get-conversion-feed-source
#
InputArgument Name | Description | Required |
---|---|---|
page | page. Default is 1. | Optional |
page_size | page size. Default is 10. | Optional |
object_id | object id. | Optional |
object_type | object type. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.ConversionFeedSource.created | number | Indicator creation timestamp |
CTIX.ConversionFeedSource.id | string | ID of the indicator |
CTIX.ConversionFeedSource.name | string | name of the indicator |
CTIX.ConversionFeedSource.taxii_option | string | TAXII option |
#
Command Example!ctix-get-conversion-feed-source object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator
#
Context Example#
ctix-get-lookup-threat-dataLookup to get threat data
#
Base Commandctix-get-lookup-threat-data
#
InputArgument Name | Description | Required |
---|---|---|
object_type | object type. | Optional |
object_names | Will contain the SDO values. Example: If you need to get the object_ids of indicator 127.0.0.1 then the value will be 127.0.0.1. | Optional |
page_size | size of the page. Default is 10. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.ThreatDataLookup.analyst_score | number | Analyst score of the indicator |
CTIX.ThreatDataLookup.analyst_tlp | string | Analyst TLP of the indicator |
CTIX.ThreatDataLookup.confidence_score | number | Confidence score of the indicator |
CTIX.ThreatDataLookup.confidence_type | string | Confidence type of the indicator |
CTIX.ThreatDataLookup.country | string | Indicator origin country |
CTIX.ThreatDataLookup.created | number | Timestamp of when the indicator was created |
CTIX.ThreatDataLookup.ctix_created | number | Timestamp of when the indicator was created in CTIX |
CTIX.ThreatDataLookup.ctix_modified | number | Timestamp of when the indicator was modified in CTIX |
CTIX.ThreatDataLookup.first_seen | number | Timestamp of when the indicator was first seen |
CTIX.ThreatDataLookup.id | string | Indicator ID |
CTIX.ThreatDataLookup.indicator_type | string | Indicator type |
CTIX.ThreatDataLookup.ioc_type | string | IOC type |
CTIX.ThreatDataLookup.is_actioned | boolean | Is actioned |
CTIX.ThreatDataLookup.is_deprecated | boolean | is deprecated |
CTIX.ThreatDataLookup.is_false_positive | boolean | is false positive |
CTIX.ThreatDataLookup.is_reviewed | boolean | is reviewed |
CTIX.ThreatDataLookup.is_revoked | boolean | is revoked |
CTIX.ThreatDataLookup.is_watchlist | boolean | is watchlisted |
CTIX.ThreatDataLookup.is_whitelisted | boolean | is allowed |
CTIX.ThreatDataLookup.last_seen | number | Timestamp of when the indicator was last seen |
CTIX.ThreatDataLookup.modified | number | Timestamp of when the indicator was modified |
CTIX.ThreatDataLookup.name | string | name of the indicator |
CTIX.ThreatDataLookup.null | unknown | null |
CTIX.ThreatDataLookup.primary_attribute | string | Primary Attribute |
CTIX.ThreatDataLookup.published_collections | unknown | published collections |
CTIX.ThreatDataLookup.risk_severity | string | Risk severity |
CTIX.ThreatDataLookup.source_collections | unknown | sources collections |
CTIX.ThreatDataLookup.source_confidence | string | Source confidence |
CTIX.ThreatDataLookup.sources | unknown | sources |
CTIX.ThreatDataLookup.sub_type | string | Sub type |
CTIX.ThreatDataLookup.subscriber_collections | unknown | subscriber collections |
CTIX.ThreatDataLookup.subscribers | unknown | subscribers |
CTIX.ThreatDataLookup.tags | unknown | Tags |
CTIX.ThreatDataLookup.tlp | string | TLP |
CTIX.ThreatDataLookup.type | string | Type |
CTIX.ThreatDataLookup.valid_from | number | Timestamp from when the indicator was valid |
CTIX.ThreatDataLookup.valid_until | number | Timestamp till when the indicator was valid |
#
Command example!ctix-get-lookup-threat-data object_names=example.com,3.4.5.6 object_type=indicator
#
Context Example#
Human Readable Output#
Lookup Data
confidence_score confidence_type created ctix_created ctix_modified id indicator_type ioc_type is_actioned is_deprecated is_false_positive is_reviewed is_revoked is_watchlist is_whitelisted modified name severity source_collections source_confidence sources sub_type tags tlp type valid_from 100 ctix 1674080000 1674080000 1674080000 6779a969-6404-4dd7-97ef-dec877c03c4f domain-name domain-name false false false false false false false 1674080001 example.com UNKNOWN {'id': 'a9d67cc1-5de8-460b-8bf4-63abc7ceaa54', 'name': 'anotherone (OpenAPI)'} HIGH {'id': '38102b0e-1af4-4ee2-a62e-dd5f2ffaff5a', 'name': 'testing (OpenAPI)', 'source_type': 'MISCELLANEOUS'} value {'colour_code': '#5236E2', 'id': '9635c41b-80fb-4a98-a1f3-e5796c72bb29', 'name': 'created_using_openapi_lookup'} AMBER indicator 1674080000
#
ctix-get-create-threat-dataGets or creates threat data
#
Base Commandctix-get-create-threat-data
#
InputArgument Name | Description | Required |
---|---|---|
object_type | object type. | Optional |
object_names | Will contain the SDO values. Example: If you need to get the object_ids of indicator 127.0.0.1 then the value will be 127.0.0.1. | Required |
page_size | size of the page. Default is 10. | Optional |
source | The source of the threat data. | Optional |
collection | The collection to store the threat data in. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.ThreatDataGetCreate.Found.analyst_score | number | Analyst score of the indicator |
CTIX.ThreatDataGetCreate.Found.analyst_tlp | string | Analyst TLP of the indicator |
CTIX.ThreatDataGetCreate.Found.confidence_score | number | Confidence score of the indicator |
CTIX.ThreatDataGetCreate.Found.confidence_type | string | Confidence type of the indicator |
CTIX.ThreatDataGetCreate.Found.country | string | Indicator origin country |
CTIX.ThreatDataGetCreate.Found.created | number | Timestamp of when the indicator was created |
CTIX.ThreatDataGetCreate.Found.ctix_created | number | Timestamp of when the indicator was created in CTIX |
CTIX.ThreatDataGetCreate.Found.ctix_modified | number | Timestamp of when the indicator was modified in CTIX |
CTIX.ThreatDataGetCreate.Found.first_seen | number | Timestamp of when the indicator was first seen |
CTIX.ThreatDataGetCreate.Found.id | string | Indicator ID |
CTIX.ThreatDataGetCreate.Found.indicator_type | string | Indicator type |
CTIX.ThreatDataGetCreate.Found.ioc_type | string | IOC type |
CTIX.ThreatDataGetCreate.Found.is_actioned | boolean | Is actioned |
CTIX.ThreatDataGetCreate.Found.is_deprecated | boolean | is deprecated |
CTIX.ThreatDataGetCreate.Found.is_false_positive | boolean | is false positive |
CTIX.ThreatDataGetCreate.Found.is_reviewed | boolean | is reviewed |
CTIX.ThreatDataGetCreate.Found.is_revoked | boolean | is revoked |
CTIX.ThreatDataGetCreate.Found.is_watchlist | boolean | is watchlisted |
CTIX.ThreatDataGetCreate.Found.is_whitelisted | boolean | is allowed |
CTIX.ThreatDataGetCreate.Found.last_seen | number | Timestamp of when the indicator was last seen |
CTIX.ThreatDataGetCreate.Found.modified | number | Timestamp of when the indicator was modified |
CTIX.ThreatDataGetCreate.Found.name | string | name of the indicator |
CTIX.ThreatDataGetCreate.Found.null | unknown | null |
CTIX.ThreatDataGetCreate.Found.primary_attribute | string | Primary Attribute |
CTIX.ThreatDataGetCreate.Found.published_collections | unknown | published collections |
CTIX.ThreatDataGetCreate.Found.risk_severity | string | Risk severity |
CTIX.ThreatDataGetCreate.Found.source_collections | unknown | sources collections |
CTIX.ThreatDataGetCreate.Found.source_confidence | string | Source confidence |
CTIX.ThreatDataGetCreate.Found.sources | unknown | sources |
CTIX.ThreatDataGetCreate.Found.sub_type | string | Sub type |
CTIX.ThreatDataGetCreate.Found.subscriber_collections | unknown | subscriber collections |
CTIX.ThreatDataGetCreate.Found.subscribers | unknown | subscribers |
CTIX.ThreatDataGetCreate.Found.tags | unknown | Tags |
CTIX.ThreatDataGetCreate.Found.tlp | string | TLP |
CTIX.ThreatDataGetCreate.Found.type | string | Type |
CTIX.ThreatDataGetCreate.Found.valid_from | number | Timestamp from when the indicator was valid |
CTIX.ThreatDataGetCreate.Found.valid_until | number | Timestamp till when the indicator was valid |
CTIX.ThreatDataGetCreate.NotFoundCreated | string | IOCs that weren't found, and therefore were created |
CTIX.ThreatDataGetCreate.NotFoundInvalid | string | IOCs that were found to be invalid, so they were not created |
#
Command example!ctix-get-create-threat-data object_names=example.com,x.x.x.x,zzzzz collection=some_collection source=some_source
#
Context Example#
Human Readable Output#
Not Found: Invalid
Name zzzzz
#
domainLookup domain threat data
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
#
Base Commanddomain
#
InputArgument Name | Description | Required |
---|---|---|
domain | Will contain domain SDO values. Example: If you need to get the object_ids of indicator example.com then the value will be example.com. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
Domain.Name | String | The domain name, for example: "google.com". |
#
Command example!domain domain="example.com" using="CTIX v3 Beta_instance"
#
Context Example#
Human Readable Output#
Lookup Data
confidence_score confidence_type created ctix_created ctix_modified id indicator_type ioc_type is_actioned is_deprecated is_false_positive is_reviewed is_revoked is_watchlist is_whitelisted modified name risk_severity source_collections source_confidence sources sub_type tlp type valid_from 31 ctix 1666709826 1666874647 1670548277 10104a10-74a9-45d7-a412-f11531d64a38 domain-name domain-name false false false false false false false 1667442806 example.com UNKNOWN {'id': '2a5a9989-030d-466b-b676-223d2b1f4d1e', 'name': 'Indicators v4'},
{'id': '5f4230a4-cc3a-4d32-b3ee-c53a373e2a8f', 'name': 'https://www.example.com/index.xml'},
{'id': '2dc18ee7-ee80-4fa7-953d-4df824f8e8ce', 'name': 'https://www.example.com/index.xml'}MEDIUM {'id': '131392bb-ecdf-45ae-8f22-b1160cf03401', 'name': 'Mandiant Threat Intelligence', 'source_type': 'API_FEEDS'},
{'id': '87e622e3-e8e5-4692-9b79-00efead3f874', 'name': 'https://www.example.com/index.xml', 'source_type': 'RSS_FEED'},
{'id': '0647eb19-c559-4d27-a441-b70117315e18', 'name': 'https://www.example.com/index.xml', 'source_type': 'RSS_FEED'}value AMBER indicator 1530174464
#
ipLookup ip threat data
#
Base Commandip
#
InputArgument Name | Description | Required |
---|---|---|
ip | Will contain IP SDO values. Example: If you need to get the object_ids of indicator 1.2.3.4 then the value will be 1.2.3.4. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
IP.Address | String | The IP address, for example: 1.2.3.4. |
#
Command example!ip ip="x.x.x.x" using="CTIX v3 Beta_instance"
#
Context Example#
Human Readable Output#
Lookup Data
confidence_score confidence_type country created ctix_created ctix_modified id indicator_type ioc_type is_actioned is_deprecated is_false_positive is_reviewed is_revoked is_watchlist is_whitelisted modified name risk_severity source_collections source_confidence sources sub_type tags tlp type valid_from 100 ctix United States 1666710084 1666874647 1671604244 5c2517a2-759f-4eb8-b9fa-346ff20cfaaf ipv4-addr ipv4-addr false false false false false false false 1669170873 x.x.x.x UNKNOWN {'id': '2a5a9989-030d-466b-b676-223d2b1f4d1e', 'name': 'Indicators v4'},
{'id': 'fe150b23-6354-4a9b-8c27-202abc758ba3', 'name': 'NCAS JG Test'}HIGH {'id': '131392bb-ecdf-45ae-8f22-b1160cf03401', 'name': 'Mandiant Threat Intelligence', 'source_type': 'API_FEEDS'},
{'id': '50cbaaee-8083-494c-b42a-7c7fb73ca2dc', 'name': 'NCAS JG Test', 'source_type': 'RSS_FEED'}value {'colour_code': '#5236E2', 'id': 'f82fa004-75cc-4824-b129-914ec13728b5', 'name': 'Destruction'} AMBER indicator 1409607591
#
fileLookup file threat data
#
Base Commandfile
#
InputArgument Name | Description | Required |
---|---|---|
file | Will contain file SDO values. Example: If you need to get the object_ids of a file hash 3ed0a30799543fa2c3a913c7985bffed then the value will be 3ed0a30799543fa2c3a913c7985bffed. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
#
Command example!file file="9c57753557ed258d731987834c56fa4c" using="CTIX v3 Beta_instance"
#
Context Example#
Human Readable Output#
Lookup Data
confidence_score confidence_type created ctix_created ctix_modified id indicator_type ioc_type is_actioned is_deprecated is_false_positive is_reviewed is_revoked is_watchlist is_whitelisted modified name risk_severity source_collections source_confidence sources sub_type tlp type valid_from 100 ctix 1673710318 1674124925 1674124925 4ea5874d-0d6e-4a65-a8db-61d825d9fb8e file MD5 false false false false false false false 1673710318 9c57753557ed258d731987834c56fa4c UNKNOWN {'id': '2a5a9989-030d-466b-b676-223d2b1f4d1e', 'name': 'Indicators v4'} HIGH {'id': '131392bb-ecdf-45ae-8f22-b1160cf03401', 'name': 'Mandiant Threat Intelligence', 'source_type': 'API_FEEDS'} MD5 AMBER indicator 1671281161
#
urlLookup url threat data
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
#
Base Commandurl
#
InputArgument Name | Description | Required |
---|---|---|
url | Will contain URL SDO values. Example: If you need to get the object_ids of a URL https://cyware.com/ then the value will be https://cyware.com/. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
URL.Data | String | The URL |
#
Command example!url url="http://example.com/" using="CTIX v3 Beta_instance"
#
Context Example#
Human Readable Output#
Lookup Data
confidence_score confidence_type created ctix_created ctix_modified id indicator_type ioc_type is_actioned is_deprecated is_false_positive is_reviewed is_revoked is_watchlist is_whitelisted modified name published_collections risk_severity source_collections source_confidence sources sub_type tlp type valid_from 100 ctix 1674166009 1674166009 1674166009 dcada258-5fc2-4c42-b7d6-e8ffda6c5a9e url url false false false false false false false 1674166010 http://example.com/ {'id': 'ad842594-8faa-49fb-841e-7ff99a685718', 'name': None} UNKNOWN {'id': '5432c580-e1f9-40c3-b40a-a47686dfcf22', 'name': 'Free Text'} HIGH {'id': '7eb93036-688e-4916-ab1f-fe9015c16b78', 'name': 'Import', 'source_type': 'CUSTOM_STIX_SOURCES'} value AMBER indicator 1674166009
#
ctix-get-all-notesGet paginated list of Notes
#
Base Commandctix-get-all-notes
#
InputArgument Name | Description | Required |
---|---|---|
object_id | if set, this will only retrieve Notes associated with the Threat Data object with ID=object_id . | Optional |
page | the page number of the Notes to look up, default is the first page. Default is 1. | Optional |
page_size | size of the result. Default is 10. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.Note.created | integer | The timestamp when the Note was created |
CTIX.Note.created_by | unknown | The user who created the Note |
CTIX.Note.created_by.email | string | The email of the user who created the Note |
CTIX.Note.created_by.first_name | string | The first name of the user who created the Note |
CTIX.Note.created_by.id | string | The ID of the user who created the Note |
CTIX.Note.created_by.last_name | string | The last name of the user who created the Note |
CTIX.Note.id | string | The ID of the Note |
CTIX.Note.is_json | boolean | A flag indicating whether the Note is in JSON format |
CTIX.Note.meta_data | unknown | Meta data for the Note |
CTIX.Note.meta_data.component | string | The component for the Note |
CTIX.Note.modified | integer | The timestamp when the Note was last modified |
CTIX.Note.modified_by | unknown | The user who last modified the Note |
CTIX.Note.modified_by.email | string | The email of the user who last modified the Note |
CTIX.Note.modified_by.first_name | string | The first name of the user who last modified the Note |
CTIX.Note.modified_by.id | string | The ID of the user who last modified the Note |
CTIX.Note.modified_by.last_name | string | The last name of the user who last modified the Note |
CTIX.Note.object_id | string | The object ID of the Note |
CTIX.Note.text | string | The text of the Note |
CTIX.Note.title | string | The title of the Note |
CTIX.Note.type | string | The type of the Note |
#
Command example!ctix-get-all-notes page_size=1
#
Context Example#
Human Readable Output#
Note Data
created created_by id is_json meta_data modified modified_by object_id text type 1674173772 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: userf8f67182-bf72-47df-9a90-31b2bd829a9d false component: threatdata
object_id: ba82b524-15b3-4071-8008-e58754f8d134
type: indicator1674173772 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: userba82b524-15b3-4071-8008-e58754f8d134 this is the old text threatdata
#
ctix-get-note-detailsGet details of a Note as specified by its ID
#
Base Commandctix-get-note-details
#
InputArgument Name | Description | Required |
---|---|---|
id | the id of the Note. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.Note.created | integer | The timestamp when the Note was created |
CTIX.Note.created_by | unknown | The user who created the Note |
CTIX.Note.created_by.email | string | The email of the user who created the Note |
CTIX.Note.created_by.first_name | string | The first name of the user who created the Note |
CTIX.Note.created_by.id | string | The ID of the user who created the Note |
CTIX.Note.created_by.last_name | string | The last name of the user who created the Note |
CTIX.Note.id | string | The ID of the Note |
CTIX.Note.is_json | boolean | A flag indicating whether the Note is in JSON format |
CTIX.Note.meta_data | unknown | Meta data for the Note |
CTIX.Note.meta_data.component | string | The component for the Note |
CTIX.Note.modified | integer | The timestamp when the Note was last modified |
CTIX.Note.modified_by | unknown | The user who last modified the Note |
CTIX.Note.modified_by.email | string | The email of the user who last modified the Note |
CTIX.Note.modified_by.first_name | string | The first name of the user who last modified the Note |
CTIX.Note.modified_by.id | string | The ID of the user who last modified the Note |
CTIX.Note.modified_by.last_name | string | The last name of the user who last modified the Note |
CTIX.Note.object_id | string | The object ID of the Note |
CTIX.Note.text | string | The text of the Note |
CTIX.Note.title | string | The title of the Note |
CTIX.Note.type | string | The type of the Note |
#
Command example!ctix-get-note-details id="7d739870-ce7d-415b-bbbf-25f4bbc6be66"
#
Context Example#
Human Readable Output#
Note Detail Data
created created_by id is_json meta_data modified modified_by object_id text type 1671821868 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user7d739870-ce7d-415b-bbbf-25f4bbc6be66 false component: threatdata
object_id: fake
type: indicator1674173787 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: userfake this is the new text threatdata
#
ctix-create-noteCreates a new Note from the parameter 'text'
#
Base Commandctix-create-note
#
InputArgument Name | Description | Required |
---|---|---|
text | the text that you want the note to have. | Required |
object_id | if set, will associate Note to the Threat Data object with the provided ID. | Optional |
object_type | only required if object_id is set, used to specify the type of object object_id is. Possible values are: indicator, malware, threat-actor, vulnerability, attack-pattern, campaign, course-of-action, identity, infrastructure, intrusion-set, location, malware-analysis, observed-data, opinion, tool, report, custom-object, observable, incident, note. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.Note.created | integer | The timestamp when the Note was created |
CTIX.Note.created_by | unknown | The user who created the Note |
CTIX.Note.created_by.email | string | The email of the user who created the Note |
CTIX.Note.created_by.first_name | string | The first name of the user who created the Note |
CTIX.Note.created_by.id | string | The ID of the user who created the Note |
CTIX.Note.created_by.last_name | string | The last name of the user who created the Note |
CTIX.Note.id | string | The ID of the Note |
CTIX.Note.is_json | boolean | A flag indicating whether the Note is in JSON format |
CTIX.Note.meta_data | unknown | Meta data for the Note |
CTIX.Note.meta_data.component | string | The component for the Note |
CTIX.Note.modified | integer | The timestamp when the Note was last modified |
CTIX.Note.modified_by | unknown | The user who last modified the Note |
CTIX.Note.modified_by.email | string | The email of the user who last modified the Note |
CTIX.Note.modified_by.first_name | string | The first name of the user who last modified the Note |
CTIX.Note.modified_by.id | string | The ID of the user who last modified the Note |
CTIX.Note.modified_by.last_name | string | The last name of the user who last modified the Note |
CTIX.Note.object_id | string | The object ID of the Note |
CTIX.Note.text | string | The text of the Note |
CTIX.Note.title | string | The title of the Note |
CTIX.Note.type | string | The type of the Note |
#
Command example!ctix-create-note text="hello world x100"
#
Context Example#
Human Readable Output#
Created Note Data
created created_by id is_json meta_data modified modified_by text type 1674173831 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user35ee1841-8357-43e0-b372-aff9800cdc55 false component: notes 1674173831 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: userhello world x100 notes
#
Command example!ctix-create-note text="hello world x100" object_id="da1a6268-e589-4231-a334-68fb0c2cc1e0" object_type=indicator
#
Context Example#
Human Readable Output#
Created Note Data
created created_by id is_json meta_data modified modified_by object_id text type 1674173838 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: usere5584583-6d45-4fe8-82b4-a802007c38f0 false component: threatdata
object_id: da1a6268-e589-4231-a334-68fb0c2cc1e0
type: indicator1674173838 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: userda1a6268-e589-4231-a334-68fb0c2cc1e0 hello world x100 threatdata
#
ctix-update-noteUpdates the Note text from an existing Note, as specified by its ID
#
Base Commandctix-update-note
#
InputArgument Name | Description | Required |
---|---|---|
id | the id of the Note. | Required |
text | the updated text that you want the note to have. | Optional |
object_id | if set, will associate Note to the Threat Data object with the provided ID. | Optional |
object_type | only required if object_id is set, used to specify the type of object object_id is. Possible values are: indicator, malware, threat-actor, vulnerability, attack-pattern, campaign, course-of-action, identity, infrastructure, intrusion-set, location, malware-analysis, observed-data, opinion, tool, report, custom-object, observable, incident, note. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.Note.created | integer | The timestamp when the Note was created |
CTIX.Note.created_by | unknown | The user who created the Note |
CTIX.Note.created_by.email | string | The email of the user who created the Note |
CTIX.Note.created_by.first_name | string | The first name of the user who created the Note |
CTIX.Note.created_by.id | string | The ID of the user who created the Note |
CTIX.Note.created_by.last_name | string | The last name of the user who created the Note |
CTIX.Note.id | string | The ID of the Note |
CTIX.Note.is_json | boolean | A flag indicating whether the Note is in JSON format |
CTIX.Note.meta_data | unknown | Meta data for the Note |
CTIX.Note.meta_data.component | string | The component for the Note |
CTIX.Note.modified | integer | The timestamp when the Note was last modified |
CTIX.Note.modified_by | unknown | The user who last modified the Note |
CTIX.Note.modified_by.email | string | The email of the user who last modified the Note |
CTIX.Note.modified_by.first_name | string | The first name of the user who last modified the Note |
CTIX.Note.modified_by.id | string | The ID of the user who last modified the Note |
CTIX.Note.modified_by.last_name | string | The last name of the user who last modified the Note |
CTIX.Note.object_id | string | The object ID of the Note |
CTIX.Note.text | string | The text of the Note |
CTIX.Note.title | string | The title of the Note |
CTIX.Note.type | string | The type of the Note |
#
Command example!ctix-update-note id="7d739870-ce7d-415b-bbbf-25f4bbc6be66" text="this is a test"
#
Context Example#
Human Readable Output#
Updated Note Data
created created_by id is_json meta_data modified modified_by object_id text type 1671821868 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user7d739870-ce7d-415b-bbbf-25f4bbc6be66 false component: threatdata
object_id: fake
type: indicator1674173815 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: userfake this is a test threatdata
#
Command example!ctix-update-note id="7d739870-ce7d-415b-bbbf-25f4bbc6be66" object_id="da1a6268-e589-4231-a334-68fb0c2cc1e0" object_type=indicator
#
Context Example#
Human Readable Output#
Updated Note Data
created created_by id is_json meta_data modified modified_by object_id text type 1671821868 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user7d739870-ce7d-415b-bbbf-25f4bbc6be66 false component: threatdata
object_id: fake
type: indicator1674173824 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: userda1a6268-e589-4231-a334-68fb0c2cc1e0 this is a test threatdata
#
ctix-delete-noteDeletes an existing Note, as specified by its ID
#
Base Commandctix-delete-note
#
InputArgument Name | Description | Required |
---|---|---|
id | the id of the Note. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.Note.deletion.details | string | Returns "success" if the deletion request was successful, otherwise "failure" |
#
Command example!ctix-delete-note id="7d739870-ce7d-415b-bbbf-25f4bbc6be66"
#
Context Example#
Human Readable Output#
Deleted Note Data
details success
#
ctix-make-requestallows you to make any HTTP request using CTIX endpoints
#
Base Commandctix-make-request
#
InputArgument Name | Description | Required |
---|---|---|
type | the HTTP method you would like to call. Possible values are: GET, POST, PUT, DELETE. | Required |
endpoint | URL suffix of the API call to CTIX. | Required |
body | any data you would like to pass, in JSON format. | Optional |
params | any parameters you would like to pass, in JSON format. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!ctix-make-request type=POST endpoint=ingestion/notes/ body="{\"text\": \"this is the old text\",\"type\": \"threatdata\",\"meta_data\": {\"component\": \"threatdata\",\"object_id\": \"ba82b524-15b3-4071-8008-e58754f8d134\",\"type\": \"indicator\"},\"object_id\": \"ba82b524-15b3-4071-8008-e58754f8d134\"}"
#
Context Example#
Human Readable Output#
HTTP Response Data
created created_by id is_json meta_data modified modified_by object_id text type 1674173772 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: userf8f67182-bf72-47df-9a90-31b2bd829a9d false component: threatdata
object_id: ba82b524-15b3-4071-8008-e58754f8d134
type: indicator1674173772 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: userba82b524-15b3-4071-8008-e58754f8d134 this is the old text threatdata
#
Command example!ctix-make-request type=GET endpoint=ingestion/notes/ params="{\"page\": 1, \"page_size\": 1}"
#
Context Example#
Human Readable Output#
HTTP Response Data
created created_by id is_json meta_data modified modified_by object_id text type 1674173772 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: userf8f67182-bf72-47df-9a90-31b2bd829a9d false component: threatdata
object_id: ba82b524-15b3-4071-8008-e58754f8d134
type: indicator1674173772 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: userba82b524-15b3-4071-8008-e58754f8d134 this is the old text threatdata
#
Command example!ctix-make-request type=PUT endpoint=ingestion/notes/7d739870-ce7d-415b-bbbf-25f4bbc6be66/ body="{\"text\": \"this is the new text\"}"
#
Context Example#
Human Readable Output#
HTTP Response Data
created created_by id is_json meta_data modified modified_by object_id text type 1671821868 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: user7d739870-ce7d-415b-bbbf-25f4bbc6be66 false component: threatdata
object_id: fake
type: indicator1674173787 email: some.user@example.com
first_name: some
id: 5b03c17e-a1f8-43ab-b0d5-9e178fb95c4a
last_name: userfake this is the new text threatdata
#
Command example!ctix-make-request type=DELETE endpoint=ingestion/notes/1e2f348b-8168-4330-933b-24263ab9116a/
#
Context Example#
Human Readable Output#
HTTP Response Data
details success
#
ctix-get-vulnerability-dataLookup vulnerability info
#
Base Commandctix-get-vulnerability-data
#
InputArgument Name | Description | Required |
---|---|---|
cve | The CVE identifier to look up information about | Required |
extra_fields | A comma separated list of extra fields to return in the response | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.VulnerabilityLookup.cpes | string | CPEs |
CTIX.VulnerabilityLookup.cvss2 | number | CVSS2 |
CTIX.VulnerabilityLookup.cvss3 | number | CVSS3 |
CTIX.VulnerabilityLookup.dbot_reputation | integer | DbotReputation |
CTIX.VulnerabilityLookup.description | string | Description |
CTIX.VulnerabilityLookup.last_modified | string | LastModified |
CTIX.VulnerabilityLookup.created | string | LastPublished |
CTIX.VulnerabilityLookup.name | string | Name |
CTIX.VulnerabilityLookup.uuid | string | UUID |
CTIX.VulnerabilityLookup.extra_data | string | Extra data |
#
Command example`!ctix-get-vulnerability-data cve=CVE-2023-30837
#
Human Readable Output#
HTTP Response Data
cpes | cvss2 | cvss3 | dbot_reputation | description | extra_data | last_modified | last_published | name |
---|---|---|---|---|---|---|---|---|
cpe:2.3🅰️vyper_project:vyper:::::::: | None | None | 3 | Remote exploitation of a design error vulnerability in Vyper_project Vyper could could allow an attacker to cause a Denial of Service (DoS) condition on the targeted host. A design error vulnerability has been identified in Vyper. Specifically, this issue occurs due to storage allocator overflow. Further details are not available at the time of this writing. ACTI will update this report as more details become available. | {} | 2023-05-08 05:48:58 | 2023-05-08 05:48:58 | CVE-2023-30837 |
#
cveLookup vulnerability info
#
Base Commandcve
#
InputArgument Name | Description | Required |
---|---|---|
cve | The CVE identifier to look up information about | Required |
extra_fields | A comma separated list of extra fields to return in the response | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CTIX.VulnerabilityLookup.cpes | string | CPEs |
CTIX.VulnerabilityLookup.cvss2 | number | CVSS2 |
CTIX.VulnerabilityLookup.cvss3 | number | CVSS3 |
CTIX.VulnerabilityLookup.dbot_reputation | integer | DbotReputation |
CTIX.VulnerabilityLookup.description | string | Description |
CTIX.VulnerabilityLookup.last_modified | string | LastModified |
CTIX.VulnerabilityLookup.created | string | LastPublished |
CTIX.VulnerabilityLookup.name | string | Name |
CTIX.VulnerabilityLookup.uuid | string | UUID |
CTIX.VulnerabilityLookup.extra_data | string | Extra data |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
#
Command example`!cve cve=CVE-2023-30837
#
Human Readable Output#
HTTP Response Data
cpes | cvss2 | cvss3 | dbot_reputation | description | extra_data | last_modified | last_published | name |
---|---|---|---|---|---|---|---|---|
cpe:2.3🅰️vyper_project:vyper:::::::: | None | None | 3 | Remote exploitation of a design error vulnerability in Vyper_project Vyper could could allow an attacker to cause a Denial of Service (DoS) condition on the targeted host. A design error vulnerability has been identified in Vyper. Specifically, this issue occurs due to storage allocator overflow. Further details are not available at the time of this writing. ACTI will update this report as more details become available. | {} | 2023-05-08 05:48:58 | 2023-05-08 05:48:58 | CVE-2023-30837 |