# CTIX v3

This integration is part of the CTIX Pack.

This is the Threat Intelligence eXchange (CTIX) integration, which enriches IP, domain, URL and file data. This integration was integrated and tested with version 3.0.0 of CTIX.

## Configure CTIX on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for CTIX.
3. Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
Endpoint URL | Enter the endpoint URL of your CTIX instance. | True |
Access Key | Enter the Access Key from the CTIX application. | True |
Secret Key | Enter the Secret Key from the CTIX application. | True |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |
Fetch incidents | | False |
Incidents Fetch Interval | | False |
Incident type | | False |

4. Click Test to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### ctix-create-tag

Creates a new tag in the CTIX platform.

#### Base Command

`ctix-create-tag`

#### Input

Argument Name | Description | Required |
---|---|---|
tag_name | New tag's name. | Required |
color_code | New tag's hex colour code, e.g. #111111. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.Tag.name | string | Name of the tag |
CTIX.Tag.tag_type | string | Type of the tag (manual) |
CTIX.Tag.colour_code | string | Colour code of the tag |
CTIX.Tag.id | string | ID of the created tag |
CTIX.Tag.created | number | Created-at timestamp |
CTIX.Tag.modified | number | Modified-at timestamp |

#### Command Example

`!ctix-create-tag tag_name=xsoar_test_trial color_code=#95A1B1`

#### Context Example
### ctix-get-tags

Gets a paginated list of tags.

#### Base Command

`ctix-get-tags`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page number for pagination. Default is 1. | Optional |
page_size | Page size for pagination. Default is 10. | Optional |
q | Search query parameter. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.Tag.name | string | Name of the tag |
CTIX.Tag.id | string | ID of the tag |
CTIX.Tag.colour_code | string | Hex colour code associated with the tag |
CTIX.Tag.tag_type | string | Type of the tag |
CTIX.Tag.created | number | Created-at timestamp |
CTIX.Tag.modified | number | Modified-at timestamp |

#### Command Example

`!ctix-get-tags`

#### Context Example
### ctix-delete-tag

Deletes the tag with the given tag_name.

#### Base Command

`ctix-delete-tag`

#### Input

Argument Name | Description | Required |
---|---|---|
tag_name | Name of the tag. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.DeleteTag.result | string | Status |

#### Command Example

`!ctix-delete-tag tag_name=xsoar_test_trial`

#### Context Example
### ctix-allowed-iocs

Adds a list of IOCs of the same type to the allowed list.

#### Base Command

`ctix-allowed-iocs`

#### Input

Argument Name | Description | Required |
---|---|---|
type | Type of IOC. Possible values are: ipv4-addr, ipv6-addr, autonomous-system, email-addr, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SSDEEP, url, cidr, domain-name, mutex, windows-registry-key, user-agent. | Required |
values | Comma-separated values of the given type. | Required |
reason | Descriptive reason. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.Details.invalid | unknown | Invalid IOCs sent in the request |
CTIX.Details.new_created | unknown | List of IOCs added to the whitelist |
CTIX.Details.already_exists | unknown | List of IOCs that already existed |

#### Command Example

`!ctix-allowed-iocs reason=test type="ipv4-addr" values=x.x.x.x,x.x.xx.x`

#### Context Example
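As an added example (not code from the CTIX integration or the CTIX API), the following pre-flight check validates the comma-separated `values` argument against the `type` names accepted by `!ctix-allowed-iocs`, so that malformed entries are caught in the playbook before they come back in `CTIX.Details.invalid`, and then summarizes the `CTIX.Details` lists the command returns. The syntax rules per type and the sample response are this example's own assumptions.

```python
# Added example, not part of the CTIX integration: syntax checks for the
# `type`/`values` arguments of !ctix-allowed-iocs and a one-line summary of the
# CTIX.Details.{invalid,new_created,already_exists} context the command returns.
# The per-type rules below are assumptions; the CTIX server is authoritative.
import ipaddress
import re
from typing import Dict, List

# Hex-digit lengths of the hash types listed for the `type` argument.
HASH_LENGTHS = {"MD5": 32, "SHA-1": 40, "SHA-224": 56, "SHA-256": 64,
                "SHA-384": 96, "SHA-512": 128}

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"^(https?|ftp)://\S+$", re.I)
SSDEEP_RE = re.compile(r"^\d+:[A-Za-z0-9/+]+:[A-Za-z0-9/+]+$")


def _is_ip(value: str, version: int) -> bool:
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def _is_cidr(value: str) -> bool:
    # A bare host address is not a CIDR block; require an explicit prefix.
    try:
        ipaddress.ip_network(value, strict=False)
        return "/" in value
    except ValueError:
        return False


def is_valid_ioc(ioc_type: str, value: str) -> bool:
    """Return True if `value` is syntactically plausible for `ioc_type`."""
    value = value.strip()
    if not value:
        return False
    if ioc_type in HASH_LENGTHS:
        pattern = r"[0-9a-fA-F]{%d}" % HASH_LENGTHS[ioc_type]
        return re.fullmatch(pattern, value) is not None
    checks = {
        "ipv4-addr": lambda v: _is_ip(v, 4),
        "ipv6-addr": lambda v: _is_ip(v, 6),
        "cidr": _is_cidr,
        "domain-name": lambda v: DOMAIN_RE.match(v) is not None,
        "email-addr": lambda v: EMAIL_RE.match(v) is not None,
        "url": lambda v: URL_RE.match(v) is not None,
        "SSDEEP": lambda v: SSDEEP_RE.match(v) is not None,
        "autonomous-system": lambda v: re.fullmatch(r"(AS)?\d+", v, re.I) is not None,
        # Registry keys are expected to start with a hive name; mutex and
        # user-agent values are free-form strings and only need to be non-empty.
        "windows-registry-key": lambda v: v.upper().startswith(
            ("HKEY_", "HKLM", "HKCU", "HKCR", "HKU")),
        "mutex": lambda v: True,
        "user-agent": lambda v: True,
    }
    if ioc_type not in checks:
        raise ValueError(f"unsupported ioc type: {ioc_type}")
    return checks[ioc_type](value)


def split_values(ioc_type: str, values: str) -> Dict[str, List[str]]:
    """Split the comma-separated `values` argument into valid and rejected entries."""
    result: Dict[str, List[str]] = {"valid": [], "rejected": []}
    for raw in values.split(","):
        v = raw.strip()
        if not v:
            continue
        result["valid" if is_valid_ioc(ioc_type, v) else "rejected"].append(v)
    return result


def summarize_details(details: dict) -> str:
    """One-line summary of the CTIX.Details output of !ctix-allowed-iocs."""
    new = details.get("new_created") or []
    exists = details.get("already_exists") or []
    invalid = details.get("invalid") or []
    return f"added={len(new)} already_present={len(exists)} invalid={len(invalid)}"


if __name__ == "__main__":
    # Constructed input mirroring the command example above (x.x.x.x is not an address).
    print(split_values("ipv4-addr", "10.0.0.1, x.x.x.x,192.0.2.7"))
    # Constructed CTIX.Details response for illustration.
    print(summarize_details({"new_created": ["10.0.0.1"], "already_exists": [],
                             "invalid": ["x.x.x.x"]}))
```

Only entries in `valid` should be passed on to `values`; the `rejected` list can be surfaced in the War Room instead of a server-side error.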
### ctix-get-allowed-iocs

Gets a paginated list of allowed IOCs.

#### Base Command

`ctix-get-allowed-iocs`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page number. Default is 1. | Optional |
page_size | Page size. Default is 10. | Optional |
q | Query parameter for searching. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.IOC.id | string | ID of the object |
CTIX.IOC.include_emails | boolean | If enabled, the corresponding emails are also whitelisted |
CTIX.IOC.include_sub_domains | boolean | If enabled, the corresponding sub-domains are also whitelisted |
CTIX.IOC.include_urls | boolean | If enabled, the corresponding URLs are also whitelisted |
CTIX.IOC.type | string | Type of the IOC |
CTIX.IOC.value | string | Value of the IOC |
CTIX.IOC.created | number | Created-at timestamp |
CTIX.IOC.modified | number | Modified-at timestamp |

#### Command Example

`!ctix-get-allowed-iocs q=type=indicator`

#### Context Example
### ctix-remove-allowed-ioc

Removes an allowed IOC with the given ID.

#### Base Command

`ctix-remove-allowed-ioc`

#### Input

Argument Name | Description | Required |
---|---|---|
ids | Allowed IOC IDs. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
details | string | Operation result |

#### Command Example

`!ctix-remove-allowed-ioc ids=7a33a7ac-ab54-412f-a725-f35c208a54ea`

#### Context Example
### ctix-get-threat-data

Queries and lists threat data.

#### Base Command

`ctix-get-threat-data`

#### Input

Argument Name | Description | Required |
---|---|---|
query | Query statement for the threat data; please refer to the documentation. | Required |
page | Page number. Default is 1. | Optional |
page_size | Size of the page. Default is 1. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.ThreatData.confidence_score | number | Confidence score of the IOC |
CTIX.ThreatData.confidence_type | string | Confidence type of the IOC |
CTIX.ThreatData.created | number | When the IOC was created in the source |
CTIX.ThreatData.ctix_created | number | When the IOC was created in CTIX |
CTIX.ThreatData.ctix_modified | number | When the IOC was modified in CTIX |
CTIX.ThreatData.id | string | ID of the IOC in CTIX |
CTIX.ThreatData.indicator_type | string | Type of the indicator |
CTIX.ThreatData.ioc_type | string | Type of the IOC |
CTIX.ThreatData.is_actioned | boolean | Is actioned |
CTIX.ThreatData.is_deprecated | boolean | Is deprecated |
CTIX.ThreatData.is_false_positive | boolean | Is false positive |
CTIX.ThreatData.is_reviewed | boolean | Is reviewed |
CTIX.ThreatData.is_revoked | boolean | Is revoked |
CTIX.ThreatData.is_watchlist | boolean | Is on the watchlist |
CTIX.ThreatData.is_whitelisted | boolean | Is allowed (whitelisted) |
CTIX.ThreatData.modified | boolean | When the indicator was modified |
CTIX.ThreatData.name | boolean | Name of the indicator |
CTIX.ThreatData.risk_severity | boolean | Risk severity of the indicator |
CTIX.ThreatData.source_collections | unknown | Source collections of the indicator |
CTIX.ThreatData.source_confidence | string | Source confidence of the indicator |
CTIX.ThreatData.sources | unknown | Sources of the indicator |
CTIX.ThreatData.sub_type | string | Sub type of the IOC |
CTIX.ThreatData.tlp | string | TLP of the indicator |
CTIX.ThreatData.type | string | Type of the IOC |
CTIX.ThreatData.valid_from | number | Date from which the IOC is valid |

#### Command Example

`!ctix-get-threat-data query=type=indicator`

#### Context Example
### ctix-get-saved-searches

Saved search listing API with pagination.

#### Base Command

`ctix-get-saved-searches`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page number. | Optional |
page_size | Page size. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.SavedSearch.id | string | ID of the object |
CTIX.SavedSearch.editable | boolean | |
CTIX.SavedSearch.is_threat_data_search | boolean | |
CTIX.SavedSearch.name | string | |
CTIX.SavedSearch.order | number | |
CTIX.SavedSearch.pinned | boolean | |
CTIX.SavedSearch.query | string | |
CTIX.SavedSearch.shared_type | string | |
CTIX.SavedSearch.type | string | |
CTIX.SavedSearch.meta_data | unknown | |

#### Command Example

`!ctix-get-saved-searches`

#### Context Example
### ctix-get-server-collections

Source collection listing API with pagination.

#### Base Command

`ctix-get-server-collections`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page number. | Optional |
page_size | Page size. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.ServerCollection.name | string | Name of the server |
CTIX.ServerCollection.id | string | ID of the object |
CTIX.ServerCollection.inbox | boolean | Whether the inbox is enabled |
CTIX.ServerCollection.is_active | boolean | Whether the object is active |
CTIX.ServerCollection.is_editable | boolean | Whether the object is editable |
CTIX.ServerCollection.polling | boolean | Whether polling is enabled for the object |
CTIX.ServerCollection.type | string | Object type |
CTIX.ServerCollection.description | string | Description of the object |
CTIX.ServerCollection.created | number | Created timestamp |

#### Command Example

`!ctix-get-server-collections`

#### Context Example
### ctix-get-actions

Enrichment tools listing API.

#### Base Command

`ctix-get-actions`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page number. | Optional |
page_size | Page size. | Optional |
object_type | Object type. | Optional |
action_type | Action type. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.Action.action_name | string | Name of the action |
CTIX.Action.action_type | unknown | Description of the action |
CTIX.Action.actioned_on | number | Timestamp of when the action was taken |
CTIX.Action.app_name | string | Name of the app for the action |
CTIX.app_type | string | Type of the app |
CTIX.Action.id | string | ID of the action |
CTIX.Action.object_type | string | Object type of the action |

#### Command Example

`!ctix-get-actions action_type=manual object_type=indicator`

#### Context Example
### ctix-add-indicator-as-false-positive

#### Base Command

`ctix-add-indicator-as-false-positive`

#### Input

Argument Name | Description | Required |
---|---|---|
object_ids | Comma-separated list of indicator IDs. | Required |
object_type | Type of object. Possible values are: attack-pattern, campaign, course-of-action, custom-object, grouping, identity, indicator, infrastructure, intrusion-set, location, malware, malware-analysis, observed-data, opinion, report, threat-actor, tool, note, vulnerability, artifact, directory, email-addr, user-account, email-message, file, ipv4-addr, ipv6-addr, mac-addr, autonomous-system, network-traffic, domain-name, process, software, windows-registry-key, mutex, url, observable, x509-certificate. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.IndicatorFalsePositive.message | unknown | Indicator change result |

#### Command Example

`!ctix-add-indicator-as-false-positive object_ids=19176d96-716d-48aa-af15-dfeff22e72e2,531e47a6-d7cd-47be-ae21-a3260518d4a5 object_type=indicator`

#### Context Example
### ctix-ioc-manual-review

Adds IOCs to manual review (bulk API).

#### Base Command

`ctix-ioc-manual-review`

#### Input

Argument Name | Description | Required |
---|---|---|
object_ids | Object IDs of the items to be added for manual review. | Required |
object_type | Object type. Possible values are: attack-pattern, campaign, course-of-action, custom-object, grouping, identity, indicator, infrastructure, intrusion-set, location, malware, malware-analysis, observed-data, opinion, report, threat-actor, tool, note, vulnerability, artifact, directory, email-addr, user-account, email-message, file, ipv4-addr, ipv6-addr, mac-addr, autonomous-system, network-traffic, domain-name, process, software, windows-registry-key, mutex, url, observable, x509-certificate. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.IOCManualReview.message | unknown | IOC manual review result |

#### Command Example

`!ctix-ioc-manual-review object_ids=f3064a83-304e-4801-bec2-2f26a432bfd2,0aced40d-9a83-46cd-a92b-0c776c92594c object_type=indicator`

#### Context Example
### ctix-deprecate-ioc

Deprecates IOCs (bulk API).

#### Base Command

`ctix-deprecate-ioc`

#### Input

Argument Name | Description | Required |
---|---|---|
object_ids | Object IDs. | Required |
object_type | Object type. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.DeprecateIOC | unknown | Result of the IOC deprecation request |

#### Command Example

`!ctix-deprecate-ioc object_ids=f3064a83-304e-4801-bec2-2f26a432bfd2,0aced40d-9a83-46cd-a92b-0c776c92594c object_type=indicator`

#### Context Example
### ctix-add-analyst-tlp

Adds an analyst TLP to an object.

#### Base Command

`ctix-add-analyst-tlp`

#### Input

Argument Name | Description | Required |
---|---|---|
object_id | Object ID. | Required |
object_type | Object type. | Required |
data | JSON data carrying the analyst TLP. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.AddAnalystTLP | unknown | Result of the addition of the analyst TLP |

#### Command Example

`!ctix-add-analyst-tlp object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator data={\"analyst_tlp\":\"GREEN\"}`

#### Context Example
### ctix-add-analyst-score

Adds an analyst score to threat data.

#### Base Command

`ctix-add-analyst-score`

#### Input

Argument Name | Description | Required |
---|---|---|
object_id | Object ID. | Required |
object_type | Object type. | Required |
data | JSON data carrying the analyst score. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.AddAnalystScore | unknown | Result of adding the analyst score to the threat data |

#### Command Example

`!ctix-add-analyst-score data={"analyst_score":10} object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator`

#### Context Example
### ctix-saved-result-set

Saved result set.

#### Base Command

`ctix-saved-result-set`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page number. Default is 1. | Optional |
page_size | Page size. Default is 10. | Optional |
label_name | Label name. | Optional |
query | CQL query. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.SavedResultSet.analyst_score | number | Analyst score of the IOC |
CTIX.SavedResultSet.analyst_tlp | string | Analyst TLP of the IOC |
CTIX.SavedResultSet.confidence_score | number | Confidence score of the IOC |
CTIX.SavedResultSet.confidence_type | string | Confidence type of the IOC |
CTIX.SavedResultSet.country | string | Country of origin of the IOC |
CTIX.SavedResultSet.created | number | IOC creation date |
CTIX.SavedResultSet.ctix_created | number | Date the IOC was created in CTIX |
CTIX.SavedResultSet.ctix_modified | number | Date the IOC was modified in CTIX |
CTIX.SavedResultSet.first_seen | date | Timestamp of when the IOC was first seen |
CTIX.SavedResultSet.id | number | IOC ID |
CTIX.SavedResultSet.indicator_type | string | Type of the indicator |
CTIX.SavedResultSet.ioc_type | string | Type of the IOC |
CTIX.SavedResultSet.is_actioned | boolean | Whether any action has been taken on the indicator |
CTIX.SavedResultSet.is_deprecated | boolean | Whether the indicator is deprecated |
CTIX.SavedResultSet.is_false_positive | boolean | Whether the indicator is marked as a false positive |
CTIX.SavedResultSet.is_reviewed | boolean | Whether the indicator has been reviewed |
CTIX.SavedResultSet.is_revoked | boolean | Whether the indicator is revoked |
CTIX.SavedResultSet.is_watchlist | boolean | Whether the indicator is on the watchlist |
CTIX.SavedResultSet.is_whitelisted | boolean | Whether the indicator is whitelisted |
CTIX.SavedResultSet.last_seen | date | Timestamp of when the IOC was last seen |
CTIX.SavedResultSet.modified | date | Timestamp of when the IOC was modified |
CTIX.SavedResultSet.name | string | Name of the indicator |
CTIX.SavedResultSet.null | unknown | null |
CTIX.SavedResultSet.primary_attribute | string | Primary attribute of the IOC |
CTIX.SavedResultSet.published_collections | unknown | Published collections of the IOC |
CTIX.SavedResultSet.risk_severity | unknown | Risk severity of the IOC |
CTIX.SavedResultSet.source_collections | unknown | Source collections of the IOC |
CTIX.SavedResultSet.name | string | Name of the IOC |
CTIX.SavedResultSet.sources | unknown | Sources of the IOC |
CTIX.SavedResultSet.sub_type | unknown | Sub type of the IOC |
CTIX.SavedResultSet.subscriber_collections | unknown | Subscriber collections of the IOC |
CTIX.SavedResultSet.subscribers | unknown | Subscribers of the IOC |
CTIX.SavedResultSet.tags | unknown | Tags on the IOC |
CTIX.SavedResultSet.tlp | unknown | TLP of the IOC |
CTIX.SavedResultSet.type | unknown | Type of the IOC |
CTIX.SavedResultSet.valid_from | unknown | Timestamp from which the IOC is valid |
CTIX.SavedResultSet.valid_until | unknown | Timestamp until which the IOC is valid |

#### Command Example

`!ctix-saved-result-set label_name=test query=type=indicator`

#### Context Example
### ctix-add-tag-indicator

Adds a tag to an indicator.

#### Base Command

`ctix-add-tag-indicator`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page from which data will be taken. Default is 1. | Optional |
page_size | Total number of results to be fetched. Default is 10. | Optional |
q | Query. | Optional |
object_id | Object ID. | Optional |
object_type | Object type. | Optional |
tag_id | Tag ID. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.TagUpdation.meesage | unknown | Result of the add indicator tag request |

#### Command Example

`!ctix-add-tag-indicator object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator tag_id=fb35000b-82e7-4440-8f18-8b63bba5b372`

#### Context Example
### ctix-remove-tag-from-indicator

Removes a tag from an indicator.

#### Base Command

`ctix-remove-tag-from-indicator`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page from which data will be taken. Default is 1. | Optional |
page_size | Number of results per page. Default is 10. | Optional |
q | Query. | Optional |
object_id | Object ID. | Optional |
object_type | Object type. | Optional |
tag_id | Tag ID. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.TagUpdation.message | unknown | Result of the remove indicator tag request |

#### Command Example

`!ctix-remove-tag-from-indicator object_id=19176d96-716d-48aa-af15-dfeff22e72e2 object_type=indicator tag_id=fb35000b-82e7-4440-8f18-8b63bba5b372`

#### Context Example
### ctix-search-for-tag

Searches for a tag.

#### Base Command

`ctix-search-for-tag`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page number to fetch. Default is 1. | Optional |
page_size | Size of the result page. Default is 10. | Optional |
q | Query. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.SearchTag.colour_code | unknown | Colour code of the tag |
CTIX.SearchTag.created | number | Timestamp of when the tag was created |
CTIX.SearchTag.created_by | unknown | Details of the person who created the tag |
CTIX.SearchTag.id | string | ID of the tag |
CTIX.SearchTag.modified | number | Timestamp of when the tag was modified |
CTIX.SearchTag.modified_by | unknown | Details of the person who modified the tag |
CTIX.SearchTag.name | unknown | Name of the tag |
CTIX.SearchTag.type | unknown | Type of the tag |

#### Command Example

`!ctix-search-for-tag q=xsoar_test_trial`

#### Context Example
### ctix-get-indicator-details

Gets indicator details.

#### Base Command

`ctix-get-indicator-details`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page from which data will be taken. Default is 1. | Optional |
page_size | Total number of results. Default is 10. | Optional |
object_id | Object ID. | Optional |
object_type | Object type. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.IndicatorDetails.aliases | string | Aliases of the tag, if any |
CTIX.IndicatorDetails.analyst_description | string | Analyst description, if provided |
CTIX.IndicatorDetails.analyst_score | number | Analyst score of the indicator |
CTIX.IndicatorDetails.analyst_tlp | string | Analyst-provided TLP on the indicator |
CTIX.IndicatorDetails.asn | string | ASN of the indicator |
CTIX.IndicatorDetails.attribute_field | string | Attribute field of the indicator |
CTIX.IndicatorDetails.attribute_value | string | Attribute value of the indicator |
CTIX.IndicatorDetails.base_type | string | Base type of the indicator |
CTIX.IndicatorDetails.confidence_score | number | Confidence score of the IOC |
CTIX.IndicatorDetails.confidence_type | string | Confidence type of the IOC |
CTIX.IndicatorDetails.country | string | Country of origin of the IOC |
CTIX.IndicatorDetails.created | number | Timestamp of when the indicator was created |
CTIX.IndicatorDetails.ctix_created | number | Timestamp of when the indicator was created in CTIX |
CTIX.IndicatorDetails.ctix_modified | number | Timestamp of when the indicator was modified in CTIX |
CTIX.IndicatorDetails.ctix_score | number | CTIX score of the indicator |
CTIX.IndicatorDetails.ctix_tlp | string | CTIX-assigned TLP of the indicator |
CTIX.IndicatorDetails.defang_analyst_description | string | Defanged analyst description of the indicator |
CTIX.IndicatorDetails.description | string | Description of the indicator |
CTIX.IndicatorDetails.fang_analyst_description | string | Fanged analyst description of the indicator |
CTIX.IndicatorDetails.first_seen | number | Timestamp of when the indicator was first seen |
CTIX.IndicatorDetails.last_seen | number | Timestamp of when the indicator was last seen |
CTIX.IndicatorDetails.modified | number | Timestamp of when the indicator was modified |
CTIX.IndicatorDetails.name | string | Name of the indicator |
CTIX.IndicatorDetails.pattern | string | STIX pattern of the indicator |
CTIX.IndicatorDetails.pattern_type | string | Pattern type of the indicator |
CTIX.IndicatorDetails.pattern_version | string | STIX pattern version |
CTIX.IndicatorDetails.sources | unknown | Sources of the indicator |
CTIX.IndicatorDetails.sub_type | string | Sub type of the indicator |
CTIX.IndicatorDetails.tld | string | TLD of the indicator |
CTIX.IndicatorDetails.tlp | string | TLP of the indicator |
CTIX.IndicatorDetails.type | string | Type of the indicator |
CTIX.IndicatorDetails.types | string | Types of the indicator |
CTIX.IndicatorDetails.valid_from | number | Timestamp from which the indicator is valid |
CTIX.IndicatorDetails.valid_until | unknown | Timestamp until which the indicator is valid |

#### Command Example

`!ctix-get-indicator-details object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator`

#### Context Example
### ctix-get-indicator-tags

Gets indicator tags.

#### Base Command

`ctix-get-indicator-tags`

#### Input

Argument Name | Description | Required |
---|---|---|
object_id | Object ID. | Optional |
object_type | Object type. | Optional |
page | Page number. Default is 1. | Optional |
page_size | Page size. Default is 10. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.IndicatorTags.notes | unknown | Notes on the indicator's tag |
CTIX.IndicatorTags.is_deprecated | boolean | Whether the indicator's tag is deprecated |
CTIX.IndicatorTags.is_revoked | boolean | Whether the indicator's tag is revoked |
CTIX.IndicatorTags.ctix_created | number | Timestamp of when the indicator tag was created in CTIX |
CTIX.IndicatorTags.is_false_positive | boolean | Whether the indicator's tag is a false positive |
CTIX.IndicatorTags.name | string | Name of the indicator |
CTIX.IndicatorTags.is_reviewed | boolean | Whether the indicator has been reviewed |
CTIX.IndicatorTags.is_whitelisted | boolean | Whether the indicator is whitelisted |
CTIX.IndicatorTags.is_under_review | boolean | Whether the indicator is under review |
CTIX.IndicatorTags.is_watchlist | boolean | Whether the indicator is on the watchlist |
CTIX.IndicatorTags.tags | unknown | Tags of the indicator |
CTIX.IndicatorTags.sub_type | unknown | Sub type of the indicator |
CTIX.IndicatorTags.type | unknown | Type of the indicator |

#### Command Example

`!ctix-get-indicator-tags object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator`

#### Context Example
### ctix-get-indicator-relations

Gets indicator relations.

#### Base Command

`ctix-get-indicator-relations`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page number. Default is 1. | Optional |
page_size | Page size. Default is 10. | Optional |
object_id | Object ID. | Optional |
object_type | Object type. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.IndicatorRelations.relationship_type | unknown | Indicator relation types |
CTIX.IndicatorRelations.sources | unknown | Indicator sources |
CTIX.IndicatorRelations.target_ref | unknown | Indicator target reference |

#### Command Example

`!ctix-get-indicator-relations object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator`

#### Context Example
### ctix-get-indicator-observations

Gets indicator observations.

#### Base Command

`ctix-get-indicator-observations`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page number. | Optional |
page_size | Page size. | Optional |
object_id | Object ID. | Optional |
object_type | Object type. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.IndicatorObservations.custom_attributes | unknown | Custom attributes, if any |
CTIX.IndicatorObservations.ctix_modified | number | Timestamp of when the indicator was modified in CTIX |
CTIX.IndicatorObservations.created | number | Timestamp of when the indicator was created |
CTIX.IndicatorObservations.pattern_type | string | Pattern type of the indicator |
CTIX.IndicatorObservations.modified | number | Timestamp of when the indicator was modified |
CTIX.IndicatorObservations.ctix_created | number | Timestamp of when the indicator was created in CTIX |
CTIX.IndicatorObservations.pattern_version | string | STIX pattern version of the indicator |
CTIX.IndicatorObservations.confidence | string | Confidence level of the indicator |
CTIX.IndicatorObservations.valid_from | number | Timestamp from which the indicator is valid |
CTIX.IndicatorObservations.pattern | string | STIX pattern |
CTIX.IndicatorObservations.fang_description | string | Fanged description |
CTIX.IndicatorObservations.defang_description | string | Defanged description |
CTIX.IndicatorObservations.spec_version | string | STIX spec version |
CTIX.IndicatorObservations.tags | unknown | Tags attached to the indicator |
CTIX.IndicatorObservations.received_id | string | STIX ID under which the indicator was received |
CTIX.IndicatorObservations.types | unknown | STIX types attached to the indicator |
CTIX.IndicatorObservations.source | unknown | STIX source of the indicator |
CTIX.IndicatorObservations.id | string | ID of the indicator |
CTIX.IndicatorObservations.valid_until | number | Timestamp until which the indicator is valid |
CTIX.IndicatorObservations.sco_object_id | unknown | SCO object ID |
CTIX.IndicatorObservations.unique_hash | unknown | Unique hash of the indicator |
CTIX.IndicatorObservations.description | unknown | Description of the indicator |
CTIX.IndicatorObservations.granular_markings | unknown | Granular markings, if any |
CTIX.IndicatorObservations.collection | unknown | Collection details of the indicator |

#### Command Example

`!ctix-get-indicator-observations object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator`

#### Context Example
### ctix-get-conversion-feed-source

#### Base Command

`ctix-get-conversion-feed-source`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page number. Default is 1. | Optional |
page_size | Page size. Default is 10. | Optional |
object_id | Object ID. | Optional |
object_type | Object type. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.ConversionFeedSource.created | number | Indicator creation timestamp |
CTIX.ConversionFeedSource.id | string | ID of the indicator |
CTIX.ConversionFeedSource.name | string | Name of the indicator |
CTIX.ConversionFeedSource.taxii_option | string | TAXII option |

#### Command Example

`!ctix-get-conversion-feed-source object_id=20067ec2-8ad1-470e-b0bb-3c4a72b15883 object_type=indicator`

#### Context Example
### ctix-get-lookup-threat-data

Looks up threat data by object name.

#### Base Command

`ctix-get-lookup-threat-data`

#### Input

Argument Name | Description | Required |
---|---|---|
object_type | Object type. | Optional |
object_names | The SDO values to look up. Example: to get the object_ids of the indicator 127.0.0.1, the value is 127.0.0.1. | Optional |
page_size | Size of the page. Default is 10. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CTIX.ThreatDataLookup.analyst_score | number | Analyst score of the indicator |
CTIX.ThreatDataLookup.analyst_tlp | string | Analyst TLP of the indicator |
CTIX.ThreatDataLookup.confidence_score | number | Confidence score of the indicator |
CTIX.ThreatDataLookup.confidence_type | string | Confidence type of the indicator |
CTIX.ThreatDataLookup.country | string | Indicator origin country |
CTIX.ThreatDataLookup.created | number | Timestamp of when the indicator was created |
CTIX.ThreatDataLookup.ctix_created | number | Timestamp of when the indicator was created in CTIX |
CTIX.ThreatDataLookup.ctix_modified | number | Timestamp of when the indicator was modified in CTIX |
CTIX.ThreatDataLookup.first_seen | number | Timestamp of when the indicator was first seen |
CTIX.ThreatDataLookup.id | string | Indicator ID |
CTIX.ThreatDataLookup.indicator_type | string | Indicator type |
CTIX.ThreatDataLookup.ioc_type | string | IOC type |
CTIX.ThreatDataLookup.is_actioned | boolean | Is actioned |
CTIX.ThreatDataLookup.is_deprecated | boolean | Is deprecated |
CTIX.ThreatDataLookup.is_false_positive | boolean | Is false positive |
CTIX.ThreatDataLookup.is_reviewed | boolean | Is reviewed |
CTIX.ThreatDataLookup.is_revoked | boolean | Is revoked |
CTIX.ThreatDataLookup.is_watchlist | boolean | Is on the watchlist |
CTIX.ThreatDataLookup.is_whitelisted | boolean | Is whitelisted |
CTIX.ThreatDataLookup.last_seen | number | Timestamp of when the indicator was last seen |
CTIX.ThreatDataLookup.modified | number | Timestamp of when the indicator was modified |
CTIX.ThreatDataLookup.name | string | Name of the indicator |
CTIX.ThreatDataLookup.null | unknown | null |
CTIX.ThreatDataLookup.primary_attribute | string | Primary attribute |
CTIX.ThreatDataLookup.published_collections | unknown | Published collections |
CTIX.ThreatDataLookup.risk_severity | string | Risk severity |
CTIX.ThreatDataLookup.source_collections | unknown | Source collections |
CTIX.ThreatDataLookup.source_confidence | string | Source confidence |
CTIX.ThreatDataLookup.sources | unknown | Sources |
CTIX.ThreatDataLookup.sub_type | string | Sub type |
CTIX.ThreatDataLookup.subscriber_collections | unknown | Subscriber collections |
CTIX.ThreatDataLookup.subscribers | unknown | Subscribers |
CTIX.ThreatDataLookup.tags | unknown | Tags |
CTIX.ThreatDataLookup.tlp | string | TLP |
CTIX.ThreatDataLookup.type | string | Type |
CTIX.ThreatDataLookup.valid_from | number | Timestamp from which the indicator was valid |
CTIX.ThreatDataLookup.valid_until | number | Timestamp until which the indicator was valid |

#### Command Example

`!ctix-get-lookup-threat-data object_names=example.com, test.com object_type=indicator`