Flashpoint Ignite

This Integration is part of the Flashpoint Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Use the Flashpoint Ignite integration to reduce business risk. Ignite allows users to ingest alerts and compromised credentials as incident alerts and to execute commands such as search intelligence report, ip, url, get events, and more. This integration was integrated and tested with API v1 of Ignite.

Auto Extract Indicator

Both incident types Ignite Alert and Flashpoint Compromised Credentials support the auto extraction feature by default. This feature extracts indicators and enriches their reputations using commands and scripts defined for the indicator type (Refer to Indicator extraction (Cortex XSOAR 6.13) or Indicator extraction (Cortex XSOAR 8 Cloud) or Indicator extraction (Cortex XSOAR 8.7 On-prem) for more details).

If you are upgrading from a Flashpoint integration, please refer to the Migration Guide for guidance.

Configure Flashpoint Ignite on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Flashpoint Ignite.
  3. Click Add instance to create and configure a new integration instance.
  4. To fetch Ignite alerts, refer to the section "Configuration for fetching Ignite Alerts as a Cortex XSOAR Incident".
  5. To fetch Ignite compromised credentials, refer to the section "Configuration for fetching Ignite Compromised Credentials as a Cortex XSOAR Incident".

| **Parameter** | **Description** | **Required** |
| --- | --- | --- |
| Fetch incidents | | False |
| Incident type | | False |
| Server URL | Server URL to connect to Ignite. | True |
| API Key | API key used for secure communication with the Ignite platform. | True |
| Maximum number of incidents per fetch | The maximum limit is 200 for alerts and compromised credentials. | False |
| First fetch time | Date or relative timestamp to start fetching the incidents from. (Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.). | False |
| Fetch Type | Whether to fetch the Ignite alerts or the compromised credentials. Defaults to "Compromised Credentials" if nothing is selected. | False |
| Severity for Incidents | Set the default severity for the incidents using this instance. | False |
| Alert Status | Filters the incoming alerts with the provided alert status. | False |
| Alert Origin | Filters the incoming alerts with the origin of the alert. | False |
| Alert Sources | Filters the incoming alerts with the source of the alert. | False |
| Fetch fresh compromised credentials alerts | Adds the 'is_fresh' flag to compromised credential queries so it only ingests username/password combinations if they haven't been seen before. | False |
| Source Reliability | Reliability of the source providing the intelligence data. | False |
| Create relationships | Create relationships between indicators as part of enrichment. | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |

  6. Click Test to validate the URLs, token, and connection.

Configuration for fetching Ignite Alerts as a Cortex XSOAR Incident

  1. Select Fetches incidents.
  2. Under Classifier, select "N/A".
  3. Under Incident type, select "Ignite Alert".
  4. Under Mapper (incoming), select "Ignite Alert - Incoming Mapper" for default mapping.
  5. Enter the connection parameters (Server URL, API key).
  6. Under the Fetch Type, select "Alerts".
  7. Select "Alert Status" based on your requirement to filter the alerts. By default, alerts of all statuses are fetched.
  8. Select "Alert Origin" based on your requirement to filter the alerts. By default, alerts from all origins are fetched.
  9. Select "Alert Sources" based on your requirement to filter the alerts. By default, alerts from all sources are fetched.
  10. Select "Severity for Incidents" based on your requirement to set the default severity for the incidents. By default, it will set the Unknown severity for all incidents.
  11. Update "First fetch time" and "Max Fetch Count" based on your requirements.

Configuration for fetching Ignite Compromised Credentials as a Cortex XSOAR Incident

  1. Select Fetches incidents.
  2. Under Classifier, select "N/A".
  3. Under Incident type, select "Flashpoint Compromised Credentials".
  4. Under Mapper (incoming), select "Flashpoint Compromised Credentials - Incoming Mapper" for default mapping.
  5. Enter the connection parameters (Server URL, API key).
  6. Under the Fetch Type, select "Compromised Credentials".
  7. Select "Fetch fresh compromised credentials alerts" so that it only ingests username/password combinations if they haven't been seen before.
  8. Update "First fetch time" and "Max Fetch Count" based on your requirements.

Troubleshooting

Error: The maximum records to fetch for the given first fetch can not exceed 10,000

  • The maximum number of records that can be fetched using the first fetch time is limited to 10,000 by the API.
  • To resolve this issue, you can reduce the first fetch time to a shorter time period, ensuring that the total number of records fetched during the specified time falls within the 10,000 limit.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

flashpoint-ignite-intelligence-report-search

Search for the Intelligence Reports using a keyword.

Base Command

flashpoint-ignite-intelligence-report-search

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| report_search | Search report using keyword or text. | Required |

Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Ignite.Report.NotifiedAt | string | Notify date of report. |
| Ignite.Report.PlatformUrl | string | Platform URL of the report. Used to help redirect the Ignite platform. |
| Ignite.Report.PostedAt | number | Posted date of the report. |
| Ignite.Report.Summary | string | Summary of the report. |
| Ignite.Report.Title | string | Title of the report. |
| Ignite.Report.UpdatedAt | string | Last updated date of the report. |
| Ignite.Report.ReportId | string | Unique ID of the report. |

Command example

!flashpoint-ignite-intelligence-report-search report_search=ChatGpt

Context Example

{
    "Ignite": {
        "Report": [
            {
                "NotifiedAt": "2024-04-17T19:23:51.870+00:00",
                "PlatformUrl": "https://app.flashpoint.io/cti/intelligence/report/00000000000000000001",
                "PostedAt": "2024-04-17T19:23:51.870+00:00",
                "ReportId": "00000000000000000001",
                "Summary": "This report covers evolving events that impact the advancement of AI technology and highlights notable developments that impact safety for users and organizations.",
                "Title": "Artificial Intelligence Threat Landscape",
                "UpdatedAt": "2024-04-17T19:23:51.870+00:00"
            }
        ]
    }
}

Human Readable Output

Ignite Intelligence reports related to search: ChatGpt

Top 5 reports:

1) Artificial Intelligence Threat Landscape Summary: This report covers evolving events that impact the advancement of AI technology and highlights notable developments that impact safety for users and organizations.

Link to Report-search on Ignite platform: https://app.flashpoint.io/cti/intelligence/search?query=ChatGpt

flashpoint-ignite-compromised-credentials-list

Retrieves the compromised credentials based on the filter values provided in the command arguments.

Base Command

flashpoint-ignite-compromised-credentials-list

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| start_date | Filters the data based on the start date of the breach (UTC). Note: Will consider current time as default for end_date if start_date is initialized. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| end_date | Filters the data based on the end date of the breach (UTC). Note: Requires start_date along with the given argument. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| filter_date | Filters the compromised credential's breach data by either created or first observed date. Note: Requires the argument value for at least 'start_date' and 'end_date'. Possible values are: created_at, first_observed_at. | Optional |
| page_size | The maximum number of result objects to return per page. Note: The maximum value is 1,000. Default is 50. | Optional |
| page_number | Specify a page number to retrieve the compromised credentials. Note: The multiplication of page_size and page_number parameters cannot exceed 10,000. Default is 1. | Optional |
| sort_date | Sort the compromised credential's breach data by either created or first observed date. Note: Will consider ascending as default for sort_order if sort_date is initialized. Possible values are: created_at, first_observed_at. | Optional |
| sort_order | Specify the order to sort the data in. Note: Requires sort_date along with the given argument. Possible values are: asc, desc. | Optional |
| is_fresh | Whether to fetch the fresh compromised credentials or not. Possible values are: true, false. | Optional |
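
The argument rules in the Input table interact: the page_size ceiling and the page_size × page_number cap together decide how much of a result set can be paged through. The following is an added example, not code from the integration; the function names `validate_args` and `plan_pages` are hypothetical, and the reading of the filter_date note (both dates required) is an assumption.

```python
import math

MAX_PAGE_SIZE = 1000   # page_size: "The maximum value is 1,000"
MAX_WINDOW = 10_000    # page_size * page_number "cannot exceed 10,000"
DATE_FIELDS = {"created_at", "first_observed_at"}

# Constructed from the arguments shown in the Command example for this command.
EXAMPLE_ARGS = {
    "start_date": "2 weeks", "end_date": "1 days", "filter_date": "created_at",
    "is_fresh": "true", "page_number": 2, "page_size": 1,
    "sort_date": "created_at", "sort_order": "asc",
}


def validate_args(args):
    """Return a list of problems found in a dict of command arguments."""
    errors = []
    page_size = int(args.get("page_size", 50))      # documented default
    page_number = int(args.get("page_number", 1))   # documented default
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        errors.append(f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    if page_number < 1:
        errors.append("page_number must be at least 1")
    if page_size * page_number > MAX_WINDOW:
        errors.append(f"page_size * page_number exceeds {MAX_WINDOW}")
    if "end_date" in args and "start_date" not in args:
        errors.append("end_date requires start_date")
    # Assumption: the filter_date note is read as "both dates must be supplied".
    if "filter_date" in args and not {"start_date", "end_date"} <= set(args):
        errors.append("filter_date requires start_date and end_date")
    if "sort_order" in args and "sort_date" not in args:
        errors.append("sort_order requires sort_date")
    enums = (
        ("filter_date", DATE_FIELDS),
        ("sort_date", DATE_FIELDS),
        ("sort_order", {"asc", "desc"}),
        ("is_fresh", {"true", "false"}),
    )
    for name, allowed in enums:
        if name in args and str(args[name]).lower() not in allowed:
            errors.append(f"{name} must be one of {sorted(allowed)}")
    return errors


def plan_pages(total_records, page_size):
    """Return (pages, unreachable): the page numbers that can be requested for
    this page_size, and how many records fall beyond the 10,000 window."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("page_size out of range")
    last_allowed = MAX_WINDOW // page_size            # highest legal page_number
    needed = math.ceil(total_records / page_size)     # pages the result set spans
    pages = list(range(1, min(needed, last_allowed) + 1))
    unreachable = max(0, total_records - last_allowed * page_size)
    return pages, unreachable
```

A non-zero `unreachable` means the date range matches more records than paging can return, so the start_date/end_date window has to be narrowed and planned again.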

Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Ignite.CompromisedCredential._id | String | ID of the IoC. |
| Ignite.CompromisedCredential._source.affected_domain | String | Affected domain of the IoC. |
| Ignite.CompromisedCredential._source.basetypes | Unknown | The array contains the underlying type of the credentials object, in this case ["credential-sighting"]. |
| Ignite.CompromisedCredential._source.body.raw | String | This is the raw content captured from the breach Flashpoint discovered. |
| Ignite.CompromisedCredential._source.breach._header | String | This is the breach header object. |
| Ignite.CompromisedCredential._source.breach.basetypes | Unknown | Array containing the underlying base type of the breach object, i.e., ["breach"]. |
| Ignite.CompromisedCredential._source.breach.breach_type | String | Constant for future use. |
| Ignite.CompromisedCredential._source.breach.created_at.date-time | Date | The datetime when the source breach was created, formatted as YYYY-mm-ddTHH:MM:SSZ. |
| Ignite.CompromisedCredential._source.breach.created_at.timestamp | Number | The UNIX timestamp when the source breach was created. |
| Ignite.CompromisedCredential._source.breach.first_observed_at.date-time | Date | Datetime when the source breach was first observed, formatted as YYYY-mm-ddTHH:MM:SSZ. |
| Ignite.CompromisedCredential._source.breach.first_observed_at.timestamp | Number | The UNIX timestamp when the source breach was first observed. |
| Ignite.CompromisedCredential._source.breach.fpid | String | Flashpoint ID of the breach. |
| Ignite.CompromisedCredential._source.breach.source | String | Data source of breach (i.e., Analyst Research, CredentialStealer, etc.). |
| Ignite.CompromisedCredential._source.breach.source_type | String | Type of source of the breach. |
| Ignite.CompromisedCredential._source.breach.title | String | Title of the breach. |
| Ignite.CompromisedCredential._source.breach.victim | String | Victim of the breach. |
| Ignite.CompromisedCredential._source.credential_record_fpid | String | The Flashpoint ID of the associated record object. Used to retrieve sightings for a credential. |
| Ignite.CompromisedCredential._source.customer_id | String | Customer ID of the IoC. |
| Ignite.CompromisedCredential._source.domain | String | The domain object extracted off of the email address. |
| Ignite.CompromisedCredential._source.email | String | The email address for the compromised credential. |
| Ignite.CompromisedCredential._source.username | String | The username for the compromised credential. |
| Ignite.CompromisedCredential._source.extraction_id | String | Extraction ID of the IoC. |
| Ignite.CompromisedCredential._source.extraction_record_id | String | Extraction record ID of the IoC. |
| Ignite.CompromisedCredential._source.fpid | String | The Flashpoint ID of this credentials object. |
| Ignite.CompromisedCredential.source.header.indexed_at | String | Timestamp for when this document was indexed into the Flashpoint database. |
| Ignite.CompromisedCredential.source.header.pipeline_duration | String | Pipeline duration header information of the IoC. |
| Ignite.CompromisedCredential._source.is_fresh | Boolean | "true" if the credential has not been seen before, and it hasn't been marked "not fresh" by an analyst. (Historical breaches are not "fresh".) |
| Ignite.CompromisedCredential._source.last_observed_at.date-time | Date | If exists, time object for when the credential was previously observed. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ. |
| Ignite.CompromisedCredential._source.last_observed_at.timestamp | Number | The UNIX timestamp when the source breach was first observed. |
| Ignite.CompromisedCredential._source.password | String | The password for the credential (in plain text, if possible). |
| Ignite.CompromisedCredential._source.password_complexity.has_lowercase | Boolean | Whether lowercase letters are present. |
| Ignite.CompromisedCredential._source.password_complexity.has_number | Boolean | Whether numbers are present. |
| Ignite.CompromisedCredential._source.password_complexity.has_symbol | Boolean | Whether symbols are present. |
| Ignite.CompromisedCredential._source.password_complexity.has_uppercase | Boolean | Whether uppercase letters are present. |
| Ignite.CompromisedCredential._source.password_complexity.length | Number | Integer value that represents the number of characters in the password. |
| Ignite.CompromisedCredential._source.password_complexity.probable_hash_algorithms | Unknown | List of possible hash algorithms suspected based on the text pattern of the password. (May include values like "MD5", "SHA-1", "SHA-256", "bcrypt", etc.) |
| Ignite.CompromisedCredential._source.times_seen | Number | Integer representing the number of times the credential has been seen at Flashpoint. |
| Ignite.CompromisedCredential._type | String | Type of the IoC. |
| Ignite.CompromisedCredential.matched_queries | Unknown | Matching queries of the IoC. |
| Ignite.CompromisedCredential.sort | Unknown | Sort value of the IoC. |

Command example

!flashpoint-ignite-compromised-credentials-list start_date="2 weeks" end_date="1 days" filter_date=created_at is_fresh=true page_number=2 page_size=1 sort_date=created_at sort_order=asc

Context Example

{
    "Ignite": {
        "CompromisedCredential": {
            "_id": "sample_id",
            "_source": {
                "affected_domain": "example",
                "affected_url": "https://dummy_url",
                "basetypes": [
                    "credential-sighting"
                ],
                "body": {
                    "raw": "URL: https://dummy_url\r\nUsername: someone@example.com\r\nPassword: pass_123\r\nApplication: Microsoft_[Edge]_Default"
                },
                "breach": {
                    "basetypes": [
                        "breach"
                    ],
                    "breach_type": "credential",
                    "created_at": {
                        "date-time": "2024-05-10T16:13:33Z",
                        "timestamp": 1715789613
                    },
                    "first_observed_at": {
                        "date-time": "2024-05-10T16:13:34Z",
                        "timestamp": 1715789614
                    },
                    "fpid": "sample_fpid",
                    "source": "Analyst Research",
                    "source_type": "Credential Stealer",
                    "title": "Compromised Users from Redline Stealer Malware \"logs_05_10_2024-160709.zip\" May152024"
                },
                "credential_record_fpid": "sample_credential_record_fpid",
                "customer_id": "sample_customer_id",
                "domain": "example.com",
                "email": "someone@example.com",
                "extraction_id": "sample_extraction_id",
                "extraction_record_id": "sample_extraction_record_id",
                "fpid": "sample_fpid",
                "header_": {
                    "indexed_at": 1715793565,
                    "pipeline_duration": 63883012765
                },
                "is_fresh": true,
                "last_observed_at": {
                    "date-time": "2024-05-10T16:13:34Z",
                    "timestamp": 1715789614
                },
                "password": "pass_123",
                "password_complexity": {
                    "has_lowercase": true,
                    "has_number": true,
                    "has_symbol": true,
                    "has_uppercase": true,
                    "length": 9
                },
                "times_seen": 1,
                "username": "someone@example.com"
            },
            "_type": "_doc",
            "matched_queries": [
                "data.example"
            ],
            "sort": [
                1715789613000
            ]
        }
    }
}

Human Readable Output

Total number of records found: 150

Compromised Credential(s)

| **FPID** | **Email** | **Username** | **Breach Source** | **Breach Source Type** | **Password** | **Created Date (UTC)** | **First Observed Date (UTC)** |
| --- | --- | --- | --- | --- | --- | --- | --- |
| sample_fpid | someone@example.com | someone@example.com | Analyst Research | Credential Stealer | pass_123 | May 10, 2024 16:13 | May 10, 2024 16:13 |
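
The context written by this command carries the credential in clear text twice: in `_source.password` and again inside `_source.body.raw`. The following is an added example, not code from the integration, of stripping both before the record is copied into tickets, chat, or a SIEM; the function names, the `password_fingerprint` field, and the keyed-hash approach for correlating repeat sightings are assumptions.

```python
import copy
import hashlib
import hmac
import re

REDACTED = "[REDACTED]"
# Matches the value on a "Password: ..." line inside body.raw, leaving CRLF intact.
_PASSWORD_LINE = re.compile(r"(?im)^([ \t]*password[ \t]*:[ \t]*)[^\r\n]*")

# Constructed sample, trimmed from the Context Example above (placeholder values only).
SAMPLE_CONTEXT = {
    "Ignite": {
        "CompromisedCredential": {
            "_id": "sample_id",
            "_source": {
                "body": {
                    "raw": "URL: https://dummy_url\r\nUsername: someone@example.com\r\n"
                           "Password: pass_123\r\nApplication: Microsoft_[Edge]_Default"
                },
                "breach": {"source": "Analyst Research", "source_type": "Credential Stealer"},
                "email": "someone@example.com",
                "fpid": "sample_fpid",
                "is_fresh": True,
                "password": "pass_123",
                "password_complexity": {
                    "has_lowercase": True, "has_number": True,
                    "has_symbol": True, "has_uppercase": True, "length": 9,
                },
                "times_seen": 1,
                "username": "someone@example.com",
            },
        }
    }
}


def redact_credential(record, key):
    """Return a copy of one CompromisedCredential entry with the secret removed.

    `key` is a locally held byte string (assumption: loaded from a secret store).
    The HMAC lets analysts see that two sightings share a password without
    the password itself being stored downstream.
    """
    safe = copy.deepcopy(record)            # never mutate the original context
    source = safe.get("_source") or {}
    password = source.get("password")
    if password:
        secret = str(password)
        source["password_fingerprint"] = hmac.new(
            key, secret.encode("utf-8"), hashlib.sha256
        ).hexdigest()
        source["password"] = REDACTED
    body = source.get("body")
    if isinstance(body, dict) and isinstance(body.get("raw"), str):
        raw = body["raw"]
        if password:
            # The secret can appear outside a "Password:" line, so remove it literally first.
            raw = raw.replace(str(password), REDACTED)
        # Then blank any "Password:" line, covering records with no password field.
        body["raw"] = _PASSWORD_LINE.sub(lambda m: m.group(1) + REDACTED, raw)
    return safe


def redact_context(context, key):
    """Redact every entry under Ignite.CompromisedCredential (single dict or list)."""
    entries = context.get("Ignite", {}).get("CompromisedCredential", [])
    if isinstance(entries, dict):
        entries = [entries]
    return [redact_credential(entry, key) for entry in entries]
```

The complexity flags, `is_fresh`, and `times_seen` are left untouched, so triage decisions that depend on them still work on the redacted copy.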

flashpoint-ignite-event-list

Searches for events within the specified time period, the Flashpoint report ID, or attack IDs.

Base Command

flashpoint-ignite-event-list

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| time_period | The time period for the search. | Optional |
| report_fpid | The Flashpoint report ID. To retrieve the Flashpoint report ID, run the flashpoint-ignite-intelligence-related-report-list command. | Optional |
| limit | The maximum number of records. Default is 10. | Optional |
| attack_ids | A comma-separated list of attack IDs for which to search. Attack IDs can be found in event information or on the Ignite platform by filtering events by attack IDs. | Optional |

Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Ignite.Event.EventCreatorEmail | string | The email of the event creator. |
| Ignite.Event.EventId | string | The ID of the event. |
| Ignite.Event.UUID | string | The UUID of the event. |
| Ignite.Event.Href | string | The hyperlink of the event. |
| Ignite.Event.MalwareDescription | string | The description of the malware. |
| Ignite.Event.Name | string | The name of the event. |
| Ignite.Event.ObservedTime | string | The date that the event was triggered. |
| Ignite.Event.Tags | string | The tags of the event. |

Command example

!flashpoint-ignite-event-list limit="2" attack_ids=T1001

Context Example

{
    "Ignite": {
        "Event": [
            {
                "Name": "Observation: strike \"0000000000000000000000000000000000000000000000000000000000000001\" [2024-05-31 03:49:12]",
                "Tags": "mitre:T1001",
                "EventCreatorEmail": "info@flashpoint-intel.com",
                "EventId": "0000000000000000000001",
                "UUID": "00000000-0000-0000-0000-0001",
                "Href": "https://api.flashpoint.io/technical-intelligence/v1/event/0000000000000000000001",
                "ObservedTime": "May 31, 2024 04:03",
                "MalwareDescription": "This malicious adoption has caused difficulties in determining whether observed activity is related to an ongoing criminal attack."
            },
            {
                "Name": "Observation: strike \"0000000000000000000000000000000000000000000000000000000000000002\" [2024-05-31 00:01:14]",
                "Tags": "mitre:T1001",
                "EventCreatorEmail": "info@flashpoint-intel.com",
                "EventId": "0000000000000000000002",
                "UUID": "00000000-0000-0000-0000-0002",
                "Href": "https://api.flashpoint.io/technical-intelligence/v1/event/0000000000000000000002",
                "ObservedTime": "May 31, 2024 01:00",
                "MalwareDescription": "Strike became popular among threat actors as an initial access payload, as well as a second-stage tool threat actors use once access is achieved."
            }
        ]
    }
}

Human Readable Output

Ignite Events

Below are the detail found:

| **Observed time (UTC)** | **Name** | **Tags** | **Malware Description** |
| --- | --- | --- | --- |
| May 31, 2024 04:03 | Observation: strike "0000000000000000000000000000000000000000000000000000000000000001" [2024-05-31 03:49:12] | mitre:T1001 | This malicious adoption has caused difficulties in determining whether observed activity is related to an ongoing criminal attack. |
| May 31, 2024 01:00 | Observation: strike "0000000000000000000000000000000000000000000000000000000000000002" [2024-05-31 00:01:14] | mitre:T1001 | Strike became popular among threat actors as an initial access payload, as well as a second-stage tool threat actors use once access is achieved. |

All events and details (ignite): https://mock_dummy.com/cti/malware/iocs

flashpoint-ignite-event-get

Retrieves the details of a single event using event FPID or UUID.

Base Command

flashpoint-ignite-event-get

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| event_id | The FPID or UUID that identifies a particular event. The event ID can be fetched from the output context path (Ignite.Event.EventId) of the flashpoint-ignite-event-list command, or the indicator reputation command response or some other investigation. | Required |

Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Ignite.Event.EventCreatorEmail | string | The email of the event creator. |
| Ignite.Event.EventId | string | The ID of the event. |
| Ignite.Event.UUID | string | The UUID of the event. |
| Ignite.Event.Href | string | The hyperlink of the event. |
| Ignite.Event.MalwareDescription | string | The description of the malware. |
| Ignite.Event.Name | string | The name of the event. |
| Ignite.Event.ObservedTime | string | The date that the event was triggered. |
| Ignite.Event.Tags | string | The tags of the event. |

Command example

!flashpoint-ignite-event-get event_id=0000000000000000000001

Context Example

{
    "Ignite": {
        "Event": {
            "Name": "Observation: strike \"0000000000000000000000000000000000000000000000000000000000000001\" [2024-05-31 03:49:12]",
            "Tags": "mitre:T1001",
            "EventCreatorEmail": "info@flashpoint-intel.com",
            "EventId": "0000000000000000000001",
            "UUID": "00000000-0000-0000-0000-0001",
            "Href": "https://api.flashpoint.io/technical-intelligence/v1/event/0000000000000000000001",
            "ObservedTime": "May 31, 2024 04:03",
            "MalwareDescription": "This malicious adoption has caused difficulties in determining whether observed activity is related to an ongoing criminal attack."
        }
    }
}

Human Readable Output

Ignite Event details

Below are the detail found:

| **Observed time (UTC)** | **Name** | **Tags** | **Malware Description** |
| --- | --- | --- | --- |
| May 31, 2024 04:03 | Observation: strike "0000000000000000000000000000000000000000000000000000000000000001" [2024-05-31 03:49:12] | mitre:T1001 | This malicious adoption has caused difficulties in determining whether observed activity is related to an ongoing criminal attack. |

flashpoint-ignite-intelligence-report-get

Get single report details using the report id.

Base Command

flashpoint-ignite-intelligence-report-get

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| report_id | The ID of the report for which the details are to be fetched. The report ID can be retrieved from the output context path (Ignite.Report.ReportId) of the flashpoint-ignite-intelligence-report-search command or some other investigation. | Required |

Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Ignite.Report.NotifiedAt | string | Notify date of the report. |
| Ignite.Report.PlatformUrl | string | Platform URL of the report. Used to help redirect the Ignite platform. |
| Ignite.Report.PostedAt | number | Posted date of the report. |
| Ignite.Report.Summary | string | Summary of the report. |
| Ignite.Report.Title | string | Title of the report. |
| Ignite.Report.UpdatedAt | string | Last updated date of the report. |
| Ignite.Report.ReportId | string | Unique ID of the report. |
| Ignite.Report.Tags | string | Tags of the report. |

Command example

!flashpoint-ignite-intelligence-report-get report_id=00000000000000000001

Context Example

{
    "Ignite": {
        "Report": {
            "NotifiedAt": "2022-02-10T22:25:51.190+00:00",
            "PlatformUrl": "https://app.flashpoint.io/cti/intelligence/report/00000000000000000001",
            "PostedAt": "2022-02-10T22:25:51.190+00:00",
            "ReportId": "00000000000000000001",
            "Summary": "A weekly update on major developments in XYZ.",
            "Title": "Key Developments: XYZ (February 3-10, 2022)",
            "UpdatedAt": "2022-02-10T22:25:51.190+00:00",
            "Tags": "Energy, Government & Policymakers, XYZ, Law Enforcement & Military, Intelligence Report, Technology & Internet, Right-Wing Extremist, Media & Telecom, Protests, Cyber Threats, Physical Threats, Government, Technology, Right-wing extremism, Media, Direct action and protests, Key Developments: XYZ "
        }
    }
}

Human Readable Output

Ignite Intelligence Report details

Below are the details found:

| **Title** | **Date Published (UTC)** | **Summary** | **Tags** |
| --- | --- | --- | --- |
| Key Developments: XYZ (February 3-10, 2022) | Feb 10, 2022 22:25 | A weekly update on major developments in XYZ. | Energy, Government & Policymakers, XYZ, Law Enforcement & Military, Intelligence Report, Technology & Internet, Right-Wing Extremist, Media & Telecom, Protests, Cyber Threats, Physical Threats, Government, Technology, Right-wing extremism, Media, Direct action and protests, Key Developments: XYZ |

flashpoint-ignite-intelligence-related-report-list

List related reports for a particular report using the report ID.

Base Command

flashpoint-ignite-intelligence-related-report-list

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| report_id | The ID of the report for which the related reports are to be fetched. The report ID can be retrieved from the output context path (Ignite.Report.ReportId) of the flashpoint-ignite-intelligence-report-search command or some other investigation. | Required |

Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Ignite.Report.NotifiedAt | string | Notify date of report. |
| Ignite.Report.PlatformUrl | string | Platform URL of the report. Used to help redirect the Ignite platform. |
| Ignite.Report.PostedAt | number | Posted date of the report. |
| Ignite.Report.Summary | string | Summary of the report. |
| Ignite.Report.Title | string | Title of the report. |
| Ignite.Report.UpdatedAt | string | Last updated date of the report. |
| Ignite.Report.ReportId | string | Unique ID of the report. |

Command example

!flashpoint-ignite-intelligence-related-report-list report_id=00000000000000000003

Context Example

{
    "Ignite": {
        "Report": [
            {
                "NotifiedAt": "2023-04-13T21:18:35.557+00:00",
                "PlatformUrl": "https://app.flashpoint.io/cti/intelligence/report/00000000000000000003",
                "PostedAt": "2023-04-13T21:18:35.557+00:00",
                "ReportId": "00000000000000000003",
                "Summary": "A weekly report on the major developments in XYZ. ",
                "Title": "Key Developments: XYZ (April 7-13, 2023)",
                "UpdatedAt": "2023-04-13T21:18:35.557+00:00"
            }
        ]
    }
}

Human Readable Output

Ignite Intelligence related reports:

Top 5 related reports:

1) Key Developments: XYZ (April 7-13, 2023) Summary: A weekly report on the major developments in XYZ.

Link to the given Report on Ignite platform: https://app.flashpoint.io/cti/intelligence/report/00000000000000000001#detail

flashpoint-ignite-alert-list

Retrieves a list of alerts based on the filter values provided in the command arguments.

Base Command

flashpoint-ignite-alert-list

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| size | The number of alerts to return. Default is 10. | Optional |
| created_after | Returns alerts that occurred after the specified date. (Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc). | Optional |
| created_before | Returns alerts that occurred before the specified date. (Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc). | Optional |
| cursor | The cursor to retrieve next page data. Used for pagination only. The value of the cursor can be found from the output context path (Ignite.PageToken.Alert.cursor) or the HR output of the flashpoint-ignite-alert-list command. | Optional |
| status | Filter alerts by status. Possible values are: Archived, Starred, Sent, None. | Optional |
| origin | Filter alerts by origin. Possible values are: Searches, Assets. | Optional |
| sources | Filter alerts by source. Possible values are: Github, Gitlab, Bitbucket, Communities, Images, Marketplaces. | Optional |
| tags | A comma-separated list of alerts filtered by tags. | Optional |
| asset_type | Filter alerts by asset type. | Optional |
| asset_ip | Filter alerts by asset IP. | Optional |
| asset_ids | A comma-separated list of alerts filtered by asset IDs. | Optional |
| query_ids | A comma-separated list of alerts filtered by search IDs. | Optional |

Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Ignite.Alert.id | String | The unique identifier for the alert. |
| Ignite.Alert.resource.id | String | The identifier for the resource associated with the alert. |
| Ignite.Alert.resource.basetypes | String | Base types of the resource related to the alert. |
| Ignite.Alert.resource.container.container.name | String | The name of the nested container within the resource that holds the alert. |
| Ignite.Alert.resource.container.container.native_id | String | The native identifier for the nested container within the resource. |
| Ignite.Alert.resource.container.container.title | String | The title of the nested container within the resource. |
| Ignite.Alert.resource.container.name | String | The name of the container that holds the resource associated with the alert. |
| Ignite.Alert.resource.container.native_id | String | The native identifier for the container that holds the resource. |
| Ignite.Alert.resource.container.title | String | The title of the container that holds the resource associated with the alert. |
| Ignite.Alert.resource.created_at.date-time | String | The date and time when the resource associated with the alert was created in ISO 8601 format. |
| Ignite.Alert.resource.created_at.raw | Date | The raw timestamp or other date-time representation when the resource was created. |
| Ignite.Alert.resource.created_at.timestamp | Number | The UNIX timestamp representing when the resource associated with the alert was created. |
| Ignite.Alert.resource.media_v2.sha1 | String | The SHA1 hash of the media file related to the alert. |
| Ignite.Alert.resource.media_v2.phash | String | The perceptual hash (pHash) of the media file, used to find visually similar images. |
| Ignite.Alert.resource.media_v2.media_type | String | The type of media (e.g., image, video) associated with the alert. |
| Ignite.Alert.resource.media_v2.mime_type | String | The MIME type of the media file associated with the alert. |
| Ignite.Alert.resource.media_v2.storage_uri | String | The storage URI where the media file related to the alert is located. |
| Ignite.Alert.resource.media_v2.image_enrichment.enrichments.v1.image-analysis.safe_search.racy | Number | A score indicating the likelihood that the image contains racy content. |
| Ignite.Alert.resource.media_v2.image_enrichment.enrichments.v1.image-analysis.safe_search.spoof | Number | A score indicating the likelihood that the image contains spoofed content. |
| Ignite.Alert.resource.media_v2.image_enrichment.enrichments.v1.image-analysis.safe_search.medical | Number | A score indicating the likelihood that the image contains medical content. |
| Ignite.Alert.resource.media_v2.image_enrichment.enrichments.v1.image-analysis.safe_search.adult | Number | A score indicating the likelihood that the image contains sexual content. |
| Ignite.Alert.resource.media_v2.image_enrichment.enrichments.v1.image-analysis.safe_search.adult | Number | A score indicating the likelihood that the image contains adult content. |
| Ignite.Alert.resource.media_v2.image_enrichment.enrichments.v1.image-analysis.safe_search.violence | Number | A score indicating the likelihood that the image contains violent content. |
| Ignite.Alert.resource.title | String | The title of the resource associated with the alert. |
| Ignite.Alert.resource.section | String | The section of the platform or service where the resource is categorized or located. |
| Ignite.Alert.resource.repo | String | Repository of the resource related to the alert. |
| Ignite.Alert.resource.snippet | String | Snippet of the resource related to the alert. |
| Ignite.Alert.resource.source | String | Source of the resource related to the alert. |
| Ignite.Alert.resource.url | String | URL of the resource related to the alert. |
| Ignite.Alert.resource.owner | String | Owner of the resource related to the alert. |
| Ignite.Alert.resource.file | String | File associated with the resource related to the alert. |
| Ignite.Alert.resource.parent_basetypes | String | The parent base types that categorize the resource. |
| Ignite.Alert.resource.site_actor.names.handle | String | The username or handle of the site actor related to the resource. |
| Ignite.Alert.resource.site_actor.native_id | String | The native identifier for the site actor associated with the resource. |
| Ignite.Alert.resource.sort_date | Date | The date and time used for sorting the resource, typically the creation or publication date. |
| Ignite.Alert.resource.site.title | String | The title of the site or platform associated with the resource. |
| Ignite.Alert.resource.shodan_host.asn | String | The ASN (Autonomous System Number) of the Shodan host. |
| Ignite.Alert.resource.shodan_host.country | String | The country of the Shodan host. |
| Ignite.Alert.resource.shodan_host.org | String | The organization of the Shodan host. |
| Ignite.Alert.resource.shodan_host.shodan_url | String | The Shodan URL of the Shodan host. |
| Ignite.Alert.resource.shodan_host.vulns | Unknown | The vulnerabilities related to the Shodan host. |
| Ignite.Alert.reason.id | String | ID of the reason for the alert. |
| Ignite.Alert.reason.name | String | Name of the reason for the alert. |
| Ignite.Alert.reason.text | String | Text related to the reason for the alert. |
| Ignite.Alert.reason.origin | String | Origin of the reason for the alert. |
| Ignite.Alert.reason.details.sources | String | Sources related to the reason for the alert. |
| Ignite.Alert.reason.details.params | Unknown | Parameters related to the reason for the alert. |
| Ignite.Alert.reason.details.params.include.date.end | String | The end date for the included date range in the alert's reason details. |
| Ignite.Alert.reason.details.params.include.date.label | String | The label describing the included date range in the alert's reason details. |
| Ignite.Alert.reason.details.params.include.date.start | String | The start date for the included date range in the alert's reason details. |
| Ignite.Alert.reason.details.type | String | The type of details related to the reason for the alert. |
| Ignite.Alert.reason.entity.id | String | ID of the entity related to the reason for the alert. |
| Ignite.Alert.reason.entity.name | String | Name of the entity related to the reason for the alert. |
| Ignite.Alert.reason.entity.type | String | Type of the entity related to the reason for the alert. |
| Ignite.Alert.status | String | Status of the alert. |
| Ignite.Alert.generated_at | Date | Date when the alert was generated. |
| Ignite.Alert.created_at | Date | Date when the alert was created. |
| Ignite.Alert.tags | Unknown | Tags associated with the alert. |
| Ignite.Alert.highlights.media_v2.image_enrichment.enrichments.v1.image-analysis.text.value | String | The text value extracted from the image analysis in the alert's highlights. |
| Ignite.Alert.highlights.ports | String | The highlighted ports related to the alert. |
| Ignite.Alert.highlights.services | String | The highlighted services related to the alert. |
| Ignite.Alert.highlight_text | String | The highlighted text associated with the alert. |
| Ignite.Alert.data_type | String | Data type of the alert. |
| Ignite.Alert.parent_data_type | String | Parent data type of the alert. |
| Ignite.Alert.source | String | Source of the alert. |
| Ignite.Alert.is_read | Boolean | Indicates if the alert has been read. |
| Ignite.Alert.highlights.body.text/plain | String | The plain text extracted from the body of the content highlighted in the alert. |
| Ignite.Alert.reason.details.params.include.ships_from | String | The shipping origin included in the alert's reason details. |
| Ignite.Alert.highlights.snippet | String | A snippet or excerpt highlighted in the alert. |
| Ignite.PageToken.Alert.created_after | Date | Date for filtering alerts created after a specific time. |
| Ignite.PageToken.Alert.created_before | Date | Date for filtering alerts created before a specific time. |
| Ignite.PageToken.Alert.size | String | Size of the page for pagination. |
| Ignite.PageToken.Alert.cursor | Date | Cursor for pagination to retrieve the next set of alerts. |
| Ignite.PageToken.Alert.name | String | The name of the command. |

Command example#

!flashpoint-ignite-alert-list created_after="2024-06-11T05:54:25Z" created_before="2024-06-12T05:54:27Z" size=1

Context Example#

{
    "Ignite": {
        "Alert": [
            {
                "id": "00000000-0000-0000-0000-000000000001",
                "resource": {
                    "id": "00000000-0000-0000-0000-000000000001",
                    "basetypes": [
                        "code",
                        "file",
                        "github",
                        "repository"
                    ],
                    "file": "2024/06/17/My First Blog/index.html",
                    "url": "https://dummyurl.com/naive-gabrie-white",
                    "owner": "naive-gabrie-white",
                    "source": "github",
                    "repo": "naive-gabrie-white.github.io",
                    "snippet": "data-image=\"https://i.dummyurl.net/2021/02/24/000000000000001.png\" data-sites=\"facebook,twitter,wechat,weibo,qq\"></div><link rel=\"stylesheet\" href=\"https:..."
                },
                "reason": {
                    "id": "00000000-0000-0000-0000-000000000001",
                    "name": "fb",
                    "text": "facebook",
                    "origin": "searches",
                    "details": {
                        "sources": [
                            "data_exposure__github",
                            "data_exposure__gitlab",
                            "data_exposure__bitbucket"
                        ]
                    },
                    "entity": {
                        "id": "000000000000000001",
                        "name": "Crest Data Systems",
                        "type": "organization"
                    }
                },
                "generated_at": "2024-06-17T05:54:19Z",
                "created_at": "2024-06-17T05:54:22.158905Z",
                "highlights": {
                    "snippet": [
                        "data-image=\"https://i.dummyurl.net/2021/02/24/000000000000001.png\" data-sites=\"<x-fp-highlight>facebook</x-fp-highlight>,twitter,wechat,weibo,qq\"></div><link rel=\"stylesheet\" href=\"https:..."
                    ]
                },
                "highlight_text": "data-image=\"https://i.dummyurl.net/2021/02/24/000000000000001.png\" data-sites=\"<x-fp-highlight>facebook</x-fp-highlight>,twitter,wechat,weibo,qq\"></div><link rel=\"stylesheet\" href=\"https:...",
                "data_type": "github",
                "source": "data_exposure__github",
                "is_read": false
            },
            {
                "id": "00000000-0000-0000-0000-000000000005",
                "resource": {
                    "id": "00000000000000000005",
                    "basetypes": [
                        "infrastructure",
                        "internet",
                        "shodan"
                    ],
                    "source": "shodan",
                    "shodan_host": {
                        "asn": "AS0001",
                        "country": "United States",
                        "org": "Company LLC",
                        "shodan_url": "https://www.shodan.io/host/0.0.0.1"
                    }
                },
                "reason": {
                    "id": "00000000000000000005",
                    "name": "Company IP",
                    "text": "0.0.0.1",
                    "origin": "assets",
                    "details": {
                        "type": "ipv4s"
                    },
                    "entity": {
                        "id": "000000000000000001",
                        "name": "Crest Data Systems",
                        "type": "organization"
                    }
                },
                "generated_at": "2024-07-02T16:43:17Z",
                "created_at": "2024-07-02T16:43:37.476237Z",
                "highlights": {
                    "ports": [
                        "<x-fp-highlight>53</x-fp-highlight>",
                        "<x-fp-highlight>443</x-fp-highlight>"
                    ],
                    "services": [
                        "<x-fp-highlight>Unknown Service (Port 01)</x-fp-highlight>",
                        "<x-fp-highlight>Unknown Service (Port 02)</x-fp-highlight>"
                    ]
                },
                "highlight_text": "<x-fp-highlight>53</x-fp-highlight>",
                "data_type": "unknown",
                "is_read": false
            }
        ],
        "PageToken": {
            "Alert": {
                "created_after": "2024-06-14T05:54:25Z",
                "created_before": "2024-06-17T05:54:25Z",
                "cursor": "1718603662.158905",
                "name": "flashpoint-ignite-alert-list",
                "size": "1"
            }
        }
    }
}

Human Readable Output#

Alerts#

| **ID** | **Created at (UTC)** | **Query** | **Source** | **Resource URL** | **Site Title** | **Shodan Host** | **Repository** | **Owner** | **Origin** | **Ports** | **Services** | **Highlight Text** |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 00000000-0000-0000-0000-000000000001 | Jun 17, 2024 05:54 | facebook | data_exposure__github | https://dummyurl.com/naive-gabrie-white | | | naive-gabrie-white.github.io | naive-gabrie-white | searches | | | data-image="https://i.dummyurl.net/2021/02/24/000000000000001.png" data-sites="<x-fp-highlight>facebook</x-fp-highlight>,twitter,wechat,weibo,qq"><link rel="stylesheet" href="https:...> |
| 00000000-0000-0000-0000-000000000005 | Jul 02, 2024 16:43 | 0.0.0.1 | | | | asn: AS0001, country: United States, org: Company LLC, shodan_url: https://www.shodan.io/host/0.0.0.1 | | | assets | 53, 443 | Unknown Service (Port 01), Unknown Service (Port 02) | <x-fp-highlight>53</x-fp-highlight> |

To retrieve the next set of result use,#

created_after = 2024-06-14T05:54:25Z created_before = 2024-06-17T05:54:25Z size = 1 cursor = 1718603662.158905
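
The following is an added example, not part of the integration's own code: a sketch of how an automation might consume the `flashpoint-ignite-alert-list` context shown above, stripping the `<x-fp-highlight>` markup from highlight fields and building the follow-up command from `Ignite.PageToken.Alert`. The function names and the trimmed sample context are constructed for illustration, and it assumes the page token values are passed back as arguments of the same names.

```python
import re

# Constructed sample: a trimmed copy of the context example above.
SAMPLE_CONTEXT = {
    "Ignite": {
        "Alert": [
            {
                "id": "00000000-0000-0000-0000-000000000001",
                "reason": {"text": "facebook", "origin": "searches"},
                "highlight_text": 'data-sites="<x-fp-highlight>facebook</x-fp-highlight>,twitter"',
            },
            {
                "id": "00000000-0000-0000-0000-000000000005",
                "reason": {"text": "0.0.0.1", "origin": "assets"},
                "highlights": {
                    "ports": [
                        "<x-fp-highlight>53</x-fp-highlight>",
                        "<x-fp-highlight>443</x-fp-highlight>",
                    ],
                    "services": ["<x-fp-highlight>Unknown Service (Port 01)</x-fp-highlight>"],
                },
                "highlight_text": "<x-fp-highlight>53</x-fp-highlight>",
            },
        ],
        "PageToken": {
            "Alert": {
                "created_after": "2024-06-14T05:54:25Z",
                "created_before": "2024-06-17T05:54:25Z",
                "cursor": "1718603662.158905",
                "name": "flashpoint-ignite-alert-list",
                "size": "1",
            }
        },
    }
}

_TAG = re.compile(r"</?x-fp-highlight>")
_MATCH = re.compile(r"<x-fp-highlight>(.*?)</x-fp-highlight>", re.DOTALL)


def as_list(value):
    """Context paths may hold one object or a list of them; always return a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def strip_highlight(text):
    """Remove the highlight markup, keeping the text it wraps."""
    return _TAG.sub("", text or "")


def matched_terms(text):
    """Return the distinct highlighted terms, in order of first appearance."""
    seen = []
    for term in _MATCH.findall(text or ""):
        if term not in seen:
            seen.append(term)
    return seen


def normalize_alert(alert):
    """Flatten one alert into plain values suitable for a table or a filter."""
    highlights = alert.get("highlights") or {}
    ports = []
    for raw in as_list(highlights.get("ports")):
        value = strip_highlight(str(raw)).strip()
        if value.isdigit() and 0 < int(value) <= 65535:
            ports.append(int(value))
    reason = alert.get("reason") or {}
    return {
        "id": alert.get("id"),
        "query": reason.get("text"),
        "origin": reason.get("origin"),
        "matched": matched_terms(alert.get("highlight_text")),
        "text": strip_highlight(alert.get("highlight_text")),
        "ports": ports,
        "services": [strip_highlight(s) for s in as_list(highlights.get("services"))],
    }


def normalize_alerts(context):
    """Normalize every alert under Ignite.Alert."""
    alerts = (context.get("Ignite") or {}).get("Alert")
    return [normalize_alert(a) for a in as_list(alerts)]


def next_page_command(context):
    """Build the follow-up command from Ignite.PageToken.Alert, or None if absent."""
    token = ((context.get("Ignite") or {}).get("PageToken") or {}).get("Alert")
    if not token or not token.get("cursor"):
        return None
    name = token.get("name", "flashpoint-ignite-alert-list")
    args = []
    for key in ("created_after", "created_before", "size", "cursor"):
        if token.get(key) is not None:
            args.append(f'{key}="{token[key]}"')
    return f"!{name} " + " ".join(args)
```
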

email#


Looks up the "Email" type indicator details. The reputation of Email is considered malicious if there's at least one IoC event in the Ignite database matching the Email indicator.

Base Command#

email

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| email | A comma-separated list of emails. | Required |

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Reliability | string | The reliability of the vendor. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| Ignite.Email.Event.Href | string | A list of reference links of the indicator. |
| Ignite.Email.Event.EventDetails | string | The event details in which the indicator was observed. |
| Ignite.Email.Event.Category | string | The category of the indicator. |
| Ignite.Email.Event.Fpid | string | The Flashpoint ID of the indicator. |
| Ignite.Email.Event.Timestamp | string | The time and date that the indicator was observed. |
| Ignite.Email.Event.Type | string | The indicator type. |
| Ignite.Email.Event.Uuid | string | The UUID of the indicator. |
| Ignite.Email.Event.Comment | string | The comment that was provided when the indicator was observed. |
| Account.Description | string | The description of the indicator. |
| Account.Email.Name | string | Name of indicator. |

Command Example#

!email email="dummy@dummy.com"

Context Example#

{
    "DBotScore": {
        "Indicator": "dummy@dummy.com",
        "Type": "email",
        "Vendor": "Ignite",
        "Score": 3
    },
    "Account": {
        "Description": "Found in malicious indicators dataset",
        "Email": {
            "Address": "dummy@dummy.com"
        }
    },
    "Ignite.Email.Event": [
        {
            "EventDetails": {
                "RelatedEvent": [],
                "Tags": ["sample_tags"],
                "attack_ids": [],
                "event_uuid": "dummy_uuid",
                "fpid": "dummy_fpid",
                "href": "https://mock_dummy.com/technical-intelligence/v1/event/00000001",
                "info": "sample info",
                "reports": [],
                "timestamp": "00001"
            },
            "Category": "sample_category",
            "Fpid": "dummy_fpid",
            "Href": "https://mock_dummy.com/technical-intelligence/v1/attribute/0000001",
            "Timestamp": "00001",
            "Type": "email",
            "Uuid": "dummy_uuid",
            "Comment": "sample comment"
        }
    ]
}

Human Readable Output#

Ignite Email reputation for dummy@dummy.com#

Reputation: Malicious

Events in which this IOC observed#

| **Date Observed (UTC)** | **Name** | **Tags** |
| --- | --- | --- |
| Jan 01, 1970 00:00 | sample info | sample_tags |

All events and details (ignite): https://mock_dummy.com/cti/malware/iocs?sort_date=All%20Time&types=email-dst,email-src,email-src-display-name,email-subject,email&query=%22dummy%40dummy.com%22

filename#


Looks up the "Filename" type indicator details. The reputation of Filename is considered malicious if there's at least one IoC event in the Ignite database matching the Filename indicator.

Base Command#

filename

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| filename | A comma-separated list of filenames. | Required |

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Reliability | string | The reliability of the vendor. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| Ignite.Filename.Event.Href | string | A list of reference links of the indicator. |
| Ignite.Filename.Event.Filename | string | Filename of the indicator. |
| Ignite.Filename.Event.EventDetails | string | The event details in which the indicator was observed. |
| Ignite.Filename.Event.Category | string | The category of the indicator. |
| Ignite.Filename.Event.Fpid | string | The Ignite ID of the indicator. |
| Ignite.Filename.Event.Timestamp | string | The time and date that the indicator was observed. |
| Ignite.Filename.Event.Type | string | The indicator type. |
| Ignite.Filename.Event.Uuid | string | The UUID of the indicator. |
| Ignite.Filename.Event.Comment | string | The comment that was provided when the indicator was observed. |
| Filename.Malicious.Description | string | The description of the malicious indicator. |
| Filename.Malicious.Vendor | string | Vendor of the malicious filename. |
| Filename.Name | string | The filename. |
| Filename.Description | string | The description of the indicator. |

Command Example#

!filename filename="dummy.log"

Context Example#

{
    "DBotScore": {
        "Indicator": "dummy.log",
        "Type": "filename",
        "Vendor": "Ignite",
        "Score": 3
    },
    "Filename": {
        "Name": "dummy.log",
        "Malicious": {
            "Vendor": "Ignite",
            "Description": "Found in malicious indicators dataset"
        }
    },
    "Ignite.Filename.Event": [
        {
            "Filename": "dummy.log",
            "Category": "test category",
            "Fpid": "dummy_fpid",
            "Href": "https://mock_dummy.com/technical-intelligence/v1/attribute/00001",
            "Timestamp": "0000000001",
            "Type": "filename",
            "Uuid": "dummy_uuid",
            "EventDetails": {
                "RelatedEvent": [],
                "Tags": [
                    "sample_tags"
                ],
                "attack_ids": [],
                "event_uuid": "dummy_uuid",
                "fpid": "dummy_fpid",
                "href": "https://mock_dummy.com/technical-intelligence/v1/event/0001",
                "info": "test info",
                "reports": [],
                "timestamp": "0000000001"
            },
            "Comment": ""
        }
    ]
}

Human Readable Output#

Ignite Filename reputation for dummy.log#

Reputation: Malicious

Events in which this IOC observed#

| **Date Observed (UTC)** | **Name** | **Tags** |
| --- | --- | --- |
| Jan 01, 1970 00:00 | test info | sample_tags |

All events and details (ignite): https://mock_dummy.com/cti/malware/iocs?sort_date=All%20Time&types=filename&query=%22dummy.log%22

ip#


Looks up details of an IP indicator. The reputation of the IP address is considered malicious if there's at least one IoC event in the Ignite database that matches the IP indicator. Alternatively, the IP address is considered suspicious if it matches any one of the community's peer IP addresses.

Base Command#

ip

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| ip | A comma-separated list of IP addresses. | Required |

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Reliability | string | The reliability of the vendor. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| IP.Address | string | The IP address. |
| IP.Malicious.Description | string | The description of the malicious indicator. |
| IP.Malicious.Vendor | string | The vendor used to calculate the severity of the IP address. |
| IP.Description | string | The description of the indicator. |
| Ignite.IP.Event.Href | string | A list of reference links of the indicator. |
| Ignite.IP.Event.Address | string | The IP address of the indicator. |
| Ignite.IP.Event.EventDetails | string | The event details in which the indicator was observed. |
| Ignite.IP.Event.Category | string | The category of the indicator. |
| Ignite.IP.Event.Fpid | string | The Ignite ID of the indicator. |
| Ignite.IP.Event.Timestamp | string | The time and date that the indicator was observed. |
| Ignite.IP.Event.Type | string | The indicator type. |
| Ignite.IP.Event.Uuid | string | The UUID of the indicator. |
| Ignite.IP.Event.Comment | string | The comment that was provided when the indicator was observed. |
| IP.Relationships.EntityA | string | The source of the relationship. |
| IP.Relationships.EntityB | string | The destination of the relationship. |
| IP.Relationships.Relationship | string | The name of the relationship. |
| IP.Relationships.EntityAType | string | The type of the source of the relationship. |
| IP.Relationships.EntityBType | string | The type of the destination of the relationship. |
| Ignite.IP.id | String | Unique identifier for the document. |
| Ignite.IP.author | String | The author of the document. |
| Ignite.IP.author_id | String | The ID of the author of the document. |
| Ignite.IP.date | Date | The date associated with the document. |
| Ignite.IP.container_id | String | Unique identifier of the container. |
| Ignite.IP.container_title | String | Title of the container. |
| Ignite.IP.enrichments.bins | Number | Number of bins associated with the document. |
| Ignite.IP.enrichments.bitcoin_addresses | String | Bitcoin addresses associated with the document. |
| Ignite.IP.enrichments.cve_ids | String | CVE IDs associated with the document. |
| Ignite.IP.enrichments.email_addresses | String | Email addresses associated with the document. |
| Ignite.IP.enrichments.ethereum_addresses | String | Ethereum addresses associated with the document. |
| Ignite.IP.enrichments.ip_addresses | String | IP addresses associated with the document. |
| Ignite.IP.enrichments.location.country_code | String | Country code of the location associated with the document. |
| Ignite.IP.enrichments.location.name | String | Name of the location associated with the document. |
| Ignite.IP.enrichments.location.lat | Number | Latitude of the location associated with the document. |
| Ignite.IP.enrichments.location.long | Number | Longitude of the location associated with the document. |
| Ignite.IP.enrichments.monero_addresses | String | Monero addresses associated with the document. |
| Ignite.IP.enrichments.social_media_handles | String | Social media handles associated with the document. |
| Ignite.IP.enrichments.social_media_sites | String | Social media sites associated with the document. |
| Ignite.IP.enrichments.translation.language | String | Language of the translation associated with the document. |
| Ignite.IP.enrichments.translation.message | String | Translation message associated with the document. |
| Ignite.IP.enrichments.url_domains | String | URL domains associated with the document. |
| Ignite.IP.first_observed_at | Date | The first observed date of the document. |
| Ignite.IP.last_observed_at | Date | The last observed date of the document. |
| Ignite.IP.media.id | String | Unique identifier of the media. |
| Ignite.IP.media.file_name | String | File name of the media. |
| Ignite.IP.media.mime_type | String | MIME type of the media. |
| Ignite.IP.media.phash | String | Perceptual hash of the media. |
| Ignite.IP.media.safe_search | String | Safe search value of the media. |
| Ignite.IP.media.size | Number | Size of the media. |
| Ignite.IP.media.sort_date | Date | Date used for sorting the media. |
| Ignite.IP.media.storage_uri | String | Storage URI of the media. |
| Ignite.IP.media.type | String | Type of the media. |
| Ignite.IP.message | String | Message associated with the document. |
| Ignite.IP.message_id | String | ID of the message associated with the document. |
| Ignite.IP.native_id | String | Native ID of the document. |
| Ignite.IP.message_hash | String | Hash of the message associated with the document. |
| Ignite.IP.parent_container_title | String | Title of the parent container. |
| Ignite.IP.section | String | Section of the document. |
| Ignite.IP.section_id | String | ID of the section. |
| Ignite.IP.site | String | The site associated with the document. |
| Ignite.IP.site_actor_handle | String | Actor handle of the site associated with the document. |
| Ignite.IP.site_actor_alias | String | Actor alias of the site associated with the document. |
| Ignite.IP.site_actor_url | String | Actor URL of the site associated with the document. |
| Ignite.IP.site_actor_username | String | Actor username of the site associated with the document. |
| Ignite.IP.site_source_uri | String | Source URI of the site associated with the document. |
| Ignite.IP.site_title | String | Title of the site associated with the document. |
| Ignite.IP.sort_date | Date | Date used for sorting the document. |
| Ignite.IP.source_uri | String | Source URI of the document. |
| Ignite.IP.title | String | Title of the document. |
| Ignite.IP.title_id | String | ID of the title. |
| Ignite.IP.type | String | Type of the document. |

Command example#

!ip ip=0.0.0.1

Context Example#

{
    "DBotScore": {
        "Indicator": "0.0.0.1",
        "Reliability": "B - Usually reliable",
        "Score": 3,
        "Type": "ip",
        "Vendor": "Ignite"
    },
    "IP": {
        "Address": "0.0.0.1",
        "Malicious": {
            "Description": "Found in malicious indicators dataset",
            "Vendor": "Ignite"
        },
        "Relationships": [
            {
                "EntityA": "0.0.0.1",
                "EntityAType": "IP",
                "EntityB": "T1071",
                "EntityBType": "Attack Pattern",
                "Relationship": "indicator-of"
            }
        ]
    },
    "Ignite": {
        "IP": {
            "Event": [
                {
                    "Address": "0.0.0.1",
                    "Category": "Network activity",
                    "Comment": "",
                    "EventDetails": {
                        "RelatedEvent": [],
                        "Tags": [
                            "asn:as11878",
                            "infrastructure:c2",
                            "mitre:T1071",
                            "source:masscan",
                            "tool:cobaltstrike"
                        ],
                        "attack_ids": [
                            "T1071"
                        ],
                        "event_uuid": "00000000-0000-0000-0000-000000000001",
                        "fpid": "0000000000000000000001",
                        "href": "https://api.flashpoint.io/technical-intelligence/v1/event/0000000000000000000001",
                        "info": "Observation: CobaltStrikeVariant [2024-06-09 14:08:21]",
                        "reports": [],
                        "timestamp": "1717964206"
                    },
                    "Fpid": "0000000000000000000001",
                    "Href": "https://api.flashpoint.io/technical-intelligence/v1/attribute/0000000000000000000001",
                    "Timestamp": "1717950039",
                    "Type": "ip-dst",
                    "Uuid": "00000000-0000-0000-0000-000000000001"
                }
            ]
        }
    }
}

Human Readable Output#

Ignite IP Address reputation for 0.0.0.1#

Reputation: Malicious

Events in which this IOC observed#

| **Date Observed (UTC)** | **Name** | **Tags** |
| --- | --- | --- |
| Jun 09, 2024 20:16 | Observation: CobaltStrikeVariant [2024-06-09 14:08:21] | asn:as11878, infrastructure:c2, mitre:T1071, source:masscan, tool:cobaltstrike |

All events and details (ignite): https://app.flashpoint.io/cti/malware/iocs?query=%220.0.0.1%22&sort_date=All%20Time&types=ip-dst,ip-src,ip-dst|port

flashpoint-ignite-common-lookup#


Looks up any type of indicator.

Base Command#

flashpoint-ignite-common-lookup

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| indicator | List of indicators. | Required |

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Reliability | string | The reliability of the vendor. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |

Command example#

!flashpoint-ignite-common-lookup indicator="dummy@dummy.com"

Context Example#

{
    "DBotScore": [
        {
            "Indicator": "dummy@dummy.com",
            "Reliability": "B - Usually reliable",
            "Score": 3,
            "Type": "email",
            "Vendor": "Ignite"
        }
    ]
}

Human Readable Output#

Ignite reputation for dummy@dummy.com#

Reputation: Malicious

Events in which this IOC observed#

| **Date Observed (UTC)** | **Name** | **Tags** |
| --- | --- | --- |
| Feb 06, 2021 01:29 | Observation: reported BazarLoader iocs [2021-02-05 15:30:30] | event:observation, malware:bazar, source:osint, type:64bit, misp-galaxy:mitre-enterprise-attack-attack-pattern="Exfiltration Over Command and Control Channel - 00001" |

All events and details (ignite): https://app.flashpoint.io/cti/malware/iocs?sort_date=All%20Time&query=%22dummy%40dummy.com%22

url#


Looks up the "URL" type indicator details. The reputation of the URL is considered malicious if there's at least one IoC event in the Ignite database matching the URL indicator.

Base Command#

url

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| url | A comma-separated list of URLs. | Required |

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Reliability | string | The reliability of the vendor. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| Ignite.Url.Event.Href | string | A list of reference links of the indicator. |
| Ignite.Url.Event.Url | string | URL of the indicator. |
| Ignite.Url.Event.EventDetails | string | The event details in which the indicator was observed. |
| Ignite.Url.Event.Category | string | The category of the indicator. |
| Ignite.Url.Event.Fpid | string | The Flashpoint ID of the indicator. |
| Ignite.Url.Event.Timestamp | string | The time and date that the indicator was observed. |
| Ignite.Url.Event.Type | string | The indicator type. |
| Ignite.Url.Event.Uuid | string | The UUID of the indicator. |
| Ignite.Url.Event.Comment | string | The comment that was provided when the indicator was observed. |
| URL.Malicious.Description | string | The description of the malicious indicator. |
| URL.Malicious.Vendor | string | Vendor of the malicious URL. |
| URL.Data | string | The URL. |
| URL.Relationships.EntityA | string | The source of the relationship. |
| URL.Relationships.EntityB | string | The destination of the relationship. |
| URL.Relationships.Relationship | string | The name of the relationship. |
| URL.Relationships.EntityAType | string | The type of the source of the relationship. |
| URL.Relationships.EntityBType | string | The type of the destination of the relationship. |
| URL.Description | string | The description of the indicator. |

Command Example#

!url url="http://dummy.com"

Context Example#

{
    "URL": [
        {
            "Data": "http://dummy.com",
            "Malicious": {
                "Vendor": "Ignite",
                "Description": "Found in malicious indicators dataset"
            },
            "Relationships": [
                {
                    "Relationship": "indicator-of",
                    "EntityA": "http://dummy.com",
                    "EntityAType": "URL",
                    "EntityB": "T1016",
                    "EntityBType": "Attack Pattern"
                },
                {
                    "Relationship": "indicator-of",
                    "EntityA": "http://dummy.com",
                    "EntityAType": "URL",
                    "EntityB": "T1027",
                    "EntityBType": "Attack Pattern"
                }
            ]
        }
    ],
    "DBotScore": [
        {
            "Indicator": "http://dummy.com",
            "Type": "url",
            "Vendor": "Ignite",
            "Score": 3
        }
    ],
    "Ignite.URL.Event": [
        {
            "Fpid": "sample_fpid",
            "EventDetails": {
                "RelatedEvent": [],
                "Tags": [
                    "sample_tags"
                ],
                "attack_ids": [
                    "T1016",
                    "T1027"
                ],
                "event_uuid": "sample_uuid",
                "fpid": "sample_fpid",
                "href": "https://api.flashpoint.io/technical-intelligence/v1/event/sample_fpid",
                "info": "Sample info",
                "reports": [],
                "timestamp": "1000000001"
            },
            "Category": "Network activity",
            "Href": "https://api.flashpoint.io/technical-intelligence/v1/attribute/sample_fpid",
            "Timestamp": "1000000001",
            "Type": "url",
            "Uuid": "sample_uuid",
            "Comment": "",
            "Url": "http://dummy.com"
        }
    ]
}

Human Readable Output#

Ignite URL reputation for http://dummy.com#

Reputation: Malicious

Events in which this IOC observed#

| **Date Observed (UTC)** | **Name** | **Tags** |
| --- | --- | --- |
| Jan 01, 2001 12:00 | Sample info | sample_tags |

All events and details (ignite): https://mock_dummy.com/cti/malware/iocs?sort_date=All%20Time&types=url&query=%22http%3A//dummy.com%22

domain#


Looks up the "Domain" type indicator details. The reputation of Domain is considered malicious if there's at least one IoC event in the Ignite database matching the Domain indicator.

Base Command#

domain

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| domain | A comma-separated list of domains. | Required |

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Reliability | string | The reliability of the vendor. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| Ignite.Domain.Event.Href | string | A list of reference links of the indicator. |
| Ignite.Domain.Event.Domain | string | The domain of the indicator. |
| Ignite.Domain.Event.EventDetails | string | The event details in which the indicator was observed. |
| Ignite.Domain.Event.Category | string | The category of the indicator. |
| Ignite.Domain.Event.Fpid | string | The Ignite ID of the indicator. |
| Ignite.Domain.Event.Timestamp | string | The time and date that the indicator was observed. |
| Ignite.Domain.Event.Type | string | The indicator type. |
| Ignite.Domain.Event.Uuid | string | The UUID of the indicator. |
| Ignite.Domain.Event.Comment | string | The comment that was provided when the indicator was observed. |
| Domain.Malicious.Description | string | The description of the malicious indicator. |
| Domain.Malicious.Vendor | string | Vendor of the malicious indicator. |
| Domain.Name | string | Name of the domain. |
| Domain.Description | string | The description of the indicator. |
| Domain.Relationships.EntityA | string | The source of the relationship. |
| Domain.Relationships.EntityB | string | The destination of the relationship. |
| Domain.Relationships.Relationship | string | The name of the relationship. |
| Domain.Relationships.EntityAType | string | The type of the source of the relationship. |
| Domain.Relationships.EntityBType | string | The type of the destination of the relationship. |

Command example#

!domain domain="dummy.com"

Context Example#

{
    "DBotScore": {
        "Indicator": "dummy.com",
        "Reliability": "B - Usually reliable",
        "Score": 3,
        "Type": "domain",
        "Vendor": "Ignite"
    },
    "Domain": {
        "Malicious": {
            "Description": "Found in malicious indicators dataset",
            "Vendor": "Ignite"
        },
        "Name": "dummy.com"
    },
    "Ignite": {
        "Domain": {
            "Event": {
                "Category": "Network activity",
                "Comment": "",
                "Domain": "dummy.com",
                "EventDetails": {
                    "RelatedEvent": [],
                    "Tags": [
                        "actor:APT",
                        "actor:Lazarus",
                        "event:observation",
                        "source:osint"
                    ],
                    "attack_ids": [],
                    "event_uuid": "00000000-0000-0000-0000-000000000001",
                    "fpid": "0000000000000000000001",
                    "href": "https://api.flashpoint.io/technical-intelligence/v1/event/0000000000000000000001",
                    "info": "Observation: APT Lazarus Reported IOCs [2021-07-28 21:10:34]",
                    "reports": [],
                    "timestamp": "1627527286"
                },
                "Fpid": "0000000000000000000001",
                "Href": "https://api.flashpoint.io/technical-intelligence/v1/attribute/0000000000000000000001",
                "Timestamp": "1569436997",
                "Type": "domain",
                "Uuid": "00000000-0000-0000-0000-000000000001"
            }
        }
    }
}

Human Readable Output#

Ignite Domain reputation for dummy.com#

Reputation: Malicious

Events in which this IOC observed#

| **Date Observed (UTC)** | **Name** | **Tags** |
| --- | --- | --- |
| Sep 25, 2019 19:51 | Observation: APT Lazarus Reported IOCs [2021-07-28 21:10:34] | actor:APT, actor:Lazarus, event:observation, source:osint |

All events and details (ignite): https://app.flashpoint.io/cti/malware/iocs?sort_date=All%20Time&types=domain&query=%22dummy.com%22

file#


Looks up the "File" type indicator details. The reputation of File hash is considered malicious if there's at least one IoC event in the Ignite database matching the File hash indicator.

Base Command#

file

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| file | List of files. | Required |

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Reliability | string | The reliability of the vendor. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| Ignite.File.Event.Href | string | A list of reference links of the indicator. |
| Ignite.File.Event.MD5 | string | MD5 file hash of the indicator. |
| Ignite.File.Event.SHA1 | string | SHA1 file hash of the indicator. |
| Ignite.File.Event.SHA256 | string | SHA256 file hash of the indicator. |
| Ignite.File.Event.SHA512 | string | SHA512 file hash of the indicator. |
| Ignite.File.Event.SSDeep | string | SSDeep file hash of the indicator. |
| Ignite.File.Event.EventDetails | string | The event details in which the indicator was observed. |
| Ignite.File.Event.Category | string | The category of the indicator. |
| Ignite.File.Event.Fpid | string | The Ignite ID of the indicator. |
| Ignite.File.Event.Timestamp | string | The time and date that the indicator was observed. |
| Ignite.File.Event.Type | string | The indicator type. |
| Ignite.File.Event.Uuid | string | The UUID of the indicator. |
| Ignite.File.Event.Comment | string | The comment that was provided when the indicator was observed. |
| File.Malicious.Description | string | The description of the malicious indicator. |
| File.Malicious.Vendor | string | Vendor of the malicious file. |
| File.MD5 | string | MD5 type file. |
| File.SHA1 | string | SHA1 type file. |
| File.SHA256 | string | SHA256 type file. |
| File.SHA512 | string | SHA512 type file. |
| File.SSDeep | string | SSDeep type file. |
| File.Relationships.EntityA | string | The source of the relationship. |
| File.Relationships.EntityB | string | The destination of the relationship. |
| File.Relationships.Relationship | string | The name of the relationship. |
| File.Relationships.EntityAType | string | The type of the source of the relationship. |
| File.Relationships.EntityBType | string | The type of the destination of the relationship. |

Command Example#

!file file="00000000000000000000000000000001"

Context Example#

{
    "File": [
        {
            "Hashes": [
                {
                    "type": "MD5",
                    "value": "00000000000000000000000000000001"
                }
            ],
            "MD5": "00000000000000000000000000000001",
            "Malicious": {
                "Vendor": "Ignite",
                "Description": "Found in malicious indicators dataset"
            },
            "Relationships": [
                {
                    "Relationship": "indicator-of",
                    "EntityA": "00000000000000000000000000000001",
                    "EntityAType": "file",
                    "EntityB": "T1010",
                    "EntityBType": "Attack Pattern"
                },
                {
                    "Relationship": "indicator-of",
                    "EntityA": "00000000000000000000000000000001",
                    "EntityAType": "file",
                    "EntityB": "T1027",
                    "EntityBType": "Attack Pattern"
                }
            ]
        }
    ],
    "DBotScore": [
        {
            "Indicator": "00000000000000000000000000000001",
            "Type": "file",
            "Vendor": "Ignite",
            "Score": 3
        }
    ],
    "Ignite.File.Event": [
        {
            "MD5": "00000000000000000000000000000001",
            "EventDetails": {
                "RelatedEvent": [],
                "Tags": [
                    "sample_tags"
                ],
                "attack_ids": [
                    "T1010",
                    "T1027"
                ],
                "event_uuid": "sample_uuid",
                "fpid": "sample_fpid",
                "href": "https://api.flashpoint.io/technical-intelligence/v1/event/sample_fpid",
                "info": "Observation: test_info [\"00000000000000000000000000000001\"]",
                "reports": [],
                "timestamp": "0000000001"
            },
            "Category": "sample category",
            "Fpid": "sample_fpid",
            "Href": "https://api.flashpoint.io/technical-intelligence/v1/attribute/sample_fpid",
            "Timestamp": "0000000001",
            "Type": "md5",
            "Uuid": "sample_uuid",
            "Comment": ""
        }
    ]
}

Human Readable Output#

Ignite File reputation for 00000000000000000000000000000001#

Reputation: Malicious

Events in which this IOC observed#

| **Date Observed (UTC)** | **Name** | **Tags** |
| --- | --- | --- |
| Jan 01, 1970 00:00 | Observation: test_info ["00000000000000000000000000000001"] | sample_tags |

All events and details (ignite): https://mock_dummy.com/cti/malware/iocs?sort_date=All%20time&types=md5,sha1,sha256,sha512,ssdeep&query=%2200000000000000000000000000000001%22

Migration Guide#

Note:
For fetching incidents, set the First Fetch time to the previous integration's Incidents Fetch Interval time. This might create duplicate alerts, but it will ensure that no alert data is lost.

Migrated Commands#

Some of the previous integration's commands have been migrated to new commands. The table below maps each previous Flashpoint command to its Ignite replacement.

| **Flashpoint Command** | **Migrated Ignite Command** |
| --- | --- |
| ip | ip |
| domain | domain |
| filename | filename |
| url | url |
| file | file |
| email | email |
| flashpoint-search-intelligence-reports | flashpoint-ignite-intelligence-report-search |
| flashpoint-get-single-intelligence-report | flashpoint-ignite-intelligence-report-get |
| flashpoint-get-related-reports | flashpoint-ignite-intelligence-related-report-list |
| flashpoint-get-single-event | flashpoint-ignite-event-get |
| flashpoint-get-events | flashpoint-ignite-event-list |
| flashpoint-common-lookup | flashpoint-ignite-common-lookup |
| flashpoint-alert-list | flashpoint-ignite-alert-list |
| flashpoint-compromised-credentials-list | flashpoint-ignite-compromised-credentials-list |

Deprecated Commands#

Some of the previous integration's commands have been deprecated on the Flashpoint API side. The table below lists the deprecated commands, for which no replacement is available.

| **Deprecated Command** |
| --- |
| flashpoint-get-forum-details |
| flashpoint-get-forum-room-details |
| flashpoint-get-forum-user-details |
| flashpoint-get-forum-post-details |
| flashpoint-search-forum-sites |
| flashpoint-search-forum-posts |
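
The following is an added example, not part of the integration or of any Cortex XSOAR tooling: a small audit that scans playbook or script text for the previous integration's command names and reports, per line, the Ignite replacement from the Migrated Commands table or the absence of one for deprecated commands. The names `audit`, `Finding` and `SAMPLE_PLAYBOOK` are hypothetical, and the sample playbook fragment, including its brand prefixes, is constructed.

```python
import re
from typing import NamedTuple, Optional

# Renamed commands, copied from the "Migrated Commands" table. The generic
# reputation commands (ip, domain, filename, url, file, email) keep their names.
MIGRATED = {
    "flashpoint-search-intelligence-reports": "flashpoint-ignite-intelligence-report-search",
    "flashpoint-get-single-intelligence-report": "flashpoint-ignite-intelligence-report-get",
    "flashpoint-get-related-reports": "flashpoint-ignite-intelligence-related-report-list",
    "flashpoint-get-single-event": "flashpoint-ignite-event-get",
    "flashpoint-get-events": "flashpoint-ignite-event-list",
    "flashpoint-common-lookup": "flashpoint-ignite-common-lookup",
    "flashpoint-alert-list": "flashpoint-ignite-alert-list",
    "flashpoint-compromised-credentials-list": "flashpoint-ignite-compromised-credentials-list",
}

# Commands from the "Deprecated Commands" table: no replacement exists.
DEPRECATED = {
    "flashpoint-get-forum-details",
    "flashpoint-get-forum-room-details",
    "flashpoint-get-forum-user-details",
    "flashpoint-get-forum-post-details",
    "flashpoint-search-forum-sites",
    "flashpoint-search-forum-posts",
}

# Match whole command tokens only, so "flashpoint-get-events" is never
# reported inside a longer name and "flashpoint-ignite-*" is matched as a unit.
_COMMAND = re.compile(r"(?<![A-Za-z0-9_-])flashpoint(?:-[a-z0-9]+)+(?![A-Za-z0-9_-])")

# Constructed sample: a fragment in the style of a playbook YAML file.
SAMPLE_PLAYBOOK = """\
tasks:
  "1":
    task:
      script: Flashpoint|||flashpoint-get-events
  "2":
    task:
      script: Flashpoint|||flashpoint-get-forum-details
  "3":
    task:
      script: '|||ip'
  "4":
    task:
      script: Flashpoint Ignite|||flashpoint-ignite-alert-list
"""


class Finding(NamedTuple):
    line: int                    # 1-based line number in the scanned text
    command: str                 # previous integration's command name
    replacement: Optional[str]   # Ignite command, or None when deprecated


def audit(text):
    """Return one Finding per use of a migrated or deprecated command."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for token in _COMMAND.findall(line):
            if token in MIGRATED:
                findings.append(Finding(number, token, MIGRATED[token]))
            elif token in DEPRECATED:
                findings.append(Finding(number, token, None))
    return findings


def report(findings):
    """Render findings as one human-readable line each."""
    lines = []
    for f in findings:
        if f.replacement:
            lines.append(f"line {f.line}: {f.command} -> {f.replacement}")
        else:
            lines.append(f"line {f.line}: {f.command} is deprecated, no replacement")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_PLAYBOOK))))
```
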