Sixgill DarkFeed Enrichment
This Integration is part of the Sixgill Darkfeed - Annual Subscription Pack.
Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
Leverage the power of Sixgill to supercharge Cortex XSOAR with real-time Threat Intelligence indicators. Enrich IOCs such as domains, URLs, hashes, and IP addresses straight from the XSOAR platform. This integration was integrated and tested with sixgill-clients
Configure Sixgill_Darkfeed_Enrichment in Cortex
| Parameter | Description | Required |
|---|---|---|
| client_id | Sixgill API client ID | True |
| client_secret | Sixgill API client secret | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
ip
Returns information and a reputation for each IP in the input list.
Base Command
ip
Input
| Argument Name | Description | Required |
|---|---|---|
| ip | A comma-separated list of IPs to check. | Required |
| skip | The number of outputs per indicator to be skipped when returning the result set. Default is 0. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The score of the indicator. |
| DBotScore.Type | String | Indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| SixgillDarkfeed.IP.created | Date | The timestamp when the indicator was created. |
| SixgillDarkfeed.IP.id | String | The unique ID of the indicator. |
| SixgillDarkfeed.IP.description | String | The description of the indicator. |
| SixgillDarkfeed.IP.lang | String | The language of the original post in the Sixgill portal. |
| SixgillDarkfeed.IP.modified | Date | The timestamp when the indicator was last modified. |
| SixgillDarkfeed.IP.pattern | String | The indicator IP address. |
| SixgillDarkfeed.IP.sixgill_actor | String | The actor of the original post on the dark web. |
| SixgillDarkfeed.IP.sixgill_confidence | Number | The indicator confidence score. |
| SixgillDarkfeed.IP.sixgill_feedid | String | The indicator subfeed ID. |
| SixgillDarkfeed.IP.sixgill_feedname | String | The indicator subfeed name. |
| SixgillDarkfeed.IP.sixgill_postid | String | The ID of the post in the Sixgill portal. |
| SixgillDarkfeed.IP.sixgill_posttitle | String | The title of the post in the Sixgill portal. |
| SixgillDarkfeed.IP.sixgill_severity | Number | The indicator severity score. |
| SixgillDarkfeed.IP.sixgill_source | String | The source of the post in the Sixgill portal. |
| SixgillDarkfeed.IP.spec_version | String | The STIX specification version. |
| SixgillDarkfeed.IP.type | String | The STIX object type. |
| SixgillDarkfeed.IP.valid_from | Date | The creation date of the post in the Sixgill portal. |
| SixgillDarkfeed.IP.labels | Unknown | The indicative labels of the indicator. |
| SixgillDarkfeed.IP.external_reference | Unknown | Link to the IOC on VirusTotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques. |
| IP.Address | String | The indicator IP address. |
Command Example
Human Readable Output
url
Returns information and a reputation for each URL in the input list.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
Base Command
url
Input
| Argument Name | Description | Required |
|---|---|---|
| url | A comma-separated list of URLs to check. | Required |
| skip | The number of outputs per indicator to be skipped when returning the result set. Default is 0. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The score of the indicator. |
| DBotScore.Type | String | Indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| SixgillDarkfeed.URL.created | Date | The timestamp when the indicator was created. |
| SixgillDarkfeed.URL.id | String | The unique ID of the indicator. |
| SixgillDarkfeed.URL.description | String | The description of the indicator. |
| SixgillDarkfeed.URL.lang | String | The language of the original post in the Sixgill portal. |
| SixgillDarkfeed.URL.modified | Date | The timestamp when the indicator was last modified. |
| SixgillDarkfeed.URL.pattern | String | The indicator URL. |
| SixgillDarkfeed.URL.sixgill_actor | String | The actor of the original post on the dark web. |
| SixgillDarkfeed.URL.sixgill_confidence | Number | The indicator confidence score. |
| SixgillDarkfeed.URL.sixgill_feedid | String | The indicator subfeed ID. |
| SixgillDarkfeed.URL.sixgill_feedname | String | The indicator subfeed name. |
| SixgillDarkfeed.URL.sixgill_postid | String | The ID of the post in the Sixgill portal. |
| SixgillDarkfeed.URL.sixgill_posttitle | String | The title of the post in the Sixgill portal. |
| SixgillDarkfeed.URL.sixgill_severity | Number | The indicator severity score. |
| SixgillDarkfeed.URL.sixgill_source | String | The source of the post in the Sixgill portal. |
| SixgillDarkfeed.URL.spec_version | String | The STIX specification version. |
| SixgillDarkfeed.URL.type | String | The STIX object type. |
| SixgillDarkfeed.URL.valid_from | Date | The creation date of the post in the Sixgill portal. |
| SixgillDarkfeed.URL.labels | Unknown | The indicative labels of the indicator. |
| URL.Data | String | The indicator URL. |
| SixgillDarkfeed.URL.external_reference | Unknown | Link to the IOC on VirusTotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques. |
Command Example
Human Readable Output
sixgill-get-actor
Returns information and a reputation for each actor in the input list.
Base Command
sixgill-get-actor
Input
| Argument Name | Description | Required |
|---|---|---|
| actor | A comma-separated list of actors to check. | Required |
| skip | The number of outputs per actor to be skipped when returning the result set. Default is 0. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SixgillDarkfeed.Actor.created | Date | The timestamp when the actor shared their first IOC. |
| SixgillDarkfeed.Actor.id | String | The unique ID of the actor. |
| SixgillDarkfeed.Actor.description | String | The description of the actor. |
| SixgillDarkfeed.Actor.lang | String | The language of the original post in the Sixgill portal. |
| SixgillDarkfeed.Actor.modified | Date | The timestamp when the actor was last modified. |
| SixgillDarkfeed.Actor.pattern | String | A list of the IOCs shared by the actor. |
| SixgillDarkfeed.Actor.sixgill_actor | String | The actor of the original post on the dark web. |
| SixgillDarkfeed.Actor.sixgill_confidence | Number | The confidence score of the actor. |
| SixgillDarkfeed.Actor.sixgill_feedid | String | The Subfeed ID of the actor. |
| SixgillDarkfeed.Actor.sixgill_feedname | String | The Subfeed name of the actor. |
| SixgillDarkfeed.Actor.sixgill_postid | String | The ID of the post in the Sixgill portal. |
| SixgillDarkfeed.Actor.sixgill_posttitle | String | The title of the post in the Sixgill portal. |
| SixgillDarkfeed.Actor.sixgill_severity | Number | The severity score of the actor. |
| SixgillDarkfeed.Actor.sixgill_source | String | The source of the post in the Sixgill portal. |
| SixgillDarkfeed.Actor.spec_version | String | The STIX specification version. |
| SixgillDarkfeed.Actor.type | String | The STIX object type. |
| SixgillDarkfeed.Actor.valid_from | Date | The creation date of the post in the Sixgill portal. |
| SixgillDarkfeed.Actor.labels | Unknown | The indicative labels of the actor. |
| SixgillDarkfeed.Actor.external_reference | Unknown | Link to the IOC on VirusTotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques. |
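Because each command can return several Darkfeed records per indicator (which is what `skip` pages through), a playbook usually needs one verdict per indicator rather than a list of posts. The following is an added example, not code from the integration: it collapses the records under `SixgillDarkfeed.IP`, `SixgillDarkfeed.URL` or `SixgillDarkfeed.Actor` into one summary row per `pattern`. The function name `summarize`, the thresholds of 70 and all sample values are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: keys follow the Context Output tables, all values are invented.
SAMPLE_CONTEXT = {"SixgillDarkfeed": {"IP": [
    {"id": "indicator--a1", "pattern": "198.51.100.7", "sixgill_confidence": 90,
     "sixgill_severity": 80, "sixgill_feedname": "feed_a",
     "modified": "2021-03-02T10:00:00.000Z"},
    {"id": "indicator--a2", "pattern": "198.51.100.7", "sixgill_confidence": 60,
     "sixgill_severity": 70, "sixgill_feedname": "feed_b",
     "modified": "2021-03-05T08:30:00.000Z"},
    {"id": "indicator--a1", "pattern": "198.51.100.7", "sixgill_confidence": 90,
     "sixgill_severity": 80, "sixgill_feedname": "feed_a",
     "modified": "2021-03-02T10:00:00.000Z"},  # same ID returned twice
    {"id": "indicator--b1", "pattern": "203.0.113.9", "sixgill_confidence": 40,
     "sixgill_severity": 30, "sixgill_feedname": "feed_a",
     "modified": "2021-02-11T00:00:00.000Z"},
]}}


def summarize(context, kind="IP", min_confidence=70, min_severity=70):
    """Collapse the records under SixgillDarkfeed.<kind> into one row per pattern.

    The thresholds are local-policy assumptions, not values from the integration.
    """
    records = (context.get("SixgillDarkfeed") or {}).get(kind) or []
    if isinstance(records, dict):  # a context path can hold one object instead of a list
        records = [records]
    seen, grouped = set(), defaultdict(list)
    for rec in records:
        rid = rec.get("id")
        if rid is not None and rid in seen:  # drop repeats of the same indicator ID
            continue
        seen.add(rid)
        grouped[rec.get("pattern")].append(rec)
    summary = {}
    for pattern, recs in grouped.items():
        conf = [r.get("sixgill_confidence") or 0 for r in recs]
        sev = [r.get("sixgill_severity") or 0 for r in recs]
        summary[pattern] = {
            "records": len(recs),
            "max_confidence": max(conf),
            "max_severity": max(sev),
            "feeds": sorted({r["sixgill_feedname"] for r in recs if r.get("sixgill_feedname")}),
            # ISO 8601 UTC strings of one shape sort chronologically as text
            "last_modified": max(r.get("modified") or "" for r in recs),
            # escalate only when a single record clears both thresholds
            "escalate": any(c >= min_confidence and s >= min_severity
                            for c, s in zip(conf, sev)),
        }
    return summary
```

Requiring one record to clear both thresholds avoids escalating an indicator whose high severity and high confidence come from two unrelated posts.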