Sixgill DarkFeed Enrichment

This integration is part of the Sixgill Darkfeed - Annual Subscription Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Leverage the power of Sixgill to supercharge Cortex XSOAR with real-time threat intelligence indicators. Enrich IOCs such as domains, URLs, hashes, and IP addresses straight from the XSOAR platform. This integration was integrated and tested with sixgill-clients

Configure Sixgill_Darkfeed_Enrichment on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Sixgill_Darkfeed_Enrichment.

  3. Click Add instance to create and configure a new integration instance.

     | Parameter | Description | Required |
     | --- | --- | --- |
     | client_id | Sixgill API client ID | True |
     | client_secret | Sixgill API client secret | True |
     | insecure | Trust any certificate (not secure) | False |
     | proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip


Returns information and a reputation for each IP in the input list.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | A comma-separated list of IPs to check. | Required |
| skip | The number of outputs per indicator to be skipped when returning the result set. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The score of the indicator. |
| DBotScore.Type | String | Indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| SixgillDarkfeed.IP.created | Date | The timestamp when the indicator was created. |
| SixgillDarkfeed.IP.id | String | The unique ID of the indicator. |
| SixgillDarkfeed.IP.description | String | The description of the indicator. |
| SixgillDarkfeed.IP.lang | String | The language of the original post in the Sixgill portal. |
| SixgillDarkfeed.IP.modified | Date | The timestamp when the indicator was last modified. |
| SixgillDarkfeed.IP.pattern | String | The indicator IP address. |
| SixgillDarkfeed.IP.sixgill_actor | String | The actor of the original post on the dark web. |
| SixgillDarkfeed.IP.sixgill_confidence | Number | The indicator confidence score. |
| SixgillDarkfeed.IP.sixgill_feedid | String | The indicator subfeed ID. |
| SixgillDarkfeed.IP.sixgill_feedname | String | The indicator subfeed name. |
| SixgillDarkfeed.IP.sixgill_postid | String | The ID of the post in the Sixgill portal. |
| SixgillDarkfeed.IP.sixgill_posttitle | String | The title of the post in the Sixgill portal. |
| SixgillDarkfeed.IP.sixgill_severity | Number | The indicator severity score. |
| SixgillDarkfeed.IP.sixgill_source | String | The source of the post in the Sixgill portal. |
| SixgillDarkfeed.IP.spec_version | String | The STIX specification version. |
| SixgillDarkfeed.IP.type | String | The STIX object type. |
| SixgillDarkfeed.IP.valid_from | Date | The creation date of the post in the Sixgill portal. |
| SixgillDarkfeed.IP.labels | Unknown | The indicative labels of the indicator. |
| SixgillDarkfeed.IP.external_reference | Unknown | Link to the IOC on VirusTotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques. |
| IP.Address | String | The indicator IP address. |

Command Example

Human Readable Output

domain


Returns information and a reputation for each domain name in the input list.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | A comma-separated list of domain names to check. | Required |
| skip | The number of outputs per indicator to be skipped when returning the result set. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The score of the indicator. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| SixgillDarkfeed.Domain.created | Date | The timestamp when the indicator was created. |
| SixgillDarkfeed.Domain.id | String | The unique ID of the indicator. |
| SixgillDarkfeed.Domain.description | String | The description of the indicator. |
| SixgillDarkfeed.Domain.lang | String | The language of the original post in the Sixgill portal. |
| SixgillDarkfeed.Domain.modified | Date | The timestamp when the indicator was last modified. |
| SixgillDarkfeed.Domain.pattern | String | The indicator domain name. |
| SixgillDarkfeed.Domain.sixgill_actor | String | The actor of the original post on the dark web. |
| SixgillDarkfeed.Domain.sixgill_confidence | Number | The indicator confidence score. |
| SixgillDarkfeed.Domain.sixgill_feedid | String | The indicator subfeed ID. |
| SixgillDarkfeed.Domain.sixgill_feedname | String | The indicator subfeed name. |
| SixgillDarkfeed.Domain.sixgill_postid | String | The ID of the post in the Sixgill portal. |
| SixgillDarkfeed.Domain.sixgill_posttitle | String | The title of the post in the Sixgill portal. |
| SixgillDarkfeed.Domain.sixgill_severity | Number | The indicator severity score. |
| SixgillDarkfeed.Domain.sixgill_source | String | The source of the post in the Sixgill portal. |
| SixgillDarkfeed.Domain.spec_version | String | The STIX specification version. |
| SixgillDarkfeed.Domain.type | String | The STIX object type. |
| SixgillDarkfeed.Domain.valid_from | Date | The creation date of the post in the Sixgill portal. |
| SixgillDarkfeed.Domain.labels | Unknown | The indicative labels of the indicator. |
| SixgillDarkfeed.Domain.external_reference | Unknown | Link to the IOC on VirusTotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques. |
| Domain.Name | String | The indicator domain name. |

Command Example

Human Readable Output

url


Returns information and a reputation for each URL in the input list.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | A comma-separated list of URLs to check. | Required |
| skip | The number of outputs per indicator to be skipped when returning the result set. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The score of the indicator. |
| DBotScore.Type | String | Indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| SixgillDarkfeed.URL.created | Date | The timestamp when the indicator was created. |
| SixgillDarkfeed.URL.id | String | The unique ID of the indicator. |
| SixgillDarkfeed.URL.description | String | The description of the indicator. |
| SixgillDarkfeed.URL.lang | String | The language of the original post in the Sixgill portal. |
| SixgillDarkfeed.URL.modified | Date | The timestamp when the indicator was last modified. |
| SixgillDarkfeed.URL.pattern | String | The indicator URL. |
| SixgillDarkfeed.URL.sixgill_actor | String | The actor of the original post on the dark web. |
| SixgillDarkfeed.URL.sixgill_confidence | Number | The indicator confidence score. |
| SixgillDarkfeed.URL.sixgill_feedid | String | The indicator subfeed ID. |
| SixgillDarkfeed.URL.sixgill_feedname | String | The indicator subfeed name. |
| SixgillDarkfeed.URL.sixgill_postid | String | The ID of the post in the Sixgill portal. |
| SixgillDarkfeed.URL.sixgill_posttitle | String | The title of the post in the Sixgill portal. |
| SixgillDarkfeed.URL.sixgill_severity | Number | The indicator severity score. |
| SixgillDarkfeed.URL.sixgill_source | String | The source of the post in the Sixgill portal. |
| SixgillDarkfeed.URL.spec_version | String | The STIX specification version. |
| SixgillDarkfeed.URL.type | String | The STIX object type. |
| SixgillDarkfeed.URL.valid_from | Date | The creation date of the post in the Sixgill portal. |
| SixgillDarkfeed.URL.labels | Unknown | The indicative labels of the indicator. |
| URL.Data | string | The indicator URL. |
| SixgillDarkfeed.URL.external_reference | Unknown | Link to the IOC on VirusTotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques. |

Command Example

Human Readable Output

file


Returns information and a reputation for each file hash in the input list.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | A comma-separated list of file hashes to check. | Required |
| skip | The number of outputs per indicator to be skipped when returning the result set. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The score of the indicator. |
| DBotScore.Type | String | Indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| SixgillDarkfeed.File.created | Date | The timestamp when the indicator was created. |
| SixgillDarkfeed.File.id | String | The unique ID of the indicator. |
| SixgillDarkfeed.File.description | String | The description of the indicator. |
| SixgillDarkfeed.File.lang | String | The language of the original post in the Sixgill portal. |
| SixgillDarkfeed.File.modified | Date | The timestamp when the indicator was last modified. |
| SixgillDarkfeed.File.pattern | String | The indicator file hash (hashes include MD5, SHA-1 and SHA-256 when possible). |
| SixgillDarkfeed.File.sixgill_actor | String | The actor of the original post on the dark web. |
| SixgillDarkfeed.File.sixgill_confidence | Number | The indicator confidence score. |
| SixgillDarkfeed.File.sixgill_feedid | String | The indicator subfeed ID. |
| SixgillDarkfeed.File.sixgill_feedname | String | The indicator subfeed name. |
| SixgillDarkfeed.File.sixgill_postid | String | The ID of the post in the Sixgill portal. |
| SixgillDarkfeed.File.sixgill_posttitle | String | The title of the post in the Sixgill portal. |
| SixgillDarkfeed.File.sixgill_severity | Number | The indicator severity score. |
| SixgillDarkfeed.File.sixgill_source | String | The source of the post in the Sixgill portal. |
| SixgillDarkfeed.File.spec_version | String | The STIX specification version. |
| SixgillDarkfeed.File.type | String | The STIX object type. |
| SixgillDarkfeed.File.valid_from | Date | The creation date of the post in the Sixgill portal. |
| SixgillDarkfeed.File.labels | Unknown | The indicative labels of the indicator. |
| SixgillDarkfeed.File.external_reference | Unknown | Link to the IOC on VirusTotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques. |
| File.SHA256 | string | The SHA256 file hash. |
| File.SHA512 | string | The SHA512 file hash. |
| File.SHA1 | string | The SHA1 file hash. |
| File.MD5 | string | The MD5 file hash. |
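
An added example (not part of the integration or its documentation) showing how an automation might combine the DBotScore and SixgillDarkfeed fields that the ip, domain, url and file commands write to context. The nested-dict context layout, the thresholds, the verdict names, the quoted STIX form of `pattern` and all sample values are assumptions.

```python
# Added example, not the integration's code. Thresholds are assumptions.
DBOT_BAD = 3  # XSOAR DBotScore scale: 0 unknown, 1 good, 2 suspicious, 3 bad

def as_list(value):
    """A context path may hold one dict or a list of dicts."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def matches(item, indicator):
    """Exact match only, so 198.51.100.7 never matches 198.51.100.77.
    The quoted STIX-pattern form is an assumption about `pattern`."""
    pattern = str(item.get("pattern", ""))
    return pattern == indicator or f"'{indicator}'" in pattern

def triage(context, kind, indicator, min_confidence=80, min_severity=70):
    """Return (verdict, evidence) for one IP/Domain/URL/File indicator."""
    dbot = max((s.get("Score", 0) for s in as_list(context.get("DBotScore"))
                if s.get("Indicator") == indicator), default=0)
    feed = (context.get("SixgillDarkfeed") or {}).get(kind)
    items = [i for i in as_list(feed) if matches(i, indicator)]
    if not items:
        return "no-intel", None
    # Several feed items can exist per indicator; judge by the most severe one.
    top = max(items, key=lambda i: (i.get("sixgill_severity", 0),
                                    i.get("sixgill_confidence", 0)))
    evidence = {"dbot_score": dbot,
                "severity": top.get("sixgill_severity", 0),
                "confidence": top.get("sixgill_confidence", 0),
                "feed": top.get("sixgill_feedname"),
                "post_id": top.get("sixgill_postid")}
    strong = (evidence["confidence"] >= min_confidence
              and evidence["severity"] >= min_severity)
    return ("block" if dbot == DBOT_BAD and strong else "review"), evidence

# Constructed sample context (documentation-range IPs, made-up feed values).
SAMPLE_CONTEXT = {
    "DBotScore": [{"Indicator": "198.51.100.7", "Score": 3, "Type": "ip",
                   "Vendor": "constructed-vendor"}],
    "SixgillDarkfeed": {"IP": [
        {"pattern": "[ipv4-addr:value = '198.51.100.7']",
         "sixgill_confidence": 90, "sixgill_severity": 80,
         "sixgill_feedname": "constructed_feed", "sixgill_postid": "constructed-post-1"},
        {"pattern": "[ipv4-addr:value = '198.51.100.77']",
         "sixgill_confidence": 60, "sixgill_severity": 95,
         "sixgill_feedname": "constructed_feed", "sixgill_postid": "constructed-post-2"},
    ]},
}
```

Keeping the feed name and post ID in the evidence lets an analyst trace a verdict back to the originating post in the Sixgill portal.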

Command Example

Human Readable Output

sixgill-get-actor


Returns information and a reputation for each actor in the input list.

Base Command

sixgill-get-actor

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| actor | A comma-separated list of actors to check. | Required |
| skip | The number of outputs per actor to be skipped when returning the result set. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SixgillDarkfeed.Actor.created | Date | The timestamp when the actor shared their first IOC. |
| SixgillDarkfeed.Actor.id | String | The unique ID of the actor. |
| SixgillDarkfeed.Actor.description | String | The description of the actor. |
| SixgillDarkfeed.Actor.lang | String | The language of the original post in the Sixgill portal. |
| SixgillDarkfeed.Actor.modified | Date | The timestamp when the actor was last modified. |
| SixgillDarkfeed.Actor.pattern | String | A list of the IOCs shared by the actor. |
| SixgillDarkfeed.Actor.sixgill_actor | String | The actor of the original post on the dark web. |
| SixgillDarkfeed.Actor.sixgill_confidence | Number | The confidence score of the actor. |
| SixgillDarkfeed.Actor.sixgill_feedid | String | The Subfeed ID of the actor. |
| SixgillDarkfeed.Actor.sixgill_feedname | String | The Subfeed name of the actor. |
| SixgillDarkfeed.Actor.sixgill_postid | String | The ID of the post in the Sixgill portal. |
| SixgillDarkfeed.Actor.sixgill_posttitle | String | The title of the post in the Sixgill portal. |
| SixgillDarkfeed.Actor.sixgill_severity | Number | The severity score of the actor. |
| SixgillDarkfeed.Actor.sixgill_source | String | The source of the post in the Sixgill portal. |
| SixgillDarkfeed.Actor.spec_version | String | The STIX specification version. |
| SixgillDarkfeed.Actor.type | String | The STIX object type. |
| SixgillDarkfeed.Actor.valid_from | Date | The creation date of the post in the Sixgill portal. |
| SixgillDarkfeed.Actor.labels | Unknown | The indicative labels of the actor. |
| SixgillDarkfeed.Actor.external_reference | Unknown | Link to the IOC on VirusTotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques. |

Command Example

Human Readable Output

sixgill-get-post-id


Returns information and a reputation for each post ID in the input list.

Base Command

sixgill-get-post-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| post_id | A comma-separated list of post IDs to check. | Required |
| skip | The number of outputs per post ID to be skipped when returning the result set. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SixgillDarkfeed.Postid.created | Date | The timestamp when an IOC was first included in the post. |
| SixgillDarkfeed.Postid.id | String | The unique ID of the post. |
| SixgillDarkfeed.Postid.description | String | The description of the post ID. |
| SixgillDarkfeed.Postid.lang | String | The language of the original post in the Sixgill portal. |
| SixgillDarkfeed.Postid.modified | Date | The timestamp when the post ID information was last modified. |
| SixgillDarkfeed.Postid.pattern | String | A list of the IOCs included in the post. |
| SixgillDarkfeed.Postid.sixgill_actor | String | The actor of the original post on the dark web. |
| SixgillDarkfeed.Postid.sixgill_confidence | Number | The confidence score of the post ID. |
| SixgillDarkfeed.Postid.sixgill_feedid | String | The Subfeed ID of the post ID. |
| SixgillDarkfeed.Postid.sixgill_feedname | String | The Subfeed name of the post ID. |
| SixgillDarkfeed.Postid.sixgill_postid | String | The ID of the post in the Sixgill portal. |
| SixgillDarkfeed.Postid.sixgill_posttitle | String | The title of the post in the Sixgill portal. |
| SixgillDarkfeed.Postid.sixgill_severity | Number | The severity score of the post ID. |
| SixgillDarkfeed.Postid.sixgill_source | String | The source of the post in the Sixgill portal. |
| SixgillDarkfeed.Postid.spec_version | String | The STIX specification version. |
| SixgillDarkfeed.Postid.type | String | The STIX object type. |
| SixgillDarkfeed.Postid.valid_from | Date | The creation date of the post in the Sixgill portal. |
| SixgillDarkfeed.Postid.labels | Unknown | The indicative labels of the post ID. |
| SixgillDarkfeed.Postid.external_reference | Unknown | Link to the IOC on VirusTotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques. |

Command Example

Human Readable Output