Available Blocks
The integration provides the following reusable blocks:
This block evaluates indicators based on their confidence scores and determines whether they should be added to or removed from the allowed list in Cyware Intel Exchange. It is typically used within playbooks that automate indicator management.
Inputs
The block accepts the following inputs:
IOC Value: The indicator value to evaluate.
IOC Type: The type of indicator (for example, IPv4, domain, or URL).
Confidence Score: The confidence score associated with the indicator.
Workflow
The block performs the following sequence of steps:
The block retrieves the indicator details from Cyware Intel Exchange using the Get IOC Details action.
It evaluates the confidence score associated with each indicator.
Based on the score, the block performs the following actions:
High Risk (confidence_score > 69): Indicators are removed from the allowed list.
Medium Risk (30 ≤ confidence_score ≤ 69): No action is taken.
Low Risk (confidence_score < 30): Indicators are added to the allowed list. A comment will be added with the following possible outcomes:
Added: IOC is added to the allowed list on Cyware Intel Exchange.
Invalid: IOC is not valid for addition to the allowed list on Cyware Intel Exchange.
Already Exists: IOC already exists in the allowed list on Cyware Intel Exchange.
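The following Python example is added here and is not Cyware's code or part of the block: it models the threshold logic above against an in-memory set, so the boundary scores (29, 30, 69, 70) and the three comment outcomes can be checked. The 0 to 100 score range, the IPv4-only validity check, the function names, and the "Removed" and "No Action" labels are assumptions.

```python
import ipaddress

HIGH_RISK_ABOVE = 69  # page: confidence_score > 69 is High Risk
LOW_RISK_BELOW = 30   # page: confidence_score < 30 is Low Risk


def risk_band(score):
    """Map a confidence score to the page's bands; fail closed on bad input."""
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        raise ValueError(f"confidence score is not numeric: {score!r}")
    if not 0 <= score <= 100:  # assumption: scores run from 0 to 100
        raise ValueError(f"confidence score out of range: {score!r}")
    if score > HIGH_RISK_ABOVE:
        return "high"
    return "low" if score < LOW_RISK_BELOW else "medium"


def is_valid(ioc_type, ioc_value):
    """Assumed validity rule; the page does not define what makes an IOC invalid."""
    if ioc_type.lower() == "ipv4":
        try:
            ipaddress.IPv4Address(ioc_value)
        except ValueError:
            return False
        return True
    return bool(ioc_value.strip())


def evaluate(ioc_value, ioc_type, score, allowed):
    """Apply the decision to `allowed`, a set standing in for the allowed list."""
    band = risk_band(score)
    key = (ioc_type.lower(), ioc_value)
    if band == "high":
        allowed.discard(key)
        return "Removed"      # constructed label
    if band == "medium":
        return "No Action"    # constructed label
    if not is_valid(ioc_type, ioc_value):
        return "Invalid"
    if key in allowed:
        return "Already Exists"
    allowed.add(key)
    return "Added"


if __name__ == "__main__":
    allowed = set()  # constructed sample data (documentation address range)
    for value, score in [("192.0.2.10", 12), ("192.0.2.10", 12), ("192.0.2.999", 5),
                         ("192.0.2.10", 69), ("192.0.2.10", 70)]:
        print(value, score, evaluate(value, "IPv4", score, allowed))
```

A score that arrives as a string or outside the assumed range raises an error instead of falling into the Low Risk branch, so a malformed value never results in an indicator being allow-listed.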
This block prepares the indicator information required to create Jira tickets for indicators that require manual investigation.
Inputs
The block accepts the following inputs:
IOC Fields: The IOC fields to retrieve when fetching IOC details. By default, the block retrieves the following fields: id, confidence_score, name, and manual_review.
Jira Project Key: The Jira project in which the issue will be created.
Workflow
The block performs the following sequence of steps:
The block receives the configured IOC fields and Jira project key as inputs.
It executes the Extract Input Params action to collect the provided input values.
The action converts the collected input values into a structured JSON format that can be used by subsequent actions in the playbook.