Skip to main content

Cyware Orchestrate

CTIX V3

App Vendor: Cyware

App Category: Data Enrichment & Threat Intelligence

Connector Version: 1.11.0

API Version: 3.0.0

About App

Cyware Threat Intelligence Platform (CTIX) is a smart, client-server threat intelligence platform (TIP) for ingestion, enrichment, analysis, and bi-directional sharing of threat data within your trusted network. The CTIX app enables security teams to integrate with the CTIX enterprise application for data ingestion, data enrichment, analysis, and bi-directional sharing of threat data within the trusted network.

The CTIX V3 connector app is configured with Orchestrate to perform the following actions:

Action on Rules 

This action performs actions on rules, such as activate, deactivate, and more.

Add Tag to Threat Data 

This action adds a tag to a threat object.

Add Whitelisted IOCs 

This action adds an indicator as whitelisted.

Bulk IOC Advance Lookup 

This action searches threat data objects in the CTIX application in bulk and retrieves the details of the objects.

Bulk Lookup and Create Intel 

This action fetches or creates the list of threat data objects present in the CTIX application. 

Create Collections 

This action creates a collection on CTIX.

Create CTIX Action 

This action creates an action on CTIX.

Create Enrichment Object

This action creates an enrichment for an object on CTIX.

Create Global Note

This action creates a global note for an object on CTIX.

Create Saved Search 

This action creates a saved search on CTIX.

Create Subscriber 

This action adds a subscriber in CTIX.

Create Tag

This action creates a tag on CTIX.

Create Threat Defender Content 

This action creates a threat defender content record.

Create Tool Account 

This action creates an account of a tool in CTIX.

Delete a Tag

This action deletes a tag.

Delete Report 

This action deletes a report from CTIX. This action is irreversible and the deleted report cannot be retrieved.

Generate Export Link 

This action generates an export link that is used to share data on CTIX.

Get Accounts of a Tool in CTIX

This action lists all the accounts of a tool in CTIX.

Get Advanced View of Object

This action is used to get an advanced view of the object.

Get License Info 

This action retrieves the license details. Use this action with caution as it exposes the license details.

Get Note Details

This action retrieves note details from CTIX.

Get Object Details by Table View

This action retrieves the object information for the given filters in a tabular format.

Get Object View of Indicator

This action retrieves basic correlated object information for an indicator object in CTIX.

Get Related Objects 

This action retrieves the related objects of an object type, such as the top threat actors in an industry or top TTPs used by a Threat Actor.

Get Report Details 

This action retrieves the details of a report.

Get Report Run Logs 

This action retrieves the report run log details.

Get Rule Details 

This action retrieves the details of a rule.

Get Saved Search Result 

This action retrieves the results of a saved search on CTIX.

Get Threat Object Relations

This action retrieves the relationships for an object on CTIX.

Get User Details 

This action retrieves the details of a user from the CTIX application.

Get User Group Details 

This action retrieves the user group details from the CTIX application.

Get Whitelisted IOC Details 

This action retrieves the details of a whitelisted object.

Get Widgets Data 

This action retrieves the details of a specific widget.

Import Intel

This action imports threat data to Intel Exchange.

Ingest STIX Data 

This action ingests STIX 2.0 data into CTIX.

List All Collections 

This action retrieves a list of all collections in CTIX.

List All Global Notes

This action lists all the global notes from CTIX.

List All Tags

This action lists all tags from CTIX.

List API Feeds 

This action retrieves a list of all API feeds available on CTIX.

List Enrichment Objects 

This action retrieves a list of all enrichment tools.

List Integrations 

This action retrieves a list of the integrations configured in CTIX.

List Quick Add Intel History

This action lists the intel added using Quick Add Intel.

List Reports 

This action retrieves a list of reports.

List Rules 

This action retrieves a list of all enrichment rules.

List Saved Result Set 

This action retrieves the data published using the Save Result Set and Save Result Set V3 actions in the rules.

List Saved Searches 

This action retrieves a list of saved searches on CTIX.

List Sources 

This action lists all the feed sources available in CTIX.

List Subscribers 

This action retrieves a list of subscribers configured in CTIX.

List User Groups 

This action lists the user groups from the CTIX application.

List Users 

This action lists the users of the CTIX application.

List Whitelisted IOCs 

This action retrieves a list of all whitelisted IOCs.

List Widgets 

This action retrieves a list of widgets configured in CTIX.

Perform Manual Action on IOC

This action applies actions to a threat data object.

Quick Add Indicators 

This action adds threat indicators data in CTIX.

Run Report 

This action runs a report.

Run Rule 

This action runs a rule on CTIX.

Search Threat Data 

This action searches for CTIX threat data.

Update Global Note

This action creates a global note for an object on CTIX.

Update User Details 

This action updates the user details on the CTIX application.

Update User Group Details 

This action updates the user group details on the CTIX.

View Detailed Page Source Description 

This action retrieves description, fanged description, and more for the given object type and object ID as received from the feed source.

View External References For Object 

This action retrieves all external references for an object.

View Object Source Details 

This action retrieves object information for the given object ID.

View Object Source List 

This action retrieves object details in retrospect to the source.

Generic Action

This action performs an action on CTIX to an undefined endpoint that is not handled by the app.

Action Name

Description

Configuration Parameters

The following configuration parameters are required for the CTIX V3 app to communicate with the CTIX V3 enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

Base URL 

Enter the base URL of CTIX.

Example:

https://qa.cyware.com/ctixapi/

Text

Required

Base URL format:

https://tenant_code.cyware.com/ctixapi/

Access Key 

Enter the CTIX access ID to authenticate with.

Password

Required

Secret Key 

Enter the secret secret key to authenticate with.

Password

Required

SSL Verification 

Choose your preference to verify SSL while making requests. It is recommended to set this option to yes. Passing no may result in incorrectly establishing the connection.

Boolean

Optional

By default, verification is enabled.

Timeout

Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with CTIX V3.

Integer

Optional

Allowed range:

15-120

Default value:

15

Action: Action on Rules

This action performs actions on rules, such as activate, deactivate, and more.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Rule ID List 

Enter the list of rule IDs to perform an action on.

Example:

$LIST[98230f-0e9f-45f4-a4c4-sdv89023hb3423]

List

Required

Action 

Enter the action to perform.

Example:

follow

Text

Required

Allowed values:

  • follow

  • unfollow

  • activate

  • inactivate

Example Request 

[
  {
    “rule_id_list”: [“98230f-0e9f-45f4-a4c4-sdv89023hb3423”],
    “action”: "follow"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.details 

String

Returns success message "Successful".

Action: Add Tag to Threat Data

This action adds a tag to a threat object.

Action Input Parameters

Parameter 

Description 

Field Type 

Required/Optional 

Comments 

Object ID 

Enter the object ID to which you need to add a tag.

Example: 

"05d1bb85-74ac-4bea-bdc2-284e6e57c4bd"

Text

Required

Tag to Add 

Enter a tag that you need to add to an object.

Example: 

"phishing"

Text

Required

Create New Tags 

Choose to create a new tag, if the entered tag does not exist.

Example: 

true

Boolean

Optional

Allowed values:

  • true

  • false

Object Type 

Enter the type of threat data object. 

Example: 

  • indicator

  • vulnerability

  • malware

Text

Optional

Default: 

Indicator

Example Request  

[
    {
        "object_id": "05d1bb85-74ac-4bea-bdc2-284e6e57c4bd",
        "tag_to_add": "phishing",
        "create_new_tags": true
    }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.message 

String

Returns success message "Action Successfully Executed".

Action: Add Whitelisted IOCs

This action adds an indicator as whitelisted.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

IOC Type 

Enter the type of the IOC.

Example:

ipv4-addr

Text

Required

IOC List 

Enter the list of IOCs to add to the whitelist.

Example:

$LIST[1.1.1.1, 2.2.2.2]

List

Required

Description 

Enter a description to pass with the whitelisting.

Text

Required

Include URLs 

Choose whether to include URLs in the whitelist.

Example:

false

Boolean

Optional

Default value:

false

Example Request 

[
 {
    “ioc_type”: “ipv4_addr”,
    “ioc_list”:  [“1.1.1.1”, ”2.2.2.2”],
    “description”: “Sample IOC description”,
    “include_urls”: false
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

invalid

Array

Returns the list of invalid IOCs passed.

new_created

Array

Returns the list of newly added valid IOCs.

already_exists

Array

Returns the list of IOCs that are already available in the allowed indicators list.

Action: Bulk IOC Advance Lookup

This action performs a bulk search of the threat data objects in the CTIX application and retrieves the details of the objects.

Action Input Parameters

Parameter 

Description 

Field Type 

Required/Optional 

Comments 

Object Type 

Enter the type of threat data object.

Example:

indicator, vulnerability, malware

Text

Required

You can retrieve this ID using the action List All Tags.

Enrichment Data 

Enter true to retrieve the latest five enrichment data of the threat data objects.

Boolean

Optional

Allowed values:

  • true

  • false 

Default value:

false

Relation Data 

Enter true to retrieve the latest 100 relations details of threat data objects.

Boolean

Optional

Allowed values:

  • true

  • false

Default value:

false

Object Value 

Enter a list of up to 100 threat data object values to look up.

Example:

$LIST[47.92.78.238, www.facebook.com]

List

Optional

Note that one of the Object ID or Object Value parameters is required.

Object ID 

Enter a list of up to 100 threat data object IDs to look up.

Example: $LIST['2b8d0163-da03-4a1d-86c5-f981f0920c0d']

List

Optional

Note that One of the Object ID or Object Value parameters is required.

Fields 

Enter a comma-separated list of fields to retrieve specific details of the objects.

Example:

relations,enrichment_data

Text

Optional

By default, it retrieves all field data.

Enrichment Tools 

Enter a comma-separated list of up to five enrichment tool names to retrieve the enriched threat data objects.

Example:

AbuseIPDB

Text

Optional

Extra Params 

Enter any additional parameters to pass with this request.

Example

{page_size: 1}

Key Value

Optional

Allowed values:

  • enrichment_data

  • relation_data

  • enrichment_tools

  • fields

  • page size

  • next

Example Request 

[
   {
      "object_type": "malware",
      "enrichment_data": true
   }
]

Action Response Parameters

Parameter

Type

Description

{app_instance}   

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response   

JSON Object

Includes the response received from the app action.

app_instance.response.analyst_score 

String

Returns the score assigned to the threat data object by an analyst.

app_instance.response.analyst_tlp 

String

Returns the TLP assigned to the threat data object by an analyst.

app_instance.response.country 

String

Returns the country name where the threat data object was seen.

app_instance.response.created 

Timestamp

Returns the source-created date and time of the threat data object.

app_instance.response.ctix_created 

Timestamp

Returns the created date and time of the threat data object in CTIX.

app_instance.response.ctix_modified 

Timestamp

Returns the last modified date and time of the threat data object in CTIX.

app_instance.response.custom_attributes 

Array

Returns a list of custom attributes with details, such as custom_attribute_name, custom_attribute_value, custom_attribute_value_integer, and custom_attribute_value_float

Examples: 

Custom Attribute Name:criticality

Custom Attribute Value: 2

app_instance.response.confidence_score 

Integer

Returns the Confidence Score calculated by the CTIX confidence score engine.

app_instance.response.description 

String

Returns the source description of the threat data.

app_instance.response.enrichment_data 

Array

Returns a list of enrichment objects retrieved from the enrichment tools.

app_instance.response.first_seen 

Timestamp

Returns the first seen date and time of the threat data object.

app_instance.response.id 

String

Returns the ID of the threat data object.

app_instance.response.ioc_type 

String

Returns the IOC type. 

Returns null if the threat data object is not an indicator. 

Returns hash type for hashes and the indicator type key for other indicators.

app_instance.response.is_deprecated 

Boolean

Returns true if the IOC is marked as deprecated in CTIX. Else, returns false.

app_instance.response.is_false_positive 

Boolean

Returns true if the IOC is marked as false positive in CTIX. Else, returns false.

app_instance.response.is_reviewed 

Boolean

Returns true if the threat data object is manually reviewed. Else, returns false.

app_instance.response.is_whitelisted 

Boolean

Returns true if the IOC is marked as an allowed indicator. Else, returns false.

app_instance.response.last seen 

Timestamp

Returns the last seen date and time of the threat data object.

app_instance.response.modified 

Timestamp

Returns the source-modified date and time of the threat data object.

app_instance.response.name 

String

Returns the value of the threat data object.

app_instance.response.object_type 

String

Returns the SDO type the threat data object type of the IOC.

app_instance.response.published_collections 

Array

Returns a list of JSON objects for the collections in which the IOC is published.

app_instance.response.relations 

JSON Object

Returns a list of related threat data objects.

app_instance.response.sources 

Array

Returns the list of sources that reported the threat data object.

app_instance.response.sub_type 

String

Returns the sub-type of an indicator. 

Returns null if the threat data object is not an indicator. 

Returns hash type for hashes and value for other indicators.

app_instance.response.tags 

Array

Returns the tags associated with the threat data object.

app_instance.response.tlp 

String

Returns the TLP assigned to the threat data object by the source.

app_instance.response.manual_review 

Boolean

Returns true if the threat data is marked for manual review by an analyst.

app_instance.response.valid_from 

Timestamp

Returns the date and time since when this threat data object is valid.

app_instance.response.valid_until 

Timestamp

Returns the date and time until when this threat data object is valid.

Action: Bulk Lookup and Create Intel

This action searches the threat data objects in the CTIX application and if the objects are not present, then it creates a list of threat data objects in the CTIX application.

Note

This action is available in CTIX from the release v3.3.1 and later versions.

Action Input Parameters

Parameter 

Description 

Field Type 

Required/Optional 

Comments 

Indicators 

Enter the list of indicators.

Example:

$LIST[76.77.xx3.225:80, 131.190.xx3.60, 56.15.xx5.2x8]

List

Required

Enrichment 

Enter true to add the last enriched information for each enriched object.

Example:

true

Boolean

Optional

Default value:

true

Allowed values:

  • true

  • false

Create 

Enter true to create new IOCs that were missed from the list of lookup IOCs.

Example:

true

Boolean

Optional

Default value:

true

Allowed values:

  • true

  • false

Metadata 

Enter additional information about the objects such as TLP, confidence score, and more while creating intel.

Example:

{'tlp':'RED'}

Key Value

Optional

Collection Name 

Enter the name of the collection to map the threat data objects.

Example: 

$LIST[76.77.213.225:80, 131.190.253.60, 56.15.255.238]"

Text

Optional

Source Name 

Enter the source name to map the threat data objects.

Example : 

Orchestrate

Text

Optional

Example Request

[
    {
        "create": true,
        "metadata": {},
        "enrichment": true,
        "indicators": [
            "131.190.xx3.60",
            "56.15.xx5.2x8"
        ],
        "collection_name": {"ctix_collection"}
    }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.found_iocs

JSON Object

Returns the details of the IOCs that exist in the platform.

app_instance.response.found_iocs.results

Array

Returns a list of JSON objects. Each object includes the details of the IOCs that exists in the platform. For more information, see The Results Objects.

app_instance.response.found_iocs.total

Integer

Returns the details of the IOCs that exist in the platform.

app_instance.response.values_not_found

JSON Object

Returns the details of the IOCs that do not exist in the platform.

app_instance.response.values_not_found.invalid_values

Array

Returns a list of invalid IOC values. Invalid IOC values will not be ingested into the platform.

app_instance.response.values_not_found.total_invalid

Integer

Returns the total count of invalid IOC values.

app_instance.response.values_not_found.valid_iocs

Array

Returns a list of all valid IOC values. All valid IOC values will be ingested into the platform if the query parameter create=true is passed with the request.

app_instance.response.values_not_found.total_valid

Integer

Returns the total number of valid IOC values.

Action: Create Tag

This action creates a tag on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Name

Enter the name of the tag to add.

Text

Required

Color

Enter the color of the tag to assign.

Text

Optional

Default value:

#5236E2

Action: Create Collections

This action creates a collection on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Name 

Enter the name of the collection.

Example:

Malicious URL

Text

Required

Description 

Enter a description of the collection.

Example:

A very common method for delivering malware to potential targets is to host it at a particular URL. Targets are then directed to that URL via a phishing e-mail or a link from another site and, when they reach it, are exploited. Sharing lists of malicious URLs can be an effective and cheap way to limit exposure to malicious code.

Text

Required

Polling 

Choose if you want to add the collection to poll data.

Example:

true

Boolean

Required

Inbox 

Choose if you want to add the collection to the inbox service.

Example:

true

Boolean

Required

Example Request  

[
 {
    “name”: “Malicious URL”,
    “description”: “A very common method for delivering malware to potential targets is to host it at a particular URL”,
    “polling”: “true”,
    “inbox”: “true”
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.status 

String

Returns “Success”.

Action: Create CTIX Action

This action creates an action on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Action Name 

Enter the action name to run.

Example:

pfsense actions

Text

Required

Action Type 

Enter the action type.

Example:

automatic

Text

Required

Rule Name 

Enter the rule name.

Example:

trigger playbook

Text

Required

App Type 

Enter the app type.

Example:

third_party

Text

Required

App Name 

Enter the app name.

Example:

pfsense

Text

Required

App Response 

Enter the app response. 

Example:

{"pfense": "third_party"}

Key Value

Required

Object ID 

Enter the object ID.

Example:

5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e

Text

Required

Object Type 

Enter the object type.

Example:

malware

Text

Required

Example Request 

[
  {
    "action_name": "Pfence Actions",
    "action_type": "automatic",
    "rule_name": "Trigger Playbook",
    "app_type": "third_party",
    "app_name": "Pfence",
    "app_response": {
      "pfense": "third_party"
    },
    "object_id": "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e",
    "object_type": "malware"
  }
]
Action: Create Enrichment Object

This action creates an enrichment for an object on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Tool ID

Enter the tool ID to create an enrichment object.

Example:

7a7ac2cf-51e9-48fe-a2a8-32e7a684cc33

Text

Required

Verdict

Enter the enrichment verdict.

Example:

Malicious

Text

Required

Score

Enter the enrichment score.

Text

Required

This ranges between 1-100 with 1 being non-malicious and 100 being highly malicious.

Object ID

Enter the object ID to pass the enrichment to

Text

Required

Classification

Enter the classification of the enrichment.

Text

Optional

Object Type

Enter the object type that is being enriched.

Example:

malware, campaign, indicator

Text

Optional

Default value:

indicator

Tool Response

Enter a JSON tool response to pass with the enrichment.

Example:

{'status': 'Malicious'}

Key Value

Optional

Parsed Response

Pass the parsed response received from the tool.

Example:

{'status': 'Malicious'}

Key Value

Optional

Action: Create Global Note

This action creates a global note for an object on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Text

Enter the note to add to the object.

Example:

test note

Text

Required

Note Type

Enter the note type to create.

Text

Required

Allowed value:

report

Object ID

Enter the object ID to update the note.

Example:

2b8d0163-da03-4a1d-86c5-f981f0920c0d

Text

Optional

Meta Data

Enter any additional metadata associated with the note.

Example:

report_id: 2b8d0163-da03-4a1d-86c5-f981f0920c0d

Key Value

Optional

Action: Create Saved Search

This action creates a saved search on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Type

Enter the type of the saved search.

Example:

  • basic

  • CQL

Text

Required

Name

Enter the name of the saved search.

Example:

IOC Intel

Text

Required

Query

Enter the query to generate the report.

Example:

type=\"indicator\" and sub_type=\"file\" and created>\"2021-07-28\"

Text

Required

Shared Type

Enter the shared type of the saved search.

Example:

private

Text

Required

Allowed values:

  • public

  • private

Metadata

Enter the metadata of the saved search that helps in the transformation to the CQL query or threat data filters.

Text

Required

Example Request

[
 {
    "type": "basic",
    "name": "CQL Search",
    "query": "type=\"indicator\" and sub_type=\"file\" and created>\"2021-07-28\"",
    "shared_type": "private",
    "metadata": "This is a sample data addition"
 }
]
Action: Create Subscriber

This action creates a subscriber in CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Name

Enter the name of the subscriber.

Text

Required

Primary Contact Name

Enter the primary contact name of the subscriber.

Text

Required

Email

Enter the email ID of the subscriber.

Text

Required

Score

Enter the confidence score for the subscriber.

Integer

Required

Collection IDs

Enter the list of IDs of STIX collections to which the subscriber is to be added.

Example:

$LIST[9251d39e-c6d4-4c63-a55f-8201fd0d583d]

List

Required

Whitelisted IP Ranges

Enter the list of IPs from which the subscriber is allowed to make requests to TAXII/MISP server.

List

Optional

Extra Params

Enter the extra parameters to pass with the request payload.

Key Value

Optional

Example Request

[
 {
    “name”: “John Doe”,
    “primary_contact_name”:  “John Doe”,
    “email”: “johndoe@example.com”,
    “score”: 60,
    “collection_ids”: [“9251d39e-c6d4-4c63-a55f-8201fd0d583d”],
    “whitelisted_list_ranges”: [“1.1.1.1”, “3.3.3.3”]
  }
]
Action: Create Threat Defender Content

This action creates a threat defender content record.

Action Input Parameters

Parameter 

Description 

Field Type 

Required/Optional 

Comments 

Rule 

Enter the rule content. 

Example: 

'rule tdl1 : sample rule'.

Text

Required

Tags 

Enter the list of tag objects to apply to the content. 

Example: 

$LIST[{"id": "ef4fdadc-c98c-4e09-afd2-b9084706151e", "name": "yara", "colour_code": "#FF5330"}]

List 

Optional

Extra Params 

Enter any additional details to add to the threat data content.

Example: 

"external_variables": [{"type": "boolean", "key": "some_string_var", "value": true}]

Key_value

Optional

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.status_code 

Integer

Returns the HTTP status code 201 for a successful execution.

Action: Create Tool Account

This action creates an account of a tool in CTIX.

Action Input Parameters

Parameter 

Description 

Field Type 

Required/Optional 

Comments 

Tool ID

Enter the tool ID to create an account.

Example: 

7a7ac2cf-51e9-48fe-a2a8-32e7a684cc33

Text

Required

Base URL

Enter the base URL of the product to connect.

Text

Optional

Secret Key

Enter the secret key to use for authentication.

Text

Optional

Access Key

Enter the access key to use for authentication.

Text

Optional

SSL Encrypted

Enter if we need to validate the SSL certificate.

Boolean

Optional

Default value: 

True

Is Active

Enter true, to set the status of the account as active, else enter false.

Boolean

Optional

Auth Type

Enter the authentication type. 

Example: user-pass. 

Text

Optional

Defaults value:

user-pass

Extra Fields

Enter if to pass any extra data in the extra field section of the request.

Key Value

Optional

Action: Delete a Tag

This action is used to delete a tag.

Action Input Parameters

Parameter 

Description 

Field Type 

Required/Optional 

Comments 

Tag ID 

Enter the ID of the tag to be deleted.

Example:

8818f140-62c6-4dee-bfb2-bc26bde9dfa1

Text

Required

You can retrieve this ID using the action List All Tags.

Example Request

[
   {
      "tag_id": 2025
   }
]
Action: Delete Report

This action deletes a report from CTIX. This action is irreversible and the deleted report cannot be retrieved.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Report ID

Enter the report ID to be deleted.

Example:

"5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e"

Text

Required

Extra Params

Enter the extra parameters to pass with the request URL.

Key Value

Optional

Example Request

[
 {
    "report_id": "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e"
  }
]
Action: Get Accounts of a Tool in CTIX

This action retrieves the list of all accounts of a tool in CTIX.

Parameter

Description

Field Type

Required/Optional

Comments

Tool ID

Enter the tool ID to get accounts.

Example:

7a7ac2cf-51e9-48fe-a2a8-32e7a684cc33

Text

Required

Action: Get Advanced View of Object

This action retrieves additional information such as kill chains, external references, published collections for the given object ID, and password.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Object ID 

Enter the object ID to get an advanced view.

Example:

eee70fcc-a23b-4d3b-a968-fc78b121d112

Text

Required

Example Request 

[
 {
    "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.kill_chain_phases 

Array of JSON Objects

Returns a list of kill chain phases with the phase ID, kill chain name, and phase name.

app_instance.response.published_collections 

Array of JSON Objects

Returns a list of published collections with the ID, action type, name, and published time.

Action: Get License Info

This action retrieves the license details. Use this action with caution as it exposes the license details.

Action Input Parameters

This action does not require any input parameter.

Action: Get Note Details

This action retrieves note details from CTIX.

Parameter

Description

Field Type

Required/Optional

Comments

Note ID

Enter the note ID to get details.

Text

Required

Action: Get Object Details by Table View

This action retrieves the object information for the given filters in a tabular format.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Object ID 

Enter the object ID to retrieve the details.

Example:

eee70fcc-a23b-4d3b-a968-fc78b121d112

Text

Required

Object Type 

Enter the object type.

Example:

  • indicator

  • malware

Text

Required

Page No 

Enter the page number of the response.

Example:

1

Integer

Optional

Default value:

1

Page Size 

Enter the number of items to return from the entered page number.

Example:

10

Integer

Optional

Default value:

10

Example Request  

[
 {
    “object_id”: “eee70fcc-a23b-4d3b-a968-fc78b121d112”,
    "object_type”: “malware”,
    “page_no”: 2,
    “page_size”: 5
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.results.collection

Dictionary

Returns the details of the collection the object has polled.

app_instance.response.results.collection.id

String

Returns the ID of the collection.

app_instance.response.results.collection.name

String

Returns the name of the collection.

app_instance.response.results.created

Timestamp

Returns the creation date of the object as received from the source.

app_instance.response.results.custom_attribute_count

Integer

Returns the total number of custom attributes received for the object from the source.

app_instance.response.results.first_seen

Timestamp

Returns the first seen date of the object as received from the source.

app_instance.response.results.id

String

Returns the unique ID of the record.

app_instance.response.results.last_seen

Timestamp

Returns the date on which the object was last seen as shared by the source.

app_instance.response.results.modified

Timestamp

Returns the date of modification of the object as shared by the source.

app_instance.response.results.source

String

Return details about the source.

app_instance.response.results.source.id

String

Returns the ID of the source.

app_instance.response.results.source.name

String

Returns the name of the source.

app_instance.response.results.source.source_type

String

Returns the type of source, such as RSS, API feed, or more.

app_instance.response.results.source_confidence

Integer

Returns the highest confidence score received from the source.

app_instance.response.results.tags

Array

Returns the list of all the labels or tags received from the source.

app_instance.response.results.times_reported

Integer

Returns the number of times the object has polled from the source.

app_instance.response.results.tlp

String

Returns the TLP of the object, such as RED, AMBER, GREEN, WHITE.

Action: Get Object View of Indicator

This action retrieves basic correlated object information for an indicator object in CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Object ID 

Enter the ID of the indicator to retrieve the object view.

Example:

eee70fcc-a23b-4d3b-a968-fc78b121d112

Text

Required

Example Request 

[
 {
    “object_id”: “eee70fcc-a23b-4d3b-a968-fc78b121d112”
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.analyst_description 

String

Returns the description given by an analyst.

app_instance.response.analyst_score 

Integer

Returns the score given by an analyst.

app_instance.response.analyst_tlp 

String

Returns the TLP value given by an analyst.

app_instance.response.base_type 

String

Returns if the object was part of any SDO or has been observed.

app_instance.response.confidence_score 

String

Returns the confidence score of the object.

app_instance.response.confidence_type 

String

Returns the type of confidence score engine used to calculate the score.

app_instance.response.country 

String

Returns the country for a valid object.

app_instance.response.created 

Timestamp

Returns the STIX defined creation date of the object.

app_instance.response.ctix_created 

Timestamp

Returns the creation date of the object in the CTIX platform.

app_instance.response.ctix_modified 

Timestamp

Returns the modification date of the object in the CTIX platform.

app_instance.response.ctix_score 

Integer

Returns the score of an object in the CTIX platform.

app_instance.response.ctix_tlp 

String

Returns the TLP of the object in the CTIX platform.

app_instance.response.defang_analyst_description 

String

Returns the defanged description.

app_instance.response.description 

String

Returns the description of the object.

app_instance.response.fang_analyst_description 

String

Returns the fanged description of the object.

app_instance.response.first_seen 

Timestamp

Returns the STIX defined date on which the object was first observed.

app_instance.response.last_seen 

Timestamp

Returns the STIX-defined date on which the object was last observed.

app_instance.response.modified 

Timestamp

Returns the STIX defined date on which the object was modified.

app_instance.response.name 

String

Returns the name of the object.

app_instance.response.sources 

String

Returns the list of sources from where the object has been received.

app_instance.response.id 

String

Returns the ID of the source.

app_instance.response.name 

String

Returns the name of the source.

app_instance.response.source_type 

String

Returns the type of sources such as API Feed, RSS Feed, and more.

app_instance.response.sub_type 

String

Returns the valid subtype of the object such as an indicator is a valid subtype is a URL, domain, and more.

app_instance.response.tld 

String

Returns the Top Level Domain(TLD) value for Domain objects.

app_instance.response.tlp 

String

Returns the TLP of the object.

app_instance.response.type 

String

Returns the type of object.

app_instance.response.types 

Array

Returns the types of objects referred to by STIX as indicator types, malware types, and more.

app_instance.response.valid_from 

Timestamp

Returns the STIX defined as valid from the date of an object.

app_instance.response.valid_until 

Timestamp

Returns the STIX defined as valid until the date of an object.

Action: Get Report Details

This action retrieves the details of a report.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Report ID 

Enter the report ID to query.

Example:

5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e

Text

Required

Extra Params 

Enter the extra parameters to pass with the request URL.

Key Value

Optional

Type 

Enter the report type to query. 

Text

Required

Allowed values: 

  • basic

  • advanced

Default: 

basic

Example Request 

[
 {
    "report_id":  "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

Array of JSON Objects

Includes the response received from the app action. Each object represents one source.

app_instance.response.basic_report_type

String

Returns the type of basic report, such as saved or custom.

app_instance.response.schedule: id

String

Returns the unique ID of the schedule.

app_instance.response.schedule: repeat_type

String

Returns the time interval for the re-run of the report.

app_instance.response.schedule: start_datetime

Timestamp

Returns the starting date and time in EPOCH format from which the report captures the received data.

app_instance.response.schedule: repeat_value

Integer

Returns the schedule frequency.

app_instance.response.schedule: duration_type

String

Returns the end duration interval for the captured data.

app_instance.response.schedule: duration_value

Integer

Returns the duration in days to capture data in the report.

app_instance.response.query_key

String

Returns the sorting type in basic reports: 

  • ctix_created: Data in the report is sorted based on the system-created date. 

  • ctix_modified: Data in the report is sorted based on the system-modified date.

app_instance.response.name

String

Returns the name of the report.

app_instance.response.id

String

Returns the unique ID of the report.

app_instance.response.columns

Array of JSON objects

Returns the list of columns in a report.

app_instance.response.internal_recipients

JSON Object

Returns the list of internal recipients with whom to share the report.

app_instance.response.external_recipients

JSON Object

Returns the list of external recipients with whom to share the report.

app_instance.response.type

String

Returns the type of report, such as basic or advanced.

app_instance.response.file_types

Array

Returns the report formats, such as CSV, XLS.

app_instance.response.shared_type

String

Returns the shared type, such as global or private.

app_instance.response.date_last_run

Timestamp

Returns the date and time in EPOCH format at which the report was manually run.

app_instance.response.schedule_last_run

Timestamp

Returns the scheduled date and time in EPOCH format of the report generation.

app_instance.response.saved_search

JSON Object

Returns the saved search object for the corresponding report used for generating the report.

app_instance.response.created_by

JSON Object

Returns the details of the user who created the report.

Action: Get Report Run Logs

This action retrieves the report run log details.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Report ID 

Enter the report ID.

Example:

5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e

Text

Required

Type 

Enter the report type.

Text

Optional

Default value:

basic

Allowed values: 

  • basic

  • advanced 

Example Request 

[
 {
    "report_id": "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e"
  }
]
Action: Get Rule Details

This action retrieves the details of a rule.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Rule ID

Enter the rule ID to retrieve the details.

Example:

f44312d8-452a-4c7e-93b5-39af07d642db

Text

Required

Example Request

[
   {
      “rule_id”: "f44312d8-452a-4c7e-93b5-39af07d642db"
    }
]
Action: Get Saved Search Result

This action retrieves the results of a saved search on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Saved Search ID

Enter the ID of the saved search.

Example:

5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e

Text

Required

Example Request

[
 {
    “saved_search_id”: “5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e”
  }
]
Action: Get Threat Object Relations

This action retrieves the relationships for an object on CTIX.

Action Input Parameters

Parameter 

Description 

Field Type 

Required/Optional 

Comments 

Object ID 

Enter the object ID to retrieve relations.

Example:

eee70fcc-a23b-4d3b-a968-fc78b121d112

Text

Required

Object Type 

Enter the object type.

Example:

indicator

Text

Required

For more information on the supported object types, see STIX

Page Size 

Enter the number of results to retrieve per page.

Integer

Optional

Default value:

10

Page Number 

Enter the page number to go to a specific results page.

Integer

Optional

Default value:

1

Example Request

[
   {
      "object_id":"eee70fcc-a23b-4d3b-a968-fc78b121d112",
      "object_type":"indicator",
      "page_no":1,
      "page_size":10
   }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Includes the response received from the app action.

app_instance.response.data

JSON Object

Includes the relationship details.

app_instance.response.data.results.relationship_type

String

Returns the STIX-defined relationship type between the objects.

app_instance.response.data.results.sources

Array

Returns the list of sources from where you received the relationship.

app_instance.response.data.results.target_ref

JSON Object

Returns the details of the target object such as ID, name, and type.

app_instance.response.data.next

String

Returns the URL link to the next page.

app_instance.response.data.previous

String

Returns the URL link of the previous page.

app_instance.response.data.total

Integer

Returns the total number of records.

app_instance.response.page_size

Integer

Returns the page size.

app_instance.response.data.results

Array

Returns the list of result objects.

Action: Get User Details

This action retrieves the details of a user from the CTIX application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

User ID

Enter the user ID to retrieve the user details.

Example:

cf0e148b-5f7a-4f05-8f4d-081fa1743231

Text

Required

Example Request

[
   {
      "user_id":"cf0e148b-5f7a-4f05-8f4d-081fa1743231"
   }
]
Action: Get User Group Details

This action retrieves the user group details from the CTIX application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

User Group ID

Enter the user group ID to retrieve the details of a user group.

Example:

cf0e148b-5f7a-4f05-8f4d-081fa1743231

Text

Required

Example Request

[
   {
      "usergroup_id":"cf0e148b-5f7a-4f05-8f4d-081fa1743231"
    
   }
]
Action: Get Whitelisted IOC Details

This action retrieves the details of a whitelisted object.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Object ID 

Enter the whitelisted object ID.

Example:

5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e

Text

Required

Example Request 

[
 {
    “object_id”: “eee70fcc-a23b-4d3b-a968-fc78b121d112”
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

type

String

Returns the type of IOC.

value

String

Returns the value of the IOC.

id

String

Returns the unique ID of the allowed indicator.

modified_by

String

Returns the ID of the user who last modified the entry.

modified

Timestamp

Returns the last modified date and time in EPOCH format.

include_subdomains

Boolean

Returns true if the subdomains of a domain are allowed, else returns false.

include_urls

Boolean

Returns true if the URLs of a domain or IPv4 address are allowed, else returns false.

include_emails

Boolean

Returns true if the emails a domain are allowed, else returns false.

created_by

String

Returns the ID of the user that added the allowed indicator.

created

Timestamp

Returns the created date and time in EPOCH format.

Action: Get Widgets Data

This action retrieves the details of a specific widget.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Widget Slug 

Enter the widget slug to get the details. You can retrieve this value by using the List Widgets action.

Text

Required

You can retrieve the widget slug using the List Widgets action.

Created From 

Enter the timestamp to get data from.

Example: 

1650375753

Integer

Optional

Created Until

Enter the timestamp to get data till. 

Example: 

1650375753 

Integer

Optional

Size 

Enter the response size.

Integer

Optional

Example Request 

[
 {
    "widget_name": "top5_sdos",
    "created_from":  1624147200,
    "created_till": 1626825599,
    "size": 7
  }
]
Action: Import Intel

This action imports threat data to Intel Exchange.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

File Path

Enter the file path. 

Text

Required

Allowed values:

.json, .xml, .csv, URL

Collection ID

Enter the ID of the collection to which the file is imported.

Example:

603dd2cf-2c3e-4a6b-8200-505d3586df1f

Text

Optional

Version

If the file format is stix1 or stix2, enter the STIX version.

String

Optional

Allowed values:

1.0, 2.0, 2.1

Default value is 2.1.

File Format

Enter the format for the import.

Text

Optional

Allowed values:

cy-csv, misp, openioc, stix1, stix2, stix20, stix1url, csv-recorded-future

Action: Ingest STIX Data

This action ingests STIX 2.0 data into CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Source ID

Enter the ID of the source to ingest the data.

Example:

eee70fcc-a23b-4d3b-a968-fc78b121d112

Text

Required

Collection ID

Enter the ID of the collection to ingest the data.

Example:

777775a5-5ad2-4239-b5eb-aba1e48f2113

Text

Required

Source Type

Enter the type of source to ingest the data.

Example:

custom_stix_sources

Text

Required

STIX Bundle

Enter a valid STIX bundle to ingest the data.

Example:

{ "id": "bundle--eaa3295e-34bc-432b-9deb-111110fff237", "type": "bundle", "objects": [ { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061", "name": "spear phishing", "confidence": 0, "revoked": false } ] }

Text

Required

Timeout

Enter the timeout in seconds.

Example:

30

Integer

Required

Default value: 30

Example Request

[
 {
    "source_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112",
    "timeout": 15,
    "collection_id":  “777775a5-5ad2-4239-b5eb-aba1e48f2113”,
    "source_type": “CUSTOM_STIX_SOURCES”,
    “stix_bundle”: { "id": "bundle--eaa3295e-34bc-432b-9deb-111110fff237", "type": "bundle", "objects": [ { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061", "name": "Spear Phishing", "confidence": 0, "revoked": false } ] } 
  }
]
Action: List All Collections

This action retrieves a list of all collections in CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page Size 

Enter the size of responses per page.

Example:

10

Integer

Optional

Default value:

10

Page No 

Enter the page number to return.

Example:

1

Integer

Optional

Default value:

1

Example Request 

[
 {
    "page_size": 10,
    "page_no": 1
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.next 

String

Returns the URL link to the next page.

app_instance.response.prev 

String

Returns the URL link of the previous page.

app_instance.response.total 

Integer

Returns the total number of records returned by the API.

app_instance.response.results 

Array of JSON Objects

Returns the list of results returned by the API.

app_instance.response.page_size 

Integer

Returns the page size specified in the query parameters.

app_instance.response.results.id 

String

Returns the collection ID.

app_instance.response.results.name 

String

Returns the collection name.

app_instance.response.results.description 

String

Returns the collection description.

app_instance.response.results.is_active 

Boolean

Returns true if the collection is active, else returns false.

app_instance.response.results.type 

String

Returns the type of collection.

app_instance.response.results.is_editable 

Boolean

Returns true if the collection is editable, else returns false.

app_instance.response.results.polling 

Boolean

Returns true if the polling is allowed, else returns false.

app_instance.response.results.inbox 

Boolean

Returns true if the inbox is allowed for collection, else returns false.

app_instance.response.results.created 

Timestamp

Returns the date and time at which the collection was created.

app_instance.response.results.has_subscribed 

Boolean

Returns true if the collection is subscribed by any subscriber, else returns false.

Action: List All Global Notes

This action lists all global notes from CTIX.

Parameter

Description

Field Type

Required/Optional

Comments

Page Number

Enter the page number to go to a specific page.

Integer

Optional

Page Size

Enter the number of items per page.

Integer

Optional

Extra Params

Enter any additional parameters to pass with the payload.

Example:

created_from: 1628361607

Key Value

Optional

Allowed keys:

object_id, created_by, created_from, created_to, q

Action: List All Tags

This action lists all tags from CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page Number

Enter the page number to go to a specific page.

Example:

1

Integer

Optional

Page Size

Enter the number of items to retrieve per page.

Example:

10

Integer

Optional

Extra Params

Enter any additional parameters to pass with the payload.

Example:

'created_from': '1628361607'

Key Value

Optional

Allowed keys:

created_from, created_to, created_by, modified_from, modified_to, tag_type

Action: List API Feeds

This action retrieves a list of all API feeds available on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page No 

Enter the page number to return.

Example:

1

Integer

Optional

Default value:

1

Page Size 

Enter the page size of the responses.

Example:

10

Integer

Optional

Default value:

10

Intel Feed 

Choose whether to filter to see the connectors that generate intel feeds.

Example:

true

Boolean

Optional

Query 

Enter a query to filter intel feeds.

Text

Optional

This parameter is a free text match.

Extra Params 

Enter the extra parameters to pass with the request URL.

Key Value

Optional

Example Request  

[
 {
    “page_no”: 1,
    “page_size”: 10,
    “intel_feed”: true     
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.next

String

Returns the URL link to the next page.

app_instance.response.previous

String

Returns the URL link to the previous page.

app_instance.response.page_limit

Integer

Returns the number of entries on a page.

app_instance.response.total

Integer

Returns the total number of application connectors.

app_instance.response.results 

Array of JSON Objects

Returns the list of results returned by the API.

app_instance.response.results.id 

String

Returns the ID of the feed source connector.

app_instance.response.results.title 

String

Returns the name of the feed source connector.

app_instance.response.results.third_party_logo 

String

Returns the path for the logo image of the connector.

app_instance.response.results.access_key_name 

String

Returns the name for the access key field.

app_instance.response.results.access_key_type 

String

Returns the access key type, for example, text.

app_instance.response.results.access_key_required 

Bool

Returns True if an access key is required, else returns False.

app_instance.response.results.secret_key_name 

String

Returns the name for the secret key field.

app_instance.response.results.secret_key_type 

String

Returns the type of secret key, for example, text.

app_instance.response.results.secret_key_required 

Bool

Returns True if a secret key is required for authentication, else returns False.

app_instance.response.results.order 

Integer

Returns the order of this feed source connector.

app_instance.response.results.default_api_url 

String

Returns the default URL of this feed source connector.

app_instance.response.results.category 

String

Returns the category of this application connector, such as Cyware Product, Security Information and Event Management System, SIEM, Devops, Email, Endpoint, Information, Network Security, Reputation, Sandbox, and more.

app_instance.response.results.actions 

String

Returns a list of all the related action names for this feed source connector.

app_instance.response.results.featured_app 

Boolean

Returns true if the API feed source is a featured app.

app_instance.response.results.related_fields 

Array of JSON Objects

Returns a list of related fields.

app_instance.response.results.extra_fields 

Array of JSON Objects

Returns a list of extra fields.

app_instance.response.results.is_active 

Boolean

Returns true if the API feed source is in active state.

app_instance.response.results.configured_once 

Boolean

Returns true if the API feed source is configured.

Action: List Enrichment Objects

This action retrieves a list of all enrichment tools.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page Size 

Enter the number of objects to return per page.

Example:

10

Integer

Optional

Default value:

10

Page No 

Enter the page number to return.

Example:

1

Integer

Optional

Default value:

1

Layout 

Enter the layout to return the responses.

Example:

overview

Text

Optional

Tool 

Enter the enrichment tool ID to return the responses.

Example:

03694ab0-0e9f-45f4-a4c4-2b6eaedd4803

Text

Optional

Object Type 

Enter the object type to retrieve the objects.

Example:

indicator

Text

Optional

Object ID 

Enter the object ID.

Example:

03694ab0-0e9f-45f4-a4c4-2b6eaedd4803

Text

Optional

Extra Params 

Enter the extra parameters to pass with the request URL.

Key Value

Optional

Example Request  

[
  {
    "page_size": 8,
    "page_no": 2,
    "layout": "overview",
    "tool": "03694ab0-0e9f-45f4-a4c4-2b6eaedd4803",
    "object_id": "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e",
    "object_type": "malware"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.next 

String

Returns the URL link to the next page.

app_instance.response.prev 

String

Returns the URL link of the previous page.

app_instance.response.total 

Integer

Returns the total number of records returned by the API.

app_instance.response.results

Array of JSON Objects

Returns the list of results returned by the API.

app_instance.response.page_size 

Integer

Returns the page size specified in the query parameters.

app_instance.response.results.id

String

Returns the ID of the enrichment object.

app_instance.response.results.tool

String

Returns the tool object from which you want to enrich the data.

app_instance.response.results.created

String

Returns the date of creation of enrichment tool.

app_instance.response.results.modified

String

Returns the date of data modification.

app_instance.response.results.verdict

String

Returns the verdict of enrichment.

app_instance.response.results.enrichment_status

String

Returns the status of the enrichment.

app_instance.response.results.enriched_on

String

Returns the date of enrichment of data.

app_instance.response.results.classification

String

Returns the classification of enrichment.

app_instance.response.results.score

Integer

Returns the confidence score of enrichment.

app_instance.response.results.object_type

String

Returns the type of object of the enriched data.

app_instance.response.results.object_id

String

Returns the object ID of the enriched data.

app_instance.response.results.parsed_data

String

Returns the parsed enriched data.

app_instance.response.results.raw_data

String

Returns the raw enriched data.

Action: List Integrations

This action retrieves a list of the integrations configured in CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Category

Enter the category to filter the integrations.

Example:

"cyware_product"

Text

Optional

Allowed values:

  • security_information_and_event_managment_system

  • threat_intelligence_enrichment

  • endpoint_detection_response

  • security_orchestration_automation_response

  • cyware_product

Page No

Enter the page number to return.

Example:

1

Integer

Optional

Default value:

1

Page Size

Enter the page size of the responses.

Example:

10

Integer

Optional

Default value:

10

Extra Params

Enter the extra parameters to pass.

Key Value

Optional

Example Request

[
 {
    “category”: “cyware_product”,
    “page_no”:  5,
    “page_size”: 10 
  }
]
Action: List Quick Add Intel History

This action lists the intels added using Quick Add Intel.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page Number

Enter the page number to retrieve results from.

Example:

1

Integer

Optional

Page Size

Enter the number of items to retrieve per page.

Example:

10

Integer

Optional

Component

Enter the component ‘quick-add-intel’ to retrieve the quick add intel history.

Text

Required

Extra Params

Enter additional parameters to filter the response.

Example:

'created_from': '1628361607'

Key-Value

Optional

Allowed keys:

q, created_from, created_to, published_from, published_to, sort, created_by_id, status

Action: List Reports

This action retrieves a list of reports.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Type 

Enter the report type.

Example:

basic

Text

Optional

Allowed values:

  • basic

  • advanced

Sort 

Enter the field name to sort the reports by. The data is retrieved in descending order.

Example:

name

Text

Optional

Extra Params 

Enter the extra parameters to pass with the request URL.

Key Value

Optional

Example Request 

[
 {
  "type": "saved",
  "sort": "name"
 }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action. Each object represents one report.

app_instance.response.next

String

Returns the URL link to the next page.

app_instance.response.previous

String

Returns the URL link of the previous page.

app_instance.response.page_size

Integer

Returns the size of the requested page.

app_instance.response.results

Array of JSON Objects

Returns results in JSON objects for each report.

app_instance.response.results.schedule

JSON Object

Returns the details of the scheduled runs.

app_instance.response.results.schedule.id

String

Returns the unique ID of the schedule.

app_instance.response.results.schedule.repeat_type

String

Returns the time interval for the re-run of the report.

app_instance.response.results.schedule.start_datetime

Timestamp

Returns the starting date and time in EPOCH format from which the report captures the received data.

app_instance.response.results.schedule.repeat_value

Integer

Returns the number of times a report has to run during the provided interval.

app_instance.response.results.schedule.ends_on

JSON Object

Returns the end type, number of attempts left, and end time.

app_instance.response.results.schedule.duration_value

Integer

Returns the duration in days to capture data in the report.

app_instance.response.results.query_key

String

Returns the sorting type in basic reports: 

  • ctix_created: Data in the report is sorted based on the system-created date. 

  • ctix_modified: Data in the report is sorted based on the system-modified date.

app_instance.response.results.name

String

Returns the title of the report.

app_instance.response.results.id

String

Returns the unique ID of the report.

app_instance.response.results.columns

Array of JSON objects

Returns the list of columns in a basic report.

app_instance.response.results.internal_recipients

JSON Object

Returns the list of internal recipients with whom to share the report.

app_instance.response.results.external_recipients

JSON Object

Returns the list of external recipients with whom to share the report.

app_instance.response.results.type

String

Returns the type of report, such as a basic or advanced.

app_instance.response.results.file_types

Array

Returns the report format, such as CSV and XLS for basic reports and PDF for advanced reports.

app_instance.response.results.shared_type

String

Returns the shared type, such as global or private.

app_instance.response.results.date_last_run

Timestamp

Returns the date and time in EPOCH format at which the report was the last run.

app_instance.response.results.created_by

JSON Object

Returns the details of the user who created the report.

app_instance.response.results.modified_by

JSON Object

Returns the details of the user who last modified the report.

Action: List Rules

This action retrieves a list of all enrichment rules.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page No

Enter the page number to return.

Example:

1

Integer

Optional

Default value:

1

Page Size

Enter the number of rules to return per page.

Example:

10

Integer

Optional

Default value:

10

Source

Enter a list of source IDs to filter rules with the matching sources.

Example:

$LIST[98230f-0e9f-45f4-a4c4-sdv89023hb3423]

List

Optional

Created by ID

Enter the CTIX user ID to filter rules created by a specific user.

Example:

03694ab0-0e9f-45f4-a4c4-2b6eaedd4803

Text

Optional

Last Active Till

Enter the timestamp value to filter successfully executed rules until the provided timestamp value.

Example:

1579289600

Integer

Optional

Last Active From

Enter the timestamp value to filter successfully executed rules from the given timestamp value.

Example:

1579289600

Integer

Optional

Created From

Enter the timestamp value to filter rules created from the given timestamp.

Example:

1579289600

Integer

Optional

Created To

Enter the timestamp value to filter rules created until the given timestamp.

Example:

1579289600

Integer

Optional

Return Minimal Response

Choose whether to return the minimal or complete details of the objects.

Example:

true

Boolean

Optional

Default value:

true

Extra Params

Enter the extra parameters to pass with the request URL.

Key Value

Optional

Example Request

[
 {
    “page_no”: 1,
    “page_size”:  10,
    “source”: [“98230f-0e9f-45f4-a4c4-sdv89023hb3423”],
    “created_by_id”: "03694ab0-0e9f-45f4-a4c4-2b6eaedd4803",
    “last_active_to”: 1579289600,
    “last_active_from”:  1479289600,
    “created_from”: 1479289600,
    “created_to”: 1579289600,
     “minimal”: true      
  }
]
Action: List Saved Result Set

This action retrieves the data published using the Save Result Set and Save Result Set V3 actions in the rules.

Action Input Parameters

Parameter 

Description 

Field Type 

Required/Optional 

Comments 

Page Number 

Enter the page number to return.

Example:

5

Integer

Optional

Default value:

1

Page Size 

Enter the page size of the responses. 

Example:

10

Integer

Optional

Default Value:

10

Version

Saved Result Set version.

Example:

v3

Text

Optional

Allowed values:

v2, v3

Default value:

v3

Label Name

Enter the label name to filter data. All data associated with the passed tag will be returned.

Text

Optional

Extra Params 

Enter any extra parameter to pass.

Example:

{"version": “v2”, "label_name": "sample_tag", "from_timestamp": 1649407795, "to_timestamp": 1649406695}

Key Value

Optional

Allowed keys:

  • version: Enter the Saved Result Set version. Allowed values: v2, v3. Default value: v3 

    • v2: Retrieves the data published using the Save Result Set action. Saved Result Set v2 retrieves indicator and vulnerability data only. 

    • v3: Retrieves the data published using the Save Result Set V3 action in rules.

  • label_name: Enter a tag name to filter data. All data associated with the passed tag will be returned.

  • from_timestamp: Enter the published time in EPOCH format from which you want to retrieve data.

  • to_timestamp: Enter the published time in EPOCH format until which you want to retrieve data.

Example Request

[
  {
    "page_no": 5,
    "page_size": 10,
    "extra_params": {
      "version": "v2",
	  "label_name": "sample_tag",
      "from_timestamp": 1649407795,
      "to_timestamp": 1649406695
    }
  }
]
Action: List Saved Searches

This action retrieves a list of saved searches on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page No

Enter the page number from which you want to retrieve the data.

Example:

1

Integer

Optional

Default value:

1

Page Size

Enter the page size of the responses.

Example:

10

Integer

Optional

Default value:

10

Extra Params

Enter the extra parameters to pass with the request URL.

Key Value

Optional

Example Request

[
 {
    "page_no":  5,
    "page_size": 10 
  }
]
Action: List Sources

This action lists all the feed sources in CTIX.

Action Input Parameters

Parameter 

Description 

Field Type 

Required/Optional 

Comments 

Source Type 

Enter a comma-separated list of the source type name to filter sources based on the type.

Example:

$LIST[custom_stix_sources,web_scrapper]

List

Optional

Page 

Enter the page number to retrieve sources.

Example: 

1

Integer

Optional

Page Size 

Enter the number of sources to be retrieved per page.

Example:

5

Integer

Optional

Extra Paramaters 

Enter any additional parameters to pass.

Example:

nominal: True

Key Value

Optional

Allowed keys:

  • source_type

  • nominal

  • page

  • page_size

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.next

String

Returns URL link for next page.

app_instance.response.previous

String

Returns URL link to the previous page.

app_instance.response.page_size

Integer

Returns the number of entries per page.

app_instance.response.total

Integer

Returns the total number of entries.

app_instance.response.id

String

Returns ID of the source created.

app_instance.response.name

String

Returns the source name.

app_instance.response.created_by

String

Returns the user ID of the creator.

app_instance.response.modified_by

String

Returns the ID of the user who modified the source.

app_instance.response.is_active

Boolean

Returns true if the source is active, else returns false.

app_instance.response.score

Integer

Returns the confidence value of the source.

app_instance.response.status

Boolean

Returns true if source credentials are in a working state, else returns false. Also to state if polling is working properly.

app_instance.response.is_editable

Boolean

Returns true if the source is editable, returns false. For some default sources flag is turned off.

app_instance.response.description

String

Returns the description of the source.

app_instance.response.category

JSON Object

Returns the source category.

app_instance.response.source_order

Integer

Returns the source order.

app_instance.response.source_type

String

Returns the type of source, such as CUSTOM_STIX_SOURCES is the default value for STIX sources.

app_instance.response.create_intel_feed

Boolean

Returns true if intel is present to create intel, else returns false.

app_instance.response.ssl_encrypted

Boolean

Returns true if SSL encryption is applied, else returns false.

app_instance.response.username

String

Returns the username for the source.

app_instance.response.service

String

Returns the TAXII Url of the source.

app_instance.response.key_file

JSON Object

Returns the key value.

app_instance.response.cert_file

JSON Object

Returns the certificate value.

app_instance.response.authentication_type

Integer

Returns the authentication type of the source.

app_instance.response.taxii_option

String

Returns the TAXII option of the source.

app_instance.response.last_feed_notify

Integer

Returns the time in minutes in which you get a notification if no feeds are received.

Action: List Subscribers

This action retrieves a list of subscribers configured in CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page No 

Enter the page number to retrieve the results.

Example:

1

Integer

Optional

Default value:

1

Page Size 

Enter the page size of the requested page.

Example:

10

Integer

Optional

Default value:

10

Extra Params 

Enter the extra parameters to pass.

Key Value

Optional

Example Request 

[
 {
    “page_no”:  5,
    “page_size”: 10 
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.next 

String

Returns the URL link to the next page.

app_instance.response.prev 

String

Returns the URL link of the previous page.

app_instance.response.total 

Integer

Returns the total number of records returned by the API.

app_instance.response.results

Array of JSON Objects

Returns the list of results returned by the API.

app_instance.response.page_size 

Integer

Returns the page size specified in the query parameters.

app_instance.response.results.id

String

Returns the ID of the subscriber.

app_instance.response.results.name

String

Returns the name of the subscriber.

app_instance.response.results.username

String

Returns the username for TAXII credentials.

app_instance.response.results.created

Timestamp

Returns the timestamp at which the subscriber is created.

app_instance.response.results.modified

Timestamp

Returns the timestamp at which subscriber details are modified.

app_instance.response.results.last_pull

Timestamp

Returns the recent timestamp at which the subscriber polled for data from TAXII or the MISP server.

app_instance.response.results.created_by

String

Returns the user object who created subscriber.

app_instance.response.results.last_modified_by

String

Returns the user object who recently modified the subscriber details.

app_instance.response.results.organization_name

String

Returns the subscriber organization name.

app_instance.response.results.is_active

Boolean

Returns true if the subscriber is active else returns false.

app_instance.response.results.primary_contact

String

Returns the primary contact details of subscriber.

app_instance.response.results.secondary_contact

String

Returns the secondary contact details of subscriber.

app_instance.response.results.confidence_score

Integer

Returns the confidence score assigned to subscriber.

app_instance.response.results.white_list_ip

Array

Returns the allowed list of IPs from which TAXII or MISP requests are allowed for the subscriber.

app_instance.response.results.misp_url

String

Returns the MISP Server URL of the subscriber.

app_instance.response.results.taxii_enabled

Boolean

Returns true if the TAXII requests are allowed for this subscriber, else returns false.

app_instance.response.results.misp_enabled

Boolean

Returns true if the MISP requests are allowed for this subscriber, else returns false.

Action: List User Groups

This action lists the user groups from the CTIX application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query

Enter a query to list user groups.

Example:

admin

Text

Required

Page Size

Enter the number of results to retrieve per page.

Example:

12

Integer

Optional

Default value:10

Page Number

Enter the page number to go to a specific results page.

Example:

4

Integer

Optional

Default value:1

Extra Params

Enter the extra parameters.

Key Value

Optional

Allowed keys:

  • is_active

  • created_from

    and more

Example Request

[
   {
      "query":"admin",
      "page_no":1,
      "page_size":10
   }
]

Action: List Users

This action lists the users of the CTIX application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query

Enter a query to list users.

Example:

john doe

Text

Required

Page Size

Enter the number of results to retrieve per page.

Example:

10

Integer

Optional

Page Number

Enter the page number to go to a specific results page.

Example:

1

Integer

Optional

Extra Params

Enter the extra parameters.

Key Value

Optional

Allowed keys:

  • invited_by

  • sort

  • is_active

  • is_blocked

Example Request

[
   {
      "query":"John Doe",
      "page_no":1,
      "page_size":10
   }
]
Action: List Whitelisted IOCs

This action retrieves a list of all whitelisted IOCs.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Page Size 

Enter the number of responses to return per page.

Example:

10

Integer

Optional

Default value:

10

Page No 

Enter the page number to return.

Example:

1

Integer

Optional

Default value:

1

Example Request 

[
 {
    "page_size":  10,
    "page_no": 1
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

next

String

Returns a link to the next page.

page_size

Integer

Returns the number of records retrieved per page.

previous

String

Returns a link to the previous page.

total

Integer

Returns the total number of allowed indicators available in the CTIX platform.

type

String

Returns the type of the IOC.

value

String

Returns the value of the IOC

id

String

Returns the unqiue ID of the allowed indicator.

modified_by

String

Returns the details of the user who last modified the allowed indicator.

modified

Timestamp

Returns the timestamp when the allowed indicator was last modified

include_subdomains

Boolean

Returns true if the subdomains of a domain are allowed. Else returns false.

include_urls

Boolean

Returns true if the URLs of a domain or IPv4 address are allowed, else returns false.

include_emails

Boolean

Returns true if the emails of a domain are allowed, else returns false.

created_by

String

Returns the details of the user who created the allowed indicator.

created

Timestamp

Returns the timestamp when the allowed indicator was created.

Action: List Widgets

This action retrieves a list of widgets that are configured on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page No 

Enter the page number of the dashboards.

Example:

1

Integer

Optional

Default Value:

1

Page Size 

Enter the page size of the requested page number.

Example:

10

Integer

Optional

Default Value:

10

Extra Params 

Enter the extra parameters to pass.

Key Value

Optional

Example Request 

[
 {
    “page_no”:  5,
    “page_size”: 10 
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.next

String

Returns the link for the next page.

app_instance.response.previous

String

Returns the link to the previous page.

app_instance.response.page_size

Integer

Returns the size of the requested page.

app_instance.response.total

Integer

Returns the total number of widgets.

app_instance.response.results

Array of JSON Objects

Returns the list of the containing data.

app_instance.response.results.name

String

Returns the name of the widget.

app_instance.response.results.description

String

Returns the description of the widget.

app_instance.response.results.widget_type

String

Returns the default chart type of the widget.

app_instance.response.results.available_charts

Array

Returns the list of the supported type of widgets.

app_instance.response.results.slug

String

Returns the unique ID of the widget.

app_instance.response.results.configuration

JSON Object

Returns the configuration of the widget.

app_instance.response.results.widget_location

String

Returns the type of widget.

app_instance.response.results.created_by

String

Returns the ID of the creator of the widget. Returns null for the system widgets.

Action: Perform Manual Action on IOC

This action applies actions to a threat data object. You can apply actions such as deprecating an item, undeprecating it, adding an analyst score, and more.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Object ID 

Enter the ID of the object to perform the action.

Example:

eee70fcc-a23b-4d3b-a968-fc78b121d112

Text

Required

Action to Take 

Enter the action to be performed on the IOC.

Example:

deprecate

Text

Required

Allowed values:

  • deprecate

  • un_deprecate

  • reviewed

  • manual_review

  • whitelist

  • un_whitelist

  • watchlist

  • un_watchlist

  • false_positive

  • un_false_positive

  • block

  • un_block

  • analyst_tlp

  • analyst_score

  • analyst_description

  • add_tag

  • add_relation

  • delete

IOC Type 

Enter the type of IOC.

Example:

indicator

Text

Optional

Default value:"indicator"

Extra Data 

Enter the extra data to be passed. The extra data is passed with the data section of the payload structure.

Key Value

Optional

Extra Params 

Enter the extra parameters to pass with the request.

Key Value

Optional

Example Request 

[
 {
    "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112",
    "action_to_take": "false_positive",
    "ioc_type": "malware"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

String

Includes the response received from the app action: "Action Successfully Executed"

Action: Quick Add Indicators

This action adds threat indicators data in CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Title 

Enter the title of the indicator.

Example:

"Intel"

Text

Required

Source 

Enter the source of the data to be added.

Example:

"Orion"

Text

Required

Collection Name 

Enter the collection name of the indicator.

Example:

"MISP"

Text

Optional

Indicators 

Enter all the indicators to be added in the following format: {"indicator_type": "indicator_value"}

Example:

{"url":"sampleurl.com"}

Key Value

Optional

Allowed values:

  • ipv4-addr

  • ipv6-addr

  • domain

  • url

  • email

  • md5

  • sha1

  • sha224

  • sha256

  • sha384

  • sha512

  • ssdeep

Confidence Score 

Enter the confidence score of the indicators.

Example:

60

Integer

Optional

Allowed values:

0 to 100

TLP 

Enter the Traffic Light Protocol (TLP) of the indicators in capital letters.

Example:

"RED"

Text

Optional

Label 

Enter the list of labels for the indicators.

Example:

$LIST[phishing, vishing]

List

Optional

This parameter is supported in CTIX from the release v3.3.2 and later versions.

SDOs 

Enter the SDOs to connect with the indicators. The passed SDOs must be STIX V2.1 compliant.

Example:

{"vulnerability: "log4j"}

Key Value

Optional

You must pass the SDOs in the following format:

{"sdo_name": "sdo_value"}

Custom Attributes 

Enter the custom attributes to be passed.

Key Value

Optional

Example Request 

[
   {
      "title":"Intel",
      "source":"Orion",
      "collection_name":"MISP",
      "indicators":{
         "url":"sampleurl.com"
      },
      "confidence":60,
      "tlp":"RED",
      "label":[
         "phishing",
         "vishing"
      ],
      "sdos":{
         "vulnerability":"log4j"
      }
   }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.details 

String

Returns success message "Intel creation is in progress.".

Action: Run Report

This action runs a report in CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Report ID 

Enter the report ID to be run.

Example:

5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e

Text

Required

Extra Params 

Enter the extra parameters to pass with the request URL.

Key Value

Optional

Type 

Enter the report type.

Text

Optional

Allowed values:

  • basic

  • advanced

Default value:

basic

Example Request 

[
 {
    "report_id": "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action. Each object represents one source.

app_instance.response.result 

String

Success message: Your Report will be mailed to you as soon as it is ready.

Action: Run Rule

This action runs a rule on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Rule ID 

Enter the rule ID to run.

Example:

"4i9a8f0q9d-3e3d-4e7f-a6b3-6b3e6b3e6b3e"

Text

Required

Start Time 

Enter the timestamp value to filter threat data that are created from the entered timestamp value.

Example:

1579289600

Integer

Required

End Time 

Enter the timestamp value to filter threat data that are created until the entered timestamp value.

Example:

1579289600

Integer

Required

Extra Params 

Enter the extra parameters to pass with the request URL.

Key Value

Optional

Example Request 

[
 {
   “rule_id”: "4i9a8f0q9d-3e3d-4e7f-a6b3-6b3e6b3e6b3e",
   “start_time”: 1579289500,
   “end_time”: 1579289600
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.details 

String

Returns success message "Rule is running".

Action: Search Threat Data

This action searches for CTIX threat data.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

CQL Query 

Enter a CQL query to search threat data.

Example:

type = 'indicator'

Text

Optional

Page No 

Enter the page number from which you want to retrieve the data.

Example:

1

Integer

Optional

Default Value:

1

Page Size 

Enter the response page length.

Example:

15

Integer

Optional

Default Value:

10

Extra Params 

Enter the extra parameters to pass with the request URL.

Key Value

Optional

Example Request  

[
 {
    "cql_query": type = "indicator" AND value = "185.xx0.10x.15",
    "page_no":  1,
    "page_size": 15 
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

{app_instance}  

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.next 

String

Returns the URL link to the next page.

app_instance.response.prev 

String

Returns the URL link of the previous page.

app_instance.response.total 

Integer

Returns the total number of records returned by the API.

app_instance.response.results 

Array of JSON Objects

Returns the list of results returned by the API.

app_instance.response.page_size 

Integer

Returns the page size specified in the query parameters.

app_instance.response.results.analyst_score 

String

Returns the score assigned to a threat data object by an analyst.

app_instance.response.results.analyst_tlp 

String

Returns the TLP assigned to a threat data object by an analyst.

app_instance.response.results.confidence_score 

Integer

Returns the score calculated by the CTIX confidence score engine.

app_instance.response.results.confidence_type 

String

Returns the type of confidence. 

ctix: Confidence score is calculated in CTIX. 

third-party: Confidence score is calculated by a third-party application.

app_instance.response.results.country 

String

Returns the country name where the threat data object was seen.

app_instance.response.results.created 

Epoch

Returns the date and time of the creation of the threat data object.

app_instance.response.results.ctix_created 

Epoch

Returns the date and time of the creation of the threat data object in CTIX.

app_instance.response.results.ctix_modified 

Epoch

Returns the date and time of modification of the threat data object in CTIX.

app_instance.response.results.first_seen 

Epoch

Returns the date and time at which the threat data object was first seen.

app_instance.response.results.id 

String

Returns the ID of the threat data object.

app_instance.response.results.indicator_type 

String

Returns the type of indicator. 

Returns null if the threat data object is not an indicator.

app_instance.response.results.ioc_type 

String

Returns the type of indicator. 

Returns null if the threat data object is not an indicator.

app_instance.response.results.is_actioned 

Boolean

Returns True if an action was performed on the threat data object, else returns False.

app_instance.response.results.is_deprecated 

Boolean

Returns true if the threat data object is deprecated, else returns false.

app_instance.response.results.is_false_positive 

Boolean

Returns true if the threat data object is marked as false positive, else returns false.

app_instance.response.results.is_reviewed 

Boolean

Returns true if the threat data object is reviewed, else returns false.

app_instance.response.results.is_revoked 

Boolean

Returns true if the threat data object is revoked, else returns false.

app_instance.response.results.is_whitelisted 

Boolean

Returns true if the threat data object is marked as an allowed indicator, else returns false.

app_instance.response.results.last seen 

Epoch

Returns the last seen date and time of the threat data object.

app_instance.response.results.modified 

Epoch

Returns the modified date and time of the threat data object.

app_instance.response.results.name 

String

Returns the name of the threat data object.

app_instance.response.results.primary_attribute 

String

Returns the primary attribute of the threat data object if the threat data object is a custom object.

app_instance.response.results.published_collections 

String

Returns the name of the collections in which the threat data object is published.

app_instance.response.results.severity 

String

Returns the severity of the threat data object.

app_instance.response.results.source_collections 

Array

Returns the list of IDs and names of source collections of the threat data object.

app_instance.response.results.source_confidence 

String

Returns the confidence score of the threat data object as reported by its source.

app_instance.response.results.sources 

Array

Returns the list of sources that reported this threat data object.

app_instance.response.results.sub_type 

String

Returns the sub-type of an object if it is an indicator.

app_instance.response.results.tags 

String

Returns tags defined on the threat data object.

app_instance.response.results.tlp 

String

Returns the TLP assigned to the threat data object.

app_instance.response.results.valid_from 

Epoch

Returns the date and time since when this threat data object is valid.

app_instance.response.results.valid_until 

Epoch

Returns the date and time until when this threat data object is valid.

app_instance.response.results.enrichments 

Dictionary

Returns the details of the last enrichment of the object if the object was enriched

Action: Update Global Note

This action updates a global note for an object on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Note ID

Enter the note ID to update.

Example:

8003c6ba-5215-486d-881f-d940dcb78d35

Text

Required

Text

Enter the note text to update.

Example:

test note

Text

Required

Note Type

Enter the note type to update.

Text

Required

Allowed values:

report

Object ID

Enter the object ID to create the note for.

Example:

2b8d0163-da03-4a1d-86c5-f981f0920c0d

Text

Optional

Meta Data

Enter any additional metadata associated with the note.

Key-Value

Optional

Action: Update User Details

This action updates the user details on the CTIX application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

User ID

Enter the user ID to update.

Example:

0abb420f-dd90-415c-9c5f-fe93425dc9c2

Text

Required

First Name

Enter the first name of the user.

Example"

John

Text

Required

Last Name

Enter the last name of the user.

Example:

Doe

Text

Required

User Groups

Enter a list of user groups to assign to the user.

Example:

[ { "id": "8003c6ba-5215-486d-881f-d940dcb78d35" } ]

List

Required

Username

Enter the username of the user.

Example:

john.doe

Text

Required

Is Active

Choose to mark the user group as either active or inactive.

Boolean

Optional

Contact Number

Enter the contact number of the user to update

Example:

99872xx743303

Text

Optional

Extra Params

Enter the extra parameters.

Example:

[{"email_alerts": true}]

Key Value

Optional

Example Request

[
    {
        "user_id": "0abb420f-dd90-415c-9c5f-fe93425dc9c2",
        "username": “John.doe”,
        "last_name": “Doe”,
        "first_name": “John”,
        "user_groups": [
            {
                "id": "e3f2e6aa-52da-4195-8187-b9d8dd60601b"
            }
        ],
        "extra_params": {},
        "contact_number": “99872xx743303"
    }
]
Action: Update User Group Details

This action updates the user group details on CTIX.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

User Group ID

Enter the user group ID to update.

Example:

cf0e148b-5f7a-4f05-8f4d-081fa1743231

Text

Required

User Group

Enter the user group name to update.

Example:

admin

Text

Required

User Group Permissions

Enter a list of permissions to assign to the user group.

List

Required

Is Active

Choose to mark the user group as either active or inactive.

Boolean

Optional

Description

Enter a description of the user group to update.

Text

Optional

Extra Params

Enter any additional parameters to pass with the payload.

Example:

[{"email_alerts": "true"}]

Key Value

Optional

Example Request

[
   {
      "is_active":true,
      "user_group":"Admin group",
      "description":"admin group sample description",
      "extra_params":{
         
      },
      "user_group_id":"e3f2e6aa-52da-4195-8187-b9d8dd60601b",
      "user_groups_permissions":[
         {
            "id":"d51dd803-0922-480d-ac78-7b8f86d1284e"
         },
         {
            "id":"d4601602-1d2f-463f-a619-544be9d5c2b0"
         }
      ]
   }
]
Action: View Detailed Page Source Description

This action retrieves description, fanged description, and more for the given object type and object ID as received from the feed source.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Object ID 

Enter the object ID to retrieve the detailed page source description.

Example:

eee70fcc-a23b-4d3b-a968-fc78b121d112

Text

Required

Object Type 

Enter the object type.

Example:

indicator

Text

Required

Example Request 

[
 {
    "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112",
    "object_type": "malware"
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.results

Array of JSON Objects

Returns a list of source objects.

app_instance.response.results.source_id

String

Returns the ID of the source.

app_instance.response.results.fanged_description

String

Returns the fanged version of the description.

app_instance.response.results.defanged_description

String

Returns the defanged version of the description.

app_instance.response.results.description

String

Returns the description as received from the source.

Action: View External References For Object

This action retrieves all external references for an object.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Object ID 

Enter the object ID to retrieve the external references.

Example:

5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e

Text

Required

Object Type 

Enter the object type. Example:

indicator

Text

Required

Page Size 

Enter the page size to return.

Example:

10

Integer

Optional

Default value:

10

Page No 

Enter the page number to return.

Example:

1

Integer

Optional

Default value:

1

Example Request 

[
 {
    "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112",
    "object_type": "malware",
    "page_no": 2,
    "page_size": 5
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.next

String

Returns the URL link to the next page.

app_instance.response.prev

String

Returns the URL link of the previous page.

app_instance.response.total

Integer

Returns the total number of records returned by the API.

app_instance.response.results

Array of JSON Objects

Returns the list of results returned by the API.

app_instance.response.page_size

Integer

Returns the page size specified in the query parameters.

app_instance.response.page

Integer

Returns the currently accessible page number.

app_instance.response.results.url

String

Returns the URL link of the external reference referred by the object.

app_instance.response.results.external_id

String

Returns the ID that identifies the reference.

app_instance.response.results.source

String

Returns the name of the source as referred by the reference.

Action: View Object Source Details

This action retrieves object information for the given object ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Object ID 

Enter the object ID to retrieve the details.

Example:

5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e

Text

Required

Object Type 

Enter the object type.

Example:

  • indicator

  • malware

Text

Optional

Example Request  

[
 {
    “object_id”: “eee70fcc-a23b-4d3b-a968-fc78b121d112”,
    "object_type”:  “malware”
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.id

String

Returns the unique ID of the record.

app_instance.response.collection

Dictionary

Returns the details about the collection.

app_instance.response.confidence

Integer

Returns the confidence score reported from a source.

app_instance.response.created

Timestamp

Returns the date and time of the object creation as received from the source over a platform.

app_instance.response.ctix_created

Timestamp

Returns the date and time of object creation over the platform.

app_instance.response.ctix_modified

Timestamp

Returns the date and time of object modification over the platform.

app_instance.response.custom_attributes

Array

Returns the list of custom attributes received for the object from the source.

app_instance.response.description

String

Returns the description of the object given by the source.

app_instance.response.granular_markings

String

Returns the granular markings sent from the source as defined from STIX.

app_instance.response.kill_chain_phases

Array

Returns the list of kill chain phases for the valid objects.

app_instance.response.modified

Timestamp

Returns the modified date and time as received from the source.

app_instance.response.pattern

String

Returns the pattern as received from the source in case of a valid object, such as an indicator.

app_instance.response.pattern_type

String

Returns the pattern type as received from the source in case of a valid object, such as an indicator.

app_instance.response.pattern_version

String

Returns the pattern version as received from the source in case of the valid object, such as an indicator.

app_instance.response.received_id

String

Returns the ID of the object received from the source.

app_instance.response.sco_object_id

String

Returns the ID of the object as stored in the database.

app_instance.response.source

String

Returns details about the source.

app_instance.response.spec_version

String

Returns the specific version of TAXII as received from the source in case of a valid object.

app_instance.response.tags

Array

Returns the list of tags received from the source.

app_instance.response.types

Array

Returns the list of valid types for the object received from the source.

app_instance.response.unique_hash

String

Returns the hash value used for recognizing a record in CTIX.

app_instance.response.valid_from

Timestamp

Returns the date and time from which the received object is valid over the platform.

app_instance.response.valid_until

Timestamp

Returns the date and time till which the received object is valid over the platform.

Action: View Object Source List

This action retrieves object details in retrospect to the source.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Object ID 

Enter the object ID.

Example:

eee70fcc-a23b-4d3b-a968-fc78b121d112

Text

Required

Object Type 

Enter the object type.

Example:

  • indicator

  • malware

Text

Required

Source ID 

Enter the source ID to map the details.

Example:

fde70fc0-a23b-4d3b-a968-fc78b121d21d

Text

Required

Page No 

Enter the page number of the response.

Example:

1

Integer

Optional

Default value:

1

Page size 

Enter the number of items to return from the entered page number.

Example:

10

Integer

Optional

Default value:

10

Example Request  

[
 {
    “object_id”: “eee70fcc-a23b-4d3b-a968-fc78b121d112”,
    "object_type”:  “malware”,
    “source_id”: "fde70fc0-a23b-4d3b-a968-fc78b121d21d”,
    “page_no”: 2,
    “page_size”: 5
  }
]

Action Response Parameters

Parameter 

Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.next 

String

Link to the next page of the response.

app_instance.response.page_size 

Integer

Page size of the response.

app_instance.response.previous 

String

Link to the previous page of the response.

app_instance.response.total 

Integer

Total number of records available.

app_instance.response.results

Array of JSON Objects

Returns a list of results.

app_instance.response.results.ctix_created

Timestamp

Returns the date and time at which the object got ingested into the platform.

app_instance.response.results.ctix_modified

Timestamp

Returns the date and time at which the object got modified in the platform.

app_instance.response.results.id

String

Returns the unique ID of the record.

app_instance.response.results.pattern

String

Returns the pattern for a valid object.

app_instance.response.results.pattern_type

String

Returns the pattern type for a valid object.

app_instance.response.results.pattern_version

String

Returns the pattern version for the valid object.

app_instance.response.results.types

String

Returns the types as sent by the source for the object, such as indicator types and more.

Action: Generic Action

This action performs an action on CTIX to an undefined endpoint that is not handled by the app.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Endpoint 

Enter the complete API endpoint to make the call.

Example:

  • ingestion/enrichment/enrichment-object/

  • integration/apps/detail/:app_id/

  • conversion/feed-sources/email_accounts/:pk/

Text

Required

HTTP Method 

Enter the HTTP method in capital letters.

Example:

POST

Text

Required

Request Body 

Enter the request body in JSON format.

Any

Optional

Query Params 

Enter the query parameters.

Key Value

Optional

Extra Fields

Enter the extra fields to pass to the API.

Key Value

Optional

Allowed keys:

payload_data, custom_output, download, file_name, files, retry_wait, retry_count, response_type.

Example Request 

[
 {
    "endpoint": "ingestion/enrichment/enrichment-object/",
    "http_method": "POST"  
  }
]