CTIX V3
App Vendor: Cyware
App Category: Data Enrichment & Threat Intelligence
Connector Version: 1.11.0
API Version: 3.0.0
About App
Cyware Threat Intelligence Platform (CTIX) is a smart, client-server threat intelligence platform (TIP) for ingestion, enrichment, analysis, and bi-directional sharing of threat data within your trusted network. The CTIX app enables security teams to integrate with the CTIX enterprise application for data ingestion, data enrichment, analysis, and bi-directional sharing of threat data within the trusted network.
The CTIX V3 connector app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Action on Rules | This action performs actions on rules, such as activate, deactivate, and more. |
Add Tag to Threat Data | This action adds a tag to a threat object. |
Add Whitelisted IOCs | This action adds an indicator as whitelisted. |
Bulk IOC Advance Lookup | This action searches threat data objects in the CTIX application in bulk and retrieves the details of the objects. |
Bulk Lookup and Create Intel | This action fetches or creates the list of threat data objects present in the CTIX application. |
Create Collections | This action creates a collection on CTIX. |
Create CTIX Action | This action creates an action on CTIX. |
Create Enrichment Object | This action creates an enrichment for an object on CTIX. |
Create Global Note | This action creates a global note for an object on CTIX. |
Create Saved Search | This action creates a saved search on CTIX. |
Create Subscriber | This action adds a subscriber in CTIX. |
Create Tag | This action creates a tag on CTIX. |
Create Threat Defender Content | This action creates a threat defender content record. |
Create Tool Account | This action creates an account of a tool in CTIX. |
Delete a Tag | This action deletes a tag. |
Delete Report | This action deletes a report from CTIX. This action is irreversible and the deleted report cannot be retrieved. |
Generate Export Link | This action generates an export link that is used to share data on CTIX. |
Get Accounts of a Tool in CTIX | This action lists all the accounts of a tool in CTIX. |
Get Advanced View of Object | This action is used to get an advanced view of the object. |
Get License Info | This action retrieves the license details. Use this action with caution as it exposes the license details. |
Get Note Details | This action retrieves note details from CTIX. |
Get Object Details by Table View | This action retrieves the object information for the given filters in a tabular format. |
Get Object View of Indicator | This action retrieves basic correlated object information for an indicator object in CTIX. |
Get Related Objects | This action retrieves the related objects of an object type, such as the top threat actors in an industry or top TTPs used by a Threat Actor. |
Get Report Details | This action retrieves the details of a report. |
Get Report Run Logs | This action retrieves the report run log details. |
Get Rule Details | This action retrieves the details of a rule. |
Get Saved Search Result | This action retrieves the results of a saved search on CTIX. |
Get Threat Object Relations | This action retrieves the relationships for an object on CTIX. |
Get User Details | This action retrieves the details of a user from the CTIX application. |
Get User Group Details | This action retrieves the user group details from the CTIX application. |
Get Whitelisted IOC Details | This action retrieves the details of a whitelisted object. |
Get Widgets Data | This action retrieves the details of a specific widget. |
Import Intel | This action imports threat data to Intel Exchange. |
Ingest STIX Data | This action ingests STIX 2.0 data into CTIX. |
List All Collections | This action retrieves a list of all collections in CTIX. |
List All Global Notes | This action lists all the global notes from CTIX. |
List All Tags | This action lists all tags from CTIX. |
List API Feeds | This action retrieves a list of all API feeds available on CTIX. |
List Enrichment Objects | This action retrieves a list of all enrichment tools. |
List Integrations | This action retrieves a list of the integrations configured in CTIX. |
List Quick Add Intel History | This action lists the intel added using Quick Add Intel. |
List Reports | This action retrieves a list of reports. |
List Rules | This action retrieves a list of all enrichment rules. |
List Saved Result Set | This action retrieves the data published using the Save Result Set and Save Result Set V3 actions in the rules. |
List Saved Searches | This action retrieves a list of saved searches on CTIX. |
List Sources | This action lists all the feed sources available in CTIX. |
List Subscribers | This action retrieves a list of subscribers configured in CTIX. |
List User Groups | This action lists the user groups from the CTIX application. |
List Users | This action lists the users of the CTIX application. |
List Whitelisted IOCs | This action retrieves a list of all whitelisted IOCs. |
List Widgets | This action retrieves a list of widgets configured in CTIX. |
Perform Manual Action on IOC | This action applies actions to a threat data object. |
Quick Add Indicators | This action adds threat indicators data in CTIX. |
Run Report | This action runs a report. |
Run Rule | This action runs a rule on CTIX. |
Search Threat Data | This action searches for CTIX threat data. |
Update Global Note | This action creates a global note for an object on CTIX. |
Update User Details | This action updates the user details on the CTIX application. |
Update User Group Details | This action updates the user group details on the CTIX. |
View Detailed Page Source Description | This action retrieves description, fanged description, and more for the given object type and object ID as received from the feed source. |
View External References For Object | This action retrieves all external references for an object. |
View Object Source Details | This action retrieves object information for the given object ID. |
View Object Source List | This action retrieves object details in retrospect to the source. |
Generic Action | This action performs an action on CTIX to an undefined endpoint that is not handled by the app. |
Configuration Parameters
The following configuration parameters are required for the CTIX V3 app to communicate with the CTIX V3 enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL of CTIX. Example: https://qa.cyware.com/ctixapi/ | Text | Required | Base URL format: https://tenant_code.cyware.com/ctixapi/ |
Access Key | Enter the CTIX access ID to authenticate with. | Password | Required | |
Secret Key | Enter the secret key to authenticate with. | Password | Required | |
SSL Verification | Choose your preference to verify SSL while making requests. It is recommended to set this option to yes. Passing no may result in incorrectly establishing the connection. | Boolean | Optional | By default, verification is enabled. |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with CTIX V3. | Integer | Optional | Allowed range: 15-120 Default value: 15 |
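A pre-deployment check for the five parameters above, written here as an added example (it is not part of the CTIX connector or of Orchestrate): it flags a non-HTTPS or malformed base URL, missing keys, disabled certificate verification, and a timeout outside the documented 15-120 range. The dictionary key names (`base_url`, `access_key`, `secret_key`, `ssl_verification`, `timeout`) and the sample values are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Range and default taken from the Timeout row of the table above.
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15


def lint_instance(cfg):
    """Return a list of findings for one connector instance (empty list = clean).

    The dictionary keys are hypothetical names for the five parameters above.
    """
    findings = []

    # Base URL: documented format is https://tenant_code.cyware.com/ctixapi/
    raw_url = str(cfg.get("base_url") or "").strip()
    try:
        url = urlsplit(raw_url)
    except ValueError:
        url = None
        findings.append("base_url: not a parseable URL")
    if url is not None:
        if url.scheme != "https":
            findings.append("base_url: scheme must be https")
        if not url.hostname:
            findings.append("base_url: host is missing")
        if url.username or url.password:
            findings.append("base_url: credentials must not be embedded in the URL")
        if url.path.rstrip("/") != "/ctixapi":
            findings.append("base_url: path must be /ctixapi/")
        if url.query or url.fragment:
            findings.append("base_url: query string or fragment is not expected")

    # Access Key and Secret Key are both required.
    for key in ("access_key", "secret_key"):
        value = cfg.get(key)
        if not isinstance(value, str) or not value.strip():
            findings.append(f"{key}: required value is missing")
        elif value != value.strip():
            findings.append(f"{key}: leading or trailing whitespace")

    # Verification is enabled by default; anything other than True is flagged,
    # including strings such as "no" that a loose parser could treat as truthy.
    if cfg.get("ssl_verification", True) is not True:
        findings.append("ssl_verification: certificate verification is disabled")

    # bool is a subclass of int in Python, so reject it explicitly.
    timeout = cfg.get("timeout", TIMEOUT_DEFAULT)
    if isinstance(timeout, bool) or not isinstance(timeout, int):
        findings.append("timeout: must be an integer number of seconds")
    elif not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        findings.append(f"timeout: {timeout} is outside {TIMEOUT_MIN}-{TIMEOUT_MAX}")

    return findings


# Constructed sample instances (no real credentials).
GOOD_INSTANCE = {
    "base_url": "https://qa.cyware.com/ctixapi/",
    "access_key": "constructed-access-id",
    "secret_key": "constructed-secret",
    "ssl_verification": True,
    "timeout": 30,
}
BAD_INSTANCE = {
    "base_url": "http://ctix.example.internal/ctixapi/",
    "access_key": "constructed-access-id",
    "secret_key": " ",
    "ssl_verification": False,
    "timeout": 5,
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_INSTANCE), ("bad", BAD_INSTANCE)):
        print(name, lint_instance(cfg) or "no findings")
```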
Action: Action on Rules
This action performs actions on rules, such as activate, deactivate, and more.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule ID List | Enter the list of rule IDs to perform an action on. Example: $LIST[98230f-0e9f-45f4-a4c4-sdv89023hb3423] | List | Required | |
Action | Enter the action to perform. Example: follow | Text | Required | Allowed values:
|
Example Request
[ { "rule_id_list": ["98230f-0e9f-45f4-a4c4-sdv89023hb3423"], "action": "follow" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns success message "Successful". |
Action: Add Tag to Threat Data
This action adds a tag to a threat object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the object ID to which you need to add a tag. Example: "05d1bb85-74ac-4bea-bdc2-284e6e57c4bd" | Text | Required | |
Tag to Add | Enter a tag that you need to add to an object. Example: "phishing" | Text | Required | |
Create New Tags | Choose to create a new tag, if the entered tag does not exist. Example: true | Boolean | Optional | Allowed values:
|
Object Type | Enter the type of threat data object. Example:
| Text | Optional | Default: Indicator |
Example Request
[ { "object_id": "05d1bb85-74ac-4bea-bdc2-284e6e57c4bd", "tag_to_add": "phishing", "create_new_tags": true } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns success message "Action Successfully Executed". |
Action: Add Whitelisted IOCs
This action adds an indicator as whitelisted.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC Type | Enter the type of the IOC. Example: ipv4-addr | Text | Required | |
IOC List | Enter the list of IOCs to add to the whitelist. Example: $LIST[1.1.1.1, 2.2.2.2] | List | Required | |
Description | Enter a description to pass with the whitelisting. | Text | Required | |
Include URLs | Choose whether to include URLs in the whitelist. Example: false | Boolean | Optional | Default value: false |
Example Request
[ { "ioc_type": "ipv4_addr", "ioc_list": ["1.1.1.1", "2.2.2.2"], "description": "Sample IOC description", "include_urls": false } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
invalid | Array | Returns the list of invalid IOCs passed. |
new_created | Array | Returns the list of newly added valid IOCs. |
already_exists | Array | Returns the list of IOCs that are already available in the allowed indicators list. |
Action: Bulk IOC Advance Lookup
This action performs a bulk search of the threat data objects in the CTIX application and retrieves the details of the objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Type | Enter the type of threat data object. Example: indicator, vulnerability, malware | Text | Required | You can retrieve this ID using the action List All Tags. |
Enrichment Data | Enter true to retrieve the latest five enrichment data of the threat data objects. | Boolean | Optional | Allowed values:
Default value: false |
Relation Data | Enter true to retrieve the latest 100 relations details of threat data objects. | Boolean | Optional | Allowed values:
Default value: false |
Object Value | Enter a list of up to 100 threat data object values to look up. Example: $LIST[47.92.78.238, www.facebook.com] | List | Optional | Note that one of the Object ID or Object Value parameters is required. |
Object ID | Enter a list of up to 100 threat data object IDs to look up. Example: $LIST['2b8d0163-da03-4a1d-86c5-f981f0920c0d'] | List | Optional | Note that one of the Object ID or Object Value parameters is required. |
Fields | Enter a comma-separated list of fields to retrieve specific details of the objects. Example: relations,enrichment_data | Text | Optional | By default, it retrieves all field data. |
Enrichment Tools | Enter a comma-separated list of up to five enrichment tool names to retrieve the enriched threat data objects. Example: AbuseIPDB | Text | Optional | |
Extra Params | Enter any additional parameters to pass with this request. Example: {page_size: 1} | Key Value | Optional | Allowed values:
|
Example Request
[ { "object_type": "malware", "enrichment_data": true } ]
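The input limits above (up to 100 object values or IDs per request, one of the two required, up to five enrichment tools) are easy to violate when a playbook feeds this action from an alert queue. The following added example, which is not part of the connector, de-duplicates the inputs and splits them into request bodies that respect those limits. `object_type` and `enrichment_data` are the keys shown in the example request; the other key names, the choice to send values and IDs in separate requests, and the sample indicators are assumptions.

```python
MAX_OBJECTS_PER_REQUEST = 100  # "up to 100" object values or object IDs
MAX_ENRICHMENT_TOOLS = 5       # "up to five" enrichment tool names


def dedupe(values):
    """Strip whitespace, drop empty entries, de-duplicate, keep first-seen order."""
    seen, out = set(), []
    for value in values or []:
        value = str(value).strip()
        if value and value not in seen:
            seen.add(value)
            out.append(value)
    return out


def plan_bulk_lookup(object_type, object_values=None, object_ids=None,
                     enrichment_data=False, relation_data=False,
                     enrichment_tools=None, fields=None):
    """Return a list of request bodies, each within the documented limits.

    Key names other than object_type and enrichment_data are assumed.
    """
    object_type = str(object_type or "").strip()
    if not object_type:
        raise ValueError("object_type is required")

    values, ids = dedupe(object_values), dedupe(object_ids)
    if not values and not ids:
        raise ValueError("one of object_value or object_id is required")

    tools = dedupe(enrichment_tools)
    if len(tools) > MAX_ENRICHMENT_TOOLS:
        raise ValueError(f"at most {MAX_ENRICHMENT_TOOLS} enrichment tools are allowed")

    base = {
        "object_type": object_type,
        "enrichment_data": bool(enrichment_data),
        "relation_data": bool(relation_data),
    }
    if tools:
        base["enrichment_tools"] = ",".join(tools)   # comma-separated text field
    if fields:
        base["fields"] = ",".join(dedupe(fields))    # comma-separated text field

    # Values and IDs go into separate requests (a choice made for this example),
    # each chunked to the per-request limit.
    requests = []
    for key, items in (("object_value", values), ("object_id", ids)):
        for start in range(0, len(items), MAX_OBJECTS_PER_REQUEST):
            body = dict(base)
            body[key] = items[start:start + MAX_OBJECTS_PER_REQUEST]
            requests.append(body)
    return requests


# Constructed sample: 250 entries from a documentation address range,
# of which 230 are unique (the first 20 are repeated at the end).
SAMPLE_VALUES = [f"198.51.100.{i}" for i in range(230)] + \
                [f"198.51.100.{i} " for i in range(20)]

if __name__ == "__main__":
    plan = plan_bulk_lookup("indicator", object_values=SAMPLE_VALUES,
                            enrichment_data=True, enrichment_tools=["AbuseIPDB"])
    for number, body in enumerate(plan, 1):
        print(number, len(body["object_value"]), "values")
```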
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the score assigned to the threat data object by an analyst. |
| String | Returns the TLP assigned to the threat data object by an analyst. |
| String | Returns the country name where the threat data object was seen. |
| Timestamp | Returns the source-created date and time of the threat data object. |
| Timestamp | Returns the created date and time of the threat data object in CTIX. |
| Timestamp | Returns the last modified date and time of the threat data object in CTIX. |
| Array | Returns a list of custom attributes with details, such as Examples: Custom Attribute Name: Custom Attribute Value: |
| Integer | Returns the Confidence Score calculated by the CTIX confidence score engine. |
| String | Returns the source description of the threat data. |
| Array | Returns a list of enrichment objects retrieved from the enrichment tools. |
| Timestamp | Returns the first seen date and time of the threat data object. |
| String | Returns the ID of the threat data object. |
| String | Returns the IOC type. Returns hash type for hashes and the indicator type key for other indicators. |
| Boolean | Returns |
| Boolean | Returns |
| Boolean | Returns |
| Boolean | Returns |
| Timestamp | Returns the last seen date and time of the threat data object. |
| Timestamp | Returns the source-modified date and time of the threat data object. |
| String | Returns the value of the threat data object. |
| String | Returns the SDO type the threat data object type of the IOC. |
| Array | Returns a list of JSON objects for the collections in which the IOC is published. |
| JSON Object | Returns a list of related threat data objects. |
| Array | Returns the list of sources that reported the threat data object. |
| String | Returns the sub-type of an indicator. Returns hash type for hashes and |
| Array | Returns the tags associated with the threat data object. |
| String | Returns the TLP assigned to the threat data object by the source. |
| Boolean | Returns true if the threat data is marked for manual review by an analyst. |
| Timestamp | Returns the date and time since when this threat data object is valid. |
| Timestamp | Returns the date and time until when this threat data object is valid. |
Action: Bulk Lookup and Create Intel
This action searches the threat data objects in the CTIX application and if the objects are not present, then it creates a list of threat data objects in the CTIX application.
Note
This action is available in CTIX from the release v3.3.1 and later versions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicators | Enter the list of indicators. Example: $LIST[76.77.xx3.225:80, 131.190.xx3.60, 56.15.xx5.2x8] | List | Required | |
Enrichment | Enter true to add the last enriched information for each enriched object. Example: true | Boolean | Optional | Default value: true Allowed values:
|
Create | Enter true to create new IOCs that were missed from the list of lookup IOCs. Example: true | Boolean | Optional | Default value: true Allowed values:
|
Metadata | Enter additional information about the objects such as TLP, confidence score, and more while creating intel. Example: {'tlp':'RED'} | Key Value | Optional | |
Collection Name | Enter the name of the collection to map the threat data objects. Example: $LIST[76.77.213.225:80, 131.190.253.60, 56.15.255.238] | Text | Optional | |
Source Name | Enter the source name to map the threat data objects. Example: Orchestrate | Text | Optional | |
Example Request
[ { "create": true, "metadata": {}, "enrichment": true, "indicators": [ "131.190.xx3.60", "56.15.xx5.2x8" ], "collection_name": "ctix_collection" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the IOCs that exist in the platform. |
| Array | Returns a list of JSON objects. Each object includes the details of the IOCs that exist in the platform. For more information, see The Results Objects. |
| Integer | Returns the details of the IOCs that exist in the platform. |
| JSON Object | Returns the details of the IOCs that do not exist in the platform. |
| Array | Returns a list of invalid IOC values. Invalid IOC values will not be ingested into the platform. |
| Integer | Returns the total count of invalid IOC values. |
| Array | Returns a list of all valid IOC values. All valid IOC values will be ingested into the platform if the query parameter create=true is passed with the request. |
| Integer | Returns the total number of valid IOC values. |
Action: Create Tag
This action creates a tag on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the name of the tag to add. | Text | Required | |
Color | Enter the color of the tag to assign. | Text | Optional | Default value: #5236E2 |
Action: Create Collections
This action creates a collection on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the name of the collection. Example: Malicious URL | Text | Required | |
Description | Enter a description of the collection. Example: A very common method for delivering malware to potential targets is to host it at a particular URL. Targets are then directed to that URL via a phishing e-mail or a link from another site and, when they reach it, are exploited. Sharing lists of malicious URLs can be an effective and cheap way to limit exposure to malicious code. | Text | Required | |
Polling | Choose if you want to add the collection to poll data. Example: true | Boolean | Required | |
Inbox | Choose if you want to add the collection to the inbox service. Example: true | Boolean | Required |
Example Request
[ { "name": "Malicious URL", "description": "A very common method for delivering malware to potential targets is to host it at a particular URL", "polling": "true", "inbox": "true" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns “Success”. |
Action: Create CTIX Action
This action creates an action on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action Name | Enter the action name to run. Example: pfsense actions | Text | Required | |
Action Type | Enter the action type. Example: automatic | Text | Required | |
Rule Name | Enter the rule name. Example: trigger playbook | Text | Required | |
App Type | Enter the app type. Example: third_party | Text | Required | |
App Name | Enter the app name. Example: pfsense | Text | Required | |
App Response | Enter the app response. Example: {"pfense": "third_party"} | Key Value | Required | |
Object ID | Enter the object ID. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required | |
Object Type | Enter the object type. Example: malware | Text | Required |
Example Request
[ { "action_name": "Pfence Actions", "action_type": "automatic", "rule_name": "Trigger Playbook", "app_type": "third_party", "app_name": "Pfence", "app_response": { "pfense": "third_party" }, "object_id": "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e", "object_type": "malware" } ]
Action: Create Enrichment Object
This action creates an enrichment for an object on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tool ID | Enter the tool ID to create an enrichment object. Example: 7a7ac2cf-51e9-48fe-a2a8-32e7a684cc33 | Text | Required | |
Verdict | Enter the enrichment verdict. Example: Malicious | Text | Required | |
Score | Enter the enrichment score. | Text | Required | This ranges between 1-100 with 1 being non-malicious and 100 being highly malicious. |
Object ID | Enter the object ID to pass the enrichment to. | Text | Required | |
Classification | Enter the classification of the enrichment. | Text | Optional | |
Object Type | Enter the object type that is being enriched. Example: malware, campaign, indicator | Text | Optional | Default value: indicator |
Tool Response | Enter a JSON tool response to pass with the enrichment. Example: {'status': 'Malicious'} | Key Value | Optional | |
Parsed Response | Pass the parsed response received from the tool. Example: {'status': 'Malicious'} | Key Value | Optional |
Action: Create Global Note
This action creates a global note for an object on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Text | Enter the note to add to the object. Example: test note | Text | Required | |
Note Type | Enter the note type to create. | Text | Required | Allowed value: report |
Object ID | Enter the object ID to update the note. Example: 2b8d0163-da03-4a1d-86c5-f981f0920c0d | Text | Optional | |
Meta Data | Enter any additional metadata associated with the note. Example: report_id: 2b8d0163-da03-4a1d-86c5-f981f0920c0d | Key Value | Optional |
Action: Create Saved Search
This action creates a saved search on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Type | Enter the type of the saved search. Example:
| Text | Required | |
Name | Enter the name of the saved search. Example: IOC Intel | Text | Required | |
Query | Enter the query to generate the report. Example: type=\"indicator\" and sub_type=\"file\" and created>\"2021-07-28\" | Text | Required | |
Shared Type | Enter the shared type of the saved search. Example: private | Text | Required | Allowed values:
|
Metadata | Enter the metadata of the saved search that helps in the transformation to the CQL query or threat data filters. | Text | Required |
Example Request
[ { "type": "basic", "name": "CQL Search", "query": "type=\"indicator\" and sub_type=\"file\" and created>\"2021-07-28\"", "shared_type": "private", "metadata": "This is a sample data addition" } ]
Action: Create Subscriber
This action creates a subscriber in CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the name of the subscriber. | Text | Required | |
Primary Contact Name | Enter the primary contact name of the subscriber. | Text | Required | |
| Enter the email ID of the subscriber. | Text | Required | |
Score | Enter the confidence score for the subscriber. | Integer | Required | |
Collection IDs | Enter the list of IDs of STIX collections to which the subscriber is to be added. Example: $LIST[9251d39e-c6d4-4c63-a55f-8201fd0d583d] | List | Required | |
Whitelisted IP Ranges | Enter the list of IPs from which the subscriber is allowed to make requests to TAXII/MISP server. | List | Optional | |
Extra Params | Enter the extra parameters to pass with the request payload. | Key Value | Optional |
Example Request
[ { "name": "John Doe", "primary_contact_name": "John Doe", "email": "johndoe@example.com", "score": 60, "collection_ids": ["9251d39e-c6d4-4c63-a55f-8201fd0d583d"], "whitelisted_list_ranges": ["1.1.1.1", "3.3.3.3"] } ]
Action: Create Threat Defender Content
This action creates a threat defender content record.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule | Enter the rule content. Example: 'rule tdl1 : sample rule'. | Text | Required | |
Tags | Enter the list of tag objects to apply to the content. Example: $LIST[{"id": "ef4fdadc-c98c-4e09-afd2-b9084706151e", "name": "yara", "colour_code": "#FF5330"}] | List | Optional | |
Extra Params | Enter any additional details to add to the threat data content. Example: "external_variables": [{"type": "boolean", "key": "some_string_var", "value": true}] | Key Value | Optional | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Integer | Returns the HTTP status code 201 for a successful execution. |
Action: Create Tool Account
This action creates an account of a tool in CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tool ID | Enter the tool ID to create an account. Example: 7a7ac2cf-51e9-48fe-a2a8-32e7a684cc33 | Text | Required | |
Base URL | Enter the base URL of the product to connect. | Text | Optional | |
Secret Key | Enter the secret key to use for authentication. | Text | Optional | |
Access Key | Enter the access key to use for authentication. | Text | Optional | |
SSL Encrypted | Choose whether to validate the SSL certificate. | Boolean | Optional | Default value: True |
Is Active | Enter true to set the status of the account as active; otherwise, enter false. | Boolean | Optional | |
Auth Type | Enter the authentication type. Example: user-pass. | Text | Optional | Default value: user-pass |
Extra Fields | Enter any extra data to pass in the extra field section of the request. | Key Value | Optional | |
Action: Delete a Tag
This action is used to delete a tag.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tag ID | Enter the ID of the tag to be deleted. Example: 8818f140-62c6-4dee-bfb2-bc26bde9dfa1 | Text | Required | You can retrieve this ID using the action List All Tags. |
Example Request
[ { "tag_id": 2025 } ]
Action: Delete Report
This action deletes a report from CTIX. This action is irreversible and the deleted report cannot be retrieved.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID to be deleted. Example: "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e" | Text | Required | |
Extra Params | Enter the extra parameters to pass with the request URL. | Key Value | Optional |
Example Request
[ { "report_id": "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e" } ]
Action: Generate Export Link
This action generates an export link that is used to share data on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Format | Enter the export format of the report. Example: csv | Text | Required | Allowed value: "csv" |
Component | Enter the component of the report. Example: threat_data | Text | Required | Allowed value: "threat_data" |
Query | Enter the CQL query to generate the report. Example: type='indicator' | Text | Required |
Example Request
[ { "format": "csv", "component": "threat_data", "query": "type='indicator'" } ]
Action: Get Accounts of a Tool in CTIX
This action retrieves the list of all accounts of a tool in CTIX.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tool ID | Enter the tool ID to get accounts. Example: 7a7ac2cf-51e9-48fe-a2a8-32e7a684cc33 | Text | Required |
Action: Get Advanced View of Object
This action retrieves additional information such as kill chains, external references, published collections for the given object ID, and password.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the object ID to get an advanced view. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required |
Example Request
[ { "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Array of JSON Objects | Returns a list of kill chain phases with the phase ID, kill chain name, and phase name. |
| Array of JSON Objects | Returns a list of published collections with the ID, action type, name, and published time. |
Action: Get License Info
This action retrieves the license details. Use this action with caution as it exposes the license details.
Action Input Parameters
This action does not require any input parameter.
Action: Get Note Details
This action retrieves note details from CTIX.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Note ID | Enter the note ID to get details. | Text | Required |
Action: Get Object Details by Table View
This action retrieves the object information for the given filters in a tabular format.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the object ID to retrieve the details. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | |
Object Type | Enter the object type. Example:
| Text | Required | |
Page No | Enter the page number of the response. Example: 1 | Integer | Optional | Default value: 1 |
Page Size | Enter the number of items to return from the entered page number. Example: 10 | Integer | Optional | Default value: 10 |
Example Request
[ { "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112", "object_type": "malware", "page_no": 2, "page_size": 5 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Dictionary | Returns the details of the collection the object has polled. |
| String | Returns the ID of the collection. |
| String | Returns the name of the collection. |
| Timestamp | Returns the creation date of the object as received from the source. |
| Integer | Returns the total number of custom attributes received for the object from the source. |
| Timestamp | Returns the first seen date of the object as received from the source. |
| String | Returns the unique ID of the record. |
| Timestamp | Returns the date on which the object was last seen as shared by the source. |
| Timestamp | Returns the date of modification of the object as shared by the source. |
| String | Returns details about the source. |
| String | Returns the ID of the source. |
| String | Returns the name of the source. |
| String | Returns the type of source, such as RSS, API feed, or more. |
| Integer | Returns the highest confidence score received from the source. |
| Array | Returns the list of all the labels or tags received from the source. |
| Integer | Returns the number of times the object has been polled from the source. |
| String | Returns the TLP of the object, such as RED, AMBER, GREEN, WHITE. |
Action: Get Object View of Indicator
This action retrieves basic correlated object information for an indicator object in CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of the indicator to retrieve the object view. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required |
Example Request
[ { "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the description given by an analyst. |
| Integer | Returns the score given by an analyst. |
| String | Returns the TLP value given by an analyst. |
| String | Returns if the object was part of any SDO or has been observed. |
| String | Returns the confidence score of the object. |
| String | Returns the type of confidence score engine used to calculate the score. |
| String | Returns the country for a valid object. |
| Timestamp | Returns the STIX-defined creation date of the object. |
| Timestamp | Returns the creation date of the object in the CTIX platform. |
| Timestamp | Returns the modification date of the object in the CTIX platform. |
| Integer | Returns the score of an object in the CTIX platform. |
| String | Returns the TLP of the object in the CTIX platform. |
| String | Returns the defanged description. |
| String | Returns the description of the object. |
| String | Returns the fanged description of the object. |
| Timestamp | Returns the STIX-defined date on which the object was first observed. |
| Timestamp | Returns the STIX-defined date on which the object was last observed. |
| Timestamp | Returns the STIX-defined date on which the object was modified. |
| String | Returns the name of the object. |
| String | Returns the list of sources from where the object has been received. |
| String | Returns the ID of the source. |
| String | Returns the name of the source. |
| String | Returns the type of sources such as API Feed, RSS Feed, and more. |
| String | Returns the valid subtype of the object. For example, valid subtypes of an indicator are URL, domain, and more. |
| String | Returns the Top-Level Domain (TLD) value for Domain objects. |
| String | Returns the TLP of the object. |
| String | Returns the type of object. |
| Array | Returns the types of objects referred to by STIX as indicator types, malware types, and more. |
| Timestamp | Returns the STIX-defined valid-from date of the object. |
| Timestamp | Returns the STIX-defined valid-until date of the object. |
Action: Get Report Details
This action retrieves the details of a report.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID to query. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required | |
Extra Params | Enter the extra parameters to pass with the request URL. | Key Value | Optional | |
Type | Enter the report type to query. | Text | Required | Allowed values:
Default: basic |
Example Request
[ { "report_id": "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each object represents one source. |
| String | Returns the type of basic report, such as saved or custom. |
| String | Returns the unique ID of the schedule. |
| String | Returns the time interval for the re-run of the report. |
| Timestamp | Returns the starting date and time in EPOCH format from which the report captures the received data. |
| Integer | Returns the schedule frequency. |
| String | Returns the end duration interval for the captured data. |
| Integer | Returns the duration in days to capture data in the report. |
| String | Returns the sorting type in basic reports:
|
| String | Returns the name of the report. |
| String | Returns the unique ID of the report. |
| Array of JSON objects | Returns the list of columns in a report. |
| JSON Object | Returns the list of internal recipients with whom to share the report. |
| JSON Object | Returns the list of external recipients with whom to share the report. |
| String | Returns the type of report, such as basic or advanced. |
| Array | Returns the report formats, such as CSV, XLS. |
| String | Returns the shared type, such as global or private. |
| Timestamp | Returns the date and time in EPOCH format at which the report was manually run. |
| Timestamp | Returns the scheduled date and time in EPOCH format of the report generation. |
| JSON Object | Returns the saved search object for the corresponding report used for generating the report. |
| JSON Object | Returns the details of the user who created the report. |
Action: Get Report Run Logs
This action retrieves the report run log details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required | |
Type | Enter the report type. | Text | Optional | Default value: basic Allowed values:
|
Example Request
[ { "report_id": "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e" } ]
Action: Get Rule Details
This action retrieves the details of a rule.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule ID | Enter the rule ID to retrieve the details. Example: f44312d8-452a-4c7e-93b5-39af07d642db | Text | Required |
Example Request
[ { "rule_id": "f44312d8-452a-4c7e-93b5-39af07d642db" } ]
Action: Get Saved Search Result
This action retrieves the results of a saved search on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Saved Search ID | Enter the ID of the saved search. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required |
Example Request
[ { "saved_search_id": "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e" } ]
Action: Get Threat Object Relations
This action retrieves the relationships for an object on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the object ID to retrieve relations. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | |
Object Type | Enter the object type. Example: indicator | Text | Required | For more information on the supported object types, see STIX |
Page Size | Enter the number of results to retrieve per page. | Integer | Optional | Default value: 10 |
Page Number | Enter the page number to go to a specific results page. | Integer | Optional | Default value: 1 |
Example Request
[ { "object_id":"eee70fcc-a23b-4d3b-a968-fc78b121d112", "object_type":"indicator", "page_no":1, "page_size":10 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Includes the relationship details. |
| String | Returns the STIX-defined relationship type between the objects. |
| Array | Returns the list of sources from where you received the relationship. |
| JSON Object | Returns the details of the target object such as ID, name, and type. |
| String | Returns the URL link to the next page. |
| String | Returns the URL link of the previous page. |
| Integer | Returns the total number of records. |
| Integer | Returns the page size. |
| Array | Returns the list of result objects. |
Action: Get User Details
This action retrieves the details of a user from the CTIX application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the user ID to retrieve the user details. Example: cf0e148b-5f7a-4f05-8f4d-081fa1743231 | Text | Required |
Example Request
[ { "user_id":"cf0e148b-5f7a-4f05-8f4d-081fa1743231" } ]
Action: Get User Group Details
This action retrieves the user group details from the CTIX application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User Group ID | Enter the user group ID to retrieve the details of a user group. Example: cf0e148b-5f7a-4f05-8f4d-081fa1743231 | Text | Required |
Example Request
[ { "usergroup_id":"cf0e148b-5f7a-4f05-8f4d-081fa1743231" } ]
Action: Get Whitelisted IOC Details
This action retrieves the details of a whitelisted object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the whitelisted object ID. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required |
Example Request
[ { "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
type | String | Returns the type of IOC. |
value | String | Returns the value of the IOC. |
id | String | Returns the unique ID of the allowed indicator. |
modified_by | String | Returns the ID of the user who last modified the entry. |
modified | Timestamp | Returns the last modified date and time in EPOCH format. |
include_subdomains | Boolean | Returns true if the subdomains of a domain are allowed, else returns false. |
include_urls | Boolean | Returns true if the URLs of a domain or IPv4 address are allowed, else returns false. |
include_emails | Boolean | Returns true if the emails of a domain are allowed, else returns false. |
created_by | String | Returns the ID of the user that added the allowed indicator. |
created | Timestamp | Returns the created date and time in EPOCH format. |
Action: Get Widgets Data
This action retrieves the details of a specific widget.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Widget Slug | Enter the widget slug to get the details. You can retrieve this value by using the List Widgets action. | Text | Required | You can retrieve the widget slug using the List Widgets action. |
Created From | Enter the timestamp to get data from. Example: 1650375753 | Integer | Optional | |
Created Until | Enter the timestamp to get data till. Example: 1650375753 | Integer | Optional | |
Size | Enter the response size. | Integer | Optional |
Example Request
[ { "widget_name": "top5_sdos", "created_from": 1624147200, "created_till": 1626825599, "size": 7 } ]
Action: Import Intel
This action imports threat data to Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Path | Enter the file path. | Text | Required | Allowed values: .json, .xml, .csv, URL |
Collection ID | Enter the ID of the collection to which the file is imported. Example: 603dd2cf-2c3e-4a6b-8200-505d3586df1f | Text | Optional | |
Version | If the file format is stix1 or stix2, enter the STIX version. | String | Optional | Allowed values: 1.0, 2.0, 2.1 Default value is 2.1. |
File Format | Enter the format for the import. | Text | Optional | Allowed values: cy-csv, misp, openioc, stix1, stix2, stix20, stix1url, csv-recorded-future |
Action: Ingest STIX Data
This action ingests STIX 2.0 data into CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source ID | Enter the ID of the source to ingest the data. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | |
Collection ID | Enter the ID of the collection to ingest the data. Example: 777775a5-5ad2-4239-b5eb-aba1e48f2113 | Text | Required | |
Source Type | Enter the type of source to ingest the data. Example: custom_stix_sources | Text | Required | |
STIX Bundle | Enter a valid STIX bundle to ingest the data. Example: { "id": "bundle--eaa3295e-34bc-432b-9deb-111110fff237", "type": "bundle", "objects": [ { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061", "name": "spear phishing", "confidence": 0, "revoked": false } ] } | Text | Required | |
Timeout | Enter the timeout in seconds. Example: 30 | Integer | Required | Default value: 30 |
Example Request
[ { "source_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112", "timeout": 15, "collection_id": "777775a5-5ad2-4239-b5eb-aba1e48f2113", "source_type": "CUSTOM_STIX_SOURCES", "stix_bundle": { "id": "bundle--eaa3295e-34bc-432b-9deb-111110fff237", "type": "bundle", "objects": [ { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061", "name": "Spear Phishing", "confidence": 0, "revoked": false } ] } } ]
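A pre-flight check for the Ingest STIX Data request, added here as an example; it is not part of the Cyware documentation or the connector's code. It assumes the request shape shown in the Example Request above, that source and collection IDs are UUIDs as in the page's examples, and, as a local policy, that a bundle with no objects should be rejected; all function names are hypothetical.

```python
import json
import uuid

# Keys as they appear in the Example Request for Ingest STIX Data on this page.
REQUIRED_KEYS = ("source_id", "collection_id", "source_type", "stix_bundle", "timeout")
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def is_canonical_uuid(value):
    """True for an 8-4-4-4-12 hex UUID string (assumption: CTIX IDs are UUIDs)."""
    try:
        return isinstance(value, str) and str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def check_stix_id(obj, where, errors):
    """A STIX identifier is <type>--<UUID>; its prefix must equal the object's type."""
    obj_type, stix_id = obj.get("type"), obj.get("id")
    if not isinstance(obj_type, str) or not isinstance(stix_id, str):
        errors.append(f"{where}: 'type' and 'id' must both be strings")
        return
    prefix, sep, tail = stix_id.partition("--")
    if not sep or not is_canonical_uuid(tail):
        errors.append(f"{where}: id {stix_id!r} is not of the form <type>--<uuid>")
    elif prefix != obj_type:
        errors.append(f"{where}: id prefix {prefix!r} does not match type {obj_type!r}")


def check_bundle(bundle, where, errors):
    """Structural checks on the stix_bundle value of one request."""
    if not isinstance(bundle, dict):
        errors.append(f"{where}: stix_bundle must be a JSON object")
        return
    if bundle.get("type") != "bundle":
        errors.append(f"{where}: stix_bundle.type must be 'bundle'")
    check_stix_id(bundle, f"{where} bundle", errors)
    objects = bundle.get("objects")
    if not isinstance(objects, list) or not objects:  # local policy: nothing to ingest
        errors.append(f"{where}: stix_bundle.objects must be a non-empty list")
        return
    for i, obj in enumerate(objects):
        label = f"{where} objects[{i}]"
        if not isinstance(obj, dict):
            errors.append(f"{label}: not a JSON object")
            continue
        check_stix_id(obj, label, errors)
        conf = obj.get("confidence")  # STIX 2.1 confidence is an integer from 0 to 100
        if conf is not None and (type(conf) is not int or not 0 <= conf <= 100):
            errors.append(f"{label}: confidence must be an integer from 0 to 100")


def validate_ingest_request(raw_text):
    """Return the problems found in an Ingest STIX Data request; an empty list means none."""
    try:
        payload = json.loads(raw_text)
    except json.JSONDecodeError as exc:
        curly = any(q in raw_text for q in TYPOGRAPHIC_QUOTES)
        hint = " (typographic quotes found; JSON needs ASCII double quotes)" if curly else ""
        return [f"not valid JSON: {exc.msg} at char {exc.pos}{hint}"]
    if not isinstance(payload, list) or not payload:
        return ["top level must be a non-empty JSON array of request objects"]
    errors = []
    for n, req in enumerate(payload):
        where = f"request[{n}]"
        if not isinstance(req, dict):
            errors.append(f"{where}: not a JSON object")
            continue
        missing = [k for k in REQUIRED_KEYS if k not in req]
        if missing:
            errors.append(f"{where}: missing {', '.join(missing)}")
        for key in ("source_id", "collection_id"):
            if key in req and not is_canonical_uuid(req[key]):
                errors.append(f"{where}: {key} is not a UUID")
        if "timeout" in req and (type(req["timeout"]) is not int or req["timeout"] <= 0):
            errors.append(f"{where}: timeout must be a positive integer (seconds)")
        if "stix_bundle" in req:
            check_bundle(req["stix_bundle"], where, errors)
    return errors


# The page's Example Request, typed with ASCII quotes.
PAGE_EXAMPLE = """[ { "source_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112", "timeout": 15,
  "collection_id": "777775a5-5ad2-4239-b5eb-aba1e48f2113", "source_type": "CUSTOM_STIX_SOURCES",
  "stix_bundle": { "id": "bundle--eaa3295e-34bc-432b-9deb-111110fff237", "type": "bundle",
    "objects": [ { "type": "attack-pattern", "spec_version": "2.1",
      "id": "attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
      "name": "Spear Phishing", "confidence": 0, "revoked": false } ] } } ]"""
# Constructed failing input: one key wrapped in typographic quotes, as after a copy-paste.
CURLY = PAGE_EXAMPLE.replace('"stix_bundle"', "\u201cstix_bundle\u201d")

if __name__ == "__main__":
    print("page example:", validate_ingest_request(PAGE_EXAMPLE) or "OK")
    print("curly quotes:", validate_ingest_request(CURLY))
```

Running the check before the playbook node fires keeps malformed bundles, mismatched identifiers and out-of-range confidence values out of the collection instead of discovering them after ingestion.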
Action: List All Collections
This action retrieves a list of all collections in CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Size | Enter the size of responses per page. Example: 10 | Integer | Optional | Default value: 10 |
Page No | Enter the page number to return. Example: 1 | Integer | Optional | Default value: 1 |
Example Request
[ { "page_size": 10, "page_no": 1 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the URL link to the next page. |
| String | Returns the URL link of the previous page. |
| Integer | Returns the total number of records returned by the API. |
| Array of JSON Objects | Returns the list of results returned by the API. |
| Integer | Returns the page size specified in the query parameters. |
| String | Returns the collection ID. |
| String | Returns the collection name. |
| String | Returns the collection description. |
| Boolean | Returns true if the collection is active, else returns false. |
| String | Returns the type of collection. |
| Boolean | Returns true if the collection is editable, else returns false. |
| Boolean | Returns true if the polling is allowed, else returns false. |
| Boolean | Returns true if the inbox is allowed for collection, else returns false. |
| Timestamp | Returns the date and time at which the collection was created. |
| Boolean | Returns true if the collection is subscribed by any subscriber, else returns false. |
Action: List All Global Notes
This action lists all global notes from CTIX.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to go to a specific page. | Integer | Optional | |
Page Size | Enter the number of items per page. | Integer | Optional | |
Extra Params | Enter any additional parameters to pass with the payload. Example: created_from: 1628361607 | Key Value | Optional | Allowed keys: object_id, created_by, created_from, created_to, q |
Action: List All Tags
This action lists all tags from CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to go to a specific page. Example: 1 | Integer | Optional | |
Page Size | Enter the number of items to retrieve per page. Example: 10 | Integer | Optional | |
Extra Params | Enter any additional parameters to pass with the payload. Example: 'created_from': '1628361607' | Key Value | Optional | Allowed keys: created_from, created_to, created_by, modified_from, modified_to, tag_type |
Action: List API Feeds
This action retrieves a list of all API feeds available on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page No | Enter the page number to return. Example: 1 | Integer | Optional | Default value: 1 |
Page Size | Enter the page size of the responses. Example: 10 | Integer | Optional | Default value: 10 |
Intel Feed | Choose whether to filter to see the connectors that generate intel feeds. Example: true | Boolean | Optional | |
Query | Enter a query to filter intel feeds. | Text | Optional | This parameter is a free text match. |
Extra Params | Enter the extra parameters to pass with the request URL. | Key Value | Optional |
Example Request
[ { "page_no": 1, "page_size": 10, "intel_feed": true } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the URL link to the next page. |
| String | Returns the URL link to the previous page. |
| Integer | Returns the number of entries on a page. |
| Integer | Returns the total number of application connectors. |
| Array of JSON Objects | Returns the list of results returned by the API. |
| String | Returns the ID of the feed source connector. |
| String | Returns the name of the feed source connector. |
| String | Returns the path for the logo image of the connector. |
| String | Returns the name for the access key field. |
| String | Returns the access key type, for example, text. |
| Boolean | Returns true if an access key is required, else returns false. |
| String | Returns the name for the secret key field. |
| String | Returns the type of secret key, for example, text. |
| Boolean | Returns true if a secret key is required for authentication, else returns false. |
| Integer | Returns the order of this feed source connector. |
| String | Returns the default URL of this feed source connector. |
| String | Returns the category of this application connector, such as Cyware Product, Security Information and Event Management System, SIEM, Devops, Email, Endpoint, Information, Network Security, Reputation, Sandbox, and more. |
| String | Returns a list of all the related action names for this feed source connector. |
| Boolean | Returns true if the API feed source is a featured app. |
| Array of JSON Objects | Returns a list of related fields. |
| Array of JSON Objects | Returns a list of extra fields. |
| Boolean | Returns true if the API feed source is in active state. |
| Boolean | Returns true if the API feed source is configured. |
Action: List Enrichment Objects
This action retrieves a list of all enrichment tools.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Size | Enter the number of objects to return per page. Example: 10 | Integer | Optional | Default value: 10 |
Page No | Enter the page number to return. Example: 1 | Integer | Optional | Default value: 1 |
Layout | Enter the layout to return the responses. Example: overview | Text | Optional | |
Tool | Enter the enrichment tool ID to return the responses. Example: 03694ab0-0e9f-45f4-a4c4-2b6eaedd4803 | Text | Optional | |
Object Type | Enter the object type to retrieve the objects. Example: indicator | Text | Optional | |
Object ID | Enter the object ID. Example: 03694ab0-0e9f-45f4-a4c4-2b6eaedd4803 | Text | Optional | |
Extra Params | Enter the extra parameters to pass with the request URL. | Key Value | Optional |
Example Request
[ { "page_size": 8, "page_no": 2, "layout": "overview", "tool": "03694ab0-0e9f-45f4-a4c4-2b6eaedd4803", "object_id": "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e", "object_type": "malware" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the URL link to the next page. |
| String | Returns the URL link of the previous page. |
| Integer | Returns the total number of records returned by the API. |
| Array of JSON Objects | Returns the list of results returned by the API. |
| Integer | Returns the page size specified in the query parameters. |
| String | Returns the ID of the enrichment object. |
| String | Returns the tool object from which you want to enrich the data. |
| String | Returns the date of creation of the enrichment tool. |
| String | Returns the date of data modification. |
| String | Returns the verdict of enrichment. |
| String | Returns the status of the enrichment. |
| String | Returns the date of enrichment of data. |
| String | Returns the classification of enrichment. |
| Integer | Returns the confidence score of enrichment. |
| String | Returns the type of object of the enriched data. |
| String | Returns the object ID of the enriched data. |
| String | Returns the parsed enriched data. |
| String | Returns the raw enriched data. |
Action: List Integrations
This action retrieves a list of the integrations configured in CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Category | Enter the category to filter the integrations. Example: "cyware_product" | Text | Optional | Allowed values:
|
Page No | Enter the page number to return. Example: 1 | Integer | Optional | Default value: 1 |
Page Size | Enter the page size of the responses. Example: 10 | Integer | Optional | Default value: 10 |
Extra Params | Enter the extra parameters to pass. | Key Value | Optional |
Example Request
[ { "category": "cyware_product", "page_no": 5, "page_size": 10 } ]
Action: List Quick Add Intel History
This action lists the intel added using Quick Add Intel.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to retrieve results from. Example: 1 | Integer | Optional | |
Page Size | Enter the number of items to retrieve per page. Example: 10 | Integer | Optional | |
Component | Enter the component ‘quick-add-intel’ to retrieve the quick add intel history. | Text | Required | |
Extra Params | Enter additional parameters to filter the response. Example: 'created_from': '1628361607' | Key-Value | Optional | Allowed keys: q, created_from, created_to, published_from, published_to, sort, created_by_id, status |
Action: List Reports
This action retrieves a list of reports.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Type | Enter the report type. Example: basic | Text | Optional | Allowed values:
|
Sort | Enter the field name to sort the reports by. The data is retrieved in descending order. Example: name | Text | Optional | |
Extra Params | Enter the extra parameters to pass with the request URL. | Key Value | Optional |
Example Request
[ { "type": "saved", "sort": "name" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. Each object represents one report. |
| String | Returns the URL link to the next page. |
| String | Returns the URL link of the previous page. |
| Integer | Returns the size of the requested page. |
| Array of JSON Objects | Returns results in JSON objects for each report. |
| JSON Object | Returns the details of the scheduled runs. |
| String | Returns the unique ID of the schedule. |
| String | Returns the time interval for the re-run of the report. |
| Timestamp | Returns the starting date and time in EPOCH format from which the report captures the received data. |
| Integer | Returns the number of times a report has to run during the provided interval. |
| JSON Object | Returns the end type, number of attempts left, and end time. |
| Integer | Returns the duration in days to capture data in the report. |
| String | Returns the sorting type in basic reports:
|
| String | Returns the title of the report. |
| String | Returns the unique ID of the report. |
| Array of JSON objects | Returns the list of columns in a basic report. |
| JSON Object | Returns the list of internal recipients with whom to share the report. |
| JSON Object | Returns the list of external recipients with whom to share the report. |
| String | Returns the type of report, such as basic or advanced. |
| Array | Returns the report format, such as CSV and XLS for basic reports and PDF for advanced reports. |
| String | Returns the shared type, such as global or private. |
| Timestamp | Returns the date and time in EPOCH format at which the report was last run. |
| JSON Object | Returns the details of the user who created the report. |
| JSON Object | Returns the details of the user who last modified the report. |
Action: List Rules
This action retrieves a list of all enrichment rules.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page No | Enter the page number to return. Example: 1 | Integer | Optional | Default value: 1 |
Page Size | Enter the number of rules to return per page. Example: 10 | Integer | Optional | Default value: 10 |
Source | Enter a list of source IDs to filter rules with the matching sources. Example: $LIST[98230f-0e9f-45f4-a4c4-sdv89023hb3423] | List | Optional | |
Created by ID | Enter the CTIX user ID to filter rules created by a specific user. Example: 03694ab0-0e9f-45f4-a4c4-2b6eaedd4803 | Text | Optional | |
Last Active Till | Enter the timestamp value to filter successfully executed rules until the provided timestamp value. Example: 1579289600 | Integer | Optional | |
Last Active From | Enter the timestamp value to filter successfully executed rules from the given timestamp value. Example: 1579289600 | Integer | Optional | |
Created From | Enter the timestamp value to filter rules created from the given timestamp. Example: 1579289600 | Integer | Optional | |
Created To | Enter the timestamp value to filter rules created until the given timestamp. Example: 1579289600 | Integer | Optional | |
Return Minimal Response | Choose whether to return the minimal or complete details of the objects. Example: true | Boolean | Optional | Default value: true |
Extra Params | Enter the extra parameters to pass with the request URL. | Key Value | Optional |
Example Request
[ { "page_no": 1, "page_size": 10, "source": ["98230f-0e9f-45f4-a4c4-sdv89023hb3423"], "created_by_id": "03694ab0-0e9f-45f4-a4c4-2b6eaedd4803", "last_active_to": 1579289600, "last_active_from": 1479289600, "created_from": 1479289600, "created_to": 1579289600, "minimal": true } ]
Action: List Saved Result Set
This action retrieves the data published using the Save Result Set and Save Result Set V3 actions in the rules.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to return. Example: 5 | Integer | Optional | Default value: 1 |
Page Size | Enter the page size of the responses. Example: 10 | Integer | Optional | Default value: 10 |
Version | Enter the saved result set version. Example: v3 | Text | Optional | Allowed values: v2, v3 Default value: v3 |
Label Name | Enter the label name to filter data. All data associated with the passed tag will be returned. | Text | Optional | |
Extra Params | Enter any extra parameter to pass. Example: {"version": "v2", "label_name": "sample_tag", "from_timestamp": 1649407795, "to_timestamp": 1649406695} | Key Value | Optional | Allowed keys:
|
Example Request
[ { "page_no": 5, "page_size": 10, "extra_params": { "version": "v2", "label_name": "sample_tag", "from_timestamp": 1649407795, "to_timestamp": 1649406695 } } ]
Action: List Saved Searches
This action retrieves a list of saved searches on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page No | Enter the page number from which you want to retrieve the data. Example: 1 | Integer | Optional | Default value: 1 |
Page Size | Enter the page size of the responses. Example: 10 | Integer | Optional | Default value: 10 |
Extra Params | Enter the extra parameters to pass with the request URL. | Key Value | Optional |
Example Request
[ { "page_no": 5, "page_size": 10 } ]
Action: List Sources
This action lists all the feed sources in CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source Type | Enter a comma-separated list of the source type name to filter sources based on the type. Example: $LIST[custom_stix_sources,web_scrapper] | List | Optional | |
Page | Enter the page number to retrieve sources. Example: 1 | Integer | Optional | |
Page Size | Enter the number of sources to be retrieved per page. Example: 5 | Integer | Optional | |
Extra Parameters | Enter any additional parameters to pass. Example: nominal: True | Key Value | Optional | Allowed keys:
|
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the URL link to the next page. |
| String | Returns the URL link to the previous page. |
| Integer | Returns the number of entries per page. |
| Integer | Returns the total number of entries. |
| String | Returns the ID of the source created. |
| String | Returns the source name. |
| String | Returns the user ID of the creator. |
| String | Returns the ID of the user who modified the source. |
| Boolean | Returns true if the source is active, else returns false. |
| Integer | Returns the confidence value of the source. |
| Boolean | Returns true if source credentials are in a working state, else returns false. Also indicates whether polling is working properly. |
| Boolean | Returns true if the source is editable, else returns false. For some default sources, this flag is turned off. |
| String | Returns the description of the source. |
| JSON Object | Returns the source category. |
| Integer | Returns the source order. |
| String | Returns the type of source. For example, CUSTOM_STIX_SOURCES is the default value for STIX sources. |
| Boolean | Returns true if intel is present to create intel, else returns false. |
| Boolean | Returns true if SSL encryption is applied, else returns false. |
| String | Returns the username for the source. |
| String | Returns the TAXII URL of the source. |
| JSON Object | Returns the key value. |
| JSON Object | Returns the certificate value. |
| Integer | Returns the authentication type of the source. |
| String | Returns the TAXII option of the source. |
| Integer | Returns the time in minutes in which you get a notification if no feeds are received. |
Action: List Subscribers
This action retrieves a list of subscribers configured in CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page No | Enter the page number to retrieve the results. Example: 1 | Integer | Optional | Default value: 1 |
Page Size | Enter the page size of the requested page. Example: 10 | Integer | Optional | Default value: 10 |
Extra Params | Enter the extra parameters to pass. | Key Value | Optional |
Example Request
[ { "page_no": 5, "page_size": 10 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the URL link to the next page. |
| String | Returns the URL link of the previous page. |
| Integer | Returns the total number of records returned by the API. |
| Array of JSON Objects | Returns the list of results returned by the API. |
| Integer | Returns the page size specified in the query parameters. |
| String | Returns the ID of the subscriber. |
| String | Returns the name of the subscriber. |
| String | Returns the username for TAXII credentials. |
| Timestamp | Returns the timestamp at which the subscriber is created. |
| Timestamp | Returns the timestamp at which subscriber details are modified. |
| Timestamp | Returns the recent timestamp at which the subscriber polled for data from TAXII or the MISP server. |
| String | Returns the user object who created the subscriber. |
| String | Returns the user object who recently modified the subscriber details. |
| String | Returns the subscriber organization name. |
| Boolean | Returns true if the subscriber is active, else returns false. |
| String | Returns the primary contact details of the subscriber. |
| String | Returns the secondary contact details of the subscriber. |
| Integer | Returns the confidence score assigned to the subscriber. |
| Array | Returns the allowed list of IPs from which TAXII or MISP requests are allowed for the subscriber. |
| String | Returns the MISP Server URL of the subscriber. |
| Boolean | Returns true if the TAXII requests are allowed for this subscriber, else returns false. |
| Boolean | Returns true if the MISP requests are allowed for this subscriber, else returns false. |
Action: List User Groups
This action lists the user groups from the CTIX application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter a query to list user groups. Example: admin | Text | Required | |
Page Size | Enter the number of results to retrieve per page. Example: 12 | Integer | Optional | Default value: 10 |
Page Number | Enter the page number to go to a specific results page. Example: 4 | Integer | Optional | Default value: 1 |
Extra Params | Enter the extra parameters. | Key Value | Optional | Allowed keys:
|
Example Request
[ { "query":"admin", "page_no":1, "page_size":10 } ]
Action: List Users
This action lists the users of the CTIX application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter a query to list users. Example: john doe | Text | Required | |
Page Size | Enter the number of results to retrieve per page. Example: 10 | Integer | Optional | |
Page Number | Enter the page number to go to a specific results page. Example: 1 | Integer | Optional | |
Extra Params | Enter the extra parameters. | Key Value | Optional | Allowed keys:
|
Example Request
[ { "query":"John Doe", "page_no":1, "page_size":10 } ]
Action: List Whitelisted IOCs
This action retrieves a list of all whitelisted IOCs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Size | Enter the number of responses to return per page. Example: 10 | Integer | Optional | Default value: 10 |
Page No | Enter the page number to return. Example: 1 | Integer | Optional | Default value: 1 |
Example Request
[ { "page_size": 10, "page_no": 1 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
next | String | Returns a link to the next page. |
page_size | Integer | Returns the number of records retrieved per page. |
previous | String | Returns a link to the previous page. |
total | Integer | Returns the total number of allowed indicators available in the CTIX platform. |
type | String | Returns the type of the IOC. |
value | String | Returns the value of the IOC. |
id | String | Returns the unique ID of the allowed indicator. |
modified_by | String | Returns the details of the user who last modified the allowed indicator. |
modified | Timestamp | Returns the timestamp when the allowed indicator was last modified. |
include_subdomains | Boolean | Returns true if the subdomains of a domain are allowed. Else returns false. |
include_urls | Boolean | Returns true if the URLs of a domain or IPv4 address are allowed, else returns false. |
include_emails | Boolean | Returns true if the emails of a domain are allowed, else returns false. |
created_by | String | Returns the details of the user who created the allowed indicator. |
created | Timestamp | Returns the timestamp when the allowed indicator was created. |
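The `include_subdomains`, `include_urls`, and `include_emails` flags decide how far an allowed indicator reaches, so a playbook that suppresses alerts from this list should honor them instead of doing a plain string match. The following is an added example, not part of the connector or the CTIX product: it shows one client-side interpretation of the flags. The type strings (`domain`, `ipv4-addr`, `url`, `email-addr`), the sample rows, and the rule that a subdomain URL or email needs both flags set are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample of result rows from List Whitelisted IOCs.
# Field names come from the response table above; the type strings
# and values are assumptions made for this example.
SAMPLE_ALLOWLIST = [
    {"type": "domain", "value": "example.com",
     "include_subdomains": True, "include_urls": False, "include_emails": True},
    {"type": "domain", "value": "corp.example.net",
     "include_subdomains": False, "include_urls": True, "include_emails": False},
    {"type": "ipv4-addr", "value": "192.0.2.10",
     "include_subdomains": False, "include_urls": True, "include_emails": False},
]


def _norm(host):
    """Lower-case a host name and drop whitespace and a trailing dot."""
    return (host or "").strip().lower().rstrip(".")


def _host_covered(host, entry):
    """True if host equals the entry value, or is a real subdomain of it
    when the entry is a domain with include_subdomains set."""
    host, base = _norm(host), _norm(entry["value"])
    if not host or not base:
        return False
    if host == base:
        return True
    if entry["type"] == "domain" and entry.get("include_subdomains"):
        # Match on a label boundary so "notexample.com" is not treated
        # as a subdomain of "example.com".
        return host.endswith("." + base)
    return False


def _url_host(url):
    """Return the host a URL actually points to, ignoring userinfo and port."""
    try:
        parts = urlsplit(url)
        if not parts.netloc:  # scheme-less value such as "example.com/path"
            parts = urlsplit("//" + url)
        return parts.hostname
    except ValueError:  # malformed URL: treat as not covered
        return None


def is_allowlisted(ioc_type, ioc_value, allowlist):
    """Check one indicator against the allowed-indicator rows."""
    for entry in allowlist:
        host_entry = entry["type"] in ("domain", "ipv4-addr")
        if ioc_type == entry["type"]:
            if host_entry:
                if _host_covered(ioc_value, entry):
                    return True
            elif ioc_value == entry["value"]:
                return True
        elif ioc_type == "url" and host_entry and entry.get("include_urls"):
            if _host_covered(_url_host(ioc_value), entry):
                return True
        elif (ioc_type == "email-addr" and entry["type"] == "domain"
              and entry.get("include_emails")):
            if _host_covered(ioc_value.rpartition("@")[2], entry):
                return True
    return False
```

A URL such as `http://corp.example.net@evil.test/` is not covered, because the host is taken from the parsed URL and not from a substring search.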
Action: List Widgets
This action retrieves a list of widgets that are configured on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page No | Enter the page number of the dashboards. Example: 1 | Integer | Optional | Default Value: 1 |
Page Size | Enter the page size of the requested page number. Example: 10 | Integer | Optional | Default Value: 10 |
Extra Params | Enter the extra parameters to pass. | Key Value | Optional |
Example Request
[ { "page_no": 5, "page_size": 10 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the link for the next page. |
| String | Returns the link to the previous page. |
| Integer | Returns the size of the requested page. |
| Integer | Returns the total number of widgets. |
| Array of JSON Objects | Returns the list of the containing data. |
| String | Returns the name of the widget. |
| String | Returns the description of the widget. |
| String | Returns the default chart type of the widget. |
| Array | Returns the list of the supported type of widgets. |
| String | Returns the unique ID of the widget. |
| JSON Object | Returns the configuration of the widget. |
| String | Returns the type of widget. |
| String | Returns the ID of the creator of the widget. Returns null for the system widgets. |
Action: Perform Manual Action on IOC
This action applies actions to a threat data object. You can apply actions such as deprecating an item, undeprecating it, adding an analyst score, and more.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of the object to perform the action. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | |
Action to Take | Enter the action to be performed on the IOC. Example: deprecate | Text | Required | Allowed values:
|
IOC Type | Enter the type of IOC. Example: indicator | Text | Optional | Default value: "indicator" |
Extra Data | Enter the extra data to be passed. The extra data is passed with the data section of the payload structure. | Key Value | Optional | |
Extra Params | Enter the extra parameters to pass with the request. | Key Value | Optional |
Example Request
[ { "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112", "action_to_take": "false_positive", "ioc_type": "malware" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| String | Includes the response received from the app action: "Action Successfully Executed" |
Action: Quick Add Indicators
This action adds threat indicators data in CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter the title of the indicator. Example: "Intel" | Text | Required | |
Source | Enter the source of the data to be added. Example: "Orion" | Text | Required | |
Collection Name | Enter the collection name of the indicator. Example: "MISP" | Text | Optional | |
Indicators | Enter all the indicators to be added in the following format: {"indicator_type": "indicator_value"} Example: {"url":"sampleurl.com"} | Key Value | Optional | Allowed values:
|
Confidence Score | Enter the confidence score of the indicators. Example: 60 | Integer | Optional | Allowed values: 0 to 100 |
TLP | Enter the Traffic Light Protocol (TLP) of the indicators in capital letters. Example: "RED" | Text | Optional | |
Label | Enter the list of labels for the indicators. Example: $LIST[phishing, vishing] | List | Optional | This parameter is supported in CTIX from the release v3.3.2 and later versions. |
SDOs | Enter the SDOs to connect with the indicators. The passed SDOs must be STIX V2.1 compliant. Example: {"vulnerability": "log4j"} | Key Value | Optional | You must pass the SDOs in the following format: {"sdo_name": "sdo_value"} |
Custom Attributes | Enter the custom attributes to be passed. | Key Value | Optional |
Example Request
[ { "title":"Intel", "source":"Orion", "collection_name":"MISP", "indicators":{ "url":"sampleurl.com" }, "confidence":60, "tlp":"RED", "label":[ "phishing", "vishing" ], "sdos":{ "vulnerability":"log4j" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns success message "Intel creation is in progress.". |
Action: Run Report
This action runs a report in CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID to be run. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required | |
Extra Params | Enter the extra parameters to pass with the request URL. | Key Value | Optional | |
Type | Enter the report type. | Text | Optional | Allowed values:
Default value: basic |
Example Request
[ { "report_id": "5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. Each object represents one source. |
| String | Success message: Your Report will be mailed to you as soon as it is ready. |
Action: Run Rule
This action runs a rule on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule ID | Enter the rule ID to run. Example: "4i9a8f0q9d-3e3d-4e7f-a6b3-6b3e6b3e6b3e" | Text | Required | |
Start Time | Enter the timestamp value to filter threat data that are created from the entered timestamp value. Example: 1579289600 | Integer | Required | |
End Time | Enter the timestamp value to filter threat data that are created until the entered timestamp value. Example: 1579289600 | Integer | Required | |
Extra Params | Enter the extra parameters to pass with the request URL. | Key Value | Optional |
Example Request
[ { "rule_id": "4i9a8f0q9d-3e3d-4e7f-a6b3-6b3e6b3e6b3e", "start_time": 1579289500, "end_time": 1579289600 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns success message "Rule is running". |
Action: Search Threat Data
This action searches for CTIX threat data.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
CQL Query | Enter a CQL query to search threat data. Example: type = 'indicator' | Text | Optional | |
Page No | Enter the page number from which you want to retrieve the data. Example: 1 | Integer | Optional | Default Value: 1 |
Page Size | Enter the response page length. Example: 15 | Integer | Optional | Default Value: 10 |
Extra Params | Enter the extra parameters to pass with the request URL. | Key Value | Optional |
Example Request
[ { "cql_query": "type = 'indicator' AND value = '185.xx0.10x.15'", "page_no": 1, "page_size": 15 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the URL link to the next page. |
| String | Returns the URL link of the previous page. |
| Integer | Returns the total number of records returned by the API. |
| Array of JSON Objects | Returns the list of results returned by the API. |
| Integer | Returns the page size specified in the query parameters. |
| String | Returns the score assigned to a threat data object by an analyst. |
| String | Returns the TLP assigned to a threat data object by an analyst. |
| Integer | Returns the score calculated by the CTIX confidence score engine. |
| String | Returns the type of confidence.
|
| String | Returns the country name where the threat data object was seen. |
| Epoch | Returns the date and time of the creation of the threat data object. |
| Epoch | Returns the date and time of the creation of the threat data object in CTIX. |
| Epoch | Returns the date and time of modification of the threat data object in CTIX. |
| Epoch | Returns the date and time at which the threat data object was first seen. |
| String | Returns the ID of the threat data object. |
| String | Returns the type of indicator. Returns |
| String | Returns the type of indicator. Returns |
| Boolean | Returns True if an action was performed on the threat data object, else returns False. |
| Boolean | Returns |
| Boolean | Returns |
| Boolean | Returns |
| Boolean | Returns |
| Boolean | Returns |
| Epoch | Returns the last seen date and time of the threat data object. |
| Epoch | Returns the modified date and time of the threat data object. |
| String | Returns the name of the threat data object. |
| String | Returns the primary attribute of the threat data object if the threat data object is a custom object. |
| String | Returns the name of the collections in which the threat data object is published. |
| String | Returns the severity of the threat data object. |
| Array | Returns the list of IDs and names of source collections of the threat data object. |
| String | Returns the confidence score of the threat data object as reported by its source. |
| Array | Returns the list of sources that reported this threat data object. |
| String | Returns the sub-type of an object if it is an indicator. |
| String | Returns tags defined on the threat data object. |
| String | Returns the TLP assigned to the threat data object. |
| Epoch | Returns the date and time since when this threat data object is valid. |
| Epoch | Returns the date and time until when this threat data object is valid. |
| Dictionary | Returns the details of the last enrichment of the object if the object was enriched. |
Action: Update Global Note
This action updates a global note for an object on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Note ID | Enter the note ID to update. Example: 8003c6ba-5215-486d-881f-d940dcb78d35 | Text | Required | |
Text | Enter the note text to update. Example: test note | Text | Required | |
Note Type | Enter the note type to update. | Text | Required | Allowed values: report |
Object ID | Enter the object ID to create the note for. Example: 2b8d0163-da03-4a1d-86c5-f981f0920c0d | Text | Optional | |
Meta Data | Enter any additional metadata associated with the note. | Key-Value | Optional |
Action: Update User Details
This action updates the user details on the CTIX application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the user ID to update. Example: 0abb420f-dd90-415c-9c5f-fe93425dc9c2 | Text | Required | |
First Name | Enter the first name of the user. Example: John | Text | Required | |
Last Name | Enter the last name of the user. Example: Doe | Text | Required | |
User Groups | Enter a list of user groups to assign to the user. Example: [ { "id": "8003c6ba-5215-486d-881f-d940dcb78d35" } ] | List | Required | |
Username | Enter the username of the user. Example: john.doe | Text | Required | |
Is Active | Choose to mark the user group as either active or inactive. | Boolean | Optional | |
Contact Number | Enter the contact number of the user to update. Example: 99872xx743303 | Text | Optional | |
Extra Params | Enter the extra parameters. Example: [{"email_alerts": true}] | Key Value | Optional |
Example Request
[ { "user_id": "0abb420f-dd90-415c-9c5f-fe93425dc9c2", "username": "John.doe", "last_name": "Doe", "first_name": "John", "user_groups": [ { "id": "e3f2e6aa-52da-4195-8187-b9d8dd60601b" } ], "extra_params": {}, "contact_number": "99872xx743303" } ]
Action: Update User Group Details
This action updates the user group details on CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User Group ID | Enter the user group ID to update. Example: cf0e148b-5f7a-4f05-8f4d-081fa1743231 | Text | Required | |
User Group | Enter the user group name to update. Example: admin | Text | Required | |
User Group Permissions | Enter a list of permissions to assign to the user group. | List | Required | |
Is Active | Choose to mark the user group as either active or inactive. | Boolean | Optional | |
Description | Enter a description of the user group to update. | Text | Optional | |
Extra Params | Enter any additional parameters to pass with the payload. Example: [{"email_alerts": "true"}] | Key Value | Optional |
Example Request
[ { "is_active":true, "user_group":"Admin group", "description":"admin group sample description", "extra_params":{ }, "user_group_id":"e3f2e6aa-52da-4195-8187-b9d8dd60601b", "user_groups_permissions":[ { "id":"d51dd803-0922-480d-ac78-7b8f86d1284e" }, { "id":"d4601602-1d2f-463f-a619-544be9d5c2b0" } ] } ]
Action: View Detailed Page Source Description
This action retrieves description, fanged description, and more for the given object type and object ID as received from the feed source.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the object ID to retrieve the detailed page source description. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | |
Object Type | Enter the object type. Example: indicator | Text | Required |
Example Request
[ { "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112", "object_type": "malware" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Array of JSON Objects | Returns a list of source objects. |
| String | Returns the ID of the source. |
| String | Returns the fanged version of the description. |
| String | Returns the defanged version of the description. |
| String | Returns the description as received from the source. |
Action: View External References For Object
This action retrieves all external references for an object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the object ID to retrieve the external references. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required | |
Object Type | Enter the object type. Example: indicator | Text | Required | |
Page Size | Enter the page size to return. Example: 10 | Integer | Optional | Default value: 10 |
Page No | Enter the page number to return. Example: 1 | Integer | Optional | Default value: 1 |
Example Request
[ { "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112", "object_type": "malware", "page_no": 2, "page_size": 5 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the URL link to the next page. |
| String | Returns the URL link of the previous page. |
| Integer | Returns the total number of records returned by the API. |
| Array of JSON Objects | Returns the list of results returned by the API. |
| Integer | Returns the page size specified in the query parameters. |
| Integer | Returns the currently accessible page number. |
| String | Returns the URL link of the external reference referred by the object. |
| String | Returns the ID that identifies the reference. |
| String | Returns the name of the source as referred by the reference. |
Action: View Object Source Details
This action retrieves object information for the given object ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the object ID to retrieve the details. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required | |
Object Type | Enter the object type. Example:
| Text | Optional |
Example Request
[ { "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112", "object_type": "malware" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the unique ID of the record. |
| Dictionary | Returns the details about the collection. |
| Integer | Returns the confidence score reported from a source. |
| Timestamp | Returns the date and time of the object creation as received from the source over a platform. |
| Timestamp | Returns the date and time of object creation over the platform. |
| Timestamp | Returns the date and time of object modification over the platform. |
| Array | Returns the list of custom attributes received for the object from the source. |
| String | Returns the description of the object given by the source. |
| String | Returns the granular markings sent from the source as defined from STIX. |
| Array | Returns the list of kill chain phases for the valid objects. |
| Timestamp | Returns the modified date and time as received from the source. |
| String | Returns the pattern as received from the source in case of a valid object, such as an indicator. |
| String | Returns the pattern type as received from the source in case of a valid object, such as an indicator. |
| String | Returns the pattern version as received from the source in case of the valid object, such as an indicator. |
| String | Returns the ID of the object received from the source. |
| String | Returns the ID of the object as stored in the database. |
| String | Returns details about the source. |
| String | Returns the specific version of TAXII as received from the source in case of a valid object. |
| Array | Returns the list of tags received from the source. |
| Array | Returns the list of valid types for the object received from the source. |
| String | Returns the hash value used for recognizing a record in CTIX. |
| Timestamp | Returns the date and time from which the received object is valid over the platform. |
| Timestamp | Returns the date and time till which the received object is valid over the platform. |
Action: View Object Source List
This action retrieves object details with respect to the source.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the object ID. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | |
Object Type | Enter the object type. Example:
| Text | Required | |
Source ID | Enter the source ID to map the details. Example: fde70fc0-a23b-4d3b-a968-fc78b121d21d | Text | Required | |
Page No | Enter the page number of the response. Example: 1 | Integer | Optional | Default value: 1 |
Page size | Enter the number of items to return from the entered page number. Example: 10 | Integer | Optional | Default value: 10 |
Example Request
[ { "object_id": "eee70fcc-a23b-4d3b-a968-fc78b121d112", "object_type": "malware", "source_id": "fde70fc0-a23b-4d3b-a968-fc78b121d21d", "page_no": 2, "page_size": 5 } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Link to the next page of the response. |
| Integer | Page size of the response. |
| String | Link to the previous page of the response. |
| Integer | Total number of records available. |
| Array of JSON Objects | Returns a list of results. |
| Timestamp | Returns the date and time at which the object got ingested into the platform. |
| Timestamp | Returns the date and time at which the object got modified in the platform. |
| String | Returns the unique ID of the record. |
| String | Returns the pattern for a valid object. |
| String | Returns the pattern type for a valid object. |
| String | Returns the pattern version for the valid object. |
| String | Returns the types as sent by the source for the object, such as indicator types and more. |
Action: Generic Action
This action performs an action on CTIX to an undefined endpoint that is not handled by the app.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint | Enter the complete API endpoint to make the call. Example:
| Text | Required | |
HTTP Method | Enter the HTTP method in capital letters. Example: POST | Text | Required | |
Request Body | Enter the request body in JSON format. | Any | Optional | |
Query Params | Enter the query parameters. | Key Value | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: payload_data, custom_output, download, file_name, files, retry_wait, retry_count, response_type. |
Example Request
[ { "endpoint": "ingestion/enrichment/enrichment-object/", "http_method": "POST" } ]