LevelBlue Labs Open Threat Exchange (OTX)
App Vendor: LevelBlue Labs
App Category: Data Enrichment & Threat Intelligence
Connector Version: 2.0.0
API Version: v1
About App
LevelBlue Labs leverages the Open Threat Exchange (OTX), the world's largest open threat intelligence community, enabling collaborative defense through actionable, community-driven threat data and fostering knowledge exchange within the security community.
The LevelBlue Labs Open Threat Exchange app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Get Correlation Rule Details | This action retrieves the details of a correlation rule. |
Get CVE Details | This action retrieves the details of a MITRE Common Vulnerability Enumeration (CVE) ID. |
Get Domain Details | This action retrieves the details of a domain name. |
Get File Hash Details | This action retrieves the details of a file hash. |
Get Hostname Details | This action retrieves the details of a hostname. |
Get IPv4 Details | This action retrieves the details of an IPv4 address. |
Get IPv6 Details | This action retrieves the details of an IPv6 address. |
Get NID Details | This action retrieves the details of a Network Identifier (NID). |
Get URL Details | This action retrieves the details of a URL. |
Submit File for Analysis | This action submits a file for analysis. |
Submit URL for Analysis | This action submits a URL for analysis. |
Generic Action | This is a generic action to make API requests to any LevelBlue OTX endpoint. |
Configuration Parameters
The following configuration parameters are required for the LevelBlue Labs Open Threat Exchange app to communicate with the LevelBlue Labs Open Threat Exchange enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Key | Enter the API key to authenticate with LevelBlue Open Threat Exchange. | Password | Required | |
API Version | Enter the API version. Example: v1 | Text | Optional | Default version: v1 |
Timeout | Enter a timeout for the API requests between 15 and 120 seconds. Example: 20 | Integer | Optional | Default value: 15 seconds |
Verify | Choose a preference to verify the SSL/TLS certificate while authenticating API requests. Example: Yes | Boolean | Optional | Default value: No |
Action: Get Correlation Rule Details
This action retrieves the details of a correlation rule.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Correlation Rule ID | Enter a correlation rule ID to get the details. Example: 572f8c3c540c6f0161677877 | Text | Required | |
Section | Enter a section to get specific details of the correlation rule. Example: general | Text | Required | Allowed value: general |
Example Request
[ { "corr_rule": "572f8c3c540c6f0161677877", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the correlation rule. |
| String | CVE ID of the vulnerability. |
| Array | A list of false positives. |
| JSON Object | Returns a list of pulses associated with the correlation rule. |
| String | The correlation rule ID. |
| Array | List of sections available for the indicator. |
| String | Title of the type. |
| String | HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes. |
Action: Get CVE Details
This action retrieves the details of a MITRE Common Vulnerability Enumeration (CVE) ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
CVE ID | Enter a CVE ID to get the details. Example: CVE-2014-0160 | Text | Required | |
Section | Enter a section to get specific details of the CVE ID. Example: general | Text | Required | Allowed value: general |
Example Request
[ { "cve": "CVE-2014-0160", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the CVE ID, such as content, description, id, indicator, title, and others. |
| Object | Configurations of the vulnerability. |
| String | CVE ID. |
| Object | CVSS details of the CVE ID. |
| Object | CVSSv2 details of the CVE ID. |
| Object | CVSSv3 details of the CVE ID. |
| String | CWE ID of the CVE. |
| String | Date created |
| String | Date modified |
| String | Description of the CVE ID. |
| Unknown | EPSS |
| Array | List of exploits related to the CVE ID. |
| Array | True if the CVE ID is false positive |
| String | Indicator value |
| String | Mitre URL of the CVE ID. |
| String | NVD URL of the CVE ID. |
| Array | List of products associated with the CVE ID. |
| Object | Returns a list of pulses associated with the CVE ID. |
| Array | References list |
| Array | Sections list |
| Boolean | True if seen wild |
| String | Type title |
Action: Get Domain Details
This action retrieves the details of a domain name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name | Enter a domain name to get the details. Example: example1.com | Text | Required | |
Section | Enter a section to get specific details of the domain. Example: general | Text | Required | Allowed values: |
Example Request
[ { "domain_name": "example1.com", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the domain, such as content, description, id, indicator, title, type, and others. |
| String | Alexa link |
| Object | Base indicator |
| Array | If false positive |
| String | Indicator value |
| Object | Returns a list of pulses associated with the domain. |
| Array | Returns a list of sections available for the domain in the LevelBlue platform. |
| String | Type |
| String | Type title |
| Array | Returns details about the domain from various threat intelligence databases. |
| String | Returns the WHOIS link of the domain. |
| Array | Returns a list of url analysis results from LevelBlue Labs. |
| Object | Returns the geographic data of the domain, such as country code, coordinates, and other details. |
| Object | Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this domain. |
| Object | Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this domain. |
| Object | Returns the metadata for HTTP and HTTPS connections to the domain. |
Action: Get File Hash Details
This action retrieves the details of a file hash.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Hash | Enter a file hash to get the details. Example: 5eb63bbbe01eeed093cb22bb8f5acdc3 | Text | Required | |
Section | Enter a section to get specific details of the file hash. Example: general | Text | Required | Allowed values: |
Example Request
[ { "file_hash": "5eb63bbbe01eeed093cb22bb8f5acdc3", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the file hash, such as the ID, description, and other details. |
| Object | Dynamic and static analysis of this file (Cuckoo analysis, exiftool, etc.) |
| Object | Returns a list of pulses associated with the file hash. |
| Array | Returns a list of sections available for the file hash in the LevelBlue platform. |
| Object | Returns details about the file hash from various threat intelligence databases. |
| Object | List of malware detected. |
Action: Get Hostname Details
This action retrieves the details of a hostname.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Name | Enter a hostname to get the details. Example: mail.vspcord.com | Text | Required | |
Section | Enter a section to get specific details of the hostname. Example: general | Text | Required | Allowed values: |
Example Request
[ { "host_name": "mail.vspcord.com", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the hostname, such as the ID, description, and other details. |
| JSON Object | Returns a list of pulses associated with the hostname. |
| JSON Object | A more verbose listing of geographic data (Country code, coordinates, etc.) |
| JSON Object | Malware samples analyzed by LevelBlue Labs which have been observed connecting to this hostname. |
| Array | URLs analyzed by LevelBlue Labs on this hostname. |
| JSON Object | Passive DNS records observed by LevelBlue Labs pointing to this hostname. |
| Array | Metadata for HTTP and HTTPS connections to the hostname. |
Action: Get IPv4 Details
This action retrieves the details of an IPv4 address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IPv4 Address | Enter an IPv4 address to get the details. Example: 192.168.1.1 | Text | Required | |
Section | Enter a section to get specific details of the IP address. Example: reputation | Text | Required | Allowed values: |
Example Request
[ { "ipv4_address": "1.1.1.1", "section": "reputation" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the IP address, such as the ID, description, access type, and other details. |
| String | The autonomous system name for the IP address. For example, "AS8948". |
| String | The indicator type. |
| JSON Object | Returns a list of pulses associated with the IP address. |
| Array | Returns a list of sections available for the IP address in the LevelBlue platform. |
| Array | Returns details about the IP address from various threat intelligence databases. |
| String | Returns the WHOIS link of the IP address. |
| JSON Object | Returns the Open Threat Exchange (OTX) data on malicious activity observed by LevelBlue Labs (IP Reputation). |
| JSON Object | Returns the geographic data of the IP address, such as country code, coordinates, and other details. |
| JSON Object | Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this IP address. |
| Array | Returns the URLs analyzed by LevelBlue Labs that are associated with the IP address. |
| JSON Object | Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this IP address. |
| Array | Returns the metadata for HTTP and HTTPS connections to the IP address. |
| String | HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes. |
Action: Get IPv6 Details
This action retrieves the details of an IPv6 address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IPv6 Address | Enter an IPv6 address to get the details. Example: 2001:4860:4860::8888 | Text | Required | |
Section | Enter a section to get specific details of the IP address. Example: reputation | Text | Required | Allowed values: |
Example Request
[ { "ipv6_address": "2001:4860:4860::8888", "section": "reputation" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the IP address, such as the ID, description, access type, and other details. |
| String | The autonomous system name for the IP address. For example, "AS8948". |
| String | The indicator type. |
| JSON Object | Returns a list of pulses associated with the IP address. |
| Array | Returns a list of sections available for the IP address in the LevelBlue platform. |
| Array | Returns details about the IP address from various threat intelligence databases. |
| String | Returns the WHOIS link of the IP address. |
| JSON Object | Returns the Open Threat Exchange (OTX) data on malicious activity observed by LevelBlue Labs (IP Reputation). |
| JSON Object | Returns the geographic data of the IP address, such as country code, coordinates, and other details. |
| JSON Object | Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this IP address. |
| Array | Returns the URLs analyzed by LevelBlue Labs that are associated with the IP address. |
| JSON Object | Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this IP address. |
| Array | Returns the metadata for HTTP and HTTPS connections to the IP address. |
| String | HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes. |
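The IPv4 and IPv6 response tables above list the fields an enrichment playbook normally branches on: the pulses referencing the indicator, any false-positive entries, and the HTTP status code the app attaches to the result. The Python below is an added example, not code from the LevelBlue OTX app or its documentation, that reduces such a response to a verdict. The sample response is constructed to mirror the field names in those tables (indicator, asn, sections, false_positive, pulse_info) and is not a captured OTX response; treating any non-empty false_positive entry as a false-positive flag is a simplifying assumption.

```python
"""Added example (not code from the LevelBlue OTX app): reduce an indicator
response to an enrichment verdict. SAMPLE_RESPONSE is constructed to mirror
the field names in the IPv4/IPv6 response tables (indicator, asn, sections,
false_positive, pulse_info); it is not a captured OTX response."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Any

# Constructed sample: TEST-NET-3 address and a reserved example ASN.
SAMPLE_RESPONSE: dict[str, Any] = {
    "indicator": "203.0.113.7",
    "type": "IPv4",
    "type_title": "IPv4",
    "asn": "AS64496 EXAMPLE-ASN",
    "whois": "https://whois.example/203.0.113.7",
    "sections": ["general", "geo", "reputation", "url_list",
                 "passive_dns", "malware", "http_scans"],
    "false_positive": [],
    "pulse_info": {
        "count": 2,
        "pulses": [
            {"id": "aaaaaaaaaaaaaaaaaaaaaaaa", "name": "Constructed pulse A",
             "modified": "2024-05-01T10:00:00", "tags": ["scanner"]},
            {"id": "bbbbbbbbbbbbbbbbbbbbbbbb", "name": "Constructed pulse B",
             "modified": "2023-11-20T08:30:00", "tags": ["bruteforce", "ssh"]},
        ],
    },
}


@dataclass
class Verdict:
    indicator: str
    pulse_count: int
    flagged_false_positive: bool
    tags: list[str] = field(default_factory=list)
    newest_pulse: str | None = None  # ISO timestamp of the most recently modified pulse

    @property
    def suspicious(self) -> bool:
        """At least one community pulse references the indicator and nobody
        has marked it as a false positive (simplifying assumption)."""
        return self.pulse_count > 0 and not self.flagged_false_positive

    def is_stale(self, as_of: date, max_age_days: int = 365) -> bool:
        """True when the newest pulse is older than max_age_days: old pulses
        are weak evidence and usually deserve a lower severity."""
        if self.newest_pulse is None:
            return True
        age = as_of - datetime.fromisoformat(self.newest_pulse).date()
        return age.days > max_age_days


def summarise(response: dict[str, Any]) -> Verdict:
    """Build a Verdict from the body of an indicator lookup."""
    pulse_info = response.get("pulse_info") or {}
    pulses = pulse_info.get("pulses") or []
    # Prefer the server-side count: the pulses list may be paginated.
    count = int(pulse_info.get("count") or len(pulses))
    tags = sorted({t for p in pulses for t in p.get("tags", [])})
    newest = max((p.get("modified", "") for p in pulses), default="") or None
    return Verdict(
        indicator=str(response.get("indicator", "")),
        pulse_count=count,
        flagged_false_positive=bool(response.get("false_positive")),
        tags=tags,
        newest_pulse=newest,
    )


def summarise_app_result(status_code: str, body: dict[str, Any]) -> Verdict | None:
    """The app reports the HTTP status as a string (see the tables above);
    only a 200 body is an indicator record, so anything else yields None
    rather than a misleading 'clean' verdict."""
    if str(status_code) != "200":
        return None
    return summarise(body)


if __name__ == "__main__":
    v = summarise_app_result("200", SAMPLE_RESPONSE)
    print(v, "suspicious:", v.suspicious if v else None)
```

Returning None on a non-200 status is deliberate: a timeout or a 404 from the app is "no answer", and a playbook that treats it as zero pulses will silently downgrade real alerts.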
Action: Get NID Details
This action retrieves the details of a network identifier (NID).
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
NID | Enter an NID to get the details. Example: 2030515 | Text | Required | |
Section | Enter a section to get specific details of the NID. Example: general | Text | Required | Allowed value: |
Example Request
[ { "nid": "2030515", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the NID, such as the ID, description, and other details. |
| String | Category |
| String | CVE ID |
| String | Event activity |
| Array | False positive |
| String | Indicator |
| String | Malware name |
| String | Name |
| Object | Pulse info |
| Array | Sections |
| String | Subcategory |
| String | Type title |
Action: Get URL Details
This action retrieves the details of a URL.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter a URL to get the details. Example: http://www.example1.com | Text | Required | |
Section | Enter a section to get specific details about the URL. Example: url_list | Text | Required | Allowed value: |
Example Request
[ { "url": "http://www.example1.com", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the URL, such as the ID, description, and other details. |
| String | Returns the domain name associated with the URL. |
| String | Returns the hostname associated with the URL. |
| JSON Object | Returns a list of pulses associated with the URL. |
| Array | Returns a list of sections available for the URL in the LevelBlue platform. |
| JSON Object | Returns details about the URL from various threat intelligence databases. |
| String | Returns the WHOIS link of the URL. |
| Array | Returns a list of URL analysis results from LevelBlue Labs. |
Action: Submit File for Analysis
This action submits a file for analysis.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Path | Enter the file path to upload a file to analyze. Example: /home/user1/report.txt | Text | Required | |
Example Request
[ { "file_path": "/home/user1/report.txt" } ]
Action: Submit URL for Analysis
This action submits a URL for analysis.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter a URL to analyze. Example: http://www.example1.com | Text | Required | |
Example Request
[ { "submit_url": "http://www.example1.com" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the analysis result. |
| String | Returns the analysis status. |
Action: Generic Action
This is a generic action to make API requests to any LevelBlue OTX endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. Example: | Text | Required | |
Endpoint | Enter the endpoint to make the request. Example: /pulses/{pulse_id} | Text | Required | |
Query Params | Enter the query parameters to pass with the API request. | Key Value | Optional | |
Payload | Enter the payload to pass with the API request. | Any | Optional | |
Additional Data | Enter the additional data to pass to the API request. | Key Value | Optional | Allowed keys: |
Example Request
[ { "method": "POST", "endpoint": "/pulses/{pulse_id}", "query_params": {}, "payload": {}, "extra_fields": {} } ]
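The Generic Action above exposes the raw method, endpoint, query parameters and payload, while the Get ... Details actions each take an indicator value and a section; both are driven by the configuration parameters (API Key, API Version, Timeout, Verify). The following Python is an added example, not code from the LevelBlue OTX app or its documentation, that turns an action input shaped like the Example Request arrays on this page into a fully formed HTTP request description without sending it, validating the indicator value, the section, the timeout bounds and the endpoint on the way. Assumed, not taken from this page: the OTX base URL https://otx.alienvault.com/api/<version>, the X-OTX-API-KEY header, and the indicators/<type>/<value>/<section> path layout. Note that the app's documented default for Verify is No; the example defaults to verifying the certificate.

```python
"""Added example (not code from the LevelBlue OTX app or its docs): turn an
action input shaped like the "Example Request" arrays on this page, plus the
app configuration parameters, into an HTTP request description without
sending it. ASSUMED, not taken from this page: the OTX base URL, the
X-OTX-API-KEY header, and the indicators/<type>/<value>/<section> layout."""
from __future__ import annotations

import ipaddress
import re
from typing import Any
from urllib.parse import quote, urlencode

BASE_URL = "https://otx.alienvault.com/api"   # assumption
MIN_TIMEOUT, MAX_TIMEOUT = 15, 120            # bounds stated for the Timeout parameter

# Action input key -> OTX indicator type path segment (assumed mapping).
INDICATOR_TYPES = {
    "ipv4_address": "IPv4", "ipv6_address": "IPv6", "domain_name": "domain",
    "host_name": "hostname", "url": "url", "file_hash": "file", "cve": "cve",
}
SECTION_RE = re.compile(r"[a-z_]+")   # a section is a bare slug, so "../pulses" is rejected
VERSION_RE = re.compile(r"v\d+")
HOST_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}")
HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")   # MD5 / SHA-1 / SHA-256
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
HTTP_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}


def _is_ip(value: str, version: int) -> bool:
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def validate_value(key: str, value: str) -> None:
    """Reject values that cannot be the indicator the key claims; this keeps
    malformed playbook input (or a crafted string) out of the request path."""
    checks = {
        "ipv4_address": lambda v: _is_ip(v, 4),
        "ipv6_address": lambda v: _is_ip(v, 6),
        "domain_name": lambda v: HOST_RE.fullmatch(v.lower()) is not None,
        "host_name": lambda v: HOST_RE.fullmatch(v.lower()) is not None,
        "file_hash": lambda v: HASH_RE.fullmatch(v.lower()) is not None,
        "cve": lambda v: CVE_RE.fullmatch(v.upper()) is not None,
        "url": lambda v: v.startswith(("http://", "https://")),
    }
    if not checks[key](value):
        raise ValueError(f"{value!r} is not a valid {key}")


def _version(config: dict[str, Any]) -> str:
    version = str(config.get("api_version") or "v1")   # page default: v1
    if VERSION_RE.fullmatch(version) is None:
        raise ValueError(f"bad API version {version!r}")
    return version


def _common(config: dict[str, Any]) -> dict[str, Any]:
    timeout = int(config.get("timeout") or MIN_TIMEOUT)   # page default: 15 s
    if not MIN_TIMEOUT <= timeout <= MAX_TIMEOUT:
        raise ValueError(f"timeout must be {MIN_TIMEOUT}-{MAX_TIMEOUT} s, got {timeout}")
    return {
        "headers": {"X-OTX-API-KEY": config["api_key"]},   # assumed header name
        "timeout": timeout,
        # The app documents No as the Verify default; this example verifies
        # the certificate unless explicitly told not to.
        "verify": bool(config.get("verify", True)),
    }


def build_indicator_request(config: dict[str, Any], action_input: dict[str, Any]) -> dict[str, Any]:
    """Request for the Get ... Details actions (IPv4, IPv6, domain, hostname, URL, file hash, CVE)."""
    key = next((k for k in INDICATOR_TYPES if k in action_input), None)
    if key is None:
        raise ValueError("no supported indicator key in action input")
    value, section = str(action_input[key]), str(action_input.get("section", "general"))
    if SECTION_RE.fullmatch(section) is None:
        raise ValueError(f"bad section {section!r}")
    validate_value(key, value)
    # Percent-encode the value so it occupies exactly one path segment.
    url = f"{BASE_URL}/{_version(config)}/indicators/{INDICATOR_TYPES[key]}/{quote(value, safe='')}/{section}"
    return {"method": "GET", "url": url, **_common(config)}


def build_generic_request(config: dict[str, Any], action_input: dict[str, Any]) -> dict[str, Any]:
    """Request for the Generic Action (method, endpoint, query_params, payload)."""
    method = str(action_input["method"]).upper()
    if method not in HTTP_METHODS:
        raise ValueError(f"unsupported method {method!r}")
    endpoint = str(action_input["endpoint"])
    if not endpoint.startswith("/") or ".." in endpoint or re.search(r"\{[^}]*\}", endpoint):
        # e.g. the documented "/pulses/{pulse_id}" must have its placeholder filled first
        raise ValueError(f"endpoint {endpoint!r} is not an absolute, fully resolved path")
    url = f"{BASE_URL}/{_version(config)}{endpoint}"
    query = action_input.get("query_params") or {}
    if query:
        url += "?" + urlencode(query)
    return {"method": method, "url": url, "json": action_input.get("payload") or None, **_common(config)}


if __name__ == "__main__":
    cfg = {"api_key": "EXAMPLE-KEY-PLACEHOLDER", "api_version": "v1", "timeout": 20, "verify": True}
    print(build_indicator_request(cfg, {"ipv4_address": "1.1.1.1", "section": "reputation"}))
    print(build_generic_request(cfg, {"method": "GET", "endpoint": "/pulses/subscribed", "query_params": {"limit": 10}}))
```

The returned dictionaries map directly onto the keyword arguments of a typical HTTP client call; keeping request construction separate from sending makes the validation testable offline and keeps the API key out of log lines that print the URL.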