Cyware Threat Intelligence Exchange (CTIX)
App Vendor: Cyware
App Category: Data Enrichment & Threat Intelligence
Connector Version: 1.7.4
API Version: 2.0.0
About App
Cyware Threat Intelligence Platform (CTIX) is a smart, client-server threat intelligence platform (TIP) for ingestion, enrichment, analysis, and bi-directional sharing of threat data within your trusted network. The CTIX app enables security teams to integrate with the CTIX enterprise application for data ingestion, data enrichment, analysis, and bi-directional sharing of threat data within the trusted network.
The CTIX app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Add Indicator in Whitelist Management | This action adds indicators to the whitelist management. |
Add Tags | The action updates and adds tags to a threat indicator. |
Block/Unblock IOC | The action updates the threat indicator for block response. |
Create Global Notes | This action creates global notes. |
Create Indicator Package | This action posts new indicator (IOC) data in a CTIX intel feed and custom/server STIX package. |
Create Task | This action creates a task. |
CVE Search | This action retrieves the details of a CVE ID such as affected software, references, and package details. |
Domain Search | This action retrieves the details of a domain such as basic details, sources, relations, and investigations. |
Fetch IOC Details | The action retrieves details of a threat indicator. |
Get Details of a Feed Component | This action retrieves all the details of a feed component such as basic, confidence, handling, sources, and relations details. |
Get Details of a Rule | This action retrieves the details of a rule such as rule summary, source and collection details, and so on. |
Get Details of a Server Collection | This action retrieves the details of server collection from threat server collection such as name, type, and other basic details. |
Get Details of a Source | This action retrieves the details of a source such as source id and details of valid source objects. |
Get Details of a Source Collection | This action retrieves the details of source collections as threat intel source collection such as collection type, sources, and polling details. |
Get Feeds From a Rule | This action retrieves feeds from a rule. |
Get Feeds From a Server Collection | This action retrieves feeds from server collection from the threat server collection. |
Get Feeds From a Source Collection | This action retrieves the feeds from source collection as threat intel source collection feeds. |
Get Feeds of Indicators | This action retrieves the feeds of indicators from threat data. |
Get a List of Enrichment Tools | This action retrieves a list of enrichment tools for threat data indicators. |
Get a List of Feed Component | This action retrieves a list of feed components for retrieved intel feeds and published STIX packages. |
Get a List of Global Notes | This action retrieves a list of global notes. |
Get a List of Labels | This action retrieves a list of labels. |
Get a List of Reports | This action retrieves a list of reports. |
Get a List of Rules | This action retrieves a list of rules. |
Get a List of Server Collection | This action retrieves a list of server collections from threat intel server collections. |
Get a List of Source Collections | This action retrieves a list of source collections. |
Get a List of Sources | This action retrieves a list of sources. |
Get a List of STIX Packages | This action retrieves a list of STIX packages. |
Get a List of Tasks | This action retrieves a list of tasks. |
Get a List of Whitelisted Indicator Types | This action retrieves a list of whitelist indicator types. |
Get all Widgets | This action retrieves all widgets. |
Get a Saved Result Set | This action retrieves a saved result set from STIX packages. |
Get Bulk Enrichment | This action returns the enrichment data for a list of threat data IDs. |
Get Bulk IOC Details by Indicator ID | This action retrieves bulk IOC details by indicator ID. |
Get Bulk IOC Details by Indicator Value | This action retrieves bulk IOC details by indicator value. |
Get Download Link for Report | This action retrieves a download link for a report. |
Get Feeds | This action retrieves feeds. |
Get Indicator Enrichment Data | This action retrieves indicator enrichment data from threat data. |
Get Run Logs | This action retrieves run logs for a specific report. |
Get Widget Data | This action retrieves data of a widget. |
Get Widget Details | This action retrieves details of a widget. |
Hash Search | This action retrieves the details of a hash value such as basic details and the VirusTotal report of the hash. |
Indicator Search | This action searches for a URL, domain, IP address, hash, or CVE ID. |
Initiate CSOL Action | The action initiates an action of the Orchestrate app. |
IP Address Search | This action searches for an IP address. |
Post Enrichment Data to an Indicator | This action posts enrichment data to an indicator in threat data. |
Query Whitelisted Indicator | This action queries a whitelisted IOC. |
Remove Indicators From Whitelist Management | This action deletes indicators from a whitelist. |
Remove Tags | This action removes tags. |
Update Global Note | This action updates a note. |
Update Task | This action updates a task. |
URL Search | This action retrieves the details of a URL such as STIX object ID, list of packages, and so on. |
Configuration Parameters
The following configuration parameters are required for the CTIX app to communicate with the CTIX enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL for accessing the CTIX platform using REST API. Example: "https://ctix.domain.tld/ctixapi/openapi/" | Text | Required | |
Access Key | Enter the access key for accessing the CTIX platform using REST API. Example: "sample access key" | Text | Required | |
Secret Key | Enter the secret key for accessing the CTIX platform using REST API. Example: "sample secret key" | Password | Required | |
Verify | Choose whether to verify the SSL certificate when making requests. It is recommended to set this option to true. Setting it to false may result in an incorrectly established connection, which can cause the connection to break. | | | Default value: False |
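
Because Verify defaults to False, an instance created with the defaults sends the access key and secret key over a connection whose certificate is never checked. The check below is an added example, not part of the Cyware connector; the dictionary keys `base_url`, `access_key`, `secret_key` and `verify` are assumed names for the four parameters above, and both sample configurations are constructed.

```python
from urllib.parse import urlsplit

# Placeholder strings taken from the parameter table above.
PLACEHOLDERS = {"", "sample access key", "sample secret key"}


def _as_bool(value):
    """Interpret a Verify setting given as a bool or as text such as "False"."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "yes", "1")


def audit_instance(config):
    """Return (field, problem) tuples for a CTIX instance configuration.

    The key names are assumptions made for this example, not connector fields.
    """
    findings = []
    url = urlsplit(str(config.get("base_url") or "").strip())
    if url.scheme != "https":
        findings.append(("base_url", "scheme must be https so the keys are encrypted in transit"))
    if not url.hostname:
        findings.append(("base_url", "no host name found"))
    if url.username or url.password:
        findings.append(("base_url", "credentials embedded in the URL; use the key fields instead"))
    for field in ("access_key", "secret_key"):
        if str(config.get(field) or "").strip().lower() in PLACEHOLDERS:
            findings.append((field, "empty or still the documentation placeholder"))
    # The page documents False as the default, so a missing value counts as False.
    if not _as_bool(config.get("verify", False)):
        findings.append(("verify", "certificate verification is off; set Verify to true"))
    return findings


# Constructed sample configurations (not real credentials).
HARDENED = {
    "base_url": "https://ctix.domain.tld/ctixapi/openapi/",
    "access_key": "constructed-access-key",
    "secret_key": "constructed-secret-key",
    "verify": True,
}
WEAK = {
    "base_url": "http://user:pw@ctix.domain.tld/ctixapi/openapi/",
    "access_key": "sample access key",
    "secret_key": "constructed-secret-key",
    # "verify" omitted: falls back to the documented default of False
}

if __name__ == "__main__":
    for field, problem in audit_instance(WEAK):
        print(f"{field}: {problem}")
```
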
Action: Add Indicator in Whitelist Management
This action adds indicators to the whitelist management.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Value | Enter the list of indicator (IOC) values. Example: $LIST[security.com,cyware.com] | List | Required | |
Indicator Type | Enter the indicator (IOC) type. Example: "domain" | Text | Required | Allowed values:
|
Reason | Enter the reason for adding the indicator to the whitelist. Example: "Security purpose" | Text | Required |
Example Request
[ { "ioc_value": ["security.com", "cyware.com"], "ioc_type": "domain", "reason": "Security purpose" } ]
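
A whitelisted indicator is excluded from later handling, so an overly broad or mistyped entry silently removes coverage. The pre-flight check below is an added example, not part of the Cyware connector: it validates a request in the shape of the Example Request above before it is submitted, handles only the `domain` and `ip` types that appear in this page's examples (an assumption, since the allowed values are not listed here), and uses constructed sample entries.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_domain(value):
    """Return a problem description for a domain entry, or None if acceptable."""
    name = value.strip().lower().rstrip(".")
    if "*" in name:
        return "wildcard would whitelist every matching subdomain"
    if "://" in name or "/" in name:
        return "looks like a URL, not a domain"
    if _is_ip(name):
        return "value is an IP address but ioc_type is 'domain'"
    labels = name.split(".")
    if len(labels) < 2:
        return "single label (bare TLD or hostname) is too broad"
    if len(name) > 253 or not all(_LABEL.match(label) for label in labels):
        return "not a syntactically valid domain name"
    return None


def check_ip(value):
    """Return a problem description for an IP entry, or None if acceptable."""
    text = value.strip()
    if "/" in text:
        return "CIDR range would whitelist a whole network"
    if not _is_ip(text):
        return "not a valid IP address"
    if ipaddress.ip_address(text).is_unspecified:
        return "unspecified address is not a real host"
    return None


# Assumption: only the types shown in this page's examples are covered.
CHECKS = {"domain": check_domain, "ip": check_ip}


def validate_whitelist_request(request):
    """Return (entry_index, value, problem) tuples; an empty list means clean."""
    findings = []
    for index, entry in enumerate(request):
        if not str(entry.get("reason") or "").strip():
            findings.append((index, None, "reason is required and must not be blank"))
        values = entry.get("ioc_value")
        if not isinstance(values, list) or not values:
            findings.append((index, None, "ioc_value must be a non-empty list"))
            continue
        check = CHECKS.get(entry.get("ioc_type"))
        if check is None:
            findings.append((index, None, "ioc_type is not covered by this example"))
            continue
        seen = set()
        for value in values:
            if not isinstance(value, str):
                findings.append((index, value, "value is not a string"))
                continue
            key = value.strip().lower()
            if key in seen:
                findings.append((index, value, "duplicate value"))
                continue
            seen.add(key)
            problem = check(value)
            if problem:
                findings.append((index, value, problem))
    return findings


# The request from the page, followed by constructed entries that should fail.
PAGE_EXAMPLE = [{"ioc_value": ["security.com", "cyware.com"],
                 "ioc_type": "domain", "reason": "Security purpose"}]
CONSTRUCTED_BAD = [
    {"ioc_value": ["com", "*.example.com", "http://example.com/a",
                   "203.0.113.7", "example[.]org"],
     "ioc_type": "domain", "reason": " "},
    {"ioc_value": ["198.51.100.0/24", "198.51.100.9"],
     "ioc_type": "ip", "reason": "scanner"},
]

if __name__ == "__main__":
    for finding in validate_whitelist_request(CONSTRUCTED_BAD):
        print(finding)
```
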
Action: Add Tags
The action updates and adds tags to a threat indicator.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the task ID. Example: "Sample task ID" | Text | Required | You can retrieve the task ID using the Get a List of Tasks action. |
Labels | Enter the list of labels. Example: $LIST[solarwinds, tanium] | List | Required |
Example Request
[ { "labels": [ "solarwinds", "tanium" ], "task_id": "sample task ID" } ]
Action: Block/Unblock IOC
This action updates the threat indicator for block response.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the task ID. Example: "indicator--651a3032-14f9-4xx1-aa88-b5d3f9fe57b5" | Text | Required | You can retrieve the task ID using the Get a List of Tasks action. |
Block Response | Enter the response for the threat indicator to be blocked. Example: no | Boolean | Optional | Allowed values:
|
Block Time | Enter the time in epoch format at which you must block the IOC. Example: 1685948076 | Integer | Optional |
Example Request
[ { "task_id": "indicator--651a3032-14f9-4xx1-aa88-b5d3f9fe57b5", "block_time": "1685948076", "block_response": true } ]
Action: Create Global Notes
This action creates global notes.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter the note title. Example: "Threat Intel" | Text | Required | |
Description | Enter the note description. Example: "SolarWind Intel" | Text | Required | |
Additional Parameters | Enter the additional parameters in key-value pairs. Example: { "note_type": "normal", "is_active": true, "save_type": "button", "shared_type": "global", "colour_code": "#d6d6d6" } | Key Value | Optional | Allowed parameters:
|
Example Request
[ { "notes_title": "Threat Intel", "notes_text": "SolarWind Intel", "extra_params": { "note_type": "normal", "is_active": true, "save_type": "button", "shared_type": "global", "colour_code": "#d6d6d6" } } ]
Action: Create Indicator Package
This action posts new indicator (IOC) data in a CTIX intel feed and custom or server STIX package.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Package Title | Enter the STIX package title. Example: "Intel_Server" | Text | Required | |
Package Description | Enter the STIX package description. Example: "This is an Intel server bug fix" | Text | Required | |
Indicator Payload | Enter the Indicator payload in a list. Example: $JSON[{"ioc-type": "ip", "ioc_value": "194.87.185.80", "confidence_id": 1, "confidence_score": "high", "object_description": "Indicator added based on the block request from CTIX"}] | List | Required | Allowed IOC types:
Allowed confidence scores:
Allowed Confidence ID value:
|
TLP | Enter the TLP for package. Example: "white" | Text | Required | Allowed values:
|
Sources | Enter the sources. Example: "Third-Party" | Text | Required | |
Labels | Enter the list of UUIDs of the labels. Example: $LIST[7ed8c92a-5772-4ff7-b0e4-8029a0cfad98, 7ed8c92a-5772-4ff7-b0e4-8029a0cfad98] | List | Optional | You can retrieve the UUID of the labels using the Get List of Labels action. |
Do you want to Create Server STIX Packages | Enter Yes to create server STIX packages. Else enter No. Example: Yes | Boolean | Optional | Default value: No |
Do you want to Create Intel Feed Packages | Enter true to create intel feed packages. Else enter false. Example: Yes | Boolean | Optional | Default value: No |
Indicator Title | Enter the indicator title. Example: "mal_domain: cyware.com" | Text | Optional | Default value: <indicator_type: indicator_value> |
Collections | Enter the list of collection IDs. Example: $LIST[{'collection_id': 'sample collection id 1'}, {'collection_id': 'sample collection id 2'}] | List | Optional | You can retrieve the collection IDs using the Get a List of Server Collection action. Collection IDs list format: [{'collection_id': 'id 1'}, {'collection_id': 'id 2'}] |
Client Collection | Enter the list of client (source) collection IDs. Example: $LIST[{'id': 'sample collection id 1'}, {'id': 'sample collection id 2'}] | List | Optional | You can retrieve the client collection IDs using the Get a List of Source Collection action. Client collection ID list format: [{'id': 'id 1'}, {'id': '2'}] |
Status | Enter the status. Example: "draft" | Text | Optional | Allowed values:
|
Keywords | Enter the keywords as tags in a list of strings. Example: $LIST[fang_value,unfang_value] | List | Optional | |
CSAP Alert ID | Enter the CSAP alert ID. Example: "sample csap alert id" | Text | Optional | |
Custom Properties | Enter the custom JSON dictionary in a list. Example: $LIST[{"name": "anna", "value": {"annie": "admin", "value": "0.0.0.0"}}] | List | Optional | You can enter multiple dictionaries in the list. |
Example Request
[ { "title":"Intel_Server", "description":"This is an Intel server bug fix", "ioc_value":[ { "ioc-type":"ip", "ioc_value":"194.87.185.80", "confidence_id":1, "confidence_score":"high", "object_description":"Indicator added based on the block request from CTIX" } ] }, { "tlp_type":"white", "sources":"Third-Party", "custom_stix_package":false, "intel_feed":true, "indicator_title":"mal_domain: cyware.com", "status":"draft", "keywords":[ "fang_value", "unfang_value" ], "custom_properties":[ { "name":"anna", "value":{ "annie":"admin", "value":"0.0.0.0" } } ] } ]
Action: Create Task
This action creates a task.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter the task title. Example: "Update IOC" | Text | Required | |
Description | Enter the task description. Example: "Update the IOC" | Text | Required | |
Priority | Enter the priority level. Example: "low" | Text | Required | Allowed values:
|
Assignee ID | Enter the user (assignee) ID. Example: "Sample assignee ID" | Text | Required | You can retrieve the Assignee ID using the Get a List of Tasks action. |
Indicator ID | Enter the indicator ID. Example: "Sample indicator ID" | Text | Required | You can retrieve the Indicator ID using the Fetch IOC Details action. |
Status | Enter the status. Example: "completed" | Text | Optional | Allowed values:
Default value: "not_started" |
Example Request
[ { "title": "Update IOC", "description": "Update the IOC", "priority": "low", "assignee_id": "sample assignee id", "indicator_id": "sample indicator id", "status": "completed" } ]
Action: CVE Search
This action retrieves the details of a CVE ID such as affected software, references, and package details.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
CVE ID | Enter the CVE ID. Example: "sample CVE ID" | Text | Required |
Example Request
[ { "cve_id": "sample cve ID" } ]
Action: Domain Search
This action retrieves the details of a domain such as basic details, sources, relations, and investigations.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain name. Example: "cyware.com" | Text | Required |
Example Request
[ { "domain": "cyware.com" } ]
Action: Fetch IOC Details
This action retrieves the details of a threat indicator using the task ID.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter a task ID to retrieve the details of a threat indicator. Example: $LIST[indicator--axx3d2e5-3d7a-4bfc-b74c-20388334ffea, indicator--s87b3d2e5-xx7a-4bfc-bxxc-20388334ffea] | List | Required | You can retrieve a task ID using the action Get a List of Tasks. |
Example Request
[ { "task_id": ["indicator--axx3d2e5-3d7a-4bfc-b74c-20388334ffea","indicator--s87b3d2e5-xx7a-4bfc-bxxc-20388334ffea"] } ]
Action: Get Details of a Feed Component
This action retrieves all the details of a feed component.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Package ID | Enter the package ID. Example: "package-c2d67a43f8-812b-a07344aa45d0" | Text | Required | You can retrieve the Package ID using the Get a List of STIX Packages action. |
Component ID | Enter the component ID. Example: "indicator-e23ea1fc-cfb0-49fa-a89c-60a8da3ea57d" | Text | Required | You can retrieve the Component ID using the Get a List of Feed Components action. |
Example Request
[ { "package_id": "package-c2d67a43f8-812b-a07344aa45d0", "component_id": "indicator-e23ea1fc-cfb0-49fa-a89c-60a8da3ea57d" } ]
Action: Get Details of a Rule
This action retrieves the details of a rule such as rule summary, source and collection details, and so on.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule ID | Enter the rule ID. Example: "238b16dc-e05e-4edf-a7c9-a077bd0de729" | Text | Required | You can retrieve the Rule ID using the Get a List of Rules action. |
Example Request
[ { "rule_id": "238b16dc-e05e-4edf-a7c9-a077bd0de729" } ]
Action: Get Details of a Server Collection
This action retrieves the details of server collection from threat server collection such as name, type, and other basic details.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Collection ID | Enter the collection ID. Example: "cd31bd57-b0a3-4bf4-8e87-e2b84e818ce5" | Text | Required | You can retrieve the collection ID using the Get a List of Server Collection action. |
Example Request
[ { "collection_id": "cd31bd57-b0a3-4bf4-8e87-e2b84e818ce5" } ]
Action: Get Details of a Source
This action retrieves the details of a source such as source id and details of valid source objects.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source ID | Enter the source ID. Example: "sample source ID" | Text | Required | You can retrieve the source ID using the Get a List of Sources action. |
Example Request
[ { "source_id": "sample source ID" } ]
Action: Get Details of a Source Collection
This action retrieves the details of source collections as threat intel source collection such as collection type, sources, and polling details.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source ID | Enter the source ID. Example: "Sample source ID" | Text | Required | You can retrieve the source ID using the Get a List of Sources action. |
Collection ID | Enter the collection ID. Example: "Sample collection ID" | Text | Required | You can retrieve the source collection ID using the Get a List of Source Collections action. |
Example Request
[ { "collection_id": "sample collection ID", "source_id": "sample source ID" } ]
Action: Get Feeds From a Rule
This action retrieves feeds from a rule.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule ID | Enter the rule ID. Example: "238b16dc-e05e-4edf-a7c9-a077bd0de729" | Text | Required | You can retrieve the Rule ID using the Get a List of Rules action. |
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1, "page_size": 5 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "rule_id": "238b16dc-e05e-4edf-a7c9-a077bd0de729", "params": { "page": 1, "page_size": 5 } } ]
Action: Get Feeds From a Server Collection
This action retrieves feeds from server collection from the threat server collection.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Collection ID | Enter the collection ID. Example: "cd31bd57-b0a3-4bf4-8e87-e2b84e818ce5" | Text | Required | You can retrieve the collection ID using the Get a List of Server Collection action. |
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1, "page_size": 5 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "collection_id": "sample collection id", "params": { "page": 1, "page_size": 5 } } ]
Action: Get Feeds From a Source Collection
This action retrieves the feeds from source collection as threat intel source collection feeds.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source ID | Enter the source ID. Example: "Sample source ID" | Text | Required | You can retrieve the source ID using the Get a List of Sources action. |
Collection ID | Enter the collection ID. Example: "cd31bd57-b0a3-4bf4-8e87-e2b84e818ce5" | Text | Required | You can retrieve the source collection ID using the Get a List of Source Collections action. |
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1, "page_size": 5 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "collection_id": "cd31bd57-b0a3-4bf4-8e87-e2b84e818ce5", "source_id": "sample source ID", "params": { "page": 1, "page_size": 5 } } ]
Action: Get Feeds of Indicators
This action retrieves the feeds of indicators from threat data.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "enhanced_search": "cyware.com", "page": 1, "page_size": 5, "deprecated": true, "indicator_type": "domain", "blocked": true, "first_seen": "1609905500", "last_seen": "1610078300", "score": 10 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "params": { "enhanced_search": "cyware.com", "page": 1, "page_size": 5, "deprecated": true, "indicator_type": "domain", "blocked": true, "first_seen": "1609905500", "last_seen": "1610078300", "score": 10 } } ]
Action: Get a List of Enrichment Tools
This action retrieves a list of enrichment tools for threat data indicators.
Input Parameters
This action does not require any input parameter.
Action: Get a List of Feed Component
This action retrieves a list of feed components for retrieved intel feeds and published STIX packages.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Packages ID | Enter the package ID. Example: "package-c2d67a43f8-812b-a07344aa45d0" | Text | Required | You can retrieve the Package ID using the Get a List of STIX Packages action. |
Example Request
[ { "package_id": "package-c2d67a43f8-812b-a07344aa45d0" } ]
Action: Get a List of Global Notes
This action retrieves a list of global notes.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1, "page_size": 5 } | Key Value | Optional | Allowed values:
|
Example Request
[ { "params": { "page": 1, "page_size": 5 } } ]
Action: Get a List of Labels
This action retrieves a list of labels.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1, "page_size": 5 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "params": { "page": 1, "page_size": 5 } } ]
Action: Get a List of Reports
This action retrieves a list of reports.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to list reports on that page number. Example: 5 | Integer | Optional | Default value: 1 |
Page Size | Enter the number of reports to list out per page. Example: 20 | Integer | Optional | Default value: 10 |
Example Request
[ { "page_number": 5, "page_size": 20 } ]
Action: Get a List of Rules
This action retrieves a list of rules.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1, "page_size": 5 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "params": { "page": 1, "page_size": 5 } } ]
Action: Get a List of Server Collection
This action retrieves a list of server collections from threat intel server collections.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1, "page_size": 5 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "params": { "page": 1, "page_size": 5 } } ]
Action: Get a List of Source Collections
This action retrieves a list of source collections.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source ID | Enter the source ID. Example: "sample source ID" | Text | Required | You can retrieve the source ID using the Get a List of Sources action. |
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1, "page_size": 5 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "source_id": "sample source ID", "params": { "page": 1, "page_size": 5 } } ]
Action: Get a List of Sources
This action retrieves a list of sources.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1, "page_size": 5 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "params": { "page": 1, "page_size": 5 } } ]
Action: Get a List of STIX Packages
This action retrieves a list of STIX packages.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1, "page_size": 5 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "params": { "page": 1, "page_size": 5 } } ]
Action: Get a List of Tasks
This action retrieves a list of tasks.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1, "page_size": 5 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "params": { "page": 1, "page_size": 5 } } ]
Action: Get a List of Whitelisted Indicator Types
This action retrieves a list of whitelist indicator types.
Input Parameters
This action does not require any input parameter.
Action: Get All Widgets
This action retrieves all the widgets into a page.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Size | Enter the page size. Example: 500 | Integer | Optional | The default value is 100. |
Example Request
[ { "page_size": 500 } ]
Action: Get a Saved Result Set
This action retrieves a saved result set from STIX packages.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
From Timestamp | Enter the from timestamp in epoch time format. Example: "1609823166" | Text | Optional | |
To Timestamp | Enter the "to timestamp" in epoch time format. Example: "1641359166" | Text | Optional | |
Additional Query Parameters | Enter the additional query parameters in the form of key-value pairs. Example: {"page": 5 } | Key Value | Optional | Allowed keys:
|
Label Name | Enter the label name to retrieve all the details related to the label. Example: "Solarwind" | Text | Optional |
Example Request
[ { "from_timestamp": 1609823166, "to_timestamp": 1641359166, "params": { "page": 5 }, "label_name": "SolarWind" } ]
Action: Get Bulk Enrichment
This action returns the enrichment data for a list of threat data IDs.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Data IDs | Enter the Threat Data IDs. Example: $LIST[ indicator--c442d2f0-0fed-4abb-af53-cf5efc8676f5 ] | List | Required |
Example Request
[ { "threat_data_ids": [ "indicator--c442d2f0-0fed-4abb-af53-cf5efc8676f5" ] } ]
Action: Get Bulk IOC Details by Indicator ID
This action retrieves bulk IOC details by indicator ID.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC IDs | Enter the IOC ID. Example: $LIST[indicator-48578510-b2b0-496e-940d-eba2d903e0] | List | Required | |
Enhanced Search | Enter true for enhanced search. Example: False | Boolean | Optional | Default value: False |
Page Number | Enter the page number from where you need to retrieve the list of reports. Example: 5 | Integer | Optional | Default value: 1 |
Page Size | Enter the page size to display the number of reports per page. Example: 7 | Integer | Optional | Default value: 10 |
Fields | Enter the comma-separated field values whose details are to be fetched. Example: "name2, type" | Text | Optional |
Example Request
[ { "ioc_id": ["indicator-48578510-b2b0-496e-940d-eba2d903e0"], "enhanced_search": false, "page_number": 5, "page_size": 7, "fields": "name2, type" } ]
Action: Get Bulk IOC Details by Indicator Value
This action retrieves bulk IOC details by indicator value.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC Values | Enter the IOC values. Example: $LIST[formspree.io, 111.56.98.34] | List | Required | |
Enhanced Search | Enter true for enhanced search. Example: True | Boolean | Optional | Default value: False |
Page Number | Enter the page number from where you need to retrieve the list of reports. Example: 5 | Integer | Optional | Default value: 1 |
Page Size | Enter the number of reports to be displayed per page. Example: 7 | Integer | Optional | Default value: 10 |
Fields | Enter the comma-separated field values whose details need to be fetched. Example: "name2, type" | Text | Optional |
Example Request
[ { "ioc_values": ["formspree.io", "111.56.98.34"], "enhanced_search": false, "page_number": 5, "page_size": 7, "fields": "name2, type" } ]
Action: Get Download Link for Report
This action retrieves a download link for a report.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the Report ID to retrieve its run logs. Example: "a1746c31-945b-4a96-b513-f6537c421947" | Text | Required |
Example Request
[ { "report_id": "a1746c31-945b-4a96-b513-f6537c421947" } ]
Action: Get Feeds
This action retrieves a list of feeds.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1, "page_size": 5 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "params": { "page": 1, "page_size": 5 } } ]
Action: Get Indicator Enrichment Data
This action retrieves indicator enrichment data from threat data.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Value | Enter the indicator value. Example: "cyware.com" | Text | Required | |
Indicator Type | Enter the indicator type. Example: "domain" | Text | Required | Allowed values:
|
Example Request
[ { "indicator_type": "domain", "indicator_value": "cyware.com" } ]
Action: Get Run Logs
This action retrieves run logs for a specific report.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the Report ID to retrieve the run logs. Example: "a1746c31-945b-4a96-b513-f6537c421947" | Text | Required | |
Page Number | Enter the page number to retrieve the list of reports on that page number. Example: 5 | Integer | Optional | Default value: 1 |
Page Size | Enter the number of reports to list out per page. Example: 20 | Integer | Optional | Default value: 10 |
Example Request
[ { "report_id": "a1746c31-945b-4a96-b513-f6537c421947", "page_number": 5, "page_size": 20 } ]
Action: Get Widgets Data
This action retrieves data of a widget using ID and timestamp.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Widget ID | Enter the widget ID to retrieve details of the widget. Example: 0012 | Text | Required | |
Created From | Enter the timestamp from which the widget was created. Example: 1634458234 | Text | Required | |
Created Till | Enter the timestamp till which the widget was created. Example: 1642407034 | Text | Required |
Example Request
[ { "widget_id": "0012", "created_from": 1634458234, "created_till": 1642407034 } ]
Action: Get Widget Details
This action retrieves widget details using the widget ID.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Widget ID | Enter the widget ID to retrieve the widget details. Example: "0012" | Text | Required | |
Example Request
[ { "widget_id": "0012" } ]
Action: Hash Search
This action retrieves the details of a hash value, such as basic details and the VirusTotal report of the hash.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash | Enter the hash value. Example: "md4" | Text | Required | Allowed hash types:
|
Example Request
[ { "hash_value": "md4" } ]
Action: Indicator Search
This action searches for a URL, domain, IP address, hash, or CVE ID.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Type | Enter the indicator (IOC) type. Example: "domain" | Text | Required | Allowed values:
|
Indicator Value | Enter the indicator (IOC) value. Example: "cyware.com" | Text | Required |
Example Request
[ { "indicator_type": "domain", "indicator_value": "cyware.com" } ]
Action: Initiate CSOL Action
The action initiates an action of a CSOL app.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the task ID. Example: "Sample task ID" | Text | Required | You can retrieve the task ID using the Get a List of Tasks action. |
App Name | Enter the app name. Example: "Qradar" | Text | Required | |
Action Name | Enter the action name. Example: "update_reference_set" | Text | Required | |
Example Request
[ { "app_name": "Qradar", "action": "update_reference_set", "task_id": "sample task ID" } ]
Action: IP Address Search
This action searches for an IP address.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address | Enter the IP address. Example: "1.1.1.1" | Text | Required |
Example Request
[ { "ip": "1.1.1.1" } ]
Action: Post Enrichment Data to an Indicator
This action posts enrichment data to an indicator in threat data.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator ID | Enter the indicator ID. Example: "Sample indicator ID" | Text | Required | You can retrieve the Indicator ID using the Fetch IOC Details action. |
Enrichment Data | Enter the JSON data from enrichment tools in key-value pairs. Example: { "data": { "app_report": {"data":"test", "Source":"source_name"} } } | Key Value | Optional | You can retrieve the enrichment data using the Get Indicator Enrichment Data action. |
App Name | Enter the application name. Example: "virus total" | Text | Required | |
App Type | Enter the app type. Example: "domain" | Text | Required | Allowed values:
|
Report Slug | Enter the report slug. Example: "virus_total_ip_report" | Text | Required | Report slug format: {app_name}_{app_type}_report |
Create New App | Optional preference to create a new app in CTIX if the app is not available. Example: No | Boolean | Optional | Allowed values:
Default value: No |
Example Request
[ { "payload": { "data": { "app_report": {"data":"test", "Source":"source_name"} } }, "app_name": "Virus Total", "app_type": "domain", "report_slug": "virus_total_ip_report", "is_app_new": "No", "indicator_id": "sample indicator ID" } ]
Action: Query Whitelisted Indicator
This action queries a whitelisted IOC.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Value | Enter the indicator (IOC) value. Example: "cyware.com" | Text | Required | |
Additional Query Parameters | Enter the additional query parameters in key-value pairs. Example: { "page": 1,"page_size": 5 } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "ioc_value": "cyware.com", "params": { "page": 1, "page_size": 5 } } ]
Action: Remove Indicators From Whitelist Management
This action deletes indicators from a whitelist.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Whitelist Indicator ID | Enter the list of whitelisted indicator IDs. Example: $LIST[475d58bb-b7f2-4a03-a1e8-b633f1b6b2c6, 475d58bb-b7f2-4a03-a1e8-b633f1b6b2c6] | List | Required | You can retrieve the whitelisted indicator ID using the Get a List of Whitelisted Indicator Types action. |
Example Request
[ { "whitelist_ioc_id": [ "475d58bb-b7f2-4a03-a1e8-b633f1b6b2c6", "475d58bb-b7f2-4a03-a1e8-b633f1b6b2c6" ] } ]
Action: Remove Tags
This action removes tags using task ID and labels.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the task ID. Example: "sample task ID" | Text | Required | You can retrieve the task ID using the Get a List of Tasks action. |
Labels | Enter the list of labels. Example: $LIST[solarwinds, tanium] | List | Required |
Example Request
[ { "labels": [ "solarwinds", "tanium" ], "task_id": "sample task id" } ]
Action: Update Global Note
This action updates a global note.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Note Title | Enter the note title. Example: "Threat" | Text | Required | |
Note Description | Enter the description. Example: "Endpoint threat detected" | Text | Required | |
Note ID | Enter the note ID. Example: "sample note ID" | Text | Required | You can retrieve the note ID using the Get a List of Global Notes action. |
Extra Params | Enter the extra parameters in key-value pairs. Example: { "note_type": "indicator", "is_active": False, "save_type": "button", "shared_type": "global", "colour_code": "#d6d6d6" } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "notes_title": "Threat", "notes_text": "Endpoint threat detected", "notes_id": "sample note ID", "extra_params": { "note_type": "indicator", "is_active": False, "save_type": "button", "shared_type": "global", "colour_code": "#d6d6d6" } } ]
Action: Update Task
This action updates a task.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the task ID. Example: "Sample task ID" | Text | Required | You can retrieve the task ID using the Get a List of Tasks action. |
Title | Enter the task title. Example: "IOC updated" | Text | Required | |
Assignee ID | Enter the task assignee ID (user ID). Example: "Sample assignee ID" | Text | Required | You can retrieve the Assignee ID using the Get a List of Tasks action. |
Indicator ID | Enter the indicator ID. Example: "Sample indicator ID" | Text | Required | You can retrieve the indicator ID using the Fetch IOC Details action. |
Status | Enter the status. Example: "in_progress" | Text | Required | Allowed values:
|
Extra Params | Enter the extra parameters in key-value pairs. Example: { "closure_comment": "Task updated", "due_date": 1609854506, "description": "Update task with IOC", "reassigned_reason": "Change of ownership" } | Key Value | Optional | Allowed keys:
|
Example Request
[ { "title": "IOC updated", "status": "in_progress", "task_id": "sample task ID", "assignee_id": "sample assignee ID", "indicator_id": "sample indicator ID", "extra_params": { "closure_comment": "Task updated", "due_date": 1609854506, "description": "Update task with IOC", "reassigned_reason": "Change of ownership" } } ]
Action: URL Search
This action retrieves the details of a URL such as STIX object ID, list of packages, and so on.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter the URL. Example: "www.google.com" | Text | Required |
Example Request
[ { "url": "www.google.com" } ]