
Cyware Orchestrate

Cyware Threat Intelligence Exchange (CTIX)

App Vendor: Cyware

App Category: Data Enrichment & Threat Intelligence

Connector Version: 1.7.2

API Version: 2.0.0

About App

Cyware Threat Intelligence Platform (CTIX) is a smart, client-server threat intelligence platform (TIP) for ingestion, enrichment, analysis, and bi-directional sharing of threat data within your trusted network. The CTIX app enables security teams to integrate with the CTIX enterprise application for data ingestion, data enrichment, analysis, and bi-directional sharing of threat data within the trusted network.

The CTIX app is configured with the Orchestrate application to perform the following actions:

| Action Name | Description |
| --- | --- |
| Create Indicator Package | This action posts new indicator (IOC) data in a CTIX intel feed and custom/server STIX package. |
| Create Global Notes | This action creates global notes. |
| Create Task | This action creates a task. |
| Domain Search | This action retrieves the details of a domain such as basic details, sources, relations, and investigations. |
| Get a List of Feed Component | This action retrieves a list of feed components for retrieved intel feeds and published STIX packages. |
| Get Details of a Feed Component | This action retrieves all the details of a feed component such as basic, confidence, handling, sources, and relations details. |
| Get Feeds of Indicators | This action retrieves the feeds of indicators from threat data. |
| Get a List of Labels | This action retrieves a list of labels. |
| Get a List of Global Notes | This action retrieves a list of global notes. |
| Get Details of a Rule | This action retrieves the details of a rule such as rule summary, source and collection details, and so on. |
| Get Feeds From a Rule | This action retrieves feeds from a rule. |
| Get a List of Rules | This action retrieves a list of rules. |
| Get a List of Server Collection | This action retrieves a list of server collections from threat intel server collections. |
| Get Details of a Server Collection | This action retrieves the details of a server collection from the threat server collection, such as name, type, and other basic details. |
| Get Feeds From a Server Collection | This action retrieves feeds from a server collection in the threat server collections. |
| Get Details of a Source Collection | This action retrieves the details of a source collection (threat intel source collection), such as collection type, sources, and polling details. |
| Get Feeds From a Source Collection | This action retrieves the feeds from a source collection (threat intel source collection feeds). |
| Get a List of Source Collections | This action retrieves a list of source collections. |
| Get Details of a Source | This action retrieves the details of a source such as source id and details of valid source objects. |
| Get a List of Sources | This action retrieves a list of sources. |
| Get a List of STIX Packages | This action retrieves a list of STIX packages. |
| Get a List of Tasks | This action retrieves a list of tasks. |
| Hash Search | This action retrieves the details of a hash value such as basic details and the VirusTotal report of the hash. |
| IP Address Search | This action searches for an IP address. |
| Query Whitelisted Indicator | This action queries a whitelisted IOC. |
| CVE Search | This action retrieves the details of a CVE ID such as affected software, references, and package details. |
| Update Custom STIX Package | This action updates a custom STIX package. |
| Update Global Note | This action updates a note. |
| Update Task | This action updates a task. |
| URL Search | This action retrieves the details of a URL such as STIX object ID, list of packages, and so on. |
| Add Indicator in Whitelist Management | This action adds indicators in the whitelist management. |
| Add Tag in STIX Package | This action adds a tag in a STIX package. |
| Get Feeds | This action retrieves feeds. |
| Get a List of Whitelisted Indicator Types | This action retrieves a list of whitelist indicator types. |
| Remove Indicators From STIX Package | This action deletes indicators from a STIX package. |
| Remove Indicators From Whitelist Management | This action deletes indicators from a whitelist. |
| Post Enrichment Data to an Indicator | This action posts enrichment data to an indicator in threat data. |
| Get Indicator Enrichment Data | This action retrieves indicator enrichment data from threat data. |
| Get a List of Enrichment Tools | This action retrieves a list of enrichment tools for threat data indicators. |
| Indicator Search | This action searches for a URL, domain, IP address, hash, or CVE ID. |
| Get a Saved Result Set | This action retrieves a saved result set from STIX packages. |
| Initiate CSOL Action | The action initiates an action of the Orchestrate app. |
| Add Tags | The action updates and adds tags to a threat indicator. |
| Fetch IOC Details | The action retrieves details of a threat indicator. |
| Block/Unblock IOC | The action updates the threat indicator for block response. |
| Remove Tags | This action removes tags. |
| Get all Widgets | This action retrieves all widgets. |
| Get Widget Details | This action retrieves details of a widget. |
| Get Widget Data | This action retrieves data of a widget. |
| Get Feed of Vulnerabilities | This action retrieves a feed of vulnerabilities from threat data in the Cyware Threat Intelligence eXchange (CTIX) application. |
| Get a List of Reports | This action retrieves a list of reports. |
| Get Run Logs | This action retrieves run logs for a specific report. |
| Get Download Link for Report | This action retrieves a download link for a report. |
| Get Bulk Enrichment | This action returns the enrichment data for a list of threat data IDs. |
| Get Bulk IOC Details by Indicator Value | This action retrieves bulk IOC details by indicator value. |
| Get Bulk IOC Details by Indicator ID | This action retrieves bulk IOC details by indicator ID. |

Configuration Parameters

The following configuration parameters are required for the CTIX app to communicate with the CTIX enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

Base URL

Enter the base URL for accessing the CTIX platform using REST API.

Example:

"https://ctix.domain.tld/ctixapi/openapi/"

Text

Required

Access Key

Enter the access key for accessing the CTIX platform using REST API.

Example:

"sample access key"

Text

Required

Secret Key

Enter the secret key for accessing the CTIX platform using REST API.

Example:

"sample secret key"

Password

Required

Verify

Choose whether to verify the server's SSL/TLS certificate while making requests.

It is recommended to set this option to true. If false is passed, the server certificate is not validated, and the connection may be established incorrectly and may break.

Default value: False

Action: Create Indicator Package

This action posts new indicator (IOC) data in a CTIX intel feed and custom or server STIX package.

Input Parameter

Parameter

Description

Field Type

Required/Optional

Comments

Package Title

Enter the STIX package title.

Example:

"Intel_Server"

Text

Required

Package Description

Enter the STIX package description.

Example:

"This is an Intel server bug fix"

Text

Required

Indicator Payload

Enter the Indicator payload in a list.

Example:

$JSON[{"ioc-type": "ip", "ioc_value": "194.87.185.80", "confidence_id": 1, "confidence_score": "high", "object_description": "Indicator added based on the block request from CTIX"}]

List

Required

Allowed IOC types:

  • ip

  • url

  • domain

  • email

  • md5

Allowed confidence scores:

  • high

  • low

  • medium

  • none

  • unknown

Allowed Confidence ID value:

  • 1

  • 2

  • 3

  • 4

  • 5

TLP

Enter the TLP for package.

Example:

"white"

Text

Required

Allowed values:

  • white

  • green

  • amber

  • red

Sources

Enter the sources.

Example:

"Third-Party"

Text

Required

Labels

Enter the list of UUIDs of the labels.

Example:

$LIST[7ed8c92a-5772-4ff7-b0e4-8029a0cfad98, 7ed8c92a-5772-4ff7-b0e4-8029a0cfad98]

List

Optional

You can retrieve the UUIDs of the labels using the Get a List of Labels action.

Do you want to Create Server STIX Packages

Enter Yes to create server STIX packages. Else enter No.

Example:

Yes

Boolean

Optional

Default value:

No

Do you want to Create Intel Feed Packages

Enter true to create intel feed packages. Else enter false.

Example:

Yes

Boolean

Optional

Default value:

No

Indicator Title

Enter the indicator title.

Example:

"mal_domain: cyware.com"

Text

Optional

Default value: <indicator_type: indicator_value>

Collections

Enter the list of collections IDs.

Example:

$LIST[{'collection_id': 'sample collection id 1'}, {'collection_id': 'sample collection id 2'}]

List

Optional

You can retrieve the collection IDs using the Get a List of Server Collection action. Collection IDs list format:

[{'collection_id': 'id 1'}, {'collection_id': 'id 2'}]

Client Collection

Enter the list of client (source) collections IDs.

Example:

$LIST[{'id': 'sample collection id 1'}, {'id': ' sample collection id 2'}]

List

Optional

You can retrieve the client collection IDs using the Get a List of Source Collections action. Client collection ID list format:

[{'id': 'id 1'}, {'id': '2'}]

Status

Enter the status.

Example:

"draft"

Text

Optional

Allowed values:

  • draft

  • published

Keywords

Enter the keywords as tags in a list of string.

Example:

$LIST[fang_value,unfang_value]

List

Optional

CSAP Alert ID

Enter the CSAP alert ID.

Example:

"sample csap alert id"

Text

Optional

Custom Properties

Enter the custom json dictionary in a list.

Example:

$LIST[{"name": "anna", "value": {"annie": "admin", "value": "0.0.0.0"}}]

List

Optional

You can enter multiple dictionaries in the list.

Example Request

[
   {
      "title":"Intel_Server",
      "description":"This is an Intel server bug fix",
      "ioc_value":[
         {
            "ioc-type":"ip",
            "ioc_value":"194.87.185.80",
            "confidence_id":1,
            "confidence_score":"high",
            "object_description":"Indicator added based on the block request from CTIX"
         }
      ]
   },
   {
      "tlp_type":"white",
      "sources":"Third-Party",
      "custom_stix_package":false,
      "intel_feed":true,
      "indicator_title":"mal_domain: cyware.com",
      "status":"draft",
      "keywords":[
         "fang_value",
         "unfang_value"
      ],
      "custom_properties":[
         {
            "name":"anna",
            "value":{
               "annie":"admin",
               "value":"0.0.0.0"
            }
         }
      ]
   }
]
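
The allowed values listed for this action can be enforced before a playbook submits the request. The following Python validator is an added example, not code from Cyware or the connector; it checks a Create Indicator Package input against the allow-lists above. The function names, the per-type syntax rules, and the constructed sample values are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Allow-lists copied from the Create Indicator Package parameter table.
ALLOWED_IOC_TYPES = {"ip", "url", "domain", "email", "md5"}
ALLOWED_CONFIDENCE_SCORES = {"high", "low", "medium", "none", "unknown"}
ALLOWED_CONFIDENCE_IDS = {1, 2, 3, 4, 5}
ALLOWED_TLP = {"white", "green", "amber", "red"}
ALLOWED_STATUS = {"draft", "published"}

# Assumption: per-type syntax rules are this example's own; the page only names the types.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)


def is_allowed(value, allowed):
    """Exact, case-sensitive membership; rejects bools and unhashable input."""
    return isinstance(value, (str, int)) and not isinstance(value, bool) and value in allowed


def value_matches_type(ioc_type, value):
    """Return True if the value is syntactically plausible for the declared IOC type."""
    if not isinstance(value, str) or not value or re.search(r"\s", value):
        return False
    if ioc_type == "ip":
        try:
            ipaddress.ip_address(value)  # rejects defanged forms such as 192[.]0[.]2[.]10
        except ValueError:
            return False
        return True
    if ioc_type == "domain":
        return bool(DOMAIN_RE.match(value))
    if ioc_type == "email":
        local, _, host = value.rpartition("@")
        return bool(local) and bool(DOMAIN_RE.match(host))
    if ioc_type == "md5":
        return bool(MD5_RE.match(value))
    if ioc_type == "url":
        try:  # accept "https://host/path" as well as a bare "host/path"
            host = urlsplit(value if "://" in value else "//" + value).hostname
        except ValueError:
            return False
        return bool(host) and (value_matches_type("domain", host) or value_matches_type("ip", host))
    return False


def validate_indicator_payload(indicators):
    """Return a list of problems; an empty list means the payload passed."""
    if not isinstance(indicators, list) or not indicators:
        return ["Indicator Payload: must be a non-empty list"]
    errors = []
    for i, item in enumerate(indicators):
        where = f"indicator[{i}]"
        if not isinstance(item, dict):
            errors.append(f"{where}: must be a JSON object")
            continue
        # The documented key is "ioc-type" (hyphen); the whitelist action uses "ioc_type".
        if "ioc_type" in item and "ioc-type" not in item:
            errors.append(f'{where}: key must be "ioc-type", not "ioc_type"')
            continue
        ioc_type, value = item.get("ioc-type"), item.get("ioc_value")
        if not is_allowed(ioc_type, ALLOWED_IOC_TYPES):
            errors.append(f"{where}: ioc-type {ioc_type!r} is not allowed")
        elif not value_matches_type(ioc_type, value):
            errors.append(f"{where}: ioc_value {value!r} is not a valid {ioc_type}")
        # Assumption: confidence fields are validated only when supplied.
        for key, allowed in (("confidence_score", ALLOWED_CONFIDENCE_SCORES),
                             ("confidence_id", ALLOWED_CONFIDENCE_IDS)):
            if key in item and not is_allowed(item[key], allowed):
                errors.append(f"{where}: {key} {item[key]!r} is not allowed")
    return errors


def validate_package(title, description, indicators, tlp, sources, status=None):
    """Validate the required package fields plus the indicator payload."""
    required = {"Package Title": title, "Package Description": description, "Sources": sources}
    errors = [f"{name}: required, must be non-empty text" for name, text in required.items()
              if not isinstance(text, str) or not text.strip()]
    if not is_allowed(tlp, ALLOWED_TLP):
        errors.append(f"TLP: {tlp!r} is not allowed")
    if status is not None and not is_allowed(status, ALLOWED_STATUS):
        errors.append(f"Status: {status!r} is not allowed")
    return errors + validate_indicator_payload(indicators)


# PAGE_EXAMPLE is the page's own payload; CONSTRUCTED_BAD holds constructed mistakes.
PAGE_EXAMPLE = [{"ioc-type": "ip", "ioc_value": "194.87.185.80", "confidence_id": 1,
                 "confidence_score": "high",
                 "object_description": "Indicator added based on the block request from CTIX"}]
CONSTRUCTED_BAD = [
    {"ioc_type": "ip", "ioc_value": "192.0.2.10"},         # underscore key
    {"ioc-type": "ip", "ioc_value": "192[.]0[.]2[.]10",    # defanged value,
     "confidence_id": 7, "confidence_score": "High"},      # id out of range, wrong case
    {"ioc-type": "sha256", "ioc_value": "0" * 64},          # type not in the list
]
```

Calling `validate_indicator_payload(CONSTRUCTED_BAD)` returns one message per problem, so a playbook step can stop and report them instead of posting malformed indicators to CTIX.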
Action: Create Global Notes

This action creates global notes.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Title

Enter the note title.

Example:

"Threat Intel"

Text

Required

Description

Enter the note description.

Example:

"SolarWind Intel"

Text

Required

Additional Parameters

Enter the additional parameters in key-value pairs.

Example:

{ "note_type": "normal", "is_active": True, "save_type": "button", "shared_type": "global", "colour_code": "#d6d6d6" }

Key Value

Optional

Allowed parameters:

  • note_type (str): Default value: “normal”. Allowed values:

    • indicator

    • normal

  • object_id

  • is_active (boolean): Default value: “True”. Allowed values:

    • True

    • False

  • save_type (str)

  • shared_type (str): Default value: “global”. Allowed values:

    • private

    • global

    • specific_users

  • colour_code (hexadecimal): Default value: “#d6d6d6”.

Example Request

[
  {
    "notes_title": "Threat Intel",
    "notes_text": "SolarWind Intel",
    "extra_params": 
    {
      "note_type": "normal",
      "is_active": True,
      "save_type": "button",
      "shared_type": "global",
      "colour_code": "#d6d6d6"
    }
  }
]
Action: Create Task

This action creates a task.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Title

Enter the task title.

Example:

"Update IOC"

Text

Required

Description

Enter the task description.

Example:

"Update the IOC"

Text

Required

Priority

Enter the priority level.

Example:

"low"

Text

Required

Allowed values:

  • high

  • low

  • medium

Assignee ID

Enter the user (assignee) ID.

Example:

"Sample assignee ID"

Text

Required

You can retrieve the Assignee ID using the Get a List of Tasks action.

Indicator ID

Enter the indicator ID.

Example:

"Sample indicator ID"

Text

Required

You can retrieve the Indicator ID using the Fetch IOC Details action.

Status

Enter the status.

Example:

"completed"

Text

Optional

Allowed values:

  • not_started

  • in_progress

  • completed

Default value:

"not_started"

Example Request

[
  {
    "title": "Update IOC",
    "description": "Update the IOC",
    "priority": "low",
    "assignee_id": "sample assignee id",
    "indicator_id": "sample indicator id",
    "status": "completed"
  }
]
Action: Domain Search

This action retrieves the details of a domain such as basic details, sources, relations, and investigations.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Domain

Enter the domain name.

Example:

"cyware.com"

Text

Required

Example Request

[
  {
    "domain": "cyware.com"
  }
]
Action: Get a List of Feed Component

This action retrieves a list of feed components for retrieved intel feeds and published STIX packages.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Packages ID

Enter the package ID.

Example:

"package-c2d67a43f8-812b-a07344aa45d0"

Text

Required

You can retrieve the Package ID using the Get a List of STIX Packages action.

Example Request

[
    {
        "package_id": "package-c2d67a43f8-812b-a07344aa45d0"
    }
]
Action: Get Details of a Feed Component

This action retrieves all the details of a feed component.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Package ID

Enter the package ID.

Example:

"package-c2d67a43f8-812b-a07344aa45d0"

Text

Required

You can retrieve the Package ID using the Get a List of STIX Packages action.

Component ID

Enter the component ID.

Example:

"indicator-e23ea1fc-cfb0-49fa-a89c-60a8da3ea57d"

Text

Required

You can retrieve the Component ID using the Get a List of Feed Components action.

Example Request

[
    {
        "package_id": "package-c2d67a43f8-812b-a07344aa45d0",
        "component_id": "indicator-e23ea1fc-cfb0-49fa-a89c-60a8da3ea57d"
    }
]
Action: Get Feeds of Indicators

This action retrieves the feeds of indicators from threat data.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "enhanced_search": "cyware.com", "page": 1, "page_size": 5, "deprecated": true, "indicator_type": "domain", "blocked": true, "first_seen": "1609905500", "last_seen": "1610078300", "score": 10 }

Key Value

Optional

Allowed keys:

  • enhanced_search(indicator value)

  • page (int)

  • page_size (int)

  • deprecated (bool)

  • indicator_type (url, ip, hash, domain)

  • blocked (bool)

  • first_seen (epoch time)

  • last_seen (epoch time)

  • score (int)

Example Request

[
  {
    "params": 
    {
      "enhanced_search": "cyware.com",
      "page": 1,
      "page_size": 5,
      "deprecated": true,
      "indicator_type": "domain",
      "blocked": true,
      "first_seen": "1609905500",
      "last_seen": "1610078300",
      "score": 10
    }
  }
]
Action: Get a List of Labels

This action retrieves a list of labels.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "page": 1, "page_size": 5 }

Key Value

Optional

Allowed keys:

  • page(int)

  • page_size(int)

Example Request

[
  {
    "params": 
    {
      "page": 1,
      "page_size": 5
    }
  }
]
Action: Get a List of Global Notes

This action retrieves a list of global notes.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "page": 1, "page_size": 5 }

Key Value

Optional

Allowed values:

  • page(int)

  • page_size(int)

Example Request

[
  {
    "params": 
    {
      "page": 1,
      "page_size": 5
    }
  }
]
Action: Get Details of a Rule

This action retrieves the details of a rule such as rule summary, source and collection details, and so on.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Rule ID

Enter the rule ID.

Example:

"238b16dc-e05e-4edf-a7c9-a077bd0de729"

Text

Required

You can retrieve the Rule ID using the Get a List of Rules action.

Example Request

[
  {
    "rule_id": "238b16dc-e05e-4edf-a7c9-a077bd0de729"
  }
]
Action: Get Feeds From a Rule

This action retrieves feeds from a rule.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Rule ID

Enter the rule ID.

Example:

"238b16dc-e05e-4edf-a7c9-a077bd0de729"

Text

Required

You can retrieve the Rule ID using the Get a List of Rules action.

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "page": 1, "page_size": 5 }

Key Value

Optional

Allowed keys:

  • page(int)

  • page_size(int)

Example Request

[
  {
    "rule_id": "238b16dc-e05e-4edf-a7c9-a077bd0de729",
    "params": 
    {
      "page": 1,
      "page_size": 5
    }
  }
]
Action: Get a List of Rules

This action retrieves a list of rules.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "page": 1, "page_size": 5 }

Key Value

Optional

Allowed keys:

  • page(int)

  • page_size(int)

Example Request

[
  {
    "params": 
    {
      "page": 1,
      "page_size": 5
    }
  }
]
Action: Get a List of Server Collection

This action retrieves a list of server collections from threat intel server collections.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "page": 1, "page_size": 5 }

Key Value

Optional

Allowed keys:

  • page(int)

  • page_size(int)

Example Request

[
  {
    "params": 
    {
      "page": 1,
      "page_size": 5
    }
  }
]
Action: Get Details of a Server Collection

This action retrieves the details of a server collection from the threat server collection, such as name, type, and other basic details.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Collection ID

Enter the collection ID.

Example:

"cd31bd57-b0a3-4bf4-8e87-e2b84e818ce5"

Text

Required

You can retrieve the collection ID using the Get a List of Server Collection action.

Example Request

[
  {
    "collection_id": "cd31bd57-b0a3-4bf4-8e87-e2b84e818ce5"
  }
]
Action: Get Feeds From a Server Collection

This action retrieves feeds from a server collection in the threat server collections.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Collection ID

Enter the collection ID.

Example:

"cd31bd57-b0a3-4bf4-8e87-e2b84e818ce5"

Text

Required

You can retrieve the collection ID using the Get a List of Server Collection action.

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "page": 1, "page_size": 5 }

Key Value

Optional

Allowed keys:

  • page(int)

  • page_size(int)

Example Request

[
  {
    "collection_id": "sample collection id",
    "params": 
    {
      "page": 1,
      "page_size": 5
    }
  }
]
Action: Get Details of a Source Collection

This action retrieves the details of a source collection (threat intel source collection), such as collection type, sources, and polling details.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Source ID

Enter the source ID.

Example:

"Sample source ID"

Text

Required

You can retrieve the source ID using the Get a List of Sources action.

Collection ID

Enter the collection ID.

Example:

"Sample collection ID"

Text

Required

You can retrieve the source collection ID using the Get a List of Source Collections action.

Example Request

[
  {
    "collection_id": "sample collection ID",
    "source_id": "sample source ID"
  }
]
Action: Get Feeds From a Source Collection

This action retrieves the feeds from a source collection (threat intel source collection feeds).

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Source ID

Enter the source ID.

Example:

"Sample source ID"

Text

Required

You can retrieve the source ID using the Get a List of Sources action.

Collection ID

Enter the collection ID.

Example:

"cd31bd57-b0a3-4bf4-8e87-e2b84e818ce5"

Text

Required

You can retrieve the source collection ID using the Get a List of Source Collections action.

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "page": 1, "page_size": 5 }

Key Value

Optional

Allowed keys:

  • page(int)

  • page_size(int)

Example Request

[
  {
    "collection_id": "cd31bd57-b0a3-4bf4-8e87-e2b84e818ce5",
    "source_id": "sample source ID",
    "params": 
    {
      "page": 1,
      "page_size": 5
    }
  }
]
Action: Get a List of Source Collections

This action retrieves a list of source collections.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Source ID

Enter the source ID.

Example:

"sample source ID"

Text

Required

You can retrieve the source ID using the Get a List of Sources action.

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "page": 1, "page_size": 5 }

Key Value

Optional

Allowed keys:

  • page(int)

  • page_size(int)

Example Request

[
  {
    "source_id": "sample source ID",
    "params": 
    {
      "page": 1,
      "page_size": 5
    }
  }
]
Action: Get Details of a Source

This action retrieves the details of a source such as source id and details of valid source objects.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Source ID

Enter the source ID.

Example:

"sample source ID"

Text

Required

You can retrieve the source ID using the Get a List of Sources action.

Example Request

[
  {
    "source_id": "sample source ID"
  }
]
Action: Get a List of Sources

This action retrieves a list of sources.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "page": 1, "page_size": 5 }

Key Value

Optional

Allowed keys:

  • page(int)

  • page_size(int)

Example Request

[
 {
    "params": 
    {
      "page": 1,
      "page_size": 5
    }
  }
]
Action: Get a List of STIX Packages

This action retrieves a list of STIX packages.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "page": 1, "page_size": 5 }

Key Value

Optional

Allowed keys:

  • page(int)

  • page_size(int)

Example Request

[
 {
    "params": 
    {
      "page": 1,
      "page_size": 5
    }
  }
]
Action: Get a List of Tasks

This action retrieves a list of tasks.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "page": 1, "page_size": 5 }

Key Value

Optional

Allowed keys:

  • page(int)

  • page_size(int)

Example Request

[
 {
    "params": 
    {
      "page": 1,
      "page_size": 5
    }
  }
]
Action: Hash Search

This action retrieves the details of a hash value such as basic details and the VirusTotal report of the hash.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Hash

Enter the hash value.

Example:

"md4"

Text

Required

Allowed hash types:

  • md4

  • md5

  • sha1

  • sha256

  • sha512

  • ssdeep

Example Request

[
    {
        "hash_value": "md4"
    }
]
Action: IP Address Search

This action searches for an IP address.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IP Address

Enter the IP address.

Example:

"1.1.1.1"

Text

Required

Example Request

[
  {
    "ip": "1.1.1.1"
  }
]
Action: Query Whitelisted Indicator

This action queries a whitelisted IOC.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Indicator Value

Enter the indicator (IOC) value.

Example:

"cyware.com"

Text

Required

Additional Query Parameters

Enter the additional query parameters in key-value pairs.

Example:

{ "page": 1,"page_size": 5 }

Key Value

Optional

Allowed keys:

  • page(int)

  • page_size(int)

Example Request

[
 {
    "ioc_value": "cyware.com",
    "params": 
    {
      "page": 1,
      "page_size": 5
    }
  }
]
Action: CVE Search

This action retrieves the details of a CVE ID such as affected software, references, and package details.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

CVE ID

Enter the CVE ID.

Example:

"sample CVE ID"

Text

Required

Example Request

[
 {
    "cve_id": "sample cve ID"
  }
]
Action: Update Custom STIX Package

This action updates a custom STIX package.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Custom STIX Package ID

Enter the custom STIX package ID.

Example:

"package-fa3b6a0f-a502-4810-8412-595a04157f56"

Text

Required

You can retrieve the STIX package ID using the Get a List of STIX Packages action.

Indicators

Enter the list of indicators.

Example:

$LIST[ "sample indicator id 1","sample indicator id 2" ]

List

Required

You can retrieve the indicator ID using the Fetch IOC Details action.

Title

Enter the title.

Example:

"STIX package"

Text

Optional

Status

Enter the custom STIX package status.

Example:

"published"

Text

Optional

Allowed values:

  • draft

  • published

Collection ID

Enter the list of collection IDs.

Example:

$LIST[cd31bd57-b0a3-4bf4-8e87-e2b84e818ce5]

List

Optional

You can retrieve the collection ID using the Get a List of Server Collections action.

Example Request

[
  {
    "title": "STIX package",
    "status": "published",
    "collection_ids": "cd31bd57-b0a3-4bf4-8e87-e2b84e818ce5",
    "custom_stix_package_id": "package-fa3b6a0f-a502-4810-8412-595a04157f56",
    "indicator_list": [
                        "sample indicator id 1",
                        "sample indicator id 2"
            ]
  }
]
Action: Update Global Note

This action updates a global note.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Note Title

Enter the note title.

Example:

"Threat"

Text

Required

Note Description

Enter the description.

Example:

"Endpoint threat detected"

Text

Required

Note ID

Enter the note ID.

Example:

"sample note ID"

Text

Required

You can retrieve the note ID using the Get a List of Global Notes action.

Extra Params

Enter the extra parameters in key-value pairs.

Example:

{ "note_type": "indicator", "is_active": False, "save_type": "button", "shared_type": "global", "colour_code": "#d6d6d6" }

Key Value

Optional

Allowed keys:

  • note_type (str): Default value: “normal”. Allowed values:

    • indicator

    • normal

  • object_id (id)

  • is_active (boolean): Default value: “True”. Allowed values:

    • True

    • False

  • save_type (str): “button”

  • shared_type (str): Default value: “global”. Allowed values:

    • private

    • global

    • specific_users

  • colour_code (hexadecimal): Default value: “#d6d6d6”.

Example Request

[
  {
    "notes_title": "Threat",
    "notes_text": "Endpoint threat detected",
    "notes_id": "sample note ID",
    "extra_params":
    {
      "note_type": "indicator",
      "is_active": False,
      "save_type": "button",
      "shared_type": "global",
      "colour_code": "#d6d6d6"
    }
  }
]
Action: Update Task

This action updates a task.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Task ID

Enter the task ID.

Example:

"Sample task ID"

Text

Required

You can retrieve the task ID using the Get a List of Tasks action.

Title

Enter the task title.

Example:

"IOC updated"

Text

Required

Assignee ID

Enter the task assignee ID (user ID).

Example:

"Sample assignee ID"

Text

Required

You can retrieve the Assignee ID using the Get a List of Tasks action.

Indicator ID

Enter the indicator ID.

Example:

"Sample indicator ID"

Text

Required

You can retrieve the indicator ID using the Fetch IOC Details action.

Status

Enter the status.

Example:

"in_progress"

Text

Required

Allowed values:

  • not_started

  • in_progress

  • completed

Extra Params

Enter the extra parameters in key-value pairs.

Example:

{ "closure_comment": "Task updated", "due_date": 1609854506, "description": "Update task with IOC", "reassigned_reason": "Change of ownership" }

Key Value

Optional

Allowed keys:

  • closure_comment(str)

  • due_date(epoch time)

  • description(str)

  • reassigned_reason(str): only when the task is reassigned to another user

Example Request

[
  {
    "title": "IOC updated",
    "status": "in_progress",
    "task_id": "sample task ID",
    "assignee_id": "sample assignee ID",
    "indicator_id": "sample indicator ID",
    "extra_params":
    {
      "closure_comment": "Task updated",
      "due_date": 1609854506,
      "description": "Update task with IOC",
      "reassigned_reason": "Change of ownership"
    }
  }
]
Action: URL Search

This action retrieves the details of a URL such as STIX object ID, list of packages, and so on.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

URL

Enter the URL.

Example:

"www.google.com"

Text

Required

Example Request

[
  {
    "url": "www.google.com"
  }
]
Action: Add Indicator in Whitelist Management

This action adds indicators in the whitelist management.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Indicator Value

Enter the list of indicator (IOC) values.

Example:

$LIST[security.com,cyware.com]

List

Required

Indicator Type

Enter the indicator (IOC) type.

Example:

"domain"

Text

Required

Allowed values:

  • address (ipv4)

  • address (ipv6)

  • asn number

  • email address

  • hash (md5)

  • hash (sha1)

  • hash (sha224)

  • hash (sha256)

  • hash (sha384)

  • hash (ssdeep)

  • url

  • cidr

  • domain

  • mutex name

  • win registry key

  • user agent name

Reason

Enter the reason for adding the indicator to the whitelist.

Example:

"Security purpose"

Text

Required

Example Request

[
  {
    "ioc_value": ["security.com", "cyware.com"],
    "ioc_type": "domain",
    "reason": "Security purpose"
  }
]
Action: Remove Indicators From STIX Package

This action deletes indicators from a STIX package.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

STIX Package ID

Enter the STIX package ID.

Example:

"package-fa3b6a0f-a502-4810-8412-595a04157f56"

Text

Required

You can retrieve the STIX package ID using the Get a List of STIX Packages action.

Indicators ID

Enter the list of indicator IDs.

Example:

$LIST[sample indicator id]

List

Required

You can retrieve the indicator ID using the Fetch IOC Details action.

Example Request

[
  {
    "stix_id": "package-fa3b6a0f-a502-4810-8412-595a04157f56",
    "indicators_id": [
      "sample indicator id"
    ]
  }
]
Action: Remove Indicators From Whitelist Management

This action deletes indicators from a whitelist.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Whitelist Indicator ID

Enter the list of whitelisted indicator IDs.

Example:

$LIST[475d58bb-b7f2-4a03-a1e8-b633f1b6b2c6, 475d58bb-b7f2-4a03-a1e8-b633f1b6b2c6]

List

Required

You can retrieve the whitelisted indicator ID using the Get a List of Whitelisted Indicator Types action.

Example Request

[
  {
    "whitelist_ioc_id": [
      "475d58bb-b7f2-4a03-a1e8-b633f1b6b2c6",
      "475d58bb-b7f2-4a03-a1e8-b633f1b6b2c6"
    ]
  }
]
Action: Post Enrichment Data to an Indicator

This action posts enrichment data to an indicator in threat data.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Indicator ID

Enter the indicator ID.

Example:

"Sample indicator ID"

Text

Required

You can retrieve the Indicator ID using the Fetch IOC Details action.

Enrichment Data

Enter the JSON data from enrichment tools in key-value pairs.

Example:

{ "data": { "app_report": {"data":"test", "Source":"source_name"} } }

Key Value

Optional

You can retrieve the enrichment data using the Get Indicator Enrichment Data action.

App Name

Enter the application name.

Example:

"virus total"

Text

Required

App Type

Enter the app type.

Example:

"domain"

Text

Required

Allowed values:

  • ip

  • domain

  • hash

  • url

Report Slug

Enter the report slug.

Example:

"virus_total_ip_report"

Text

Required

Report slug format:

{app_name}_{app_type}_report

Create New App

Optional preference to create a new app in CTIX if the app is not available.

Example:

No

Boolean

Optional

Allowed values:

  • Yes - New App is created

  • No - New App is not created

Default value:

No

Example Request

[
  {
    "payload": 
    {
      "data": 
      {
        "app_report": {"data":"test", "Source":"source_name"}
      }
    },
    "app_name": "Virus Total",
    "app_type": "domain",
    "report_slug": "virus_total_ip_report",
    "is_app_new": "No",
    "indicator_id": "sample indicator ID"
  }
]
Action: Get Indicator Enrichment Data

This action retrieves indicator enrichment data from threat data.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Indicator Value

Enter the indicator value.

Example:

"cyware.com"

Text

Required

Indicator Type

Enter the indicator type.

Example:

"domain"

Text

Required

Allowed values:

  • ipv4-addr

  • ipv6-addr

  • url

  • domain

  • file

Example Request

[
  {
    "indicator_type": "domain",
    "indicator_value": "cyware.com"
  }
]
Action: Get a List of Enrichment Tools

This action retrieves a list of enrichment tools for threat data indicators.

Input Parameters

This action does not require any input parameter.

Action: Indicator Search

This action searches for a URL, domain, IP address, hash, or CVE ID.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Indicator Type

Enter the indicator (IOC) type.

Example:

"domain"

Text

Required

Allowed values:

  • domain

  • url

  • ip

  • cve_id

  • hash

Indicator Value

Enter the indicator (IOC) value.

Example:

"cyware.com"

Text

Required

Example Request

[
  {
    "indicator_type": "domain",
    "indicator_value": "cyware.com"
  }
]
Action: Get a Saved Result Set

This action retrieves a saved result set from STIX packages.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

From Timestamp

Enter the from timestamp in epoch time format.

Example:

"1609823166"

Text

Optional

To Timestamp

Enter the "to timestamp" in epoch time format.

Example:

"1641359166"

Text

Optional

Additional Query Parameters

Enter the additional query parameters in the form of key-value pairs.

Example:

{"page": 5 }

Key Value

Optional

Allowed keys:

  • page (int)

  • page_size (int)

Label Name

Enter the label name to retrieve all the details related to the label.

Example:

"Solarwind"

Text

Optional

Example Request

[
  {
    "from_timestamp": 1609823166,
    "to_timestamp": 1641359166,
    "params": 
    {
      "page": 5
    },
    "label_name": "SolarWind"
  }
]
Action: Initiate CSOL Action

This action initiates an action of a CSOL app.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Task ID

Enter the task ID.

Example:

"Sample task ID"

Text

Required

You can retrieve the task ID using the Get a List of Tasks action.

App Name

Enter the app name.

Example:

"Qradar"

Text

Required

Action Name

Enter the action name.

Example:

"update_reference_set"

Text

Required

Example Request

[
  {
    "app_name": "Qradar",
    "action": "update_reference_set",
    "task_id": "sample task ID"
  }
]
Action: Add Tags

This action updates and adds tags to a threat indicator.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Task ID

Enter the task ID.

Example:

"Sample task ID"

Text

Required

You can retrieve the task ID using the Get a List of Tasks action.

Labels

Enter the list of labels.

Example:

$LIST[solarwinds, tanium]

List

Required

Example Request

[
  {
    "labels": [
                "solarwinds", 
                "tanium"
        ],
    "task_id": "sample task ID"
  }
]
Action: Fetch IOC Details

This action retrieves the details of a threat indicator using the task ID.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Task ID

Enter a task ID to retrieve the details of a threat indicator.

Example:

$LIST[indicator--axx3d2e5-3d7a-4bfc-b74c-20388334ffea, indicator--s87b3d2e5-xx7a-4bfc-bxxc-20388334ffea]

List

Required

You can retrieve a task ID using the action Get a List of Tasks.

Example Request

[
 {
    "task_id": ["indicator--axx3d2e5-3d7a-4bfc-b74c-20388334ffea","indicator--s87b3d2e5-xx7a-4bfc-bxxc-20388334ffea"]
  }
]
Action: Block/Unblock IOC

This action updates the threat indicator for block response.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Task ID

Enter the task ID.

Example:

"indicator--651a3032-14f9-4xx1-aa88-b5d3f9fe57b5"

Text

Required

You can retrieve the task ID using the Get a List of Tasks action.

Block Response

Enter the response for the threat indicator to be blocked.

Example:

no

Boolean

Optional

Allowed values:

  • yes: Threat indicator is blocked

  • no: Threat indicator is not blocked

Block Time

Enter the time in epoch format at which you must block the IOC. Example: 1685948076

Integer

Optional

Example Request

[
    {
        "task_id": "indicator--651a3032-14f9-4xx1-aa88-b5d3f9fe57b5",
        "block_time": "1685948076",
        "block_response": true
    }
]
Action: Remove Tags

This action removes tags using task ID and labels.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Task ID

Enter the task ID.

Example:

"sample task ID"

Text

Required

You can retrieve the task ID using the Get a List of Tasks action.

Labels

Enter the list of labels.

Example:

$LIST[solarwinds, tanium]

List

Required

Example Request

[
  {
    "labels": [
                "solarwinds", 
                "tanium"
        ],
    "task_id": "sample task id"
  }
]
Action: Get a List of Reports

This action retrieves a list of reports.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Page Number

Enter the page number to list reports on that page number.

Example:

5

Integer

Optional

Default value:

1

Page Size

Enter the number of reports to list out per page.

Example:

20

Integer

Optional

Default value:

10

Example Request

[
    {
        "page_number": 5,
        "page_size": 20
    }
]
Action: Get Run Logs

This action retrieves run logs for a specific report.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Report ID

Enter the Report ID to retrieve the run logs.

Example:

"a1746c31-945b-4a96-b513-f6537c421947"

Text

Required

Page Number

Enter the page number to retrieve the list of reports on that page number.

Example:

5

Integer

Optional

Default value:

1

Page Size

Enter the number of reports to list out per page.

Example:

20

Integer

Optional

Default value:

10

Example Request

[
    {
        "report_id": "a1746c31-945b-4a96-b513-f6537c421947",
        "page_number": 5,
        "page_size": 20
    }
]
Action: Get Bulk Enrichment

This action returns the enrichment data for a list of threat data IDs.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Threat Data IDs

Enter the Threat Data IDs.

Example:

$LIST[ indicator--c442d2f0-0fed-4abb-af53-cf5efc8676f5 ]

List

Required

Example Request

[
    {
        "threat_data_ids": [
            "indicator--c442d2f0-0fed-4abb-af53-cf5efc8676f5"
        ]
    }
]
Action: Get All Widgets

This action retrieves all the widgets into a page.

Input Parameters

Parameters

Description

Field Type

Required/Optional

Comments

Page Size

Enter the page size.

Example:

500

Integer

Optional

The default value is 100.

Example Request

[
  {
    "page_size": 500
  }
]
Action: Get Widget Details

This action retrieves widget details using the widget ID.

Input Parameters

Parameters

Description

Field Type

Required/Optional

Comments

Widget ID

Enter the widget ID to retrieve the widget details.

Example:

"0012"

Text

Required

Example Request

[
  {
    "widget_id": "0012"
  }
]
Action: Get Feeds of Vulnerabilities

This action retrieves feeds of vulnerabilities from threat data in the Cyware Threat Intelligence eXchange (CTIX) application.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Query Parameters

Enter the query parameters to retrieve the feeds of vulnerabilities.

Key Value

Optional

Allowed keys:

  • indicator value

  • page

  • page size

  • deprecated

  • indicator_type

  • blocked

  • first seen

  • last seen

  • score

Example Request

[
  {
    "params": 
    {
      "enhanced_search": "sample indicator value",
      "page": 5,
      "page_size": 50,
      "deprecated": "true",
      "indicator_type": "url",
      "blocked": "false",
      "first_seen": 1609439400,
      "last_seen": 1640975400
    }
  }
]
Action: Get Bulk IOC Details by Indicator ID

This action retrieves bulk IOC details by indicator ID.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IOC IDs

Enter the IOC ID.

Example:

$LIST[indicator-48578510-b2b0-496e-940d-eba2d903e0]

List

Required

Enhanced Search

Enter true for enhanced search.

Example:

False

Boolean

Optional

Default value:

False

Page Number

Enter the page number from where you need to retrieve the list of reports.

Example:

5

Integer

Optional

Default value:

1

Page Size

Enter the page size to display the number of reports per page.

Example:

7

Integer

Optional

Default value:

10

Fields

Enter the comma-separated field values whose details are to be fetched.

Example:

"name2, type"

Text

Optional

Example Request

[
  {
    "ioc_id": ["indicator-48578510-b2b0-496e-940d-eba2d903e0"],
    "enhanced_search": false,
    "page_number": 5,
    "page_size": 7,
    "fields": "name2, type"
  }
]
Action: Get Bulk IOC Details by Indicator Value

This action retrieves bulk IOC details by indicator value.

Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IOC Values

Enter the IOC values.

Example:

$LIST[formspree.io, 111.56.98.34]

List

Required

Enhanced Search

Enter true for enhanced search.

Example:

True

Boolean

Optional

Default value:

False

Page Number

Enter the page number from where you need to retrieve the list of reports.

Example:

5

Integer

Optional

Default value:

1

Page Size

Enter the number of reports to be displayed per page.

Example:

7

Integer

Optional

Default value:

10

Fields

Enter the comma-separated field values whose details are to be fetched.

Example:

"name2, type"

Text

Optional

Example Request

[
  {
    "ioc_values": ["formspree.io", "111.56.98.34"],
    "enhanced_search": false,
    "page_number": 5,
    "page_size": 7,
    "fields": "name2, type"
  }
]