Cyware Fusion and Threat Response (CFTR)
App Vendor: Cyware
Connector Category: Cyware Products
Connector version: 3.7.0
API version: CFTR 2
Default Port: 443
About App
Cyware Fusion and Threat Response (CFTR) takes the approach of a Cyber Fusion Centre (CFC) to facilitate detection, response, threat hunting, threat intelligence sharing, and investigations.
CFTR brings together disparate teams within an organization like SecOps, IT operations, physical security, product development, fraud containment, and others to improve overall threat intelligence, accelerate incident response and reduce organizational cost and risk. By combining the SOC team and CFC models together, CFTR enhances the monitoring capabilities of a SOC team and gives the organization the ability to better defend against incidents and intrusions, reduce mean time to response (MTTR) and stay on top of threats that could target their environments.
The Cyware Fusion and Threat Response (CFTR) app in the Orchestrate application can connect with the CFTR application to perform the following actions:
Action Name | Description |
---|---|
Get Countries | This action retrieves a list of all the countries. |
Get Manufacturers | This action retrieves a list of manufacturers. |
Get Manufacturer Details | This action retrieves manufacturer details. |
Get OS Types | This action retrieves a list of Operating System types. |
Get OS Type Details | This action retrieves details of an Operating System type. |
Get Labels | This action retrieves a list of Labels. |
Get Label Details | This action retrieves Label details. |
Get Sources | This action retrieves a list of Sources. |
Get Source Details | This action retrieves Source details. |
Get Business Unit Details | This action retrieves details of a Business Unit. |
Get Business Units | This action retrieves a list of Business Units. |
Get Locations | This action retrieves a list of Locations. |
Get Location Details | This action retrieves Location details using Location UID. |
Get User Groups | This action retrieves a list of all User Groups. |
Get User Group Details | This action retrieves details of a particular User Group. |
Get CFTR Users | This action retrieves a list of CFTR platform users. |
Get CFTR User Details | This action retrieves details of CFTR platform users. |
Get Attachments | This action retrieves all attachments from a module. |
Get Comments | This action retrieves a list of comments of a module. |
Add Comment | This action adds a comment on a specific component. |
Get Attack Techniques | This action retrieves a list of Attack Techniques. |
Get Attack Technique Details | This action retrieves Attack Technique details. |
Get Attack Tactics | This action retrieves a list of Attack Tactics. |
Get Attack Tactic Details | This action retrieves Attack Tactic details. |
Create Attack Tactic-Technique Pair | This action creates an attack Tactic-Technique pair. |
Update Asset User Details | This action updates asset user details. |
Add Asset User | This action creates a new asset user. |
Get Asset User Details | This action retrieves details of an asset user. |
Get Asset Users | This action retrieves a list of asset users. |
Update Asset Software Details | This action modifies the details of an Asset Software record. |
Add Asset Software | This action adds/creates an Asset Software record using mandatory fields. |
Get Asset Software Details | This action retrieves Asset Software details using UID. |
Get Asset Software | This action retrieves a list of Asset Software. |
Update Asset Application Details | This action updates an application's details using UID and additional fields. |
Add Asset Application | This action adds an application. |
Get Asset Application Details | This action retrieves application details. |
Get Asset Applications | This action retrieves a list of applications. |
Update Device Details | This action updates a device's details using the UID of the device and additional fields. |
Get Device Details | This action retrieves details of a device using the UID of the device. |
Get Devices | This action retrieves a list of devices. |
Add Device | This action adds a device. |
Update Vulnerability Details | This action updates a vulnerability's details. |
Create Vulnerability | This action adds a new vulnerability record. |
Get Vulnerability Details | This action retrieves vulnerability details. |
Get Vulnerabilities | This action retrieves a list of vulnerabilities. |
Update Threat Intel (IOC) | This action updates Threat Intel (IOC) using UID and fields. |
Create Threat Intel (IOC) | This action adds a new Threat Intel (IOC) using IOC value, type, and other details. |
Get Threat Intel (IOC) Details | This action retrieves Threat Intel (IOC) details. |
Get List of Threat Intel (IOC) | This action retrieves a list of Threat Intel (IOC). |
Update Malware Details | This action updates the details of the Malware. |
Create a Malware | This action creates a Malware entry. |
Update Threat Actor Details | This action updates details of a Threat Actor. |
Get Malware Details | This action retrieves details of a Malware. |
List Malware | This action retrieves a list of Malware. |
Get a List of Threat Actors | This action retrieves the list of Threat Actors. |
Get Threat Actor Details | This action retrieves details of a Threat Actor. |
Create Threat Actor | This action creates a Threat Actor. |
Update PIR Details | This action updates PIR details. |
Create a PIR | This action creates a PIR. |
Get PIR Details | This action retrieves PIR details. |
Get PIRs | This action retrieves the list of PIRs. |
Create Enhancement | This action creates an enhancement. |
Update Enhancement Details | This action updates details of an enhancement. |
Get Enhancement Details | This action retrieves enhancement details. |
Get Enhancements | This action retrieves the list of enhancements. |
Update Action Details | This action updates details of an action. |
Create Action | This action creates an action. |
Get Action Details | This action retrieves action details. |
Get Actions | This action retrieves a list of actions. |
Update Incident Details | This action updates the details of an Incident. |
Create Incident | This action creates an incident. |
Get Incident Details | This action retrieves details of an Incident. |
Get Incidents | This action retrieves a list of Incidents. |
Update Campaign Details | This action updates Campaign details. |
Create Campaign | This action creates a new Campaign. |
Get Campaign Details | This action retrieves Campaign details. |
Get Campaigns | This action retrieves a list of Campaigns. |
Update Threat Briefing Details | This action updates details of a Threat Briefing. |
Create a Threat Briefing | This action adds a Threat Briefing record. |
Get Threat Briefings | This action retrieves a list of Threat Briefings. |
Get Threat Briefing Details | This action retrieves Threat Briefing details. |
Fetch Health Console Status | This action retrieves console status. |
Get Recommended Users for an Incident | This action retrieves the list of users who are automatically recommended by CFTR for assigning to a specific incident. Recommendations are shown based on their roster and the history of incidents handled. |
Upload Attachment | This action uploads an attachment to a component. |
List Custom Modules | This action retrieves the name and identifier of the custom modules. |
List Custom Module Entries | This action retrieves the entries of a custom module. |
Get Custom Module Details | This action retrieves the details of a custom module entry. |
Create Custom Module Entry | This action creates a custom module entry. |
Update Custom Module Entry | This action updates a custom module entry. |
Add Comment in Custom Module | This action adds comments in a custom module entry. |
List Incident Workflows | This action retrieves all the incident workflows from your CFTR application. |
Get Incident Workflow Details | This action retrieves the details of an incident workflow. |
Get Threat Intel Form Structure | This action retrieves the form field structure of the Threat Intel module. |
Get List of Threat Intel Types | This action retrieves all the Threat Intel types in the CFTR application. |
Connect Modules | This action connects modules to reflect in Connect the Dots of each module. |
Get Templates | This action retrieves the merge incident templates. |
Get Rosters | This action retrieves all rosters that are configured in the CFTR application. |
Merge Incidents | This action merges incidents with a parent incident. |
Generic Action | This is a generic action to perform any additional use case on CFTR. |
Action: Get Countries
This action retrieves a list of all the countries.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get Manufacturers
This action retrieves a list of manufacturers.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get Manufacturer Details
This action retrieves manufacturer details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Manufacturer UID | Enter the manufacturer's unique ID. | Text | Required |
{ "unique_id": "Example Manufacturer ID" }
Action: Get OS Types
This action retrieves a list of Operating System types.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get OS Type Details
This action retrieves details of an Operating System type.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Operating System (OS) UID | Enter the OS type unique ID. | Text | Required |
|
{ "unique_id": "Example Operating System Type ID" }
Action: Get Labels
This action retrieves a list of Labels.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get Label Details
This action retrieves Label details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Label UID | Enter the Label unique ID. | Text | Required |
{ "unique_id": "Example Label ID" }
Action: Get Sources
This action retrieves a list of Sources.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get Source Details
This action retrieves Source details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source UID | Enter the Source unique ID. | Text | Required |
{ "unique_id": "Example Source ID" }
Action: Get Business Unit Details
This action retrieves details of a Business Unit.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Business Unit UID | Enter the Business Unit unique ID. | Text | Required |
{ "unique_id": "Example Business Unit ID" }
Action: Get Business Units
This action retrieves a list of business units.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get Locations
This action retrieves a list of Locations.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get Location Details
This action retrieves location details using location UID.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Location UID | Enter the Location unique ID. | Text | Required |
{ "unique_id": "Example Location ID" }
Action: Get User Groups
This action retrieves a list of all User Groups.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get User Group Details
This action retrieves details of a particular User Group.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Group comm ID | Enter the group communication ID of the User Group. | Text | Required |
{ "unique_id": "Example User Group ID" }
Action: Get CFTR Users
This action retrieves a list of CFTR platform users.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get CFTR User Details
This action retrieves details of CFTR platform users.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the user ID for the CFTR platform user. | Text | Required |
|
{ "unique_id": "Example Platform User ID" }
Action: Get Attachments
This action retrieves all attachments from a module.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component name | Enter the CFTR component name. | Text | Required | Allowed values:
|
Unique ID | Enter the Unique ID. For example, if the component name is “incident”, then the unique ID must be the corresponding “incident UID”. | Text | Required |
|
[ { "component_name": "incident", "unique_id": "Example Unique ID" } ]
Action: Get Comments
This action retrieves a list of comments of a module.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component name | Enter the CFTR component name. | Text | Required | Allowed values:
|
Unique ID | Enter the Unique ID. For example, if the component name is “incident”, then the unique ID must be the corresponding “incident UID”. | Text | Required |
|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 }, "component_name": "incident", "unique_id": "Example Unique ID" } ]
Action: Add Comment
This action adds a comment on a specific component.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component name | Enter the CFTR component name. | Text | Required | Allowed values:
|
Unique ID | Enter the Unique ID. For example, if the component name is “incident”, then the unique ID must be the corresponding “incident UID”. | Text | Required |
|
Comment | Enter the content to add as a comment. For example, "File management". | Text | Required |
|
[ { "component_name": "incident", "unique_id": "Example Unique ID", "comment": "File management" } ]
Action: Get Attack Techniques
This action retrieves a list of Attack Techniques.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get Attack Technique Details
This action retrieves Attack Technique details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Attack Technique UID | Enter the Attack Technique unique ID. | Text | Required |
[ { "unique_id": "Example Unique ID" } ]
Action: Get Attack Tactics
This action retrieves a list of Attack Tactics.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get Attack Tactic Details
This action retrieves Attack Tactic details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Attack Tactic UID | Enter the Attack Tactic ID. | Text | Required |
[ { "unique_id": "Example Unique ID" } ]
Action: Create Attack Tactic-Technique Pair
This action creates an attack tactic-technique pair.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Attack Technique UID | Enter the Attack Technique UID. | Text | Required |
|
Attack Tactic UID | Enter the Attack Tactic ID. | Text | Required |
|
[ { "technique_uid": "Example Unique ID", "tactic_uid": "Example Unique ID" } ]
Action: Update Asset User Details
This action updates asset user details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
General user UID | Enter the unique ID of the asset user. | Text | Required |
|
Additional information | Enter additional information in the form of key-value pairs to update general user details. For example, {"name": "Anna"}. | Key-Value | Optional | Allowed values:
|
[ { "unique_id": "Example Unique ID", "extra_fields": { "full_name": "Anna Harris" } } ]
Action: Create Asset User
This action creates a new asset user.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Employee name | Enter employee name for the user. For example, "Anna". | Text | Required |
|
Employee code | Enter the employee code for the user. | Text | Required |
|
Email address | Enter an email address for the user. For example, "sampleuser@example.com". | Text | Required |
|
Business Unit (BU) | Enter the UIDs of Business Units in a comma-separated list. | List | Required | You can retrieve the unique ID of the business units using the Get Business Units action. |
Additional information | Enter additional information to create a general user in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional |
|
[ { "employee_name": "Anna Harris", "employee_code": "Sample Employee Code", "email": "Sample Email", "business_units": "Business Unit", "extra_fields": { "full_name": "Anna Harris" } } ]
Action: Get Asset User Details
This action retrieves details of an asset user.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
General user UID | Enter the unique ID of an asset user. | Text | Required |
|
[ { "unique_id": "Example Unique ID" } ]
Action: Get Asset Users
This action retrieves a list of asset users.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Update Asset Software Details
This action modifies the details of an Asset Software record.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset Software UID | Enter the unique ID of the Asset Software. | Text | Required | |
Additional information | Enter additional information about the Asset Software to update in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional |
[ { "unique_id": "Example Unique ID", "extra_fields": { "title": "Desktop Computer", "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "software_status": "active" } } ]
Action: Add Asset Software
This action adds/creates an Asset Software record in CFTR.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset Software name | Enter the Asset Software name to keep it as the title. For example, "VirusTotal". | Text | Required |
|
Software publisher UID | Enter the unique ID of the software publisher. | Text | Required | You can retrieve the unique ID of a software publisher using the Get Manufacturers action. |
Software type | Enter the software type in a list of comma-separated strings. Example: $LIST[software_type1, software_type2] | List | Required |
|
Software ID | Enter the software ID. | Text | Required |
|
Additional information | Enter additional information to create an Asset Software in the form of key-value pairs. For example, {"BU_name": "CFTR"}. | Key-Value | Optional |
|
[ { "title": "VirusTotal", "software_publisher": "VirusTotal", "software_id": "Example Unique ID", "software_type": ["software_type1", "software_type2"], "extra_fields": { "BU_name": "Business Unit 1" } } ]
Action: Get Asset Software Details
This action retrieves Asset Software details using UID.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset software UID | Enter the asset software unique ID. | Text | Required |
[ { "unique_id": "Example Unique ID" } ]
Action: Get Asset Software
This action retrieves a list of asset software.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Update Application Details
This action updates an application's details using UID and additional fields.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Application UID | Enter the unique ID of the application. | Text | Required | |
Additional information | Enter additional information to update in an application in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional |
[ { "unique_id": "Example Unique ID", "extra_fields": { "title": "VirusTotal", "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "active" } } ]
Action: Add Asset Application
This action adds an application.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Application name | Enter the application name. For example, "Google Chrome". | Text | Required |
|
Business Units (BU) | Enter a list of the unique IDs of the business units. Example: $LIST[a8007b20-bf76-4ce8-a761-45a453512479, a8007b20-bf76-4ce8-a761-45a453512470] | List | Required | You can retrieve the unique ID of business units using the Get Business Units action. |
Application status | Enter the application's status. | Text | Required | Allowed values:
|
Locations | Enter the UIDs of locations impacted by the application in a list. Example: $LIST[a8007b20-bf76-4ce8-a761-45a453512471, a8007b20-bf76-4ce8-a761-45a453512472] | List | Required | You can retrieve the unique ID of locations using the Get Locations action. |
Application URL | Enter the application URL if it is internet-facing. For example, "www.google.com". | Text | Required |
|
Additional information | Enter additional information about an application to add in the form of key-value pairs. For example, {"version": "1.0.0"}. | Key-Value | Optional |
|
[ { "app_name": "Google Chrome", "business_units": ["a8007b20-bf76-4ce8-a761-45a453512479", "a8007b20-bf76-4ce8-a761-45a453512470"], "app_status": "Live", "locations": ["a8007b20-bf76-4ce8-a761-45a453512471", "a8007b20-bf76-4ce8-a761-45a453512472"], "app_url": "www.google.com", "extra_fields": { "version": "1.0.0" } } ]
Action: Get Asset Application Details
This action retrieves application details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Application UID | Enter the application's unique ID. | Text | Required |
|
[ { "unique_id": "Example Unique ID" } ]
Action: Get Asset Applications
This action retrieves a list of applications.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Update Device Details
This action updates a device's details using the UID of the device and additional fields.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device UID | Enter the device's unique ID. | Text | Required | |
Additional information | Enter additional information about the device in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional |
[ { "unique_id": "Example Unique ID", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "hostname": "EC2AMAZ-8V2J535", "endpoint_status": "clean" } } ]
Action: Get Device Details
This action retrieves details of a device using the UID of the device.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device UID | Enter the device's unique ID. | Text | Required |
[ { "unique_id": "Example Unique ID" } ]
Action: Get Devices
This action retrieves a list of devices.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Add Device
This action adds a device.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hostname | Enter the hostname. For example, "EC2AMAZ-8V2J535". | Text | Required |
|
IP address | Enter the IP address. For example, "1.1.1.1". | Text | Required |
|
Additional Information | Enter additional information about the device in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional |
|
[ { "hostname": "EC2AMAZ-8V2J535", "ip_address": "1.1.1.1", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "endpoint_status": "clean" } } ]
Action: Update Vulnerability Details
This action updates a vulnerability's details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Vulnerability UID | Enter the unique ID of the vulnerability. | Text | Required | |
Additional information | Enter the additional information about the vulnerability to update in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional |
[ { "risk": "Very Low", "title": "Critical VUL1243", "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "cvss_score":8 } } ]
Action: Create Vulnerability
This action adds a new vulnerability record.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Vulnerability name | Enter the vulnerability name. For example, "New Vulnerability". | Text | Required | |
Risk level | Enter the risk level of the vulnerability. | Text | Required | Allowed values:
|
Sources | Enter the sources of vulnerability in a comma-separated list. | List | Required | You can retrieve the sources using the Get Sources action. |
Priority level | Enter the priority level of the vulnerability. | Text | Required | Allowed values:
|
Additional information | Enter additional information to create a vulnerability in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional |
[ { "title": "New Vulnerability", "risk": "Low", "priority": "Low", "extra_fields": { "BU_name": "Business Unit 1" } } ]
Action: Get Vulnerability Details
This action retrieves vulnerability details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Vulnerability UID | Enter the vulnerability's unique ID. | Text | Required |
[ { "unique_id": "Example Unique ID" } ]
Action: Get Vulnerabilities
This action retrieves a list of vulnerabilities.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Update Threat Intel (IOC)
This action updates Threat Intel (IOC) using UID and fields.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Intel (IOC) UID | Enter the threat intel (IOC) unique ID. | Text | Required | |
Additional information | Enter additional information about Threat Intel to update in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional |
[ { "tlp": "WHITE", "value": "5075f76fb61ce1a56d9b7758f97c7903796933b0b0737a274bf8d347b5fa4473", "status": "none", "created": "2021-07-30T07:35:58.756888Z", "ioc_type": "371b43d3-e28d-42f8-80c3-f32039d38954", "modified": "2021-07-30T07:35:58.756888Z", "unique_id": "b7392170-ea74-467c-9665-0103020cd926" } ]
Action: Create Threat Intel (IOC)
This action adds a new Threat Intel (IOC) using IOC value, type, and other details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Intel (IOC) value | Enter the Threat Intel (IOC) value. For example, "cyware.com". | Text | Required |
|
Threat Intel (IOC) type | Enter the Threat Intel (IOC) type. | Text | Required | You can retrieve the threat intel types using the Get List of Threat Intel Types action. |
Additional information | Enter additional information to create Threat Intel in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional |
|
[ { "ioc_type": "domain", "ioc_value": "cyware.com" } ]
Action: Get Threat Intel (IOC) Details
This action retrieves Threat Intel (IOC) details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Intel (IOC) UID | Enter the Threat Intel (IOC) unique ID. | Text | Required |
[ { "unique_id": "Example Unique ID" } ]
Action: Get List of Threat Intel (IOC)
This action retrieves a list of Threat Intel (IOC).
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key-Value | Optional | Allowed values:
|
[ { "query_params": { "type": "ioc_domain", "tlp": "RED", "status": "cleaned", "page": 1, "page_size": 10 } } ]
Action: Update Malware Details
This action updates details of a Malware record using Malware UID and additional fields.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Malware UID | Enter the unique ID of the Malware. | Text | Required | |
Additional information | Enter the additional information about Malware to update in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional |
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status":"active" } } ]
Action: Create a Malware
This action adds/creates a Malware record.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Malware name | Enter the Malware name. For example, "New Malware". | Text | Required | |
Malware type | Enter the type of Malware. For example, "Ransomware". | List | Required | |
Affected platforms | Enter the UIDs of platforms affected by Malware in a comma-separated list. | List | Required | |
Status | Enter the status. | Text | Required | |
Additional information | Enter the additional information to create Malware in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional | |
[ { "title": "New Malware", "malware_type": "Ransomware", "platform": "Windows Server 2k12", "status": "active", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "file_type": "dll" } } ]
Action: Update Threat Actor Details
This action updates details of a particular Threat Actor.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Actor UID | Enter the Threat Actor unique ID. | Text | Required | |
Additional information | Enter additional information about Threat Actor to update in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional | |
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "type": "Hacktivist" } } ]
Action: Get Malware Details
This action retrieves details of Malware.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Malware UID | Enter the Malware unique ID. | Text | Required | |
[ { "unique_id": "Example Unique ID" } ]
Action: List Malware
This action retrieves a list of Malware.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key-Value | Optional | Allowed values: |
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get a List of Threat Actors
This action retrieves a list of Threat Actors.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key-Value | Optional | Allowed values: |
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Get Threat Actor Details
This action retrieves details of a particular Threat Actor.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Actor UID | Enter the Threat Actor unique ID. | Text | Required | |
[ { "unique_id": "Example Unique ID" } ]
Action: Create Threat Actor
This action creates a Threat Actor.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Actor title | Enter the name of the Threat Actor. For example, "NewThreatActor". | Text | Required | |
List of countries | Enter the UID of countries in a comma-separated list. | List | Required | You can retrieve the unique ID of countries using the Get Locations action. |
Threat Actor type | Enter the type of Threat Actor. For example, "Hacktivist". | Text | Required | |
Additional information | Enter the additional information to create a Threat Actor in the form of key-value pairs. For example, {"BU_name": "CFTR"}. | Key-Value | Optional | |
[ { "title": "NewThreatActor", "threat_actor_type": "Hacktivist", "countries_data": ["Afghanistan", "China"], "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "active" } } ]
Action: Update PIR Details
This action updates a PIR (Priority Intel Requirement) record/details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
PIR UID | Enter the PIR (Priority Intel Requirement) unique ID. | Text | Optional | |
Additional information | Enter additional information about PIR to update in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional | |
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z" } } ]
Action: Create a PIR
This action adds a new PIR (Priority Intel Requirement) entry/record.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
PIR title | Enter the PIR title. For example, "Security Strategy". | Text | Required | |
Assigned Group UID | Enter the unique ID of the Assigned Group. | Text | Required | |
PIR priority | Enter the PIR priority. | Text | Optional | Allowed values: |
PIR description | Enter a short description for the PIR. For example, "Strategizing threats prevention". | Text | Optional | |
Additional information | Enter the additional information to create a PIR in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional | |
[ { "title": "Security Strategy", "assigned_group": "3b3b1351-1cdf-46b7-bf90-8526720608a3", "priority": "low", "description": "Strategizing threats prevention", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z" } } ]
Action: Get PIR Details
This action retrieves PIR (Priority Intel Requirement) details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
PIR UID | Enter the Priority Intel Requirement (PIR) unique ID. | Text | Required | |
[ { "unique_id": "Example Unique ID" } ]
Action: Get PIRs
This action retrieves a list of PIR (Priority Intel Requirement).
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key-Value | Optional | Allowed values: |
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Create Enhancement
This action creates an enhancement record.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Enhancement title | Enter the enhancement title. For example, "New enhancement". | Text | Required | |
Assigned Group UID | Enter the unique ID of the Assigned Group. | Text | Required | |
Enhancement priority | Enter the priority of the enhancement. | Text | Required | Allowed values: |
Additional information | Enter the additional information to create an enhancement in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional | |
[ { "title": "New Enhancement", "assigned_group": "3b3b1351-1cdf-46b7-bf90-8526720608a3", "priority": "high", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "open" } } ]
Action: Update Enhancement Details
This action updates an enhancement's details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Enhancement UID | Enter the enhancement unique ID. | Text | Required | |
Additional information | Enter additional information about enhancement to update in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional | |
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "closed" } } ]
Action: Get Enhancement Details
This action retrieves enhancement details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Enhancement UID | Enter the enhancement unique ID. | Text | Required | |
[ { "unique_id": "Example Unique ID" } ]
Action: Get Enhancements
This action retrieves a list of enhancement records/details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key-Value | Optional | Allowed values: |
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Update Action Details
This action updates action details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action UID | Enter the unique ID of the action. | Text | Required | |
Additional information | Enter additional information about action to update in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional | |
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status":"open" } } ]
Action: Create Action
This action creates an action.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action title | Enter an action title. For example, "Analyze". | Text | Required | |
Assigned Group UID | Enter the Assigned Group unique ID. | Text | Required | |
Additional information | Enter additional information to create an action in the form of key-value pairs. For example, {"BU_name": "CFTR"}. | Key-Value | Optional | |
[ { "title": "New Action", "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "open" } } ]
Action: Get Action details
This action can be used to retrieve details of a particular action.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action UID | Enter the action unique ID. | Text | Required | |
[ { "unique_id": "Example Unique ID" } ]
Action: Get Actions
This action retrieves a list of actions.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key-Value | Optional | Allowed values: |
[ { "query_params": { "page": 1, "page_size": 10 } } ]
Action: Update Incident Details
This action updates the details of an Incident.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident UID | Enter the unique ID of an Incident. | Text | Required | |
Incident status | Enter the Incident status. | Text | Optional | Allowed values: Default value: |
Incident phase | Enter the Incident phase. | Text | Optional | Allowed values: |
Additional information | Enter additional information about an Incident to update in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional | |
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "status": "untriaged", "phase": "Containment", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z" } } ]
Action: Create Incident
This action creates an Incident.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter the Incident title. Example: New Incident | Text | Required | |
Description | Enter the description for the Incident. Example: Incident detected | Text | Required | |
Status | Enter the incident status. | Text | Required | Allowed values: By default, the value is "untriaged". |
Incident Type | Enter the attack vector of the incident. Example: Malware | Text | Required | |
Business Unit Impacted | A list of the unique IDs of the business units impacted. Example: $LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b] | List | Required | |
Locations Impacted | A list of unique IDs for the impacted locations. Example: $LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b] | List | Required | |
Source | A list of unique IDs of the sources for this incident. Example: $LIST[7c81cbda-11d8-4026-ae2f-287eaa643a9b] | Text | Required | |
Incident Date | The date of the incident in ISO 8601 time. Example: 2021-10-28T19:37:16.321856Z | Text | Required | |
Detection Date | The date this incident was detected in ISO 8601 time. Example: 2021-10-28T19:37:16.321856Z | Text | Required | |
Level | The severity level of the incident. Example: Critical | Text | Required | |
Assigned Group | The group_comm_id of the group that will be assigned to this incident. Example: AssignmentID_123 | Text | Required | |
Extra Fields | Key value pairs of additional information to add to this incident. Example: ID:123 | Key Value | Optional | |
Example Input
[ { "title": "New Incident", "description": "Incident Detected", "status": "Open", "ie_incident_type": "Malware", "business_unit_impacted": ["7c81cbda-11d8-4026-ae2f-287eaa643a9b"], "locations_impacted": ["7c81cbda-11d8-4026-ae2f-287eaa643a9b"], "source": ["7c81cbda-11d8-4026-ae2f-287eaa643a9b"], "incident_date": "2021-10-28T19:37:16.321856Z", "detection_date": "2021-10-28T19:37:16.321856Z", "level": "Critical", "assigned_group": "AssignmentID_12" } ]
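A pre-flight check for the Create Incident input, added here as an example and not part of the Cyware connector: it verifies the required parameters from the table above before a playbook submits them. The function name validate_incident and the assumption that unique IDs are UUID-formatted (as in this page's examples) are the example's own.

```python
"""Pre-flight validation of a Create Incident input (added example, not Cyware code)."""
import uuid
from datetime import datetime

# Field names follow the Example Input on this page; every parameter except
# Extra Fields is marked Required in the parameter table.
REQUIRED_TEXT = ("title", "description", "status", "ie_incident_type",
                 "level", "assigned_group")
REQUIRED_UID_LISTS = ("business_unit_impacted", "locations_impacted", "source")
REQUIRED_DATES = ("incident_date", "detection_date")


def _is_uuid(value):
    """True when value is a string in canonical 8-4-4-4-12 UUID form.

    Assumption: CFTR unique IDs are UUIDs, as in the examples on this page.
    """
    if not isinstance(value, str):
        return False
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def _parse_iso8601(value):
    """Parse an ISO 8601 timestamp such as 2021-10-28T19:37:16.321856Z."""
    if not isinstance(value, str):
        raise ValueError("not a string")
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat() rejects "Z" before 3.11
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("no UTC offset")
    return parsed


def validate_incident(payload):
    """Return a list of problems; an empty list means the input is well formed."""
    problems = []
    for key in REQUIRED_TEXT:
        value = payload.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: required non-empty text")
    for key in REQUIRED_UID_LISTS:
        value = payload.get(key)
        if not isinstance(value, list) or not value:
            problems.append(f"{key}: required non-empty list of unique IDs")
            continue
        for item in value:
            if not _is_uuid(item):
                problems.append(f"{key}: {item!r} is not a unique ID")
    for key in REQUIRED_DATES:
        try:
            _parse_iso8601(payload.get(key))
        except ValueError as exc:
            problems.append(f"{key}: not ISO 8601 with offset ({exc})")
    if not isinstance(payload.get("extra_fields", {}), dict):
        problems.append("extra_fields: must be key-value pairs")
    return problems


# Constructed sample inputs: GOOD mirrors the Example Input on this page; BAD
# carries mistakes a playbook mapping step can introduce from raw alert data.
GOOD = {
    "title": "New Incident",
    "description": "Incident Detected",
    "status": "Open",
    "ie_incident_type": "Malware",
    "business_unit_impacted": ["7c81cbda-11d8-4026-ae2f-287eaa643a9b"],
    "locations_impacted": ["7c81cbda-11d8-4026-ae2f-287eaa643a9b"],
    "source": ["7c81cbda-11d8-4026-ae2f-287eaa643a9b"],
    "incident_date": "2021-10-28T19:37:16.321856Z",
    "detection_date": "2021-10-28T19:37:16.321856Z",
    "level": "Critical",
    "assigned_group": "AssignmentID_12",
}
BAD = dict(GOOD, source=["Firewall"], detection_date="28/10/2021", level="")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_incident(sample) or "ok")
```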
Action: Get Incident Details
This action retrieves Incident details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident UID | Enter the Incident unique ID. | Text | Required | |
[ { "unique_id": "Example Unique ID" } ]
Action: Get Incidents
This action retrieves a list of Incidents.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values: |
[ { "query_params": { "page": 1, "page_size": 10, "status": "open" } } ]
Action: Update Campaign Details
This action updates Campaign details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Campaign UID | Enter the unique ID of the Campaign. | Text | Required | |
Additional information | Enter the additional information about the campaign details to update in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional | |
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z" } } ]
Action: Get Campaign Details
This action retrieves Campaign details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Campaign UID | Enter the Campaign unique ID. | Text | Required | |
[ { "unique_id": "Example Unique ID" } ]
Action: Get Campaigns
This action retrieves a list of Campaigns.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values: |
[ { "query_params": { "page": 1, "page_size": 10, "status": "ACTIVE" } } ]
Action: Update Threat Briefing Details
This action updates details of a Threat Briefing.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Briefing UID | Enter the unique ID of the Threat Briefing. | Text | Required | |
Additional information | Enter the additional information about the Threat Briefing to update in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional | |
[ { "unique_id": "afce2d6f-0495-4540-984b-c47652a9785b", "extra_fields": { "created": "2021-07-23T11:36:59.803613Z", "modified": "2021-07-23T11:36:59.803613Z", "status": "Active" } } ]
Action: Create a Threat Briefing
This action adds a Threat Briefing record.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat briefing title | Enter the Threat Briefing title. For example, "New Threat Briefing". | Text | Required | |
Business Units (BU) | Enter Business Unit IDs in a comma-separated list. | List | Required | You can retrieve the unique ID of business units using the Get Business Units action. |
Locations | Enter location IDs in a comma-separated list. | List | Required | You can retrieve the unique ID of locations using the Get Locations action. |
Description | Enter a short description related to the Threat Briefing. For example, "new threat briefing added". | Text | Optional | |
Additional information | Enter the additional information to create a Threat Briefing in the form of key-value pairs. For example, {"BU_name": "Business Unit 1"}. | Key-Value | Optional | |
[ { "title": "New Threat Briefing", "description": "new threat briefing added", "business_units": ["941563df-d8be-4c0e-9d3c-ac6906107300"], "locations": ["941563df-d8be-4c0e-9d3c-ac6906107399"], "extra_fields": { "state": "62044014-dc5f-4e6d-8a07-c9cab089dccd", "modified": "2019-12-19T09:48:06.402132Z" } } ]
Action: Get Threat Briefings
This action retrieves a list of Threat Briefings.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter results. | Key-Value | Optional | Allowed values: |
[ { "query_params": { "page": 1, "page_size": 10, "status": "ACTIVE" } } ]
Action: Get Threat Briefing Details
This action retrieves Threat Briefing details.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Briefing UID | Enter the Threat Briefing unique ID. | Text | Required | |
[ { "unique_id": "Example Unique ID" } ]
Action: Fetch Health Console Status
This action retrieves console status.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key-Value | Optional | Allowed values: |
[ { "query_params": { "created_date__gte": "1627835818", "created_date__lte": "1596299815" } } ]
Action: Get List of Recommended Users for an Incident
This action retrieves the list of users who are automatically recommended by CFTR for assigning to a specific incident. Recommendations are shown based on their roster and the history of incidents handled.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the Incident's unique ID. | Text | Required | |
Allocation Datetime | Enter the allocation date and time in Epoch format. | Text | Optional | |
Apply ML | Specify whether to use or skip ML when retrieving the user list. | Boolean | Optional | Default value: true Allowed values: |
[ { "apply_ml": true, "unique_id": "Example Unique ID" } ]
Action: Upload Attachment
This action uploads an attachment to a component.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Identifier | Enter the object/component identifier. Example: "incident" | Text | Required | Accepted values: |
Object Unique ID | Enter the unique ID for the object. Example: "df0xxxx7-baca-4d21-96ae-15xxx7191" | Text | Required | |
File Path | Specify the path for the file to upload. Example: "/tmp/d70dd6a1-71f3-412a-9f1d-6c5d74b544fc/local_file.txt" | Text | Required | Note: The file must be a Linux/Unix data path. |
File Type | Enter the file type for the attachment. Example: "artifact" | Text | Optional | Accepted values: |
{ "object_unique_id": "df0xxxx7-baca-4d21-96ae-15xxx7191", "object_identifier": "incident", "file_path": "/tmp/d70dd6a1-71f3-412a-9f1d-6c5d74b544fc/local_file.txt" }
Action: List Custom Modules
This action retrieves the name and identifier of the custom modules.
Input Parameters
This action does not require any input parameter.
Action: List Custom Module Entries
This action retrieves the entries of a custom module.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Identifier | Enter the component identifier of a module to retrieve the entries. Example: module1 | Text | Required | You can retrieve the Component Identifier of a module using the List Custom Modules action. |
Example Request
{ "component_identifier": "module1" }
Action: Get Custom Module Details
This action retrieves the details of a custom module entry.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Identifier | Enter the component identifier of a custom module. Example: module1 | Text | Required | You can retrieve the Component Identifier of a module using the List Custom Modules action. |
Instance Unique ID | Enter the unique ID of a custom module entry. Example: 822c2781-8ea0-4122-8176-8995a4c81dca | Text | Required | You can retrieve the Component Identifier of a module using the List Custom Module Entries action. |
Example Request
{ "component_identifier": "module1", "instance_unique_id": "822c2781-8ea0-4122-8176-8995a4c81dca" }
Action: Create Custom Module Entry
This action creates a custom module entry.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Identifier | Enter the component identifier of a custom module. Example: module1 | Text | Required | You can retrieve the Component Identifier of a module using the List Custom Modules action. |
Title | Enter a title for the entry. Example: Lost IoT device | Text | Required | |
Description | Enter a description of the entry. Example: An IoT device is missing from the inventory. | Text | Required | |
Payload | Enter the additional information to be added in the custom module entry in key-value pairs. | Key Value | Optional | Use the field_readable_key of the custom fields as keys. |
Example Request
{ "component_identifier": "module1", "title": "Lost IoT device", "description": "An IoT device is missing from the inventory." }
Action: Update Custom Module Entry
This action updates a custom module entry.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Identifier | Enter the component identifier of a custom module. Example: module1 | Text | Required | You can retrieve the Component Identifier of a module using the List Custom Modules action. |
Instance Unique ID | Enter the ID of a custom module entry to update. Example: 822c2781-8ea0-4122-8176-8995a4c81dca | Text | Required | You can retrieve the Component Identifier of a module using the List Custom Module Entries action. |
Title | Enter a title for the entry. Example: Lost IoT device | Text | Required | |
Description | Enter a description of the entry. Example: An IoT device is missing from the inventory. | Text | Required | |
Payload | Enter the additional information to be added in the custom module entry in key-value pairs. | Key Value | Optional | Use the field_readable_key of the custom fields as keys. |
Example Request
{ "component_identifier": "module1", "instance_unique_id": "822c2781-8ea0-4122-8176-8995a4c81dca", "title": "Lost IoT device", "description": "An IoT device is missing from the inventory." }
Action: Add Comment in Custom Module
This action adds comments in a custom module entry.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component Identifier | Enter the component identifier of a custom module. Example: module1 | Text | Required | You can retrieve the Component Identifier of a module using the List Custom Modules action. |
Instance Unique ID | Enter the ID of a custom module entry to update. Example: 822c2781-8ea0-4122-8176-8995a4c81dca | Text | Required | You can retrieve the Component Identifier of a module using the List Custom Module Entries action. |
Description | Enter the comment to be added. Example: IP address to be blocked. | Text | Required | |
Mentioned Users Usernames | Enter the list of usernames of users mentioned in the comment. Example: $LIST[john_doe] | List | Optional | You can retrieve the username of a user using the Get CFTR Users action. |
Example Request
{ "component_identifier": "module1", "instance_unique_id": "822c2781-8ea0-4122-8176-8995a4c81dca", "description": "IP address to be blocked.", "mentioned_users_usernames": ["john_doe"] }
Action: List Incident Workflows
This action retrieves all the incident workflows from your CFTR application.
Input Parameters
This action does not require any input parameter.
Action: Get Incident Workflow Details
This action retrieves the details of an incident workflow.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Workflow ID | Enter the ID of an incident workflow. Example: 5ca19332-75e2-4e1b-953a-22f8b467ea1d | Text | Required | You can retrieve the ID of an incident workflow using the List Incident Workflows action. |
Example Request
{ "id": "5ca19332-75e2-4e1b-953a-22f8b467ea1d" }
Action: Threat Intel Form Structure
This action retrieves the form field structure of the Threat Intel module.
Input Parameters
This action does not require any input parameter.
Action: Get List of Threat Intel Types
This action retrieves all the Threat Intel types in the CFTR application.
Input Parameters
This action does not require any input parameter.
Action: Connect Modules
This action connects module entries so that the connections are reflected in Connect the Dots of each module.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Data | Enter the module keys and the respective list of module entry IDs in key-value pairs. Example: $JSON{"incident":["1d9509c9-501b-4261-ba85-a9690acc5100","49b46c68-b10d-41fd-82e7-1681fd8b7787"],"vulnerability":["b4afd23b-a13f-4a4a-bacb-99e6aa465d42","eda602cc-4118-48b7-9394-e2bf954c7135"],"ioc_ip":["25f952cf-ff04-43b0-99a6-4ddbd67ba744","ecb6a7fb-cb8a-4d56-ad62-96e24412d9a1"],"ioc_domain":["1c2761b0-9bda-48d1-81d5-45b69eb04138"],"ioc_email":["38670dbc-cd59-4461-bcbe-610fad10b49c"],"ioc_SHA256":["81e3a43b-c9b8-4027-81c2-6586ce1450e5"],"device":["ccb5c6bf-32b8-4a2f-94e8-6dcdfcd532e1"],"campaign":["5fe20073-ded5-462e-88c8-23f64ea9a662"],"enhancement":["648a0746-52f6-4e0c-a35b-9ae76cf78335"],"malware":["7940e65d-7336-4fbd-b3e4-addbd6d70958"],"action":["983a8175-e3a1-4fe1-8536-537bdc7cce82","660ca3a8-5f67-4959-b4ac-94750104e614"],"pir":["09ce52b9-e761-4078-aa11-d60f72f5b9da"],"general-user":["c367f9ff-5120-4789-8a75-771d3ca299a8"],"asset-software":["9c3000ae-0992-4c35-bc4d-aad049999796"]} | Key Value | Required | If you enter multiple incident IDs, the incidents will not be connected with each other as related incidents. To know more about the allowed module keys, see CFTR API Reference. |
Example Request
{ "data": { "incident": [ "1d9509c9-501b-4261-ba85-a9690acc5100", "49b46c68-b10d-41fd-82e7-1681fd8b7787" ], "vulnerability": [ "b4afd23b-a13f-4a4a-bacb-99e6aa465d42", "eda602cc-4118-48b7-9394-e2bf954c7135" ], "ioc_ip": [ "25f952cf-ff04-43b0-99a6-4ddbd67ba744", "ecb6a7fb-cb8a-4d56-ad62-96e24412d9a1" ], "ioc_domain": [ "1c2761b0-9bda-48d1-81d5-45b69eb04138" ], "ioc_email": [ "38670dbc-cd59-4461-bcbe-610fad10b49c" ], "ioc_SHA256": [ "81e3a43b-c9b8-4027-81c2-6586ce1450e5" ], "device": [ "ccb5c6bf-32b8-4a2f-94e8-6dcdfcd532e1" ], "campaign": [ "5fe20073-ded5-462e-88c8-23f64ea9a662" ], "enhancement": [ "648a0746-52f6-4e0c-a35b-9ae76cf78335" ], "malware": [ "7940e65d-7336-4fbd-b3e4-addbd6d70958" ], "action": [ "983a8175-e3a1-4fe1-8536-537bdc7cce82", "660ca3a8-5f67-4959-b4ac-94750104e614" ], "pir": [ "09ce52b9-e761-4078-aa11-d60f72f5b9da" ], "general-user": [ "c367f9ff-5120-4789-8a75-771d3ca299a8" ], "asset-software": [ "9c3000ae-0992-4c35-bc4d-aad049999796" ] } }
Action: Get Templates
This action retrieves the merge incident templates.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page No | Enter the page number to retrieve merge incident templates. Example: 1 | Integer | Optional | Default value: 1 |
Page Size | Enter the number of merge incident templates to retrieve per page. Example: 10 | Integer | Optional | Default value: 10 |
Example Request
{ "page_no": 1, "page_size": 10 }
Action: Get Rosters
This action retrieves all rosters that are configured in the CFTR application.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page No | Enter the page number to retrieve rosters. Example: 1 | Integer | Optional | Default value: 1 |
Page Size | Enter the number of rosters to retrieve per page. Example: 10 | Integer | Optional | Default value: 10 |
All Data | Enter true to retrieve all rosters. Example: false | Boolean | Optional | If you enter false, then the rosters list is returned in a paginated manner. Rosters are returned as per the values defined in the Page No and Page Size parameters. Default value: true |
Search Query | Enter the query text to search rosters. Example: analyst | Text | Optional | |
{ "page_no": 1, "page_size": 10, "all_data": false, "search_query": "analyst" }
Action: Generic Action
This is a generic action to perform any additional use case on CFTR.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint | Enter the complete endpoint to make the call to. Example: incident/ | Text | Required | |
HTTP Method | Enter the HTTP endpoint method in uppercase. Example: POST | Text | Required | |
Query Params | Enter the query parameters to pass. Example: page_no page_size | Key Value | Optional | |
Payload JSON | Enter the JSON payload to pass with the body of a request. Example: $JSON[{'data': {'type': type,'id': id}}] | Any | Optional | |
Payload data | Enter the payload data to pass with the body of a request. | Any | Optional | |
Example Request
[ { "endpoint": "device/", "http_method": "GET", "query_params": {} } ]