Cybersixgill 2.0.0
App Vendor: Cybersixgill
App Category: Data Enrichment & Threat Intelligence
Connector Version: 2.0.0
API Version: v1.0
About App
Cybersixgill analyzes and monitors the deep web as well as the dark web for threat intelligence and proactively enriches endpoint protection in real time.
The Cybersixgill app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Enrich IOC | This action retrieves items in STIX format related to the specified IOC. |
Get Actionable Alert Content | This action retrieves the content of an actionable alert. |
Get Actionable Alerts | This action retrieves a list of actionable alerts. |
Get Leaked Credentials | This action retrieves leaked credentials for a specific domain and email. |
Get Leaked Login Credentials | This action retrieves information about leaked login credentials for your company applications. |
Get Next Set of Leaked Credentials | This action retrieves the next batch of leaked credential intel items using a given pagination object. |
Get Next Set of Leaked Login Credentials | This action retrieves the next batch of leaked login credentials for your company applications using a given pagination object. |
Update Actionable Alerts (Beta) | This action updates a list of actionable alerts by ID. |
Generic Action | This is a generic action used to make requests to any Cybersixgill endpoint. |
Configuration Parameters
The following configuration parameters are required for the Cybersixgill app to communicate with the Cybersixgill enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client Secret | Enter the client secret to authenticate with Cybersixgill. Example: 0mogvdvxxxxxxxxxxxxx9otgbyxkrriry | Password | Required | |
Client ID | Enter the client ID. Example: orgname-cve3xxx0xh | Text | Required | |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Cybersixgill. | Integer | Optional | Allowed range: 15-120. Default value: 15 |
Verify | Choose your preference to verify the SSL or TLS certificate while making requests. It is recommended to set this option to yes. Setting it to no may cause the connection to be established without certificate verification. | Boolean | Optional | By default, this is not enabled. |
Action: Enrich IOC
This action retrieves items in STIX format related to the specified IOC.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Channel ID | Enter the IOC consumer channel ID. Example: d5cd46c205c20c87006b55a18b106428 | Text | Required | |
IOC Type | Enter the IOC type. Specify the value for these types in the IOC Value parameter. Example: domain | Text | Optional | Allowed values: ip, domain, URL, hash |
IOC Value | Enter the IOC value based on the specified IOC Type. Example: exampledomain.com | Text | Optional | |
Limit | Enter the number of IOCs to return. | Integer | Optional | Default value: 50 |
Skip | Enter how many IOC items to skip before displaying results. Example: If the skip value is 200, results start from the 201st item and continue until the limit is reached. | Integer | Optional | Default value: 0 (displays from the first item) |
Sixgill Field Type | Enter the Cybersixgill field type. | Text | Optional | Allowed values: actor, post_id |
Sixgill Field Value | Enter the IOC items containing the value based on the specified Sixgill Field Type. Example: 459ef8c762fa6c34e19031141642e9097f43a405 | Text | Optional | |
Action: Get Actionable Alert Content
This action retrieves the content of an actionable alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Actionable Alert ID | Enter the ID of the actionable alert. Example: 5fbcfeb23a5ce900013de081 | Text | Required | You can retrieve the actionable alert ID using the action Get Actionable Alerts. |
Limit | Enter the number of actionable alert content replies to retrieve. | Integer | Optional | Default value: 50 |
Fetch IPs | Choose true to retrieve content_ips from the alert content if they are available. The response will include a maximum of 100 content_ips. | Boolean | Optional | |
Fetch Content URLs | Choose true to retrieve content_urls from the alert content if they are available. The response will include a maximum of 1000 content_urls. | Boolean | Optional | Default value: false |
Fetch Only Current Item | Choose true to retrieve only the specific intel item instead of the complete thread. | Boolean | Optional | Default value: false |
Extra Params | Enter the extra parameters to retrieve actionable alert content. Example: {highlight: True}, {aggregate_alert_id: -1} | Key Value | Optional | Allowed keys: organization_id, highlight, aggregate_alert_id |
Action: Get Actionable Alerts
This action retrieves a list of actionable alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
From Date | Enter the start date in YYYY-MM-DD HH:mm:ss format to retrieve alerts from that time. | Text | Optional | |
To Date | Enter the end date in YYYY-MM-DD HH:mm:ss format to retrieve alerts until that time. | Text | Optional | |
Fetch Size | Enter the number of alerts to return. | Integer | Optional | Default value: 50 |
Alert Status | Enter the status of the alert to filter the response. | List | Optional | Allowed values: treatment_required, in_treatment, resolved |
Extra Params | Enter the extra parameters to filter the response. Example: {is_read = False}, {sort_order = "asc"}. | Key Value | Optional | Allowed keys: sort_by, sort_order, offset, alert_type_id, organization_id, is_read, threat_level, threat_type |
Action: Get Leaked Credentials
This action retrieves leaked credentials for a specific domain and email.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain associated with the leaked credentials. Example: test.com | Text | Optional | |
Email | Enter the email address associated with the leaked credentials. Example: john.doe@gmail.com | Text | Optional | |
Limit | Enter the number of leaked credential items to return. | Integer | Optional | Default value: 50 |
Skip | Enter how many leaked credential items to skip before displaying results. | Integer | Optional | Default value: 0 |
Password Policy | Choose true to get only credentials that match your password policy. | Boolean | Optional | Default value: true |
Additional Data | Enter any additional fields to get leaked credentials. Example: {'pagination':{'sort_by':[{"field": "breach_id","order": "asc"}]}} | Key Value | Optional | |
Organization ID | Enter the organization ID to make the request in the context of the organization. | Text | Optional | |
Action: Get Leaked Login Credentials
This action retrieves information about leaked login credentials for your company applications.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Domain | Enter the host domain associated with the leaked credentials. Example: sampledomain.com | Text | Required | |
Start Date | Enter the start date of the publication date range in yyyy-mm-dd format. Example: 2023-03-23 | Text | Optional | |
End Date | Enter the end date of the publication date range in yyyy-mm-dd format. Example: 2024-03-21 | Text | Optional | |
Limit | Enter the number of leaked credential items to return. | Integer | Optional | Default value: 50 |
Skip | Enter how many leaked credential items to skip before displaying results. | Integer | Optional | Default value: 0 |
Additional Data | Enter the additional data to pass to the API. Example: {'pagination':{'sort_by':[{"field": "breach_id","order": "asc"}]}} | Key Value | Optional | |
Organization ID | Enter the organization ID to make the request in the context of the organization. | Text | Optional | |
Action: Get Next Set of Leaked Credentials
This action retrieves the next batch of leaked credential intel items using a given pagination object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Next Page Token | Enter the next page token. Example: fsdgaergewrtggfhfgdhdssrft342rfa= | Password | Required | |
Organization ID | Enter the organization ID to make the request in the context of the organization. | Text | Optional | |
Action: Get Next Set of Leaked Login Credentials
This action retrieves the next batch of leaked login credentials for your company applications using a given pagination object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Next Page Token | Enter the next page token. Example: fsdgaergewrtggfhfgdhdssrft342rfa= | Password | Required | |
Organization ID | Enter the organization ID to make the request in the context of the organization. | Text | Optional | |
Action: Update Actionable Alerts (Beta)
This action updates a list of actionable alerts by ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Actionable Alert ID List | Enter the list of actionable alert IDs that you want to update. Example: ["5fb4c6a6d604c200010f0916"]. | List | Required | You can retrieve the actionable alert ID using the action Get Actionable Alerts. |
Set Read | Enter the value of read status. Example: read | Text | Optional | Allowed values: read, unread |
Extra Params | Enter the extra parameters to update the actionable alerts. | Key Value | Optional | Allowed keys: threat_level, threat_type |
Action: Generic Action
This is a generic action used to make requests to any Cybersixgill endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the endpoint to make the request to. Example: ioc/enrich | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Additional Data | Enter the additional data you want to pass to the API. | Key Value | Optional | |
Headers | Enter the headers to update. Example: {"x-channel-id": channel_id} | Key Value | Optional | |