
Cyware Orchestrate

Cybersixgill 2.0.0

App Vendor: Cybersixgill

App Category: Data Enrichment & Threat Intelligence

Connector Version: 2.0.0

API Version: v1.0

About App

Cybersixgill analyzes and monitors the deep web as well as the dark web for threat intelligence and proactively enriches endpoint protection in real time.

The Cybersixgill app is configured with Cyware Orchestrate to perform the following actions:

| Action Name | Description |
|---|---|
| Enrich IOC | This action retrieves items in STIX format related to the specified IOC. |
| Get Actionable Alert Content | This action retrieves the content of an actionable alert. |
| Get Actionable Alerts | This action retrieves a list of actionable alerts. |
| Get Leaked Credentials | This action retrieves leaked credentials for a specific domain and email. |
| Get Leaked Login Credentials | This action retrieves information about leaked login credentials for your company applications. |
| Get Next Set of Leaked Credentials | This action retrieves the next batch of leaked credential intel items using the given pagination object. |
| Get Next Set of Leaked Login Credentials | This action retrieves the next batch of leaked login credentials for your company applications using the given pagination object. |
| Update Actionable Alerts (Beta) | This action updates a list of actionable alerts by ID. |
| Generic Action | This is a generic action used to make requests to any Cybersixgill endpoint. |

Configuration Parameters

The following configuration parameters are required for the Cybersixgill app to communicate with the Cybersixgill enterprise application. The parameters can be configured by creating instances in the app.

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Client Secret | Enter the client secret to authenticate with Cybersixgill. Example: 0mogvdvxxxxxxxxxxxxx9otgbyxkrriry | Password | Required | |
| Client ID | Enter the client ID. Example: orgname-cve3xxx0xh | Text | Required | |
| Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Cybersixgill. | Integer | Optional | Allowed range: 15-120. Default value: 15 |
| Verify | Choose whether to verify the SSL/TLS certificate while making requests. It is recommended to set this option to yes; passing no skips certificate verification and may result in the connection being established incorrectly. | Boolean | Optional | By default, this is not enabled. |
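As an added illustration (not the app's own code), the following Python check applies the documented Timeout range and default and the yes/no Verify setting to an instance configuration, and flags the weak default where the Cybersixgill endpoint's certificate would go unverified. The function names and the shape of the configuration dictionary are assumptions.

```python
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15  # documented range/default
_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0", ""}


def parse_verify(value) -> bool:
    """Map the Verify field to a bool. The page phrases it as yes/no, so accept
    those strings as well as real booleans; anything unrecognised is rejected
    rather than guessed, because a wrong guess here silently drops TLS checks."""
    if isinstance(value, bool):
        return value
    if value is None:
        return False  # documented default: not enabled
    text = str(value).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError(f"Verify must be yes/no or a boolean, got {value!r}")


def parse_timeout(value) -> int:
    """Apply the documented default (15) and reject values outside 15-120
    instead of silently clamping them."""
    if value is None:
        return TIMEOUT_DEFAULT
    try:
        timeout = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"Timeout must be an integer, got {value!r}") from None
    if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        raise ValueError(f"Timeout {timeout} outside {TIMEOUT_MIN}-{TIMEOUT_MAX}")
    return timeout


def review_instance(config: dict) -> dict:
    """Return the keyword arguments a requests-style HTTP call would take
    (timeout, verify) plus findings worth surfacing before the instance is saved.
    `config` is an assumed dict keyed by the page's parameter names in snake_case."""
    findings = []
    if not config.get("client_id") or not config.get("client_secret"):
        findings.append("Client ID and Client Secret are both required")
    verify = parse_verify(config.get("verify"))
    if not verify:
        findings.append("Verify is off: the Cybersixgill endpoint's TLS certificate is not checked")
    return {"timeout": parse_timeout(config.get("timeout")), "verify": verify, "findings": findings}
```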

Action: Enrich IOC

This action retrieves items in STIX format related to the specified IOC.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Channel ID | Enter the IOC consumer channel ID. Example: d5cd46c205c20c87006b55a18b106428 | Text | Required | |
| IOC Type | Enter the IOC type. Specify the value for these types in the IOC Value parameter. Example: domain | Text | Optional | Allowed values: ip, domain, URL, hash |
| IOC Value | Enter the IOC value based on the specified IOC Type. Example: exampledomain.com | Text | Optional | |
| Limit | Enter the number of IOCs to return. | Integer | Optional | Default value: 50 |
| Skip | Enter how many IOC items to skip before displaying results. Example: if the skip value is 200, results start from the 201st item and continue until the limit is reached. | Integer | Optional | Default value: 0 (displays from the first item) |
| Sixgill Field Type | Enter the Cybersixgill field type. | Text | Optional | Allowed values: actor, post_id |
| Sixgill Field Value | Enter the value to match for the specified Sixgill Field Type; only IOC items containing it are returned. Example: 459ef8c762fa6c34e19031141642e9097f43a405 | Text | Optional | |

Action: Get Actionable Alert Content

This action retrieves the content of an actionable alert.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Actionable Alert ID | Enter the ID of the actionable alert. Example: 5fbcfeb23a5ce900013de081 | Text | Required | You can retrieve the actionable alert ID using the action Get Actionable Alerts. |
| Limit | Enter the number of actionable alert content replies to retrieve. | Integer | Optional | Default value: 50 |
| Fetch IPs | Choose true to retrieve content_ips from the alert content if they are available. The response will include a maximum of 100 content_ips. | Boolean | Optional | |
| Fetch Content URLs | Choose true to retrieve content_urls from the alert content if they are available. The response will include a maximum of 1000 content_urls. | Boolean | Optional | Default value: false |
| Fetch Only Current Item | Choose true to retrieve only the specific intel item instead of the complete thread. | Boolean | Optional | Default value: false |
| Extra Params | Enter the extra parameters to retrieve actionable alert content. Example: {highlight: True}, {aggregate_alert_id: -1} | Key value | Optional | Allowed keys: organization_id, highlight, aggregate_alert_id |

Action: Get Actionable Alerts

This action retrieves a list of actionable alerts.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| From Date | Enter the start date in YYYY-MM-DD HH:mm:ss format to retrieve alerts from that time. | Text | Optional | |
| To Date | Enter the end date in YYYY-MM-DD HH:mm:ss format to retrieve alerts until that time. | Text | Optional | |
| Fetch Size | Enter the number of alerts to return. | Integer | Optional | Default value: 50 |
| Alert Status | Enter the status of the alert to filter the response. | List | Optional | Allowed values: treatment_required, in_treatment, resolved |
| Extra Params | Enter the extra parameters to filter the response. Example: {is_read = False}, {sort_order = "asc"} | Key-Value | Optional | Allowed keys: sort_by, sort_order, offset, alert_type_id, organization_id, is_read, threat_level, threat_type |

Action: Get Leaked Credentials

This action retrieves leaked credentials for a specific domain and email.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Domain | Enter the domain associated with the leaked credentials. Example: test.com | Text | Optional | |
| Email | Enter the email address associated with the leaked credentials. Example: john.doe@gmail.com | Text | Optional | |
| Limit | Enter the number of IOCs to return. | Integer | Optional | Default value: 50 |
| Skip | Enter how many IOC items to skip before displaying results. | Integer | Optional | Default value: 0 |
| Password Policy | Choose true to get only credentials that match your password policy. | Boolean | Optional | Default value: true |
| Additional Data | Enter any additional fields to get leaked credentials. Example: {'pagination':{'sort_by':[{"field": "breach_id","order": "asc"}]}} | Key Value | Optional | |
| Organization ID | Enter the organization ID to make the request in the context of the organization. | Text | Optional | |

Action: Get Leaked Login Credentials

This action retrieves information about leaked login credentials for your company applications.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Host Domain | Enter the host domain associated with the leaked credentials. Example: sampledomain.com | Text | Required | |
| Start Date | Enter the start date of the publication date range in yyyy-mm-dd format. Example: 2023-03-23 | Text | Optional | |
| End Date | Enter the end date of the publication date range in yyyy-mm-dd format. Example: 2024-03-21 | Text | Optional | |
| Limit | Enter the number of IOCs to return. | Integer | Optional | Default value: 50 |
| Skip | Enter how many IOC items to skip before displaying results. | Integer | Optional | Default value: 0 |
| Additional Data | Enter the additional data to pass to the API. Example: {'pagination':{'sort_by':[{"field": "breach_id","order": "asc"}]}} | Key Value | Optional | |
| Organization ID | Enter the organization ID to make the request in the context of the organization. | Text | Optional | |

Action: Get Next Set of Leaked Credentials

This action retrieves the next batch of leaked credential intel items using the given pagination object.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Next Page Token | Enter the next page token. Example: fsdgaergewrtggfhfgdhdssrft342rfa= | Password | Required | |
| Organization ID | Enter the organization ID to make the request in the context of the organization. | Text | Optional | |

Action: Get Next Set of Leaked Login Credentials

This action retrieves the next batch of leaked login credentials for your company applications using the given pagination object.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Next Page Token | Enter the next page token. Example: fsdgaergewrtggfhfgdhdssrft342rfa= | Password | Required | |
| Organization ID | Enter the organization ID to make the request in the context of the organization. | Text | Optional | |

Action: Update Actionable Alerts (Beta)

This action updates a list of actionable alerts by ID.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Actionable Alert ID List | Enter the list of actionable alert IDs that you want to update. Example: ["5fb4c6a6d604c200010f0916"] | List | Required | You can retrieve the actionable alert ID using the action Get Actionable Alerts. |
| Set Read | Enter the value of read status. Example: read | Text | Optional | Allowed values: read, unread |
| Extra Params | Enter the extra parameters to update the actionable alerts. | Key-Value | Optional | Allowed keys: threat_level, threat_type |

Action: Generic Action

This is a generic action used to make requests to any Cybersixgill endpoint.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
| Endpoint | Enter the endpoint to make the request to. Example: ioc/enrich | Text | Required | |
| Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
| Payload | Enter the payload to pass to the API. | Any | Optional | |
| Additional Data | Enter the additional data you want to pass to the API. | Key Value | Optional | |
| Headers | Enter the headers to update. Example: {"x-channel-id": channel_id} | Key Value | Optional | |