Cyware Intel Exchange
App Vendor: Cyware
App Category: Cyware Product, Data Enrichment & Threat Intelligence
Connector Version: 2.0.3
API Version: 3.0.0
About App
The Cyware Intel Exchange app enables security teams to ingest, enrich, analyze, and share threat intelligence in real time, helping improve threat visibility and response across trusted networks.
The Cyware Intel Exchange app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add Custom Aliases | This action adds custom aliases to threat data objects such as threat actors, malware, attack patterns, campaigns, infrastructures, intrusion sets, and tools. |
Add Note to Threat Data Object | This action adds a note to a threat data object. |
Add Subscriber | This action adds a subscriber to Intel Exchange. |
Add Tag to Threat Data | This action adds a tag to a threat object. |
Bulk Add Analyst Score | This action adds an analyst score to multiple threat data objects. |
Bulk Add or Remove Watchlist | This action adds or removes multiple threat data objects from the watchlist. |
Bulk Add Relation | This action adds a relation to multiple threat data objects. |
Bulk Add Tags | This action adds tags to multiple threat data objects. |
Bulk Add TLP | This action adds TLP to multiple threat data objects. |
Bulk IOC Advanced Lookup | This action performs a bulk lookup for threat data objects in the Intel Exchange platform and retrieves their basic details, enriched information, and related objects. |
Bulk Lookup And Create Intel | This action performs a lookup for IOCs to retrieve the list of objects available in the Intel Exchange platform. If some IOCs are not available, you can choose to create intel and ingest the missing IOCs. This action is available in Intel Exchange from the release v3.3.1 and later versions. |
Bulk Remove Tags | This action removes tags from multiple threat data objects. |
Bulk Run Rule | This action runs a rule on multiple threat data objects. |
Create Bulk Notes | This action creates notes in bulk for multiple threat data objects. |
Create Collection | This action creates a collection on Intel Exchange. |
Create Intel | This action is used to create intel by providing minimal details of indicators, SDOs, relations, custom objects, and indicators parsed from free text. |
Create Saved Search | This action creates a saved search on Intel Exchange. |
Create Tag | This action creates a tag on Intel Exchange. |
Create Task in Multiple Objects | This action creates a task in multiple threat data objects. |
Create Task in Threat Data Object | This action creates a task for a threat data object. |
Create Task to Parse IOCs | This action creates an IOC parsing task to extract STIX objects from free text data or a web page. |
Create Threat Defender Content | This action creates a threat defender content record. |
Delete Note From Threat Data Object | This action deletes a note by its unique ID. |
Delete Report | This action deletes a report from Intel Exchange. Note: This action is irreversible. |
Delete Saved Search | This action deletes a saved search using the specified ID. |
Delete Task From Threat Data Object | This action deletes a task of a threat data object. |
Enrich Threat Data | This action retrieves the enriched data of a threat data object using the enrichment tool. |
Export File | This action retrieves the export data in CSV format. |
Filter Relations by Source | This action retrieves source-specific relations of a threat data object. |
Generate Export Link | This action is used to generate an export link, which can be used to share data on Intel Exchange. |
Get Accounts for Integration Tool | This action lists all accounts of an integration tool in Intel Exchange. |
Get Action Overview | This action retrieves an overview of the action data of a threat data object. |
Get Action Statistics | This action retrieves the statistics of the actions performed on a threat data object. |
Get Advanced Details for a Threat Data Object | This action retrieves additional information about a threat data object, such as kill chain phases and published collections. |
Get Key Evidence of Confidence Score | This action retrieves the key evidence for the Intel Exchange confidence score calculation. |
Get Kill Chain Details | This action retrieves the details of a STIX kill chain phase. |
Get License Details | This action retrieves the license details. |
Get Note Details | This action retrieves the details of the specified note. |
Get Object Source Details | This action retrieves source-specific details of a threat data object. |
Get Object Source Details in List View | This action lists all the occurrences when the specified threat data object was ingested into the platform by the given source. |
Get Quick Action Details | This action retrieves the status of the quick actions performed on a threat data object. |
Get Related Objects | This action retrieves the related objects of an object type. |
Get Relations Overview | This action retrieves the overall relations statistics of a threat data object. |
Get Report Details | This action retrieves the details of a report. |
Get Report Run Logs | This action retrieves the report run logs. |
Get Result of Parse IOCs Task | This action retrieves the result after successfully processing the create parse IOCs task action. |
Get Rule Details | This action retrieves the details about a rule. |
Get Saved Search Details | This action retrieves the details of a saved search. |
Get Signed in User Details | This action retrieves details of the currently logged-in user. |
Get Task Details in Threat Data Object | This action retrieves the details of a task. |
Get Task Details of Parsing IOCs | This action retrieves the details of the specified parse IOCs task. |
Get Task Overview in Threat Data Object | This action retrieves an overview of the tasks created for a threat data object. |
Get Threat Data Object Details | This action retrieves basic correlated details of a threat data object in Intel Exchange. |
Get User Details | This action retrieves the details of the specified user. |
Get User Group Details | This action retrieves the details of the specified user group. |
Get Widget Data | This action retrieves the data of a particular widget present in Intel Exchange. |
Import Intel | This action imports threat data to Intel Exchange. |
Ingest STIX Data | This action is used to ingest STIX 2.1 data into Intel Exchange. |
List Actions | This action retrieves a list of actions performed on a threat data object. |
List All Collections | This action lists all collections on Intel Exchange. |
List All Tags | This action lists all tags from Intel Exchange. |
List API Feeds | This action lists all API feeds available on Intel Exchange. |
List Custom Attributes of Threat Data Object | This action retrieves the custom attributes of a threat data object with respect to all the sources the object has received. |
List Enriched Objects | This action lists the enriched data of the specified threat data object. |
List Integrations | This action lists integrations configured in Intel Exchange. |
List Intel History | This action retrieves the history of an intel added to Intel Exchange through various sources. |
List IOC Types | This action lists all valid indicators of compromise (IOC) types supported by the Intel Exchange platform. |
List Kill Chain Phases | This action retrieves kill chain information of a threat data object. |
List Notes in Threat Data Object | This action retrieves a list of notes associated with a threat data object. |
List Published Collections of a Threat Object | This action retrieves the published collections of a threat data object. |
List Relations of Threat Data Object | This action retrieves the list of relations and their details for a given threat data object. |
List Reports | This action lists reports on Intel Exchange. |
List Rules | This action lists all the enrichment rules. |
List Saved Result Set | This action retrieves saved result sets from Intel Exchange. |
List Saved Searches | This action lists saved searches on Intel Exchange. |
List Source Collections | This action retrieves a list of collections for the sources. |
List Source Details | This action retrieves the source information for the given object type and object ID. |
List Source External References | This action lists all external references associated with a threat data object. |
List Sources | This action lists all the feed sources. |
List Source Types | This action retrieves the types of feed sources available in the Intel Exchange platform. |
List Subscribers | This action lists the subscribers configured in Intel Exchange. |
List Tasks in Threat Data Object | This action retrieves the list of tasks associated with a threat data object. |
List Threat Data | This action retrieves a list of threat data objects available for use in the Threat Investigations Canvas in Intel Exchange. |
List Threat Data Object Details in Table View | This action retrieves threat data object details in a tabular format. |
List Threat Data Object Sources | This action retrieves a list of feed sources associated with a threat data object, along with their description, fanged description, and de-fanged description. |
List User Groups | This action retrieves a list of user groups from Intel Exchange. |
List Users | This action lists all the users of the Intel Exchange application. |
List Widgets | This action lists widgets present in Intel Exchange. |
Perform Action on Threat Data Object | This action performs an action on a threat data object. You can perform actions, such as deprecate, undeprecate, add analyst tlp, add analyst score, and more. |
Perform Bulk Action on Rules | This action updates multiple rules in one operation. |
Perform Bulk Action on Threat Data | This action performs an action on multiple threat data objects. |
Pin Saved Search | This action pins a saved search to the top. |
Preview Threat Data Object | This action retrieves specific details of a threat data object. |
Quick Add Intel | This action is used to add indicator data to Intel Exchange. |
Remove Pinned Saved Search | This action removes a saved search from the pinned search list. |
Retrieve Download Link | This action retrieves a download URL for the export file, which includes the file ID and a token. |
Retrieve Intel Statistics | This action retrieves the statistics history for the specified Intel component. |
Retrieve Quick Add Intel Relation Objects | This action retrieves details of threat objects ingested and linked as relationship objects to the report created through the quick add intel submission. |
Retrieve Quick Add Intel Status | This action retrieves the intel creation status of a quick add intel submission. |
Run Report | This action runs a specific report. |
Run Rule | This action runs a rule in Intel Exchange. |
Update Note in Threat Data Object | This action updates the details of a note in Intel Exchange. |
Update Pinned Saved Search | This action updates the order of a pinned saved search. |
Update Saved Search | This action updates a saved search using the specified ID. |
Update Task in Threat Data Object | This action updates a task of a threat data object. |
Update User Details | This action is used to update the user details on Intel Exchange. |
Update User Group Details | This action updates the user group details on Intel Exchange. |
Generic Action | This is a generic action to perform any additional use case that you want on Cyware Intel Exchange. |
Configuration Parameters
The following configuration parameters are required for the Cyware Intel Exchange app to communicate with the Cyware Intel Exchange enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL of Cyware Intel Exchange. Example: https://<tenant_code>.cyware.com/ctixapi | Text | Required | |
Access ID | Enter the Intel Exchange access ID to authenticate with. | Password | Required | |
Secret Key | Enter the Intel Exchange secret key for authentication. | Password | Required | |
SSL Verification | Choose whether to verify the SSL/TLS certificate when making requests. It is recommended to set this option to yes. Setting it to no may result in the connection being established incorrectly. | Boolean | Optional | By default, verification is enabled. |
Timeout | Enter the timeout value in seconds. This is the number of seconds requests will wait to connect to Intel Exchange and read the response. | Integer | Optional | Allowed range: 15-120. Default value: 15 |
Action: Add Custom Aliases
This action adds custom aliases to threat data objects such as threat actors, malware, attack patterns, campaigns, infrastructures, intrusion sets, and tools.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of the threat data object to add custom aliases. Example: 903f519f-feb1-49b8-8c80-18ff8de99e8c | Text | Required | You can retrieve the object ID using the Action: List Threat Data. |
Custom Aliases | Enter the list of custom aliases to add to the threat actor. Example: $LIST[sample alias 1,sample alias 2] | List | Required | |
Example Request
[ { "object_id": "56f3c7f6-efe9-470a-85bd-6c3ea01b3f15", "custom_aliases": [ "sample alias 3", "sample alias 4" ] } ]
Action: Add Note to Threat Data Object
This action adds a note to a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Text | Enter the note to add to the object. Example: sample note | Text | Required | Ensure that the JSON content passed is stringified if the Is JSON parameter is set to true. |
Note Type | Enter the note type to create. | Text | Required | Allowed value: report |
Object ID | Enter the object ID to update the note for. Example: 2b8d0163-da03-4a1d-86c5-f981f0920c0d | Text | Required | You can retrieve this using the action List Threat Data. |
Metadata | Enter any additional metadata associated with the note. Example: report_id: 2b8d0163-da03-4a1d-86c5-f981f0920c0d | Key Value | Optional | |
Is JSON | Choose true if you want to send the note in JSON format. | Boolean | Optional | Default value: false |
Example Request
[ { "text": "{\"summary\": \"Privilege escalation vulnerability detected in login module.\"}", "is_json": true, "meta_data": { "name": "PRIVESC-LOGIN", "type": "vulnerability", "component": "auth-module", "object_id": "b132ea9e-8f3a-45ac-8b59-0dbfa5a23e87" }, "note_type": "incident", "object_id": "67f8c3de-5ac1-4d45-a905-773e0e4a7f63" } ]
Action: Add Subscriber
This action adds a subscriber to Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscriber Name | Enter the name of the subscriber. Example: John Doe | Text | Required | |
Primary Contact Name | Enter the primary contact name of the subscriber. | Text | Required | |
Enter the email ID of the subscriber. | Text | Required | ||
Score | Enter the score for the subscriber. | Integer | Required | |
Collection IDs | Enter the ID of the collections to which the subscriber needs to be added. Example: $LIST[9251d39e-c6d4-4c63-a55f-8201fd0d583d] | List | Required | |
IP Addresses | Enter IP addresses to establish a secure exchange of intel. Example: $LIST[0.0.0.0/0 , 1.12.34.8] | List | Required | |
Send Mail | Choose true to send mail. | Boolean | Optional | Default value: true |
Whitelisted IP Ranges | Enter any IP ranges to whitelist to access this collection. Example: $LIST[1.1.1.1 , 1.12.34.8] | List | Optional | |
Additional Params | Enter any additional parameters to pass with the request. | Key Value | Optional | |
Example Request
[ { "name": "JohnDoe", "email": "john.doe@orgname.com", "score": "5", "extra_params": {}, "collection_ids": [ "890a0f0a-1d24-4592-b6a2-6104784553d7" ], "primary_contact_name": "John", "whitelisted_ip_ranges": [ "1.1.1.1" ] } ]
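The IP Addresses example in the table above includes 0.0.0.0/0, a range that matches every IPv4 address. The following added example (not Cyware code) reviews an allowlist before it is passed to the IP Addresses or Whitelisted IP Ranges parameter; the function names and the /24 and /64 width thresholds are assumptions of this sketch, not platform rules.

```python
import ipaddress

# Assumption for this sketch (not a vendor rule): ranges wider than these
# prefix lengths need explicit sign-off before they are allowlisted.
MIN_PREFIX = {4: 24, 6: 64}


def review_allowlist(entries):
    """Split IP/CIDR strings into (accepted, findings).

    accepted: normalized entries that are safe to submit.
    findings: (original_entry, reason) pairs held back for analyst review.
    """
    accepted, findings, seen = [], [], set()
    for raw in entries:
        try:
            # strict=False normalizes host bits, e.g. 203.0.113.7/24 -> 203.0.113.0/24
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append((raw, "not a valid IP address or CIDR range"))
            continue
        if net.prefixlen == 0:
            findings.append((raw, f"matches every IPv{net.version} address"))
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.append((raw, f"wider than /{MIN_PREFIX[net.version]}"))
        elif net in seen:
            findings.append((raw, f"duplicate of {net}"))
        else:
            seen.add(net)
            # Single hosts are written without a prefix, as in the page's examples.
            single = net.num_addresses == 1
            accepted.append(str(net.network_address) if single else str(net))
    return accepted, findings


def to_list_input(values):
    """Render values in the $LIST[...] form used by the parameter examples."""
    return "$LIST[" + ", ".join(values) + "]"


# Constructed sample input: the page's example values plus a few edge cases.
SAMPLE = ["0.0.0.0/0 ", " 1.12.34.8", "1.1.1.1", "10.0.0.0/8",
          "203.0.113.7/24", "::/0", "not-an-ip", "1.1.1.1"]

if __name__ == "__main__":
    ok, held = review_allowlist(SAMPLE)
    print(to_list_input(ok))
    for entry, reason in held:
        print(f"held back: {entry!r}: {reason}")
```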
Action: Add Tag to Threat Data
This action adds a tag to a threat object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the object ID to add a tag to. Example: 03694ab0-0e9f-45f4-a4c4-2b6eaedd4803 | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the type of threat data object to add the tag to. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Tag | Enter the name of the tag to add to this object. Example: restricted_ip | Text | Required | |
Create Tag | Choose true to create a tag if the specified tag does not exist in Intel Exchange. | Boolean | Optional | Default value: false |
Tag Colour | Enter the color of the tag to assign if creating a tag. | Text | Optional | Default value: #0068fa (blue) |
Example Request
[ { "object_id": "97e32263-d8bf-409f-9b6a-d1795515d4c2", "tag_to_add": "restricted_cve", "object_type": "vulnerability", "create_new_tags": true } ]
Action: Bulk Add Analyst Score
This action adds an analyst score to multiple threat data objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Analyst Score | Enter the analyst score to add to the objects. Example: 68 | Integer | Required | Allowed range: 0-100 |
Object IDs | Enter the list of threat data object IDs to perform the bulk action. Example: $LIST[49d5e95e-3889-42de-8280-1ebf5c7cb95a, 71cd9a67-aa10-4016-bd32-b44534b2e1b9] | List | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the type of threat data objects to perform the bulk action. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Example Request
[ { "object_ids": [ "5991363a-eff0-4a35-a068-02a3d40c3e3c", "53724dbe-1dde-4c90-9c06-25c7890dc766" ], "object_type": "indicator", "analyst_score": "67" } ]
Action: Bulk Add or Remove Watchlist
This action adds or removes multiple threat data objects from the watchlist.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action Type | Enter watchlist to add objects to the watchlist, or un_watchlist to remove them. | Text | Required | Allowed values: watchlist, un_watchlist |
Object Names | Enter the list of values for the objects to add or remove from the watchlist. Example: $LIST[www.childalertfakt.eu, 3:bwcsn:ecsn] | List | Required | You can retrieve this using the action List Threat Data. |
Object IDs | Enter the list of threat data object IDs to perform the bulk action. Example: $LIST[49d5e95e-3889-42de-8280-1ebf5c7cb95a, 71cd9a67-aa10-4016-bd32-b44534b2e1b9] | List | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the type of threat data objects. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Example Request
Adding threat data object to the watchlist:
[ { "object_ids": [ "5991363a-eff0-4a35-a068-02a3d40c3e3c", "53724dbe-1dde-4c90-9c06-25c7890dc766" ], "action_type": "watchlist", "object_type": "indicator", "object_names": [ "www.childalertfakt.eu", "3:BWcSn:EcSn" ] } ]
Removing threat data object from the watchlist:
[ { "object_ids": [ "5991363a-eff0-4a35-a068-02a3d40c3e3c", "53724dbe-1dde-4c90-9c06-25c7890dc766" ], "action_type": "un_watchlist", "object_type": "indicator", "object_names": [ "www.childalertfakt.eu", "3:BWcSn:EcSn" ] } ]
Action: Bulk Add Relation
This action adds a relation to multiple threat data objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Target ID | Enter the ID of an object to add as a relation. Example: 85830a15-3ae2-49f1-987c-f52ccf40a0e3 | Text | Required | You can retrieve this using the action List Threat Data. |
Target Type | Enter the type of the object to add as a relation. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Object IDs | Enter the list of threat data object IDs to perform the bulk action. Example: $LIST[49d5e95e-3889-42de-8280-1ebf5c7cb95a, 71cd9a67-aa10-4016-bd32-b44534b2e1b9] | List | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the type of threat data objects. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Relationship Type | Enter the relationship type to add to threat data objects. | Text | Optional | For allowed values, see the section Allowed values for the Relationship Type parameter. Default value: related-to |
Target Name | Enter the name or value of the target object you are adding as a relation. Example: An IP address like 5.205.20.175 or a domain name like example.com | Text | Optional | |
Target Sub Type | Enter the subtype of the object. Example: ipv4-addr | Text | Optional | |
Example Request
[ { "target_id": "1086b703-0e5f-403d-a542-7be06a0bf6eb", "object_ids": [ "5991363a-eff0-4a35-a068-02a3d40c3e3c", "53724dbe-1dde-4c90-9c06-25c7890dc766" ], "object_type": "indicator", "target_name": "https://assets.nautil.us/sites/3/nautilus/Braun_Lead-rightside.png?q=65&auto=format&w=350&h=100", "target_type": "indicator", "target_sub_type": "url", "relationship_type": "related-to" } ]
Allowed values for the Relationship Type parameter
targets, indicates, impersonates, duplicate-of, exploited-by, has, compromises, associated-with, employs, hosts, initiates, manages, pertains-to, resolves, serves-as, targets-with, name, compromises-indicator, employs-tactic, mitigates-vulnerability, uses-tactic, associated_actor, av-analysis-of, characterizes, downloads, exfiltrates-to, indicated_ttp, located-at, owns, related_incident, related_ttp, static-analysis-of, uses, attributed-to, related-to, remediated-by, advertised-by, mentions, originates-from, consists-of, facilitates, impacts, involves, measures, provides-context-for, runs, solves, treats, uses-target, originates-from-country, employs-tool, targets-vulnerability, uses-tool, attributed_threat_actor, based-on, communicates-with, drops, exploits, kill_chain_phase, object_reference, potential_coa, related_indicator, related_vulnerability, mitigates, variant-of, derived-from, remediates, identified-by, mentioned-by, investigates, delivers, gives-characteristics-of, includes, knows, part-of, requires, satisfies, subtechnique-of, uses-characteristics-of, associates, employs-malware, mitigates-tactic, uses-malware, associated_campaign, authored-by, beacons-to, controls, dynamic-analysis-of, hosts, kill_chain_phases, observed_ttp, related_campaign, related_coa, suggested_coa
Action: Bulk Add Tags
This action adds tags to multiple threat data objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tag IDs | Enter the ID of the tags to be added. Example: $LIST[ac542ff0-b423-4329-8c82-12e419e48e18, 3af3031b-e9fc-4def-9b67-0d6a984a84fc] | List | Required | You can retrieve this using the action List All Tags. |
Object IDs | Enter the list of threat data object IDs to perform the bulk action. Example: $LIST[49d5e95e-3889-42de-8280-1ebf5c7cb95a, 71cd9a67-aa10-4016-bd32-b44534b2e1b9] | List | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the type of threat data objects. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Example Request
[ { "tag_ids": [ "ac542ff0-b423-4329-8c82-12e419e48e18", "3af3031b-e9fc-4def-9b67-0d6a984a84fc" ], "object_ids": [ "ea3ba5c9-66f7-4d17-ac01-60fff153abd1", "599ed793-c56e-4976-ae5e-fbfa92e64167" ], "object_type": "indicator" } ]
Action: Bulk Add TLP
This action adds TLP to multiple threat data objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Analyst TLP | Enter the analyst TLP to add to the objects. | Text | Required | Allowed values: WHITE, GREEN, AMBER, RED |
Object IDs | Enter the list of threat data object IDs to add TLPs. Example: $LIST[49d5e95e-3889-42de-8280-1ebf5c7cb95a, 71cd9a67-aa10-4016-bd32-b44534b2e1b9] | List | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the type of threat data objects. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Example Request
[ { "object_ids": [ "5991363a-eff0-4a35-a068-02a3d40c3e3c", "53724dbe-1dde-4c90-9c06-25c7890dc766" ], "analyst_tlp": "GREEN", "object_type": "indicator", "additional_data": {} } ]
Action: Bulk IOC Advanced Lookup
This action performs a bulk lookup for threat data objects in the Intel Exchange platform and retrieves their basic details, enriched information, and related objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Type | Enter the type of threat data object to retrieve details for. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Enrichment Data | Choose true to retrieve the latest five enrichment data points of the threat data objects. | Boolean | Optional | Default value: false |
Relation Data | Choose true to retrieve the latest 100 relation details of the threat data objects. | Boolean | Optional | Default value: false |
Object Value | Enter a list of up to 100 threat data object values to look up. Note: You must provide either the Object ID or the Object Value parameter. Example: $LIST[47.92.78.238, www.facebook.com] | List | Optional | You can retrieve this using the action List Threat Data. |
Object ID | Enter a list of up to 100 threat data object IDs to look up. Note: You must provide either the Object ID or the Object Value parameter. Example: $LIST[2b8d0163-da03-4a1d-86c5-f981f0920c0d] | List | Optional | You can retrieve this using the action List Threat Data. |
Fields to Retrieve | Enter a comma-separated list of fields to retrieve specific details of the objects. Example: relations,enrichment_data | Text | Optional | By default, it retrieves all field data. |
Enrichment Tools | Enter the names of up to five enrichment tools, separated by commas, to enrich the threat data objects. For example, enter AbuseIPDB, VirusTotal to apply both the AbuseIPDB and VirusTotal enrichment tools. | Text | Optional | You can retrieve this using the action List Integrations. |
Example Request
[ { "object_type": "indicator", "extra_params": {}, "object_value": [ "121.12.118.6", "www.facebook.com", "222.122.211.121" ] } ]
Action: Bulk Lookup And Create Intel
This action performs a lookup for IOCs to retrieve the list of objects available in the Intel Exchange platform. If some IOCs are not available, you can choose to create intel and ingest the missing IOCs. This action is available in Intel Exchange from the release v3.3.1 and later versions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicators | Enter the list of indicators to look up. Example: $LIST[76.77.213.225:80, 131.190.253.60, 56.15.255.238] | List | Required | You can enter a maximum of 1000 IOC values. |
Enrichment | Choose true to add the last enriched information for each enriched object. | Boolean | Optional | Default value: true |
Create | Choose true to create new IOCs that were missed from the list of lookup IOCs. | Boolean | Optional | Default value: true |
Metadata | Enter any additional information about the objects, such as TLP, confidence score, and more, while creating intel. Example: {'tlp':'green'} | Key Value | Optional | Allowed keys: description, labels, tlp, confidence |
Collection Name | Enter the name of the collection to map the threat data objects. Example: testFeed-External | Text | Optional | |
Source Name | Enter the name of the source to map the intel. If the specified source name does not exist in the platform, a new source is automatically created. Example: OpenAPI Lookup | Text | Optional | Default source: OpenAPI Lookup (OpenAPI) of the Miscellaneous source category. |
Example Request
[ { "create": false, "source": "External Threat Feed", "metadata": { "tlp": "GREEN", "description": "Test entry simulating an external feed with mixed indicator types for validation purposes." }, "enrichment": true, "indicators": [ "185.220.101.4", "45.83.64.1:443", "203.0.113.45", "198.51.100.22:8080", "2a03:2880:f003:c07:face:b00c:0:1", "e3b0c44298fc1c149afbf4c8996fb924", "44d88612fea8a8f36de82e1278abb02f", "cfcd208495d565ef66e7dff9f98764da", "d41d8cd98f00b204e9800998ecf8427e", "4a44dc15364204a80fe80e9039455cc1", "275a021bbfb6480f4c5f3cf24973d7ee", "f2ca1bb6c7e907d06dafe4687e579fce", "abc1234def5678ghijk90123lmno456p" ], "collection_name": "testFeed-External" } ]
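Because Create defaults to true, a malformed value in the Indicators list is worth catching before submission. The following added example (not Cyware code) builds request bodies in the shape of the example request above, enforcing the 1000-value limit and the allowed metadata keys from the parameter table; the function names are hypothetical and `classify` is a local heuristic, not the platform's own indicator parser.

```python
import ipaddress
import re

MAX_INDICATORS = 1000  # limit stated for the Indicators parameter
ALLOWED_METADATA_KEYS = {"description", "labels", "tlp", "confidence"}
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HOST_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def classify(value):
    """Best-effort local type guess; None means 'fits no known shape'."""
    value = value.strip()
    match = HOST_PORT_RE.match(value)
    if match:
        try:
            ipaddress.IPv4Address(match.group(1))
        except ValueError:
            return None
        return "ipv4:port" if 0 < int(match.group(2)) <= 65535 else None
    try:
        return f"ipv{ipaddress.ip_address(value).version}"
    except ValueError:
        pass
    if HEX_RE.match(value):
        return HASH_LENGTHS.get(len(value))
    return "domain" if DOMAIN_RE.match(value) else None


def build_requests(indicators, metadata=None, collection_name=None,
                   source=None, create=True, enrichment=True):
    """Return (payloads, held_back).

    payloads: request bodies with at most MAX_INDICATORS values each.
    held_back: values that fit no known shape, kept out for analyst review.
    """
    metadata = dict(metadata or {})
    unknown = set(metadata) - ALLOWED_METADATA_KEYS
    if unknown:
        raise ValueError(f"metadata keys not allowed: {sorted(unknown)}")

    accepted, held_back, seen = [], [], set()
    for raw in indicators:
        value = raw.strip()
        if not value or value in seen:
            continue  # skip blanks and duplicates
        seen.add(value)
        (accepted if classify(value) else held_back).append(value)

    payloads = []
    for start in range(0, len(accepted), MAX_INDICATORS):
        payload = {
            "create": create,
            "enrichment": enrichment,
            "metadata": metadata,
            "indicators": accepted[start:start + MAX_INDICATORS],
        }
        if collection_name:
            payload["collection_name"] = collection_name
        if source:
            payload["source"] = source
        payloads.append(payload)
    return payloads, held_back


# Five values taken from the page's example request, plus constructed filler
# addresses to push the list past the 1000-value limit.
PAGE_SAMPLE = [
    "185.220.101.4",
    "45.83.64.1:443",
    "2a03:2880:f003:c07:face:b00c:0:1",
    "44d88612fea8a8f36de82e1278abb02f",
    "abc1234def5678ghijk90123lmno456p",
]
FILLER = [f"10.0.{i // 256}.{i % 256}" for i in range(2500)]

if __name__ == "__main__":
    bodies, held = build_requests(PAGE_SAMPLE + FILLER,
                                  metadata={"tlp": "GREEN"},
                                  collection_name="testFeed-External")
    print([len(b["indicators"]) for b in bodies], held)
```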
Action: Bulk Remove Tags
This action removes tags from multiple threat data objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tag IDs | Enter the ID of the tags to be removed. Example: $LIST[ac542ff0-b423-4329-8c82-12e419e48e18, 3af3031b-e9fc-4def-9b67-0d6a984a84fc] | List | Required | You can retrieve this using the action List All Tags. |
Object IDs | Enter the list of threat data object IDs to perform the bulk action. Example: $LIST[49d5e95e-3889-42de-8280-1ebf5c7cb95a, 71cd9a67-aa10-4016-bd32-b44534b2e1b9] | List | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the type of threat data objects. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Example Request
[ { "tag_ids": [ "9583f92f-7437-4ca1-99c5-45c92c1c164e", "9ca2002c-21fb-440c-acdc-de8c45307e87" ], "object_ids": [ "ea3ba5c9-66f7-4d17-ac01-60fff153abd1", "db4ebc15-2def-4af9-9a92-c464521df3a5" ], "object_type": "indicator" } ]
Action: Bulk Run Rule
This action runs a rule on multiple threat data objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule ID | Enter the ID of a rule to run. Example: 5602232e-085b-4c15-89af-404ea45c5703 | Text | Required | You can retrieve this using the action List Rules. |
Object IDs | Enter the list of threat data object IDs to perform the bulk action on. Example: $LIST[49d5e95e-3889-42de-8280-1ebf5c7cb95a, 71cd9a67-aa10-4016-bd32-b44534b2e1b9] | List | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the type of threat data objects to perform the bulk action on. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Example Request
[ { "rule_id": "726a05f5-92a6-4f0d-9483-a1f2be548ddf", "object_ids": [ "5991363a-eff0-4a35-a068-02a3d40c3e3c", "53724dbe-1dde-4c90-9c06-25c7890dc766" ], "object_type": "indicator" } ]
Action: Create Bulk Notes
This action creates notes in bulk for multiple threat data objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Type | Enter the type of the threat data object. | Text | Required | Allowed value: threatdata |
Text | Enter the note content to be added to the specified threat data objects. Example: This is a sample note | Text | Required | |
Object IDs | Enter the list of object IDs on which you want to add bulk notes. Example: $LIST[77b4c308-73bc-4e1e-9d05-aeeaa0423df,dd324b2-e8e2-42da-9bc9-f9f4470a13ef] | List | Required | You can retrieve this using the action List Threat Data. |
Example Request
[ { "note_type": "threatdata", "object_ids": [ "7c4786c6-f537-4793-b2fa-f12cc841e8dd", "62789e69-3850-41d0-b46b-b34f4b91a1fb" ], "description_text": "This is a sample note" } ]
Action: Create Collection
This action creates a collection on Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Polling | Choose true to add this collection to the poll data. | Boolean | Required | |
Inbox | Choose true to add this collection to the inbox service. | Boolean | Required | |
Collection Name | Enter the name of the collection. Example: sample name | Text | Required | |
Description | Enter a description of the collection. Example: This is a sample description | Text | Required | |
Marking Config | Enter the data marking type. | Text | Optional | Allowed values: tlp, acs. Default value: tlp |
Default Marking Definition | Enter the default data marking definition. | Text | Optional | Default value: AMBER |
Example Request
[ { "name": "Malicious IP Feed Inbox", "inbox": true, "polling": true, "description": "Automatically ingests and processes IP-based threat indicators for correlation and alerting." } ]
Action: Create Intel
This action creates intel from minimal details of indicators, SDOs, relations, custom objects, and indicators parsed from free text.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter the title of the indicator to create on Intel Exchange. Example: vulnerability report | Text | Required | |
Create Intel | Choose true to create an Intel feed. | Boolean | Optional | Default value: false |
Indicator | Enter the indicators to add to the intel. This should be a dictionary in the form of {indicator_type: indicator_value}. | Key Value | Optional | Allowed indicator types: ipv4-addr, ipv6-addr, domain, url, email, md5, sha1, sha224, sha256, sha384, sha512, ssdeep |
SDOs Object | Enter the SDO types and comma-separated SDO values. Example: {\"vulnerability\": \"cve-2021-21913\", \"cve-2021-219134\"} | Key Value | Optional | |
Confidence | Enter the source confidence score of the indicators being passed. | Integer | Optional | Allowed range: 1-100 |
TLP | Enter the TLP of the indicators. | Text | Optional | Allowed values: GREEN, AMBER, RED, WHITE, NONE |
Apply Metadata to All Objects | Choose true to apply the metadata to all objects of the intel. Choose false to apply the metadata to the report object that is created as part of the quick add intel submission only. | Boolean | Optional | Default value: false |
Custom Scores | Enter the custom score key and the score in key-value pairs. Example: {\"x_ctix_customscore_2\": 2,\"x_ctix_customscore_1\": \"medium\"}. | Key Value | Optional | |
Description | Enter a description for the intel within 1000 characters. Example: This is a sample description | Text | Optional | |
Labels | Enter a list of tag names to add to the intel. Example: $LIST[label_a,label_b] | Any | Optional | |
Additional Metadata | Enter any additional metadata to create intel. | Any | Optional | |
Parsed Indicators | Enter the IOC types and indicators parsed from free text. Example: {ips: $JSON[{values: [\"2.23.4.2\", \"32.34.1.1\"]}]} | Key Value | Optional | |
Observables | Enter the STIX cyber observable object (SCO) types and comma-separated SCO values. Example: {\"user-account\": \"test@cyware.com\"} | Key Value | Optional | |
Relations | Enter the objects to be associated with the report object created as part of this quick add submission. Example: $JSON[[{\"name\": \"1.1.1.100\",\"type\": \"indicator\",\"ioc_type\": \"ipv4-addr\",\"id\": \"30bafaad-b70d-4881-97f2-7915df322332\"},{\"name\": \"1.1.1.1\",\"type\": \"indicator\",\"ioc_type\": \"ipv4-addr\",\"id\": \"8c664a86-8da7-4cc5-a2a5-aa66b7ca1c8a\"}]] | Any | Optional | You can associate a maximum of 10 objects in a single quick add submission. |
Extra data | Enter the extra data to pass in the payload. | Key Value | Optional | |
Example Request
[ { "tlp": "GREEN", "title": "Sample Intel", "labels": [ "label1", "label2" ], "all_sdos": { "all_iocs": { "ipv4": [ { "value": "1.2.34.21", "description": "sample description", "is_false_positive": true, "notes": [ "This is a sample note attached to this indicator!", "Sample Note 2" ], "custom_attributes": { "x_custom_attribute1": "sample value 1", "x_custom_attribute2": "sample value 2" } } ], "ipv6": [ { "value": "7b6f:e96a:991b:e1f8:6e50:9bf6:3c7:2922", "custom_attributes": { "x_custom_attribute1": "sample value 1", "x_custom_attribute2": "sample value 2" } } ], "domain": [ { "value": "abc.com", "custom_attributes": { "x_custom_attribute1": "sample value 1", "x_custom_attribute2": "sample value 2" } } ], "url": [ { "value": "http://www.abc.com", "custom_attributes": { "x_custom_attribute1": "sample value 1", "x_custom_attribute2": "sample value 2" } } ], "email_address": [ { "value": "john.doe@cyware.com", "custom_attributes": { "x_custom_attribute1": "sample value 1", "x_custom_attribute2": "sample value 2" } } ], "md5": [ { "value": "00616b4b72c8a1da89ed3840fa7313e1", "custom_attributes": { "x_custom_attribute1": "sample value 1", "x_custom_attribute2": "sample value 2" } } ] }, "malwares": [ { "value": "malware1", "custom_attributes": { "x_custom_attribute1": "sample value 1", "x_custom_attribute2": "sample value 2" } } ], "attack_patterns": [ { "value": "attackpattern1", "custom_attributes": { "x_custom_attribute1": "sample value 1", "x_custom_attribute2": "sample value 2" } } ], "vulnerabilities": [ { "value": "vulnerablities_01", "custom_attributes": { "x_custom_attribute1": "sample value 1", "x_custom_attribute2": "sample value 2" } } ] }, "confidence": "80" } ]
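The Indicator parameter accepts only the indicator types listed above, so a mixed list of values has to be sorted by type and checked for malformed entries before it is submitted. The following is an added example, not part of the connector or Cyware's code: `classify` and `bucket` are hypothetical helper names, the sample values are taken from the example requests on this page, and stripping a trailing `:port` from IPv4 entries is an assumption, since the page does not state how such values are handled.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hex digest length -> type name from the Create Intel "Allowed indicator types" list.
HASH_TYPES = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
SSDEEP_RE = re.compile(r"\d+:[A-Za-z0-9/+]+:[A-Za-z0-9/+]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)


def classify(raw):
    """Return (indicator_type, normalized_value), or (None, reason) if unusable."""
    value = raw.strip()
    if not value:
        return None, "empty value"

    # Bare IPv4 or IPv6 literal.
    try:
        ip = ipaddress.ip_address(value)
        return ("ipv4-addr" if ip.version == 4 else "ipv6-addr"), str(ip)
    except ValueError:
        pass

    # IPv4 followed by a port (for example "45.83.64.1:443").
    # Assumption: the port is dropped and only the address is kept.
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit() and host.count(".") == 3:
        try:
            return "ipv4-addr", str(ipaddress.IPv4Address(host))
        except ValueError:
            return None, "malformed IPv4 address before port"

    # URL with an explicit scheme and a host.
    if "://" in value:
        try:
            parts = urlsplit(value)
        except ValueError:
            return None, "malformed URL"
        if parts.scheme.lower() in {"http", "https", "ftp"} and parts.hostname:
            return "url", value
        return None, "unsupported or incomplete URL"

    if EMAIL_RE.fullmatch(value):
        return "email", value.lower()

    if SSDEEP_RE.fullmatch(value):
        return "ssdeep", value

    # Fixed-length hex digests; a right-length string with non-hex characters
    # is rejected here instead of being passed on as a hash.
    if value.isalnum() and len(value) in HASH_TYPES:
        if HEX_RE.fullmatch(value):
            return HASH_TYPES[len(value)], value.lower()
        return None, "length matches %s but value is not hex" % HASH_TYPES[len(value)]

    if DOMAIN_RE.fullmatch(value):
        return "domain", value.lower()

    return None, "unrecognized indicator format"


def bucket(indicators):
    """Group indicators by type, de-duplicated; collect rejects with a reason."""
    accepted, rejected = {}, []
    for raw in indicators:
        kind, result = classify(raw)
        if kind is None:
            rejected.append((raw, result))
        elif result not in accepted.setdefault(kind, []):
            accepted[kind].append(result)
    return accepted, rejected


# Sample values copied from the example requests on this page.
SAMPLE = [
    "185.220.101.4",
    "45.83.64.1:443",
    "2a03:2880:f003:c07:face:b00c:0:1",
    "44d88612fea8a8f36de82e1278abb02f",
    "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
    "abc1234def5678ghijk90123lmno456p",
    "abc.com",
    "http://www.abc.com",
    "john.doe@cyware.com",
]

if __name__ == "__main__":
    ok, bad = bucket(SAMPLE)
    for kind, values in ok.items():
        print(kind, values)
    for raw, reason in bad:
        print("rejected:", raw, "-", reason)
```

The rejected list is worth logging in the playbook run, because a value that fails classification would otherwise be submitted under the wrong type or silently dropped.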
Action: Create Saved Search
This action creates a saved search on Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Saved Search Type | Enter the type of the saved search. Example: basic | Text | Optional | Allowed values: basic, cql |
Saved Search Name | Enter the name of the saved result set. | Text | Required | |
Query | Enter the query to create a saved search from. Example: \"type=\"indicator\" and sub_type=\"file\" and created>\"2021-07-28\" | Text | Required | |
Shared Type | Enter the visibility setting for the saved search. | Text | Optional | Allowed values: private, global, specific users, systems. Default value: private |
Metadata | Enter the metadata to support transforming the saved search into a CQL query or threat data filters. Example: {\"object_type\":[\"malware\"]} | Text | Optional | |
Example Request
[ { "name": "Recent File Indicators", "type": "saved_search", "query": "type=\"indicator\" AND sub_type=\"file\" AND created>\"2024-01-01\"", "shared_type": "private" } ]
Action: Create Tag
This action creates a tag on Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tag Name | Enter a unique name of the tag to add within 50 characters. Example: restricted_ip | Text | Required | |
Tag Color | Enter the hex key of a color code for the tag to assign. | Text | Required | Allowed values: #5236e2, #0068fa, #eb9c00, #ff5330, #27865f, #c4c81d, #00a2c2, #c341e7, #ad6b76, #95a1b1 |
Example Request
[ { "name": "restricted_ip" } ]
Action: Create Task in Multiple Objects
This action creates a task in multiple threat data objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Type | Enter the type of threat data object to associate with the task. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Object IDs | Enter a list of threat data object IDs to associate with the task. Example: $LIST[f7ad5e3d-5c31-4c44-bbb1-990516d5678e, f7ad5e3d-5c31-4c44-bbb1-990516d5678e] | List | Required | You can retrieve this using the action List Threat Data. |
Assignee | Enter the ID of a user to assign the task. Example: 8efe66c3-1701-4494-a192-5512e0c2c0af | Text | Required | |
Description Text | Enter the description of the task to be performed. Example: task_test | Text | Required | |
Task Status | Enter the status of the task. | Text | Optional | Allowed values: not_started, in_progress, completed |
Closure Comment | Enter the comment to close the task. This is required if the Task Status is completed. | Text | Optional | |
Additional Data | Enter the additional data to create a task in multiple threat data objects. | Key Value | Optional | Allowed keys: type, deadline, priority |
Example Request
[ { "assignee": "de3ccc98-efd2-45cc-9432-76bdb75a04c7", "object_ids": [ "a323e45c-0e8e-490e-8a34-a30687ab5610", "61a9714e-93d8-4c06-b065-5e5437766383" ], "object_type": "indicator", "description_text": "This is a sample description.", "extra_data_fields": {} } ]
Action: Create Task in Threat Data Object
This action creates a task for a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Assignee | Enter the ID of a user to assign the task. Example: 5555f14c-6130-4e58-a2da-33e1a85b5a64 | Text | Required | You can retrieve this using the action List Users. |
Description Text | Enter the description of the task to be performed. Example: Verify this indicator | Text | Required | |
Threat Data Type | Enter the type of the threat data object. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Object ID | Enter the ID of the threat data object to associate with the task. If you do not enter this, the task is created as a global task. Example: 92686150-58e5-4f15-be64-f3e123efd825 | Text | Optional | You can retrieve this using the action List Threat Data. |
Priority | Enter the priority of the task. | Text | Optional | Allowed values: high, medium, low. Default value: medium |
Task Deadline | Enter the task deadline in epoch format to specify when the task should be completed. Example: 1633393469 | Integer | Optional | |
Status | Enter the status of the task. | Text | Optional | Allowed values: not_started, in_progress, completed. Default value: not_started |
Closure Comment | Enter the comment to close the task. This is required if Status is completed. | Text | Optional | |
Example Request
[ { "assignee": "de3ccc98-efd2-45cc-9432-76bdb75a04c7", "object_ids": [ "a323e45c-0e8e-490e-8a34-a30687ab5610", "61a9714e-93d8-4c06-b065-5e5437766383" ], "object_type": "indicator", "description_text": "This is a sample description", "extra_data_fields": {} } ]
Action: Create Task to Parse IOCs
This action creates an IOC parsing task to extract STIX objects from free text data or a web page.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Free Text Data | Enter free text (up to 50,000 characters) or a web page URL to extract STIX objects and retrieve the task ID. Example: 1.2.3.11, 1.1.2.1, domain.com | Text | Required | |
Extract STIX Object | Choose true to extract STIX objects from a web page. If you choose false, then the URL passed in the data parameter is parsed as free text. | Boolean | Optional | Default value: false |
Get Parsed IOC Details | Choose true to retrieve the parsed IOC details. | Boolean | Optional | Default value: false |
Task Completion Wait Time | Enter the time (in seconds) to wait for the task to complete and retrieve its details. | Integer | Optional | Default value: 5 |
Example Request
[ { "iocs_task_data": "1.2.3.11, 1.1.2.1, domain.com,2aae6c35c94fcfb415dbe95f408b9ce91ee846ed", "get_parsed_ioc_details": true } ]
Action: Create Threat Defender Content
This action creates a threat defender content record.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tags | Enter the list of tag objects to apply to the content. Example: $JSON[[{\"id\": \"ef4fdadc-c98c-4e09-afd2-b9084706151e\", \"name\": \"yara\", \"colour_code\": \"#ff5330\"}]] | Any | Optional | Allowed keys: id, name, colour_code |
Rule | Enter the rule content. Example: 'rule tdl1 : suspicious_file' | Text | Required | |
External Variables | Enter any external details to add to the threat data content. Example: $JSON[[{\"type\": \"boolean\", \"key\": \"some_string_var\", \"value\": true}]] | Any | Optional | |
Example Request
[ { "rule": "rule Suspicious_File_Strings\n{\n strings:\n $s1 = \"cmd.exe\"\n $s2 = \"powershell\"\n condition:\n any of them\n}" } ]
Action: Delete Note From Threat Data Object
This action deletes a note by its unique ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Note ID | Enter the ID of the note to delete. Example: 8003c6ba-5215-486d-881f-d940dcb78d35 | Text | Required | You can retrieve this using the action List Notes in Threat Data Object. |
Example Request
[ { "note_id": "cd1cb275-b713-4606-b7aa-c373d2bc4575" } ]
Action: Delete Report
This action deletes a report from Intel Exchange. This action is irreversible.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID to delete. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required | You can retrieve this using the action List Reports. |
Report Type | Enter the report type. | Text | Optional | Allowed values: basic, advanced. Default value: basic |
Example Request
[ { "report_id": "2edd6bd6-d6f3-48c6-bc07-3eb75bcc3f46", "report_type": "basic" } ]
Action: Delete Saved Search
This action deletes a saved search using the specified ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Saved Search ID | Enter the unique ID of a saved search to delete. Example: 1a7d5c8a-848a-4a67-af82-e68f3d823c65 | Text | Required | You can retrieve this using the action List Saved Searches. |
Example Request
[ { "saved_search_id": "4ed00bab-2858-496a-b77f-9ff59298208e" } ]
Action: Delete Task From Threat Data Object
This action deletes a task of a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the unique identifier of a task to delete. Example: 2d83e656-4aca-4077-a1d7-4b572cc2fb53 | Text | Required | You can retrieve this using the action List Tasks in Threat Data Object. |
Example Request
[ { "task_id": "521faad7-ac66-4225-b94f-db0d20b7b220" } ]
Action: Enrich Threat Data
This action retrieves the enriched data of a threat data object using the enrichment tool.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
App Slug | Enter the slug of an enrichment tool to retrieve its enriched data. Example: comodo | Text | Required | You can retrieve this using the action List Integrations. |
Object Value | Enter the value of the object to enrich. Example: 1.1.1.1 | Text | Required | |
Object ID | Enter the ID of an object. For indicators, enter the SCO ID object, and for vulnerabilities, enter the vulnerability object ID. Example: 916e0c84-61a6-412b-a25c-e65d6bcdc96b | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the object type to enrich the object. | Text | Required | Allowed values: indicator, vulnerability |
Action Slug | Enter the enrichment action name to retrieve specific details. | Text | Required | Allowed values: get_ip (for IPs), get_domain (for domain), get_url (for URL), get_cve (for vulnerability) |
Example Request
[ { "value": "4.4.4.4", "app_slug": "recorded_future", "object_id": "18950beb-b3f1-41b5-9a13-7c17d1447459", "action_slug": "get_ip", "object_type": "indicator" } ]
Action: Export File
This action retrieves the export data in CSV format.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File ID | Enter the file ID generated by the Generate Export Link action. Example: df21ff51-0d9e-4380-be78-b75889860702 | Text | Required | You can retrieve this using the action Generate Export Link. |
Token | Enter the token that is generated by the Retrieve Download Link action. Example: 61973ea7-5387-4e4b-a221-970fc1dca4xx | Password | Required | You can retrieve this using the action Retrieve Download Link. |
Example Request
[ { "token": "8c5e0fe1-833d-4f07-aea1-bc9b2063f1f7", "file_id": "89588424-1e36-4647-bd39-939f8c5a537d" } ]
Action: Filter Relations by Source
This action retrieves source-specific relations of a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of a threat data object. Example: 09730695-2f63-4a1c-a0fb-a042689588d5 | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the object type to retrieve source-specific relations. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Example Request
[ { "object_id": "bb4338e4-d654-4bc6-ad4f-8174309f6384", "object_type": "indicator" } ]
Action: Generate Export Link
This action generates an export link that can be used to share data on Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Format | Enter the format of the report. Example: csv | Text | Required | Allowed format: csv |
Component | Enter the component of the report to export. Example: threat_data | Text | Required | Allowed value: threat_data |
Query | Enter the CQL query to generate the report. Example: type='indicator' | Text | Required | |
Columns | Enter the list of columns you want to export. Example: $JSON[[{\"key\": \"name\",\"label\": \"value\"},{\"key\": \"type\",\"label\": \"type\"}]] | Any | Required | For the allowed list, see The Column Object. |
Example Request
[ { "query": "type='indicator'", "component": "threat_data", "export_format": "csv", "columns_to_export": [ { "key": "name", "label": "Value" }, { "key": "type", "label": "Type" }, { "key": "tlp", "label": "TLP" }, { "key": "tags", "label": "Tags" }, { "key": "sources", "label": "Source" }, { "key": "source_collections", "label": "Source Collection" }, { "key": "published_collections", "label": "Published Collections" }, { "key": "ctix_created", "label": "System Created Date" }, { "key": "ctix_modified", "label": "System Modified Date" }, { "key": "country", "label": "Country" }, { "key": "analyst_score", "label": "Analyst Score" }, { "key": "source_confidence", "label": "Source Confidence" } ] } ]
The Column Object
Each column object includes the key and value of a column. You can include the following columns in the export file.
Key | Value |
---|---|
name | Value |
type | Type |
tlp | TLP |
tags | Tags |
sources | Source |
source_collections | Source Collection |
published_collections | Published Collections |
ctix_created | System Created Date |
ctix_modified | System Modified Date |
country | Country |
analyst_score | Analyst Score |
source_confidence | Source Confidence |
Action: Get Accounts for Integration Tool
This action lists all accounts of an integration tool in Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tool ID | Enter the integration tool ID to retrieve accounts. Example: 7a7ac2cf-51e9-48fe-a2a8-32e7a684cc33 | Text | Required | You can retrieve this using the action List Integrations. |
Example Request
[ { "tool_id": "3aacfe74-e645-41a7-bcea-25a893a4ef0c" } ]
Action: Get Action Overview
This action retrieves an overview of the action data of a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of a threat data object to retrieve the action overview. Example: 916e0c84-61a6-412b-a25c-e65d6bcdc96b | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the object type to retrieve the action overview. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Layout | Enter the parameter to filter some fields according to the given layout. Example: overview | Text | Required | |
Page Number | Enter the page number to retrieve actions. Example: 1 | Integer | Optional | Default value: 1 |
Page Size | Enter the number of records to retrieve on each page. Example: 3 | Integer | Optional | Default value: 10 |
Example Request
[ { "layout": "overview", "page_no": "1", "object_id": "e907fab8-b3fe-4df2-9ff0-72fd8660dd00", "page_size": "5", "object_type": "indicator" } ]
Action: Get Action Statistics
This action retrieves the statistics of the actions performed on a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of a threat data object to retrieve associated action statistics. Example: 916e0c84-61a6-412b-a25c-e65d6bcdc96b | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the object type to retrieve action statistics. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Is Third Party Action | Choose true to retrieve third-party action statistics only. | Boolean | Optional | Default value: false |
Is Intel Exchange Action | Choose true to retrieve Intel Exchange action statistics only. | Boolean | Optional | Default value: false |
Example Request
[ { "object_id": "e907fab8-b3fe-4df2-9ff0-72fd8660dd00", "object_type": "indicator", "is_ctix_action": true, "is_third_action": false } ]
Action: Get Advanced Details for a Threat Data Object
This action retrieves additional information about a threat data object, such as kill chain phases and published collections.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Type | Enter the type of the object. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Object ID | Enter the ID of the object to retrieve the details. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | You can retrieve this using the action List Threat Data. |
Example Request
[ { "object_id": "b5dac8de-1c37-4d1d-a008-7ee96d42e543", "object_type": "indicator" } ]
Action: Get Key Evidence of Confidence Score
This action retrieves the key evidence for the Intel Exchange confidence score calculation.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the unique ID of an object. Example: dbd48dae-3505-4ace-9c0e-e617d9ccc269 | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the object type. | Text | Optional | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report. Default value: indicator |
Example Request
[ { "object_id": "62789e69-3850-41d0-b46b-b34f4b91a1fb", "object_type": "indicator" } ]
Action: Get Kill Chain Details
This action retrieves the details of a STIX kill chain phase.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Kill Chain ID | Enter the ID of a kill chain phase to retrieve the details. Example: ae78301c-4378-4348-b83e-2e7b4dd8438b | Text | Required | You can retrieve this using the action List Kill Chain Phases. |
Example Request
[ { "kill_chain_id": "27e73c50-7f8d-44c1-bcb4-230661836a72" } ]
Action: Get License Details
This action retrieves the license details.
Action Input Parameters
No input parameters are required for this action.
Action: Get Note Details
This action retrieves the details of the specified note.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Note ID | Enter the note ID to retrieve the details. Example: 711f396d-0bf9-40bf-8693-e31aff702bbf | Text | Required | You can retrieve this using the action List Notes in Threat Data Object. |
Example Request
[ { "note_id": "cd1cb275-b713-4606-b7aa-c373d2bc4575" } ]
Action: Get Object Source Details
This action retrieves source-specific details of a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source Object ID | Enter the source object ID to retrieve the details of a threat data object ingested by a particular source at a given time. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required | You can retrieve this using the action List Threat Data Object Sources. |
Object Type | Enter the object type. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report. Default value: indicator |
Example Request
[ { "object_id": "7c4786c6-f537-4793-b2fa-f12cc841e8dd", "object_type": "indicator" } ]
Action: Get Object Source Details in List View
This action lists all the occurrences when the specified threat data object was ingested into the platform by the given source.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of a threat data object. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the object type. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Source ID | Enter the ID of a source to retrieve the instances of the source. Example: bc8c1d21-3bf1-4b19-bf6b-f31db555c1ec | Text | Required | You can retrieve this using the action List Source Details. |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Default value: 10 |
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Layout | Enter the layout to filter the number of returned fields in the response. Example: tab | Text | Optional | |
Example Request
[ { "page_no": "1", "object_id": "62789e69-3850-41d0-b46b-b34f4b91a1fb", "page_size": "2", "object_type": "indicator", "source_id": "bc8c1d21-3bf1-4b19-bf6b-f31db555c1ec" } ]
Action: Get Quick Action Details
This action retrieves the status of the quick actions performed on a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Type | Enter the type of the threat data object. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Object ID | Enter the ID of a threat data object. Example: 81f699f3-314d-4a6c-a26b-c5802552c0f7 | Text | Required | You can retrieve this using the action List Threat Data. |
Example Request
[ { "object_id": "bb4338e4-d654-4bc6-ad4f-8174309f6384", "object_type": "indicator" } ]
Action: Get Relations Overview
This action retrieves the overall relations statistics of a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the object ID to retrieve the details. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the object type. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Example Request
[ { "object_id": "bb4338e4-d654-4bc6-ad4f-8174309f6384", "object_type": "indicator" } ]
Action: Get Report Details
This action retrieves the details of a report.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID to retrieve the details. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required | You can retrieve this using the action List Reports. |
Report Type | Enter the report type. | Text | Required | Allowed values: basic, advanced |
Example Request
[ { "report_id": "52331c5e-f491-45fb-8577-749c88c1c84a", "report_type": "advanced" } ]
Action: Get Report Run Logs
This action retrieves the report run logs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID to retrieve the run logs. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e. | Text | Required | You can retrieve this using the action List Reports. |
Type | Enter the report type. | Text | Required | Allowed values: basic, advanced |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Default value: 10 |
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Example Request
[ { "page_no": "1", "page_size": "5", "report_id": "293b2390-7c50-454f-939b-0e1be8f77bc6", "report_type": "basic" } ]
Action: Get Result of Parse IOCs Task
This action retrieves the result of a parse IOCs task after the Create Task to Parse IOCs action has processed it successfully.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the ID for the parse IOCs task to retrieve the result. Example: 345 | Integer | Required | You can retrieve this using the action Create Task to Parse IOCs. |
Example Request
[ { "task_id": "345" } ]
Action: Get Rule Details
This action retrieves the details about a rule.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule ID | Enter the rule ID to get details. Example: f44312d8-452a-4c7e-93b5-39af07d642db | Text | Required | You can retrieve this using the action List Rules. |
Example Request
[ { "rule_id": "62a40a30-8582-4020-a181-28a10b3e9775" } ]
Action: Get Saved Search Details
This action retrieves the details of a saved search.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Saved Search ID | Enter the ID of the saved search to get details. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required | You can retrieve this using the action List Saved Searches. |
Example Request
[ { "saved_search_id": "40a15e3d-8ed8-487f-ab73-52d126b90b8d" } ]
Action: Get Signed in User Details
This action retrieves details of the currently logged-in user.
Action Input Parameters
No input parameters are required for this action.
Action: Get Task Details in Threat Data Object
This action retrieves the details of a task.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the unique ID of a task to retrieve the details. Example: e536dc79-9d34-4944-855a-64f832568b8c | Text | Required | You can retrieve this using the action List Tasks in Threat Data Object. |
Example Request
[ { "task_id": "47e7cb73-af65-43e3-950d-eda05669f6d0" } ]
Action: Get Task Details of Parsing IOCs
This action retrieves the details of the specified parse IOCs task.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the ID of a parse IOCs task to retrieve the status. Example: 345 | Integer | Required | |
Fields | Enter the value to retrieve specific details about the task. | Text | Optional | Allowed values: status, updated, queue_name, actor_name |
Example Request
[ { "fields": "actor_name", "task_id": "396" } ]
Action: Get Task Overview in Threat Data Object
This action retrieves an overview of the tasks created for a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of an object to retrieve an overview of the associated tasks. Example: 00a26ec9-1490-4cd5-a659-c25525ffc238 | Text | Optional | You can retrieve this using the action List Threat Data. |
Query | Enter the query to search for a task type. Example: indicator | Text | Optional | |
Priority | Enter the priority of the tasks. | Text | Optional | Allowed values: high, medium, low |
Additional Params | Enter the additional parameters to retrieve the task overview. | Key Value | Optional | Allowed keys: type, status, created_by, assignee, deadline_gte, deadline_lte |
Example Request
[ { "query": "task", "priority": "medium", "extra_params": { "type": "indicator" } } ]
Action: Get Threat Data Object Details
This action retrieves basic correlated details of a threat data object in Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of the object to retrieve the details. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the type of the object to retrieve the details. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Example Request
[ { "object_id": "62789e69-3850-41d0-b46b-b34f4b91a1fb", "object_type": "indicator" } ]
Action: Get User Details
This action retrieves the details of the specified user.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the user ID to retrieve the details. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | You can retrieve this using the action List Users. |
Example Request
[ { "user_id": "d29f7b59-91e1-4514-972c-e6bb02799752" } ]
Action: Get User Group Details
This action retrieves the details of the specified user group.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User Group ID | Enter the user group ID to get details. Example: cf0e148b-5f7a-4f05-8f4d-081fa1743231 | Text | Required | You can retrieve this using the action List User Groups. |
Example Request
[ { "user_group_id": "61aa6fee-40a2-4395-94f8-f3b933c98488" } ]
Action: Get Widget Data
This action retrieves the data of a particular widget present in Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Widget Slug | Enter the widget slug to get details. Example: ioc_vs_allowed | Text | Required | You can retrieve this using the action List Widgets. |
Created From | Enter the timestamp in epoch to get data from. Example: 1650375753 | Integer | Optional | |
Created Until | Enter the timestamp in epoch to get data until. Example: 1650375753 | Integer | Optional | |
Page Size | Enter the number of records to retrieve on each page. | Integer | Optional |
Example Request
[ { "size": "4", "widget_name": "ioc_vs_allowed", "created_from": "1713937557", "created_till": "1745473558" } ]
Action: Import Intel
This action imports threat data to Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Path | Enter the file path for the data to be imported. | Text | Optional | Allowed values: .json, .xml, .csv, url. For more information, see Cyware Intel Exchange API documentation. |
Collection ID | Enter the ID of the collection to which the file is imported. Example: 603dd2cf-2c3e-4a6b-8200-505d3586df1f | Text | Optional | You can retrieve this using the action List All Collections. |
Version | If the file format is STIX1 or STIX2, enter the STIX version. | Text | Optional | Allowed values: 1.0, 2.0, 2.1. Default value: 2.1 |
File Format | Enter the format for the import. | Text | Optional | Allowed values: cy-csv, misp, openioc, stix1, stix2, stix20, stix1url, and csv-recorded-future. Default value: stix2 |
URL Type | Enter URL information if the file format is STIX1 URL. Example: {"id": "url", "name": "stix 1.x url", "type": "url", "accept": "url", "slug": "stix1url"} | Key Value | Optional | |
STIX1 URL | Enter the URL to specify the location of a STIX 1.x file when the file format is stix1url. Example: https://www.exampledomain/sites/default/files/2023-12/aa23-335a.stix__0.xml | Text | Optional |
Example Request
[ { "url_type": {}, "file_path": "/tmp/37f54aff-18e2-4e79-8709-4917203e040a/1745741872_indicatord4263f0f297049c2aa9b5ae186b460faDecember1020240947AM.xml", "collection_id": "e8e26917-4e31-49ea-a77f-c1e20f52e15d", "format_of_file": "stix1" } ]
Action: Ingest STIX Data
This action is used to ingest STIX 2.1 data into Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source ID | Enter the ID of the source to ingest the data in. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | You can retrieve this using the action List Sources. |
Collection ID | Enter the ID of the collection to ingest the data into. Example: 777775a5-5ad2-4239-b5eb-aba1e48f2113 | Text | Required | You can retrieve this using the action List Source Collections. |
Source Type | Enter the type of the source to ingest the data. Example: custom_stix_sources | Text | Required | |
Bundle | Enter the STIX bundle to ingest the data. Ensure that this is a valid STIX bundle. Example: $JSON[{ "id": "bundle--eaa3295e-34bc-432b-9deb-111110fff237", "type": "bundle", "objects": [ { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061", "name": "spear phishing", "confidence": 0, "revoked": false } ] }] | Any | Required | |
Imported Timestamp | Enter the imported timestamp. Example: 1436253893 | Integer | Optional |
Example Request
[ { "bundle": { "id": "bundle--283403c3-f0e2-4667-bef9-651ebafcb14c", "objects": [ { "created": "2025-04-17T14:21:02.474369Z", "id": "identity--821db0f3-217d-469a-b7a5-666a6444b83d", "identity_class": "organization", "labels": [ "company" ] } ], "type": "bundle" }, "source_id": "464f7431-68eb-41e6-a6c0-498df8cc1ecf", "source_type": "Edgar_Sec_filings", "collection_id": "e9654fbd-6a69-48db-8f40-e325106c4f23", "imported_timestamp": "1745556697" } ]
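A pre-flight check for the Ingest STIX Data input, added here as an example (it is not Cyware's code). It covers a structural subset of STIX 2.1 rather than full schema validation, and assumes source and collection IDs are UUIDs as in the examples on this page; all function names and sample values are constructed.

```python
import json
import re
import uuid

TYPE_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")  # STIX type names
REQUIRED = ("source_id", "collection_id", "source_type", "bundle")  # "Required" rows

def is_uuid(value):
    """True only for a canonical hyphenated UUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def split_stix_id(value):
    """Return (type, uuid) for a well-formed '<type>--<uuid>' id, else None."""
    if not isinstance(value, str):
        return None
    obj_type, sep, ident = value.partition("--")
    if not sep or not TYPE_RE.match(obj_type) or not is_uuid(ident):
        return None
    return obj_type, ident

def check_object(obj, where, errors):
    if not isinstance(obj, dict):
        errors.append(f"{where}: not a JSON object")
        return
    parts = split_stix_id(obj.get("id"))
    if parts is None:
        errors.append(f"{where}: id {obj.get('id')!r} is not '<type>--<uuid>'")
    elif parts[0] != obj.get("type"):
        errors.append(f"{where}: id prefix {parts[0]!r} does not match type {obj.get('type')!r}")
    # The action ingests STIX 2.1, so any other declared version is a mismatch.
    if obj.get("spec_version", "2.1") != "2.1":
        errors.append(f"{where}: spec_version {obj['spec_version']!r} is not 2.1")
    # STIX reference properties end in _ref / _refs and must hold identifiers.
    for key, value in obj.items():
        refs = [value] if key.endswith("_ref") else value if key.endswith("_refs") else []
        for ref in refs if isinstance(refs, list) else [refs]:
            if split_stix_id(ref) is None:
                errors.append(f"{where}: {key} holds {ref!r}, not a STIX id")

def check_bundle(bundle, errors):
    if not isinstance(bundle, dict) or bundle.get("type") != "bundle":
        errors.append("bundle: must be a JSON object with type 'bundle'")
        return
    parts = split_stix_id(bundle.get("id"))
    if parts is None or parts[0] != "bundle":
        errors.append(f"bundle: id {bundle.get('id')!r} is not 'bundle--<uuid>'")
    objects = bundle.get("objects")
    # An empty bundle ingests nothing, so this check treats it as an error.
    if not isinstance(objects, list) or not objects:
        errors.append("bundle: 'objects' must be a non-empty list")
        return
    for i, obj in enumerate(objects):
        check_object(obj, f"objects[{i}]", errors)

def validate_request(request):
    """Return a list of problems for one action input; [] means it passed."""
    if not isinstance(request, dict):
        return ["request must be a JSON object"]
    errors = [f"missing required parameter {k!r}" for k in REQUIRED
              if request.get(k) in (None, "")]
    for key in ("source_id", "collection_id"):  # assumption: IDs are UUIDs
        if request.get(key) not in (None, "") and not is_uuid(request[key]):
            errors.append(f"{key} {request[key]!r} is not a UUID")
    ts = request.get("imported_timestamp")
    if ts is not None and not re.fullmatch(r"[0-9]+", str(ts)):
        errors.append(f"imported_timestamp {ts!r} is not an epoch integer")
    if request.get("bundle") not in (None, ""):
        check_bundle(request["bundle"], errors)
    return errors

def validate_request_text(text):
    """Parse the JSON text of an action input (a list of requests) and check each."""
    try:
        payload = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}"]
    requests = payload if isinstance(payload, list) else [payload]
    return [f"request[{i}]: {e}" for i, r in enumerate(requests)
            for e in validate_request(r)]

# Constructed sample inputs (not taken from a live Intel Exchange instance).
_BUNDLE_ID = "bundle--0a0a0a0a-1b1b-4c2c-8d3d-4e4e4e4e4e4e"
_IDENTITY = "identity--12345678-1234-4234-8234-123456789abc"
_INDICATOR = "indicator--87654321-4321-4321-8321-cba987654321"
GOOD = json.dumps([{
    "source_id": "11111111-2222-4333-8444-555555555555",
    "collection_id": "66666666-7777-4888-9999-aaaaaaaaaaaa",
    "source_type": "custom_stix_sources", "imported_timestamp": "1745556697",
    "bundle": {"type": "bundle", "id": _BUNDLE_ID, "objects": [
        {"type": "identity", "spec_version": "2.1", "id": _IDENTITY,
         "name": "Example Org", "identity_class": "organization"},
        {"type": "indicator", "spec_version": "2.1", "id": _INDICATOR,
         "created_by_ref": _IDENTITY}]},
}])
BAD = json.dumps([{
    "source_id": "11111111-2222-4333-8444-555555555555",
    "collection_id": "not-a-uuid",
    "bundle": {"type": "bundle", "id": _BUNDLE_ID, "objects": [
        {"type": "malware", "spec_version": "2.0", "id": _INDICATOR,
         "created_by_ref": "identity--unknown"}]},
}])
TRAILING_COMMA = '[ { "bundle": { "objects": [ { "labels": [ "company" ], } ] } } ]'

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD), ("TRAILING_COMMA", TRAILING_COMMA)):
        print(name, validate_request_text(text) or "ok")
```

Running the check in the playbook step before the action keeps malformed bundles from reaching the collection, where a mismatched `id`/`type` pair or a dangling reference is harder to trace.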
Action: List Actions
This action retrieves a list of actions performed on a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of a threat data object to retrieve actions. Example: 916e0c84-61a6-412b-a25c-e65d6bcdc96b | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the object type. | Text | Optional | Allowed values: attack pattern, campaign, course of action, grouping, and more. |
App Type | Enter the type of the app that performed the action. Example: ctix | Text | Optional | |
Action Type | Enter the type of actions to retrieve. | Text | Optional | Allowed values: manual, automatic |
Page Number | Enter the page number to retrieve actions. Example: 1 | Integer | Optional | Default value: 1 |
Page Size | Enter the number of actions to retrieve on each page. Example: 3 | Integer | Optional | Default value: 10 |
Example Request
[ { "page_no": "1", "app_type": "ctix", "object_id": "db4ebc15-2def-4af9-9a92-c464521df3a5", "page_size": "5", "action_type": "manual", "object_type": "domain-name" } ]
Action: List All Collections
This action lists all collections on Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Default value: 10 |
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Sort By | Enter the sorting order for collections based on their creation time. | Text | Optional | Allowed values: -created to sort in descending order, and created to sort in ascending order |
Is Active | Choose true to retrieve active collections. | Boolean | Optional | Default value: true |
Created After | Enter the start time in EPOCH format to retrieve collections created after this timestamp. Example: 1716958173 | Integer | Optional | |
Created Before | Enter the end time in EPOCH format to retrieve collections created before this timestamp. Example: 1717012366 | Integer | Optional | |
Collection Type | Enter the type of collection. | Text | Optional | Allowed values: inbox, polling |
Query | Enter a keyword to search collections based on the title. Example: custom | Text | Optional | |
Nominal | Choose true to retrieve collections with the ID and name of the collections. | Boolean | Optional | Default value: false |
Additional Params | Enter any additional params to pass with the request. | Key Value | Optional | Allowed values: polling, inbox, is_editable, has_subscribed, created, marking_config, default_marking_definition |
Example Request
[ { "nominal": true, "page_no": "1", "sort_by": "-created", "is_active": true, "page_size": "100", "created_to": "1745474781", "created_from": "1713938777", "extra_params": {}, "collection_type": "inbox" } ]
Action: List All Tags
This action lists all tags from Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to retrieve tags of a specific page. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of items to retrieve on each page. | Integer | Optional | Default value: 10 |
Created After | Enter the start time in EPOCH format to filter tags created after this timestamp. Example: 1716958173 | Integer | Optional | |
Created Before | Enter the end time in EPOCH format to filter tags created before this timestamp. Example: 1717012366 | Integer | Optional | |
Created By | Enter the ID of the creator to filter tags. Example: 5f51be4c-c2cf-4dac-9cee-7e289205143c | Text | Optional | You can retrieve this using the action List Users. |
Modified From | Enter the modified from time in EPOCH format to filter tags. Example: 1705363200 | Integer | Optional | |
Modified To | Enter the modified time in EPOCH format to filter tags. Example: 1706745599 | Integer | Optional | |
Query | Enter the query to search. Example: tag-name | Text | Optional | |
Tag Type | Enter the tag type to filter tags. | Text | Optional | Allowed values: automated and manual |
Additional Params | Enter any additional parameters to pass with the payload. Example: 'created_from': '1628361607' | Key Value | Optional |
Example Request
[ { "page_no": "1", "page_size": "6", "extra_params": { "is_active": "true" } } ]
Action: List API Feeds
This action lists all API feeds available on Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to retrieve the results from. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of records to retrieve on each page. | Integer | Optional | Default value: 10 |
Retrieve Full List | Choose true to retrieve all API feed sources without pagination. | Boolean | Optional | Default value: false |
Query | Enter a query to filter intel feeds by. This is a free-text match. | Text | Optional | |
Is Active | Choose true to retrieve active API feed sources. | Boolean | Optional | By default, all available feed sources are retrieved. |
Example Request
[ { "page_no": "1", "is_active": true, "page_size": "10", "extra_params": {} } ]
Action: List Custom Attributes of Threat Data Object
This action retrieves the custom attributes of a threat data object for all the sources from which the object has been received.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the unique ID of an object. Example: dbd48dae-3505-4ace-9c0e-e617d9ccc269 | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the type of the object. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Example Request
[ { "object_id": "62789e69-3850-41d0-b46b-b34f4b91a1fb", "object_type": "indicator" } ]
Action: List Enriched Objects
This action lists the enriched data of the specified threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Size | Enter the number of records to return on each page. | Integer | Optional | Default value: 10 |
Page Number | Enter the page number to retrieve results. | Integer | Optional | Default value: 1 |
Layout | Enter the layout to return the responses. Example: overview | Text | Optional | |
Tool | Enter the enrichment tool ID to return the responses. Example: 03694ab0-0e9f-45f4-a4c4-2b6eaedd4803 | Text | Optional | You can retrieve this using the action List Integrations. |
Object Type | Enter the object type to return the responses. Example: indicator | Text | Optional | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Object ID | Enter the object ID to return the responses. Example: 03694ab0-0e9f-45f4-a4c4-2b6eaedd4803 | Text | Optional | You can retrieve this using the action List Threat Data. |
Example Request
[ { "object_id": "e0c74e84-ddda-4b5f-85bd-98ef5d7f5fdf", "object_type": "indicator", "extra_params": {} } ]
Action: List Integrations
This action lists integrations configured in Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the keyword or integration name to search the tool. Example: abuse | Text | Optional | |
Category | Enter the category to filter integrations by. Example: security_information_and_event_managment_system, threat_intelligence_enrichment, endpoint_detection_response, security_orchestration_automation_response, cyware_product | Text | Optional | |
Is Active | Choose true to retrieve active integrations. | Boolean | Optional | Default value: false |
Nominal | Choose true to retrieve the ID, title, and slug name of the tools. | Boolean | Optional | Default value: false |
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Default value: 10 |
Additional Params | Enter any additional parameters to pass. Example: q, nominal | Key Value | Optional |
Example Request
[ { "page_no": "1", "category": "security_information_and_event_managment_system", "page_size": "3", "extra_params": {} } ]
Action: List Intel History
This action retrieves the history of an intel added to Intel Exchange through various sources.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of items to retrieve on each page. | Integer | Optional | Default value: 10 |
Component | Enter the component name to retrieve the intel history for that specific source. | Text | Optional | Allowed values: import-intel, openapi, rss_feed, rule, stix-form, and more. Default value: quick-add-intel |
Filter Query | Enter a query to search for an intel based on the title. Example: enter "ip" to list all intel items containing "ip" in the title. | Text | Optional | |
Intel Status | Enter a value to retrieve intel based on the status. | Text | Optional | Allowed values: pending, processing, created, draft, failed, and published |
Additional Params | Enter the additional parameters to filter the response. Example: 'created_from': '1628361607' | Key Value | Optional | Allowed keys: created_from, created_to, published_from, q, sort, published_to, created_by_id, status, page_size, page, and component. |
Example Request
[ { "page": "2", "component": "quick-add-intel", "page_size": "10", "extra_params": { "q": "ip", "sort": "created" } } ]
Action: List IOC Types
This action lists all valid indicator of compromise (IOC) types supported by the Intel Exchange platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Text | Enter the query to search for an IOC type. Example: art | Text | Optional |
Example Request
[ { "query_text": "email" } ]
Action: List Kill Chain Phases
This action retrieves kill chain information of a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Type | Enter the object type. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Object ID | Enter the ID of a threat data object. Example: 09730695-2f63-4a1c-a0fb-a042689588d5 | Text | Required | You can retrieve this using the action List Threat Data. |
Page Number | Enter the page number to retrieve the kill chain phases. Example: 2 | Integer | Optional | Default value: 1 |
Page Size | Enter the number of records to retrieve on each page. Example: 4 | Integer | Optional | Default value: 10 |
Example Request
[ { "object_id": "b5dac8de-1c37-4d1d-a008-7ee96d42e543", "object_type": "indicator" } ]
Action: List Notes in Threat Data Object
This action retrieves a list of notes associated with a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of a threat data object to retrieve the associated notes. Example: 916e0c84-61a6-412b-a25c-e65d6bcdc96b | Text | Required | You can retrieve this using the action List Threat Data. |
Page Number | Enter the page number to go to a specific page. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of items to retrieve on each page. | Integer | Optional | Default value: 10 |
Additional Params | Enter any additional parameters to pass with the payload. Example: created_from: 1628361607 | Key Value | Optional |
Example Request
[ { "page_no": "1", "object_id": "7c4786c6-f537-4793-b2fa-f12cc841e8dd", "page_size": "2", "extra_params": { "created_from": "1744720591" } } ]
Action: List Published Collections of a Threat Object
This action retrieves the published collections of a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Type | Enter the object type. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Object ID | Enter the ID of a threat data object. Example: 09730695-2f63-4a1c-a0fb-a042689588d5 | Text | Required | You can retrieve this using the action List Threat Data. |
Page Size | Enter the number of records to retrieve on each page. Example: 4 | Integer | Optional | Default value: 10 |
Page Number | Enter the page number to retrieve the details. | Integer | Optional | Default value: 1 |
Additional Params | Enter additional parameters to list published collections. | Key Value | Optional |
Example Request
[ { "object_id": "18950beb-b3f1-41b5-9a13-7c17d1447459", "page_size": "2", "extra_param": "“Save Node Input” is disabled.", "object_type": "indicator" } ]
Action: List Relations of Threat Data Object
This action retrieves the list of relations and their details for a given threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the object ID to get details of. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the object type. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Sources | Enter the list of IDs of the sources to filter the results by. Example: $LIST['7a7ac2cf-51e9-48fe-a2a8-32e7a684cc33'] | List | Optional | |
Page Number | Enter the page number of the response to fetch. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of items to return on each page. | Integer | Optional | Default value: 10 |
Additional Data | Enter the additional data to pass to the query. Example: {'page_size': 10} | Key Value | Required |
Example Request
[ { "object_id": "bb4338e4-d654-4bc6-ad4f-8174309f6384", "object_type": "indicator", "extra_params": { "page": "1" } } ]
Action: List Reports
This action lists reports on Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Type | Enter the report type to query. | Text | Required | Allowed values: basic, advanced |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Default value: 10 |
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Repeat Type | Enter the frequency of the report run schedule. | Text | Optional | Allowed values: daily, weekly, and monthly |
Shared Type | Enter the visibility of the reports. | Text | Optional | Allowed values: private, global |
Created By | Enter the ID of the user who created the reports. | Text | Optional | You can retrieve this using the action List Users. |
Modified By | Enter the ID of the user who modified the reports. | Text | Optional | You can retrieve this using the action List Users. |
Additional Params | Enter any additional parameters to pass with the request. | Key Value | Optional | Allowed values: created_from, created_to, modified_from, modified_to and more. |
Example Request
[ { "page_no": "1", "page_size": "10", "repeat_type": "daily", "report_type": "basic", "shared_type": "global", "extra_params": {} } ]
Action: List Rules
This action lists all the enrichment rules.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of records to return on each page. | Integer | Optional | Default value: 10 |
Source | Enter a comma-separated list of source IDs to filter rules with matching source. Example: 98230f-0e9f-45f4-a4c4-sdv89023hb3423,98230f-0e9f-45f4-a4c4-sdv89023hb3424 | Text | Optional | You can retrieve this using the action List Sources. |
Created By ID | Enter the Intel Exchange user ID to filter rules created by that user. Example: 03694ab0-0e9f-45f4-a4c4-2b6eaedd4803 | Text | Optional | |
Status | Enter the status of the rules. | Text | Optional | Allowed values: draft, active, inactive. By default, rules with all statuses are retrieved. |
Last Active Till | Enter the timestamp in epoch to filter successfully executed rules until the given value. Example: 1579289600 | Integer | Optional | |
Last Active From | Enter the timestamp in epoch to filter successfully executed rules from the given value. Example: 1579289600 | Integer | Optional | |
Created From | Enter the timestamp in epoch to filter rules created from the given timestamp. Example: 1579289600 | Integer | Optional | |
Created Until | Enter the timestamp in epoch to filter rules created until the given timestamp. Example: 1579289600 | Integer | Optional | |
Return Minimal Response | Choose true to return the minimal response. Choose false to retrieve complete details of the objects. | Boolean | Optional | Default value: true |
Is Manual Run | Choose true to retrieve rules that are configured for manual execution only. | Key Value | Optional | Default value: false |
Example Request
[ { "created_to": "1745226984", "created_from": "1713690983", "extra_params": {}, "created_by_id": "f023feca-9ba8-40f2-9912-0cc80df9889a", "last_active_to": "1745226984", "last_active_from": "1713690983" } ]
Action: List Saved Result Set
This action retrieves saved result sets from Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Version | Enter the saved result set version. | Text | Optional | Allowed values: v2 and v3. Default value: v3 |
Label Name | Enter the tag name to filter data. All data associated with the passed tag will be returned. | Text | Optional | |
Published From | Enter the start of the published time range in epoch format to retrieve data from this time. Example: 1649406695 | Integer | Optional | |
Published Till | Enter the end of the published time range in epoch format to retrieve data up to this time. Example: 1650265251 | Integer | Optional | |
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of records to retrieve on each page. | Integer | Optional | Default value: 10 |
Example Request
[ { "version": "v3", "extra_params": {} } ]
Action: List Saved Searches
This action lists saved searches on Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Default value: 10 |
Search Query | Enter the query to search for a saved search. Example: malware | Text | Optional | |
Additional Params | Enter the extra parameters to list saved searches. | Key Value | Optional | Allowed values: page, page_size, and query |
Example Request
[ { "page_no": "1", "page_size": "5", "extra_params": { "query": "malware" } } ]
Action: List Source Collections
This action retrieves a list of collections for the sources.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source | Enter the unique ID of the source to retrieve associated collections. Example: 5430d746-61ce-4ef7-b1d9-5c03446eca9a | Text | Optional | You can retrieve this using the action List Sources. |
Nominal | Choose true to apply Cyware Query Language (CQL). | Boolean | Optional | |
CQL Query | Enter the CQL query to filter the source collections. | Str | Optional | |
Page Number | Enter the page number to retrieve collections. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of collections to retrieve on each page. | Integer | Optional | Default value: 10 |
Fetch Imported Collections | Choose true to fetch imported collections. | Boolean | Optional | Default value: true |
Example Request
[ { "page": "2", "source": "b2f4ff80-071a-4e5e-b9bc-4f81729a981d", "nominal": "False", "page_size": "15" } ]
Action: List Source Details
This action retrieves the source information for the given object type and object ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Type | Enter the object type to retrieve source information. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Object ID | Enter the object ID to retrieve source information. Example: 09730695-2f63-4a1c-a0fb-a042689588d5 | Text | Required | You can retrieve this using the action List Threat Data. |
Page Number | Enter the page number to retrieve sources. Example: 2 | Integer | Optional | Default value: 1 |
Page Size | Enter the number of records to retrieve on each page. Example: 4 | Integer | Optional | Default value: 1 |
Example Request
[ { "page": "1", "object_id": "62789e69-3850-41d0-b46b-b34f4b91a1fb", "page_size": "2", "object_type": "indicator" } ]
Action: List Source External References
This action lists all external references associated with a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the object ID to retrieve external references. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the object type. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Default value: 10 |
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Example Request
[ { "page_no": "2", "object_id": "ebe800fc-c49d-443d-a924-020cd651d7ce", "page_size": "1", "object_type": "indicator" } ]
Action: List Sources
This action lists all the feed sources.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source Type | Enter a comma-separated list of source type names to filter sources by type. Example: custom_stix_sources,web_scrapper | Text | Optional | |
Nominal | Choose true to apply Cyware Query Language (CQL). | Boolean | Optional | Default value: false |
Page Number | Enter the page number to retrieve sources from. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of sources to be retrieved on each page. | Integer | Optional | Default value: 10 |
Query | Enter the query to filter the response. Set nominal to true to run the query. | Text | Optional | |
Example Request
[ { "nominal": false, "page_no": "1", "page_size": "10", "source_type": "custom_stix_sources,web_scrapper" } ]
Action: List Source Types
This action retrieves the types of feed sources available in the Intel Exchange platform.
Action Input Parameters
No input parameters are required for this action.
Action: List Subscribers
This action lists the subscribers configured in Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Default value: 10 |
Subscriber ID | Enter the subscriber ID to filter the response based on it. Example: 5d4f094e-df41-442b-a12b-9977e7128003 | Text | Optional | |
Organization Name | Enter the organization name to filter subscribers. Example: acme | Text | Optional | |
Retrieve Active Subscribers | Choose true to retrieve active subscribers. Pass false to retrieve inactive subscribers. | Boolean | Optional | Default value: true |
Nominal | Choose true to retrieve only the name and ID of the subscribers. | Boolean | Optional | Default value: false |
Added After | Enter the start time in epoch format to filter subscribers added after this timestamp. Example: 1716958173 | Integer | Optional | |
Added Before | Enter the end time in epoch format to filter subscribers added before this timestamp. Example: 1717012366 | Integer | Optional | |
Sort By | Enter the sorting order for subscribers based on their creation time. | Text | Optional | Allowed values: -created (to sort in descending order) and created (to sort in ascending order). |
Additional Params | Enter any additional parameters to pass. Example: last_pull_from and last_pull_to | Key Value | Optional | |
Example Request
[ { "page_no": "1", "page_size": "6", "extra_params": { "sort": "-created", "nominal": "true" } } ]
Action: List Tasks in Threat Data Object
This action retrieves the list of tasks associated with a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of a threat data object to retrieve the associated tasks. Example: 00018ede-2695-4fa1-b253-56374f18bca8 | Text | Required | You can retrieve this using the action List Threat Data. |
Created By | Enter the ID of a user to filter tasks by the user who created the task. Example: 0eea7e23-9670-4c5f-9742-2666ddf0be74 | Text | Optional | You can retrieve this using the action List Users. |
Start Date | Enter the start date of the task deadline in epoch format to filter tasks. Example: 1623393469 | Integer | Optional | |
End Date | Enter the end date of the task deadline in epoch format to filter tasks. Example: 1623393501 | Integer | Optional | |
Page Number | Enter the page number to go to a specific page. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of items to retrieve on each page. | Integer | Optional | Default value: 10 |
Task Assignee | Enter the ID of a user to filter tasks by the assigned user. Example: ed213e1e-fa2b-476e-8778-4d4c61722494 | Text | Optional | You can retrieve this using the action List Users. |
Task Status | Enter the status to filter tasks. Example: not_started | Text | Optional | |
Task Priority | Enter the priority to filter tasks. Example: medium | Text | Optional | Allowed values: low, medium, high |
Additional Params | Enter the additional parameters to list tasks. | Key Value | Optional | Allowed values: page, page_size, priority, status, assignee, deadline_gte, deadline_lte, created_by, object_id |
Example Request
[ { "object_id": "1879725552434888956", "created_by": "c9a511e8-18be-444f-9f27-d8fb61e7e8c0", "deadline_gte": "1743017400", "deadline_lte": "1744968838", "extra_params": { "page": "1", "status": "not_started", "page_size": "2" } } ]
Action: List Threat Data
This action retrieves a list of threat data objects available for use in the Threat Investigations Canvas in Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
CQL Query | Enter the CQL to list threat data. Example: type = 'indicator' | Text | Optional | |
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Default value: 10 |
Enrichment | Choose true to retrieve the details of the last enrichment for the objects that can be enriched. | Boolean | Optional | Default value: true |
Sort by | Enter the value to sort the response. Example: ctix_created | Text | Optional | Allowed values: valid_from, valid_until, ctix_modified, type, id, sub_type, indicator_type, ioc_type, tlp, tags, sources, source_collections, subscribers, published_collections, subscriber_collections, severity, last_seen, first_seen, created, modified, ctix_created, name, country, confidence_score, analyst_score, analyst_tlp, confidence_type, source_confidence, is_reviewed, is_under_review, is_deprecated, is_whitelisted, is_revoked, is_false_positive, is_actioned, primary_attribute, is_watchlist, custom_attributes, analyst_cvss_score, source_created, received_id, pattern, custom_scores, marking_definitions, analyst_markings |
Retry Count | Enter the number of times to retry the request in case of a failure. | Integer | Optional | Maximum allowed value: 10. Default value: 3 |
Retry Interval | Enter the interval (seconds) between retries. | Integer | Optional | Maximum allowed value: 10. Default value: 2 |
Additional Params | Enter additional parameters to list threat data. | Key Value | Optional | |
Example Request
[ { "page_no": "2", "cql_query": "type='indicator'", "page_size": "25", "enrichment": false, "page_limit": "30", "extra_params": { "sort": "ctix_created" } } ]
Action: List Threat Data Object Details in Table View
This action retrieves threat data object details in a tabular format.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of a threat data object. Example: 09730695-2f63-4a1c-a0fb-a042689588d5 | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the object type. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Page Number | Enter the page number to retrieve the details. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of records to retrieve per page. | Integer | Optional | Default value: 10 |
Example Request
[ { "page_no": "1", "object_id": "62789e69-3850-41d0-b46b-b34f4b91a1fb", "page_size": "2", "object_type": "indicator" } ]
Action: List Threat Data Object Sources
This action retrieves a list of feed sources associated with a threat data object, along with their description, fanged description, and de-fanged description.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object ID | Enter the ID of a threat data object. Example: 09730695-2f63-4a1c-a0fb-a042689588d5 | Text | Required | You can retrieve this using the action List Threat Data. |
Object Type | Enter the object type. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Example Request
[ { "object_id": "62789e69-3850-41d0-b46b-b34f4b91a1fb", "object_type": "indicator" } ]
Action: List User Groups
This action retrieves a list of user groups from Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter a query to filter user groups by. Example: admin | Text | Optional | |
Page Number | Enter the page number of the response to fetch. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of items to return per page. | Integer | Optional | Default value: 10 |
Additional Params | Enter any additional parameters to pass with the payload. Example: is_active: true, created_from: 1628361607 | Key Value | Optional | Allowed values: page, page_size, created_by, created_from, created_to, is_active, and q |
Example Request
[ { "query": "admin", "page_no": "1", "page_size": "5", "extra_params": { "is_active": "true" } } ]
Action: List Users
This action lists all the users of the Intel Exchange application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter a query to filter users by. Example: john doe | Text | Optional | |
Page Number | Enter the page number of the response to fetch. | Integer | Optional | Default value: 1 |
Page size | Enter the number of items to return on each page. | Integer | Optional | Default value: 10 |
Additional Params | Enter any additional parameters to pass with the payload. | Key Value | Optional | Allowed keys: invited_by, sort, is_active, is_blocked, page, page_size, created_from, created_to, q, invite_status, activity_from, activity_to, and group |
Example Request
[ { "query": "User", "page_no": "1", "page_size": "10", "extra_params": { "sort": "date_joined", "invite_status": "INVITED" } } ]
Action: List Widgets
This action lists widgets present in Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Widget Location | Enter the types of widgets to retrieve in comma-separated values. | Text | Optional | Allowed values: dashboard, hero, custom-dashboard-widget, information-widget, custom-hero-card. Default value: dashboard |
Page Number | Enter the page number to retrieve results from. | Integer | Optional | Default value: 1 |
Page Size | Enter the number of records to retrieve on each page. | Integer | Optional | Default value: 10 |
Created By | Enter the ID of the creator of the widgets to filter widgets. Example: a2b82e81-8e7d-4e68-8a36-3d2d9cd518ad | Text | Optional | You can retrieve this using the action List Users. |
Example Request
[ { "page_no": "1", "page_size": "6", "extra_params": { "widget_location": "dashboard" } } ]
Action: Perform Action on Threat Data Object
This action performs an action on a threat data object. You can perform actions, such as deprecate, reinstate as active, add an analyst TLP, add an analyst score, and more.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action to Take | Enter the action to perform on the IOC. Example: deprecate | Text | Required | Allowed values: deprecate, un_deprecate, reviewed, manual_review, whitelist, un_whitelist, false_positive, un_false_positive, analyst_tlp, analyst_score, add_tag, add_relation, delete, revoke_intel |
Object ID | Enter the ID of the object to perform the action on. Example: eee70fcc-a23b-4d3b-a968-fc78b121d112 | Text | Required | You can retrieve this ID using the List Threat Data action. |
Object Type | Enter the IOC type. | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report. Default value: indicator |
Additional Data | Enter any additional data to pass. Note: The data is sent as part of the payload. | Key Value | Optional | |
Additional Params | Enter any additional params to pass to the request. | Key Value | Optional | |
Example Request
[ { "object_id": "bb4338e4-d654-4bc6-ad4f-8174309f6384", "extra_data": { "data": { "tag_id": [ "1ff8fec7-f34a-42a2-b64e-0b327c330c3b" ] } }, "object_type": "indicator", "action_to_take": "add_tag" } ]
Action: Perform Bulk Action on Rules
This action updates multiple rules in one operation.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule ID List | Enter the list of IDs of the rules to update. Example: $LIST[2b91dfe5-8559-4f7e-a64b-5ad87c18ec7e] | List | Required | You can retrieve the rule IDs using the List Rules action. |
Action | Enter the action to perform to update the rules. Example: follow | Text | Required | Allowed values: follow (to follow rules), unfollow (to unfollow rules), inactivate (to deactivate rules), active (to activate rules) |
Example Request
[ { "action": "follow", "rule_id_list": [ "683b4a36-3f83-49b1-83a0-c1f5dd508", "e550f4ed-cb05-4320-9799-8574a344a" ] } ]
Action: Perform Bulk Action on Threat Data
This action performs an action on multiple threat data objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action Type | Enter the action to perform on multiple threat data objects. | Text | Required | Allowed values: deprecate, un_deprecate, manual_review, reviewed, whitelist, un_whitelist, false_positive, and un_false_positive |
Object IDs | Enter the list of threat data object IDs to perform the bulk action. For example, $list[49d5e95e-3889-42de-8280-1ebf5c7cb95a, 71cd9a67-aa10-4016-bd32-b44534b2e1b9] | List | Required | You can retrieve this ID using the List Threat Data action. |
Object Type | Enter the type of threat data objects. Example: indicator | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Deprecated After | Enter the time (in epoch) after which the threat data objects will be deprecated. For example, 1712345678. Note: You must pass this parameter if the action type is un_deprecate. | Integer | Optional | |
Example Request
[ { "object_ids": [ "c0022d5a-928f-43cd-853d-0511c500f99e", "53724dbe-1dde-4c90-9c06-25c7890dc766" ], "action_type": "reviewed", "object_type": "indicator" } ]
Action: Pin Saved Search
This action pins a saved search to the top.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Saved Search ID | Enter the unique ID of a saved search. For example, 1a7d5c8a-848a-4a67-af82-e68f3d823c65 | Text | Required | You can retrieve the saved search ID using the List Saved Searches action. |
Order | Enter the order in which you want the saved search to appear. For example, 1. This means that the saved search is pinned as the first item in the list. | Integer | Optional | By default, if no value is specified, the saved search will be pinned on top of the list. |
Example Request
[ { "saved_search_id": "40a15e3d-8ed8-487f-ab73-52d126b90b8d" } ]
Action: Preview Threat Data Object
This action retrieves specific details of a threat data object for preview purposes.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Type | Enter the type of threat data object. For example, vulnerability | Text | Required | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Object ID | Enter the ID of the threat data object to preview details. For example, 7de86a9c-320b-4678-96b9-d9c99656bd8a | Text | Required | You can retrieve this ID using the List Threat Data action. |
Example Request
[ { "object_id": "efd2a3f0-c257-4c3d-8899-5e46fb21628b", "object_type": "domain-name" } ]
Action: Quick Add Intel
This action creates intel in Intel Exchange by providing minimal details of indicators, SDOs, relations, custom objects, and indicators parsed from free text.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter the title of the intel within 100 characters. Example: 1.1.1.1 | Text | Required | |
All SDOs | Enter the SDO and IOC objects to add to the intel. This must be passed as sdo_name : sdo_value. Example: {vulnerabilities: $JSON[[{\"value\": \"vul1\",\"custom_attributes\": {\"x_custom_attribute1\": \"sample value 1\",\"x_custom_attribute2\": \"sample value 2\"}}]]} | Key Value | Optional | |
Source | Enter the source of the data being added. Example: miscellaneous | Text | Optional | Default value is cyware_orchestrate |
Collection name | Enter the collection name the intel belongs to. This parameter is mandatory in versions before Intel Exchange v3.3.2. Example: csol-coll | Text | Optional | |
Confidence score | Enter the confidence score of the indicators being passed. This parameter is mandatory in versions before Intel Exchange v3.3.2. Example: 80 | Integer | Optional | |
TLP | Enter the TLP of the indicators. The TLP must be capitalized. This parameter is mandatory in versions before Intel Exchange v3.3.2. Example: clear | Text | Optional | |
Indicators | Enter all the indicators to add to the intel. The allowed format is indicator_type : indicator_value. Example: {\"ipv4-addr\": \"1.2.34.21\"} | Key Value | Optional | Allowed indicator types are ipv4-addr, ipv6-addr, domain, url, email, md5, sha1, sha224, sha256, sha384, sha512, ssdeep. |
SDOs | Enter the stix-compliant-SDOs to associate with the indicators. The allowed format is sdo_name : sdo_value. Example: {\"vulnerability\": \"log4j\"} | Key Value | Optional | |
Custom Attributes | Enter any additional custom attributes to be passed as a key-value pair. Example: {\"x_test_attribute\": \"test_attribute\"} | Key Value | Optional | |
Label | Enter the list of tags for the indicators. This is supported in Intel Exchange from the release v3.3.2 and later versions. Example: $LIST[label_1,label_2] | List | Optional | |
Example Request
[ { "source": "cyware_orchestrate", "collection": "cyware_orchestrate2", "metadata": { "confidence": 85, "tlp": "RED", "labels": [ "x--internal--acd", "malware-campaign" ] }, "title": "Suspicious Campaign Targeting Financial Sector", "all_sdos": { "all_iocs": { "ipv4": [ { "value": "45.77.89.120", "description": "Known C2 server observed in phishing campaign", "is_false_positive": false, "notes": [ "Identified during threat hunting on 2025-06-09.", "Correlated with indicators from FIN7 campaign." ], "custom_attributes": { "x_threat_level": "high", "x_discovered_by": "SOC team" } } ], "ipv6": [ { "value": "2607:f8b0:4004:802::200e", "custom_attributes": { "x_threat_level": "medium", "x_discovered_by": "automated scan" } } ], "domain": [ { "value": "malicious-update.com", "custom_attributes": { "x_malware_family": "Emotet", "x_status": "blacklisted" } } ], "url": [ { "value": "http://malicious-update.com/download", "custom_attributes": { "x_file_type": "exe", "x_hosting_provider": "Namecheap" } } ], "email_address": [ { "value": "attacker@fakecompany.com", "custom_attributes": { "x_campaign_id": "phish-2025-Q2", "x_target_group": "finance" } } ], "md5": [ { "value": "44d88612fea8a8f36de82e1278abb02f", "custom_attributes": { "x_file_name": "invoice.exe", "x_analysis_status": "malicious" } } ], "sha1": [ { "value": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "custom_attributes": { "x_source": "sandbox", "x_behavior": "network beaconing" } } ], "sha224": [ { "value": "d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f", "custom_attributes": { "x_usage": "hash validation", "x_detection_tool": "YARA" } } ], "sha256": [ { "value": "cf83e1357eefb8bd... (truncated for brevity)", "custom_attributes": { "x_origin": "threat feed", "x_verified": "true" } } ], "sha384": [ { "value": "ca737f1014a48f4c... (truncated for brevity)", "custom_attributes": { "x_confidence": "90", "x_tool": "HybridAnalysis" } } ], "sha512": [ { "value": "0cf918c2b2d6a0f2... (truncated for brevity)", "custom_attributes": { "x_malware_type": "Trojan", "x_risk_score": "9.2" } } ], "ssdeep": [ { "value": "768:Hd29GdQ... (truncated)", "custom_attributes": { "x_similarity_to": "sample_malware_v2", "x_cluster_id": "cl1234" } } ] }, "vulnerabilities": [ { "value": "CVE-2024-21412", "custom_attributes": { "x_cvss_score": "8.8", "x_patch_available": "yes" } } ], "malwares": [ { "value": "RedLineStealer", "custom_attributes": { "x_type": "infostealer", "x_delivery_method": "phishing email" } } ], "campaigns": [ { "value": "Operation SpearPhish", "custom_attributes": { "x_start_date": "2025-05-10", "x_target_industry": "financial" } } ], "threat_actors": [ { "value": "APT28", "custom_attributes": { "x_country_origin": "Russia", "x_motivation": "espionage" } } ], "intrusion_sets": [ { "value": "FancyBear", "custom_attributes": { "x_associated_actor": "APT28", "x_known_ttp": "spear-phishing with macro-enabled docs" } } ], "attack_patterns": [ { "value": "Spear Phishing Attachment", "custom_attributes": { "x_mitre_id": "T1193", "x_tactic": "initial-access" } } ], "course_of_actions": [ { "value": "Block IOCs at Firewall", "custom_attributes": { "x_type": "network", "x_effectiveness": "high" } } ], "identities": [ { "value": "FinanceCorp Security Team", "custom_attributes": { "x_contact_email": "soc@financecorp.com", "x_role": "defender" } } ], "tools": [ { "value": "Cobalt Strike", "custom_attributes": { "x_usage": "post-exploitation", "x_detected_by": "EDR tool" } } ], "locations": [ { "value": "Bangalore Office", "custom_attributes": { "x_type": "geo", "x_importance": "primary target region" }, "type": "latitude-longitude", "latitude": 12.9716, "longitude": 77.5946 } ], "malware_analysis": [ { "value": "RedLine Payload Analysis", "custom_attributes": { "x_tool": "Cuckoo Sandbox", "x_result": "network beaconing to 45.77.89.120" } } ] } } ]
Action: Remove Pinned Saved Search
This action removes a saved search from the pinned search list.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Saved Search ID | Enter the unique ID of a saved search. Example: 1a7d5c8a-848a-4a67-af82-e68f3d823c65 | Text | Required | You can retrieve the saved search ID using the List Saved Searches action. |
Example Request
[ { "saved_search_id": "4ed00bab-2858-496a-b77f-9ff59298208e" } ]
Action: Retrieve Download Link
This action retrieves a download URL for the export file, which includes the file ID and a token.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File ID | Enter the file ID generated by the generate export link action. For example, df21ff51-0d9e-4380-be78-b75889860702 | Text | Required | You can retrieve this using the action Generate Export Link. |
Download File | Choose true to download the exported threat data. For example, True | Boolean | Optional | Default Value: True |
Example Request
[ { "file_id": "89588424-1e36-4647-bd39-939f8c5a537d" } ]
Action: Retrieve Intel Statistics
This action retrieves the statistics history for the specified intel component. By default, the statistics for “quick-add-intel” are returned.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Component | Enter the component to retrieve the statistics history. Example: rss_feed | Text | Optional | Allowed values: import-intel, openapi, quick-add-intel, rss_feed, stix-form, rule, threat-bulletin, threatmailbox, x-twitter, visualizer, malware_sandbox, threat-data, browser-extension. Default value: quick-add-intel |
Example Request
[ { "component": "quick-add-intel" } ]
Action: Retrieve Quick Add Intel Relation Objects
This action retrieves the details of the threat objects (indicators, SDOs, SCOs, relations, and custom objects) that are ingested and added as relationship objects created as part of the quick add intel submission.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the unique ID of a report object to retrieve the related objects. Example: d42fb454-62c7-4b5f-9330-40036bd2da1f | Text | Required | You can retrieve this using the action List Reports. |
Query | Enter the query to filter based on object name. Example: sa12dfad | Text | Optional | |
Page Size | Enter the number of objects to retrieve on each page. Example: 100 | Integer | Optional | Default value: 10 |
Page Number | Enter the page number from which to retrieve details of the ingested threat objects. Example: 5 | Integer | Optional | Default value: 1 |
Example Request
[ { "report_id": "8cebebfe-7794-4135-88e9-abf371526beb" } ]
Action: Retrieve Quick Add Intel Status
This action retrieves the intel creation status of a quick add intel submission.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the quick add intel task ID to retrieve the intel creation status. For example, 139e97e9-51fa-4717-bcfa-1cd226a8a76d | Text | Required | You can retrieve the task ID using the List Tasks in Threat Data Object action. |
Example Request
[ { "task_id": "c7d167d6-6305-4010-ac9a-fdd733ee795b" } ]
Action: Run Report
This action runs a specific report.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID to run. Example: 5e7e2c2d-3e3d-4e7f-a6b3-6b3e6b3e6b3e | Text | Required | You can retrieve this using the action List Reports. |
Report Type | Enter the report type. | Text | Required | Allowed values: basic, advanced |
Start Time | Enter the start time in epoch format from which the report should capture data. Example: 1596825599 | Integer | Required | |
End Time | Enter the end time in epoch format until which the report should capture data. Example: 1676825599 | Integer | Required | |
File Types | Enter the file types for the report. | List | Required | Allowed values: csv, xls (for basic reports), pdf (for advanced reports) |
Internal Recipients | Enter the internal recipients to share the report with. You must enter at least one internal or external recipient to run the report. | Key Value | Optional | |
External Recipients | Enter the external recipients to share the report with. You must enter at least one internal or external recipient to run the report. | Key Value | Optional | |
Example Request
[ { "end_time": "1745306213", "report_id": "70c4c1dc-3503-43d0-a925-2e88da90d79b", "file_types": [ "csv" ], "start_time": "1745219817", "report_type": "advanced", "internal_recipients": { "to": [ { "user_id": "3504aa4a-1e56-40c6-89d7-fc3c6adc2b03", "first_name": "John", "last_name": "Doe", "email": "john.doe@cyware.com" } ] } } ]
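A pre-flight check for Run Report requests, written from the constraints in the parameter table above (required fields, file types per report type, at least one recipient). This is an added example, not Cyware's code; the `external_recipients` key is assumed by analogy with `internal_recipients` in the example request, and the sample requests and IDs are constructed.

```python
"""Pre-flight validation of a Run Report request (added example, not vendor code)."""

# File types per report type, as listed in the Run Report parameter table.
FILE_TYPES_BY_REPORT_TYPE = {
    "basic": {"csv", "xls"},
    "advanced": {"pdf"},
}
# Parameters the table marks as Required, using the keys from the example request.
REQUIRED_FIELDS = ("report_id", "report_type", "start_time", "end_time", "file_types")


def _as_epoch(value):
    """Return value as an int epoch, or None if it is not a whole number."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.strip().isdigit():
        return int(value.strip())
    return None


def _has_recipient(block):
    """True if a recipients key-value block holds at least one non-empty entry."""
    if not isinstance(block, dict):
        return False
    return any(bool(entries) for entries in block.values())


def validate_run_report(request):
    """Return a list of problems; an empty list means the request passes."""
    problems = []
    for field in REQUIRED_FIELDS:
        if request.get(field) in (None, "", []):
            problems.append(f"missing required field: {field}")

    report_type = request.get("report_type")
    allowed = FILE_TYPES_BY_REPORT_TYPE.get(report_type)
    if report_type not in (None, "") and allowed is None:
        problems.append(f"unsupported report_type: {report_type!r}")

    file_types = request.get("file_types") or []
    if not isinstance(file_types, list):
        problems.append("file_types must be a list")
    elif allowed is not None:
        for file_type in file_types:
            if file_type not in allowed:
                problems.append(
                    f"file type {file_type!r} is not listed for {report_type} reports"
                )

    for field in ("start_time", "end_time"):
        value = request.get(field)
        if value not in (None, "") and _as_epoch(value) is None:
            problems.append(f"{field} is not an epoch integer")

    # "external_recipients" is an assumed key name (see lead-in).
    if not (
        _has_recipient(request.get("internal_recipients"))
        or _has_recipient(request.get("external_recipients"))
    ):
        problems.append("no internal or external recipient given")
    return problems


# Constructed sample requests; the IDs and address are placeholders.
GOOD_REQUEST = {
    "report_id": "00000000-0000-0000-0000-000000000001",
    "report_type": "basic",
    "start_time": "1745219817",
    "end_time": "1745306213",
    "file_types": ["csv"],
    "internal_recipients": {
        "to": [{"user_id": "00000000-0000-0000-0000-000000000002",
                "email": "analyst@example.com"}]
    },
}
BAD_REQUEST = {
    "report_id": "00000000-0000-0000-0000-000000000001",
    "report_type": "advanced",
    "start_time": 1745219817,
    "end_time": 1745306213,
    "file_types": ["csv"],          # not listed for advanced reports
    "internal_recipients": {"to": []},  # empty, and no external recipients
}

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, validate_run_report(req))
```
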
Action: Run Rule
This action runs a rule in Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule ID | Enter the rule ID to run. Example: 4i9a8f0q9d-3e3d-4e7f-a6b3-6b3e6b3e6b3e. | Text | Required | You can retrieve this using the action List Rules. |
Start Time | Enter the timestamp value in epoch to filter threat data created from the given timestamp. Example: 1579289600 | Integer | Required | |
End Time | Enter the timestamp value in epoch to filter threat data created up to the given timestamp. Example: 1579289600 | Integer | Required | |
Example Request
[ { "rule_id": "09e38940-6652-4db2-bb83-7fd5d637b906", "end_time": "1745302763", "start_time": "1713690983", "extra_params": {} } ]
Action: Update Note in Threat Data Object
This action updates the details of a note in Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Note ID | Enter the ID of the note to update the details. Example: 8003c6ba-5215-486d-881f-d940dcb78d35 | Text | Required | You can retrieve this using the action List Notes in Threat Data Object. |
Description | Enter the updated note description. Example: Updated with the latest IOC analysis details | Text | Optional | |
Note Type | Enter the note type to update. | Text | Optional | Allowed values: indicator, vulnerability, malware, campaign, threat-actor, intrusion-set, attack-pattern, incident, course-of-action, identity, tool, infrastructure, location, malware-analysis, custom-object, note, observed-data, opinion, report |
Metadata | Enter any additional metadata associated with the note. | Key Value | Optional | Provide structured context for the note |
Example Request
[ { "text": "Updated with the latest IOC analysis details", "note_id": "cd1cb275-b713-4606-b7aa-c373d2bc4575", "meta_data": {}, "note_type": "indicator" } ]
Action: Update Pinned Saved Search
This action updates the order of a pinned saved search.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Saved Search ID | Enter the unique ID of a saved search. Example: 1a7d5c8a-848a-4a67-af82-e68f3d823c65 | Text | Required | You can retrieve this using the action List Saved Searches. |
Order | Enter the order in which you want the saved search to appear. Example: 2 | Integer | Optional | |
Example Request
[ { "order": "2", "saved_search_id": "40a15e3d-8ed8-487f-ab73-52d126b90b8d" } ]
Action: Update Saved Search
This action updates a saved search using the specified ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Saved Search ID | Enter the unique ID of a saved search to update. Example: 1a7d5c8a-848a-4a67-af82-e68f3d823c65 | Text | Required | You can retrieve this using the action List Saved Searches. |
Search Type | Enter the type of the saved search. | Text | Required | Allowed values: basic, CQL |
Saved Search Name | Enter the name of the saved search. Example: Indicator Search. | Text | Required | |
Search Query | Enter the dumped value of the query. Example: type="indicator" and sub_type="file" and created>"2021-07-28". | Text | Required | |
Shared Type | Enter the visibility setting for the saved search. | Text | Optional | Allowed values: private, global, specific users, systems |
Description | Enter the description of the saved search. Example: Indicator Search | Text | Optional | |
Metadata | Enter the metadata to support transforming the saved search into a CQL query or threat data filters. Example: {"object_type":["malware"]}. | Text | Optional | |
Example Request
[ { "name": "Indicator Search", "description": "In order to search for indicators", "search_type": "CQL", "search_query": "type=\"indicator\" and sub_type=\"url\" and created>\"2024-07-28\"", "saved_search_id": "40a15e3d-8ed8-487f-ab73-52d126b90b8d" } ]
Action: Update Task in Threat Data Object
This action updates a task of a threat data object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the unique identifier of a task to update the details. Example: 766d52d1-1575-4fb1-9d67-0d7445c919e8 | Text | Required | You can retrieve this using the action List Tasks in Threat Data Object. |
Assignee | Enter the ID of a user to assign the task. Example: 5555f14c-6130-4e58-a2da-33e1a85b5a64 | Text | Required | You can retrieve this using the action List Users. |
Description Text | Enter the description of the task to be performed. Example: Verify this indicator | Text | Required | |
Object ID | Enter the ID of the threat data object to associate with the task. If you do not enter this, the task is created as a global task. Example: 92686150-58e5-4f15-be64-f3e123efd825 | Text | Optional | You can retrieve this using the action List Threat Data Object. |
Priority | Enter the priority of the task. | Text | Required | Allowed values: high, medium, low |
Status | Enter the status of the task. | Text | Optional | Allowed values: not_started, in_progress, completed |
Closure Comment | Enter the comment to close the task. This is required if Status is completed. | Text | Optional | |
Additional Fields | Enter the additional fields to update the task in the threat data object. | Key Value | Optional | Allowed keys: deadline, type |
Example Request
[ { "status": "completed", "task_id": "e6c11d76-ba27-483c-b877-2e1bf5e6ac56", "assignee": "1eace06e-0d26-4738-8544-6a22e938f113", "priority": "high", "object_id": "a323e45c-0e8e-490e-8a34-a30687ab5610", "extra_fields": { "type": "malware" }, "closure_comment": "Task is completed", "description_text": "Updating the status" } ]
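The constraints in the Update Task in Threat Data Object table can be checked before a request is submitted. The following is an added example, not part of the Cyware connector: it validates one request item using the key names from the Example Request above, and it assumes that IDs are UUIDs because every ID example on this page is one. The function name and the sample item are hypothetical.

```python
import uuid

# Constraints transcribed from the Update Task in Threat Data Object table.
REQUIRED = ("task_id", "assignee", "description_text", "priority")
PRIORITIES = {"high", "medium", "low"}
STATUSES = {"not_started", "in_progress", "completed"}
EXTRA_KEYS = {"deadline", "type"}
# Assumption: IDs are canonical UUIDs, as in every example on this page.
ID_FIELDS = ("task_id", "assignee", "object_id")


def _is_uuid(value):
    """True only for the hyphenated 8-4-4-4-12 form."""
    try:
        return str(uuid.UUID(str(value))) == str(value).lower()
    except ValueError:
        return False


def validate_update_task(item):
    """Return a list of problems; an empty list means the item passes."""
    errors = []
    for key in REQUIRED:
        if not str(item.get(key, "")).strip():
            errors.append(f"{key}: required")
    for key in ID_FIELDS:
        if item.get(key) and not _is_uuid(item[key]):
            errors.append(f"{key}: not a UUID")
    if item.get("priority") and item["priority"] not in PRIORITIES:
        errors.append("priority: not an allowed value")
    status = item.get("status")
    if status is not None and status not in STATUSES:
        errors.append("status: not an allowed value")
    # The table marks Closure Comment optional, but required once Status is completed.
    if status == "completed" and not str(item.get("closure_comment", "")).strip():
        errors.append("closure_comment: required when status is completed")
    extra = item.get("extra_fields", {})
    if not isinstance(extra, dict):
        errors.append("extra_fields: must be key-value pairs")
    else:
        for key in sorted(set(extra) - EXTRA_KEYS):
            errors.append(f"extra_fields.{key}: key not allowed")
    return errors


if __name__ == "__main__":
    # Constructed sample: completed status without a closure comment.
    sample = {"task_id": "e6c11d76-ba27-483c-b877-2e1bf5e6ac56", "status": "completed"}
    print(validate_update_task(sample))
```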
Action: Update User Details
This action updates the user details on Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the unique identifier of the user whose details you want to update. Example: cf0e148b-5f7a-4f05-8f4d-081fa1743231 | Text | Required | You can retrieve this using the action List Users. |
User Groups | Enter a list of user groups to assign to the user. Example: $JSON[[{"id":"8003c6ba-5215-486d-881f-d940dcb78d35"}]] | Any | Required | |
Username | Enter the LDAP username of the user. Example: JohnDoe | Text | Required | |
First Name | Enter the first name of the user. Example: John | Text | Optional | |
Last Name | Enter the last name of the user. Example: Doe | Text | Optional | |
Email Alerts | Choose true if the user wants to receive email alerts on the associated email ID from Intel Exchange. | Boolean | Optional | Default value: True |
SMS Alerts | Choose true if the user wants to receive the SMS alerts on the associated contact number from Intel Exchange. | Boolean | Optional | Default value: True |
Is Active | Choose true if the user is an active user. | Boolean | Optional | Default value: True |
Contact Number | Enter the contact number of the user to update. | Text | Optional | |
Additional Params | Enter any additional parameters to pass with the payload. | Key Value | Optional | |
Example Request
[ { "user_id": "f2779b7b-e8fa-4996-baa4-5f89073ed372", "username": "JohnDoe", "is_active": true, "last_name": "Doe", "first_name": "John", "user_groups": [ { "id": "2b5b1103-1a62-43a0-b10e-7b89520abee1", "name": "Admin" } ], "extra_params": {} } ]
Action: Update User Group Details
This action updates the user group details on Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User Group ID | Enter the user group ID to update. Example: cf0e148b-5f7a-4f05-8f4d-081fa1743231 | Text | Required | You can retrieve this using the action List User Groups. |
User Group Name | Enter the name of the user group to update. Example: Sample Group Name | Text | Required | |
Allowed Tag Types | Enter the allowed tag types to update. Example: $JSON[[{"id": "user","name": "User","colour_code": "#0068FA","is_default": false,"theme": "blue"}]] | Any | Required | |
User Groups Permissions | Enter a list of permissions to assign to the user group. Example: $JSON[[{ "id": "8003c6ba-5215-486d-881f-d940dcb78d35"}]] | Any | Required | |
Is Active | Choose true if the user group is active. | Boolean | Required | |
Description | Enter a description for the group to update. | Text | Optional | |
Additional Params | Enter any additional parameters to pass with the payload. Example: email_alerts: true | Key Value | Optional | |
Example Request
[ { "is_active": true, "user_group": "Admin", "description": "Includes permissions to all Intel Exchange features.", "extra_params": {}, "user_group_id": "61aa6fee-40a2-4395-94f8-f3b933c98488", "allowed_tag_types": [ { "id": "user", "name": "User", "colour_code": "#0068FA", "is_default": false, "theme": "blue" }, { "id": "source", "name": "Source", "colour_code": "#45505E", "is_default": false, "theme": "neutral" }, { "id": "system", "name": "System", "colour_code": "#27865F", "is_default": false, "theme": "green" } ], "user_groups_permissions": [ { "id": "d01c979b-8e9e-4da6-b35e-2314516a9aff" } ] } ]
Action: Generic Action
This is a generic action that you can use to perform any additional use case on Cyware Intel Exchange.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the endpoint to make the request to. Example: ingestion/reports/ | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the additional data to pass to the API. | Key Value | Optional | Allowed keys: headers, payload_json, files, retry_wait, retry_count, custom_output, and response_type |
Example Request
[ { "method": "POST", "payload": { "query": "type =\"indicator\"" }, "endpoint": "ingestion/threat-data/list/", "extra_fields": {}, "query_params": { "page": "3", "page_size": "25", "page_limit": "30" } } ]