CTIX V3
CTIX is a smart, client-server threat intelligence platform (TIP) for ingestion, enrichment, analysis, and bi-directional sharing of threat data within your trusted network.
Supported Actions and Example Prompts
The following table lists the supported actions and prompt examples for an action:
Action Name | Description | Prompt Example |
---|---|---|
Bulk IOC Advanced Lookup | This action performs a bulk search of the threat data objects in the CTIX application and retrieves the details of the objects. For more information, see Action: Bulk IOC Advance Lookup. | Look for IP addresses 76.77.123.225:80, 131.190.343.60, and 56.15.565.208 in the CTIX application. |
Get Related Objects | This action retrieves the related objects of an object type, such as the top threat actors in an industry or top TTPs used by a Threat Actor. For more information, see Action: Get Related Objects. | Retrieve the related objects of the object type threat-actor. |
Quick Add Indicators | This action adds threat indicator data in CTIX. For more information, see Action: Quick Add Indicators. | Add the URL sampleurl.com with the title Intel and source as RSS Feed. |
Search Threat Data | This action searches for CTIX threat data. For more information, see Action: Search Threat Data. | Search for threat data in CTIX. |
Install and Configure the App
Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.
Before you Start
Ensure that you have the API token to authenticate with the CTIX V3 app.
Steps
To install and configure an app, follow these steps:
In the application, in the left pane, select Quarterback AI.
In Apps, select CTIX V3 and click Install.
After the app is installed, click Configure and enter the following details to create an instance:
Instance Name: Enter a name for the instance.
Instance Description: Enter a description for the instance.
Expiry: Select an expiry date for the instance.
Set as default instance: Select this option to set this instance as the default instance. By default, this instance will be used to perform actions from this app.
Base URL: Enter the base URL to access CTIX. For example, https://qa.cyware.com/ctixapi/
Access Key: Enter the access ID to authenticate with CTIX.
Secret Key: Enter the secret key to authenticate with CTIX.
SSL Verification: Select this option to verify SSL while making requests. It is recommended to select this option to ensure a secure connection. By default, this option is not selected.
Timeout: Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with CTIX. You can enter values between 15 - 120 seconds. By default, 15 seconds is set.
Click Done.
The instance is created, and you can view it in Instances. To create another instance, click Add Instance.
Action: Bulk IOC Advance Lookup
This action performs a bulk search of the threat data objects in the CTIX application and retrieves the details of the objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Object Type | Enter the type of threat data object. Example: indicator, vulnerability, malware | Text | Required | Use the value 'indicator' if IOCs (sha1, sha512, sha224, sha384, sha256, md5, domain, ipv4, ipv6, url, etc.) are provided. |
Enrichment Data | Enter true to retrieve the latest five enrichment data entries of the threat data objects. | Boolean | Optional | Allowed values: true, false. Default value: false |
Relation Data | Enter true to retrieve the latest 100 relation details of the threat data object. | Boolean | Optional | Allowed values: true, false. Default value: false |
Object Value | Enter a list of up to 100 threat data object values to look up. Example: $LIST[47.92.78.238, www.facebook.com] | List | Optional | One of the Object ID or Object Value parameters is required. |
Object ID | Enter a list of up to 100 threat data object IDs to look up. Example: $LIST['2b8d0163-da03-4a1d-86c5-f981f0920c0d'] | List | Optional | One of the Object ID or Object Value parameters is required. |
Fields | Enter a comma-separated list of fields to retrieve specific details of the objects. Example: relations,enrichment_data | Text | Optional | By default, all field data is retrieved. |
Enrichment Tools | Enter a comma-separated list of up to five enrichment tool names to retrieve the enriched threat data objects. Example: AbuseIPDB | Text | Optional | |
Extra Params | Enter any additional parameters to pass with this request. Example: {page_size: 1} | Key Value | Optional | |
Example Request
```json
[
  {
    "object_type": "malware",
    "enrichment_data": true
  }
]
```
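The following is an added example, not Cyware's code: it builds the input for one Bulk IOC Advance Lookup call and enforces the limits the parameter table states (object type required, one of object value or object ID required, at most 100 values or IDs, at most five enrichment tools, comma-separated fields). The JSON key names other than object_type and enrichment_data are assumed from the parameter names, since the page's request example shows only those two.

```python
# Added example (not Cyware's code): validate and build a Bulk IOC Advance
# Lookup request body according to the limits in the parameter table.
from typing import Any, Dict, List, Optional

MAX_VALUES = 100          # object_value / object_id accept at most 100 entries
MAX_ENRICHMENT_TOOLS = 5  # enrichment_tools accepts at most five tool names


def lookup_error(object_type: str, object_value: Optional[List[str]] = None,
                 object_id: Optional[List[str]] = None,
                 enrichment_tools: Optional[List[str]] = None) -> Optional[str]:
    """Return a message describing the first violated constraint, or None."""
    if not object_type:
        return "object_type is required"
    if not object_value and not object_id:
        return "one of object_value or object_id is required"
    for name, values in (("object_value", object_value), ("object_id", object_id)):
        if values and len(values) > MAX_VALUES:
            return f"{name} accepts at most {MAX_VALUES} entries, got {len(values)}"
    if enrichment_tools and len(enrichment_tools) > MAX_ENRICHMENT_TOOLS:
        return f"at most {MAX_ENRICHMENT_TOOLS} enrichment tools are allowed"
    return None


def build_bulk_lookup(object_type: str, object_value: Optional[List[str]] = None,
                      object_id: Optional[List[str]] = None,
                      fields: Optional[List[str]] = None,
                      enrichment_tools: Optional[List[str]] = None,
                      enrichment_data: bool = False, relation_data: bool = False,
                      extra_params: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Build the request body; key names are assumed from the parameter table."""
    problem = lookup_error(object_type, object_value, object_id, enrichment_tools)
    if problem:
        raise ValueError(problem)
    body: Dict[str, Any] = {"object_type": object_type}
    if object_value:
        body["object_value"] = list(dict.fromkeys(object_value))  # dedupe, keep order
    if object_id:
        body["object_id"] = list(dict.fromkeys(object_id))
    if fields:
        body["fields"] = ",".join(fields)            # e.g. "relations,enrichment_data"
    if enrichment_tools:
        body["enrichment_tools"] = ",".join(enrichment_tools)
    if enrichment_data:
        body["enrichment_data"] = True
    if relation_data:
        body["relation_data"] = True
    if extra_params:
        body["extra_params"] = dict(extra_params)
    return body


# Constructed sample input using the values from the table's own examples.
SAMPLE = build_bulk_lookup("indicator", object_value=["47.92.78.238", "www.facebook.com", "47.92.78.238"],
                           fields=["relations", "enrichment_data"],
                           enrichment_tools=["AbuseIPDB"], enrichment_data=True)
```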
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the score assigned to the threat data object by an analyst. |
| String | Returns the TLP assigned to the threat data object by an analyst. |
| String | Returns the country name where the threat data object was seen. |
| Timestamp | Returns the source-created date and time of the threat data object. |
| Timestamp | Returns the created date and time of the threat data object in CTIX. |
| Timestamp | Returns the last modified date and time of the threat data object in CTIX. |
| Array | Returns a list of custom attributes with their details, such as the custom attribute name and the custom attribute value. |
| Integer | Returns the Confidence Score calculated by the CTIX confidence score engine. |
| String | Returns the source description of the threat data. |
| Array | Returns a list of enrichment objects retrieved from the enrichment tools. |
| Timestamp | Returns the first seen date and time of the threat data object. |
| String | Returns the ID of the threat data object. |
| String | Returns the IOC type: the hash type for hashes and the indicator type key for other indicators. |
| Boolean | Returns |
| Boolean | Returns |
| Boolean | Returns |
| Boolean | Returns |
| Timestamp | Returns the last seen date and time of the threat data object. |
| Timestamp | Returns the source-modified date and time of the threat data object. |
| String | Returns the value of the threat data object. |
| String | Returns the SDO type (threat data object type) of the IOC. |
| Array | Returns a list of JSON objects for the collections in which the IOC is published. |
| JSON Object | Returns a list of related threat data objects. |
| Array | Returns the list of sources that reported the threat data object. |
| String | Returns the sub-type of an indicator: the hash type for hashes and the indicator type key for other indicators. |
| Array | Returns the tags associated with the threat data object. |
| String | Returns the TLP assigned to the threat data object by the source. |
| Boolean | Returns true if the threat data is marked for manual review by an analyst. |
| Timestamp | Returns the date and time since when this threat data object is valid. |
| Timestamp | Returns the date and time until when this threat data object is valid. |
Action: Quick Add Indicators
This action adds threat indicator data in CTIX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter the title of the indicator. Enter only one value at a time. Example: "Intel" | Text | Required | |
Source | Enter the source of the data to be added. Enter only one value at a time. Example: "Orion" | Text | Required | |
Collection Name | Enter the collection name of the indicator. Example: "MISP" | Text | Optional | |
Indicators | Enter all the indicators to be added in the following format: {"indicator_type": "indicator_value"} Example: {"url":"sampleurl.com"} | Key Value | Optional | |
Confidence Score | Enter the confidence score of the indicators. Example: 60 | Integer | Optional | Allowed values: 0 to 100 |
TLP | Enter the Traffic Light Protocol (TLP) of the indicators in capital letters. Example: "RED" | Text | Optional | |
Label | Enter the list of labels for the indicators. Example: $LIST[phishing, vishing] | List | Optional | This parameter is supported in CTIX from the release v3.3.2 and later versions. |
Custom Attributes | Enter the custom attributes to be passed. | Key Value | Optional | |
Example Request
```json
[
  {
    "title": "Intel",
    "source": "Orion",
    "collection_name": "MISP",
    "indicators": {
      "url": "sampleurl.com"
    },
    "confidence": 60,
    "tlp": "RED",
    "label": [
      "phishing",
      "vishing"
    ],
    "sdos": {
      "vulnerability": "log4j"
    }
  }
]
```
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the success message "Intel creation is in progress.". |
Action: Search Threat Data
This action searches for CTIX threat data.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
CQL Query | Enter a CQL query to search threat data. Example: type = 'indicator' | Text | Optional | |
Retry Count | Enter the retry count for failed requests. Example: 5 | Integer | Optional | Default value: 0 |
Retry Interval | Specify the time (in seconds) to wait between retries. Example: 5 | Integer | Optional | Default value: 15 seconds |
Page No | Enter the page number from which you want to retrieve the data. Example: 1 | Integer | Optional | Default Value: 1 |
Page Size | Enter the response page length. Example: 15 | Integer | Optional | Default Value: 10 |
Extra Params | Enter the extra parameters to pass with the request URL. Example: {'field_key': 'field_value'} | Key Value | Optional | |
Example Request
```json
[
  {
    "cql_query": "type = 'indicator' AND value = '185.xx0.10x.15'",
    "page_no": 1,
    "page_size": 15
  }
]
```
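The following is an added example, not Cyware's code: it shows how a caller drives the Search Threat Data action with the retry and paging parameters from the table (Retry Count, Retry Interval, Page No, Page Size, with the table's defaults), carrying the CQL text as a JSON string and walking every page until no next link is returned. The CTIX endpoint is replaced by a constructed in-memory stand-in so the code runs offline, and the response keys next, results, page_size and total are assumed from the response table, which does not name them.

```python
# Added example (not Cyware's code): paginate and retry a Search Threat Data
# query against a constructed stand-in for the CTIX endpoint.
import time
from typing import Any, Callable, Dict, List


def search_request(cql_query: str, page_no: int = 1, page_size: int = 10,
                   retry_count: int = 0, retry_interval: float = 15) -> Dict[str, Any]:
    """Build one action input with the table's default values."""
    if page_no < 1 or page_size < 1:
        raise ValueError("page_no and page_size must be positive")
    return {"cql_query": cql_query, "page_no": page_no, "page_size": page_size,
            "retry_count": retry_count, "retry_interval": retry_interval}


def search_all(send: Callable[[Dict[str, Any]], Dict[str, Any]], cql_query: str,
               page_size: int = 10, retry_count: int = 0, retry_interval: float = 15,
               sleep: Callable[[float], None] = time.sleep) -> List[Dict[str, Any]]:
    """Collect every result page. A failed request (send() raising
    ConnectionError) is retried retry_count times, waiting retry_interval
    seconds between attempts, then the error is re-raised."""
    results: List[Dict[str, Any]] = []
    page_no = 1
    while True:
        body = search_request(cql_query, page_no, page_size, retry_count, retry_interval)
        for attempt in range(retry_count + 1):
            try:
                resp = send(body)
                break
            except ConnectionError:
                if attempt == retry_count:
                    raise
                sleep(retry_interval)
        results.extend(resp["results"])
        if not resp.get("next"):          # assumed key: URL of the next page, None at the end
            return results
        page_no += 1


# Constructed stand-in: 23 indicator records served page by page; the first
# call fails once so the retry path is exercised.
_RECORDS = [{"id": f"obj-{i}", "type": "indicator", "value": f"10.0.0.{i}"} for i in range(23)]
_STATE = {"failures_left": 1, "calls": 0}


def fake_ctix(body: Dict[str, Any]) -> Dict[str, Any]:
    _STATE["calls"] += 1
    if _STATE["failures_left"]:
        _STATE["failures_left"] -= 1
        raise ConnectionError("simulated transient failure")
    start = (body["page_no"] - 1) * body["page_size"]
    chunk = _RECORDS[start:start + body["page_size"]]
    has_more = start + body["page_size"] < len(_RECORDS)
    return {"results": chunk, "page_size": body["page_size"], "total": len(_RECORDS),
            "next": f"?page_no={body['page_no'] + 1}" if has_more else None}
```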
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Returns the URL link to the next page. |
| String | Returns the URL link of the previous page. |
| Integer | Returns the total number of records returned by the API. |
| Array of JSON Objects | Returns the list of results returned by the API. |
| Integer | Returns the page size specified in the query parameters. |
| String | Returns the score assigned to a threat data object by an analyst. |
| String | Returns the TLP assigned to a threat data object by an analyst. |
| Integer | Returns the score calculated by the CTIX confidence score engine. |
| String | Returns the type of confidence. |
| String | Returns the country name where the threat data object was seen. |
| Epoch | Returns the date and time of the creation of the threat data object. |
| Epoch | Returns the date and time of the creation of the threat data object in CTIX. |
| Epoch | Returns the date and time of modification of the threat data object in CTIX. |
| Epoch | Returns the date and time at which the threat data object was first seen. |
| String | Returns the ID of the threat data object. |
| String | Returns the type of indicator. Returns |
| String | Returns the type of indicator. Returns |
| Boolean | Returns True if an action was performed on the threat data object, else returns False. |
| Boolean | Returns |
| Boolean | Returns |
| Boolean | Returns |
| Boolean | Returns |
| Boolean | Returns |
| Epoch | Returns the last seen date and time of the threat data object. |
| Epoch | Returns the modified date and time of the threat data object. |
| String | Returns the name of the threat data object. |
| String | Returns the primary attribute of the threat data object if the threat data object is a custom object. |
| String | Returns the name of the collections in which the threat data object is published. |
| String | Returns the severity of the threat data object. |
| Array | Returns the list of IDs and names of source collections of the threat data object. |
| String | Returns the confidence score of the threat data object as reported by its source. |
| Array | Returns the list of sources that reported this threat data object. |
| String | Returns the sub-type of an object if it is an indicator. |
| String | Returns tags defined on the threat data object. |
| String | Returns the TLP assigned to the threat data object. |
| Epoch | Returns the date and time since when this threat data object is valid. |
| Epoch | Returns the date and time until when this threat data object is valid. |
| Dictionary | Returns the details of the last enrichment of the object, if the object was enriched. |