LevelBlue Labs Open Threat Exchange
LevelBlue Labs leverages the Open Threat Exchange (OTX), the world's largest open threat intelligence community, enabling collaborative defense through actionable, community-driven threat data and fostering knowledge exchange within the security community.
Supported Actions and Example Prompts
The following table lists the supported actions and a prompt example for each action:
Action Name | Description | Prompt Example |
---|---|---|
Get Correlation Rule Details | This action retrieves the details of a correlation rule. For more information, see Action: Get Correlation Rule Details. | Get details of the correlation ID 572f8c3c540c6f0161677877. |
Get CVE Details | This action retrieves the details of a MITRE Common Vulnerability Enumeration (CVE) ID. For more information, see Action: Get CVE Details. | Get the details of the CVE-2014-0160 from the general section. |
Get Domain Details | This action retrieves the details of a domain name. For more information, see Action: Get Domain Details. | Get the details of example1.com from the general section. |
Get File Hash Details | This action retrieves the details of a file hash. For more information, see Action: Get File Hash Details. | Get the details of 5eb63bbbe01eeed093cb22bb8f5acdc3 from the section general. |
Get Hostname Details | This action retrieves the details of a hostname. For more information, see Action: Get Hostname Details. | Get the details of the hostname mail.vspcord.com from the section General. |
Get IPv4 Details | This action retrieves the details of an IPv4 address. For more information, see Action: Get IPv4 Details. | Get the details of 192.168.1.1 from the section reputation. |
Get IPv6 Details | This action retrieves the details of an IPv6 address. For more information, see Action: Get IPv6 Details. | Get the details of 2001:4860:4860::8888 from the section reputation. |
Get NID Details | This action retrieves the details of a Network Identifier (NID). For more information, see Action: Get NID Details. | Get the details of NID 2030515. |
Get URL Details | This action retrieves the details of a URL. For more information, see Action: Get URL Details. | Get the details of the URL http://www.example1.com from the general section. |
Install and Configure the App
Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.
Before you Start
Ensure you have the API token to authenticate with the LevelBlue Labs Open Threat Exchange app.
Steps
To install and configure an app, follow these steps:
In the application, select Quarterback AI in the left pane.
In Apps, select LevelBlue Labs Open Threat Exchange, and click Install.
After the app is installed, click Configure and enter the following details to create an instance:
Instance Name: Enter a name for the instance.
Instance Description: Enter a description for the instance.
Expiry: Select an expiry date for the instance.
Set as default instance: Select this option to set this instance as the default instance. By default, this instance will be used to perform actions from this app.
API Key: Enter the API key to authenticate with LevelBlue Labs Open Threat Exchange.
API Version: Enter the API version. The default version is v1.
Timeout: Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with LevelBlue Labs Open Threat Exchange. You can enter values between 15 and 120 seconds. By default, 15 seconds is set.
Verify: Select this option to verify SSL while making requests. It is recommended to select this option to ensure a secure connection. By default, this option is not selected.
Click Done.
The instance is created, and you can view it in Instances. To create another instance, click Add Instance.
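As an added example (not code from Quarterback AI or the LevelBlue app), the following Python models the instance settings described above and builds request bodies in the shape of the Example Request blocks for each action, rejecting out-of-range timeouts, a disabled Verify option, sections this page does not allow, and indicator values of the wrong kind. InstanceConfig, build_request and the ACTIONS table are assumptions, not app APIs.

```python
from dataclasses import dataclass
import ipaddress
import re
from typing import Optional

TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15  # seconds, as documented above

# Action -> (request key, section required?, default section, allowed sections);
# allowed sections are only listed where this page names them (None = not constrained here).
ACTIONS = {
    "Get Correlation Rule Details": ("corr_rule", False, "general", {"general"}),
    "Get CVE Details": ("cve", False, "general", None),
    "Get Domain Details": ("domain_name", True, None, None),
    "Get File Hash Details": ("file_hash", True, None, None),
    "Get Hostname Details": ("host_name", True, None, None),
    "Get IPv4 Details": ("ipv4_address", True, None, None),
    "Get IPv6 Details": ("ipv6_address", True, None, None),
    "Get NID Details": ("nid", False, "general", {"general"}),
    "Get URL Details": ("url", True, None, None),
}
HASH_RE = re.compile(r"(?i)^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5 / SHA-1 / SHA-256


@dataclass
class InstanceConfig:
    """Hypothetical model of the fields in the Configure dialog."""
    name: str
    api_key: str
    api_version: str = "v1"
    timeout: int = TIMEOUT_DEFAULT
    verify: bool = True  # the dialog leaves Verify unselected; True is the recommended choice

    def validate(self) -> None:
        if not self.name.strip() or not self.api_key.strip():
            raise ValueError("Instance Name and API Key are required")
        if not TIMEOUT_MIN <= self.timeout <= TIMEOUT_MAX:
            raise ValueError(f"Timeout must be {TIMEOUT_MIN}-{TIMEOUT_MAX} seconds")
        if not self.verify:
            raise ValueError("Verify (TLS certificate check) is disabled; enable it")


def build_request(action: str, value: str, section: Optional[str] = None) -> list:
    """Return the body in the shape of the Example Request blocks: [{key: value, "section": s}]."""
    key, section_required, default, allowed = ACTIONS[action]
    section = section or default
    if section is None and section_required:
        raise ValueError(f"{action}: Section is required")
    if allowed is not None and section not in allowed:
        raise ValueError(f"{action}: section {section!r} not allowed (allowed: {sorted(allowed)})")
    # Reject indicator values that cannot be what the action expects before any call is made.
    if key in ("ipv4_address", "ipv6_address"):
        want = 4 if key == "ipv4_address" else 6
        if ipaddress.ip_address(value).version != want:  # raises ValueError on non-IP input
            raise ValueError(f"{value!r} is not an IPv{want} address")
    elif key == "file_hash" and not HASH_RE.match(value):
        raise ValueError(f"{value!r} is not an MD5, SHA-1 or SHA-256 hex digest")
    return [{key: value, "section": section}]
```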
Action: Get Correlation Rule Details
This action retrieves the details of a correlation rule.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Correlation Rule ID | Enter a correlation rule ID to get the details. Example: 572f8c3c540c6f0161677877 | Text | Required | |
Section | Enter a section to get specific details of the correlation rule. Example: general | Text | Optional | Allowed value: general Default value: general |
Example Request
[ { "corr_rule": "572f8c3c540c6f0161677877", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the correlation rule. |
| String | CVE ID of the vulnerability. |
| Array | A list of false positives. |
| JSON Object | Returns a list of pulses associated with the correlation rule. |
| String | The correlation rule ID. |
| Array | List of sections available for the indicator. |
| String | Title of the type. |
| String | HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes. |
Action: Get CVE Details
This action retrieves the details of a MITRE Common Vulnerability Enumeration (CVE) ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
CVE ID | Enter a CVE ID to get the details. Example: CVE-2014-0160 | Text | Required | |
Section | Enter a section to get specific details of the CVE ID. Example: general | Text | Optional | Default value: general |
Example Request
[ { "cve": "CVE-2014-0160", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the CVE ID, such as content, description, id, indicator, title, and others. |
| Object | Configurations of the vulnerability. |
| String | CVE ID. |
| Object | CVSS details of the CVE ID. |
| Object | CVSSv2 details of the CVE ID. |
| Object | CVSSv3 details of the CVE ID. |
| String | CWE ID of the CVE. |
| String | Date created |
| String | Date modified |
| String | Description of the CVE ID. |
| Unknown | EPSS |
| Array | List of exploits related to the CVE ID. |
| Array | True if the CVE ID is false positive |
| String | Indicator value |
| String | Mitre URL of the CVE ID. |
| String | NVD URL of the CVE ID. |
| Array | List of products associated with the CVE ID. |
| Object | Returns a list of pulses associated with the CVE ID. |
| Array | References list |
| Array | Sections list |
| Boolean | True if seen wild |
| String | Type title |
Action: Get Domain Details
This action retrieves the details of a domain name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name | Enter a domain name to get the details. Example: example1.com | Text | Required | |
Section | Enter a section to get specific details of the domain. Example: general | Text | Required | Allowed values: |
Example Request
[ { "domain_name": "example1.com", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the domain, such as content, description, id, indicator, title, type, and others. |
| String | Alexa link |
| Object | Base indicator |
| Array | If false positive |
| String | Indicator value |
| Object | Returns a list of pulses associated with the domain. |
| Array | Returns a list of sections available for the domain in the LevelBlue platform. |
| String | Type |
| String | Type title |
| Array | Returns details about the domain from various threat intelligence databases. |
| String | Returns the WHOIS link of the domain. |
| Array | Returns a list of URL analysis results from LevelBlue Labs. |
| Object | Returns the geographic data of the domain, such as country code, coordinates, and other details. |
| Object | Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this domain. |
| Object | Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this domain. |
| Object | Returns the metadata for HTTP and HTTPS connections to the domain. |
Action: Get File Hash Details
This action retrieves the details of a file hash.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Hash | Enter a file hash to get the details. Example: 5eb63bbbe01eeed093cb22bb8f5acdc3 | Text | Required | |
Section | Enter a section to get specific details of the file hash. Example: general | Text | Required | Allowed values: |
Example Request
[ { "file_hash": "5eb63bbbe01eeed093cb22bb8f5acdc3", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the file hash, such as the ID, description, and other details. |
| Object | Dynamic and static analysis of this file (Cuckoo analysis, exiftool, etc.) |
| Object | Returns a list of pulses associated with the file hash. |
| Array | Returns a list of sections available for the file hash in the LevelBlue platform. |
| Object | Returns details about the file hash from various threat intelligence databases. |
| Object | List of malware detected. |
Action: Get Hostname Details
This action retrieves the details of a hostname.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Name | Enter a hostname to get the details. Example: mail.vspcord.com | Text | Required | |
Section | Enter a section to get specific details of the hostname. Example: general | Text | Required | Allowed values: |
Example Request
[ { "host_name": "mail.vspcord.com", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the hostname, such as the ID, description, and other details. |
| JSON Object | Returns a list of pulses associated with the hostname. |
| JSON Object | Returns the geographic data of the hostname, such as country code, coordinates, and other details. |
| JSON Object | Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this hostname. |
| Array | Returns the URLs analyzed by LevelBlue Labs on this hostname. |
| JSON Object | Returns the passive DNS records observed by LevelBlue Labs pointing to this hostname. |
| Array | Returns the metadata for HTTP and HTTPS connections to the hostname. |
Action: Get IPv4 Details
This action retrieves the details of an IPv4 address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IPv4 Address | Enter an IPv4 address to get the details. Example: 192.168.1.1 | Text | Required | |
Section | Enter a section to get specific details of the IP address. Example: reputation | Text | Required | Allowed values: |
Example Request
[ { "ipv4_address": "1.1.1.1", "section": "reputation" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the IP address, such as the ID, description, access type, and other details. |
| String | The autonomous system name for the IP address. For example, "AS8948". |
| String | The indicator type. |
| JSON Object | Returns a list of pulses associated with the IP address. |
| Array | Returns a list of sections available for the IP address in the LevelBlue platform. |
| Array | Returns details about the IP address from various threat intelligence databases. |
| String | Returns the WHOIS link of the IP address. |
| JSON Object | Returns the Open Threat Exchange (OTX) data on malicious activity observed by LevelBlue Labs (IP Reputation). |
| JSON Object | Returns the geographic data of the IP address, such as country code, coordinates, and other details. |
| JSON Object | Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this IP address. |
| Array | Returns the URLs analyzed by LevelBlue Labs that are associated with the IP address. |
| JSON Object | Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this IP address. |
| Array | Returns the metadata for HTTP and HTTPS connections to the IP address. |
| String | HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes. |
Action: Get IPv6 Details
This action retrieves the details of an IPv6 address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IPv6 Address | Enter an IPv6 address to get the details. Example: 2001:4860:4860::8888 | Text | Required | |
Section | Enter a section to get specific details of the IP address. Example: reputation | Text | Required | Allowed values: |
Example Request
[ { "ipv6_address": "2001:4860:4860::8888", "section": "reputation" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the IP address, such as the ID, description, access type, and other details. |
| String | The autonomous system name for the IP address. For example, "AS8948". |
| String | The indicator type. |
| JSON Object | Returns a list of pulses associated with the IP address. |
| Array | Returns a list of sections available for the IP address in the LevelBlue platform. |
| Array | Returns details about the IP address from various threat intelligence databases. |
| String | Returns the WHOIS link of the IP address. |
| JSON Object | Returns the Open Threat Exchange (OTX) data on malicious activity observed by LevelBlue Labs (IP Reputation). |
| JSON Object | Returns the geographic data of the IP address, such as country code, coordinates, and other details. |
| JSON Object | Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this IP address. |
| Array | Returns the URLs analyzed by LevelBlue Labs that are associated with the IP address. |
| JSON Object | Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this IP address. |
| Array | Returns the metadata for HTTP and HTTPS connections to the IP address. |
| String | HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes. |
Action: Get NID Details
This action retrieves the details of a network identifier (NID).
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
NID | Enter an NID to get the details. Example: 2030515 | Text | Required | |
Section | Enter a section to get specific details of the NID. Example: general | Text | Optional | Allowed value: general Default value: general |
Example Request
[ { "nid": "2030515", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the NID, such as the ID, description, and other details. |
| String | Category |
| String | CVE ID |
| String | Event activity |
| Array | False positive |
| String | Indicator |
| String | Malware name |
| String | Name |
| Object | Pulse info |
| Array | Sections |
| String | Subcategory |
| String | Type title |
Action: Get URL Details
This action retrieves the details of a URL.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter a URL to get the details. Example: http://www.example1.com | Text | Required | |
Section | Enter a section to get specific details about the URL. Example: url_list | Text | Required | Allowed value: |
Example Request
[ { "url": "http://www.example1.com", "section": "general" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Returns the details of the URL, such as the ID, description, and other details. |
| String | Returns the domain name associated with the URL. |
| String | Returns the hostname associated with the URL. |
| JSON Object | Returns a list of pulses associated with the URL. |
| Array | Returns a list of sections available for the URL in the LevelBlue platform. |
| JSON Object | Returns details about the URL from various threat intelligence databases. |
| String | Returns the WHOIS link of the URL. |
| Array | Returns a list of URL analysis results from LevelBlue Labs. |