Cyware Threat Intelligence Exchange (CTIX) uses the Cyware threat intelligence feed and automatically aggregates tactical intelligence from various STIX/TAXII feeds to provide you with a consolidated, easily readable, and actionable intel.
This document provides information about the Cyware CTIX connector, which facilitates automated interactions with a CTIX server using FortiSOAR™ playbooks. Add the Cyware CTIX connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically searching and retrieving information for IP addresses, domains, URLs etc from CTIX.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 6.0.0-790
Authored By: Fortinet
Certified: Yes
From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-cyware-ctix
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Cyware CTIX connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the CTIX server to which you will connect and perform the automated operations. |
Access ID | Access ID configured for your CTIX server to which you will connect and perform the automated operations. |
Secret Key | Secret Key configured for your CTIX server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and from version 4.10.0 onwards you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Search Domain | Searches for a domain in the Cyware threat intelligence platform and retrieves relevant details from CTIX based on the domain name you have specified. | search_domain Investigation |
Search IP | Searches for an IP address in the Cyware threat intelligence platform and retrieves relevant details from CTIX based on the IP address you have specified. | search_ip Investigation |
Search URL | Searches for a URL in the Cyware threat intelligence platform and retrieves relevant details from CTIX based on the URL you have specified. | search_url Investigation |
Search Hash | Searches for a hash in the Cyware threat intelligence platform and retrieves relevant details from CTIX based on the hash value you have specified. | search_hash Investigation |
Search CVE ID | Searches for a CVE ID in the Cyware threat intelligence platform and retrieves relevant details from CTIX based on the ID of the CVE you have specified. | search_cve_id Investigation |
Parameter | Description |
---|---|
Domain | Name of the domain whose information you want to retrieve from CTIX. |
Page Size | (Optional) Number of records to include per page. By default, this is set to 20. |
The output contains the following populated JSON schema:
{
"message": "",
"result": {
"domain_data": "",
"whois_domain_report": "",
"updated": "",
"stix_object_id": "",
"domain_tld_data": ".",
"package_details": [
{
"intl_grading": "",
"source_name": "",
"package_id": "",
"source_grading": "",
"package_title": "",
"collection_name": "",
"package_timestamp": ""
}
],
"created": "",
"packages_list": [],
"score": "",
"package_count": "",
"url_data": []
}
}
Parameter | Description |
---|---|
IP Address | IP address whose information you want to retrieve from CTIX. |
Page Size | (Optional) Number of records to include per page. By default, this is set to 20. |
The output contains the following populated JSON schema:
{
"message": "",
"result": {
"maxmind_geoip_ip_report": "",
"updated": "",
"stix_object_id": "",
"whois_ip_report": "",
"package_details": [
{
"intl_grading": "",
"source_name": "",
"package_id": "",
"source_grading": "",
"package_title": "",
"collection_name": "",
"package_timestamp": ""
}
],
"created": "",
"score": "",
"ip_data": "",
"packages_list": [],
"geoip_report": {
"city": {
"longitude": "",
"country_code": "",
"latitude": "",
"continent_name": "",
"region": "",
"city": "",
"time_zone": "",
"country_name": "",
"postal_code": "",
"dma_code": null,
"continent_code": ""
},
"country": {
"country_code": "",
"country_name": ""
}
},
"package_count": ""
}
}
Parameter | Description |
---|---|
URL | URL whose information you want to retrieve from CTIX. |
Page Size | (Optional) Number of records to include per page. By default, this is set to 20. |
The output contains the following populated JSON schema:
{
"data": {
"message": "",
"result": {
"domain_data": "",
"package_details": [
{
"package_title": "",
"source_name": "",
"package_timestamp": "",
"package_id": "",
"collection_name": ""
}
],
"updated": "",
"domain_tld_data": "",
"created": "",
"packages_list": [],
"package_count": "",
"url_data": []
}
},
"status": ""
}
Parameter | Description |
---|---|
Hash | Value of the hash whose information you want to retrieve from CTIX. |
Page Size | (Optional) Number of records to include per page. By default, this is set to 20. |
The output contains the following populated JSON schema:
{
"message": "",
"result": {
"package_details": [
{
"intl_grading": "",
"source_name": "",
"package_id": "",
"source_grading": "",
"package_title": "",
"collection_name": "",
"package_timestamp": ""
}
],
"updated": "",
"stix_object_id": "",
"packages_list": [],
"created": "",
"hash_data": "",
"score": "",
"package_count": ""
}
}
Parameter | Description |
---|---|
CVE ID | ID of the CVE whose information you want to retrieve from CTIX. |
Page Size | (Optional) Number of records to include per page. By default, this is set to 20. |
The output contains the following populated JSON schema:
{
"message": "",
"result": {
"package_details": [
{
"intl_grading": "",
"source_name": "",
"package_id": "",
"source_grading": "",
"package_title": "",
"collection_name": "",
"package_timestamp": ""
},
{
"intl_grading": "",
"source_name": "",
"package_id": "",
"source_grading": "",
"package_title": "",
"collection_name": "",
"package_timestamp": ""
}
],
"updated": "",
"stix_object_id": "",
"created": "",
"packages_list": [],
"cve_id": "",
"score": "",
"package_count": ""
}
}
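As an added example (not the connector's own code), a small Python normalizer for the populated outputs above: it unwraps the Search URL shape, which nests `result` under `data` beside a top-level `status`, alongside the flat `message`/`result` shape the other operations return, and parses the string-typed `score` and `package_count` safely so a playbook decision step can branch on them. The sample outputs are constructed.

```python
import json
from typing import Any, Dict, Optional

# Constructed samples shaped like the populated JSON schemas above (values are
# made up): Search IP/Domain/Hash/CVE return {"message", "result"}, while
# Search URL wraps the same shape under "data" beside a top-level "status".
SAMPLE_IP_OUTPUT = json.loads("""{
  "message": "", "result": {
    "ip_data": "192.0.2.10", "score": "75", "package_count": "2",
    "package_details": [
      {"source_name": "Feed A", "source_grading": "B", "intl_grading": "2",
       "package_id": "pkg-1", "package_timestamp": "2020-01-01T00:00:00Z"},
      {"source_name": "Feed B", "source_grading": "A", "intl_grading": "1",
       "package_id": "pkg-2", "package_timestamp": "2020-01-02T00:00:00Z"}]}}""")

SAMPLE_URL_OUTPUT = json.loads("""{
  "data": {"message": "", "result": {
    "url_data": ["http://example.invalid/x"], "package_count": "1",
    "package_details": [{"source_name": "Feed A", "package_id": "pkg-9",
                         "package_timestamp": "2020-01-03T00:00:00Z"}]}},
  "status": "Success"}""")


def unwrap_result(output: Dict[str, Any]) -> Dict[str, Any]:
    """Return the 'result' object whether or not the connector wrapped it in 'data'."""
    body = output.get("data", output)
    return body.get("result") or {}


def parse_number(value: Any) -> Optional[int]:
    """Score and package_count arrive as strings and may be empty; unparsable -> None."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def summarize(output: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one search result into the fields a playbook decision step branches on."""
    result = unwrap_result(output)
    details = result.get("package_details") or []
    return {
        "score": parse_number(result.get("score", "")),  # None when CTIX gave no score
        "package_count": parse_number(result.get("package_count", "")) or 0,
        "sources": sorted({d["source_name"] for d in details if d.get("source_name")}),
        "newest_package": max((d.get("package_timestamp", "") for d in details), default=None),
    }
```

Treat a `score` of None as "no verdict" rather than as a clean result when wiring the playbook's decision step.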
The Sample - Cyware CTIX - 1.0.0 playbook collection comes bundled with the Cyware CTIX connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cyware CTIX connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.