ACTIIndicatorFeed.yml
category: Data Enrichment & Threat Intelligence
commonfields:
  id: ACTI Indicator Feed
  version: -1
configuration:
- defaultvalue: 'true'
  display: Fetch indicators
  name: feed
  type: 8
  required: false
- displaypassword: API Token
  name: api_token
  type: 9
  required: true
  hiddenusername: true
- additionalinfo: Indicators from this integration instance will be marked with this reputation
  defaultvalue: Bad
  display: Indicator Reputation
  name: feedReputation
  options:
  - None
  - Good
  - Suspicious
  - Bad
  type: 18
  required: false
- additionalinfo: Reliability of the source providing the intelligence data
  defaultvalue: A - Completely reliable
  display: Source Reliability
  name: feedReliability
  options:
  - A - Completely reliable
  - B - Usually reliable
  - C - Fairly reliable
  - D - Not usually reliable
  - E - Unreliable
  - F - Reliability cannot be judged
  required: true
  type: 15
- additionalinfo: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed
  display: Traffic Light Protocol Color
  name: tlp_color
  options:
  - RED
  - AMBER
  - GREEN
  - WHITE
  type: 15
  required: false
- defaultvalue: indicatorType
  name: feedExpirationPolicy
  display: ''
  options:
  - never
  - interval
  - indicatorType
  - suddenDeath
  type: 17
  required: false
- defaultvalue: '20160'
  name: feedExpirationInterval
  display: ''
  type: 1
  required: false
- defaultvalue: '240'
  display: Feed Fetch Interval
  name: feedFetchInterval
  type: 19
  required: false
- additionalinfo: Incremental feeds pull only new or modified indicators that have been sent from the integration. As the determination if the indicator is new or modified happens on the 3rd-party vendor's side, and only indicators that are new or modified are sent to Cortex XSOAR, all indicators coming from these feeds are labeled new or modified.
  defaultvalue: 'true'
  display: Incremental Feed
  name: feedIncremental
  type: 8
  required: false
- additionalinfo: How far back in time to go when performing the first fetch
  defaultvalue: '14 days'
  display: First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
  name: fetch_time
  type: 0
  required: false
- additionalinfo: Which indicator types to fetch
  defaultvalue: IP,Domain,URL
  display: Indicator Type
  name: indicator_type
  options:
  - IP
  - Domain
  - URL
  required: true
  type: 16
- additionalinfo: Severity of the indicator. The value to start fetching indicators from.
  defaultvalue: '1'
  display: Indicator Severity
  name: severity
  options:
  - '1'
  - '2'
  - '3'
  - '4'
  - '5'
  type: 15
  required: false
- additionalinfo: Threat Type denotes the type of threats the indicator has been associated with.
  display: Threat Type
  name: threat_type
  options:
  - Vulnerability
  - Cyber Crime
  - Cyber Espionage
  - Hacktivism
  type: 16
  required: false
- additionalinfo: Confidence about the indicator details. The value of confidence to fetch indicators from. The value between 0-100
  display: Confidence
  name: confidence_from
  type: 0
  required: false
- additionalinfo: A malware family is a classification of malicious files and tools based on certain behaviors and static properties
  display: Malware Family
  name: malware_family
  type: 0
  required: false
- additionalinfo: When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.
  display: Bypass exclusion list
  name: feedBypassExclusionList
  type: 8
  required: false
- additionalinfo: Supports CSV values.
  display: Tags
  name: feedTags
  type: 0
  required: false
- display: Trust any certificate (not secure)
  name: insecure
  type: 8
  required: false
- display: Use system proxy settings
  name: proxy
  type: 8
  required: false
description: Fetches indicators from an ACTI feed. You can filter returned indicators by indicator type, indicator severity, threat type, confidence, and malware family (each of these is an integration parameter).
display: ACTI Indicator Feed
name: ACTI Indicator Feed
script:
  commands:
  - arguments:
    - defaultValue: '50'
      description: The maximum number of results to return. The default value is 50.
      name: limit
    description: Gets the feed indicators.
    name: acti-get-indicators
  dockerimage: demisto/py3-tools:1.0.0.79870
  feed: true
  runonce: false
  script: '-'
  subtype: python3
  type: python
tests:
- ACTI Indicator Feed Test
fromversion: 5.5.0