-
Notifications
You must be signed in to change notification settings - Fork 1.6k
/
OpenCTI.yml
301 lines (301 loc) · 10.7 KB
/
OpenCTI.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
category: Data Enrichment & Threat Intelligence
commonfields:
id: OpenCTI
version: -1
configuration:
- display: Base URL
name: base_url
required: true
type: 0
- display: API Key (leave empty. Fill in the API key in the password field.)
displaypassword: API Key
name: credentials
type: 9
hiddenusername: true
required: false
- display: Trust any certificate (not secure)
name: insecure
type: 8
required: false
- display: Use system proxy settings
name: proxy
type: 8
required: false
- name: redirect_std_out
display: Redirect stdout
type: 8
additionalinfo: Used for troubleshooting purposes.
required: false
description: Manages indicators from OpenCTI. Compatible with OpenCTI 4.X API and OpenCTI 5.X API versions.
display: OpenCTI
name: OpenCTI
script:
commands:
- arguments:
- description: The maximum number of indicators to return. Default value is 50. Maximum value is 500.
name: limit
- description: 'Score minimum value to filter by. Values range is 1-100. '
name: score_start
- description: 'Score maximum value to filter by. Values range is 1-100. '
name: score_end
- auto: PREDEFINED
defaultValue: ALL
description: 'The indicator types to fetch. Out-of-the-box indicator types supported in XSOAR are: Account, Domain, Email, File, Host, IP, IPv6, Registry Key, and URL.'
isArray: true
name: indicator_types
predefined:
- ALL
- Account
- Domain
- Email
- File
- Host
- IP
- IPv6
- Registry Key
- URL
- description: The last ID from the previous call, from which to begin pagination for this call. You can find this value at the OpenCTI.IndicatorsList.LastRunID context path.
name: last_run_id
- description: The indicator's value to filter by, can be partial value.
name: search
description: Gets indicators from OpenCTI.
name: opencti-get-indicators
outputs:
- contextPath: OpenCTI.Indicators.IndicatorsList.type
description: Indicator type.
type: String
- contextPath: OpenCTI.Indicators.IndicatorsList.value
description: Indicator value.
type: String
- contextPath: OpenCTI.Indicators.IndicatorsList.id
description: Indicator ID.
type: String
- contextPath: OpenCTI.Indicators.IndicatorsList.createdBy
description: The creator of the indicator.
type: Unknown
- contextPath: OpenCTI.Indicators.IndicatorsList.score
description: Indicator score.
type: Number
- contextPath: OpenCTI.Indicators.IndicatorsList.description
description: Indicator description.
type: String
- contextPath: OpenCTI.Indicators.IndicatorsList.labels
description: Indicator labels.
type: Unknown
- contextPath: OpenCTI.Indicators.IndicatorsList.marking
description: Indicator marking definitions.
type: Unknown
- contextPath: OpenCTI.Indicators.IndicatorsList.externalReferences
description: Indicator external references.
type: Unknown
- contextPath: OpenCTI.Indicators.LastRunID
description: The last ID of the previous fetch to use for pagination.
type: String
- arguments:
- description: Indicator ID.
name: id
required: true
description: Delete indicator.
name: opencti-indicator-delete
- arguments:
- description: Indicator ID.
name: id
required: true
- auto: PREDEFINED
description: Indicator field to update.
name: field
predefined:
- score
- description
required: true
- description: Value of the field to update.
name: value
required: true
description: 'Update the indicator field. The fields that can be updated are: score, description.'
name: opencti-indicator-field-update
outputs:
- contextPath: OpenCTI.Indicator.id
description: Updated indicator ID.
type: String
- arguments:
- auto: PREDEFINED
description: 'The indicator type to create. Out-of-the-box indicator types supported in XSOAR are: Account, Domain, Email, File-MD5, File-SHA1, File-SHA256, Host, IP, IPV6, Registry Key, and URL.'
name: type
predefined:
- Account
- Domain
- Email
- File-MD5
- File-SHA1
- File-SHA256
- Host
- IP
- IPv6
- Registry Key
- URL
required: true
- description: Organization ID. Use opencti-organization-list to find all organization IDs in OpenCTI, or use opencti-organization-create to create a new organization ID.
name: created_by
- description: Indicator marking definition ID. Use opencti-marking-definition-list to find all marking definition IDs in OpenCTI.
name: marking_id
- description: Indicator label ID. Use opencti-label-list to find all label IDs in OpenCTI, or use opencti-label-create to create a new label.
name: label_id
- description: External references URL. Use opencti-external-reference-create to create a new external reference.
name: external_references_id
- description: Indicator description.
name: description
- description: Indicator score. Values range is 0 - 100. Default value is 50.
name: score
- description: Indicator value.
name: value
description: Create new indicator.
name: opencti-indicator-create
outputs:
- contextPath: OpenCTI.Indicator.id
description: New indicator ID.
type: String
- contextPath: OpenCTI.Indicator.value
description: New indicator value.
type: String
- contextPath: OpenCTI.Indicator.type
description: New indicator type.
type: String
- arguments:
- description: Indicator ID.
name: id
required: true
- auto: PREDEFINED
description: Indicator field to add.
name: field
predefined:
- marking
- label
required: true
- description: "Value of the field to add. Enter label ID or marking definition ID. Use opencti-label-list to find all label IDs in OpenCTI, or use opencti-label-create to create a new label. Use opencti-marking-definition-list to find all marking definition IDs in OpenCTI."
name: value
required: true
description: Add a field to the indicator. Fields that can be added are marking definition and label.
name: opencti-indicator-field-add
- arguments:
- description: Indicator ID.
name: id
required: true
- auto: PREDEFINED
description: Indicator field to update.
name: field
predefined:
- marking
- label
required: true
- description: "Value of the field to remove. Enter label ID or marking definition ID. Use opencti-label-list to find all label IDs in OpenCTI or opencti-marking-definition-list to find all marking definition IDs in OpenCTI."
name: value
required: true
description: Remove indicator field value. Fields which values can be removed are marking definition and label.
name: opencti-indicator-field-remove
- arguments:
- defaultValue: '50'
description: The maximum number of organizations to return per fetch. Default value is 50. Maximum value is 200.
name: limit
- description: The last ID from the previous call, from which to begin pagination for this call. You can find this value at the OpenCTI.Organizations.organizationsLastRun context path.
name: last_run_id
description: Get a list of all organizations in OpenCTI.
name: opencti-organization-list
outputs:
- contextPath: OpenCTI.Organizations.OrganizationsList.id
description: Organization ID.
type: String
- contextPath: OpenCTI.Organizations.OrganizationsList.name
description: Organization name.
type: String
- contextPath: OpenCTI.Organizations.organizationsLastRun
description: The last ID of the previous fetch to use for pagination.
type: String
- arguments:
- description: Name of the organization to create.
name: name
required: true
- description: Description of the organization.
name: description
- auto: PREDEFINED
description: Reliability of the organization.
name: reliability
predefined:
- A
- B
- C
- D
- E
- F
description: Create a new organization.
name: opencti-organization-create
outputs:
- contextPath: OpenCTI.Organization.id
description: New organization ID.
type: String
- arguments:
- defaultValue: '50'
description: The maximum number of labels to return per fetch.
name: limit
- description: The last ID from the previous call, from which to begin pagination for this call. You can find this value at the OpenCTI.Labels.labelsLastRun context path.
name: last_run_id
description: Get list of all labels.
name: opencti-label-list
outputs:
- contextPath: OpenCTI.Labels.LabelsList.id
description: Label ID.
type: String
- contextPath: OpenCTI.Labels.LabelsList.value
description: Label name.
type: String
- contextPath: OpenCTI.Labels.labelsLastRun
description: The last ID of the previous fetch to use for pagination.
type: String
- arguments:
- description: Name of the new label to create.
name: name
required: true
description: Create a new label.
name: opencti-label-create
outputs:
- contextPath: OpenCTI.Label.id
description: New label ID.
type: String
- arguments:
- description: External references URL.
name: url
required: true
- description: External references source name.
name: source_name
required: true
description: Create external reference.
name: opencti-external-reference-create
outputs:
- contextPath: OpenCTI.externalReference.id
description: New external reference ID.
type: String
- arguments:
- defaultValue: '50'
description: The maximum number of marking definitions to return per fetch.
name: limit
- description: The last ID from the previous call, from which to begin pagination for this call. You can find this value at the OpenCTI.MarkingDefinitions.markingsLastRun context path.
name: last_run_id
description: Get a list of all marking definitions.
name: opencti-marking-definition-list
outputs:
- contextPath: OpenCTI.MarkingDefinitions.MarkingDefinitionsList.id
description: Marking definition ID.
type: String
- contextPath: OpenCTI.MarkingDefinitions.MarkingDefinitionsList.value
description: Marking definition name.
type: String
- contextPath: OpenCTI.MarkingDefinitions.markingsLastRun
description: The last ID of the previous fetch to use for pagination.
type: String
dockerimage: demisto/vendors-sdk:1.0.0.74116
runonce: false
script: '-'
subtype: python3
type: python
tests:
- OpenCTI Test
fromversion: 5.0.0