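# Cortex XSOAR integration manifest for Sixgill Darkfeed enrichment.
# Declares the connection parameters, the lookup commands with their
# context outputs, and the Docker runtime. The command logic itself is not
# in this file (see `script: '-'` at the bottom), so nothing here can be
# checked against the implementation; review notes below are hedged
# accordingly.
category: Data Enrichment & Threat Intelligence
sectionOrder:
- Connect
- Collect
commonfields:
  id: Sixgill_Darkfeed_Enrichment
  # -1 is the placeholder shipped in content packs; the installed version
  # is assigned by the platform.
  version: -1
configuration:
# Sixgill API credentials. The client ID is a plain text field (type 0);
# the client secret is a password field (type 4), so it is masked in the
# UI. NOTE(review): if the vendor treats the client ID as confidential as
# well, it should also be type 4 — confirm with the Sixgill API docs.
- display: Sixgill API client ID
  name: client_id
  required: true
  type: 0
  section: Connect
- display: Sixgill API client secret
  name: client_secret
  required: true
  type: 4
  section: Connect
# Disables TLS certificate verification towards the Sixgill API. Keep it
# off outside of debugging: with verification disabled, an on-path attacker
# can observe what is sent to the API and alter the indicators returned,
# which then feed DBotScore and any blocking automation built on it.
- display: Trust any certificate (not secure)
  name: insecure
  required: false
  type: 8
  section: Connect
  advanced: true
- display: Use system proxy settings
  name: proxy
  required: false
  type: 8
  section: Connect
  advanced: true
# Reliability grade attached to the intelligence this integration produces
# (Admiralty-style A+..F scale). Defaults to "B - Usually reliable".
- additionalinfo: Reliability of the source providing the intelligence data.
  defaultvalue: B - Usually reliable
  display: Source Reliability
  name: integrationReliability
  options:
  - A+ - 3rd party enrichment
  - A - Completely reliable
  - B - Usually reliable
  - C - Fairly reliable
  - D - Not usually reliable
  - E - Unreliable
  - F - Reliability cannot be judged
  required: false
  type: 15
  section: Collect
# Indicator expiration parameters. Both have an empty `display` and are
# marked advanced. The default interval of 20160 minutes is 14 days.
# NOTE(review): `feed: false` is set below, yet feed-style expiration
# parameters are declared — presumably they govern expiration of the
# indicators created by the reputation commands; confirm against the
# implementation.
- defaultvalue: indicatorType
  name: feedExpirationPolicy
  display: ''
  options:
  - never
  - interval
  - indicatorType
  - suddenDeath
  required: false
  type: 17
  section: Collect
  advanced: true
- defaultvalue: '20160'
  name: feedExpirationInterval
  display: ''
  required: false
  type: 1
  section: Collect
  advanced: true
description: Sixgill Darkfeed Enrichment – powered by the broadest automated collection from the deep and dark web – is the most comprehensive IOC enrichment solution on the market. By enriching Palo Alto Networks Cortex XSOAR IOCs with Darkfeed, customers gain unparalleled context and essential explanations in order to accelerate their incident prevention and response and stay ahead of the threat curve. Automatically enrich Cortex XSOAR IOCs (machine to machine) via Darkfeed. Block threats and enrich endpoint protection in real-time from the Cortex XSOAR dashboard, gain contextual and actionable insights with essential explanations of Cortex XSOAR IOCs.
display: Sixgill DarkFeed Enrichment
name: Sixgill_Darkfeed_Enrichment
script:
  commands:
  # --------------------------------------------------------------------
  # Reputation commands: ip, domain, url, file.
  # Each takes a comma-separated list of indicators plus a `skip` offset
  # and produces a DBotScore entry, a standard-context entry (IP.Address,
  # Domain.Name, URL.Data, File.*) and a SixgillDarkfeed.<Type> entry.
  #
  # Security note for consumers of these outputs: per the field
  # descriptions, `description`, `sixgill_actor`, `sixgill_posttitle`,
  # `pattern`, `labels` and `external_reference` are taken from posts
  # collected on the dark web, i.e. attacker-authored text. Treat them as
  # untrusted when rendering them in the war room, building links from
  # `external_reference`, or using them in further automation.
  # --------------------------------------------------------------------
  - arguments:
    - default: true
      description: A comma-separated list of IPs to check.
      isArray: true
      name: ip
      required: true
      secret: false
    # Pagination offset into the per-indicator result set.
    - default: false
      defaultValue: '0'
      description: The number of outputs per indicator to be skipped when returning the result set. Default is 0.
      isArray: false
      name: skip
      required: false
      secret: false
    deprecated: false
    description: Returns information and a reputation for each IP in the input list.
    execution: false
    name: ip
    outputs:
    - contextPath: DBotScore.Indicator
      description: The indicator that was tested.
      type: String
    - contextPath: DBotScore.Score
      description: The actual score.
      type: Number
    - contextPath: DBotScore.Type
      description: The indicator type.
      type: String
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the indicator score.
      type: String
    - contextPath: SixgillDarkfeed.IP.created
      description: The timestamp when the indicator was created.
      type: Date
    - contextPath: SixgillDarkfeed.IP.id
      description: The unique ID of the indicator.
      type: String
    - contextPath: SixgillDarkfeed.IP.description
      description: The description of the indicator.
      type: String
    - contextPath: SixgillDarkfeed.IP.lang
      description: The language of the original post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.IP.modified
      description: The timestamp when the indicator was last modified.
      type: Date
    # STIX pattern string; described here as the IP address itself.
    - contextPath: SixgillDarkfeed.IP.pattern
      description: The indicator IP address.
      type: String
    - contextPath: SixgillDarkfeed.IP.sixgill_actor
      description: The actor of the original post on the dark web.
      type: String
    - contextPath: SixgillDarkfeed.IP.sixgill_confidence
      description: The indicator confidence score.
      type: Number
    - contextPath: SixgillDarkfeed.IP.sixgill_feedid
      description: The indicator subfeed ID.
      type: String
    - contextPath: SixgillDarkfeed.IP.sixgill_feedname
      description: The indicator subfeed name.
      type: String
    - contextPath: SixgillDarkfeed.IP.sixgill_postid
      description: The ID of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.IP.sixgill_posttitle
      description: The title of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.IP.sixgill_severity
      description: The indicator severity score.
      type: Number
    - contextPath: SixgillDarkfeed.IP.sixgill_source
      description: The source of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.IP.spec_version
      description: The STIX specification version.
      type: String
    - contextPath: SixgillDarkfeed.IP.type
      description: The STIX object type.
      type: String
    - contextPath: SixgillDarkfeed.IP.valid_from
      description: The creation date of the post in the Sixgill portal.
      type: Date
    - contextPath: SixgillDarkfeed.IP.labels
      description: The indicative labels of the indicator.
      type: Unknown
    # Structured (type Unknown) — carries a VirusTotal link and ATT&CK
    # references. Do not follow the link blindly from automation.
    - contextPath: SixgillDarkfeed.IP.external_reference
      description: Link to the IOC on VirusTotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques.
      type: Unknown
    - contextPath: IP.Address
      description: The indicator IP address.
      type: String
  - arguments:
    - default: true
      description: A comma-separated list of domain names to check.
      isArray: true
      name: domain
      required: true
      secret: false
    # Pagination offset into the per-indicator result set.
    - default: false
      defaultValue: '0'
      description: The number of outputs per indicator to be skipped when returning the result set. Default is 0.
      isArray: false
      name: skip
      required: false
      secret: false
    deprecated: false
    description: Returns information and a reputation for each domain name in the input list.
    execution: false
    name: domain
    outputs:
    - contextPath: DBotScore.Indicator
      description: The indicator that was tested.
      type: String
    - contextPath: DBotScore.Score
      description: The actual score.
      type: Number
    - contextPath: DBotScore.Type
      description: The indicator type.
      type: String
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the indicator score.
      type: String
    - contextPath: SixgillDarkfeed.Domain.created
      description: The timestamp when the indicator was created.
      type: Date
    - contextPath: SixgillDarkfeed.Domain.id
      description: The unique ID of the indicator.
      type: String
    - contextPath: SixgillDarkfeed.Domain.description
      description: The description of the indicator.
      type: String
    - contextPath: SixgillDarkfeed.Domain.lang
      description: The language of the original post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.Domain.modified
      description: The timestamp when the indicator was last modified.
      type: Date
    - contextPath: SixgillDarkfeed.Domain.pattern
      description: The indicator domain name.
      type: String
    - contextPath: SixgillDarkfeed.Domain.sixgill_actor
      description: The actor of the original post on the dark web.
      type: String
    - contextPath: SixgillDarkfeed.Domain.sixgill_confidence
      description: The indicator confidence score.
      type: Number
    - contextPath: SixgillDarkfeed.Domain.sixgill_feedid
      description: The indicator subfeed ID.
      type: String
    - contextPath: SixgillDarkfeed.Domain.sixgill_feedname
      description: The indicator subfeed name.
      type: String
    - contextPath: SixgillDarkfeed.Domain.sixgill_postid
      description: The ID of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.Domain.sixgill_posttitle
      description: The title of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.Domain.sixgill_severity
      description: The indicator severity score.
      type: Number
    - contextPath: SixgillDarkfeed.Domain.sixgill_source
      description: The source of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.Domain.spec_version
      description: The STIX specification version.
      type: String
    - contextPath: SixgillDarkfeed.Domain.type
      description: The STIX object type.
      type: String
    - contextPath: SixgillDarkfeed.Domain.valid_from
      description: The creation date of the post in the Sixgill portal.
      type: Date
    - contextPath: SixgillDarkfeed.Domain.labels
      description: The indicative labels of the indicator.
      type: Unknown
    - contextPath: SixgillDarkfeed.Domain.external_reference
      description: Link to the IOC on Virustotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques.
      type: Unknown
    - contextPath: Domain.Name
      description: The indicator domain name.
      type: String
  - arguments:
    - default: true
      description: A comma-separated list of URLs to check.
      isArray: true
      name: url
      required: true
      secret: false
    # Pagination offset into the per-indicator result set.
    - default: false
      defaultValue: '0'
      description: The number of outputs per indicator to be skipped when returning the result set. Default is 0.
      isArray: false
      name: skip
      required: false
      secret: false
    deprecated: false
    description: Returns information and a reputation for each URL in the input list.
    execution: false
    name: url
    outputs:
    - contextPath: DBotScore.Indicator
      description: The indicator that was tested.
      type: String
    - contextPath: DBotScore.Score
      description: The actual score.
      type: Number
    - contextPath: DBotScore.Type
      description: The indicator type.
      type: String
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the indicator score.
      type: String
    - contextPath: SixgillDarkfeed.URL.created
      description: The timestamp when the indicator was created.
      type: Date
    - contextPath: SixgillDarkfeed.URL.id
      description: The unique ID of the indicator.
      type: String
    - contextPath: SixgillDarkfeed.URL.description
      description: The description of the indicator.
      type: String
    - contextPath: SixgillDarkfeed.URL.lang
      description: The language of the original post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.URL.modified
      description: The timestamp when the indicator was last modified.
      type: Date
    - contextPath: SixgillDarkfeed.URL.pattern
      description: The indicator URL.
      type: String
    - contextPath: SixgillDarkfeed.URL.sixgill_actor
      description: The actor of the original post on the dark web.
      type: String
    - contextPath: SixgillDarkfeed.URL.sixgill_confidence
      description: The indicator confidence score.
      type: Number
    - contextPath: SixgillDarkfeed.URL.sixgill_feedid
      description: The indicator subfeed ID.
      type: String
    - contextPath: SixgillDarkfeed.URL.sixgill_feedname
      description: The indicator subfeed name.
      type: String
    - contextPath: SixgillDarkfeed.URL.sixgill_postid
      description: The ID of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.URL.sixgill_posttitle
      description: The title of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.URL.sixgill_severity
      description: The indicator severity score.
      type: Number
    - contextPath: SixgillDarkfeed.URL.sixgill_source
      description: The source of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.URL.spec_version
      description: The STIX specification version.
      type: String
    - contextPath: SixgillDarkfeed.URL.type
      description: The STIX object type.
      type: String
    - contextPath: SixgillDarkfeed.URL.valid_from
      description: The creation date of the post in the Sixgill portal.
      type: Date
    - contextPath: SixgillDarkfeed.URL.labels
      description: The indicative labels of the indicator.
      type: Unknown
    # Type capitalised to match every other output in this file.
    - contextPath: URL.Data
      description: The indicator URL.
      type: String
    - contextPath: SixgillDarkfeed.URL.external_reference
      description: Link to the IOC on Virustotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques.
      type: Unknown
  - arguments:
    - default: true
      description: A comma-separated list of file hashes to check.
      isArray: true
      name: file
      required: true
      secret: false
    # Pagination offset into the per-indicator result set.
    - default: false
      defaultValue: '0'
      description: The number of outputs per indicator to be skipped when returning the result set. Default is 0.
      isArray: false
      name: skip
      required: false
      secret: false
    deprecated: false
    description: Returns information and a reputation for each file hash in the input list.
    execution: false
    name: file
    outputs:
    - contextPath: DBotScore.Indicator
      description: The indicator that was tested.
      type: String
    - contextPath: DBotScore.Score
      description: The actual score.
      type: Number
    - contextPath: DBotScore.Type
      description: The indicator type.
      type: String
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the indicator score.
      type: String
    - contextPath: SixgillDarkfeed.File.created
      description: The timestamp when the indicator was created.
      type: Date
    - contextPath: SixgillDarkfeed.File.id
      description: The unique ID of the indicator.
      type: String
    - contextPath: SixgillDarkfeed.File.description
      description: The description of the indicator.
      type: String
    - contextPath: SixgillDarkfeed.File.lang
      description: The language of the original post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.File.modified
      description: The timestamp when the indicator was last modified.
      type: Date
    - contextPath: SixgillDarkfeed.File.pattern
      description: The indicator file hash (hashes include MD5, SHA-1 and SHA-256 when possible).
      type: String
    - contextPath: SixgillDarkfeed.File.sixgill_actor
      description: The actor of the original post on the dark web.
      type: String
    - contextPath: SixgillDarkfeed.File.sixgill_confidence
      description: The indicator confidence score.
      type: Number
    - contextPath: SixgillDarkfeed.File.sixgill_feedid
      description: The indicator subfeed ID.
      type: String
    - contextPath: SixgillDarkfeed.File.sixgill_feedname
      description: The indicator subfeed name.
      type: String
    - contextPath: SixgillDarkfeed.File.sixgill_postid
      description: The ID of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.File.sixgill_posttitle
      description: The title of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.File.sixgill_severity
      description: The indicator severity score.
      type: Number
    - contextPath: SixgillDarkfeed.File.sixgill_source
      description: The source of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.File.spec_version
      description: The STIX specification version.
      type: String
    - contextPath: SixgillDarkfeed.File.type
      description: The STIX object type.
      type: String
    - contextPath: SixgillDarkfeed.File.valid_from
      description: The creation date of the post in the Sixgill portal.
      type: Date
    - contextPath: SixgillDarkfeed.File.labels
      description: The indicative labels of the indicator.
      type: Unknown
    - contextPath: SixgillDarkfeed.File.external_reference
      description: Link to the IOC on Virustotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques.
      type: Unknown
    # Standard File context. NOTE(review): File.SHA512 is declared here,
    # but the `pattern` description above lists only MD5, SHA-1 and
    # SHA-256 — confirm the implementation ever populates SHA512, or drop
    # the output so playbooks do not rely on it. Types capitalised to
    # match the rest of the file.
    - contextPath: File.SHA256
      description: The SHA256 file hash.
      type: String
    - contextPath: File.SHA512
      description: The SHA512 file hash.
      type: String
    - contextPath: File.SHA1
      description: The SHA1 file hash.
      type: String
    - contextPath: File.MD5
      description: The MD5 file hash.
      type: String
  # --------------------------------------------------------------------
  # Lookup commands: sixgill-get-actor, sixgill-get-post-id.
  # NOTE(review): both descriptions say "information and a reputation",
  # but neither declares a DBotScore output, unlike the four commands
  # above. Either the implementation sets a score that is undocumented
  # here, or "reputation" in the description is misleading — confirm.
  # --------------------------------------------------------------------
  - arguments:
    - default: true
      description: A comma-separated list of actors to check.
      isArray: true
      name: actor
      required: true
      secret: false
    # Pagination offset into the per-actor result set.
    - default: false
      defaultValue: '0'
      description: The number of outputs per actor to be skipped when returning the result set. Default is 0.
      isArray: false
      name: skip
      required: false
      secret: false
    deprecated: false
    description: Returns information and a reputation for each actor in the input list.
    execution: false
    name: sixgill-get-actor
    outputs:
    - contextPath: SixgillDarkfeed.Actor.created
      description: The timestamp when the actor shared their first IOC.
      type: Date
    - contextPath: SixgillDarkfeed.Actor.id
      description: The unique ID of the actor.
      type: String
    - contextPath: SixgillDarkfeed.Actor.description
      description: The description of the actor.
      type: String
    - contextPath: SixgillDarkfeed.Actor.lang
      description: The language of the original post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.Actor.modified
      description: The timestamp when the actor was last modified.
      type: Date
    # Declared as String although described as a list — consumers should
    # expect either a single pattern or a list per entry.
    - contextPath: SixgillDarkfeed.Actor.pattern
      description: A list of the IOCs shared by the actor.
      type: String
    - contextPath: SixgillDarkfeed.Actor.sixgill_actor
      description: The actor of the original post on the dark web.
      type: String
    - contextPath: SixgillDarkfeed.Actor.sixgill_confidence
      description: The confidence score of the actor.
      type: Number
    - contextPath: SixgillDarkfeed.Actor.sixgill_feedid
      description: The Subfeed ID of the actor.
      type: String
    - contextPath: SixgillDarkfeed.Actor.sixgill_feedname
      description: The Subfeed name of the actor.
      type: String
    - contextPath: SixgillDarkfeed.Actor.sixgill_postid
      description: The ID of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.Actor.sixgill_posttitle
      description: The title of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.Actor.sixgill_severity
      description: The severity score of the actor.
      type: Number
    - contextPath: SixgillDarkfeed.Actor.sixgill_source
      description: The source of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.Actor.spec_version
      description: The STIX specification version.
      type: String
    - contextPath: SixgillDarkfeed.Actor.type
      description: The STIX object type.
      type: String
    - contextPath: SixgillDarkfeed.Actor.valid_from
      description: The creation date of the post in the Sixgill portal.
      type: Date
    - contextPath: SixgillDarkfeed.Actor.labels
      description: The indicative labels of the actor.
      type: Unknown
    - contextPath: SixgillDarkfeed.Actor.external_reference
      description: Link to the IOC on Virustotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques.
      type: Unknown
  - arguments:
    - default: true
      description: A comma-separated list of post IDs to check.
      isArray: true
      name: post_id
      required: true
      secret: false
    # Pagination offset into the per-post result set.
    - default: false
      defaultValue: '0'
      description: The number of outputs per post ID to be skipped when returning the result set. Default is 0.
      isArray: false
      name: skip
      required: false
      secret: false
    deprecated: false
    description: Returns information and a reputation for each post ID in the input list.
    execution: false
    name: sixgill-get-post-id
    outputs:
    - contextPath: SixgillDarkfeed.Postid.created
      description: The timestamp when an IOC was first included in the post.
      type: Date
    - contextPath: SixgillDarkfeed.Postid.id
      description: The unique ID of the post.
      type: String
    - contextPath: SixgillDarkfeed.Postid.description
      description: The description of the post ID.
      type: String
    - contextPath: SixgillDarkfeed.Postid.lang
      description: The language of the original post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.Postid.modified
      description: The timestamp when the post ID information was last modified.
      type: Date
    # Declared as String although described as a list — same caveat as
    # SixgillDarkfeed.Actor.pattern.
    - contextPath: SixgillDarkfeed.Postid.pattern
      description: A list of the IOCs included in the post.
      type: String
    - contextPath: SixgillDarkfeed.Postid.sixgill_actor
      description: The actor of the original post on the dark web.
      type: String
    - contextPath: SixgillDarkfeed.Postid.sixgill_confidence
      description: The confidence score of the post ID.
      type: Number
    - contextPath: SixgillDarkfeed.Postid.sixgill_feedid
      description: The Subfeed ID of the post ID.
      type: String
    - contextPath: SixgillDarkfeed.Postid.sixgill_feedname
      description: The Subfeed name of the post ID.
      type: String
    - contextPath: SixgillDarkfeed.Postid.sixgill_postid
      description: The ID of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.Postid.sixgill_posttitle
      description: The title of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.Postid.sixgill_severity
      description: The severity score of the post ID.
      type: Number
    - contextPath: SixgillDarkfeed.Postid.sixgill_source
      description: The source of the post in the Sixgill portal.
      type: String
    - contextPath: SixgillDarkfeed.Postid.spec_version
      description: The STIX specification version.
      type: String
    - contextPath: SixgillDarkfeed.Postid.type
      description: The STIX object type.
      type: String
    - contextPath: SixgillDarkfeed.Postid.valid_from
      description: The creation date of the post in the Sixgill portal.
      type: Date
    - contextPath: SixgillDarkfeed.Postid.labels
      description: The indicative labels of the post ID.
      type: Unknown
    - contextPath: SixgillDarkfeed.Postid.external_reference
      description: Link to the IOC on Virustotal and an abstraction of the number of detections; MITRE ATT&CK tactics and techniques.
      type: Unknown
  # Runtime. The image is pinned to an exact tag, which is what keeps the
  # integration's dependency set reproducible; bump it deliberately rather
  # than moving to a floating tag.
  dockerimage: demisto/sixgill:1.0.0.54624
  # Not a feed integration and does not fetch incidents: it only answers
  # the commands declared above.
  feed: false
  isfetch: false
  longRunning: false
  longRunningPort: false
  runonce: false
  # '-' marks that the Python code is kept in a separate file in the pack.
  script: '-'
  subtype: python3
  type: python
fromversion: 5.5.0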