FeedCyjax.yml
category: Data Enrichment & Threat Intelligence
display: Cyjax Feed
name: Cyjax Feed
description: 'The feed allows customers to pull indicators of compromise from cyber incidents (IP addresses, URLs, domains, CVEs and file hashes).'
commonfields:
  id: Cyjax Feed
  version: -1
configuration:
- defaultvalue: https://api.cyberportal.co
  additionalinfo: URL of the Cyjax API.
  display: Cyjax API URL
  name: url
  required: true
  type: 0
- display: API Key
  additionalinfo: Cyjax API key obtained from the Cyjax portal.
  name: apikey
  required: true
  type: 4
- display: Trust any certificate (not secure)
  name: insecure
  required: false
  defaultvalue: 'false'
  type: 8
- display: Use system proxy settings
  name: proxy
  required: false
  type: 8
- display: Fetch indicators
  defaultvalue: 'true'
  name: feed
  required: false
  type: 8
- display: Indicator Reputation
  additionalinfo: Indicators from this integration instance will be marked with this reputation.
  defaultvalue: Suspicious
  name: feedReputation
  options:
  - None
  - Good
  - Suspicious
  - Bad
  required: false
  type: 18
- display: Source Reliability
  additionalinfo: Reliability of the source providing the intelligence data.
  defaultvalue: A - Completely reliable
  name: feedReliability
  options:
  - A - Completely reliable
  - B - Usually reliable
  - C - Fairly reliable
  - D - Not usually reliable
  - E - Unreliable
  - F - Reliability cannot be judged
  required: true
  type: 15
- name: tlp_color
  additionalinfo: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed.
  display: Traffic Light Protocol Color
  options:
  - RED
  - AMBER
  - GREEN
  - WHITE
  required: false
  type: 15
- name: use_cyjax_tlp
  display: Use Cyjax feed TLP
  additionalinfo: Whether to use the TLP set by Cyjax. When enabled, it overrides the TLP color set above.
  required: false
  defaultvalue: 'true'
  type: 8
- name: feedTags
  display: Tags
  additionalinfo: Supports CSV values.
  required: false
  type: 0
- display: ""
  name: feedExpirationPolicy
  defaultvalue: never
  type: 17
  required: false
  options:
  - never
  - interval
  - indicatorType
  - suddenDeath
- name: feedExpirationInterval
  defaultvalue: "20160"
  required: false
  type: 1
  display: ""
- additionalinfo: Incremental feeds pull only new or modified indicators that have been sent from the integration. As the determination of whether an indicator is new or modified happens on the 3rd-party vendor's side, and only indicators that are new or modified are sent to Cortex XSOAR, all indicators coming from these feeds are labeled new or modified.
  display: Incremental Feed
  name: feedIncremental
  defaultvalue: 'true'
  required: false
  type: 8
  hidden: true
- display: Bypass exclusion list
  name: feedBypassExclusionList
  type: 8
  required: false
  additionalinfo: |-
    When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.
- name: feedFetchInterval
  defaultvalue: '60'
  display: Feed Fetch Interval
  required: false
  type: 19
- defaultvalue: 3 days
  display: First fetch time
  additionalinfo: The time interval for the first fetch (retroactive). For example, 3 days or 1 hour.
  name: first_fetch
  required: true
  type: 0
script:
  commands:
  - arguments:
    - name: since
      description: The start date and time in ISO 8601 format.
      required: false
    - name: until
      description: The end date and time in ISO 8601 format.
      required: false
    - name: type
      description: 'The indicator type. If not specified, all indicators are returned. Allowed values are IPv4, IPv6, Domain, Hostname, Email, FileHash-SHA1, FileHash-SHA256, FileHash-MD5, FileHash-SSDEEP.'
      required: false
    - name: source_type
      description: The indicator source type. Allowed values are incident-report, my-report.
      required: false
    - name: source_id
      description: The indicator source ID.
      required: false
    - name: limit
      description: The maximum number of indicators to get. The default value is 50.
      defaultValue: '50'
      required: false
    name: cyjax-get-indicators
    description: Get indicators.
  - arguments:
    - description: Indicator value.
      name: value
      required: true
    name: cyjax-indicator-sighting
    description: Get sightings of an indicator.
  - name: cyjax-unset-indicators-last-fetch-date
    description: 'Unset the indicator feed last fetch date. Should only be used if the user needs to use the `re-fetch` button and wants to fetch old indicators from Cyjax. The next feed run will use the date set in first_fetch (default is the last 3 days).'
  isfetch: false
  feed: true
  runonce: false
  script: '-'
  type: python
  subtype: python3
  dockerimage: demisto/py3-tools:1.0.0.59406
fromversion: 5.5.0
tests:
- No tests (auto formatted)