DHSFeedV2.yml
221 lines (221 loc) · 7.68 KB
category: Data Enrichment & Threat Intelligence
commonfields:
  id: DHS Feed v2
  version: -1
configuration:
- defaultvalue: 'true'
  display: Fetch indicators
  name: feed
  type: 8
  required: false
- defaultvalue: https://ais2.cisa.dhs.gov/taxii2/
  display: Discovery Service URL (e.g., https://ais2.cisa.dhs.gov/taxii2/)
  name: url
  required: true
  type: 0
- displaypassword: Key File as Text
  additionalinfo: For more information, visit https://us-cert.cisa.gov/ais.
  name: key
  type: 9
  required: true
  hiddenusername: true
- additionalinfo: For more information, visit https://us-cert.cisa.gov/ais.
  display: Certificate File as Text
  name: certificate
  required: true
  type: 12
- additionalinfo: The default API root to use (e.g., default, public). If left empty, the server default API root will be used. When the server has no default root, the first available API root will be used instead. The user must be authorized to reach the selected API root.
  defaultvalue: 'public'
  display: Default API Root to use
  name: default_api_root
  type: 0
  required: false
- additionalinfo: Indicators will be fetched from this collection. Run the "dhs-get-collections" command to get a valid value. If left empty, the instance will try to fetch from all the collections in the given discovery service.
  display: Collection Name To Fetch Indicators From
  name: collection_to_fetch
  type: 0
  required: false
- additionalinfo: Indicators from this integration instance will be marked with this reputation.
  defaultvalue: Bad
  display: Indicator Reputation
  name: feedReputation
  options:
  - None
  - Good
  - Suspicious
  - Bad
  type: 18
  required: false
- additionalinfo: Reliability of the source providing the intelligence data.
  defaultvalue: F - Reliability cannot be judged
  display: Source Reliability
  name: feedReliability
  options:
  - A - Completely reliable
  - B - Usually reliable
  - C - Fairly reliable
  - D - Not usually reliable
  - E - Unreliable
  - F - Reliability cannot be judged
  required: true
  type: 15
- additionalinfo: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed.
  display: Traffic Light Protocol Color
  name: tlp_color
  options:
  - RED
  - AMBER
  - GREEN
  - WHITE
  type: 15
  required: false
- defaultvalue: indicatorType
  display: ''
  name: feedExpirationPolicy
  options:
  - never
  - interval
  - indicatorType
  - suddenDeath
  type: 17
  required: false
- defaultvalue: '20160'
  display: ''
  name: feedExpirationInterval
  type: 1
  required: false
- defaultvalue: '240'
  display: Feed Fetch Interval
  name: feedFetchInterval
  type: 19
  required: false
- additionalinfo: 'The time interval for the first fetch (retroactive) in the following format: <number> <time unit> of type minute/hour/day. For example, 1 minute, 12 hours. Limited to 48 hours.'
  defaultvalue: 24 hours
  display: First Fetch Time
  name: initial_interval
  type: 0
  required: false
- additionalinfo: 'The objects to fetch, most likely indicators. Specifying the types of objects to fetch may slow down the fetch time.'
  display: STIX Objects To Fetch
  name: objects_to_fetch
  type: 16
  options:
  - indicator
  - relationship
  - report
  - malware
  - campaign
  - attack-pattern
  - course-of-action
  - intrusion-set
  - tool
  - threat-actor
  - infrastructure
  - autonomous-system
  - domain-name
  - email-addr
  - file
  - ipv4-addr
  - ipv6-addr
  - mutex
  - url
  - user-account
  - windows-registry-key
  - identity
  - location
  - vulnerability
  required: false
- display: Trust any certificate (not secure)
  name: insecure
  type: 8
  required: false
- display: Use system proxy settings
  name: proxy
  type: 8
  required: false
- additionalinfo: When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.
  display: Bypass exclusion list
  name: feedBypassExclusionList
  type: 8
  required: false
- additionalinfo: The maximum number of indicators that can be fetched per fetch. If this field is left empty, there will be no limit on the number of indicators fetched.
  display: Max Indicators Per Fetch
  name: limit
  type: 0
  required: false
- additionalinfo: Set the number of STIX objects that will be requested with each TAXII poll (HTTP request). A single fetch is made of several TAXII polls. Changing this setting can help speed up fetches, or fix issues on slower networks. Note that server restrictions may apply and can override or lower the requested limit.
  defaultvalue: '1000'
  display: Max STIX Objects Per Poll
  name: limit_per_request
  type: 0
  required: false
- additionalinfo: Choose how to handle complex observations. Two or more Observation Expressions MAY be combined using a complex observation operator such as "AND" or "OR". For example, `[ IP = 'b' ] AND [ URL = 'd' ]`
  defaultvalue: Skip indicators with more than a single observation
  display: Complex Observation Mode
  name: observation_operator_mode
  options:
  - Create indicator for each observation
  - Skip indicators with more than a single observation
  type: 15
  required: false
- additionalinfo: Supports CSV values.
  display: Tags
  name: feedTags
  type: 0
  required: false
- additionalinfo: Incremental feeds pull only new or modified indicators that have been sent from the integration. Because the determination of whether an indicator is new or modified happens on the third-party vendor's side, and only new or modified indicators are sent to Cortex XSOAR, all indicators coming from these feeds are labeled new or modified.
  defaultvalue: 'true'
  display: Incremental Feed
  hidden: true
  name: feedIncremental
  type: 8
  required: false
description: The Cybersecurity and Infrastructure Security Agency’s (CISA’s) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators, at machine speed, to the Federal Government community.
display: DHS Feed v2
name: DHS Feed v2
script:
  commands:
  - arguments:
    - auto: PREDEFINED
      defaultValue: 'false'
      description: Will return only the rawJSON of the indicator object.
      name: raw
      predefined:
      - 'true'
      - 'false'
    - defaultValue: '10'
      description: Maximum number of indicators to return. Default is 10. If you are increasing this value, make sure the 'execution-timeout' argument is also increased.
      name: limit
    - defaultValue: '24 hours'
      description: Fetch only indicators that were added to the server after the given time. Provide a <number> and <time unit> of type minute/hour/day. For example, 1 minute, 12 hours, 2 days. Limited to 48 hours.
      name: added_after
    description: Allows you to test your feed and to make sure you can fetch indicators successfully. Due to API limitations, this command may take a long time to run. Make sure the 'execution-timeout' argument is increased. See the integration readme for further information.
    name: dhs-get-indicators
    outputs:
    - contextPath: DHS.Indicators.value
      description: Indicator value.
      type: String
    - contextPath: DHS.Indicators.type
      description: Indicator type.
      type: String
    - contextPath: DHS.Indicators.rawJSON
      description: Indicator rawJSON.
      type: String
  - description: Gets the list of collections from the discovery service.
    name: dhs-get-collections
    outputs:
    - contextPath: DHS.Collections.ID
      description: Collection ID.
      type: String
    - contextPath: DHS.Collections.Name
      description: Collection name.
      type: String
  dockerimage: demisto/taxii2:1.0.0.83423
  feed: true
  runonce: false
  script: '-'
  subtype: python3
  type: python
fromversion: 6.5.0
tests:
- No tests
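Three of the settings above carry logic a practitioner may want to see end to end: `initial_interval` / `added_after` (a "<number> <unit>" lookback capped at 48 hours), `limit_per_request` together with `limit` (one fetch is several TAXII polls, and the server may return fewer objects than asked for), and `observation_operator_mode` (what happens to a STIX pattern such as `[ IP = 'b' ] AND [ URL = 'd' ]`). The following Python is an added example written for this page; it is not code from the DHSFeedV2 integration or from the Cortex XSOAR content repository. It assumes a mapping from STIX object paths to indicator type names (`PATH_TO_TYPE`), replaces the AIS TAXII server with a constructed in-memory stand-in (`make_fake_server`), and uses constructed STIX objects (`SAMPLE_OBJECTS`) rather than AIS data, so it runs offline.

```python
"""Added example (not DHSFeedV2 or Cortex XSOAR code): models 'initial_interval'
parsing with its 48-hour ceiling, TAXII 2.1 paging under 'limit_per_request' and
'limit', and 'observation_operator_mode' on STIX patterns, against a fake server."""
import re
from datetime import datetime, timedelta, timezone

MAX_LOOKBACK = timedelta(hours=48)  # "Limited to 48 hours"
SKIP_MODE = "Skip indicators with more than a single observation"
EACH_MODE = "Create indicator for each observation"
# Assumed mapping from single-comparison STIX object paths to indicator type names.
PATH_TO_TYPE = {"ipv4-addr:value": "IP", "ipv6-addr:value": "IPv6", "url:value": "URL",
                "domain-name:value": "Domain", "file:hashes.MD5": "File"}
_SINGLE_COMPARISON = re.compile(r"\[\s*([\w-]+:[\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]")

def parse_lookback(text: str) -> timedelta:
    """'<number> <unit>' (minute/hour/day, plural allowed), clamped to 48 hours."""
    m = re.fullmatch(r"\s*(\d+)\s+(minute|hour|day)s?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported interval: {text!r}")
    return min(timedelta(**{m.group(2).lower() + "s": int(m.group(1))}), MAX_LOOKBACK)

def added_after_param(text: str, now: datetime) -> str:
    """TAXII 'added_after' filter value: RFC 3339, UTC, millisecond precision."""
    since = now.astimezone(timezone.utc) - parse_lookback(text)
    return since.isoformat(timespec="milliseconds").replace("+00:00", "Z")

def fetch_objects(poll, added_after: str, limit_per_request: int, limit=None) -> list:
    """One fetch = several polls: follow 'next' while 'more' is true, stop at 'limit'."""
    collected, params = [], {"limit": limit_per_request, "added_after": added_after}
    while True:
        envelope = poll(dict(params))
        collected.extend(envelope.get("objects", []))
        if limit is not None and len(collected) >= limit:
            return collected[:limit]
        if not envelope.get("more") or "next" not in envelope:
            return collected
        params["next"] = envelope["next"]

def split_observations(pattern: str) -> list:
    """Top-level '[...]' observation expressions; a ']' inside a quoted literal is ignored."""
    out, depth, start, in_str, i = [], 0, 0, False, 0
    while i < len(pattern):
        ch = pattern[i]
        if in_str:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
        elif ch == "[":
            start = i if depth == 0 else start
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth == 0:
                out.append(pattern[start:i + 1])
        i += 1
    if depth != 0 or in_str:
        raise ValueError(f"unbalanced STIX pattern: {pattern!r}")
    return out

def indicators_from_pattern(pattern: str, mode: str) -> list:
    """Apply the Complex Observation Mode; observations that are not a single
    'path = value' comparison are dropped (a simplification in this example)."""
    observations = split_observations(pattern)
    if mode == SKIP_MODE and len(observations) > 1:
        return []
    matches = [_SINGLE_COMPARISON.fullmatch(o) for o in observations]
    return [{"value": m.group(2), "type": PATH_TO_TYPE.get(m.group(1), m.group(1))}
            for m in matches if m]

# Constructed STIX objects standing in for a collection's contents (not AIS data).
SAMPLE_OBJECTS = [
    {"type": "indicator", "id": "indicator--1", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--2",
     "pattern": "[url:value = 'http://example.test/a'] AND [domain-name:value = 'example.test']"},
    {"type": "indicator", "id": "indicator--3", "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"},
    {"type": "report", "id": "report--1", "name": "constructed report"},
    {"type": "indicator", "id": "indicator--4", "pattern": "[url:value = 'http://example.test/q?x=[1]']"},
]

def make_fake_server(objects: list, server_cap: int = 2):
    """Stand-in for GET .../collections/<id>/objects/. As the YAML notes, a server may
    cap the requested 'limit'; this one never returns more than server_cap per poll."""
    def poll(params: dict) -> dict:
        start = int(params.get("next", 0))
        chunk = objects[start:start + min(int(params["limit"]), server_cap)]
        end = start + len(chunk)
        envelope = {"objects": chunk, "more": end < len(objects)}
        if envelope["more"]:
            envelope["next"] = str(end)
        return envelope
    return poll

def run_fetch(mode: str, limit=None) -> list:
    """Full pass: compute added_after, page the collection, convert the indicators."""
    since = added_after_param("24 hours", datetime.now(timezone.utc))
    objects = fetch_objects(make_fake_server(SAMPLE_OBJECTS), since, 1000, limit)
    return [ind for obj in objects if obj["type"] == "indicator"
            for ind in indicators_from_pattern(obj["pattern"], mode)]
```

With the default mode, `run_fetch(SKIP_MODE)` yields the IP, the file hash and the bracket-containing URL, and drops `indicator--2` because its pattern has two observation expressions; `run_fetch(EACH_MODE)` splits that pattern into a URL and a Domain indicator instead. Note that `limit` is applied to objects as they arrive, so a fetch capped at two objects sees `indicator--1` and `indicator--2` only, and in skip mode produces a single indicator. Two settings in the YAML deserve the same scrutiny as this logic: `insecure` ("Trust any certificate") turns off TLS server verification, which on a feed authenticated with a client key and certificate removes the one check that the peer is really the AIS server, and `feedBypassExclusionList` lets feed indicators override exclusions you have deliberately configured; both should stay unset unless there is a specific reason.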