Analyst1
The Analyst1 connector integrates Analyst1's threat analysis and intelligence capabilities with other security systems. Analyst1 is a threat intelligence platform that provides detailed insight into cyber threats and adversaries. The Analyst1 connector for Swimlane Turbine lets users perform batch checks, retrieve sensor configurations, and access detailed information on indicators, malware, and rules. By integrating with Analyst1, Swimlane Turbine users can enrich their security automation workflows with threat intelligence, streamline sensor and rule management, and conduct malware analysis, all within a low-code environment.

## Prerequisites

To use the Analyst1 connector with Swimlane Turbine, ensure you have the following:

HTTP Basic Authentication with the following parameters:

- URL: endpoint for Analyst1 API access
- Email address: user's email for login credentials
- Password: corresponding password for the provided email address

## Asset Setup

The asset for this connector requires the following inputs:

- Username
- Password

## Capabilities

This connector provides the following capabilities:

- Get Batch Check
- Get Config File for Sensor
- Get Indicators
- Get Indicator by ID
- Get Indicators for Sensor
- Get Malware by ID
- Get Rules by Sensor ID
- Get Sensors by ID
- Get Taskings by Sensor ID
- Indicator Query
- Search Malwares
- Submit Evidence

## API Documentation Link

Analyst1 API documentation: https://partner.cloud.analyst1.com/guide/viewer?category=api&guide=2.7.0%20REST%20API

## Configurations

### HTTP Basic Authentication

Authenticates using username and password. Basic authentication sends the credentials with every request, so point the asset at an https URL and leave `verify_ssl` enabled outside of lab environments.

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| username | Email address | string | Required |
| password | Password | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Get Batch Check

Performs a match operation on a collection of values across various entities in Analyst1.

Endpoint URL: /api/1_0/batchCheck

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| values | array | Required | The values to search for, separated by commas |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| results.searchedValue | string | Value that was searched for |
| results.matchedValue | string | Value that matched |
| results.id | number | Unique identifier |
| results.entity | object | Matched entity (`key`, `title`) |
| results.type | object | Type of the resource (`key`, `title`) |
| results.benign | boolean | Whether the match is benign |
| results.actor | array | Associated actors (`id`, `title`, `akas`) |
| results.malware | array | Associated malware (`id`, `title`, `akas`) |
| results.system | array | Associated systems (`id`, `title`, `akas`) |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "results": []
    }
  }
]
```

### Get Config File for Sensor

Retrieve the current configuration file for a specified sensor using its unique identifier.

Endpoint URL: /api/1_0/sensors/{{id}}/taskings/config

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | Required | Unique identifier of the sensor |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| file | object | The configuration file |
| file.file | string | File contents |
| file.file_name | string | Name of the file |
| file.contentType | string | Media type of the file |

Example:

```json
[
  {
    "file": {
      "file": "string",
      "file_name": "example_name",
      "contentType": "text/plain"
    }
  }
]
```

### Get Indicator by ID

Retrieve detailed information for a specific indicator in Analyst1 using its unique identifier.

Endpoint URL: /api/1_0/indicator/{{id}}

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | Required | Requested resource ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| expand | string | Child resources included in the response |
| type | string | Type of the resource |
| value | object | Indicator value (`name`, `classification`) |
| description | object | Description (`name`, `classification`) |
| activityDates | array | Activity dates (`date`, `classification`) |
| reportedDates | array | Reported dates (`date`, `classification`) |
| targets | array | Targets (`name`, `id`, `classification`) |
| attackPatterns | array | Attack patterns (`name`, `id`, `classification`) |
| actors | array | Associated actors |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "expand": "string",
      "type": "string",
      "value": {},
      "description": {},
      "activityDates": [],
      "reportedDates": [],
      "targets": [],
      "attackPatterns": [],
      "actors": [],
      "malwares": [],
      "status": "active",
      "hashes": [],
      "filenames": {},
      "filesize": {},
      "path": {}
    }
  }
]
```

### Get Indicators

Browse indicator resources to retrieve and list indicators from Analyst1 for further analysis.

Endpoint URL: /api/1_0/indicator

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | Optional | Requested results page |
| pageSize | number | Optional | Results per page |
| descSort | boolean | Optional | Sort direction (true for descending) |
| sortBy | string | Optional | Field to sort results on |
| type | string | Optional | Indicator type |
| benign | boolean | Optional | Benign filter |
| tasked | boolean | Optional | Tasked filter |
| status | string | Optional | Status value |
| tlp | string | Optional | TLP filter |
| verified | boolean | Optional | Verified filter |
| searchTerm | string | Optional | Search term |
| indicatorValueOnlySearch | boolean | Optional | Apply the search term to indicator values only |
| sources | array | Optional | Source filter |
| expand | string | Optional | Child resources to include |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| results.expand | string | Child resources included |
| results.links | boolean | Links flag |
| results.id | number | Unique identifier |
| results.type | string | Type of the resource |
| results.value | object | Indicator value (`name`, `classification`) |
| results.status | string | Status value |
| results.tlp | string | TLP color |
| pageSize | number | Results per page |
| page | number | Current page |
| totalResults | number | Total number of results |
| totalPages | number | Total number of pages |
| links | boolean | Links flag |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "results": [],
      "pageSize": 1,
      "page": 1,
      "totalResults": 10,
      "totalPages": 10,
      "links": true
    }
  }
]
```

### Get Indicators for Sensor

Retrieve the indicators associated with a specific sensor in Analyst1 using the sensor's unique identifier.

Endpoint URL: /api/1_0/sensors/{{id}}/indicators

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | Required | Sensor ID |
| status | string | Optional | Indicator status filter. Allowed values: 'u' (unable to act), 'aab' (awaiting ability), 'aw' (awaiting intention), 'aal' (awaiting allowed), 'ar' (awaiting rule), 'rc' (rule created) |
| type | string | Optional | Indicator type filter. Allowed values: 'domain', 'ip', 'file', 'email', 'string', 'ipv6', 'mutex', 'httprequest', 'url' |
| value | string | Optional | Indicator value filter |
| actor | number | Optional | Actor query; when absent, no actor filter is applied |
| verified | boolean | Optional | Verified status filter; when absent, both verified and unverified indicators are included |
| page | number | Optional | Requested results page, 1-indexed; when absent, the first page is returned |
| pageSize | number | Optional | Requested results per page; when present, must be between 1 and 100 inclusive |
| descSort | boolean | Optional | Sort direction: true for descending, false for ascending |
| sortBy | string | Optional | Field to sort results on. Allowed values: 'id', 'type', 'value', 'reportCount', 'benign', 'tasked' |
| expand | string | Optional | Child resources to return details for. Valid options: 'hitStats', 'sources', 'enrichmentResults'; the selected options are echoed in the `expand` response value |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| results.expand | string | Child resources included |
| results.type | string | Type of the resource |
| results.value | object | Indicator value (`name`, `classification`) |
| results.description | object | Description (`name`, `classification`) |
| results.activityDates | array | Activity dates (`date`, `classification`) |
| results.reportedDates | array | Reported dates (`date`, `classification`) |
| results.targets | array | Targets (`name`, `id`, `classification`) |
| results.attackPatterns | array | Attack patterns (`name`, `id`, `classification`) |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "results": [],
      "pageSize": 123,
      "page": 123,
      "totalResults": 123,
      "totalPages": 123,
      "links": {}
    }
  }
]
```

### Get Malware by ID

Retrieve detailed information for a specific malware entry using its unique identifier in the Analyst1 platform.

Endpoint URL: /api/1_0/malware/{{id}}

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | Required | Unique identifier of the malware entry |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| links | boolean | Links flag |
| id | number | Unique identifier |
| title | object | Title (`name`, `classification`) |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "links": true,
      "id": 301,
      "title": {}
    }
  }
]
```

### Get Rules by Sensor ID

Retrieve the set of rules associated with a specific sensor in Analyst1 using the sensor's unique identifier.

Endpoint URL: /api/1_0/sensors/{{id}}/rules

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | Required | Sensor ID |
| type | string | Optional | Rule type (i.e., sensor manufacturer). May be one of 'unknown', 'snort', 'mcafee hips', 'palo alto', 'juniper', 'yara', 'suricata', 'symantec proxysg', 'cisco asa', 'tipping point ips', 'tanium blocklist', 'other auto' |
| exploitStage | number | Optional | Rule exploit stage; look up valid IDs in the /api/1_0/exploitStage endpoint |
| source | string | Optional | Rule source. May be one of 'internal', 'auto indicator', 'proofpoint snort', 'proofpoint suricata' |
| tlp | string | Optional | Rule Traffic Light Protocol color. May be one of 'undetermined', 'clear', 'green', 'amber', 'amber+strict', 'red' |
| page | number | Optional | Requested results page, 1-indexed; when absent, the first page is returned |
| pageSize | number | Optional | Requested results per page; when present, must be between 1 and 100 inclusive |
| descSort | boolean | Optional | Sort direction: true for descending, false for ascending |
| sortBy | string | Optional | Field to sort results on. Allowed values: 'id', 'type' (sensor manufacturer), 'source', 'context', 'exploitStage', 'tasked', 'taskedCount', 'tlp', 'sid', 'otherSid' |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| results.id | number | Unique identifier |
| results.name | string | Rule name |
| results.tlp | string | TLP color |
| results.source | string | Rule source |
| results.tlpJustification | string | Justification for the TLP color |
| results.tlpCaveats | string | TLP caveats |
| results.tlpReevaluateDate | string | Date on which the TLP should be re-evaluated |
| results.ruleStatus | string | Rule status |
| results.ruleDefinition | string | Rule definition |
| results.ruleType | string | Rule type |
| results.tasked | boolean | Whether the rule is tasked |
| results.context | string | Rule context |
| results.exploitStage | object | Exploit stage (`id`, `name`, `classification`) |
| results.sid | string | Rule SID |
| results.otherSid | string | Alternate SID |
| results.taskedCount | number | Number of sensors the rule is tasked to |
| results.actors | object | Associated actors (`idNamePairs` array of `id`) |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Wed, 04 Oct 2023 15:49:27 GMT",
      "Content-Type": "application/json;charset=UTF-8",
      "Transfer-Encoding": "chunked",
      "Connection": "close",
      "Cache-Control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "Strict-Transport-Security": "max-age=31536000",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff"
    },
    "reason": "",
    "json_body": {
      "results": [],
      "pageSize": 10,
      "page": 1,
      "totalResults": 4,
      "totalPages": 1,
      "links": {}
    }
  }
]
```

### Get Sensors by ID

Retrieve detailed information for a specific sensor by its ID in Analyst1.

Endpoint URL: /api/1_0/sensors/{{id}}

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | Required | Sensor ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| name | string | Sensor name |
| logicalLocation | string | Logical location |
| org | object | Owning organization (`id`, `name`) |
| type | string | Sensor type |
| currentVersionNumber | number | Current tasking version number |
| latestConfigVersionNumber | number | Latest configuration version number |
| comments | array | Comments |
| firmwareVersion | string | Firmware version |
| installDate | string | Install date |
| modelNumber | string | Model number |
| networkSpeed | string | Network speed |
| numIndicators | number | Number of tasked indicators |
| numSignatures | number | Number of tasked signatures |
| physicalAddress | string | Physical address |
| purchaseDate | string | Purchase date |
| serialNumber | number | Serial number |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": 123,
      "name": "example_name",
      "logicalLocation": "string",
      "org": {},
      "type": "string",
      "currentVersionNumber": 123,
      "latestConfigVersionNumber": 123,
      "comments": [],
      "firmwareVersion": "string",
      "installDate": "string",
      "modelNumber": "string",
      "networkSpeed": "string",
      "numIndicators": 123,
      "numSignatures": 123,
      "physicalAddress": "string"
    }
  }
]
```

### Get Taskings by Sensor ID

Retrieve the differences in taskings between the latest version and a past version for a given sensor ID and version in Analyst1.

Endpoint URL: /api/1_0/sensors/{{id}}/taskings/diff/{{version}}

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | Required | The sensor's ID |
| version | number | Required | One-based past version of the sensor to compare against the latest |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| version | number | Past version compared |
| latestVersion | number | Latest version |
| indicatorsAdded | array | Indicators added since the past version |
| indicatorsRemoved | array | Indicators removed since the past version |
| rulesAdded | array | Rules added since the past version |
| rulesRemoved | array | Rules removed since the past version |
| links | object | Links (`self.href`) |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": 123,
      "version": 123,
      "latestVersion": 123,
      "indicatorsAdded": [],
      "indicatorsRemoved": [],
      "rulesAdded": [],
      "rulesRemoved": [],
      "links": {}
    }
  }
]
```

### Indicator Query

Performs an exact-match query for indicators in Analyst1 based on type and value.

Endpoint URL: /api/1_0/indicator/match

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| type | string | Required | The indicator type |
| value | string | Required | The indicator value |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| expand | string | Child resources included |
| type | string | Type of the resource |
| value | object | Indicator value (`name`, `classification`) |
| description | object | Description |
| activityDates | array | Activity dates |
| reportedDates | array | Reported dates (`date`, `classification`) |
| targets | array | Targets |
| attackPatterns | array | Attack patterns |
| actors | array | Associated actors |
| malwares | array | Associated malware |
| status | string | Status value |
| hashes | array | File hashes |
| filenames | array | File names |
| filesize | object | File size |
| path | object | File path |
| ports | array | Ports |
| ipRegistration | object | IP registration data |
| domainRegistration | object | Domain registration data |
| ipResolution | object | IP resolution data |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 27 Jun 2024 18:01:03 GMT",
      "Content-Type": "application/json;charset=UTF-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Cache-Control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "Strict-Transport-Security": "max-age=31536000",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff"
    },
    "reason": "",
    "json_body": {
      "expand": "sources,hitStatsDetails,enrichmentResults,hitStats",
      "type": "ip",
      "value": {},
      "description": null,
      "activityDates": [],
      "reportedDates": [],
      "targets": [],
      "attackPatterns": [],
      "actors": [],
      "malwares": [],
      "status": "aw",
      "hashes": null,
      "filenames": null,
      "filesize": null,
      "path": null
    }
  }
]
```

### Search Malwares

Search for malware across the Analyst1 platform to identify potential threats and compile relevant data.

Endpoint URL: /api/1_0/malware

Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| actor | string | Optional | Actor filter |
| category | string | Optional | Category filter |
| stage | string | Optional | Stage filter |
| text | string | Optional | Free-text search |
| page | number | Optional | Requested results page |
| pageSize | number | Optional | Results per page |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| results.id | number | Unique identifier |
| results.title | object | Title (`name`, `classification`) |
| pageSize | number | Results per page |
| page | number | Current page |
| totalResults | number | Total number of results |
| totalPages | number | Total number of pages |
| links | boolean | Links flag |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "results": [],
      "pageSize": 1,
      "page": 1,
      "totalResults": 10,
      "totalPages": 10,
      "links": true
    }
  }
]
```

### Submit Evidence

Submits an evidence file for asynchronous processing in Analyst1. The request takes a form body.

Endpoint URL: /api/1_0/evidence

Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| form_body | object | Required | Request body data |
| form_body.evidenceFile | object | Required | The evidence file |
| form_body.evidenceFile.file | string | Required | File contents |
| form_body.evidenceFile.file_name | string | Required | File name |
| form_body.evidenceFileClassification | string | Required | The evidence file's classification; only used if a classification cannot be determined during extraction |
| form_body.tlp | string | Required | The evidence file's Traffic Light Protocol (TLP) designation; only used if a TLP cannot be determined during extraction. Allowed values: clear, green, amber, amber+strict, red |
| form_body.tlpJustification | string | Optional | Justification for the assigned TLP; required when the TLP color changes |
| form_body.tlpCaveats | string | Optional | TLP caveats |
| form_body.tlpReevaluateDate | string | Optional | Date on which the TLP should be re-evaluated |
| form_body.sourceId | number | Optional | Source identifier |
| form_body.sourceTitle | string | Optional | Source title |
| form_body.sourceUrl | string | Optional | Source URL |
| form_body.disableIndicatorAutoEnrichment | boolean | Optional | Disable automatic enrichment of extracted indicators |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier of the submitted evidence |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "uuid": "12345678-1234-1234-1234-123456789abc"
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, private, max-age=0, must-revalidate |
| Connection | HTTP response header Connection | close |
| Content-Type | The media type of the resource | application/json;charset=UTF-8 |
| Date | The date and time at which the message was originated | Wed, 04 Oct 2023 08:18:07 GMT |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000 |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |

## Notes

For more information on Analyst1, see the Analyst1 main site: https://analyst1.com
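The following is an added example, not Swimlane's or Analyst1's connector code, showing how the HTTP Basic Authentication asset, the Get Batch Check action and the Get Indicators for Sensor action above translate into raw API calls: the Basic credential is built from the email and password, the documented filter values and the 1 to 100 pageSize bound are enforced before anything leaves the host, and every page of a sensor's indicators is walked using `totalPages`. The endpoint paths are taken from this page as rendered (`/api/1_0/...`); the sample JSON and the `fake_transport` function are constructed so the code runs offline, and the `verify_ssl=False` branch is included only to show what the asset's optional flag costs.

```python
"""Minimal client for the Basic-auth asset and two actions documented above.

Added example, not Swimlane's or Analyst1's connector code. Assumes the endpoint
paths as rendered on this page (/api/1_0/...), the documented query parameters, and
the Basic-auth asset (URL, email, password). The HTTP transport is injectable so the
code runs offline against the constructed JSON below; without one it uses urllib.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Allowed filter values copied from the "Get Indicators for Sensor" action.
SENSOR_INDICATOR_STATUSES = {"u", "aab", "aw", "aal", "ar", "rc"}
INDICATOR_TYPES = {"domain", "ip", "file", "email", "string", "ipv6", "mutex", "httprequest", "url"}


def auth_header(username, password):
    """RFC 7617 Basic credential: base64 of 'user:password', so only ever send it over TLS."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def build_query(params):
    """Drop unset parameters and render booleans as 'true'/'false' for the query string."""
    clean = {k: (str(v).lower() if isinstance(v, bool) else v) for k, v in params.items() if v is not None}
    return urllib.parse.urlencode(clean)


class Analyst1Client:
    def __init__(self, url, username, password, verify_ssl=True, transport=None):
        self.base = url.rstrip("/")
        self.headers = {"Authorization": auth_header(username, password), "Accept": "application/json"}
        self.verify_ssl = verify_ssl
        self.transport = transport or self._urllib_get  # transport(url, headers) -> (status, json)

    def _urllib_get(self, url, headers):
        ctx = None
        if not self.verify_ssl:
            # Mirrors the asset's verify_ssl=false: an on-path attacker can then read the
            # Basic credential, so use it only against a lab instance with a self-signed cert.
            ctx = ssl._create_unverified_context()
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))

    def get(self, path, params=None):
        query = build_query(params or {})
        return self.transport(f"{self.base}{path}" + (f"?{query}" if query else ""), self.headers)

    def batch_check(self, values):
        """Get Batch Check: GET /api/1_0/batchCheck?values=a,b,c; return a flat list of hits."""
        status, body = self.get("/api/1_0/batchCheck", {"values": ",".join(values)})
        if status != 200:
            raise RuntimeError(f"batchCheck failed: HTTP {status}")
        return [{
            "searched": r["searchedValue"],
            "matched": r["matchedValue"],
            "entity": r["entity"]["key"],
            "benign": bool(r.get("benign")),
            "actors": [a["title"] for a in r.get("actor", [])],
            "malware": [m["title"] for m in r.get("malware", [])],
        } for r in body.get("results", [])]

    def sensor_indicators(self, sensor_id, status=None, ind_type=None, page_size=100):
        """Get Indicators for Sensor: validate filters client-side, then walk every page."""
        if status is not None and status not in SENSOR_INDICATOR_STATUSES:
            raise ValueError(f"status must be one of {sorted(SENSOR_INDICATOR_STATUSES)}")
        if ind_type is not None and ind_type not in INDICATOR_TYPES:
            raise ValueError(f"type must be one of {sorted(INDICATOR_TYPES)}")
        if not 1 <= page_size <= 100:
            raise ValueError("pageSize must be between 1 and 100 inclusive")
        path = f"/api/1_0/sensors/{int(sensor_id)}/indicators"  # int() keeps '../' out of the path
        page = 1
        while True:
            _, body = self.get(path, {"status": status, "type": ind_type, "page": page, "pageSize": page_size})
            yield from body.get("results", [])
            if page >= body.get("totalPages", 1):
                return
            page += 1


# Constructed sample responses shaped like the output schemas above (not real Analyst1 data).
SAMPLE_RESPONSES = {
    "/api/1_0/batchCheck": {"results": [{
        "searchedValue": "evil.example", "matchedValue": "evil.example", "id": 11,
        "entity": {"key": "indicator", "title": "Indicator"}, "type": {"key": "domain", "title": "Domain"},
        "benign": False, "actor": [{"id": 5, "title": "Sample Actor", "akas": []}], "malware": [], "system": []}]},
    "/api/1_0/sensors/7/indicators": {
        "1": {"results": [{"id": 1, "type": "ip", "value": {"name": "192.0.2.10"}}], "totalPages": 2},
        "2": {"results": [{"id": 2, "type": "domain", "value": {"name": "evil.example"}}], "totalPages": 2},
    },
}


def fake_transport(url, headers):
    """Offline stand-in for HTTP: checks the auth header is present and serves SAMPLE_RESPONSES."""
    assert headers["Authorization"].startswith("Basic ")
    parsed = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parsed.query))
    entry = SAMPLE_RESPONSES[parsed.path]
    return 200, (entry[params["page"]] if "page" in params else entry)


def demo():
    client = Analyst1Client("https://analyst1.example", "user@example.com", "secret", transport=fake_transport)
    hits = client.batch_check(["evil.example", "203.0.113.9"])  # only evil.example is in the sample
    sensor_iocs = list(client.sensor_indicators(7, status="aw", page_size=1))  # two pages of one result
    return hits, sensor_iocs


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Validating the filter values locally matters in an automation platform: a playbook that passes a bad `status` or a `pageSize` of 500 would otherwise fail only at run time with an API error, and the pagination loop stops on `totalPages` rather than on an empty page so a transient empty result does not end the walk early.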
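The Submit Evidence action above is the one POST in this connector and the only one that takes a form body. The following is an added example, not Swimlane's or Analyst1's code, that builds the `multipart/form-data` request at the HTTP level using the documented field names (`evidenceFile`, `evidenceFileClassification`, `tlp`, `tlpJustification`, `sourceTitle`, `sourceUrl`, `disableIndicatorAutoEnrichment`), enforces the documented TLP values and the rule that a justification is required when the TLP color changes, decodes the body back to prove the encoding is right, and validates the `uuid` in the response. The `previous_tlp` argument is a caller-side value used only for that justification check and is not an API field; the sample report bytes are constructed.

```python
"""Submit Evidence: build, self-check and (optionally) send the multipart form.

Added example, not Swimlane's or Analyst1's connector code. Assumes the field names
listed under "Submit Evidence" above and the documented TLP values; the encoding is
the standard RFC 7578 multipart/form-data layout, built by hand so it runs offline.
"""
import base64
import json
import re
import secrets
import urllib.request

TLP_VALUES = ("clear", "green", "amber", "amber+strict", "red")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def build_evidence_form(file_name, file_bytes, classification, tlp, tlp_justification=None,
                        previous_tlp=None, source_title=None, source_url=None,
                        disable_auto_enrichment=None, boundary=None):
    """Return (content_type, body_bytes) for POST /api/1_0/evidence, or raise ValueError."""
    if tlp not in TLP_VALUES:
        raise ValueError(f"tlp must be one of {TLP_VALUES}")
    if not classification:
        raise ValueError("evidenceFileClassification is required")
    # The page says tlpJustification is required when the TLP color changes;
    # previous_tlp is supplied by the caller (assumption), it is not an API field.
    if previous_tlp is not None and previous_tlp != tlp and not tlp_justification:
        raise ValueError("tlpJustification is required when the TLP color changes")
    if any(c in file_name for c in '"\r\n'):
        raise ValueError("file name must not contain quotes or line breaks")  # header injection guard
    fields = {
        "evidenceFileClassification": classification,
        "tlp": tlp,
        "tlpJustification": tlp_justification,
        "sourceTitle": source_title,
        "sourceUrl": source_url,
        "disableIndicatorAutoEnrichment": (None if disable_auto_enrichment is None
                                           else str(disable_auto_enrichment).lower()),
    }
    # A random boundary keeps a hostile file body from terminating the form early.
    boundary = boundary or "----analyst1-" + secrets.token_hex(16)
    parts = []
    for name, value in fields.items():
        if value is None:
            continue  # optional fields are simply omitted
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    parts.append(
        (f'--{boundary}\r\nContent-Disposition: form-data; name="evidenceFile"; filename="{file_name}"\r\n'
         "Content-Type: application/octet-stream\r\n\r\n").encode() + file_bytes + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def parse_form(content_type, body):
    """Decode a multipart body back into {name: (filename, bytes)} to verify the encoding."""
    boundary = content_type.split("boundary=", 1)[1].encode()
    decoded = {}
    for chunk in body.split(b"--" + boundary)[1:]:  # piece 0 is the empty preamble
        if chunk.startswith(b"--"):
            break  # closing delimiter
        chunk = chunk[2:-2]  # the CRLFs on either side belong to the delimiters, not the part
        headers, _, payload = chunk.partition(b"\r\n\r\n")
        disposition = headers.decode()
        name = re.search(r'; name="([^"]*)"', disposition).group(1)
        filename = re.search(r'filename="([^"]*)"', disposition)
        decoded[name] = (filename.group(1) if filename else None, payload)
    return decoded


def parse_submit_response(status_code, body_text):
    """Extract the evidence UUID from a Submit Evidence response; refuse anything unexpected."""
    if status_code != 200:
        raise RuntimeError(f"evidence submission failed: HTTP {status_code}")
    uuid = json.loads(body_text).get("uuid", "")
    if not isinstance(uuid, str) or not UUID_RE.match(uuid):
        raise RuntimeError(f"unexpected uuid in response: {uuid!r}")
    return uuid


def submit_evidence(base_url, username, password, content_type, body, timeout=60):
    """POST the form with HTTP Basic auth over TLS (certificate verification left on)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/1_0/evidence", data=body, method="POST",
        headers={"Authorization": "Basic " + token, "Content-Type": content_type,
                 "Content-Length": str(len(body))})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_submit_response(resp.status, resp.read().decode("utf-8"))


def demo():
    # Constructed sample evidence; a fixed boundary makes the output reproducible.
    ctype, body = build_evidence_form(
        "report.txt", b"Observed 203.0.113.9 beaconing\n", "unclassified", "amber",
        tlp_justification="vendor report reclassified", previous_tlp="green",
        boundary="demo-boundary", disable_auto_enrichment=False)
    return ctype, body, parse_form(ctype, body)


if __name__ == "__main__":
    content_type, raw, fields = demo()
    print(content_type)
    print({k: v for k, v in fields.items()})
```

Checking the round trip with `parse_form` is cheap insurance: hand-built multipart bodies most often break on the CRLF that sits between the file bytes and the closing delimiter, which silently truncates or pads the uploaded evidence.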