Analyst1
The Analyst1 connector facilitates the integration of Analyst1's advanced threat analysis and intelligence capabilities with other security systems. Analyst1 is a robust threat intelligence platform that provides detailed insights into cyber threats and adversaries. The Analyst1 connector for Swimlane Turbine enables users to perform batch checks, retrieve sensor configurations, and access detailed information on indicators, malware, and rules. By integrating with Analyst1, Swimlane Turbine users can enhance their security automation workflows with rich threat intelligence, streamline sensor and rule management, and conduct thorough malware analysis, all within a low-code environment.

## Prerequisites

To utilize the Analyst1 connector with Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic authentication with the following parameters:
  - URL: endpoint for Analyst1 API access
  - Email address: user's email for login credentials
  - Password: corresponding password for the provided email address

## Asset Setup

The asset for this connector requires the following inputs:

- Username
- Password

## Capabilities

This connector provides the following capabilities:

- Get Batch Check
- Get Config File for Sensor
- Get Indicators
- Get Indicator by ID
- Get Indicators for Sensor
- Get Malware by ID
- Get Rules by Sensor ID
- Get Sensors by ID
- Get Taskings by Sensor ID
- Indicator Query
- Search Malware
- Submit Evidence

## Notes

More information on Analyst1 is found at https://analyst1.com.

API documentation: https://partner.cloud.analyst1.com/guide/viewer?category=api&guide=2.7.0%20REST%20API

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Email address | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Batch Check

Performs a match operation on a collection of values across various entities in Analyst1, requiring specific parameters.

Endpoint URL: `/api/1.0/batchCheck`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.values | array | required | The values to search for, separated by commas |

Input example:

```json
{"parameters": {"values": ["string"]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| results.searchedValue | string | Value for the parameter |
| results.matchedValue | string | Value for the parameter |
| results.id | number | Unique identifier |
| results.entity | object | Result of the operation |
| results.entity.key | string | Result of the operation |
| results.entity.title | string | Result of the operation |
| results.type | object | Type of the resource |
| results.type.key | string | Type of the resource |
| results.type.title | string | Type of the resource |
| results.benign | boolean | Result of the operation |
| results.actor | array | Result of the operation |
| results.actor.id | number | Unique identifier |
| results.actor.title | string | Result of the operation |
| results.actor.akas | array | Result of the operation |
| results.malware | array | Result of the operation |
| results.malware.id | number | Unique identifier |
| results.malware.title | string | Result of the operation |
| results.malware.akas | array | Result of the operation |
| results.system | array | Result of the operation |
| results.system.id | number | Unique identifier |
| results.system.title | string | Result of the operation |
| results.system.akas | array | Result of the operation |

Output example:

```json
{"results": [{"searchedValue": "string","matchedValue": "string","id": 123,"entity": {},"type": {},"benign": true,"actor": [],"malware": [],"system": []}]}
```

### Get Config File for Sensor

Retrieve the current configuration file for a specified sensor using its unique identifier.

Endpoint URL: `/api/1.0/sensors/{{id}}/taskings/config`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | Parameters for the Get Config File for Sensor action |

Input example:

```json
{"path_parameters": {"id": 7671}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| file | object | Output field file |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |
| file.content_type | string | Type of the resource |

Output example:

```json
{"file": {"file": "string","file_name": "example name","content_type": "text/plain"}}
```

### Get Indicator by ID

Retrieve detailed information for a specific indicator in Analyst1 using the unique identifier.

Endpoint URL: `/api/1.0/indicator/{{id}}`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | Requested resource ID |

Input example:

```json
{"path_parameters": {"id": 983}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| expand | string | Output field expand |
| type | string | Type of the resource |
| value | object | Value for the parameter |
| value.name | string | Name of the resource |
| value.classification | string | Value for the parameter |
| description | object | Output field description |
| description.name | string | Name of the resource |
| description.classification | string | Output field description.classification |
| activityDates | array | Output field activityDates |
| activityDates.date | string | Date value |
| activityDates.classification | string | Output field activityDates.classification |
| reportedDates | array | Output field reportedDates |
| reportedDates.date | string | Date value |
| reportedDates.classification | string | Output field reportedDates.classification |
| targets | array | Output field targets |
| targets.name | string | Name of the resource |
| targets.id | number | Unique identifier |
| targets.classification | string | Output field targets.classification |
| attackPatterns | array | Output field attackPatterns |
| attackPatterns.name | string | Name of the resource |
| attackPatterns.id | number | Unique identifier |
| attackPatterns.classification | string | Output field attackPatterns.classification |
| actors | array | Output field actors |

Output example (truncated in the source):

```json
{"expand": "string","type": "string","value": {"name": "example name","classification": "string"},"description": {"name": "example name","classification": "string"},"activityDates": [{"date": "2024-01-01T00:00:00Z","classification": "string"}],"reportedDates": [{"date": "2024-01-01T00:00:00Z","classification": "string"}],"targets": [{"name": "example name","id": 123,"classification": "string"}],"attackPatterns": [{"name": "example name","id": 123,"classification": "string"}],"actors": [{"name": "example name","id": 123,
```

### Get Indicators

Browse indicator resources to retrieve and list various indicators from Analyst1 for further analysis.

Endpoint URL: `/api/1.0/indicator`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.page | number | optional | Parameters for the Get Indicators action |
| parameters.pageSize | number | optional | Parameters for the Get Indicators action |
| parameters.descSort | boolean | optional | Parameters for the Get Indicators action |
| parameters.sortBy | string | optional | Parameters for the Get Indicators action |
| parameters.type | string | optional | Parameters for the Get Indicators action |
| parameters.benign | boolean | optional | Parameters for the Get Indicators action |
| parameters.tasked | boolean | optional | Parameters for the Get Indicators action |
| parameters.status | string | optional | Parameters for the Get Indicators action |
| parameters.tlp | string | optional | Parameters for the Get Indicators action |
| parameters.verified | boolean | optional | Parameters for the Get Indicators action |
| parameters.searchTerm | string | optional | Parameters for the Get Indicators action |
| parameters.indicatorValueOnlySearch | boolean | optional | Parameters for the Get Indicators action |
| parameters.sources | array | optional | Parameters for the Get Indicators action |
| parameters.expand | string | optional | Parameters for the Get Indicators action |

Input example:

```json
{"parameters": {"page": 1,"pageSize": 10,"descSort": true,"sortBy": "id","type": "domain","benign": true,"tasked": true,"status": "aab","tlp": "undetermined","verified": true,"searchTerm": "description","indicatorValueOnlySearch": true,"sources": [301,302],"expand": "sources"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| results.expand | string | Result of the operation |
| results.links | boolean | Result of the operation |
| results.id | number | Unique identifier |
| results.type | string | Type of the resource |
| results.value | object | Value for the parameter |
| results.value.name | string | Name of the resource |
| results.value.classification | string | Value for the parameter |
| results.status | string | Status value |
| results.tlp | string | Result of the operation |
| pageSize | number | Output field pageSize |
| page | number | Output field page |
| totalResults | number | Result of the operation |
| totalPages | number | Output field totalPages |
| links | boolean | Output field links |

Output example:

```json
{"status_code": 200,"response_headers": {},"reason": "OK","json_body": {"results": [{}],"pageSize": 1,"page": 1,"totalResults": 10,"totalPages": 10,"links": true}}
```

### Get Indicators for Sensor

Retrieve indicators associated with a specific sensor in Analyst1 using the sensor's unique identifier.

Endpoint URL: `/api/1.0/sensors/{{id}}/indicators`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | Sensor ID |
| status | string | optional | Indicator status filter. Allowed values are 'u' for Unable to Act, 'aab' for Awaiting Ability, 'aw' for Awaiting Intention, 'aal' for Awaiting Allowed, 'ar' for Awaiting Rule, and 'rc' for Rule Created |
| type | string | optional | Filter results based on indicator type. Allowed values are 'domain', 'ip', 'file', 'email', 'string', 'ipv6', 'mutex', 'httpRequest', and 'url' |
| value | string | optional | Indicator value filter |
| actor | number | optional | Actor query. No indicator actor filter |
| verified | boolean | optional | Indicator verified status filter. If absent, indicators with both verified and unverified status are included |
| page | number | optional | The requested results page, 1-indexed. If absent, the first page is always returned |
| pageSize | number | optional | The requested results per page. When present, must be between 1 and 100 inclusive |
| descSort | boolean | optional | The sort direction: true for a descending sort, false for an ascending sort |
| sortBy | string | optional | The value to sort results on. Allowed values are 'id', 'type', 'value', 'reportCount', 'benign', 'tasked' |
| expand | string | optional | Determines which child resources to return details for. Valid options are 'hitStats', 'sources', and 'enrichmentResults'. Selected options will be returned in the 'expand' response value |

Input example:

```json
{"json_body": {"status": "u","type": "domain","value": "value","actor": 1,"verified": true,"page": 1,"pageSize": 10,"descSort": false,"sortBy": "id","expand": "sources"},"path_parameters": {"id": 7671}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| results.expand | string | Result of the operation |
| results.type | string | Type of the resource |
| results.value | object | Value for the parameter |
| results.value.name | string | Name of the resource |
| results.value.classification | string | Value for the parameter |
| results.description | object | Result of the operation |
| results.description.name | string | Name of the resource |
| results.description.classification | string | Result of the operation |
| results.activityDates | array | Result of the operation |
| results.activityDates.date | string | Result of the operation |
| results.activityDates.classification | string | Result of the operation |
| results.reportedDates | array | Result of the operation |
| results.reportedDates.date | string | Result of the operation |
| results.reportedDates.classification | string | Result of the operation |
| results.targets | array | Result of the operation |
| results.targets.name | string | Name of the resource |
| results.targets.id | number | Unique identifier |
| results.targets.classification | string | Result of the operation |
| results.attackPatterns | array | Result of the operation |
| results.attackPatterns.name | string | Name of the resource |
| results.attackPatterns.id | number | Unique identifier |
| results.attackPatterns.classification | string | Result of the operation |

Output example:

```json
{"results": [{"expand": "string","type": "string","value": {},"description": {},"activityDates": [],"reportedDates": [],"targets": [],"attackPatterns": [],"actors": [],"malwares": [],"status": "active","hashes": [],"filenames": [],"fileSize": {},"path": {}}],"pageSize": 123,"page": 123,"totalResults": 123,"totalPages": 123,"links": {"next": {"href": "string"},"first": {"href": "string"},"last": {"href": "string"},"self": {"href": "string"}}}
```

### Get Malware by ID

Retrieve detailed information for a specific malware entry using its unique identifier in the Analyst1 platform.

Endpoint URL: `/api/1.0/malware/{{id}}`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | Parameters for the Get Malware by ID action |

Input example:

```json
{"path_parameters": {"id": 301}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| links | boolean | Output field links |
| id | number | Unique identifier |
| title | object | Output field title |
| title.name | string | Name of the resource |
| title.classification | string | Output field title.classification |

Output example:

```json
{"status_code": 200,"response_headers": {},"reason": "OK","json_body": {"links": true,"id": 301,"title": {"name": "SpyNote","classification": "secretfvey"}}}
```

### Get Rules by Sensor ID

Retrieve the set of rules associated with a specific sensor in Analyst1 using the sensor's unique identifier.

Endpoint URL: `/api/1.0/sensors/{{id}}/rules`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | Sensor ID |
| type | string | optional | Rule type (i.e., sensor manufacturer). May be one of 'unknown', 'snort', 'mcafee hips', 'palo alto', 'juniper', 'yara', 'suricata', 'symantec proxysg', 'cisco asa', 'tipping point ips', 'tanium blocklist', 'other auto' |
| exploitStage | number | optional | Rule exploit stage. Look up valid IDs in the `/api/1.0/exploitStage` endpoint |
| source | string | optional | Rule source. May be one of 'internal', 'auto indicator', 'proofpoint snort', 'proofpoint suricata' |
| tlp | string | optional | Rule Traffic Light Protocol color. May be one of 'undetermined', 'clear', 'green', 'amber', 'amber+strict', and 'red' |
| page | number | optional | The requested results page, 1-indexed. If absent, the first page is always returned |
| pageSize | number | optional | The requested results per page. When present, must be between 1 and 100 inclusive |
| descSort | boolean | optional | The sort direction: true for a descending sort, false for an ascending sort |
| sortBy | string | optional | The value to sort results on. Allowed values are 'id', 'type' (sensor manufacturer), 'source', 'context', 'exploitStage', 'tasked', 'taskedCount', 'tlp', 'sid', 'otherSid' |

Input example:

```json
{"json_body": {"type": "unknown","exploitStage": 1,"source": "internal","tlp": "undetermined","page": 1,"pageSize": 10,"descSort": false,"sortBy": "id"},"path_parameters": {"id": 7671}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| results.id | number | Unique identifier |
| results.name | string | Name of the resource |
| results.tlp | string | Result of the operation |
| results.source | string | Result of the operation |
| results.tlpJustification | string | Result of the operation |
| results.tlpCaveats | string | Result of the operation |
| results.tlpReevaluateDate | string | Result of the operation |
| results.ruleStatus | string | Status value |
| results.ruleDefinition | string | Result of the operation |
| results.ruleType | string | Type of the resource |
| results.tasked | boolean | Result of the operation |
| results.context | string | Result of the operation |
| results.exploitStage | object | Result of the operation |
| results.exploitStage.id | number | Unique identifier |
| results.exploitStage.name | string | Name of the resource |
| results.exploitStage.classification | string | Result of the operation |
| results.sid | string | Unique identifier |
| results.otherSid | string | Unique identifier |
| results.taskedCount | number | Result of the operation |
| results.actors | object | Result of the operation |
| results.actors.idNamePairs | array | Unique identifier |
| results.actors.idNamePairs.id | number | Unique identifier |

Output example (truncated in the source):

```json
{"status_code": 200,"response_headers": {"Date": "Wed, 04 Oct 2023 15:49:27 GMT","Content-Type": "application/json;charset=UTF-8","Transfer-Encoding": "chunked","Connection": "close","Cache-Control": "no-cache, no-store, private, max-age=0, must-revalidate","Strict-Transport-Security": "max-age=31536000","X-Frame-Options": "SAMEORIGIN","X-Content-Type-Options": "nosniff"},"reason": "","json_body": {"results": [{}],"pageSize": 10,"page": 1,"totalResults": 4,"totalPages": 1,"links": {"first": {},"last": {},"self": {}}
```

### Get Sensors by ID

Retrieve detailed information for a specific sensor by its ID in Analyst1.

Endpoint URL: `/api/1.0/sensors/{{id}}`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | Sensor ID |

Input example:

```json
{"path_parameters": {"id": 7672}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| name | string | Name of the resource |
| logicalLocation | string | Output field logicalLocation |
| org | object | Output field org |
| org.id | number | Unique identifier |
| org.name | string | Name of the resource |
| type | string | Type of the resource |
| currentVersionNumber | number | Output field currentVersionNumber |
| latestConfigVersionNumber | number | Output field latestConfigVersionNumber |
| comments | array | Output field comments |
| firmwareVersion | string | Output field firmwareVersion |
| installDate | string | Date value |
| modelNumber | string | Output field modelNumber |
| networkSpeed | string | Output field networkSpeed |
| numIndicators | number | Output field numIndicators |
| numSignatures | number | Output field numSignatures |
| physicalAddress | string | Output field physicalAddress |
| purchaseDate | string | Date value |
| serialNumber | number | Output field serialNumber |

Output example:

```json
{"id": 123,"name": "example name","logicalLocation": "string","org": {"id": 123,"name": "example name"},"type": "string","currentVersionNumber": 123,"latestConfigVersionNumber": 123,"comments": ["string"],"firmwareVersion": "string","installDate": "string","modelNumber": "string","networkSpeed": "string","numIndicators": 123,"numSignatures": 123,"physicalAddress": "string"}
```

### Get Taskings by Sensor ID

Retrieve differences in taskings between the latest and a past version for a given sensor ID and version in Analyst1.

Endpoint URL: `/api/1.0/sensors/{{id}}/taskings/diff/{{version}}`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | The sensor's ID |
| path_parameters.version | number | required | One-based past version of a sensor |

Input example:

```json
{"path_parameters": {"id": 7669,"version": 1}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| version | number | Output field version |
| latestVersion | number | Output field latestVersion |
| indicatorsAdded | array | Output field indicatorsAdded |
| indicatorsRemoved | array | Output field indicatorsRemoved |
| rulesAdded | array | Output field rulesAdded |
| rulesRemoved | array | Output field rulesRemoved |
| links | object | Output field links |
| links.self | object | Output field links.self |
| links.self.href | string | Output field links.self.href |

Output example:

```json
{"id": 123,"version": 123,"latestVersion": 123,"indicatorsAdded": ["string"],"indicatorsRemoved": ["string"],"rulesAdded": ["string"],"rulesRemoved": ["string"],"links": {"self": {"href": "string"}}}
```

### Indicator Query

Performs an exact match query for indicators in Analyst1 based on type and value parameters.

Endpoint URL: `/api/1.0/indicator/match`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.type | string | required | The indicator type |
| parameters.value | string | required | The indicator value |

Input example:

```json
{"parameters": {"type": "ip","value": "45.89.53.46"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| expand | string | Output field expand |
| type | string | Type of the resource |
| value | object | Value for the parameter |
| value.name | string | Name of the resource |
| value.classification | string | Value for the parameter |
| description | object | Output field description |
| activityDates | array | Output field activityDates |
| reportedDates | array | Output field reportedDates |
| reportedDates.date | string | Date value |
| reportedDates.classification | string | Output field reportedDates.classification |
| targets | array | Output field targets |
| attackPatterns | array | Output field attackPatterns |
| actors | array | Output field actors |
| malwares | array | Output field malwares |
| status | string | Status value |
| hashes | array | Output field hashes |
| filenames | array | Name of the resource |
| fileSize | object | Output field fileSize |
| path | object | Output field path |
| ports | array | Output field ports |
| ipRegistration | object | Output field ipRegistration |
| domainRegistration | object | Output field domainRegistration |
| ipResolution | object | Output field ipResolution |

Output example (truncated in the source):

```json
{"status_code": 200,"response_headers": {"Date": "Thu, 27 Jun 2024 18:01:03 GMT","Content-Type": "application/json;charset=UTF-8","Transfer-Encoding": "chunked","Connection": "keep-alive","Cache-Control": "no-cache, no-store, private, max-age=0, must-revalidate","Strict-Transport-Security": "max-age=31536000","X-Frame-Options": "SAMEORIGIN","X-Content-Type-Options": "nosniff"},"reason": "","json_body": {"expand": "sources,hitStatsDetails,enrichmentResults,hitStats","type": "ip","value": {"name": "45.89.53.46",
```

### Search Malwares

Initiate a search for malware across the Analyst1 platform to identify potential threats and compile relevant data.

Endpoint URL: `/api/1.0/malware`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.actor | string | optional | Parameters for the Search Malwares action |
| parameters.category | string | optional | Parameters for the Search Malwares action |
| parameters.stage | string | optional | Parameters for the Search Malwares action |
| parameters.text | string | optional | Parameters for the Search Malwares action |
| parameters.page | number | optional | Parameters for the Search Malwares action |
| parameters.pageSize | number | optional | Parameters for the Search Malwares action |

Input example:

```json
{"parameters": {"actor": "Comment Panda","category": "backdoor","stage": "title","text": "category","page": 1,"pageSize": 10}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| results.id | number | Unique identifier |
| results.title | object | Result of the operation |
| results.title.name | string | Name of the resource |
| results.title.classification | string | Result of the operation |
| pageSize | number | Output field pageSize |
| page | number | Output field page |
| totalResults | number | Result of the operation |
| totalPages | number | Output field totalPages |
| links | boolean | Output field links |

Output example:

```json
{"status_code": 200,"response_headers": {},"reason": "OK","json_body": {"results": [{}],"pageSize": 1,"page": 1,"totalResults": 10,"totalPages": 10,"links": true}}
```

### Submit Evidence

Submits an evidence file for asynchronous processing in Analyst1, requiring a form body input.

Endpoint URL: `/api/1.0/evidence`
Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| form_body | object | required | Request body data |
| form_body.evidenceFile | object | required | The evidence file |
| form_body.evidenceFile.file | string | required | Request body data |
| form_body.evidenceFile.file_name | string | required | Request body data |
| form_body.evidenceFileClassification | string | required | The evidence file's classification. Only used if a classification cannot be determined during extraction |
| form_body.tlp | string | required | The evidence file's Traffic Light Protocol (TLP) designation. Only used if a TLP cannot be determined during extraction. Allowed values: clear, green, amber, amber+strict, and red |
| form_body.tlpJustification | string | optional | The evidence file's justification for the TLP assigned; required when the TLP color changes |
| form_body.tlpCaveats | string | optional | Request body data |
| form_body.tlpReevaluateDate | string | optional | Request body data |
| form_body.sourceId | number | optional | Request body data |
| form_body.sourceTitle | string | optional | Request body data |
| form_body.sourceUrl | string | optional | Request body data |
| form_body.disableIndicatorAutoEnrichment | boolean | optional | Request body data |

Input example:

```json
{"form_body": {"evidenceFile": {"file": "string","file_name": "example name"},"evidenceFileClassification": "string","tlp": "string","tlpJustification": "string","tlpCaveats": "string","tlpReevaluateDate": "string","sourceId": 123,"sourceTitle": "string","sourceUrl": "string","disableIndicatorAutoEnrichment": true}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier |

Output example:

```json
{"uuid": "12345678-1234-1234-1234-123456789abc"}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, private, max-age=0, must-revalidate |
| Connection | HTTP response header Connection | close |
| Content-Type | The media type of the resource | application/json;charset=UTF-8 |
| Date | The date and time at which the message was originated | Wed, 04 Oct 2023 11:49:49 GMT |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000 |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
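The following is an added worked example, not code from Analyst1 or from the Swimlane connector, showing how the Get Batch Check and Get Indicators for Sensor actions described above are driven from a small client: HTTP Basic authentication with the e-mail address as username, one comma-separated batch check request whose results are turned into a per-value verdict (a value with no hit stays "unknown", which is different from "benign"), and a pager for the sensor indicators endpoint that enforces the documented constraints (page is 1-indexed, pageSize must be between 1 and 100 inclusive) and stops at totalPages. The class and method names, the `FakeTransport` helper and the sample responses are assumptions constructed for this example; the paths, query parameters and response field names are those of the action reference.

```python
# Added example, not code from the Analyst1 platform or the Swimlane connector:
# a small client for the Get Batch Check and Get Indicators for Sensor actions.
# Assumed (not in the reference): the class and method names, FakeTransport and
# the constructed sample responses. Paths, query parameters and field names
# follow the action reference above.
import base64
import json
import urllib.parse
import urllib.request


def urllib_transport(url, headers):
    """Default transport: GET via the standard library, JSON body decoded."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def basic_auth_header(email, password):
    """HTTP Basic credential; the asset uses the e-mail address as the username."""
    token = base64.b64encode(f"{email}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


class Analyst1Client:
    def __init__(self, base_url, email, password, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": basic_auth_header(email, password), "Accept": "application/json"}
        self._transport = transport  # (url, headers) -> parsed JSON body; injectable for offline use

    def _get(self, path, params=None):
        url = self.base_url + path
        if params:  # JSON-style booleans in the query string, not Python's True/False
            encoded = {k: (str(v).lower() if isinstance(v, bool) else v) for k, v in params.items()}
            url += "?" + urllib.parse.urlencode(encoded)
        return self._transport(url, self.headers)

    def batch_check(self, values):
        """Get Batch Check: one GET for many values, returning a verdict per searched value.
        Values with no hit keep matched=False, so 'unknown to Analyst1' is distinct from 'benign'."""
        body = self._get("/api/1.0/batchCheck", {"values": ",".join(values)})
        verdicts = {v: {"matched": False, "benign": None, "actors": [], "malware": []} for v in values}
        for hit in body.get("results", []):
            verdict = verdicts.setdefault(hit["searchedValue"], {"matched": False, "benign": None, "actors": [], "malware": []})
            verdict["matched"] = True
            verdict["benign"] = bool(hit.get("benign"))
            verdict["actors"] = [a["title"] for a in hit.get("actor", [])]
            verdict["malware"] = [m["title"] for m in hit.get("malware", [])]
        return verdicts

    def iter_sensor_indicators(self, sensor_id, page_size=100, **filters):
        """Get Indicators for Sensor, walking every page: page is 1-indexed and pageSize
        must be 1..100 inclusive, so bad sizes are rejected before the first request."""
        if not 1 <= page_size <= 100:
            raise ValueError("pageSize must be between 1 and 100 inclusive")
        page = 1
        while True:
            params = {"page": page, "pageSize": page_size, **filters}
            body = self._get(f"/api/1.0/sensors/{sensor_id}/indicators", params)
            yield from body.get("results", [])
            if page >= int(body.get("totalPages", 1)):
                return
            page += 1


class FakeTransport:
    """Offline stand-in for HTTP: canned responses keyed by (path, page); records each URL sent."""

    def __init__(self, responses):
        self.responses, self.calls = responses, []

    def __call__(self, url, headers):
        self.calls.append(url)
        parts = urllib.parse.urlsplit(url)
        query = dict(urllib.parse.parse_qsl(parts.query))
        return self.responses[(parts.path, query.get("page", "1"))]


# Constructed sample responses shaped like the output examples above (not real Analyst1 data).
SAMPLE_RESPONSES = {
    ("/api/1.0/batchCheck", "1"): {"results": [
        {"searchedValue": "198.51.100.7", "matchedValue": "198.51.100.7", "id": 123,
         "entity": {"key": "indicator", "title": "198.51.100.7"}, "type": {"key": "ip", "title": "IP"},
         "benign": False, "actor": [{"id": 1, "title": "Sample Actor", "akas": []}],
         "malware": [{"id": 301, "title": "Sample Malware", "akas": []}], "system": []},
        {"searchedValue": "good.example", "matchedValue": "good.example", "id": 124,
         "entity": {"key": "indicator", "title": "good.example"}, "type": {"key": "domain", "title": "Domain"},
         "benign": True, "actor": [], "malware": [], "system": []}]},
    ("/api/1.0/sensors/7671/indicators", "1"): {
        "results": [{"id": 1, "type": "domain", "value": {"name": "a.example"}},
                    {"id": 2, "type": "ip", "value": {"name": "203.0.113.9"}}],
        "page": 1, "pageSize": 2, "totalResults": 3, "totalPages": 2},
    ("/api/1.0/sensors/7671/indicators", "2"): {
        "results": [{"id": 3, "type": "domain", "value": {"name": "b.example"}}],
        "page": 2, "pageSize": 2, "totalResults": 3, "totalPages": 2},
}

if __name__ == "__main__":
    client = Analyst1Client("https://analyst1.example", "analyst@example.com", "secret",
                            transport=FakeTransport(SAMPLE_RESPONSES))
    print(client.batch_check(["198.51.100.7", "good.example", "unknown.example"]))
    print([i["id"] for i in client.iter_sensor_indicators(7671, page_size=2, status="u")])
```

Against a real tenant, drop the `transport` argument so `urllib_transport` is used and pass the asset's URL, e-mail and password; the injectable transport exists only so the request construction (comma-joined `values`, lowercase JSON booleans, `page`/`pageSize` walk) can be checked without network access.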