# CYFIRMA V2
The CYFIRMA V2 connector integrates CYFIRMA's cyber threat intelligence into Swimlane Turbine workflows. CYFIRMA V2 exposes real-time threat intelligence: tailored alerts (attack surface, data breach and web monitoring, impersonation and infringement, social and public exposure) and indicators of compromise (IOCs) in several STIX formats. With the connector, security teams can automate ingestion of this intelligence, drive threat analysis and prioritize by impact from within Swimlane.

## Prerequisites

To use the CYFIRMA V2 connector within the Swimlane Turbine platform you need API key authentication with the following parameters:

- **URL**: endpoint for the CYFIRMA V2 API services
- **Key**: unique identifier used to authenticate and authorize access to CYFIRMA V2 capabilities

## Capabilities

This connector provides the following actions:

- Get Attack Surface Alerts
- Get Data Breach and Web Monitoring
- Get Digital Risk Impersonation Infringement
- Get Social Public Exposure
- IOCs in CSV
- IOCs in JSON
- IOCs in XML
- List of IOCs
- Search for IOCs

## Asset Setup

The CYFIRMA asset requires a URL and an API key to interact with the API.

### Configurations

#### API Key Authentication

Authenticates using an API key.

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | Required |
| key | API key | string | Required |
| verify_ssl | Verify the SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

Two points worth noting before wiring the asset up. First, the input examples below show the key being sent as a `key` parameter, i.e. in the query string of every GET request, so any component that logs full request URLs (proxies, debug logging in playbooks) will capture the key; keep such logging off or redact the `key` parameter. Second, leave `verify_ssl` enabled: the alert and IOC feeds drive automated decisions downstream, and disabling certificate verification would let an on-path host substitute its own feed.

## Actions

The four alert actions share one set of input arguments, listed once under Get Attack Surface Alerts. The valid values of `type` differ per endpoint and are taken from the alert configuration on the CYFIRMA V2 onboarding page.

### Get Attack Surface Alerts

Retrieve tailored alerts based on the alert configuration specified on the CYFIRMA V2 onboarding page. The `type` parameter is required.

**Endpoint URL**: `/core/api-ua/v2/alerts/attack-surface`
**Method**: GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.type | string | Required | The set of valid values depends on the API being called. |
| parameters.page | number | Optional | Records returned by the API are paginated; selects the page. |
| parameters.size | number | Optional | Number of records per page. |
| parameters.impact | string | Optional | By default the API returns all data without filtering by impact. If a value is passed (single or comma-separated), the results are filtered accordingly. |
| parameters.after | string | Optional | Retrieve all data whose created date is greater than this value. |
| parameters.from_date_time | string | Optional | Together with `to_date_time`, retrieve data whose created date lies between the two values. |
| parameters.to_date_time | string | Optional | Together with `from_date_time`, retrieve data whose created date lies between the two values. |
| parameters.order_by_created_date | string | Optional | Order the response by the created date field. Records are in descending (`desc`) order by default. |

**Input example**

```json
{"parameters": {"type": "open-ports", "page": 1, "size": 10, "impact": "low", "after": "", "from_date_time": "", "to_date_time": "", "order_by_created_date": ""}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example** (truncated in the source; the response body schema is not documented on this page)

```json
{"status_code": 200, "response_headers": {"date": "Thu, 02 Nov 2023 10:47:40 GMT", "content-type": "application/json", "content-length": "3551", "connection": "keep-alive", "vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A…", "content-encoding": "gzip", "expires": "0", "cache-control": "no-cache, no-store, max-age=0, must-revalidate", "x-xss-protection": "1; mode=block, 1; mode=block", "pragma": "no-cache", "x-content-type-options": "nosniff, nosniff", "strict-transport-security…
```

### Get Data Breach and Web Monitoring

Retrieve CYFIRMA V2 alerts for data breaches and web monitoring based on the specified alert configuration.

**Endpoint URL**: `/core/api-ua/v2/alerts/data-breach-and-web-monitoring`
**Method**: GET

**Input arguments**: the same parameters as Get Attack Surface Alerts (`type` required; `page`, `size`, `impact`, `after`, `from_date_time`, `to_date_time`, `order_by_created_date` optional).

**Input example**

```json
{"parameters": {"type": "phishing", "page": 1, "size": 10, "impact": "low", "after": "", "from_date_time": "", "to_date_time": "", "order_by_created_date": ""}}
```

**Output**: `status_code` (number, HTTP status code of the response) and `reason` (string, response reason phrase).

**Output example** (truncated in the source)

```json
{"status_code": 200, "response_headers": {"date": "Thu, 02 Nov 2023 10:56:22 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A…", "expires": "0", "cache-control": "no-cache, no-store, max-age=0, must-revalidate", "x-xss-protection": "1; mode=block, 1; mode=block", "pragma": "no-cache", "x-content-type-options": "nosniff, nosniff", "strict-transport-security": "max-age=31536000…
```

### Get Digital Risk Impersonation Infringement

Retrieve alerts for impersonation and infringement digital risks from CYFIRMA V2, filtered by the alert `type` parameter.

**Endpoint URL**: `/core/api-ua/v2/alerts/impersonation-and-infringement`
**Method**: GET

**Input arguments**: the same parameters as Get Attack Surface Alerts.

**Input example**

```json
{"parameters": {"type": "social-handlers"}}
```

**Output**: `status_code` (number) and `reason` (string).

**Output example** (truncated in the source)

```json
{"status_code": 200, "response_headers": {"date": "Thu, 02 Nov 2023 10:42:40 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A…", "expires": "0", "cache-control": "no-cache, no-store, max-age=0, must-revalidate", "x-xss-protection": "1; mode=block, 1; mode=block", "pragma": "no-cache", "x-content-type-options": "nosniff, nosniff", "strict-transport-security": "max-age=31536000…
```

### Get Social Public Exposure

Retrieve public and social exposure alerts from CYFIRMA V2 based on the specified alert `type`.

**Endpoint URL**: `/core/api-ua/v2/alerts/social-and-public-exposure`
**Method**: GET

**Input arguments**: the same parameters as Get Attack Surface Alerts.

**Input example**

```json
{"parameters": {"type": "source-code"}}
```

**Output**: `status_code` (number) and `reason` (string).

**Output example** (truncated in the source)

```json
{"status_code": 200, "response_headers": {"date": "Thu, 02 Nov 2023 11:05:13 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A…", "content-encoding": "gzip", "expires": "0", "cache-control": "no-cache, no-store, max-age=0, must-revalidate", "x-xss-protection": "1; mode=block, 1; mode=block", "pragma": "no-cache", "x-content-type-options": "nosniff, nosniff", "strict-transport-se…
```

### IOC export actions

The four export actions below share the `delta` and `all` switches. Note the semantics of `delta=true`: it returns only IOCs added to the platform since the last API call, so the server keeps a per-key cursor. If a playbook run fails after the call has been made, those IOCs will not be returned again by the next delta call. Persist the result before treating the run as successful, and keep a `delta=false` run (the last 24 hours) available as a backfill.

### IOCs in CSV

Retrieve indicators of compromise in STIX 1.1 CSV format from CYFIRMA V2, with delta or full export options.

**Endpoint URL**: `/core/api-ua/threatioc/csv`
**Method**: GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.delta | boolean | Required | `true` returns only the IOCs added to the platform after the last API call; `false` returns the IOCs added to the system in the last 24 hours. |
| parameters.all | boolean | Required | `true` returns all IOCs, whether or not they have been linked to the client; `false` returns only the IOCs linked to the client. |
| parameters.with_risk_score | boolean | Optional | `true` returns the IOCs with a risk score; `false` returns them without. |

**Input example** (the example omits `all`, which the table marks as required; pass it explicitly)

```json
{"parameters": {"key": "api key value", "delta": true}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Output field `file` |
| file.file_name | string | Name of the resource file |
| file.file | string | Output field `file.file` |

**Output example**

```json
{"file": {"file_name": "example name", "file": "string"}}
```

### IOCs in JSON

Obtain indicators of compromise in STIX 1.1 JSON format from CYFIRMA V2, with delta or full export options.

**Endpoint URL**: `/core/api-ua/threatioc/stix-json`
**Method**: GET

**Input arguments**: `parameters.delta` (boolean, required) and `parameters.all` (boolean, required), with the same meaning as in IOCs in CSV.

**Input example**

```json
{"parameters": {"all": true, "delta": true}}
```

**Output**: `status_code` (number) and `reason` (string).

**Output example** (the sample package reports STIX version 1.2)

```json
{"status_code": 200, "reason": "OK", "json_body": [{"observables": null, "indicators": {}, "exploitTargets": null, "incidents": null, "coursesOfAction": null, "campaigns": null, "threatActors": null, "reports": null, "relatedPackages": null, "id": "{https://www.cyfirma.com/}package-6a445526-98ce-4d99-8ebd-6fcffa086128", "idref": null, "timestamp": "2020-09-30T08:23:33.945+0000", "version": "1.2", "stixHeader": {}, "ttps": null}]}
```

### IOCs in XML

Retrieve indicators of compromise in STIX 1.1 XML format from CYFIRMA V2, with options for delta or full data retrieval.

**Endpoint URL**: `/core/api-ua/threatioc/stix-xml`
**Method**: GET

**Input arguments**: `parameters.delta` (boolean, required) and `parameters.all` (boolean, required), with the same meaning as in IOCs in CSV.

**Input example**

```json
{"parameters": {"key": "api key value", "delta": true}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| STIX_Package | object | The STIX package |
| STIX_Package.STIX_Header | object | Package header |
| STIX_Package.STIX_Header.Description | object | Header description |
| STIX_Package.STIX_Header.Description.prefix | string | Namespace prefix |
| STIX_Package.STIX_Header.Description.text | string | Description text |
| STIX_Package.STIX_Header.prefix | string | Namespace prefix |
| STIX_Package.Indicators | object | Indicator container |
| STIX_Package.Indicators.Indicator | object | Indicator |
| STIX_Package.Indicators.Indicator.Title | object | Indicator title |
| STIX_Package.Indicators.Indicator.Title.prefix | string | Namespace prefix |
| STIX_Package.Indicators.Indicator.Title.text | string | Title text |
| STIX_Package.Indicators.Indicator.Description | object | Indicator description |
| STIX_Package.Indicators.Indicator.Description.prefix | string | Namespace prefix |
| STIX_Package.Indicators.Indicator.Observable | object | Indicator observable |
| STIX_Package.Indicators.Indicator.Observable.Object | object | Observable object |
| STIX_Package.Indicators.Indicator.Observable.id | string | Unique identifier |
| STIX_Package.Indicators.Indicator.Observable.prefix | string | Namespace prefix |
| STIX_Package.Indicators.Indicator.Producer | object | Indicator producer |
| STIX_Package.Indicators.Indicator.Producer.Identity | object | Producer identity |
| STIX_Package.Indicators.Indicator.Producer.Time | object | Time value |
| STIX_Package.Indicators.Indicator.Producer.prefix | string | Namespace prefix |
| STIX_Package.Indicators.Indicator.xmlns | string | Default namespace |
| STIX_Package.Indicators.Indicator.xmlns:ns141 | string | Namespace declaration |

**Output example** (truncated in the source)

```json
{"status_code": 200, "reason": "OK", "json_body": {"STIX_Package": {"STIX_Header": {}, "Indicators": {}, "xmlns": "http://xml/metadataSharing.xsd", "xmlns:AddressObj": "http://cybox.mitre.org/objects#AddressObject-2", "xmlns:cyfirma": "https://www.cyfirma.com/", "xmlns:URIObj": "http://cybox.mitre.org/objects#URIObject-2", "xmlns:cybox": "http://cybox.mitre.org/cybox-2", "xmlns:cyboxCommon": "http://cybox.mitre.org/common-2", "xmlns:indicator": "http://stix.mitre.org/indicator-2", "xmlns:stix": "http://stix.mitr…
```

### List of IOCs

Retrieve a list of indicators of compromise (IOCs) from CYFIRMA V2 in STIX 2.1 format, with delta and all options.

**Endpoint URL**: `/core/api-ua/threatioc/stix/v2.1`
**Method**: GET

**Input arguments**: `parameters.delta` (boolean, required) and `parameters.all` (boolean, required), with the same meaning as in IOCs in CSV.

**Input example**

```json
{"parameters": {"key": "api key value", "delta": true}}
```

**Output**: `status_code` (number) and `reason` (string).

**Output example** (truncated in the source)

```json
{"status_code": 200, "reason": "OK", "json_body": [{"type": "indicator", "spec_version": "2.1", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", "created": "2016-04-06T20:03:48.000Z", "modified": "2016-04-06T20:03:48.000Z", "indicator_types": [], "name": "Poison Ivy Malware", "description": "This file is part of Poison Ivy", "pattern": "[file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03…", "valid_from": "2016-01-01…
```

### Search for IOCs

Retrieve IOCs in STIX 2.1 JSON format by searching for a specific indicator type (MD5, SHA, IP, domain, etc.) and value, using the `indicatortype` and `value` parameters.

**Endpoint URL**: `/core/api-ua/threatioc/stix/v2.1/search`
**Method**: GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.indicatortype | string | Required | One of the indicator types `md5`, `sha`, `ip`, `domain`, `hostname`, `url`, `email`, `cve`, `exploit`, `mutex`. The API retrieves details matching that type. |
| parameters.value | string | Required | The indicator value to look up. The response contains the IOC in STIX 2.1 format together with everything associated with it (threat actors, campaigns, intrusion sets, etc.). |

**Input example**

```json
{"parameters": {"key": "api key value", "indicatortype": "md5", "value": "stix2.1 format string"}}
```

**Output**: `status_code` (number) and `reason` (string).

**Output example** (truncated in the source)

```json
{"status_code": 200, "reason": "OK", "json_body": [{"type": "indicator", "spec_version": "2.1", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", "created": "2016-04-06T20:03:48.000Z", "modified": "2016-04-06T20:03:48.000Z", "indicator_types": [], "name": "Poison Ivy Malware", "description": "This file is part of Poison Ivy", "pattern": "[file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03…", "valid_from": "2016-01-01…
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, max-age=0, must-revalidate |
| CF-Cache-Status | Cloudflare cache status | DYNAMIC |
| CF-RAY | Cloudflare request identifier | 81fbc5a5cc659a95-NAG |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 3551 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com https://d3js.org https://cdn.ckeditor.com https://www.amcharts.com https://cdn.amcharts.com https://d3js.org/d3.v4.min.js; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.amcharts.com https://d3js.org https://cdn.ckeditor.com; img-src 'self' data:; font-src 'self' data: |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 02 Nov 2023 11:05:13 GMT |
| Expires | The date/time after which the response is considered stale | 0 |
| Permissions-Policy | HTTP response header Permissions-Policy | camera=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(), accelerometer=(self), ambient-light-sensor=(self), autoplay=(self), battery=(self), camera=(self), cross-origin-isolated=(self), display-capture=(self), document-domain=(self), encrypted-media=(self), execution-while-not-rendered=(self), execution-while-out-of-viewport=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), keyboard-map=(self), magnetometer=(self), microphone=(self), midi=(self), navigation-override=(self), payment=(self), picture-in-picture=(self), publickey-credentials-get=(self), screen-wake-lock=(self), sync-xhr=(self), usb=(self), web-share=(self), xr-spatial-tracking=(self) |
| Pragma | HTTP response header Pragma | no-cache |
| Referrer-Policy | HTTP response header Referrer-Policy | strict-origin-when-cross-origin |
| Server | Information about the software used by the origin server | cloudflare |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains, max-age=63072000; includeSubDomains; preload |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, Access-Control-Request-Method, Access-Control-Request-Headers |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff, nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY, DENY |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block, 1; mode=block |

Several of these headers appear twice in the captured responses, sometimes with different values (`Strict-Transport-Security` with `max-age=31536000` and `max-age=63072000; preload`; `Permissions-Policy` with both `camera=()` and `camera=(self)`). That pattern is typical when the origin application and a fronting proxy (`Server: cloudflare`) each add their own security headers. None of it affects the connector, which only consumes JSON bodies, but it is worth knowing if you validate the endpoint's headers: for HSTS, RFC 6797 requires a user agent to process only the first `Strict-Transport-Security` field it sees, so the second value is ignored by browsers.
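The alert endpoints above are paginated and accept an `after` cursor, which is how an ingestion playbook avoids re-pulling the whole feed every run. The following is an added example of that loop, written for this page and not part of the Swimlane connector or CYFIRMA's own code. It assumes two things the page does not document: that each alert endpoint returns a JSON array of records, and that each record carries a `created_date` field in a lexically sortable timestamp format (both hypothetical; adjust to the real body). The termination rule (a page shorter than `size` is the last page) is also an assumption. The transport is injectable so the paging logic can be exercised offline; `urllib_fetch` is the real HTTPS transport.

```python
"""Added example: paging a CYFIRMA V2 alert endpoint and carrying an `after`
watermark between runs. Not Swimlane's or CYFIRMA's code.

Assumed (not documented on the page): endpoints return a JSON list of records,
each with a sortable "created_date" string; a short page ends the feed."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List, Optional, Tuple

# Alert endpoint paths from the connector documentation, keyed by family.
ALERT_PATHS = {
    "attack-surface": "/core/api-ua/v2/alerts/attack-surface",
    "data-breach-and-web-monitoring": "/core/api-ua/v2/alerts/data-breach-and-web-monitoring",
    "impersonation-and-infringement": "/core/api-ua/v2/alerts/impersonation-and-infringement",
    "social-and-public-exposure": "/core/api-ua/v2/alerts/social-and-public-exposure",
}

Fetch = Callable[[str, dict], list]  # (path, query params) -> decoded JSON list


def redact_url(url: str) -> str:
    """Mask the `key` query parameter before a URL reaches a log line: the API
    key travels in the query string, so logging full URLs would leak it."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query = [(k, "REDACTED" if k == "key" else v) for k, v in query]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def build_query(key: str, type_: str, page: int, size: int,
                impact: Optional[str] = None, after: Optional[str] = None) -> dict:
    """Send only the filters that are set; the page's example sends empty
    strings, which the API treats as 'no filter', so omitting them is equivalent."""
    params = {"key": key, "type": type_, "page": page, "size": size}
    if impact:
        params["impact"] = impact  # single value or comma-separated list
    if after:
        params["after"] = after    # created date strictly greater than this
    return params


def urllib_fetch(base_url: str, timeout: float = 30.0) -> Fetch:
    """Real transport. Certificate verification is left at the default (on)."""
    def fetch(path: str, params: dict) -> list:
        url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as exc:
            # Re-raise without the key in the message.
            raise RuntimeError(f"HTTP {exc.code} for {redact_url(url)}") from None
    return fetch


def iter_alerts(fetch: Fetch, key: str, family: str, type_: str, size: int = 100,
                impact: Optional[str] = None, after: Optional[str] = None) -> Iterator[dict]:
    """Walk every page of one alert type, yielding records as they arrive."""
    path = ALERT_PATHS[family]
    page = 1
    while True:
        records = fetch(path, build_query(key, type_, page, size, impact, after))
        yield from records
        if len(records) < size:  # assumed termination rule
            return
        page += 1


def pull_with_watermark(fetch: Fetch, key: str, family: str, type_: str, watermark: str,
                        size: int = 100, impact: Optional[str] = None) -> Tuple[List[dict], str]:
    """Pull everything created after `watermark`; return (records, new watermark).
    Persist the new watermark only after the records are safely stored, otherwise
    a crash between the two steps silently drops alerts."""
    records = list(iter_alerts(fetch, key, family, type_, size, impact, after=watermark))
    newest = max((r["created_date"] for r in records), default=watermark)
    return records, newest
```

Because `after` is documented as strictly greater than the given value, records that share the newest timestamp but arrive after the run would be skipped on the next pull; if that matters for your feed, widen the watermark by a small margin and deduplicate on the record identifier instead.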
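List of IOCs and Search for IOCs both return STIX 2.1 indicator objects whose actual observables live inside the `pattern` string, and Search for IOCs needs the caller to name an `indicatortype` from the fixed vocabulary (`md5`, `sha`, `ip`, `domain`, `hostname`, `url`, `email`, `cve`, `exploit`, `mutex`). The block below is an added example, not code from the connector or from CYFIRMA, covering both: it flattens the indicators of a bundle into `(indicatortype, value)` pairs a detection platform can match on, and it classifies a raw observable into that vocabulary so a playbook can build the search parameters. Only simple STIX comparison patterns (equality comparisons joined by AND/OR) are handled; the sample bundle and its identifiers and hash are constructed for the example, and `hostname`, `exploit` and `mutex` cannot be inferred from syntax alone, so those must be passed explicitly.

```python
"""Added example: STIX 2.1 pattern -> (indicatortype, value), plus observable
classification for the Search for IOCs endpoint. Not Swimlane's or CYFIRMA's code.
Sample bundle below is constructed for the example."""
import re
from typing import Dict, List, Optional, Tuple

# STIX 2.1 object path -> indicatortype vocabulary of the search endpoint.
PATH_TO_TYPE = {
    "file:hashes.MD5": "md5", "file:hashes.'MD5'": "md5",
    "file:hashes.'SHA-1'": "sha", "file:hashes.'SHA-256'": "sha",
    "ipv4-addr:value": "ip", "ipv6-addr:value": "ip",
    "domain-name:value": "domain", "url:value": "url",
    "email-addr:value": "email", "mutex:name": "mutex",
}

# One `object:path = 'literal'` comparison; handles \' and \\ inside the literal.
COMPARISON = re.compile(r"([\w\-]+:[\w\.'\-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def extract_iocs(indicator: dict) -> List[Tuple[str, str]]:
    """Map every equality comparison in an indicator's STIX pattern to
    (indicatortype, value). Non-STIX patterns (e.g. sigma, snort) yield []."""
    if indicator.get("type") != "indicator" or indicator.get("pattern_type", "stix") != "stix":
        return []
    out = []
    for path, value in COMPARISON.findall(indicator["pattern"]):
        ioc_type = PATH_TO_TYPE.get(path)
        if ioc_type:  # unknown object paths are skipped, not guessed
            out.append((ioc_type, value.replace("\\'", "'").replace("\\\\", "\\")))
    return out


def flatten_bundle(bundle) -> Dict[str, List[str]]:
    """Group IOC values by indicatortype across a bundle or a plain object list
    (List of IOCs returns a list at the top level)."""
    objects = bundle["objects"] if isinstance(bundle, dict) else bundle
    grouped: Dict[str, List[str]] = {}
    for obj in objects:
        for ioc_type, value in extract_iocs(obj):
            grouped.setdefault(ioc_type, []).append(value)
    return grouped


# Syntax-based classifiers, most specific first.
_CLASSIFIERS = (
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha", re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$", re.I)),
    ("cve", re.compile(r"^CVE-\d{4}-\d{4,}$", re.I)),
    ("ip", re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    ("url", re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("domain", re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)),
)


def classify(observable: str) -> str:
    """Pick the indicatortype for a raw observable. A dotted name is reported as
    'domain' (the API's 'hostname' is indistinguishable by syntax); anything
    unrecognised raises so the caller supplies the type explicitly."""
    s = observable.strip()
    for ioc_type, rx in _CLASSIFIERS:
        if rx.match(s):
            return ioc_type
    raise ValueError(f"cannot classify {observable!r}; pass indicatortype explicitly")


def search_params(key: str, observable: str, indicatortype: Optional[str] = None) -> Dict[str, str]:
    """Query parameters for /core/api-ua/threatioc/stix/v2.1/search."""
    return {"key": key, "indicatortype": indicatortype or classify(observable),
            "value": observable.strip()}


# Constructed sample: ids and hash are placeholders, not real CYFIRMA data.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002", "name": "dropper",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "valid_from": "2023-11-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000003", "name": "c2",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR domain-name:value = 'c2.example.net']",
         "valid_from": "2023-11-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "sigma",
         "id": "indicator--00000000-0000-4000-8000-000000000004", "name": "sigma rule",
         "pattern": "title: not a STIX pattern", "valid_from": "2023-11-01T00:00:00Z"},
    ],
}
```

`flatten_bundle(SAMPLE_BUNDLE)` yields one `sha`, one `ip` and one `domain` entry and ignores the Sigma indicator; the regex deliberately does not try to evaluate pattern semantics (`FOLLOWEDBY`, `WITHIN`, negations), which is why the lead-in limits it to equality comparisons.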