CYFIRMA V2
The CYFIRMA V2 connector enables users to integrate a comprehensive suite of cyber threat intelligence tools into their security workflows, facilitating proactive defense against emerging cyber threats. CYFIRMA V2 offers real-time threat intelligence capabilities, enabling users to retrieve tailored alerts and Indicators of Compromise (IOCs) for enhanced situational awareness. With the CYFIRMA V2 connector for Swimlane Turbine, security teams can automate the ingestion of actionable intelligence, streamline threat analysis, and prioritize risks based on impact. This integration empowers users to proactively defend against emerging threats, manage digital risks, and maintain a robust security posture within the Swimlane ecosystem.

## Prerequisites

To use the CYFIRMA V2 connector within the Swimlane Turbine platform, ensure you have the following:

- API Key authentication with the following parameters:
  - URL: endpoint for the CYFIRMA V2 API services
  - Key: unique identifier to authenticate and authorize access to CYFIRMA V2 capabilities

## Capabilities

This connector provides the following capabilities:

- Get Attack Surface Alerts
- Get Data Breach and Web Monitoring
- Get Digital Risk Impersonation Infringement
- Get Social Public Exposure
- IOCs in CSV
- IOCs in JSON
- IOCs in XML
- List of IOCs
- Search for IOCs

## Asset Setup

The CYFIRMA asset requires a URL and an API key to interact with the API.

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| Key | Key | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Alert actions

The four alert actions below (Get Attack Surface Alerts, Get Data Breach and Web Monitoring, Get Digital Risk Impersonation Infringement, Get Social Public Exposure) share the same input and output parameters; only the endpoint URL and the example response differ.

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| Type | string | required | The value of the `type` parameter depends on the API being called |
| Page | number | optional | The records returned by the API are paginated |
| Size | number | optional | The number of records per page is defined by the value of `size` |
| Impact | string | optional | By default the API returns all data without filtering by impact; if a value is passed, either single or comma-separated, the retrieved data is filtered accordingly |
| After | string | optional | Retrieve all data whose created date is greater than the value specified in this parameter |
| From Date Time | string | optional | Retrieve data whose created date falls between From Date Time and To Date Time |
| To Date Time | string | optional | Retrieve data whose created date falls between From Date Time and To Date Time |
| Order By Created Date | string | optional | The response dataset can be ordered by the created date field; records are in descending (`desc`) order by default |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Get Attack Surface Alerts

Retrieve tailored alert data based on the alert configuration specified on the CYFIRMA V2 onboarding page; the `type` parameter is required.

Endpoint URL: `/core/api-ua/v2/alerts/attack-surface`
Method: GET

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 02 Nov 2023 10:47:40 GMT",
      "Content-Type": "application/json",
      "Content-Length": "3551",
      "Connection": "keep-alive",
      "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A",
      "Content-Encoding": "gzip",
      "Expires": "0",
      "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
      "X-XSS-Protection": "1; mode=block, 1; mode=block",
      "Pragma": "no-cache",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains, max-age=63072000; includeSubDomains; prelo",
      "X-Frame-Options": "DENY, DENY",
      "Permissions-Policy": "camera=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), mic",
      "Content-Security-Policy": "default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'u"
    },
    "reason": "OK",
    "json_body": [{}]
  }
]
```

#### Get Data Breach and Web Monitoring

Retrieve CYFIRMA V2 alerts for data breaches and web monitoring based on the specified alert configuration.

Endpoint URL: `/core/api-ua/v2/alerts/data-breach-and-web-monitoring`
Method: GET

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 02 Nov 2023 10:56:22 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A",
      "Expires": "0",
      "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
      "X-XSS-Protection": "1; mode=block, 1; mode=block",
      "Pragma": "no-cache",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains, max-age=63072000; includeSubDomains; prelo",
      "X-Frame-Options": "DENY, DENY",
      "Permissions-Policy": "camera=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), mic",
      "Content-Security-Policy": "default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'u",
      "Referrer-Policy": "strict-origin-when-cross-origin"
    },
    "reason": "OK",
    "json_body": [{}]
  }
]
```

#### Get Digital Risk Impersonation Infringement

Retrieve alerts for impersonation and infringement digital risks from CYFIRMA V2, filtered by the alert `type` parameter.

Endpoint URL: `/core/api-ua/v2/alerts/impersonation-and-infringement`
Method: GET

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 02 Nov 2023 10:42:40 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A",
      "Expires": "0",
      "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
      "X-XSS-Protection": "1; mode=block, 1; mode=block",
      "Pragma": "no-cache",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains, max-age=63072000; includeSubDomains; prelo",
      "X-Frame-Options": "DENY, DENY",
      "Permissions-Policy": "camera=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), mic",
      "Content-Security-Policy": "default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'u",
      "Referrer-Policy": "strict-origin-when-cross-origin"
    },
    "reason": "OK",
    "json_body": [{}]
  }
]
```

#### Get Social Public Exposure

Retrieve social and public exposure alerts from CYFIRMA V2 based on the specified alert `type`.

Endpoint URL: `/core/api-ua/v2/alerts/social-and-public-exposure`
Method: GET

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 02 Nov 2023 11:05:13 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A",
      "Content-Encoding": "gzip",
      "Expires": "0",
      "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
      "X-XSS-Protection": "1; mode=block, 1; mode=block",
      "Pragma": "no-cache",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains, max-age=63072000; includeSubDomains; prelo",
      "X-Frame-Options": "DENY, DENY",
      "Permissions-Policy": "camera=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), mic",
      "Content-Security-Policy": "default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'u"
    },
    "reason": "OK",
    "json_body": [{}]
  }
]
```

### IOCs in CSV

Retrieve Indicators of Compromise in STIX 1.1 CSV format from CYFIRMA V2, with delta or full export options.

Endpoint URL: `/core/api-ua/threatioc/csv`
Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| Delta | boolean | required | `true` returns only the IOCs added to the platform after the last API call; `false` returns the IOCs added to the system in the last 24 hours |
| All | boolean | required | `true` returns all IOCs irrespective of whether they have been linked to the client; `false` returns only the IOCs that have been linked to the client |
| With Risk Score | boolean | optional | `true` returns the IOCs with a risk score; `false` returns the IOCs without a risk score |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Output field file |
| file_name | string | Name of the resource |
| file | string | Output field file |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "file": {
      "file_name": "example_name",
      "file": "string"
    }
  }
]
```

### IOCs in JSON

Obtain Indicators of Compromise in STIX 1.1 JSON format from CYFIRMA V2, with delta or full export options.

Endpoint URL: `/core/api-ua/threatioc/stix-json`
Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| Delta | boolean | required | `true` returns only the IOCs added to the platform after the last API call; `false` returns the IOCs added to the system in the last 24 hours |
| All | boolean | required | `true` returns all IOCs irrespective of whether they have been linked to the client; `false` returns only the IOCs that have been linked to the client |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": [{}]
  }
]
```

### IOCs in XML

Retrieve Indicators of Compromise in STIX 1.1 XML format from CYFIRMA V2, with options to specify delta or full data retrieval.

Endpoint URL: `/core/api-ua/threatioc/stix-xml`
Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| Delta | boolean | required | `true` returns only the IOCs added to the platform after the last API call; `false` returns the IOCs added to the system in the last 24 hours |
| All | boolean | required | `true` returns all IOCs irrespective of whether they have been linked to the client; `false` returns only the IOCs that have been linked to the client |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| stix_package | object | Output field stix_package |
| stix_header | object | Output field stix_header |
| description | object | Output field description |
| prefix | string | Output field prefix |
| text | string | Output field text |
| prefix | string | Output field prefix |
| indicators | object | Output field indicators |
| indicator | object | Output field indicator |
| title | object | Output field title |
| prefix | string | Output field prefix |
| text | string | Output field text |
| description | object | Output field description |
| prefix | string | Output field prefix |
| observable | object | Output field observable |
| object | object | Output field object |
| id | string | Unique identifier |
| prefix | string | Output field prefix |
| producer | object | Output field producer |
| identity | object | Unique identifier |
| time | object | Time value |
| prefix | string | Output field prefix |
| xmlns | string | Output field xmlns |
| xmlns:ns141 | string | Output field xmlns:ns141 |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "stix_package": {}
    }
  }
]
```

### List of IOCs

Retrieve a list of Indicators of Compromise (IOCs) from CYFIRMA V2 in STIX 2.1 format, with delta and all options.

Endpoint URL: `/core/api-ua/threatioc/stix/v2.1`
Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| Delta | boolean | required | `true` returns only the IOCs added to the platform after the last API call; `false` returns the IOCs added to the system in the last 24 hours |
| All | boolean | required | `true` returns all IOCs irrespective of whether they have been linked to the client; `false` returns only the IOCs that have been linked to the client |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": [{}]
  }
]
```

### Search for IOCs

Retrieve IOCs in STIX 2.1 JSON format by searching for a specific indicator type such as MD5, SHA, IP, domain, etc., using the `indicatortype` and `value` parameters.

Endpoint URL: `/core/api-ua/threatioc/stix/v2.1/search`
Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| indicatortype | string | required | When searching through the IOC API, the indicator type parameter must be set to one of the supported indicator types (md5, sha, ip, domain, hostname, url, email, cve, exploit, mutex); the API retrieves the details matching that request |
| value | string | required | The value parameter is required to retrieve the details of the IOCs in STIX 2.1 format together with everything associated with them (threat actors, campaigns, intrusion sets, etc.) |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": [{}]
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, max-age=0, must-revalidate |
| CF-Cache-Status | HTTP response header CF-Cache-Status | DYNAMIC |
| CF-Ray | HTTP response header CF-Ray | 81fbc5a5cc659a95-NAG |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 3551 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com https://storage.googleapis.com https://d3js.org https://d3js.org https://cdn.ckeditor.com https://cdn.ckeditor.com https://www.amcharts.com https://www.amcharts.com https://cdn.amcharts.com https://cdn.amcharts.com https://d3js.org/d3.v4.min.js https://d3js.org/d3.v4.min.js; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.googleapis.com https://www.amcharts.com https://www.amcharts.com https://d3js.org https://d3js.org https://cdn.ckeditor.com https://cdn.ckeditor.com; img-src 'self' data:; font-src 'self' data: |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 02 Nov 2023 10:56:22 GMT |
| Expires | The date/time after which the response is considered stale | 0 |
| Permissions-Policy | HTTP response header Permissions-Policy | camera=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(), accelerometer=(self), ambient-light-sensor=(self), autoplay=(self), battery=(self), camera=(self), cross-origin-isolated=(self), display-capture=(self), document-domain=(self), encrypted-media=(self), execution-while-not-rendered=(self), execution-while-out-of-viewport=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), keyboard-map=(self), magnetometer=(self), microphone=(self), midi=(self), navigation-override=(self), payment=(self), picture-in-picture=(self), publickey-credentials-get=(self), screen-wake-lock=(self), sync-xhr=(self), usb=(self), web-share=(self), xr-spatial-tracking=(self) |
| Pragma | HTTP response header Pragma | no-cache |
| Referrer-Policy | HTTP response header Referrer-Policy | strict-origin-when-cross-origin |
| Server | Information about the software used by the origin server | cloudflare |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000 ; includeSubDomains, max-age=63072000; includeSubDomains; preload |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, Access-Control-Request-Method, Access-Control-Request-Headers |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff, nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY, DENY |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block, 1; mode=block |
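The alert actions above all take the same `type`, pagination, `impact` and date-window filters, and the IOC exports all take the `delta` and `all` flags. As an added example (not code from the connector or from Swimlane), the following Python builds those query strings and pages through an alert feed; the API-key header name, the query-parameter spellings, 1-based page numbering and a JSON-array response body are assumptions, not taken from the page, and the transport is a constructed offline stub.

```python
# Added example, not the connector's or Swimlane's code: builds the queries the alert
# and IOC actions above describe and walks a paginated alert feed offline. ASSUMED (not
# on the page): API-key header name, query-parameter spellings, 1-based pages, JSON-array body.
from typing import Dict, Iterator, List, Optional, Tuple

ALERT_PATHS = {  # endpoint URLs as listed in the action reference
    "attack_surface": "/core/api-ua/v2/alerts/attack-surface",
    "data_breach": "/core/api-ua/v2/alerts/data-breach-and-web-monitoring",
    "impersonation": "/core/api-ua/v2/alerts/impersonation-and-infringement",
    "social": "/core/api-ua/v2/alerts/social-and-public-exposure",
}

def alert_params(alert_type: str, page: int = 1, size: int = 100, impact: Optional[List[str]] = None,
                 after: Optional[str] = None, from_dt: Optional[str] = None,
                 to_dt: Optional[str] = None, order: str = "desc") -> Dict[str, str]:
    # 'type' is required; 'impact' is a single value or a comma-separated list;
    # from/to define a window, so one without the other is a caller error.
    if (from_dt is None) != (to_dt is None):
        raise ValueError("from_dt and to_dt must be given together")
    params = {"type": alert_type, "page": str(page), "size": str(size), "order_by_created_date": order}
    for key, val in (("impact", ",".join(impact or [])), ("after", after)):
        if val:
            params[key] = val
    if from_dt:
        params["from_date_time"], params["to_date_time"] = from_dt, to_dt
    return params

def ioc_params(delta: bool, all_iocs: bool, with_risk_score: Optional[bool] = None) -> Dict[str, str]:
    # delta=true: only IOCs added since the last call; all=true: regardless of client linkage
    params = {"delta": str(delta).lower(), "all": str(all_iocs).lower()}
    if with_risk_score is not None:  # accepted by the CSV export only
        params["with_risk_score"] = str(with_risk_score).lower()
    return params

def iter_alerts(transport, base_url: str, api_key: str, kind: str, alert_type: str,
                size: int = 100, **filters) -> Iterator[dict]:
    # transport(url, headers, params) -> (HTTP status, parsed JSON list) is injected so a real
    # HTTPS client can replace the stub below; a non-200 raises instead of silently truncating.
    headers = {"X-API-Key": api_key, "Accept": "application/json"}  # header name assumed
    page = 1
    while True:
        status, body = transport(base_url + ALERT_PATHS[kind], headers,
                                 alert_params(alert_type, page, size, **filters))
        if status != 200:
            raise RuntimeError(f"CYFIRMA V2 returned HTTP {status} on page {page}")
        yield from body
        if len(body) < size:  # a short page ends the feed
            return
        page += 1

# Constructed sample feed standing in for the live API: three alerts, page size 2.
SAMPLE = [{"id": "a1", "impact": "HIGH"}, {"id": "a2", "impact": "HIGH"}, {"id": "a3", "impact": "MEDIUM"}]
def fake_transport(url: str, headers: Dict[str, str], params: Dict[str, str]) -> Tuple[int, list]:
    page, size = int(params["page"]), int(params["size"])
    return 200, SAMPLE[(page - 1) * size:page * size]

def collect_sample() -> List[str]:
    return [a["id"] for a in iter_alerts(fake_transport, "https://cyfirma.example", "KEY-PLACEHOLDER",
                                         "attack_surface", "open_ports", size=2, impact=["HIGH", "MEDIUM"])]
```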