# IBM XForce
The IBM XForce connector integrates with Swimlane to query malware, IPs, and URLs.

## Capabilities

This connector provides the following capabilities:

- Get IP Report
- Get IP Reputation
- Get Malware for Family
- Get Malware for File Hash
- Get Malware for IP
- Get Malware for URL
- Get URL Category List
- Get URL History
- Get URL Report
- Get URL Updates of Deltas
- Get URLs by Category
- Wildcard Search Malware Family

## Asset Setup

The IBM XForce asset requires a URL, an API key and an API password.

Documentation: https://api.xforce.ibmcloud.com

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

Configuration Parameters

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | Required |
| Username | Username | string | Required |
| Password | Password | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Get IP Report

Returns the IP report for the entered IP.

- Endpoint URL: `/ipr/{{ip}}`
- Method: GET

Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.ip | string | Required | Parameters for the Get IP Report action |

Input Example

```json
{"path_parameters": {"ip": "8.8.8.8"}}
```

Output Parameters

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ip | string | Output field ip |
| history | array | Output field history |
| history.created | string | Output field history.created |
| history.reason | string | Response reason phrase |
| history.geo | object | Output field history.geo |
| history.geo.country | string | Output field history.geo.country |
| history.geo.countrycode | string | Output field history.geo.countrycode |
| history.ip | string | Output field history.ip |
| history.cats | object | Output field history.cats |
| history.categorydescriptions | object | Output field history.categorydescriptions |
| history.reasondescription | string | Response reason phrase |
| history.score | number | Score value |
| subnets | array | Output field subnets |
| subnets.created | string | Output field subnets.created |
| subnets.reason | string | Response reason phrase |
| subnets.reason_removed | boolean | Response reason phrase |
| subnets.asns | object | Output field subnets.asns |
| subnets.ip | string | Output field subnets.ip |
| subnets.categorydescriptions | object | Output field subnets.categorydescriptions |
| subnets.reasondescription | string | Response reason phrase |
| subnets.score | number | Score value |
| subnets.cats | object | Output field subnets.cats |
| subnets.subnet | string | Output field subnets.subnet |

Output Example (the example is cut off in the source at this point)

```json
{"status_code": 200, "response_headers": {"date": "Tue, 23 Jan 2024 06:33:45 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "server-timing": "intid;desc=31fb7d7830c67ba0", "x-xss-protection": "1; mode=block", "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'test.cloud", "x-content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'test.cloud", "x-webkit
```

### Get IP Reputation

Returns the IP reputation report for the entered IP.

- Endpoint URL: `/ipr/history/{{ip}}`
- Method: GET

Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.ip | string | Required | Parameters for the Get IP Reputation action |

Input Example

```json
{"path_parameters": {"ip": "216.137.61.0x08"}}
```

Output Parameters

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ip | string | Output field ip |
| history | array | Output field history |
| history.created | string | Output field history.created |
| history.geo | object | Output field history.geo |
| history.geo.country | string | Output field history.geo.country |
| history.geo.countrycode | string | Output field history.geo.countrycode |
| history.ip | string | Output field history.ip |
| history.reason | string | Response reason phrase |
| history.reasondescription | string | Response reason phrase |
| history.malware_extended | object | Output field history.malware_extended |
| history.malware_extended.botnet | string | Output field history.malware_extended.botnet |
| history.malware_extended.lat | number | Output field history.malware_extended.lat |
| history.malware_extended.long | number | Output field history.malware_extended.long |
| history.malware_extended.city | string | Output field history.malware_extended.city |
| history.malware_extended.cc | string | Output field history.malware_extended.cc |
| history.malware_extended.country | number | Output field history.malware_extended.country |
| history.malware_extended.isnew | boolean | Output field history.malware_extended.isnew |
| history.deleted | boolean | Output field history.deleted |
| history.reason_removed | boolean | Response reason phrase |
| history.categorydescriptions | object | Output field history.categorydescriptions |
| history.categorydescriptions.key | string | Output field history.categorydescriptions.key |
| history.categorydescriptions.value | string | Value for the parameter |
| history.cats | object | Output field history.cats |

Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"ip": "216.137.61.0x08", "history": [{}]}}
```

### Get Malware Report for File Hash

Returns a malware report for the given file hash (for example MD5, SHA1 or SHA256).

- Endpoint URL: `/malware/{{filehash}}`
- Method: GET

Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.filehash | string | Required | Parameters for the Get Malware Report for File Hash action |

Input Example

```json
{"path_parameters": {"filehash": "474b9ccf5ab9d72ca8a333889bbb34f0"}}
```

Output Parameters

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| malware | object | Output field malware |
| malware.created | string | Output field malware.created |
| malware.type | string | Type of the resource |
| malware.family | array | Output field malware.family |
| malware.familymembers | object | Output field malware.familymembers |
| malware.md5 | string | Output field malware.md5 |
| malware.mimetype | string | Type of the resource |
| malware.origins | object | Output field malware.origins |
| malware.origins.cncservers | object | Output field malware.origins.cncservers |
| malware.origins.cncservers.rows | array | Output field malware.origins.cncservers.rows |
| malware.origins.cncservers.rows.count | number | Count value |
| malware.origins.cncservers.rows.domain | string | Output field malware.origins.cncservers.rows.domain |
| malware.origins.cncservers.rows.filepath | string | Output field malware.origins.cncservers.rows.filepath |
| malware.origins.cncservers.rows.firstseen | string | Output field malware.origins.cncservers.rows.firstseen |
| malware.origins.cncservers.rows.host | string | Output field malware.origins.cncservers.rows.host |
| malware.origins.cncservers.rows.ip | string | Output field malware.origins.cncservers.rows.ip |
| malware.origins.cncservers.rows.lastseen | string | Output field malware.origins.cncservers.rows.lastseen |
| malware.origins.cncservers.rows.md5 | string | Output field malware.origins.cncservers.rows.md5 |
| malware.origins.cncservers.rows.origin | string | Output field malware.origins.cncservers.rows.origin |
| malware.origins.cncservers.rows.schema | string | Output field malware.origins.cncservers.rows.schema |
| malware.origins.cncservers.rows.type | string | Type of the resource |
| malware.origins.cncservers.rows.uri | string | Output field malware.origins.cncservers.rows.uri |
| malware.origins.downloadservers | object | Output field malware.origins.downloadservers |

Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"malware": {"created": "2023-10-05T06:48:26.902Z", "type": "md5", "family": [], "familymembers": {}, "md5": "string", "mimetype": "string", "origins": {}, "risk": "string"}, "tags": [{}]}}
```

### Get Malware for Family

Returns the malware associated with the entered family using wildcard search.

- Endpoint URL: `/malware/family/{{family}}`
- Method: GET

Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.family | string | Required | Parameters for the Get Malware for Family action |

Input Example

```json
{"path_parameters": {"family": "tsunami"}}
```

Output Parameters

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| family | array | Output field family |
| firstseen | string | Output field firstseen |
| lastseen | string | Output field lastseen |
| malware | array | Output field malware |
| malware.created | string | Output field malware.created |
| malware.family | array | Output field malware.family |
| malware.md5 | string | Output field malware.md5 |
| malware.type | string | Type of the resource |

Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"count": 0, "family": ["string"], "firstseen": "2023-10-05T06:52:16.276Z", "lastseen": "2023-10-05T06:52:16.276Z", "malware": [{}]}}
```

### Get Malware for IP

Returns the malware associated with the entered IP.

- Endpoint URL: `/ipr/malware/{{ip}}`
- Method: GET

Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.ip | string | Required | Parameters for the Get Malware for IP action |

Input Example

```json
{"path_parameters": {"ip": "0270.0254.0153.0362"}}
```

Output Parameters

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| malware | array | Output field malware |
| malware.family | array | Output field malware.family |
| malware.first | string | Output field malware.first |
| malware.last | string | Output field malware.last |
| malware.md5 | string | Output field malware.md5 |
| malware.origin | string | Output field malware.origin |
| malware.uri | string | Output field malware.uri |

Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"malware": [{}]}}
```

### Get Malware for URL

Returns the malware associated with the entered URL.

- Endpoint URL: `/url/malware/{{url}}`
- Method: GET

Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.url | string | Required | Parameters for the Get Malware for URL action |

Input Example

```json
{"path_parameters": {"url": "www.mediaget.com"}}
```

Output Parameters

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| malware | array | Output field malware |
| malware.count | number | Count value |
| malware.domain | string | Output field malware.domain |
| malware.filepath | string | Output field malware.filepath |
| malware.firstseen | string | Output field malware.firstseen |
| malware.host | string | Output field malware.host |
| malware.ip | string | Output field malware.ip |
| malware.lastseen | string | Output field malware.lastseen |
| malware.md5 | string | Output field malware.md5 |
| malware.origin | string | Output field malware.origin |
| malware.schema | string | Output field malware.schema |
| malware.type | string | Type of the resource |
| malware.uri | string | Output field malware.uri |

Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"count": 0, "malware": [{}]}}
```

### Get URL Category List

Returns a list of URL categories provided by XFE.

- Endpoint URL: `/url/categories`
- Method: GET

Output Parameters

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |

Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"name": "IBM", "description": "XForce"}}
```

### Get URL History

Returns the URL history for the entered URL.

- Endpoint URL: `/url/history/{{url}}`
- Method: GET

Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.url | string | Required | Parameters for the Get URL History action |

Input Example

```json
{"path_parameters": {"url": "www.ibm.com/smarterplanet"}}
```

Output Parameters

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| url | string | URL endpoint for the request |
| created | string | Output field created |
| cats | object | Output field cats |
| cats.deleted | boolean | Output field cats.deleted |
| cats.categoryname | object | Name of the resource |
| cats.categoryname.confidence | number | Unique identifier |
| cats.categoryname.reasons | array | Name of the resource |
| cats.categoryname.description | string | Name of the resource |
| cats.categoryname.deleted | boolean | Name of the resource |
| history | array | Output field history |
| history.url | string | URL endpoint for the request |
| history.created | string | Output field history.created |
| history.expired | string | Output field history.expired |
| history.cats | object | Output field history.cats |
| history.cats.deleted | boolean | Output field history.cats.deleted |
| history.cats.categoryname | object | Name of the resource |
| history.cats.categoryname.confidence | number | Unique identifier |
| history.cats.categoryname.reasons | array | Name of the resource |
| history.cats.categoryname.description | string | Name of the resource |
| history.cats.categoryname.deleted | boolean | Name of the resource |
| history.score | number | Score value |
| score | number | Score value |

Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"url": "www.ibm.com/smarterplanet", "created": "string", "cats": {"deleted": true, "categoryname": {}}, "history": [{}], "score": 9}}
```

### Get URL Report

Returns the URL report for the entered URL.

- Endpoint URL: `/url/{{url}}`
- Method: GET

Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.url | string | Required | Parameters for the Get URL Report action |

Input Example

```json
{"path_parameters": {"url": "ibm.com"}}
```

Output Parameters

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result.url | string | URL endpoint for the request |
| result.cats | object | Result of the operation |
| result.cats.category | boolean | Result of the operation |
| result.categorydescriptions | object | Result of the operation |
| result.categorydescriptions.category | string | Result of the operation |
| result.score | number | Result of the operation |
| associated | array | Output field associated |
| associated.url | string | URL endpoint for the request |
| associated.cats | object | Output field associated.cats |
| associated.cats.category | boolean | Output field associated.cats.category |
| associated.categorydescriptions | object | Output field associated.categorydescriptions |
| associated.categorydescriptions.category | string | Output field associated.categorydescriptions.category |
| associated.score | number | Score value |
| tags | array | Output field tags |
| tags.type | string | Type of the resource |
| tags.tag | string | Output field tags.tag |
| tags.entitytype | string | Type of the resource |
| tags.entityid | string | Unique identifier |
| tags.commentid | string | Unique identifier |
| tags.user | string | Output field tags.user |
| tags.date | string | Date value |
| tags.displayname | string | Name of the resource |

Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"result": {"url": "string", "cats": {}, "categorydescriptions": {}, "score": 9}, "associated": [{}], "tags": [{}]}}
```

### Get URL Updates of Deltas

The delta API provides the data as a bulk download ("base content") for each supported category.

- Endpoint URL: `/url/deltas`
- Method: GET

Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.category | string | Required | Parameters for the Get URL Updates of Deltas action |
| parameters.pull_id | number | Optional | Parameters for the Get URL Updates of Deltas action |

Input Example

```json
{"parameters": {"category": "Illegal Activities", "pull_id": 5423}}
```

Output Parameters

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.url | string | Response data |
| data.created | string | Response data |
| data.score | string | Response data |
| pullid | number | Unique identifier |
| createdat | string | Output field createdat |

Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"data": [{}], "pullid": 0, "createdat": "string"}}
```

### Get URLs by Category

Returns a list of URLs according to the category and date range.

- Endpoint URL: `/url`
- Method: GET

Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.category | string | Required | Parameters for the Get URLs by Category action |
| parameters.startdate | string | Optional | Parameters for the Get URLs by Category action |
| parameters.enddate | string | Optional | Parameters for the Get URLs by Category action |
| parameters.descending | string | Optional | Parameters for the Get URLs by Category action |
| parameters.limit | number | Optional | Parameters for the Get URLs by Category action |
| parameters.skip | number | Optional | Parameters for the Get URLs by Category action |

Input Example

```json
{"parameters": {"category": "Illegal Activities", "startdate": "2016-01-01T00:00:00Z", "enddate": "2016-01-01T00:00:00Z", "descending": "string", "limit": 200, "skip": 201}}
```

Output Parameters

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| category | string | Output field category |
| rows | array | Output field rows |
| rows.url | string | URL endpoint for the request |
| rows.created | string | Output field rows.created |
| nextpage | string | Output field nextpage |
| previouspage | string | Output field previouspage |

Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"category": "string", "rows": [{}], "nextpage": "string", "previouspage": "string"}}
```

### Wildcard Search Malware Family

Returns the malware associated with the entered family using wildcard search.

- Endpoint URL: `/malware/familyext/{{family}}`
- Method: GET

Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.family | string | Required | Parameters for the Wildcard Search Malware Family action |

Input Example

```json
{"path_parameters": {"family": "adw*"}}
```

Output Parameters

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| family | array | Output field family |
| firstseen | string | Output field firstseen |
| lastseen | string | Output field lastseen |
| malware | array | Output field malware |
| malware.created | string | Output field malware.created |
| malware.family | array | Output field malware.family |
| malware.md5 | string | Output field malware.md5 |
| malware.type | string | Type of the resource |

Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"count": 0, "family": ["string"], "firstseen": "2023-10-05T06:57:16.299Z", "lastseen": "2023-10-05T06:57:16.299Z", "malware": [{}]}}
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Access-Control-Allow-Credentials | HTTP response header Access-Control-Allow-Credentials | true |
| Cache-Control | Directives for caching mechanisms | private, no-cache, no-store, must-revalidate |
| CF-Cache-Status | HTTP response header CF-Cache-Status | DYNAMIC |
| CF-Ray | HTTP response header CF-Ray | 849e01c5db251bd6-BOM |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'test.cloud.ibm.com/analytics/build/bluemix-analytics.min.js' 'unsafe-inline' 'unsafe-eval' 'cloud.ibm.com/analytics/build/bluemix-analytics.min.js' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none' |
| Content-Type | The media type of the resource | application/json; charset=utf-8 |
| Date | The date and time at which the message was originated | Tue, 23 Jan 2024 06:33:45 GMT |
| ETag | An identifier for a specific version of a resource | W/"6716-o1ricwxfcssrmo9laifjxttpigu" |
| Expires | The date/time after which the response is considered stale | -1 |
| Pragma | HTTP response header Pragma | no-cache |
| Server | Information about the software used by the origin server | cloudflare |
| Server-Timing | HTTP response header Server-Timing | intid;desc=31fb7d7830c67ba0 |
| Set-Cookie | HTTP response header Set-Cookie | 1da94ed293a0cf87cb3996cfe5961f3d=e230bbaa856d049ddfdf51eff8f3d99a; path=/; HttpOnly; Secure; SameSite=None, __cfruid=e11de639963482f7adf5d705ba132213b0f0cae0-1705991625; path=/; domain=.ibmcloud.com; HttpOnly; Secure; SameSite=None |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=15552000; includeSubDomains; preload |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Origin, Accept-Encoding |
| X-Content-Security-Policy | HTTP response header X-Content-Security-Policy | default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'test.cloud.ibm.com/analytics/build/bluemix-analytics.min.js' 'unsafe-inline' 'unsafe-eval' 'cloud.ibm.com/analytics/build/bluemix-analytics.min.js' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none' |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-WebKit-CSP | HTTP response header X-WebKit-CSP | default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'test.cloud.ibm.com/analytics/build/bluemix-analytics.min.js' 'unsafe-inline' 'unsafe-eval' 'cloud.ibm.com/analytics/build/bluemix-analytics.min.js' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none' |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
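The lookup behind the Get IP Report action, written as an added Python example (not Swimlane's or IBM's code): it builds the HTTP Basic request to `/ipr/{ip}` on the documented base URL and reduces a response shaped like that action's output parameters (`history[]` and `subnets[]` entries carrying `score` and `cats`) to a short verdict a playbook can branch on. The sample response, the score threshold of 3, and the function names are constructed assumptions; credentials are sent as the asset's Username/Password pair.

```python
import base64
from urllib.parse import quote
from urllib.request import Request

# Base URL taken from the connector's documentation link.
XFORCE_BASE_URL = "https://api.xforce.ibmcloud.com"


def build_ip_report_request(ip: str, api_key: str, api_password: str) -> Request:
    """Build the GET /ipr/{ip} request that Get IP Report sends.

    Assumption: the asset's Username/Password fields map to the X-Force API
    key and API password, sent as HTTP Basic credentials."""
    token = base64.b64encode(f"{api_key}:{api_password}".encode()).decode()
    # quote() keeps an odd IP string from escaping the path segment.
    url = f"{XFORCE_BASE_URL}/ipr/{quote(ip, safe='')}"
    return Request(url, headers={"Authorization": f"Basic {token}",
                                 "Accept": "application/json"})


def summarize_ip_report(json_body: dict, threshold: float = 3.0) -> dict:
    """Reduce a Get IP Report json_body to a small verdict.

    Walks history[] and subnets[], takes the highest score seen and the
    union of category names from each entry's cats object, and reports the
    most recent history record. The threshold is a local policy assumption."""
    entries = list(json_body.get("history", [])) + list(json_body.get("subnets", []))
    max_score = max((float(e.get("score", 0)) for e in entries), default=0.0)
    categories = set()
    for e in entries:
        categories.update((e.get("cats") or {}).keys())
    # Most recent history record by its ISO-8601 'created' timestamp.
    history = sorted(json_body.get("history", []), key=lambda e: e.get("created", ""))
    latest = history[-1] if history else {}
    return {
        "ip": json_body.get("ip"),
        "max_score": max_score,
        "categories": sorted(categories),
        "latest_reason": latest.get("reason"),
        "latest_seen": latest.get("created"),
        "flagged": max_score >= threshold,
    }


# Constructed sample shaped like the Get IP Report output parameters (not real data).
SAMPLE_IP_REPORT = {
    "ip": "8.8.8.8",
    "history": [
        {"created": "2012-03-22T07:26:00.000Z", "reason": "Regional Internet Registry",
         "geo": {"country": "United States", "countrycode": "US"}, "ip": "8.0.0.0/9",
         "cats": {}, "categorydescriptions": {}, "score": 1},
        {"created": "2020-01-10T12:00:00.000Z", "reason": "Content found",
         "geo": {"country": "United States", "countrycode": "US"}, "ip": "8.8.8.8",
         "cats": {"Scanning IPs": 43}, "categorydescriptions": {}, "score": 4.3},
    ],
    "subnets": [
        {"created": "2012-03-22T07:26:00.000Z", "reason": "Regional Internet Registry",
         "reason_removed": False, "asns": {}, "ip": "8.0.0.0/9", "subnet": "8.0.0.0/9",
         "cats": {}, "categorydescriptions": {}, "score": 1},
    ],
}

if __name__ == "__main__":
    req = build_ip_report_request("8.8.8.8", "API_KEY_PLACEHOLDER", "API_PASSWORD_PLACEHOLDER")
    print(req.full_url, req.get_header("Authorization"))
    print(summarize_ip_report(SAMPLE_IP_REPORT))
```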