IBM X-Force
The IBM X-Force connector integrates with Swimlane to query IBM X-Force Exchange for malware, IP, and URL intelligence. Capabilities: this connector provides the following capabilities: Get IP Report; Get IP Reputation; Get Malware for Family; Get Malware for File Hash; Get Malware for IP; Get Malware for URL; Get URL Category List; Get URL History; Get URL Report; Get URL Updates of Deltas; Get URLs by Category; Wildcard Search Malware Family. Asset setup: the IBM X-Force asset requires a URL, an API key, and an API password. Documentation: API doc https://api.xforce.ibmcloud.com. Configurations: HTTP Basic Authentication — authenticates using username and password; the X-Force API key is supplied as the Username and the API password as the Password. Because Basic Authentication sends the credential on every request, the connector should only talk to the target host over a validated TLS connection (see Verify SSL below). Configuration parameters (parameter, description, type, required): URL — a URL to the target host (string, required). Username — username (string, required). Password — password (string, required). Verify SSL — verify the SSL/TLS certificate of the target host (boolean, optional); disabling this lets a man-in-the-middle intercept the Basic Authentication credential, so leave it enabled unless deliberately testing against a host with a self-signed certificate. HTTP Proxy — a proxy to route requests through (string, optional).
object output field cats subnet string output field subnet example \[ { "status code" 200, "response headers" { "date" "tue, 23 jan 2024 06 33 45 gmt", "content type" "application/json; charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive", "server timing" "intid;desc=31fb7d7830c67ba0", "x xss protection" "1; mode=block", "content security policy" "default src 'self'; script src 'self' 'unsafe inline' 'unsafe eval' 'test cloud ", "x content security policy" "default src 'self'; script src 'self' 'unsafe inline' 'unsafe eval' 'test cloud ", "x webkit csp" "default src 'self'; script src 'self' 'unsafe inline' 'unsafe eval' 'test cloud ", "x content type options" "nosniff", "vary" "origin, accept encoding", "access control allow credentials" "true", "strict transport security" "max age=15552000; includesubdomains; preload", "cache control" "private, no cache, no store, must revalidate", "expires" " 1" }, "reason" "ok", "json body" { "ip" "8 8 8 8", "history" \[], "subnets" \[], "cats" {}, "geo" {}, "score" 1, "reason" "regional internet registry", "reasondescription" "one of the five rirs announced a (new) location mapping of the ip ", "categorydescriptions" {}, "tags" \[] } } ] get ip reputation returns the ip reputation report for the entered ip endpoint url /ipr/history/{{ip}} method get input argument name type required description ip string required parameter for get ip reputation output parameter type description status code number http status code of the response reason string response reason phrase ip string output field ip history array output field history created string output field created geo object output field geo country string output field country countrycode string output field countrycode ip string output field ip reason string response reason phrase reasondescription string response reason phrase malware extended object output field malware extended botnet string output field botnet lat number output field lat long number output 
field long city string output field city cc string output field cc country number output field country isnew boolean output field isnew deleted boolean output field deleted reason removed boolean response reason phrase categorydescriptions object output field categorydescriptions key string output field key value string value for the parameter cats object output field cats example \[ { "status code" 200, "response headers" {}, "reason" "ok", "json body" { "ip" "216 137 61 0x08", "history" \[] } } ] get malware report for file hash returns a malware report for the given file hash, for example, md5, sha1 and sha256 endpoint url /malware/{{filehash}} method get input argument name type required description filehash string required parameter for get malware report for file hash output parameter type description status code number http status code of the response reason string response reason phrase malware object output field malware created string output field created type string type of the resource family array output field family familymembers object output field familymembers md5 string output field md5 mimetype string type of the resource origins object output field origins cncservers object output field cncservers rows array output field rows count number count value domain string output field domain filepath string output field filepath firstseen string output field firstseen host string output field host ip string output field ip lastseen string output field lastseen md5 string output field md5 origin string output field origin schema string output field schema type string type of the resource uri string output field uri downloadservers object output field downloadservers example \[ { "status code" 200, "response headers" {}, "reason" "ok", "json body" { "malware" {}, "tags" \[] } } ] get malware for family returns the malware associated with the entered family using wildcard search endpoint url /malware/family/{{family}} method get input argument name type 
required description family string required parameter for get malware for family output parameter type description status code number http status code of the response reason string response reason phrase count number count value family array output field family firstseen string output field firstseen lastseen string output field lastseen malware array output field malware created string output field created family array output field family md5 string output field md5 type string type of the resource example \[ { "status code" 200, "response headers" {}, "reason" "ok", "json body" { "count" 0, "family" \[], "firstseen" "2023 10 05t06 52 16 276z", "lastseen" "2023 10 05t06 52 16 276z", "malware" \[] } } ] get malware for ip returns the malware associated with the entered ip endpoint url /ipr/malware/{{ip}} method get input argument name type required description ip string required parameter for get malware for ip output parameter type description status code number http status code of the response reason string response reason phrase malware array output field malware family array output field family first string output field first last string output field last md5 string output field md5 origin string output field origin uri string output field uri example \[ { "status code" 200, "response headers" {}, "reason" "ok", "json body" { "malware" \[] } } ] get malware for url returns the malware associated with the entered url endpoint url /url/malware/{{url}} method get input argument name type required description url string required url endpoint for the request output parameter type description status code number http status code of the response reason string response reason phrase count number count value malware array output field malware count number count value domain string output field domain filepath string output field filepath firstseen string output field firstseen host string output field host ip string output field ip lastseen string output field lastseen 
md5 string output field md5 origin string output field origin schema string output field schema type string type of the resource uri string output field uri example \[ { "status code" 200, "response headers" {}, "reason" "ok", "json body" { "count" 0, "malware" \[] } } ] get url category list return a list of url categories provided by xfe endpoint url /url/categories method get output parameter type description status code number http status code of the response reason string response reason phrase name string name of the resource description string output field description example \[ { "status code" 200, "response headers" {}, "reason" "ok", "json body" { "name" "ibm", "description" "xforce" } } ] get url history returns the url history for the entered url endpoint url /url/history/{{url}} method get input argument name type required description url string required url endpoint for the request output parameter type description status code number http status code of the response reason string response reason phrase url string url endpoint for the request created string output field created cats object output field cats deleted boolean output field deleted categoryname object name of the resource confidence number unique identifier reasons array response reason phrase description string output field description deleted boolean output field deleted history array output field history url string url endpoint for the request created string output field created expired string output field expired cats object output field cats deleted boolean output field deleted categoryname object name of the resource confidence number unique identifier reasons array response reason phrase description string output field description deleted boolean output field deleted score number score value score number score value example \[ { "status code" 200, "response headers" {}, "reason" "ok", "json body" { "url" "www ibm com/smarterplanet", "created" "string", "cats" {}, "history" \[], 
"score" 9 } } ] get url report returns the url report for the entered url endpoint url /url/{{url}} method get input argument name type required description url string required url endpoint for the request output parameter type description status code number http status code of the response reason string response reason phrase result object result of the operation url string url endpoint for the request cats object output field cats category boolean output field category categorydescriptions object output field categorydescriptions category string output field category score number score value associated array output field associated url string url endpoint for the request cats object output field cats category boolean output field category categorydescriptions object output field categorydescriptions category string output field category score number score value tags array output field tags type string type of the resource tag string output field tag entitytype string type of the resource entityid string unique identifier commentid string unique identifier user string output field user date string date value displayname string name of the resource example \[ { "status code" 200, "response headers" {}, "reason" "ok", "json body" { "result" {}, "associated" \[], "tags" \[] } } ] get url updates of deltas the delta api provides the data as a bulk download ("base content") for each category supported endpoint url /url/deltas method get input argument name type required description category string required parameter for get url updates of deltas pull id number optional unique identifier output parameter type description status code number http status code of the response reason string response reason phrase data array response data url string url endpoint for the request created string output field created score string score value pullid number unique identifier createdat string output field createdat example \[ { "status code" 200, "response headers" {}, "reason" 
"ok", "json body" { "data" \[], "pullid" 0, "createdat" "string" } } ] get urls by category return a list of urls according to the category and date range endpoint url /url method get input argument name type required description category string required parameter for get urls by category startdate string optional date value enddate string optional date value descending string optional parameter for get urls by category limit number optional parameter for get urls by category skip number optional parameter for get urls by category output parameter type description status code number http status code of the response reason string response reason phrase category string output field category rows array output field rows url string url endpoint for the request created string output field created nextpage string output field nextpage previouspage string output field previouspage example \[ { "status code" 200, "response headers" {}, "reason" "ok", "json body" { "category" "string", "rows" \[], "nextpage" "string", "previouspage" "string" } } ] wildcard search malware family returns the malware associated with the entered family using wildcard search endpoint url /malware/familyext/{{family}} method get input argument name type required description family string required parameter for wildcard search malware family output parameter type description status code number http status code of the response reason string response reason phrase count number count value family array output field family firstseen string output field firstseen lastseen string output field lastseen malware array output field malware created string output field created family array output field family md5 string output field md5 type string type of the resource example \[ { "status code" 200, "response headers" {}, "reason" "ok", "json body" { "count" 0, "family" \[], "firstseen" "2023 10 05t06 57 16 299z", "lastseen" "2023 10 05t06 57 16 299z", "malware" \[] } } ] response headers header description 
example access control allow credentials http response header access control allow credentials true cache control directives for caching mechanisms private, no cache, no store, must revalidate cf cache status http response header cf cache status dynamic cf ray http response header cf ray 849e01c5db251bd6 bom connection http response header connection keep alive content encoding http response header content encoding gzip content security policy http response header content security policy default src 'self'; script src 'self' 'unsafe inline' 'unsafe eval' 'test cloud ibm com/analytics/build/bluemix analytics min js' 'unsafe inline' 'unsafe eval' 'cloud ibm com/analytics/build/bluemix analytics min js' 'unsafe inline' 'unsafe eval'; style src 'self' 'unsafe inline'; object src 'none' content type the media type of the resource application/json; charset=utf 8 date the date and time at which the message was originated tue, 23 jan 2024 06 33 45 gmt etag an identifier for a specific version of a resource w/"6716 o1ricwxfcssrmo9laifjxttpigu" expires the date/time after which the response is considered stale 1 pragma http response header pragma no cache server information about the software used by the origin server cloudflare server timing http response header server timing intid;desc=31fb7d7830c67ba0 set cookie http response header set cookie 1da94ed293a0cf87cb3996cfe5961f3d=e230bbaa856d049ddfdf51eff8f3d99a; path=/; httponly; secure; samesite=none, cfruid=e11de639963482f7adf5d705ba132213b0f0cae0 1705991625; path=/; domain= ibmcloud com; httponly; secure; samesite=none strict transport security http response header strict transport security max age=15552000; includesubdomains; preload transfer encoding http response header transfer encoding chunked vary http response header vary origin, accept encoding x content security policy http response header x content security policy default src 'self'; script src 'self' 'unsafe inline' 'unsafe eval' 'test cloud ibm 
com/analytics/build/bluemix analytics min js' 'unsafe inline' 'unsafe eval' 'cloud ibm com/analytics/build/bluemix analytics min js' 'unsafe inline' 'unsafe eval'; style src 'self' 'unsafe inline'; object src 'none' x content type options http response header x content type options nosniff x webkit csp http response header x webkit csp default src 'self'; script src 'self' 'unsafe inline' 'unsafe eval' 'test cloud ibm com/analytics/build/bluemix analytics min js' 'unsafe inline' 'unsafe eval' 'cloud ibm com/analytics/build/bluemix analytics min js' 'unsafe inline' 'unsafe eval'; style src 'self' 'unsafe inline'; object src 'none' x xss protection http response header x xss protection 1; mode=block