Pulsedive
## Overview

The Pulsedive connector allows for the integration of Pulsedive's comprehensive threat intelligence into security automation workflows. Pulsedive is a threat intelligence platform that provides real-time data on indicators of compromise (IOCs) and facilitates proactive cyber threat analysis. The Pulsedive connector for Swimlane Turbine allows users to integrate rich threat intelligence into their security workflows, enabling automated scanning, information retrieval, and comprehensive analysis of threats. By leveraging Pulsedive's capabilities, security teams can enhance their incident response with actionable insights, streamline investigations, and improve their overall security posture without the need for manual queries or coding.

### Limitations

None to date.

### Supported versions

This connector supports the latest version of the Pulsedive API.

### Additional docs

Links to the third-party vendor's API documentation:

- Pulsedive API documentation: https://pulsedive.com/api/indicators
- API documentation: https://pulsedive.com/api/indicators

## Configuration

### Prerequisites

To effectively utilize the Pulsedive connector within the Swimlane Turbine platform, ensure you have the following prerequisites:

- API key authentication with the necessary parameters:
  - URL: the endpoint URL for the Pulsedive API
  - API key: your unique authentication key provided by Pulsedive

### Authentication methods

The following authentication methods are supported for this connector:

- API key authentication
  - URL: the endpoint URL for the Pulsedive API
  - API key: your unique identifier to authenticate with the Pulsedive API

### Troubleshooting tips

- Ensure the API key has the necessary permissions.
- Verify that the API key is not expired or revoked.

## Capabilities

This connector provides the following capabilities:

- Add to the Queue
- Get Indicators by Indicator ID
- Get Indicator by Value
- Get Indicators Links
- Get Indicators Properties
- Retrieve the Result

### Add to the Queue

The first step to scanning an indicator is adding the indicator to the queue for processing. We can specify whether we want to perform an active scan for the indicator by setting the `probe` parameter to 0 for passive or 1 for active.

Pulsedive's documentation for this action can be found here: https://pulsedive.com/api/scan

### Get Indicators by Indicator ID

This query will return the latest properties if the `historical` parameter is omitted. To return all historical properties, you can set the `historical` parameter to 1. `schema` is an optional parameter to return associated attributes with the indicator type you are querying. For example, if you are querying google.com, the `schema` parameter will return only attributes associated with domains. Customizable indicator types is in the Pulsedive roadmap.

Pulsedive's documentation for this action can be found here: https://pulsedive.com/api/indicators

### Get Indicator by Value

This query is identical to querying by indicator ID, but the information is retrieved using the indicator value. Querying links and properties by indicator value won't work.

Pulsedive's documentation for this action can be found here: https://pulsedive.com/api/indicators

### Get Indicators Links

Retrieve links associated with specific indicators.

Pulsedive's documentation for this action can be found here: https://pulsedive.com/api/indicators

### Get Indicators Properties

You can bundle this request with the initial indicators request by setting the `historical` property to 1 in the initial request. Executing them separately, or omitting historical properties on the initial request, might be better for performance if you don't need all historical data.

Pulsedive's documentation for this action can be found here: https://pulsedive.com/api/indicators

### Retrieve the Result

Once we've added an indicator to the queue for analysis, we'll use the `qid` to check on the result. The `status` field will let us know if the request is still processing. Once we get a response that contains a success message, we'll know the scan is finished. The Pulsedive platform generally checks for results every 500 ms. The API request is only recorded when you add the indicator to the queue; we don't log requests when you check for analysis results, so this won't be marked against your rate limit. With that being said, we ask that you please do not abuse the request.

Pulsedive's documentation for this action can be found here: https://pulsedive.com/api/scan

## Configurations

### Pulsedive API Key Authentication

Authenticates using an API key.

#### Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| x_apikey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add to the Queue

Initiates the scanning process by adding an indicator to Pulsedive's queue, with options for passive or active scans.

- Endpoint URL: `/api/analyze.php`
- Method: `POST`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | optional | Response data |
| value | string | optional | Value for the parameter |
| probe | string | optional | Parameter for Add to the Queue |
| pretty | string | optional | Parameter for Add to the Queue |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | string | Whether the operation was successful |
| qid | number | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Tue, 19 Nov 2024 08:56:07 GMT",
      "Server": "Apache",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Content-Security-Policy": "default-src 'self'",
      "X-Content-Type-Options": "nosniff",
      "X-XSS-Protection": "1; mode=block",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "X-Requests-Remaining-Month": "488",
      "X-Requests-Remaining-Second": "0",
      "X-Requests-Remaining-Day": "43",
      "Content-Encoding": "gzip",
      "Vary": "Accept-Encoding",
      "Keep-Alive": "timeout=5, max=100",
      "Connection": "Keep-Alive",
      "Transfer-Encoding": "chunked"
    },
    "reason": "OK",
    "json_body": {
      "success": "Added request to queue.",
      "qid": 1520822174
    }
  }
]
```

### Get Indicators by Indicator ID

Retrieve current or historical properties of a Pulsedive indicator by its unique ID.

- Endpoint URL: `/api/info.php`
- Method: `GET`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| iid | string | optional | Indicator ID |
| historical | string | optional | Include historical properties |
| schema | string | optional | Include attribute schema |
| pretty | string | optional | Pretty-print JSON response |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| qid | object | Unique identifier |
| iid | number | Unique identifier |
| indicator | string | Output field indicator |
| type | string | Type of the resource |
| risk | string | Output field risk |
| risk_recommended | string | Output field risk_recommended |
| manualrisk | number | Output field manualrisk |
| retired | object | Output field retired |
| stamp_added | string | Output field stamp_added |
| stamp_updated | string | Output field stamp_updated |
| stamp_seen | string | Output field stamp_seen |
| stamp_probed | string | Output field stamp_probed |
| stamp_retired | object | Output field stamp_retired |
| recent | number | Output field recent |
| submissions | number | Output field submissions |
| umbrella_rank | object | Output field umbrella_rank |
| umbrella_domain | object | Output field umbrella_domain |
| riskfactors | array | Output field riskfactors |
| rfid | number | Unique identifier |
| description | string | Output field description |
| risk | string | Output field risk |
| redirects | object | Output field redirects |
| from | array | Output field from |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "qid": {},
      "iid": 123,
      "indicator": "string",
      "type": "string",
      "risk": "string",
      "risk_recommended": "string",
      "manualrisk": 123,
      "retired": {},
      "stamp_added": "string",
      "stamp_updated": "string",
      "stamp_seen": "string",
      "stamp_probed": "string",
      "stamp_retired": {},
      "recent": 123,
      "submissions": 123
    }
  }
]
```

### Get Indicators by Value

Retrieve detailed information for a specific indicator value from Pulsedive, excluding associated links and properties.

- Endpoint URL: `/api/info.php`
- Method: `GET`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| indicator | string | optional | Parameter for Get Indicators by Value |
| pretty | string | optional | Parameter for Get Indicators by Value |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| qid | object | Unique identifier |
| iid | number | Unique identifier |
| indicator | string | Output field indicator |
| type | string | Type of the resource |
| risk | string | Output field risk |
| risk_recommended | string | Output field risk_recommended |
| manualrisk | number | Output field manualrisk |
| retired | object | Output field retired |
| stamp_added | string | Output field stamp_added |
| stamp_updated | string | Output field stamp_updated |
| stamp_seen | string | Output field stamp_seen |
| stamp_probed | string | Output field stamp_probed |
| stamp_retired | object | Output field stamp_retired |
| recent | number | Output field recent |
| submissions | number | Output field submissions |
| umbrella_rank | object | Output field umbrella_rank |
| umbrella_domain | object | Output field umbrella_domain |
| riskfactors | array | Output field riskfactors |
| rfid | number | Unique identifier |
| description | string | Output field description |
| risk | string | Output field risk |
| redirects | object | Output field redirects |
| from | array | Output field from |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "qid": {},
      "iid": 123,
      "indicator": "string",
      "type": "string",
      "risk": "string",
      "risk_recommended": "string",
      "manualrisk": 123,
      "retired": {},
      "stamp_added": "string",
      "stamp_updated": "string",
      "stamp_seen": "string",
      "stamp_probed": "string",
      "stamp_retired": {},
      "recent": 123,
      "submissions": 123
    }
  }
]
```

### Get Indicators Links

Retrieve associated links for specific indicators from Pulsedive, aiding in comprehensive threat analysis.

- Endpoint URL: `/api/info.php`
- Method: `GET`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| indicator | string | optional | Parameter for Get Indicators Links |
| get | string | optional | Parameter for Get Indicators Links |
| pretty | string | optional | Parameter for Get Indicators Links |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| Active DNS | array | Output field Active DNS |
| iid | number | Unique identifier |
| indicator | string | Output field indicator |
| type | string | Type of the resource |
| risk | string | Output field risk |
| stamp_linked | string | Output field stamp_linked |
| summary | object | Output field summary |
| properties | object | Output field properties |
| whois | object | Output field whois |
| ++privacy | string | Output field ++privacy |
| ++gdpr | string | Output field ++gdpr |
| geo | object | Output field geo |
| country | string | Output field country |
| countrycode | string | Output field countrycode |
| region | string | Output field region |
| city | string | Output field city |
| http | object | Output field http |
| ++content-type | string | Type of the resource |
| ++code | string | Output field ++code |
| attributes | array | Output field attributes |
| domainiid | number | Unique identifier |
| domain | string | Output field domain |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 07 Nov 2024 06:53:39 GMT",
      "Server": "Apache",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Content-Security-Policy": "default-src 'self'",
      "X-Content-Type-Options": "nosniff",
      "X-XSS-Protection": "1; mode=block",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "X-Requests-Remaining-Second": "0",
      "X-Requests-Remaining-Day": "7",
      "Content-Encoding": "gzip",
      "Vary": "Accept-Encoding",
      "Keep-Alive": "timeout=5, max=100",
      "Connection": "Keep-Alive",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json"
    },
    "reason": "OK",
    "json_body": {
      "Active DNS": []
    }
  }
]
```

### Get Indicators Properties

Retrieve properties of Pulsedive indicators, with an option to include historical data for optimized performance.

- Endpoint URL: `/api/info.php`
- Method: `GET`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| iid | string | optional | Unique identifier |
| get | string | optional | Parameter for Get Indicators Properties |
| pretty | string | optional | Parameter for Get Indicators Properties |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| whois | array | Output field whois |
| pid | number | Unique identifier |
| stamp_seen | string | Output field stamp_seen |
| name | string | Name of the resource |
| value | string | Value for the parameter |
| latest | number | Output field latest |
| geo | array | Output field geo |
| pid | number | Unique identifier |
| stamp_seen | string | Output field stamp_seen |
| name | string | Name of the resource |
| value | string | Value for the parameter |
| latest | number | Output field latest |
| http | array | Output field http |
| pid | number | Unique identifier |
| stamp_seen | string | Output field stamp_seen |
| name | string | Name of the resource |
| value | string | Value for the parameter |
| latest | number | Output field latest |
| clean | number | Output field clean |
| risky | number | Output field risky |
| unique | number | Output field unique |
| ssl | array | Output field ssl |
| pid | number | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "whois": [],
      "geo": [],
      "http": [],
      "ssl": [],
      "dns": [],
      "meta": [],
      "banners": [],
      "dom": [],
      "cookies": []
    }
  }
]
```

### Retrieve the Result

Retrieve analysis results for an indicator in Pulsedive using the provided queue ID (`qid`).

- Endpoint URL: `/api/analyze.php`
- Method: `GET`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| qid | number | optional | Unique identifier |
| pretty | string | optional | Parameter for Retrieve the Result |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| error | string | Error message, if any |
| status | string | Status value |
| qid | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Tue, 19 Nov 2024 05:48:33 GMT",
      "Server": "Apache",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Content-Security-Policy": "default-src 'self'",
      "X-Content-Type-Options": "nosniff",
      "X-XSS-Protection": "1; mode=block",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "X-Requests-Remaining-Month": "492",
      "X-Requests-Remaining-Second": "0",
      "X-Requests-Remaining-Day": "47",
      "Content-Encoding": "gzip",
      "Vary": "Accept-Encoding",
      "Keep-Alive": "timeout=5, max=100",
      "Connection": "Keep-Alive",
      "Transfer-Encoding": "chunked"
    },
    "reason": "OK",
    "json_body": {
      "error": "Request(s) still processing.",
      "status": "processing",
      "qid": "1520725381"
    }
  }
]
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-store, no-cache, must-revalidate |
| Connection | HTTP response header Connection | Keep-Alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self' |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 07 Nov 2024 06:53:39 GMT |
| Keep-Alive | HTTP response header Keep-Alive | timeout=5, max=100 |
| Server | Information about the software used by the origin server | Apache |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Requests-Remaining-Day | HTTP response header X-Requests-Remaining-Day | 8 |
| X-Requests-Remaining-Month | HTTP response header X-Requests-Remaining-Month | 488 |
| X-Requests-Remaining-Second | HTTP response header X-Requests-Remaining-Second | 0 |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
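The queue-then-poll flow described under Add to the Queue and Retrieve the Result, as an added example that is not part of the connector or of Pulsedive's own code. It assumes a `transport` callable standing in for the HTTP client, that the API key travels as a `key` parameter, and a constructed shape for the finished response; the fake transport replays the `processing` response shown above before finishing.

```python
import time
from typing import Any, Callable, Dict

PULSEDIVE_URL = "https://pulsedive.com"  # base for /api/analyze.php
# transport(method, url, params) -> {"status_code": int, "json_body": dict};
# passing the key as a `key` parameter is an assumption of this example.
Transport = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]

def add_to_queue(value: str, api_key: str, transport: Transport, probe: int = 0) -> int:
    """POST the indicator; probe=0 passive, 1 active. Returns the qid.
    This is the only call that is counted against the Pulsedive rate limit."""
    if probe not in (0, 1):
        raise ValueError("probe must be 0 (passive) or 1 (active)")
    resp = transport("POST", f"{PULSEDIVE_URL}/api/analyze.php",
                     {"value": value, "probe": probe, "key": api_key})
    body = resp["json_body"]
    if resp["status_code"] != 200 or "qid" not in body:
        raise RuntimeError(f"queueing failed: {body.get('error', body)}")
    return int(body["qid"])

def retrieve_result(qid: int, api_key: str, transport: Transport,
                    interval: float = 0.5, max_polls: int = 20) -> Dict[str, Any]:
    """GET the queue entry until `status` is no longer "processing"."""
    for _ in range(max_polls):
        resp = transport("GET", f"{PULSEDIVE_URL}/api/analyze.php",
                         {"qid": qid, "key": api_key})
        body = resp["json_body"]
        if body.get("status") != "processing":
            return body  # finished, or an error the caller should inspect
        time.sleep(interval)  # Pulsedive itself checks about every 500 ms
    raise TimeoutError(f"qid {qid} still processing after {max_polls} polls")

def make_fake_transport(processing_polls: int = 2) -> Transport:
    """Constructed offline stand-in for HTTP that replays the responses above."""
    polls = {"n": 0}
    def transport(method: str, url: str, params: Dict[str, Any]) -> Dict[str, Any]:
        if method == "POST":
            return {"status_code": 200, "json_body":
                    {"success": "Added request to queue.", "qid": 1520822174}}
        polls["n"] += 1
        if polls["n"] <= processing_polls:
            return {"status_code": 200, "json_body": {
                "error": "Request(s) still processing.", "status": "processing",
                "qid": str(params["qid"])}}
        # The finished response shape is constructed; the page shows only "processing".
        return {"status_code": 200, "json_body": {"status": "success",
                "qid": str(params["qid"]), "data": {"indicator": "example.com"}}}
    return transport
```

Bounding the poll loop with `max_polls` keeps a stuck queue entry from turning a playbook step into an unbounded wait, and the fake transport lets the flow be exercised without spending a queue request.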