Sekoia Intelligence (CTI)
## Overview

Sekoia Intelligence (CTI) is a cyber threat intelligence platform that exposes observables, indicators and their surrounding context (threat actors, malware, campaigns, impacted sectors and locations) through a REST API. This connector lets Swimlane Turbine users retrieve observables, indicators and contextual information directly inside their security workflows, so that alerts can be enriched, investigations accelerated and detection and response decisions made on current threat data with minimal manual effort.

The connector calls the Sekoia Intelligence (CTI) REST API (`/v2/inthreat/...`) to help organizations detect, analyze and respond to cybersecurity threats.

## Prerequisites

To use the Sekoia Intelligence (CTI) connector within Swimlane Turbine, you need HTTP Bearer token authentication with the following parameters:

- **URL**: endpoint of the Sekoia Intelligence API (for example `https://api.sekoia.io`)
- **API key**: your personal access token, sent as a Bearer token on every request

Treat the API key as a secret: store it in a Swimlane credential, not in a workflow field, and rotate it if it is ever written to logs or exported playbooks.

## Capabilities

This connector provides the following capabilities:

- Get an Observable
- Get Indicators
- Get Indicator Context
- List Observables

## API Documentation

- Authentication: https://docs.sekoia.io/cti/features/integrations/api/
- Sekoia Intelligence (CTI) API reference: https://docs.sekoia.io/cti/develop/rest_api/intelligence/

## Configurations

### Sekoia Intelligence CTI HTTP Bearer Authentication

Authenticates with a Bearer token (`Authorization: Bearer <API key>`). Configuration parameters:

| Parameter | Description | Type | Required |
| --------- | ----------- | ---- | -------- |
| url | Base URL of the Sekoia Intelligence API | string | required |
| token | The API key (personal access token) | string | required |
| verify_ssl | Verify the API's TLS certificate. Leave enabled outside of isolated lab testing; disabling it lets any on-path proxy read the bearer token. | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get an Observable

Retrieves detailed information about an observable from Sekoia Intelligence (CTI) using its UUID.

**Endpoint URL:** `/v2/inthreat/observables/{{uuid}}`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| -------- | ---- | -------- | ----------- |
| uuid | string | required | Unique identifier of the observable |

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | The observable |
| data.id | string | Unique identifier of the observable |
| data.type | string | Observable type (for example `ipv4-addr`, `domain-name`) |
| data.spec_version | string | STIX specification version |
| data.x_inthreat_sources_refs | array | References to the sources the observable was collected from |
| data.x_inthreat_short_display | string | Short human-readable display value |
| data.created | string | Creation timestamp |
| data.modified | string | Last modification timestamp |
| data.value | string | Observable value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Access-Control-Allow-Origin": "*",
      "Content-Encoding": "gzip",
      "Content-Type": "application/json",
      "Date": "Fri, 15 Mar 2024 11:00:31 GMT",
      "Server": "nginx",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
      "Vary": "Accept-Encoding",
      "X-Content-Type-Options": "nosniff",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Powered-By": "Sekoia WebAPI",
      "X-Sekoia-Traceid": "73ac468ca1a661d76c9aba1f88ee1fc3",
      "Transfer-Encoding": "chunked"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Get Context by Object ID

Retrieves contextual information for a specified object within Sekoia Intelligence using the object's unique ID. The response is a STIX bundle whose `objects` array holds the related entities.

**Endpoint URL:** `/v2/inthreat/objects/{{object_id}}/context`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| -------- | ---- | -------- | ----------- |
| object_id | string | required | Unique identifier of the object |

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Bundle identifier |
| type | string | Resource type (`bundle`) |
| objects | array | Related STIX objects |
| objects.id | string | Unique identifier of the object |
| objects.type | string | STIX object type |
| objects.created_by_ref | string | Reference to the creating identity |
| objects.created | string | Creation timestamp |
| objects.modified | string | Last modification timestamp |
| objects.revoked | boolean | Whether the object has been revoked |
| objects.external_references | array | External references |
| objects.external_references.source_name | string | Name of the referenced source |
| objects.external_references.url | string | URL of the reference |
| objects.object_marking_refs | array | Marking definitions (for example TLP) applied to the object |
| objects.confidence | number | Confidence score of the object |
| objects.lang | string | Language of the text fields |
| objects.spec_version | string | STIX specification version |
| objects.x_inthreat_sources_refs | array | References to the sources the object was collected from |
| objects.x_ic_is_in_flint | boolean | Whether the object is included in the FLINT intelligence reports |
| objects.x_ic_deprecated | boolean | Whether Sekoia has deprecated the object |
| objects.name | string | Name of the object |
| objects.description | string | Description of the object |
| objects.identity_class | string | STIX identity class (identity objects only) |
| objects.sectors | array | Industry sectors (identity objects only) |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Access-Control-Allow-Origin": "*",
      "Content-Encoding": "gzip",
      "Content-Type": "application/json",
      "Date": "Sun, 17 Mar 2024 10:12:53 GMT",
      "Server": "nginx",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
      "Vary": "Accept-Encoding",
      "X-Content-Type-Options": "nosniff",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Powered-By": "Sekoia WebAPI",
      "X-Sekoia-Traceid": "7c20c3e75a0271f0f7b68a4bb642556f",
      "Transfer-Encoding": "chunked"
    },
    "reason": "OK",
    "json_body": {
      "id": "bundle--421d3aa7-846d-4702-9099-ba53c8510d0e",
      "type": "bundle",
      "objects": []
    }
  }
]
```

### Get Indicators by Value

Retrieves indicators from Sekoia Intelligence (CTI) that match a specified observable value and type. Both `value` and `type` are required. An empty `items` array means Sekoia holds no indicator for that value; it does not mean the value is benign.

**Endpoint URL:** `/v2/inthreat/indicators`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| -------- | ---- | -------- | ----------- |
| value | string | required | Value of the observable to look up (IP address, domain, URL, hash, ...) |
| type | string | required | Observable type of the value, for example `ipv4-addr` or `domain-name` |

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Matching indicators |
| items.id | string | Unique identifier of the indicator |
| items.type | string | STIX object type (`indicator`) |
| items.created_by_ref | string | Reference to the creating identity |
| items.created | string | Creation timestamp |
| items.modified | string | Last modification timestamp |
| items.revoked | boolean | Whether the indicator has been revoked |
| items.external_references | array | External references |
| items.external_references.source_name | string | Name of the referenced source |
| items.external_references.description | string | Description of the reference |
| items.object_marking_refs | array | Marking definitions (for example TLP) applied to the indicator |
| items.confidence | number | Confidence score of the indicator |
| items.lang | string | Language of the text fields |
| items.spec_version | string | STIX specification version |
| items.x_inthreat_sources_refs | array | References to the sources the indicator was collected from |
| items.x_ic_is_in_flint | boolean | Whether the indicator is included in the FLINT intelligence reports |
| items.x_ic_impacted_sectors | array | Sectors impacted by the associated threat |
| items.x_ic_impacted_locations | array | Locations impacted by the associated threat |
| items.x_ic_deprecated | boolean | Whether Sekoia has deprecated the indicator |
| items.name | string | Name of the indicator |
| items.description | string | Description of the indicator |
| items.pattern | string | STIX pattern the indicator matches on |
| items.valid_from | string | Start of the indicator's validity window (timestamp) |
| has_more | boolean | Whether more results are available |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Access-Control-Allow-Origin": "*",
      "Content-Encoding": "gzip",
      "Content-Type": "application/json",
      "Date": "Fri, 15 Mar 2024 11:44:19 GMT",
      "Server": "nginx",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
      "Vary": "Accept-Encoding",
      "X-Content-Type-Options": "nosniff",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Powered-By": "Sekoia WebAPI",
      "X-Sekoia-Traceid": "748c93dbd1aaf8ce6962ac6e49d03225",
      "Transfer-Encoding": "chunked"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "has_more": false
    }
  }
]
```

### Get Indicators Context by Value

Retrieves contextual information for the indicators in Sekoia Intelligence (CTI) that match a specified observable value and type. Each item is a bundle of related objects (threat actors, malware, campaigns, identities) for one matching indicator.

**Endpoint URL:** `/v2/inthreat/indicators/context`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| -------- | ---- | -------- | ----------- |
| value | string | required | Value of the observable to look up |
| type | string | required | Observable type of the value, for example `ipv4-addr` or `domain-name` |

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | One context bundle per matching indicator |
| items.id | string | Bundle identifier |
| items.type | string | Resource type (`bundle`) |
| items.objects | array | Related STIX objects |
| items.objects.id | string | Unique identifier of the object |
| items.objects.type | string | STIX object type |
| items.objects.created_by_ref | string | Reference to the creating identity |
| items.objects.created | string | Creation timestamp |
| items.objects.modified | string | Last modification timestamp |
| items.objects.revoked | boolean | Whether the object has been revoked |
| items.objects.external_references | array | External references |
| items.objects.external_references.source_name | string | Name of the referenced source |
| items.objects.external_references.description | string | Description of the reference |
| items.objects.object_marking_refs | array | Marking definitions (for example TLP) applied to the object |
| items.objects.confidence | number | Confidence score of the object |
| items.objects.lang | string | Language of the text fields |
| items.objects.spec_version | string | STIX specification version |
| items.objects.x_inthreat_sources_refs | array | References to the sources the object was collected from |
| items.objects.x_ic_is_in_flint | boolean | Whether the object is included in the FLINT intelligence reports |
| items.objects.x_ic_impacted_sectors | array | Sectors impacted by the threat |
| items.objects.x_ic_impacted_locations | array | Locations impacted by the threat |
| items.objects.x_ic_deprecated | boolean | Whether Sekoia has deprecated the object |
| items.objects.name | string | Name of the object |
| has_more | boolean | Whether more results are available |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Access-Control-Allow-Origin": "*",
      "Content-Encoding": "gzip",
      "Content-Type": "application/json",
      "Date": "Fri, 15 Mar 2024 11:45:03 GMT",
      "Server": "nginx",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
      "Vary": "Accept-Encoding",
      "X-Content-Type-Options": "nosniff",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Powered-By": "Sekoia WebAPI",
      "X-Sekoia-Traceid": "45db9f877383e464e359aef97f6e2230",
      "Transfer-Encoding": "chunked"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "has_more": false
    }
  }
]
```

### List Observables

Retrieves a list of observables from Sekoia Intelligence (CTI) for further analysis or correlation. Results are paginated with `offset` and `limit`; keep requesting while `has_more` is true. Note the size of the collection in the example (`total` above 110 million): always narrow the query with `match[...]` filters rather than walking the whole collection from a workflow.

**Endpoint URL:** `/v2/inthreat/observables`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| -------- | ---- | -------- | ----------- |
| with_indicated_threats | boolean | optional | Include the threats indicated by each observable |
| offset | number | optional | Number of results to skip (pagination) |
| limit | number | optional | Maximum number of results to return (pagination) |
| match[type] | string | optional | Filter by observable type |
| match[hash] | string | optional | Filter by hash value |
| match[name] | string | optional | Filter by name |
| match[value] | string | optional | Filter by observable value |
| match[tag] | string | optional | Filter by tag |
| match[valid_tag] | string | optional | Filter by currently valid tag |
| match[id] | string | optional | Filter by observable identifier |
| match[source] | string | optional | Filter by source |

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Observables in this page |
| items.id | string | Unique identifier of the observable |
| items.type | string | Observable type |
| items.spec_version | string | STIX specification version |
| items.x_inthreat_sources_refs | array | References to the sources the observable was collected from |
| items.x_inthreat_short_display | string | Short human-readable display value |
| items.created | string | Creation timestamp |
| items.modified | string | Last modification timestamp |
| items.value | string | Observable value |
| total | number | Total number of observables matching the query |
| has_more | boolean | Whether more pages are available |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Access-Control-Allow-Origin": "*",
      "Content-Encoding": "gzip",
      "Content-Type": "application/json",
      "Date": "Fri, 15 Mar 2024 10:00:15 GMT",
      "Server": "nginx",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
      "Vary": "Accept-Encoding",
      "X-Content-Type-Options": "nosniff",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Powered-By": "Sekoia WebAPI",
      "X-Sekoia-Traceid": "f716669725314229ae782fa76a6fbaab",
      "Transfer-Encoding": "chunked"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "total": 110533685,
      "has_more": true
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| ------ | ----------- | ------- |
| Access-Control-Allow-Origin | CORS allowed origins | * |
| Content-Encoding | Compression applied to the body | gzip |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Sun, 17 Mar 2024 10:12:53 GMT |
| Server | Information about the software used by the origin server | nginx |
| Strict-Transport-Security | HSTS policy; clients must keep using HTTPS | max-age=63072000; includeSubDomains; preload |
| Transfer-Encoding | Transfer encoding of the body | chunked |
| Vary | Request headers the response varies on | Accept-Encoding |
| X-Content-Type-Options | Disables MIME sniffing | nosniff |
| X-Frame-Options | Framing policy | SAMEORIGIN |
| X-Powered-By | Backend application identifier | Sekoia WebAPI |
| X-Sekoia-Traceid | Request trace identifier; quote it when opening a support case about a failed call | 748c93dbd1aaf8ce6962ac6e49d03225 |
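The following is an added example, not code from Swimlane or Sekoia, showing how a workflow would drive the endpoints documented above: Bearer authentication honouring the `verify_ssl` and `http_proxy` settings, `offset`/`limit` pagination over `/v2/inthreat/observables` until `has_more` is false, and triage of `/v2/inthreat/indicators` results that drops `revoked` and `x_ic_deprecated` indicators and applies a confidence floor. The `SekoiaCTI` class, the `Transport` callable, `fake_transport` and every sample indicator and observable are constructed for this demo (ids, values and patterns are made up); only the paths, query parameters and field names come from the connector documentation.

```python
"""Minimal Sekoia Intelligence (CTI) client for the connector's endpoints (example code)."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Transport signature: (method, url, headers) -> (status_code, parsed JSON body).
# Injecting it lets the same client run against the real API or an offline fake.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, dict]]


def urllib_transport(verify_ssl: bool = True, http_proxy: Optional[str] = None) -> Transport:
    """Real transport built on urllib; maps the connector's verify_ssl / http_proxy options."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # lab use only: an on-path proxy could then read the bearer token
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if http_proxy:
        handlers.append(urllib.request.ProxyHandler({"http": http_proxy, "https": http_proxy}))
    opener = urllib.request.build_opener(*handlers)

    def send(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        req = urllib.request.Request(url, method=method, headers=headers)
        try:
            with opener.open(req, timeout=30) as resp:
                return resp.getcode(), json.load(resp)
        except urllib.error.HTTPError as err:  # non-2xx: surface the status, no body needed
            return err.code, {}
    return send


class SekoiaCTI:
    def __init__(self, url: str, token: str, transport: Optional[Transport] = None,
                 verify_ssl: bool = True, http_proxy: Optional[str] = None):
        self.base = url.rstrip("/")
        self.headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
        self.send = transport or urllib_transport(verify_ssl, http_proxy)

    def _get(self, path: str, params: Optional[dict] = None) -> dict:
        query = "?" + urllib.parse.urlencode(params, doseq=True) if params else ""
        status, body = self.send("GET", self.base + path + query, self.headers)
        if status == 401:
            raise PermissionError("Sekoia API key rejected (HTTP 401)")
        if status != 200:
            raise RuntimeError(f"Sekoia API returned HTTP {status} for {path}")
        return body

    def get_observable(self, uuid: str) -> dict:
        return self._get(f"/v2/inthreat/observables/{urllib.parse.quote(uuid)}")["data"]

    def get_indicators(self, value: str, obs_type: str) -> List[dict]:
        return self._get("/v2/inthreat/indicators", {"value": value, "type": obs_type})["items"]

    def iter_observables(self, limit: int = 100, **match: str) -> Iterator[dict]:
        """Walk the paginated list; keyword args become match[...] filters (type='ipv4-addr')."""
        offset = 0
        while True:
            params: dict = {"offset": offset, "limit": limit}
            params.update({f"match[{k}]": v for k, v in match.items()})
            page = self._get("/v2/inthreat/observables", params)
            yield from page["items"]
            if not page.get("has_more") or not page["items"]:
                return
            offset += len(page["items"])


def live_indicators(items: List[dict], min_confidence: int = 50) -> List[dict]:
    """Keep indicators worth acting on: not revoked, not deprecated, confidence >= floor."""
    return [
        {"id": i["id"], "name": i.get("name"), "pattern": i.get("pattern"),
         "confidence": i.get("confidence", 0), "valid_from": i.get("valid_from")}
        for i in items
        if not i.get("revoked") and not i.get("x_ic_deprecated")
        and i.get("confidence", 0) >= min_confidence
    ]


# ---- constructed offline fake of the API (shape only; data is made up) ----
SAMPLE_INDICATORS = [
    {"id": "indicator--0001", "type": "indicator", "name": "C2 node", "confidence": 80,
     "revoked": False, "x_ic_deprecated": False, "valid_from": "2024-03-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"id": "indicator--0002", "type": "indicator", "name": "old sinkhole", "confidence": 90,
     "revoked": True, "x_ic_deprecated": False, "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"id": "indicator--0003", "type": "indicator", "name": "retired", "confidence": 70,
     "revoked": False, "x_ic_deprecated": True, "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"id": "indicator--0004", "type": "indicator", "name": "weak", "confidence": 20,
     "revoked": False, "x_ic_deprecated": False, "pattern": "[ipv4-addr:value = '198.51.100.7']"},
]
SAMPLE_OBSERVABLES = [{"id": f"ipv4-addr--{n:04d}", "type": "ipv4-addr",
                       "value": f"198.51.100.{n}"} for n in range(1, 6)]


def fake_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
    if headers.get("Authorization") != "Bearer demo-token":
        return 401, {}
    parsed = urllib.parse.urlparse(url)
    q = urllib.parse.parse_qs(parsed.query)
    if parsed.path == "/v2/inthreat/indicators":
        hit = q.get("value") == ["198.51.100.7"] and q.get("type") == ["ipv4-addr"]
        return 200, {"items": SAMPLE_INDICATORS if hit else [], "has_more": False}
    if parsed.path == "/v2/inthreat/observables":
        offset, limit = int(q.get("offset", ["0"])[0]), int(q.get("limit", ["100"])[0])
        page = SAMPLE_OBSERVABLES[offset:offset + limit]
        return 200, {"items": page, "total": len(SAMPLE_OBSERVABLES),
                     "has_more": offset + limit < len(SAMPLE_OBSERVABLES)}
    if parsed.path.startswith("/v2/inthreat/observables/"):
        return 200, {"data": SAMPLE_OBSERVABLES[0]}
    return 404, {}


if __name__ == "__main__":
    client = SekoiaCTI("https://api.sekoia.io", "demo-token", transport=fake_transport)
    print(live_indicators(client.get_indicators("198.51.100.7", "ipv4-addr")))
    print(sum(1 for _ in client.iter_observables(limit=2, type="ipv4-addr")))
```

Swap `fake_transport` for `urllib_transport(verify_ssl=True, http_proxy=...)` to talk to the real API. Keep the confidence floor and the revoked/deprecated filter in the workflow rather than blocking on every `items` entry: Sekoia keeps revoked indicators in the response so consumers can retire stale detections, and acting on them would re-block infrastructure the vendor has already withdrawn.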