Sekoia Intelligence (CTI)
## Overview

The Sekoia Intelligence (CTI) connector enables streamlined access to a vast array of threat intelligence data, facilitating enhanced security operations and decision making. Sekoia Intelligence (CTI) is a cutting-edge cyber threat intelligence platform that provides actionable insights and detailed threat information. This connector enables Swimlane Turbine users to automate the retrieval of observables, contextual information, and indicators directly within their security workflows. By integrating with Sekoia Intelligence (CTI), users can enhance their threat detection and response capabilities, streamline investigations, and enrich their security data with minimal effort.

The Sekoia Intelligence (CTI) connector integrates with the Sekoia Intelligence (CTI) APIs to help organizations detect, analyze, and respond to cybersecurity threats.

## Prerequisites

To effectively utilize the Sekoia Intelligence (CTI) connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Bearer Token authentication with the following parameters:
  - URL: endpoint for the Sekoia Intelligence API
  - The API Key: your personal access token for authentication

## Capabilities

This connector provides the following capabilities:

- Get an Observable
- Get Indicators
- Get Indicator Context
- List Observables

## API Documentation Link

- https://docs.sekoia.io/cti/features/integrations/api/
- https://docs.sekoia.io/cti/develop/rest_api/intelligence/

## Configurations

### Sekoia Intelligence CTI HTTP Bearer Authentication

Authenticates using a bearer token.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token | The API Key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get an Observable

Retrieves detailed information about an observable from Sekoia Intelligence (CTI) using the specified UUID.

Endpoint URL: `/v2/inthreat/observables/{{uuid}}`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.uuid | string | required | Parameters for the Get an Observable action |

Input example:

```json
{"path_parameters": {"uuid": "domain-name--56772755-db50-5ef6-96ec-5c8ea374c641"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.spec_version | string | Response data |
| data.x_inthreat_sources_refs | array | Response data |
| data.x_inthreat_short_display | string | Response data |
| data.created | string | Response data |
| data.modified | string | Response data |
| data.value | string | Response data |

Output example (the `json_body` value is truncated on the page):

```json
{"status_code": 200, "response_headers": {"access-control-allow-origin": " ", "content-encoding": "gzip", "content-type": "application/json", "date": "Fri, 15 Mar 2024 11:00:31 GMT", "server": "nginx", "strict-transport-security": "max-age=63072000; includeSubDomains; preload", "vary": "Accept-Encoding", "x-content-type-options": "nosniff", "x-frame-options": "SAMEORIGIN", "x-powered-by": "sekoia webapi", "x-sekoia-traceid": "73ac468ca1a661d76c9aba1f88ee1fc3", "transfer-encoding": "chunked"}, "reason": "OK", "json_body": {"d
```

### Get Context by Object ID

Retrieve contextual information for a specified object within Sekoia Intelligence using the object's unique ID.

Endpoint URL: `/v2/inthreat/objects/{{object_id}}/context`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.object_id | string | required | Parameters for the Get Context by Object ID action |

Input example:

```json
{"path_parameters": {"object_id": "indicator--b6ead917-f0f9-41ae-a908-5b9d187db362"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| type | string | Type of the resource |
| objects | array | Output field objects |
| objects.id | string | Unique identifier |
| objects.type | string | Type of the resource |
| objects.created_by_ref | string | Output field objects.created_by_ref |
| objects.created | string | Output field objects.created |
| objects.modified | string | Output field objects.modified |
| objects.revoked | boolean | Output field objects.revoked |
| objects.external_references | array | Output field objects.external_references |
| objects.external_references.source_name | string | Name of the resource |
| objects.external_references.url | string | URL endpoint for the request |
| objects.object_marking_refs | array | Output field objects.object_marking_refs |
| objects.confidence | number | Unique identifier |
| objects.lang | string | Output field objects.lang |
| objects.spec_version | string | Output field objects.spec_version |
| objects.x_inthreat_sources_refs | array | Output field objects.x_inthreat_sources_refs |
| objects.x_ic_is_in_flint | boolean | Output field objects.x_ic_is_in_flint |
| objects.x_ic_deprecated | boolean | Output field objects.x_ic_deprecated |
| objects.name | string | Name of the resource |
| objects.description | string | Output field objects.description |
| objects.identity_class | string | Unique identifier |
| objects.sectors | array | Output field objects.sectors |

Output example (the `json_body` value is truncated on the page):

```json
{"status_code": 200, "response_headers": {"access-control-allow-origin": " ", "content-encoding": "gzip", "content-type": "application/json", "date": "Sun, 17 Mar 2024 10:12:53 GMT", "server": "nginx", "strict-transport-security": "max-age=63072000; includeSubDomains; preload", "vary": "Accept-Encoding", "x-content-type-options": "nosniff", "x-frame-options": "SAMEORIGIN", "x-powered-by": "sekoia webapi", "x-sekoia-traceid": "7c20c3e75a0271f0f7b68a4bb642556f", "transfer-encoding": "chunked"}, "reason": "OK", "json_body": {"i
```

### Get Indicators by Value

Retrieve indicators from Sekoia Intelligence (CTI) that match a specified value and type. Required parameters: `value`, `type`.

Endpoint URL: `/v2/inthreat/indicators`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.value | string | required | Value of the indicator |
| parameters.type | string | required | Type of the indicator |

Input example:

```json
{"parameters": {"value": "outlook.com", "type": "domain-name"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.id | string | Unique identifier |
| items.type | string | Type of the resource |
| items.created_by_ref | string | Output field items.created_by_ref |
| items.created | string | Output field items.created |
| items.modified | string | Output field items.modified |
| items.revoked | boolean | Output field items.revoked |
| items.external_references | array | Output field items.external_references |
| items.external_references.source_name | string | Name of the resource |
| items.external_references.description | string | Output field items.external_references.description |
| items.object_marking_refs | array | Output field items.object_marking_refs |
| items.confidence | number | Unique identifier |
| items.lang | string | Output field items.lang |
| items.spec_version | string | Output field items.spec_version |
| items.x_inthreat_sources_refs | array | Output field items.x_inthreat_sources_refs |
| items.x_ic_is_in_flint | boolean | Output field items.x_ic_is_in_flint |
| items.x_ic_impacted_sectors | array | Output field items.x_ic_impacted_sectors |
| items.x_ic_impacted_locations | array | Output field items.x_ic_impacted_locations |
| items.x_ic_deprecated | boolean | Output field items.x_ic_deprecated |
| items.name | string | Name of the resource |
| items.description | string | Output field items.description |
| items.pattern | string | Output field items.pattern |
| items.valid_from | string | Unique identifier |

Output example (the `json_body` value is truncated on the page):

```json
{"status_code": 200, "response_headers": {"access-control-allow-origin": " ", "content-encoding": "gzip", "content-type": "application/json", "date": "Fri, 15 Mar 2024 11:44:19 GMT", "server": "nginx", "strict-transport-security": "max-age=63072000; includeSubDomains; preload", "vary": "Accept-Encoding", "x-content-type-options": "nosniff", "x-frame-options": "SAMEORIGIN", "x-powered-by": "sekoia webapi", "x-sekoia-traceid": "748c93dbd1aaf8ce6962ac6e49d03225", "transfer-encoding": "chunked"}, "reason": "OK", "json_body": {"i
```

### Get Indicators Context by Value

Retrieve contextual information for indicators in Sekoia Intelligence (CTI) that match a specified value and type.

Endpoint URL: `/v2/inthreat/indicators/context`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.value | string | required | Value of the indicator |
| parameters.type | string | required | Type of the indicator |

Input example:

```json
{"parameters": {"value": "outlook.com", "type": "domain-name"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.id | string | Unique identifier |
| items.type | string | Type of the resource |
| items.objects | array | Output field items.objects |
| items.objects.id | string | Unique identifier |
| items.objects.type | string | Type of the resource |
| items.objects.created_by_ref | string | Output field items.objects.created_by_ref |
| items.objects.created | string | Output field items.objects.created |
| items.objects.modified | string | Output field items.objects.modified |
| items.objects.revoked | boolean | Output field items.objects.revoked |
| items.objects.external_references | array | Output field items.objects.external_references |
| items.objects.external_references.source_name | string | Name of the resource |
| items.objects.external_references.description | string | Output field items.objects.external_references.description |
| items.objects.object_marking_refs | array | Output field items.objects.object_marking_refs |
| items.objects.confidence | number | Unique identifier |
| items.objects.lang | string | Output field items.objects.lang |
| items.objects.spec_version | string | Output field items.objects.spec_version |
| items.objects.x_inthreat_sources_refs | array | Output field items.objects.x_inthreat_sources_refs |
| items.objects.x_ic_is_in_flint | boolean | Output field items.objects.x_ic_is_in_flint |
| items.objects.x_ic_impacted_sectors | array | Output field items.objects.x_ic_impacted_sectors |
| items.objects.x_ic_impacted_locations | array | Output field items.objects.x_ic_impacted_locations |
| items.objects.x_ic_deprecated | boolean | Output field items.objects.x_ic_deprecated |
| items.objects.name | string | Name of the resource |

Output example (the `json_body` value is truncated on the page):

```json
{"status_code": 200, "response_headers": {"access-control-allow-origin": " ", "content-encoding": "gzip", "content-type": "application/json", "date": "Fri, 15 Mar 2024 11:45:03 GMT", "server": "nginx", "strict-transport-security": "max-age=63072000; includeSubDomains; preload", "vary": "Accept-Encoding", "x-content-type-options": "nosniff", "x-frame-options": "SAMEORIGIN", "x-powered-by": "sekoia webapi", "x-sekoia-traceid": "45db9f877383e464e359aef97f6e2230", "transfer-encoding": "chunked"}, "reason": "OK", "json_body": {"i
```

### List Observables

Retrieve a list of observables from Sekoia Intelligence CTI for further analysis or correlation.

Endpoint URL: `/v2/inthreat/observables`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.with_indicated_threats | boolean | optional | Parameters for the List Observables action |
| parameters.offset | number | optional | Parameters for the List Observables action |
| parameters.limit | number | optional | Parameters for the List Observables action |
| parameters.match[type] | string | optional | Parameters for the List Observables action |
| parameters.match[hash] | string | optional | Parameters for the List Observables action |
| parameters.match[name] | string | optional | Parameters for the List Observables action |
| parameters.match[value] | string | optional | Parameters for the List Observables action |
| parameters.match[tag] | string | optional | Parameters for the List Observables action |
| parameters.match[valid_tag] | string | optional | Parameters for the List Observables action |
| parameters.match[id] | string | optional | Parameters for the List Observables action |
| parameters.match[source] | string | optional | Parameters for the List Observables action |

Input example:

```json
{"parameters": {"with_indicated_threats": false, "offset": 0, "limit": 100}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.id | string | Unique identifier |
| items.type | string | Type of the resource |
| items.spec_version | string | Output field items.spec_version |
| items.x_inthreat_sources_refs | array | Output field items.x_inthreat_sources_refs |
| items.x_inthreat_short_display | string | Output field items.x_inthreat_short_display |
| items.created | string | Output field items.created |
| items.modified | string | Output field items.modified |
| items.value | string | Value for the parameter |
| total | number | Output field total |
| has_more | boolean | Output field has_more |

Output example (the `json_body` value is truncated on the page):

```json
{"status_code": 200, "response_headers": {"access-control-allow-origin": " ", "content-encoding": "gzip", "content-type": "application/json", "date": "Fri, 15 Mar 2024 10:00:15 GMT", "server": "nginx", "strict-transport-security": "max-age=63072000; includeSubDomains; preload", "vary": "Accept-Encoding", "x-content-type-options": "nosniff", "x-frame-options": "SAMEORIGIN", "x-powered-by": "sekoia webapi", "x-sekoia-traceid": "f716669725314229ae782fa76a6fbaab", "transfer-encoding": "chunked"}, "reason": "OK", "json_body": {"i
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| access-control-allow-origin | HTTP response header access-control-allow-origin | |
| content-encoding | HTTP response header content-encoding | gzip |
| content-type | The media type of the resource | application/json |
| date | The date and time at which the message was originated | Fri, 15 Mar 2024 10:00:15 GMT |
| server | Information about the software used by the origin server | nginx |
| strict-transport-security | HTTP response header strict-transport-security | max-age=63072000; includeSubDomains; preload |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| vary | HTTP response header vary | Accept-Encoding |
| x-content-type-options | HTTP response header x-content-type-options | nosniff |
| x-frame-options | HTTP response header x-frame-options | SAMEORIGIN |
| x-powered-by | HTTP response header x-powered-by | sekoia webapi |
| x-sekoia-traceid | HTTP response header x-sekoia-traceid | 45db9f877383e464e359aef97f6e2230 |
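The configuration block and the action definitions above describe a small GET-only API: bearer-token authentication, two path-parameter endpoints, two value/type lookups, and one paginated listing driven by `offset`, `limit` and `has_more`. The following Python is an added example of how a workflow author might reproduce that behaviour outside the connector, for instance to test a playbook offline; it is not the connector's own code. The base URL `https://api.example.test`, the token `REPLACE_ME`, the `_demo_transport` stand-in and every observable it returns are constructed for the example. Only the `verify_ssl` and `http_proxy` handling in `urllib_transport` assumes how the connector applies those settings.

```python
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterator, Optional

# A transport takes (url, headers) and returns the parsed JSON body.
Transport = Callable[[str, Dict[str, str]], Dict[str, Any]]


@dataclass
class SekoiaConfig:
    """Mirrors the connector's configuration parameters from the page."""
    url: str                        # base URL of the target host
    token: str                      # the API key, sent as a bearer token
    verify_ssl: bool = True
    http_proxy: Optional[str] = None


def build_request(cfg: SekoiaConfig, path: str, query: Optional[Dict[str, Any]] = None):
    """Return (url, headers) for one GET call.
    Query values are URL-encoded; booleans are rendered lower-case so that
    with_indicated_threats=false matches the page's input example; None values are dropped."""
    url = cfg.url.rstrip("/") + path
    if query:
        encoded = {k: (str(v).lower() if isinstance(v, bool) else str(v))
                   for k, v in query.items() if v is not None}
        url += "?" + urllib.parse.urlencode(encoded)
    headers = {"Authorization": f"Bearer {cfg.token}", "Accept": "application/json"}
    return url, headers


def observable_path(uuid: str) -> str:
    """/v2/inthreat/observables/{{uuid}}; quoting keeps a malformed id from altering the path."""
    return "/v2/inthreat/observables/" + urllib.parse.quote(uuid, safe="")


def object_context_path(object_id: str) -> str:
    """/v2/inthreat/objects/{{object_id}}/context with the same quoting rule."""
    return "/v2/inthreat/objects/" + urllib.parse.quote(object_id, safe="") + "/context"


def urllib_transport(cfg: SekoiaConfig) -> Transport:
    """Real transport honouring verify_ssl and http_proxy (assumed semantics; not run offline)."""
    ctx = ssl.create_default_context()
    if not cfg.verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if cfg.http_proxy:
        handlers.append(urllib.request.ProxyHandler({"http": cfg.http_proxy, "https": cfg.http_proxy}))
    opener = urllib.request.build_opener(*handlers)

    def send(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=30) as resp:
            return json.load(resp)
    return send


def iter_observables(cfg: SekoiaConfig, transport: Transport, limit: int = 100,
                     with_indicated_threats: Optional[bool] = None, **match: str) -> Iterator[Dict[str, Any]]:
    """Walk /v2/inthreat/observables page by page until has_more is false.
    Keyword arguments become match[<key>] filters, e.g. type="domain-name" -> match[type]."""
    offset = 0
    while True:
        query: Dict[str, Any] = {"offset": offset, "limit": limit,
                                 "with_indicated_threats": with_indicated_threats}
        for key, value in match.items():
            query[f"match[{key}]"] = value
        url, headers = build_request(cfg, "/v2/inthreat/observables", query)
        page = transport(url, headers)
        items = page.get("items", [])
        for item in items:
            yield item
        if not page.get("has_more") or not items:   # stop on last page or an empty page
            return
        offset += len(items)


def _demo_transport(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    """Constructed offline stand-in for the API: two pages of made-up observables."""
    assert headers["Authorization"].startswith("Bearer ")
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    offset = int(q.get("offset", ["0"])[0])
    pages = {
        0: {"items": [{"id": "domain-name--aaaa", "type": "domain-name", "value": "example.test"},
                      {"id": "ipv4-addr--bbbb", "type": "ipv4-addr", "value": "192.0.2.10"}],
            "total": 3, "has_more": True},
        2: {"items": [{"id": "url--cccc", "type": "url", "value": "http://example.test/x"}],
            "total": 3, "has_more": False},
    }
    return pages[offset]


def demo() -> list:
    cfg = SekoiaConfig(url="https://api.example.test", token="REPLACE_ME")
    return [o["value"] for o in iter_observables(cfg, _demo_transport, limit=2,
                                                 with_indicated_threats=False, type="domain-name")]


if __name__ == "__main__":
    print(demo())
```

Swapping `_demo_transport` for `urllib_transport(cfg)` is the only change needed to run the same loop against a live tenant; keeping the transport injectable is what lets the pagination logic be tested without credentials.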
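Both indicator lookups require a `value` and a `type`, and their responses carry `revoked` and `x_ic_deprecated` flags that an enrichment step should honour before acting on a match. The example below, added here and not part of the connector, does three things with those fields: it derives the `type` parameter for an arbitrary observable string (the STIX type names other than `domain-name` are an assumption, as the page only shows that one), it flattens a Get Indicators by Value response into active/inactive verdicts, and it groups the related objects of a Get Indicators Context by Value response by STIX type while dropping revoked or deprecated ones. The `SAMPLE_INDICATORS` and `SAMPLE_CONTEXT` payloads are constructed to the shapes in the output tables above.

```python
import ipaddress
import re
from typing import Any, Dict, List, Optional

# md5 / sha1 / sha256 lengths; anything else is not treated as a hash
HEX_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def guess_stix_type(value: str) -> Optional[str]:
    """Pick the `type` parameter for an observable string, or None if it fits nothing.
    Type names follow STIX cyber-observable conventions (an assumption beyond the page)."""
    v = value.strip()
    if "://" in v:
        return "url"
    try:
        return "ipv4-addr" if ipaddress.ip_address(v).version == 4 else "ipv6-addr"
    except ValueError:
        pass
    if HEX_HASH.match(v):
        return "file"
    if EMAIL.match(v):          # checked before DOMAIN so the part after '@' is not mistaken for a host
        return "email-addr"
    if DOMAIN.match(v):
        return "domain-name"
    return None


def summarize_indicators(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten a Get Indicators by Value body into what an analyst acts on.
    An indicator is active only if it is neither revoked nor flagged x_ic_deprecated."""
    out = []
    for item in response.get("items", []):
        out.append({
            "id": item.get("id"),
            "pattern": item.get("pattern"),
            "valid_from": item.get("valid_from"),
            "confidence": item.get("confidence"),
            "active": not item.get("revoked", False) and not item.get("x_ic_deprecated", False),
            "sectors": list(item.get("x_ic_impacted_sectors", [])),
            "sources": [r["source_name"] for r in item.get("external_references", []) if r.get("source_name")],
        })
    return out


def related_by_type(context_response: Dict[str, Any]) -> Dict[str, List[str]]:
    """Group the objects of a Get Indicators Context by Value body by STIX type,
    skipping revoked or deprecated objects and de-duplicating names."""
    groups: Dict[str, set] = {}
    for item in context_response.get("items", []):
        for obj in item.get("objects", []):
            if obj.get("revoked") or obj.get("x_ic_deprecated"):
                continue
            groups.setdefault(obj.get("type", "unknown"), set()).add(obj.get("name") or obj.get("id"))
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample payloads shaped like the output tables on this page.
SAMPLE_INDICATORS = {"items": [
    {"id": "indicator--1111", "type": "indicator", "pattern": "[domain-name:value = 'bad.example.test']",
     "valid_from": "2024-03-01T00:00:00Z", "confidence": 70, "revoked": False, "x_ic_deprecated": False,
     "x_ic_impacted_sectors": ["identity--finance"], "external_references": [{"source_name": "Constructed report"}]},
    {"id": "indicator--2222", "type": "indicator", "pattern": "[domain-name:value = 'bad.example.test']",
     "valid_from": "2023-01-01T00:00:00Z", "confidence": 50, "revoked": True},
]}
SAMPLE_CONTEXT = {"items": [{"id": "indicator--1111", "type": "indicator", "objects": [
    {"id": "malware--aaaa", "type": "malware", "name": "ConstructedLoader", "revoked": False},
    {"id": "intrusion-set--bbbb", "type": "intrusion-set", "name": "Constructed Group", "revoked": False},
    {"id": "intrusion-set--cccc", "type": "intrusion-set", "name": "Old Alias", "revoked": True},
    {"id": "identity--finance", "type": "identity", "name": "Financial services", "identity_class": "class"},
]}]}


def demo() -> Dict[str, Any]:
    """Run the three steps on the constructed samples."""
    return {"type": guess_stix_type("bad.example.test"),
            "indicators": summarize_indicators(SAMPLE_INDICATORS),
            "related": related_by_type(SAMPLE_CONTEXT)}


if __name__ == "__main__":
    print(demo())
```

In a playbook the `active` flag, not the mere presence of a match, is what should gate an alert or a block: the revoked second indicator in the sample still matches the same pattern but must not raise severity.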