Skip to content
/ cifv3_responder Public

A Cortex Responder for submitting artifacts to CIFv3

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ckrez/cifv3_responder

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits

CIFv3

CIFv3

 
 

README.md

README.md

 
 

Repository files navigation

cifv3_responder

A Cortex responder for CIFv3

Responder will submit case and alert artifacts to a CIFv3 server.

Configuration Parameters:

  • CIF API URL
  • CIF API Token
  • Verify API SSL (True/False) (defaults to 'True')
  • Default confidence level for indicators (defaults to '5')
  • Default group to submit to (defaults to 'everyone')
  • TLP Map to map TheHive TLP (white, green, etc.) to a custom TLP, in the form of a JSON object. For example, to map 'amber' to 'privileged':

{"2": "privileged"}

See TheHive doc for TLP numerical values.

Artifact Tags:

  • Indicator tags (botnet, malware, etc.) are derived from artifact tags.
  • Confidence can be set on a per-artifact basis by adding the confidence:[0-10] tag to the artifact. If not specified, the default confidence level is used.
  • All other directive tags (e.g. key:value) are ignored

For example, a artifact with the tags phishing, malware, confidence:7 will create an indicator with the tag of phishing, malware at a confidence of 7.

About

A Cortex Responder for submitting artifacts to CIFv3

Topics

cif threatintel thehive cortex cifv3

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages