Blocklist Generation using COAs, Indicators and Judgements with CTIA
Get An Access Token
```http
POST https://visibility.amp.cisco.com/iroh/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=xxx&client_secret=xxx
```
Import Bundle
Import a Bundle containing all the data you would expect to find on our systems in order to generate the Blocklist.
- Judgements, Indicators and Relationships are produced by CTR
For the purpose of this documentation we assume that all documents are on Private Intelligence. However, the COAs can also be pushed to Public Intel; in that case their TLP would be set to green and the requests listing the COAs should be made on Public Intel.
```http
POST https://private.intel.amp.cisco.com/ctia/bundle/import?external-key-prefixes=esa
Authorization: ${token}
Content-Type: application/json

{
  "type": "bundle",
  "source": "Feed Indicator with COA Example",
  "source_uri": "https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
  "indicators": [
    {
      "type": "indicator",
      "description": "A lookup table for IPs (IPv4 and IPv6) that are considered suspicious by security analysts",
      "valid_time": { "start_time": "2019-05-03T21:48:25.801Z", "end_time": "2020-06-03T21:48:25.801Z" },
      "producer": "Talos",
      "tags": [ "Suspicious IPs" ],
      "schema_version": "1.0.11",
      "source": "Feed Indicator with COA Example",
      "source_uri": "https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
      "external_ids": [ "esa-indicator-ec95b042572a11894fffe553555c44f5c88c9199aad23a925bb959daa501338e" ],
      "short_description": "Custom Suspicious IP Watchlist",
      "title": "Custom Suspicious IP Watchlist",
      "indicator_type": [ "IP Watchlist" ],
      "id": "transient:esa-indicator-ec95b042572a11894fffe553555c44f5c88c9199aad23a925bb959daa501338e",
      "severity": "High",
      "tlp": "amber",
      "confidence": "High"
    },
    {
      "type": "indicator",
      "description": "A lookup table for IPs (IPv4 and IPv6) that are considered malicious by security analysts",
      "valid_time": { "start_time": "2019-05-03T21:48:25.801Z", "end_time": "2020-06-03T21:48:25.801Z" },
      "producer": "Talos",
      "tags": [ "Malicious IPs" ],
      "schema_version": "1.0.11",
      "source": "Feed Indicator with COA Example",
      "source_uri": "https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
      "external_ids": [ "esa-indicator-ec95b042572a11894fffe553555c44f5c88c9199aad23a925bb959daa501339f" ],
      "short_description": "Custom Malicious IP Watchlist",
      "title": "Custom Malicious IP Watchlist",
      "indicator_type": [ "IP Watchlist" ],
      "id": "transient:esa-indicator-ec95b042572a11894fffe553555c44f5c88c9199aad23a925bb959daa501339f",
      "severity": "High",
      "tlp": "amber",
      "confidence": "High"
    }
  ],
  "judgements": [
    {
      "type": "judgement",
      "source": "Feed Indicator with COA Example",
      "source_uri": "https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
      "schema_version": "1.0.11",
      "valid_time": { "start_time": "2019-03-01T19:22:45.531Z", "end_time": "2019-03-31T19:22:45.531Z" },
      "observable": { "type": "ip", "value": "187.75.16.75" },
      "external_ids": [ "esa-judgement-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d498" ],
      "disposition": 2,
      "disposition_name": "Malicious",
      "priority": 95,
      "id": "transient:esa-judgement-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d498",
      "severity": "High",
      "tlp": "amber",
      "timestamp": "2019-03-01T19:22:45.531Z",
      "confidence": "High"
    },
    {
      "type": "judgement",
      "source": "Feed Indicator with COA Example",
      "schema_version": "1.0.11",
      "source_uri": "https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
      "valid_time": { "start_time": "2019-03-01T19:22:45.531Z", "end_time": "2019-03-31T19:22:45.531Z" },
      "observable": { "type": "ip", "value": "187.75.16.75" },
      "external_ids": [ "esa-judgement-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d499" ],
      "disposition": 3,
      "disposition_name": "Suspicious",
      "priority": 95,
      "id": "transient:esa-judgement-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d499",
      "severity": "High",
      "tlp": "amber",
      "timestamp": "2019-03-01T19:22:45.531Z",
      "confidence": "High"
    }
  ],
  "coas": [
    {
      "id": "transient:esa-coa-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d500",
      "type": "coa",
      "title": "Block IPs in Blacklist",
      "description": "Course of action to block IPs in a blacklist",
      "schema_version": "1.0.11",
      "timestamp": "2019-03-01T19:22:45.531Z",
      "tlp": "amber",
      "valid_time": { "start_time": "2019-03-01T19:22:45.531Z", "end_time": "2019-03-31T19:22:45.531Z" },
      "external_ids": [ "esa-coa-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d500" ],
      "source": "Feed Indicator with COA Example",
      "source_uri": "https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
      "stage": "Response",
      "coa_type": "Internal Blocking",
      "structured_coa_type": "openc2",
      "open_c2_coa": {
        "id": "foo",
        "type": "structured_coa",
        "action": { "type": "deny" },
        "modifiers": { "method": [ "blacklist" ] }
      }
    },
    {
      "id": "transient:esa-coa-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d501",
      "type": "coa",
      "title": "Observe IPs in watchlist",
      "description": "Course of action to watch for IPs in a watchlist",
      "schema_version": "1.0.11",
      "timestamp": "2019-03-01T19:22:45.531Z",
      "tlp": "amber",
      "valid_time": { "start_time": "2019-03-01T19:22:45.531Z", "end_time": "2019-03-31T19:22:45.531Z" },
      "external_ids": [ "esa-coa-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d501" ],
      "source": "Feed Indicator with COA Example",
      "source_uri": "https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
      "stage": "Response",
      "coa_type": "Monitoring",
      "structured_coa_type": "openc2",
      "open_c2_coa": {
        "id": "foo",
        "type": "structured_coa",
        "action": { "type": "alert" },
        "modifiers": { "method": [ "blacklist" ] }
      }
    }
  ],
  "relationships": [
    {
      "schema_version": "1.0.11",
      "type": "relationship",
      "external_ids": [ "esa-relationship-1c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a5c" ],
      "short_description": "COA - 'Block IPs in Blacklist' mitigates indicator - 'Custom Malicious IP Watchlist'",
      "title": "coa/indicator relationship",
      "external_references": [],
      "source_ref": "transient:esa-coa-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d500",
      "target_ref": "transient:esa-indicator-ec95b042572a11894fffe553555c44f5c88c9199aad23a925bb959daa501339f",
      "id": "transient:esa-relationship-1c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a5c",
      "tlp": "amber",
      "timestamp": "2019-05-08T18:03:32.785Z",
      "relationship_type": "mitigates"
    },
    {
      "schema_version": "1.0.11",
      "type": "relationship",
      "external_ids": [ "esa-relationship-1c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a6d" ],
      "short_description": "COA - 'Observe IPs in watchlist' applies to indicator - 'Custom Suspicious IP Watchlist'",
      "title": "coa/indicator relationship",
      "external_references": [],
      "source_ref": "transient:esa-coa-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d501",
      "target_ref": "transient:esa-indicator-ec95b042572a11894fffe553555c44f5c88c9199aad23a925bb959daa501338e",
      "id": "transient:esa-relationship-2c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a6d",
      "tlp": "amber",
      "timestamp": "2019-05-08T18:03:32.785Z",
      "relationship_type": "mitigates"
    },
    {
      "schema_version": "1.0.11",
      "type": "relationship",
      "external_ids": [ "esa-relationship-1c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a5c" ],
      "short_description": "Judgement is part of indicator - 'Custom Malicious IP Watchlist'",
      "title": "coa/indicator relationship",
      "external_references": [],
      "source_ref": "transient:esa-judgement-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d498",
      "target_ref": "transient:esa-indicator-ec95b042572a11894fffe553555c44f5c88c9199aad23a925bb959daa501339f",
      "id": "transient:esa-relationship-3c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a5c",
      "tlp": "amber",
      "timestamp": "2019-05-08T18:03:32.785Z",
      "relationship_type": "element-of"
    },
    {
      "schema_version": "1.0.11",
      "type": "relationship",
      "external_ids": [ "esa-relationship-1c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a6d" ],
      "short_description": "Judgement is part of indicator - 'Custom Suspicious IP Watchlist'",
      "title": "coa/indicator relationship",
      "external_references": [],
      "source_ref": "transient:esa-judgement-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d499",
      "target_ref": "transient:esa-indicator-ec95b042572a11894fffe553555c44f5c88c9199aad23a925bb959daa501338e",
      "id": "transient:esa-relationship-4c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a6d",
      "tlp": "amber",
      "timestamp": "2019-05-08T18:03:32.785Z",
      "relationship_type": "element-of"
    }
  ]
}
```
```json
{
  "results": [
    {
      "id": "https://private.intel.amp.cisco.com:443/ctia/indicator/indicator-21b1fd56-7171-4266-b99d-1430cc997d0b",
      "original_id": "transient:esa-indicator-ec95b042572a11894fffe553555c44f5c88c9199aad23a925bb959daa501339f",
      "result": "created",
      "type": "indicator"
    },
    {
      "id": "https://private.intel.amp.cisco.com:443/ctia/indicator/indicator-a73168e6-baf4-4171-9e17-6fa99040ae86",
      "original_id": "transient:esa-indicator-ec95b042572a11894fffe553555c44f5c88c9199aad23a925bb959daa501338e",
      "result": "created",
      "type": "indicator"
    },
    {
      "id": "https://private.intel.amp.cisco.com:443/ctia/judgement/judgement-679529a8-3e7a-4ff3-932d-8d7223c8d8c9",
      "original_id": "transient:esa-judgement-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d498",
      "result": "created",
      "type": "judgement"
    },
    {
      "id": "https://private.intel.amp.cisco.com:443/ctia/judgement/judgement-52172bb8-5d9e-420d-b46e-755c0f8e5f48",
      "original_id": "transient:esa-judgement-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d499",
      "result": "created",
      "type": "judgement"
    },
    {
      "id": "https://private.intel.amp.cisco.com:443/ctia/relationship/relationship-f6f74fd1-b48f-4df9-8591-6b3764cc5e55",
      "original_id": "transient:esa-relationship-1c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a5c",
      "result": "created",
      "type": "relationship"
    },
    {
      "id": "https://private.intel.amp.cisco.com:443/ctia/relationship/relationship-64a633c8-2919-4508-833e-6a29c2942475",
      "original_id": "transient:esa-relationship-2c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a6d",
      "result": "created",
      "type": "relationship"
    },
    {
      "id": "https://private.intel.amp.cisco.com:443/ctia/relationship/relationship-f76d2007-3c55-47ba-afad-258bc4dfa166",
      "original_id": "transient:esa-relationship-4c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a6d",
      "result": "created",
      "type": "relationship"
    },
    {
      "id": "https://private.intel.amp.cisco.com:443/ctia/relationship/relationship-d252f45a-c000-49f0-b12f-0ecdc45cf3ad",
      "original_id": "transient:esa-relationship-3c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a5c",
      "result": "created",
      "type": "relationship"
    },
    {
      "id": "https://private.intel.amp.cisco.com:443/ctia/coa/coa-1776202f-e5ca-4ce5-a3ce-8ed25208f3ec",
      "original_id": "transient:esa-coa-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d500",
      "result": "created",
      "type": "coa"
    },
    {
      "id": "https://private.intel.amp.cisco.com:443/ctia/coa/coa-6a0d8348-45cf-44f4-b759-c15ee027faa0",
      "original_id": "transient:esa-coa-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d501",
      "result": "created",
      "type": "coa"
    }
  ]
}
```
Fetch a COA
Start by fetching a COA, using the ID returned by the previous Import; here the one carrying the "block" action.
```http
GET https://private.intel.amp.cisco.com:443/ctia/coa/coa-dc2ab4c7-dade-4c15-aa1c-d1c0615d2825
Authorization: ${token}
Accept: application/json
```

```json
{
  "description": "Course of action to block IPs in a blacklist",
  "valid_time": { "start_time": "2019-03-01T19:22:45.531Z", "end_time": "2019-03-31T19:22:45.531Z" },
  "stage": "Response",
  "schema_version": "1.0.11",
  "type": "coa",
  "source": "Feed Indicator with COA Example",
  "external_ids": [ "esa-coa-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d500" ],
  "title": "Block IPs in Blacklist",
  "source_uri": "https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
  "coa_type": "Internal Blocking",
  "id": "https://private.intel.amp.cisco.com:443/ctia/coa/coa-dc2ab4c7-dade-4c15-aa1c-d1c0615d2825",
  "tlp": "amber",
  "timestamp": "2019-03-01T19:22:45.531Z",
  "open_c2_coa": {
    "type": "structured_coa",
    "id": "foo",
    "action": { "type": "deny" },
    "modifiers": { "method": [ "blacklist" ] }
  },
  "structured_coa_type": "openc2"
}
```
Fetch Relationships referencing the COA to block with the "mitigates" type
Then fetch the Relationships whose source_ref is this COA and pivot to the Indicators they target.
```http
GET https://private.intel.amp.cisco.com/ctia/relationship/search?query=*&source_ref=https://private.intel.amp.cisco.com:443/ctia/coa/coa-dc2ab4c7-dade-4c15-aa1c-d1c0615d2825&relationship_type=mitigates
Authorization: ${token}
Content-Type: application/json
```

```json
[
  {
    "schema_version": "1.0.11",
    "target_ref": "https://private.intel.amp.cisco.com:443/ctia/indicator/indicator-c4071d33-c1ac-4d7c-b588-1c3a30b2f6d5",
    "type": "relationship",
    "external_ids": [ "esa-relationship-1c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a5c" ],
    "short_description": "COA - 'Block IPs in Blacklist' mitigates indicator - 'Custom Malicious IP Watchlist'",
    "title": "coa/indicator relationship",
    "external_references": [],
    "source_ref": "https://private.intel.amp.cisco.com:443/ctia/coa/coa-dc2ab4c7-dade-4c15-aa1c-d1c0615d2825",
    "id": "https://private.intel.amp.cisco.com:443/ctia/relationship/relationship-727225ff-f81c-4cd0-979d-0c317bae4bc5",
    "tlp": "amber",
    "timestamp": "2019-05-08T18:03:32.785Z",
    "relationship_type": "mitigates"
  }
]
```
Fetch the Relationship Target Indicators
Retrieve every Indicator referenced as target_ref by the previous Relationships; here for one Indicator:
```http
GET https://private.intel.amp.cisco.com:443/ctia/indicator/indicator-c4071d33-c1ac-4d7c-b588-1c3a30b2f6d5
Authorization: ${token}
Accept: application/json
```

```json
{
  "description": "A lookup table for IPs (IPv4 and IPv6) that are considered malicious by security analysts",
  "tags": [ "Malicious IPs" ],
  "valid_time": { "start_time": "2019-05-03T21:48:25.801Z", "end_time": "2020-06-03T21:48:25.801Z" },
  "producer": "Talos",
  "schema_version": "1.0.11",
  "type": "indicator",
  "source": "Feed Indicator with COA Example",
  "external_ids": [ "esa-indicator-ec95b042572a11894fffe553555c44f5c88c9199aad23a925bb959daa501339f" ],
  "short_description": "Custom Malicious IP Watchlist",
  "title": "Custom Malicious IP Watchlist",
  "indicator_type": [ "IP Watchlist" ],
  "source_uri": "https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
  "id": "https://private.intel.amp.cisco.com:443/ctia/indicator/indicator-c4071d33-c1ac-4d7c-b588-1c3a30b2f6d5",
  "severity": "High",
  "tlp": "amber",
  "timestamp": "2019-05-22T20:52:14.581Z",
  "confidence": "High"
}
```
Pivot to the Judgements looking up Indicator Relationships
For every Indicator, fetch the "element-of" Relationships that point at it from Judgements; here for one Indicator:
```http
GET https://private.intel.amp.cisco.com/ctia/relationship/search?query=*&target_ref=https://private.intel.amp.cisco.com:443/ctia/indicator/indicator-c4071d33-c1ac-4d7c-b588-1c3a30b2f6d5&relationship_type=element-of
Authorization: ${token}
Accept: application/json
```

```json
[
  {
    "schema_version": "1.0.11",
    "target_ref": "https://private.intel.amp.cisco.com:443/ctia/indicator/indicator-c4071d33-c1ac-4d7c-b588-1c3a30b2f6d5",
    "type": "relationship",
    "external_ids": [ "esa-relationship-1c056c6ef8ace5057980b57f3eb07b916c84d94f7d1a340f41aba7630c459a5c" ],
    "short_description": "Judgement is part of indicator - 'Custom Malicious IP Watchlist'",
    "title": "coa/indicator relationship",
    "external_references": [],
    "source_ref": "https://private.intel.amp.cisco.com:443/ctia/judgement/judgement-6803f408-eb01-4b59-9a04-da874694a54e",
    "id": "https://private.intel.amp.cisco.com:443/ctia/relationship/relationship-2d63e7ce-058a-41e9-b6c2-5679d23a235d",
    "tlp": "amber",
    "timestamp": "2019-05-08T18:03:32.785Z",
    "relationship_type": "element-of"
  }
]
```
Finally, fetch each Judgement referenced as source_ref by those Relationships; here for one Judgement:
```http
GET https://private.intel.amp.cisco.com:443/ctia/judgement/judgement-6803f408-eb01-4b59-9a04-da874694a54e
Authorization: ${token}
Accept: application/json
```

```json
{
  "valid_time": { "start_time": "2019-03-01T19:22:45.531Z", "end_time": "2019-03-31T19:22:45.531Z" },
  "schema_version": "1.0.11",
  "observable": { "value": "187.75.16.75", "type": "ip" },
  "type": "judgement",
  "source": "Feed Indicator with COA Example",
  "external_ids": [ "esa-judgement-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d498" ],
  "disposition": 2,
  "source_uri": "https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
  "disposition_name": "Malicious",
  "priority": 95,
  "id": "https://private.intel.amp.cisco.com:443/ctia/judgement/judgement-6803f408-eb01-4b59-9a04-da874694a54e",
  "severity": "High",
  "tlp": "amber",
  "timestamp": "2019-03-01T19:22:45.531Z",
  "confidence": "High"
}
```
Extract the Observables from the Judgements and build the blocklist; each Judgement contributes its observable:

```json
{ "value": "187.75.16.75", "type": "ip" }
```
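The whole pivot chain above as one script. This is an added example, not code from the tutorial or from CTIA: it runs the COA to Indicator to Judgement to Observable walk against a constructed in-memory stand-in for the relationship search and document fetch endpoints, so it works offline, and adds two checks a practitioner wants before shipping a blocklist: only a COA whose OpenC2 action is `deny` feeds it, and Judgements outside their `valid_time` are dropped. `STORE`, `search_relationships` and `walk_blocklist` are assumed names; the shortened ids are constructed.

```python
"""Added example (not part of the CTIM tutorial): build a blocklist by walking
COA -> Indicator -> Judgement -> Observable over an in-memory CTIA stand-in."""
from datetime import datetime, timezone

# Constructed fixture modelled on the page's bundle; ids are shortened.
STORE = {
    "coa-block": {"type": "coa", "open_c2_coa": {"action": {"type": "deny"}}},
    "coa-watch": {"type": "coa", "open_c2_coa": {"action": {"type": "alert"}}},
    "ind-mal": {"type": "indicator", "title": "Custom Malicious IP Watchlist"},
    "ind-sus": {"type": "indicator", "title": "Custom Suspicious IP Watchlist"},
    "jud-mal": {"type": "judgement", "disposition": 2, "disposition_name": "Malicious",
                "observable": {"type": "ip", "value": "187.75.16.75"},
                "valid_time": {"start_time": "2019-03-01T19:22:45.531Z",
                               "end_time": "2019-03-31T19:22:45.531Z"}},
    "jud-sus": {"type": "judgement", "disposition": 3, "disposition_name": "Suspicious",
                "observable": {"type": "ip", "value": "187.75.16.75"},
                "valid_time": {"start_time": "2019-03-01T19:22:45.531Z",
                               "end_time": "2019-03-31T19:22:45.531Z"}},
}
RELATIONSHIPS = [  # same shape as the page's relationship documents
    {"source_ref": "coa-block", "target_ref": "ind-mal", "relationship_type": "mitigates"},
    {"source_ref": "coa-watch", "target_ref": "ind-sus", "relationship_type": "mitigates"},
    {"source_ref": "jud-mal", "target_ref": "ind-mal", "relationship_type": "element-of"},
    {"source_ref": "jud-sus", "target_ref": "ind-sus", "relationship_type": "element-of"},
]

def search_relationships(**fields):
    """Stand-in for GET /ctia/relationship/search?source_ref=...&relationship_type=..."""
    return [r for r in RELATIONSHIPS if all(r.get(k) == v for k, v in fields.items())]

def parse_ts(ts):
    """Parse the CTIM timestamp format used throughout the page."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def judgement_is_valid(judgement, now):
    """A Judgement only supports blocking while `now` lies inside its valid_time."""
    vt = judgement["valid_time"]
    return parse_ts(vt["start_time"]) <= now <= parse_ts(vt["end_time"])

def walk_blocklist(coa_id, now, store=STORE):
    """Return the set of (type, value) observables a blocking COA applies to."""
    coa = store[coa_id]
    # Only a COA whose OpenC2 action is "deny" feeds a blocklist; the page's
    # "alert" watchlist COA must never cause anything to be blocked.
    if coa["open_c2_coa"]["action"]["type"] != "deny":
        return set()
    blocklist = set()
    for rel in search_relationships(source_ref=coa_id, relationship_type="mitigates"):
        indicator_id = rel["target_ref"]  # pivot COA -> Indicator
        for jrel in search_relationships(target_ref=indicator_id, relationship_type="element-of"):
            judgement = store[jrel["source_ref"]]  # pivot Indicator -> Judgement
            if judgement["type"] == "judgement" and judgement_is_valid(judgement, now):
                obs = judgement["observable"]
                blocklist.add((obs["type"], obs["value"]))  # set dedupes repeated IPs
    return blocklist
```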