{"type":"api","title":"Find Observables","meta":{"id":"/apps/pubhub/media/cisco-xdr-api-docs/f4e065ff5977829c89df289df08411f83205f526/1a3dc6e7-b8dd-3b25-8a9a-23da1377f2da","info":{"title":"Inspect Web Service","description":"Extract Observables from text","contact":{"name":"Cisco Security Business Group -- Advanced Threat","email":"cisco-intel-api-support@cisco.com"},"license":{"name":"All Rights Reserved","url":"https://www.cisco.com"},"version":"1.0.107"},"security":[{"oAuth2":["integration:read","private-intel:read","profile:read","inspect:read","users:read","invite:read","enrich:read","oauth:read","response:read","global-intel:read","ao:read","playbook:read"]}],"tags":[{"name":"Inspect","description":"Inspect related routes"}],"x-parser-conf":{"serverConfig":"select","overview":{"markdownPath":"reference/inspect/overview.md","uri":"inspect-api-guide"},"disableAuthEditing":true,"exampleAsDefault":true,"oAuth2":{"clientId":"client-546e34fc-c6bf-4951-ac69-f6d7987a7814","clientSecret":"MYw4_E_tBdFwUwrX6WFYKVD5LQrG2k7XrJ5J046wWE0s1gAKCxJ8VA","proxyEnabled":false},"meta":{"useProxy":true}},"openapi":"3.0.1","servers":[{"url":"https://visibility.amp.cisco.com"}],"securitySchemes":{"oAuth2":{"type":"oauth2","flows":{"clientCredentials":{"tokenUrl":"https://visibility.amp.cisco.com/iroh/oauth2/token","scopes":{"telemetry":"Collect application data for analytics","integration:read":"Manage your modules","private-intel:read":"Access Private Intelligence","admin":"Provide admin privileges","cognitive":"Cognitive Integration","profile:read":"Get your profile information","inspect:read":"Extract Observables and data from text","asset":"Access and modify your assets","event":"Read IROH Events","feedback":"Submit Customer Feedback","sse":"SSE Integration. 
Manage your Devices.","registry":"Manage registry entries","users:read":"Manage users of your organization","investigation":"Perform threat analysis investigation","invite:read":"Invite users into your organization","casebook":"Access and modify your casebooks","playbook":"Access and modify your playbooks","orbital":"Orbital Integration.","enrich:read":"Query your configured modules for threat intelligence","oauth:read":"Manage OAuth2 Clients","vault":"Grants access to Module Vaults","response:read":"List and execute response actions using configured modules","notification":"Receive notifications from integrations","global-intel:read":"Access AMP Global Intelligence","webhook":"Manage your Webhooks","ao:read":"AO Integration."}}}}}},"spec":{"tags":["Inspect"],"summary":"Find Observables","description":"[required scopes](/iroh/doc/iroh-auth/#scopes): `inspect:read`\n\nDetects and returns observables from plain text. The `security` list for this operation names further scopes, but the 403 example reports only `inspect:read` under `required-scopes`, so a client that calls just this route should be issued that scope alone.","operationId":"findObservables","requestBody":{"content":{"application/json":{"schema":{"required":["content"],"type":"object","properties":{"content":{"type":"string","description":"Text to inspect for observables.","example":"1.2.3.4 foo bar xyz.com www.xyz.com"}},"additionalProperties":false,"$$ref":"#/components/schemas/StrContent"}},"application/x-yaml":{"schema":{"required":["content"],"type":"object","properties":{"content":{"type":"string","description":"Text to inspect for observables.","example":"1.2.3.4 foo bar xyz.com www.xyz.com"}},"additionalProperties":false,"$$ref":"#/components/schemas/StrContent"}},"application/edn":{"schema":{"required":["content"],"type":"object","properties":{"content":{"type":"string","description":"Text to inspect for observables.","example":"1.2.3.4 foo bar xyz.com www.xyz.com"}},"additionalProperties":false,"$$ref":"#/components/schemas/StrContent"}},"application/transit+json":{"schema":{"required":["content"],"type":"object","properties":{"content":{"type":"string","description":"Text to inspect for 
observables.","example":"1.2.3.4 foo bar xyz.com www.xyz.com"}},"additionalProperties":false,"$$ref":"#/components/schemas/StrContent"}},"application/transit+msgpack":{"schema":{"required":["content"],"type":"object","properties":{"content":{"type":"string","description":"Text to inspect for observables.","example":"1.2.3.4 foo bar xyz.com www.xyz.com"}},"additionalProperties":false,"$$ref":"#/components/schemas/StrContent"}}},"required":true},"responses":{"200":{"description":"Success","content":{"application/json":{"schema":{"uniqueItems":true,"type":"array","items":{"required":["type","value"],"type":"object","properties":{"value":{"type":"string","description":"The value of the observable.","example":"1.2.3.4"},"type":{"type":"string","description":"The type of observable.","example":"ip","enum":["file_path","mac_address","trend_micro_id","cybereason_id","process_args","s1_agent_id","device","hostname","certificate_common_name","serial_number","meraki_network_id","url","certificate_serial","meraki_org_id","cisco_cm_id","registry_key","process_path","darktrace_id","process_username","cortex_agent_id","orbital_node_id","process_uid","ngfw_name","user","certificate_issuer","ipv6","email","cisco_uc_id","sha256","crowdstrike_id","sha1","registry_name","md5","ip","domain","email_subject","imei","ngfw_id","amp_computer_guid","ms_machine_id","mutex","processor_id","swc_device_id","registry_path","odns_identity","odns_identity_label","cisco_mid","process_name","pki_serial","meraki_node_sn","email_messageid","imsi","user_agent","process_hash","file_name"]}},"additionalProperties":false,"description":"A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. 
These do not exist as objects within the CTIA storage model, so you never create an observable.","example":{"value":"1.2.3.4","type":"ip"},"$$ref":"#/components/schemas/Observable"}}},"application/x-yaml":{"schema":{"uniqueItems":true,"type":"array","items":{"required":["type","value"],"type":"object","properties":{"value":{"type":"string","description":"The value of the observable.","example":"1.2.3.4"},"type":{"type":"string","description":"The type of observable.","example":"ip","enum":["file_path","mac_address","trend_micro_id","cybereason_id","process_args","s1_agent_id","device","hostname","certificate_common_name","serial_number","meraki_network_id","url","certificate_serial","meraki_org_id","cisco_cm_id","registry_key","process_path","darktrace_id","process_username","cortex_agent_id","orbital_node_id","process_uid","ngfw_name","user","certificate_issuer","ipv6","email","cisco_uc_id","sha256","crowdstrike_id","sha1","registry_name","md5","ip","domain","email_subject","imei","ngfw_id","amp_computer_guid","ms_machine_id","mutex","processor_id","swc_device_id","registry_path","odns_identity","odns_identity_label","cisco_mid","process_name","pki_serial","meraki_node_sn","email_messageid","imsi","user_agent","process_hash","file_name"]}},"additionalProperties":false,"description":"A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. 
These do not exist as objects within the CTIA storage model, so you never create an observable.","example":{"value":"1.2.3.4","type":"ip"},"$$ref":"#/components/schemas/Observable"}}},"application/edn":{"schema":{"uniqueItems":true,"type":"array","items":{"required":["type","value"],"type":"object","properties":{"value":{"type":"string","description":"The value of the observable.","example":"1.2.3.4"},"type":{"type":"string","description":"The type of observable.","example":"ip","enum":["file_path","mac_address","trend_micro_id","cybereason_id","process_args","s1_agent_id","device","hostname","certificate_common_name","serial_number","meraki_network_id","url","certificate_serial","meraki_org_id","cisco_cm_id","registry_key","process_path","darktrace_id","process_username","cortex_agent_id","orbital_node_id","process_uid","ngfw_name","user","certificate_issuer","ipv6","email","cisco_uc_id","sha256","crowdstrike_id","sha1","registry_name","md5","ip","domain","email_subject","imei","ngfw_id","amp_computer_guid","ms_machine_id","mutex","processor_id","swc_device_id","registry_path","odns_identity","odns_identity_label","cisco_mid","process_name","pki_serial","meraki_node_sn","email_messageid","imsi","user_agent","process_hash","file_name"]}},"additionalProperties":false,"description":"A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. 
These do not exist as objects within the CTIA storage model, so you never create an observable.","example":{"value":"1.2.3.4","type":"ip"},"$$ref":"#/components/schemas/Observable"}}},"application/transit+json":{"schema":{"uniqueItems":true,"type":"array","items":{"required":["type","value"],"type":"object","properties":{"value":{"type":"string","description":"The value of the observable.","example":"1.2.3.4"},"type":{"type":"string","description":"The type of observable.","example":"ip","enum":["file_path","mac_address","trend_micro_id","cybereason_id","process_args","s1_agent_id","device","hostname","certificate_common_name","serial_number","meraki_network_id","url","certificate_serial","meraki_org_id","cisco_cm_id","registry_key","process_path","darktrace_id","process_username","cortex_agent_id","orbital_node_id","process_uid","ngfw_name","user","certificate_issuer","ipv6","email","cisco_uc_id","sha256","crowdstrike_id","sha1","registry_name","md5","ip","domain","email_subject","imei","ngfw_id","amp_computer_guid","ms_machine_id","mutex","processor_id","swc_device_id","registry_path","odns_identity","odns_identity_label","cisco_mid","process_name","pki_serial","meraki_node_sn","email_messageid","imsi","user_agent","process_hash","file_name"]}},"additionalProperties":false,"description":"A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. 
These do not exist as objects within the CTIA storage model, so you never create an observable.","example":{"value":"1.2.3.4","type":"ip"},"$$ref":"#/components/schemas/Observable"}}},"application/transit+msgpack":{"schema":{"uniqueItems":true,"type":"array","items":{"required":["type","value"],"type":"object","properties":{"value":{"type":"string","description":"The value of the observable.","example":"1.2.3.4"},"type":{"type":"string","description":"The type of observable.","example":"ip","enum":["file_path","mac_address","trend_micro_id","cybereason_id","process_args","s1_agent_id","device","hostname","certificate_common_name","serial_number","meraki_network_id","url","certificate_serial","meraki_org_id","cisco_cm_id","registry_key","process_path","darktrace_id","process_username","cortex_agent_id","orbital_node_id","process_uid","ngfw_name","user","certificate_issuer","ipv6","email","cisco_uc_id","sha256","crowdstrike_id","sha1","registry_name","md5","ip","domain","email_subject","imei","ngfw_id","amp_computer_guid","ms_machine_id","mutex","processor_id","swc_device_id","registry_path","odns_identity","odns_identity_label","cisco_mid","process_name","pki_serial","meraki_node_sn","email_messageid","imsi","user_agent","process_hash","file_name"]}},"additionalProperties":false,"description":"A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. 
These do not exist as objects within the CTIA storage model, so you never create an observable.","example":{"value":"1.2.3.4","type":"ip"},"$$ref":"#/components/schemas/Observable"}}}}},"400":{"description":"Bad Request","content":{"application/json":{"schema":{"required":["content"],"type":"object","properties":{"content":{"type":"string"}},"additionalProperties":false,"description":"An object containing the offending parameters.","example":{"content":"missing-required-key"},"$$ref":"#/components/schemas/400"}},"application/x-yaml":{"schema":{"required":["content"],"type":"object","properties":{"content":{"type":"string"}},"additionalProperties":false,"description":"An object containing the offending parameters.","example":{"content":"missing-required-key"},"$$ref":"#/components/schemas/400"}},"application/edn":{"schema":{"required":["content"],"type":"object","properties":{"content":{"type":"string"}},"additionalProperties":false,"description":"An object containing the offending parameters.","example":{"content":"missing-required-key"},"$$ref":"#/components/schemas/400"}},"application/transit+json":{"schema":{"required":["content"],"type":"object","properties":{"content":{"type":"string"}},"additionalProperties":false,"description":"An object containing the offending parameters.","example":{"content":"missing-required-key"},"$$ref":"#/components/schemas/400"}},"application/transit+msgpack":{"schema":{"required":["content"],"type":"object","properties":{"content":{"type":"string"}},"additionalProperties":false,"description":"An object containing the offending 
parameters.","example":{"content":"missing-required-key"},"$$ref":"#/components/schemas/400"}}}},"401":{"description":"Unauthorized","content":{"application/json":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"exception_message":{"type":"string"},"level":{"type":"string"},"token":{"type":"string"},"error_description":{"type":"string"},"trace_id":{"type":"string"}},"additionalProperties":false,"description":"An object describing the problem.","example":{"error":"invalid_request","error_description":"No JWT found in HTTP Authorization header"},"$$ref":"#/components/schemas/401"}},"application/x-yaml":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"exception_message":{"type":"string"},"level":{"type":"string"},"token":{"type":"string"},"error_description":{"type":"string"},"trace_id":{"type":"string"}},"additionalProperties":false,"description":"An object describing the problem.","example":{"error":"invalid_request","error_description":"No JWT found in HTTP Authorization header"},"$$ref":"#/components/schemas/401"}},"application/edn":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"exception_message":{"type":"string"},"level":{"type":"string"},"token":{"type":"string"},"error_description":{"type":"string"},"trace_id":{"type":"string"}},"additionalProperties":false,"description":"An object describing the problem.","example":{"error":"invalid_request","error_description":"No JWT found in HTTP Authorization header"},"$$ref":"#/components/schemas/401"}},"application/transit+json":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"exception_message":{"type":"string"},"level":{"type":"string"},"token":{"type":"string"},"error_description":{"type":"string"},"trace_id":{"type":"string"}},"additionalProperties":false,"description":"An object describing the 
problem.","example":{"error":"invalid_request","error_description":"No JWT found in HTTP Authorization header"},"$$ref":"#/components/schemas/401"}},"application/transit+msgpack":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"exception_message":{"type":"string"},"level":{"type":"string"},"token":{"type":"string"},"error_description":{"type":"string"},"trace_id":{"type":"string"}},"additionalProperties":false,"description":"An object describing the problem.","example":{"error":"invalid_request","error_description":"No JWT found in HTTP Authorization header"},"$$ref":"#/components/schemas/401"}}}},"403":{"description":"Forbidden","content":{"application/json":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"error_description":{"type":"string"},"missing-scopes":{"type":"array","items":{"type":"string"}},"required-scopes":{"type":"array","items":{"type":"string"}},"scopes":{"type":"array","items":{"type":"string"}},"trace_id":{"type":"string"},"user-id":{"type":"string"},"org-id":{"type":"string"}},"additionalProperties":false,"description":"An object describing the problem.","example":{"missing-scopes":["inspect:read"],"required-scopes":["inspect:read"],"scopes":[],"user-id":"user1","org-id":"org1","trace_id":"ctx-43eb882f-75d6-41cf-817a-34bb3dbf71ab","error":"missing_scope","error_description":"You do not have the required credentials to access this route."},"$$ref":"#/components/schemas/403"}},"application/x-yaml":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"error_description":{"type":"string"},"missing-scopes":{"type":"array","items":{"type":"string"}},"required-scopes":{"type":"array","items":{"type":"string"}},"scopes":{"type":"array","items":{"type":"string"}},"trace_id":{"type":"string"},"user-id":{"type":"string"},"org-id":{"type":"string"}},"additionalProperties":false,"description":"An object describing the 
problem.","example":{"missing-scopes":["inspect:read"],"required-scopes":["inspect:read"],"scopes":[],"user-id":"user1","org-id":"org1","trace_id":"ctx-43eb882f-75d6-41cf-817a-34bb3dbf71ab","error":"missing_scope","error_description":"You do not have the required credentials to access this route."},"$$ref":"#/components/schemas/403"}},"application/edn":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"error_description":{"type":"string"},"missing-scopes":{"type":"array","items":{"type":"string"}},"required-scopes":{"type":"array","items":{"type":"string"}},"scopes":{"type":"array","items":{"type":"string"}},"trace_id":{"type":"string"},"user-id":{"type":"string"},"org-id":{"type":"string"}},"additionalProperties":false,"description":"An object describing the problem.","example":{"missing-scopes":["inspect:read"],"required-scopes":["inspect:read"],"scopes":[],"user-id":"user1","org-id":"org1","trace_id":"ctx-43eb882f-75d6-41cf-817a-34bb3dbf71ab","error":"missing_scope","error_description":"You do not have the required credentials to access this route."},"$$ref":"#/components/schemas/403"}},"application/transit+json":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"error_description":{"type":"string"},"missing-scopes":{"type":"array","items":{"type":"string"}},"required-scopes":{"type":"array","items":{"type":"string"}},"scopes":{"type":"array","items":{"type":"string"}},"trace_id":{"type":"string"},"user-id":{"type":"string"},"org-id":{"type":"string"}},"additionalProperties":false,"description":"An object describing the problem.","example":{"missing-scopes":["inspect:read"],"required-scopes":["inspect:read"],"scopes":[],"user-id":"user1","org-id":"org1","trace_id":"ctx-43eb882f-75d6-41cf-817a-34bb3dbf71ab","error":"missing_scope","error_description":"You do not have the required credentials to access this 
route."},"$$ref":"#/components/schemas/403"}},"application/transit+msgpack":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"error_description":{"type":"string"},"missing-scopes":{"type":"array","items":{"type":"string"}},"required-scopes":{"type":"array","items":{"type":"string"}},"scopes":{"type":"array","items":{"type":"string"}},"trace_id":{"type":"string"},"user-id":{"type":"string"},"org-id":{"type":"string"}},"additionalProperties":false,"description":"An object describing the problem.","example":{"missing-scopes":["inspect:read"],"required-scopes":["inspect:read"],"scopes":[],"user-id":"user1","org-id":"org1","trace_id":"ctx-43eb882f-75d6-41cf-817a-34bb3dbf71ab","error":"missing_scope","error_description":"You do not have the required credentials to access this route."},"$$ref":"#/components/schemas/403"}}}},"500":{"description":"Internal Server Error","content":{"application/json":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"error_description":{"type":"string"},"trace_id":{"type":"string"}},"additionalProperties":false,"description":"The error string.","example":{"error":"unknown-exception","error_description":"This exception has been logged for further inspection.","trace_id":"5755e17e-992f-4892-b2f6-db59b2bf480c"},"$$ref":"#/components/schemas/500"}},"application/x-yaml":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"error_description":{"type":"string"},"trace_id":{"type":"string"}},"additionalProperties":false,"description":"The error string.","example":{"error":"unknown-exception","error_description":"This exception has been logged for further 
inspection.","trace_id":"5755e17e-992f-4892-b2f6-db59b2bf480c"},"$$ref":"#/components/schemas/500"}},"application/edn":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"error_description":{"type":"string"},"trace_id":{"type":"string"}},"additionalProperties":false,"description":"The error string.","example":{"error":"unknown-exception","error_description":"This exception has been logged for further inspection.","trace_id":"5755e17e-992f-4892-b2f6-db59b2bf480c"},"$$ref":"#/components/schemas/500"}},"application/transit+json":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"error_description":{"type":"string"},"trace_id":{"type":"string"}},"additionalProperties":false,"description":"The error string.","example":{"error":"unknown-exception","error_description":"This exception has been logged for further inspection.","trace_id":"5755e17e-992f-4892-b2f6-db59b2bf480c"},"$$ref":"#/components/schemas/500"}},"application/transit+msgpack":{"schema":{"required":["error"],"type":"object","properties":{"error":{"type":"string"},"error_description":{"type":"string"},"trace_id":{"type":"string"}},"additionalProperties":false,"description":"The error string.","example":{"error":"unknown-exception","error_description":"This exception has been logged for further inspection.","trace_id":"5755e17e-992f-4892-b2f6-db59b2bf480c"},"$$ref":"#/components/schemas/500"}}}}},"x-no-doc":false,"x-codegen-request-body-name":"StrContent","__originalOperationId":"findObservables","security":[{"oAuth2":["integration:read","private-intel:read","profile:read","inspect:read","users:read","invite:read","enrich:read","oauth:read","response:read","global-intel:read","ao:read","playbook:read"]}],"method":"post","path":"/iroh/iroh-inspect/inspect"}}