{"type":"model","meta":{"id":"/apps/pubhub/media/cisco-xdr-api-docs/fa9197522b1e6452b6dbfc472555dcc7ceeb71bd/0aedfab1-f4ca-36de-85d5-679dbd7db871","info":{"title":"IROH-INT Enrich","description":"IROH Integrations: configure and query Threat Response modules","contact":{"name":"Cisco Security Business Group -- Advanced Threat","email":"cisco-intel-api-support@cisco.com"},"license":{"name":"All Rights Reserved","url":"https://www.cisco.com"},"version":"1.0.107"},"security":[{"oAuth2":["integration:read","private-intel:read","profile:read","inspect:read","users:read","invite:read","enrich:read","oauth:read","response:read","global-intel:read","ao:read","playbook:read"]}],"tags":[{"name":"Health","description":"This set of routes allow to check the health of your integrations setup Verify if your modules are setup correctly and if your credentials are correct."},{"name":"Deliberate","description":"This set of routes allow to quickly get answers from your integrations You might use them at the start of any investigation to quickly get answers from your modules if something is bad."},{"name":"Observe","description":"This set of routes allow to get in depth investigation data about a threat You might use them at the start of any investigation to get the full picture and get to know if something has been seen in your environment."},{"name":"Refer","description":"This set of routes allow to get relevant Reference links and quickly pivot pursuing your investigation on a specific product interface. "}],"x-parser-conf":{"serverConfig":"select","overview":{"markdownPath":"reference/enrich/overview.md","uri":"enrich-api-guide"},"disableAuthEditing":true,"exampleAsDefault":true,"oAuth2":{"clientId":"client-546e34fc-c6bf-4951-ac69-f6d7987a7814","clientSecret":"MYw4_E_tBdFwUwrX6WFYKVD5LQrG2k7XrJ5J046wWE0s1gAKCxJ8VA","proxyEnabled":false},"meta":{"useProxy":true}},"openapi":"3.0.1","servers":[{"url":"https://visibility.amp.cisco.com"}],"securitySchemes":{"oAuth2":{"type":"oauth2","flows":{"clientCredentials":{"tokenUrl":"https://visibility.amp.cisco.com/iroh/oauth2/token","scopes":{"telemetry":"Collect application data for analytics","integration:read":"Manage your modules","private-intel:read":"Access Private Intelligence","admin":"Provide admin privileges","cognitive":"Cognitive Integration","profile:read":"Get your profile information","inspect:read":"Extract Observables and data from text","asset":"Access and modify your assets","event":"Read IROH Events","feedback":"Submit Customer Feedback","sse":"SSE Integration. Manage your Devices.","registry":"Manage registry entries","users:read":"Manage users of your organization","investigation":"Perform threat analysis investigation","invite:read":"Invite users into your organization","casebook":"Access and modify your casebooks","playbook":"Access and modify your playbooks","playbook:read":"Access and modify your playbooks","orbital":"Orbital Integration.","enrich:read":"Query your configured modules for threat intelligence","oauth:read":"Manage OAuth2 Clients","vault":"Grants access to Module Vaults","response:read":"List and execute response actions using configured modules","notification":"Receive notifications from integrations","global-intel:read":"Access AMP Global Intelligence","webhook":"Manage your Webhooks","ao:read":"AO Integration."}}}}}},"spec":{"required":["type","value"],"type":"object","properties":{"value":{"type":"string","description":"The value of the observable.","example":"1.2.3.4"},"type":{"type":"string","description":"The type of observable.","example":"ip","enum":["file_path","mac_address","trend_micro_id","cybereason_id","process_args","s1_agent_id","device","hostname","certificate_common_name","serial_number","meraki_network_id","url","certificate_serial","meraki_org_id","cisco_cm_id","registry_key","process_path","darktrace_id","process_username","cortex_agent_id","orbital_node_id","process_uid","ngfw_name","user","certificate_issuer","ipv6","email","cisco_uc_id","sha256","crowdstrike_id","sha1","registry_name","md5","ip","domain","email_subject","imei","ngfw_id","amp_computer_guid","ms_machine_id","mutex","processor_id","swc_device_id","registry_path","odns_identity","odns_identity_label","cisco_mid","process_name","pki_serial","meraki_node_sn","email_messageid","imsi","user_agent","process_hash","file_name"]}},"additionalProperties":false,"description":"A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.","example":{"value":"1.2.3.4","type":"ip"},"$$ref":"#/components/schemas/Observable","title":"Observable"}}