Step: Cortex

This step lets you send a query to the Cortex API service on your local system using your account's name and API key. The step utilizes the Web Data Source to set up the connection, and uses the same interface Cortex does to send content from your playbook to a Cortex Analyzer. Responses are stored in package table variables to be used in other steps. (Introduced in DarkLight 5.7)
Can use table variable values

Allows FreeMarker Expressions

Requires local installation of Cortex and configured Analyzers

  • Web Source: Select a Data Source of type Web
    • The URL field should only contain the base URL for Cortex (e.g. https://192.168.5.99:9001)
    • Enter your Cortex User ID in the Username field
    • Enter your Cortex User's API Key in the Password field
    • KeyStore is not used
  • TLP: The Traffic Light Protocol is used to signal how widely you want your information shared. Some analyzers will only return results if your TLP is open enough. In DarkLight, hover over the color name to see the definition for it. A summary is below:
    • Red - personal for named recipients only
    • Amber - limited distribution
    • Green - community wide
    • White - unlimited
  • PAP: The Permissible Actions Protocol indicates how the received information can be used. The Cortex API does not currently do anything with this setting, but it is included in DarkLight for future capabilities. A summary of the levels is below:
    • PAP Red - Non-detectable actions only
    • PAP Amber - Passive cross check for conducting online checks
    • PAP Green - Active actions allowed (ping, block, etc.)
    • PAP White - No restrictions
  • Data Type: Choose the data type you will be sending to an analyzer. This choice affects the list of analyzers you can choose in the next list. All data types are available with the exception of "file" as DarkLight does not currently have a mechanism to send a file to an analyzer. The data types provided by Cortex are:
    • ip
    • domain
    • fqdn (fully qualified domain name)
    • hash
    • url
    • mail
  • Analyzer: A list of the analyzers installed in your Cortex instance that can operate on the selected Data Type.
  • Input Data: The piece of data from the package that you want to send in to the Analyzer. FreeMarker templates are allowed.
  • Meta Data Output Variable: The name of the package variable to store the data returned from Cortex about the query itself (not the results of the query). The data returned to this variable will be in JSON format, so you will likely use the JSONPath step to parse it.
  • Report Output Variable: The name of the package variable to store the result data returned from the Cortex Analyzer about the Input Data. The data returned to this variable will be in JSON format, so you will likely use the JSONPath step to parse it.
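The request this step assembles, and the split of the reply into the two output variables, written out as an added Python example (not DarkLight's or Cortex's own code). It assumes the Cortex REST API endpoints `POST /api/analyzer/<id>/run` and `GET /api/job/<id>/waitreport`, Bearer-token authentication with the API key from the Password field, and the numeric TLP/PAP scale white=0, green=1, amber=2, red=3; the analyzer id, job id and sample values are constructed.

```python
"""Build the Cortex analyzer request this step issues and split the reply."""
import json
import urllib.request

# TLP and PAP share one numeric scale in the Cortex API (assumption: white=0 .. red=3).
LEVELS = {"white": 0, "green": 1, "amber": 2, "red": 3}
# "file" is excluded, as the step does not support sending files.
DATA_TYPES = {"ip", "domain", "fqdn", "hash", "url", "mail"}


def supported_data_type(data_type):
    return data_type in DATA_TYPES


def build_run_request(base_url, api_key, analyzer_id, data_type, data, tlp, pap):
    """Return (url, headers, body_dict) for the analyzer run call.

    base_url is the Web Source URL (base only, e.g. https://192.168.5.99:9001);
    api_key is the Cortex user's API key from the Password field.
    """
    if not supported_data_type(data_type):
        raise ValueError(f"unsupported data type: {data_type}")
    body = {"data": data, "dataType": data_type,
            "tlp": LEVELS[tlp.lower()], "pap": LEVELS[pap.lower()]}
    url = f"{base_url.rstrip('/')}/api/analyzer/{analyzer_id}/run"
    headers = {"Authorization": f"Bearer {api_key}",
               "Content-Type": "application/json"}
    return url, headers, body


def split_job(job):
    """Separate query metadata (Meta Data Output) from the report (Report Output)."""
    report = job.get("report", {})
    meta = {k: v for k, v in job.items() if k != "report"}
    return meta, report


def run_analyzer(base_url, api_key, analyzer_id, data_type, data,
                 tlp="amber", pap="amber", wait="30seconds"):
    """Submit the job, wait for the report, return (meta, report). Needs a live Cortex."""
    url, headers, body = build_run_request(base_url, api_key, analyzer_id, data_type, data, tlp, pap)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:  # TLS certificate verification stays on
        job = json.load(resp)
    wait_url = f"{base_url.rstrip('/')}/api/job/{job['id']}/waitreport?atMost={wait}"
    req = urllib.request.Request(wait_url, headers={"Authorization": headers["Authorization"]})
    with urllib.request.urlopen(req) as resp:
        return split_job(json.load(resp))
```

Because the page's example URL is an HTTPS address with a bare IP, the Cortex certificate must be trusted by the client for the connection to succeed; the example keeps verification enabled rather than bypassing it.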
  • Last modified: 2018/11/13 20:12