4. Refer “Pivot” Actions
4.1. Extract Observables
Note
This step can be skipped if the observable type is known and can be mapped to the supported observables so you can build your own payload.
Extract observables using:
POST /iroh/iroh-inspect/inspect
4.1.1. API Example
API Endpoint Definition:
POST https://visibility.amp.cisco.com/iroh/iroh-inspect/inspect HTTP/1.1
Authorization: Bearer ${jwt}
Content-Type: application/json
{
  "content": "cisco.com"
}
JSON Response:
[
  {
    "value": "cisco.com",
    "type": "domain"
  }
]
4.2. Refer Observables
Pass the returned array to:
POST /iroh/iroh-enrich/refer/observables
4.2.1. API Example
API Endpoint Definition:
POST https://visibility.amp.cisco.com/iroh/iroh-enrich/refer/observables HTTP/1.1
Authorization: Bearer ${jwt}
Content-Type: application/json
[
  {
    "value": "cisco.com",
    "type": "domain"
  }
]
JSON Response:
{
  "data": [
    {
      "id": "ref-talos-search-domain-cisco.com",
      "module": "Talos Intelligence",
      "module-type": "SenderBaseInvestigateModule",
      "title": "Search for this domain",
      "description": "Lookup this domain on Talos Intelligence",
      "url": "https://www.talosintelligence.com/reputation_center/lookup?search=cisco.com",
      "categories": [
        "Talos Intelligence",
        "Search"
      ]
    }
  ]
}
JQ Filters for commonly used values:
.data[].module
.data[].url
.data[].title
This may return:
.data[].description
Render the .data[].title link to the user in a way that makes sense within the product.
Note
Open the URL in a new tab when possible.
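Added example (not part of the original guide): a Python sketch of steps 4.1 to 4.2 that builds the two POST requests with the headers shown above and renders each returned pivot as a link that opens in a new tab. The https-only filter, the HTML escaping, the rel attribute and the names build_request, render_links and SAMPLE are assumptions of this example, not requirements stated by the API.

```python
import html
import json
import urllib.request
from urllib.parse import urlsplit

BASE = "https://visibility.amp.cisco.com/iroh"  # host shown in the API examples

def build_request(path, jwt, payload):
    """Build (but do not send) a POST carrying the headers from the API examples."""
    return urllib.request.Request(
        BASE + path,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {jwt}", "Content-Type": "application/json"},
        method="POST",
    )

def render_links(refer_response):
    """Turn a refer/observables response into escaped HTML anchors, one per pivot."""
    anchors = []
    for action in refer_response.get("data", []):
        url, title = action.get("url", ""), action.get("title", "")
        # Assumption of this example: render only https links that have a title.
        if urlsplit(url).scheme != "https" or not title:
            continue
        anchors.append(
            '<a href="{}" title="{}" target="_blank" rel="noopener noreferrer">{}: {}</a>'.format(
                html.escape(url, quote=True),
                html.escape(action.get("description", ""), quote=True),
                html.escape(action.get("module", "")),
                html.escape(title),
            )
        )
    return anchors

# Fields copied from the 4.2.1 response, plus one constructed entry with a
# non-https URL to show that the filter drops it.
SAMPLE = {"data": [
    {"module": "Talos Intelligence", "title": "Search for this domain",
     "description": "Lookup this domain on Talos Intelligence",
     "url": "https://www.talosintelligence.com/reputation_center/lookup?search=cisco.com"},
    {"module": "Constructed", "title": "Constructed entry", "url": "javascript:void(0)"},
]}

if __name__ == "__main__":
    observables = [{"value": "cisco.com", "type": "domain"}]  # output of step 4.1
    req = build_request("/iroh-enrich/refer/observables", "PLACEHOLDER_JWT", observables)
    print(req.get_method(), req.full_url)
    print("\n".join(render_links(SAMPLE)))
```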
4.3. Use Cases
- Get the links to pivot into products based on modules
- Streamline user experience when needing to pivot into other products
- To enable someone to pivot to the UI of a product to search for an Observable
- To enable someone to pivot to the UI of a product to look up or browse the information about an Observable