Functions/BloxOne/BloxOneTD/Get-B1TideThreatEnrichment.ps1

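function Get-B1TideThreatEnrichment {
    <#
    .SYNOPSIS
        Used to retrieve threat enrichment data from BloxOne Threat Defense

    .DESCRIPTION
        This function is used to retrieve threat enrichment data from BloxOne Threat Defense.

        The indicator is percent-encoded before it is placed in the request query string, so it must be
        supplied raw (not already URL-encoded). Indicators are often copied from logs, alerts or phishing
        samples and may contain characters such as '&', '#', '?' or spaces; without encoding these would
        truncate the lookup or add extra query parameters to the request.

    .PARAMETER Type
        Use this parameter to specify the type of enrichment search to perform

    .PARAMETER Indicator
        Use this parameter to specify the indicator to search by. This will be either the domain name, URL or IP.
        When using the Threat Actor lookup, the indicator should be the name of the Threat Actor, e.g "APT1","Carbanak","FIN6", etc.

    .OUTPUTS
        The response returned by Invoke-CSP. For "Threat Actor" only the 'description' property is returned and
        for "Mandiant" only the 'matches' property. Nothing is returned when the result is empty.

    .EXAMPLE
        PS> Get-B1TideThreatEnrichment -Type "Threat Actor" -Indicator "APT1"

    .FUNCTIONALITY
        BloxOneDDI

    .FUNCTIONALITY
        BloxOne Threat Defense
    #>

    param(
      [Parameter(Mandatory=$true)]
      [ValidateSet("Threat Actor","Nameserver Reputation","URLHaus","ThreatFox","TLD Risk","Mandiant","Whois","Geoinfo")] ## Mitre Lookup not yet implemented
      [String]$Type,
      [Parameter(Mandatory=$true)]
      [String]$Indicator
    )

    # Treat the indicator as untrusted data: encode it as a single query-string value so that
    # reserved characters cannot change the structure of the request URI.
    $EncodedIndicator = [System.Uri]::EscapeDataString($Indicator)

    # Name of the response property to unwrap, for the lookups that return a wrapper object.
    $ExpandProperty = $null

    switch ($Type) {
      "Threat Actor" {
        $Uri = "/tide/threat-enrichment/threat_actor/lookup?name=$EncodedIndicator"
        $ExpandProperty = "description"
      }
      "Nameserver Reputation" {
        # Unable to test due to HTTP403
        $Uri = "/tide/threat-enrichment/nameserver_reputation/search?indicator=$EncodedIndicator"
      }
      "URLHaus" {
        # Unable to test due to HTTP403
        $Uri = "/tide/threat-enrichment/urlhaus/search?indicator=$EncodedIndicator"
      }
      "ThreatFox" {
        # Unable to test due to HTTP403
        $Uri = "/tide/threat-enrichment/threatfox/search?indicator=$EncodedIndicator"
      }
      "TLD Risk" {
        # Unable to test due to HTTP403
        $Uri = "/tide/threat-enrichment/tld_risk/search?indicator=$EncodedIndicator"
      }
      "Mandiant" {
        $Uri = "/tide/threat-enrichment/mandiant/indicator/search?indicator=$EncodedIndicator"
        $ExpandProperty = "matches"
      }
      "Whois" {
        # Unable to test due to HTTP403
        $Uri = "/tide/threat-enrichment/whois/search?indicator=$EncodedIndicator"
      }
      "Geoinfo" {
        # Unable to test due to HTTP403. This endpoint takes the indicator in 'ip' rather than 'indicator'.
        $Uri = "/tide/threat-enrichment/geoinfo/search?ip=$EncodedIndicator"
      }
    }

    $Response = Invoke-CSP -Uri "$(Get-B1CspUrl)$Uri" -Method GET
    if ($ExpandProperty) {
      # A response without the expected property yields no result instead of an error.
      $Results = $Response | Select-Object -ExpandProperty $ExpandProperty -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    } else {
      $Results = $Response
    }

    if ($Results) {
      return $Results
    }
}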