Anomali ThreatStream (Deprecated)
Anomali ThreatStream Pack
This integration is deprecated. Use Anomali ThreatStream v3 instead.
Overview
Anomali ThreatStream (previously ThreatStream Optic) is a threat-intelligence integration that enables you to pull threat intelligence from the ThreatStream platform and use it in third-party tools. The integration works with the v2 API on product version 2.5.4, using the intelligence resource.
Commands:
- Receive threat intelligence: threatstream-intelligence
- Check IP/domain reputation: domain
- Check file's checksum reputation: file
- Check email address reputation: threatstream-email-reputation
- Check IP reputation: ip
Prerequisites
You need to retrieve your Anomali ThreatStream credentials, which you will enter in Cortex XSOAR.
- User ID
- API key
If you do not have these credentials, register at http://ui.threatstream.com.
Configure Cortex XSOAR to Integrate with Anomali ThreatStream
- Navigate to Settings > Integrations > Servers & Services.
- Search for the Anomali ThreatStream integration.
- Click Add instance to create and configure a new integration instance.
- Name | a meaningful name for the integration instance. (Required)
- Server URL | Anomali ThreatStream hostname or IP address and port. For example: https://api.threatstream.com. (Required)
- User name | Anomali ThreatStream user name. (Required)
- API Key | The API key you copied in the previous procedure. (Required)
- Click the Test button to verify the URL and token.
A green light means the test was successful.
Use Cases
Use this integration to retrieve threat intelligence from the ThreatStream cloud. You can specify criteria by which the intelligence should be retrieved, as shown in the commands below. The integration supports getting reputation for IP, domain, file and email.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Receive threat intelligence: threatstream-intelligence
- Check IP/domain reputation: domain
- Check file's checksum reputation: file
- Check email address reputation: threatstream-email-reputation
- Check IP reputation: ip
Retrieve Threat Intelligence: threatstream-intelligence
Use this command to retrieve threat intelligence from the ThreatStream cloud.
Inputs
Input Parameter | Description | Notes |
--- | --- | --- |
limit | Specify the amount of records in a response. | Integer |
asn | Autonomous System (AS) number associated with the indicator. | |
confidence | Confidence value assigned to the indicator. | |
country | Country associated with the indicator. | Country code. |
created_ts | Date and time when the indicator was first detected on the ThreatStream cloud platform. | For example, 2014-10-02T20:44:35 |
expiration_ts | Time stamp of when intelligence will expire on ThreatStream. | Time stamp is UTC. |
feed_id | Numeric ID of the threat feed that generated the indicator. | |
id | Unique ID for the indicator. | |
import_session_id | ID of the import session that the indicator was imported to. | |
ip | IP address associated with the indicator, if the imported indicator is a domain or a URL. | |
is_public | Classification of the indicator, either public or private. | |
itype | Indicator type. | |
latitude | The IP's geo-location latitude. | |
longitude | The IP's geo-location longitude. | |
meta.detail | A string that contains a tag associated with the indicator. | Use the tag to search for related incidents. |
meta.detail2 | Additional details associated with the state of the indicator. For example, why an indicator is marked false-positive. | |
meta.maltype | Tag that specifies the malware associated with an indicator. | |
meta.severity | Severity assigned to the indicator through machine-learning algorithms that ThreatStream deploys. | |
modified_ts | When the indicator was last updated on the ThreatStream cloud platform. | |
org | Registered owner (organization) of the IP address associated with the indicator. | |
owner_organization_id | ID of the (ThreatStream) organization that brought in the indicator through either a threat feed or the import process. | |
rdns | Domain name (obtained through reverse domain name lookup) associated with the IP address that is associated with the indicator. | |
source_reported_confidence | A risk score, from 0 to 100, provided by the source of the indicator. | |
status | Status assigned to the indicator. | |
tags.name | Tag assigned to the indicator. | |
threat_type | Summarized threat type of the indicator. For example, malware, compromised, apt, c2, and so on. | |
trusted_circle_ids | IDs of the trusted circles that the indicator is shared with. | |
type | Type of indicator: domain, email, ip, md5, string, url. | |
update_id | An incremental numeric identifier associated with each update to intelligence on ThreatStream. | |
value | Value of the indicator. | |
Context Output
Path | Description |
--- | --- |
DBotScore.Indicator | The tested indicator |
DBotScore.Type | The indicator type |
DBotScore.Vendor | Vendor used to calculate the score |
DBotScore.Score | The actual score |
JSON Output
```json
{
"meta":{
"limit":1,
"next":"/api/v2/intelligence/?username=test%test.com\u0026country=IL\u0026api_key=12345678912345678 \u0026limit=1\u0026offset=1",
"offset":0,
"previous":null,
"took":39,
"total_count":49906
},
"objects":[
{
"asn":"12849",
"confidence":100,
"country":"IL",
"created_ts":"2018-01-03T16:59:29.054Z",
"description":null,
"expiration_ts":"2018-04-12T13:37:28.417Z",
"feed_id":122,
"id":50460807643,
"import_session_id":null,
"ip":"5.29.211.60",
"is_public":false,
"itype":"tor_ip",
"latitude":"32.332900",
"longitude":"34.859900",
"meta":{
"detail2":"bifocals_deactivated_on_2018-04-10_20:32:42.816201",
"severity":"low"
},
"modified_ts":"2018-04-11T13:37:28.423Z",
"org":"HOTnet",
"owner_organization_id":2,
"rdns":null,
"resource_uri":"/api/v2/intelligence/50460807643/",
"retina_confidence":-1,
"source":"TOR Exit Nodes",
"source_reported_confidence":100,
"status":"active",
"tags":null,
"threat_type":"tor",
"threatscore":25,
"trusted_circle_ids":[
146
],
"type":"ip",
"update_id":1763222542,
"uuid":"56260f15-377a-48e7-ad40-121f8580a4c5",
"value":"5.29.211.60",
"workgroups":[
]
}
]
}
```
War Room Output
Command:
!threatstream-intelligence limit="1" country="IL"
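The intelligence command pages through the v2 intelligence resource; the meta.next link in the sample response above shows how the following page is addressed (note that it carries the api_key in the query string). The following added example, which is not the integration's or Anomali's own code, builds that query and follows meta.next offline against a constructed two-page response; the API host is assumed to be the one from the Server URL example.

```python
"""Walk the v2 intelligence resource page by page using meta.next.

Added example, not the integration's own code. The host and the two-page
response below are constructed to mirror the "meta"/"objects" shape above.
"""
from urllib.parse import parse_qs, urlencode, urlparse

API_BASE = "https://api.threatstream.com"  # assumed, as in the Server URL example


def build_intelligence_url(username, api_key, limit=1, offset=0, **filters):
    """Build a v2 intelligence query like the 'next' link in the sample output.

    The v2 API carries api_key in the query string, so the full URL ends up
    in proxy and web-server logs: keep those logs as confidential as the key.
    """
    params = {"username": username, "api_key": api_key, "limit": limit, "offset": offset}
    params.update({k: v for k, v in filters.items() if v is not None})
    return f"{API_BASE}/api/v2/intelligence/?{urlencode(params)}"


def next_offset(page):
    """Return the offset encoded in meta.next, or None on the last page."""
    nxt = page["meta"].get("next")
    if not nxt:
        return None
    return int(parse_qs(urlparse(nxt).query)["offset"][0])


def collect_indicators(fetch, username, api_key, **filters):
    """Follow meta.next until it is null; fetch(url) returns a parsed page."""
    values, offset = [], 0
    while offset is not None:
        page = fetch(build_intelligence_url(username, api_key, offset=offset, **filters))
        values.extend(obj["value"] for obj in page["objects"])
        offset = next_offset(page)
    return values


# Constructed two-page response (limit=1), shaped like the JSON Output above.
SAMPLE_PAGES = {
    0: {"meta": {"limit": 1, "offset": 0, "next": "/api/v2/intelligence/?limit=1&offset=1"},
        "objects": [{"value": "5.29.211.60", "type": "ip", "threatscore": 25}]},
    1: {"meta": {"limit": 1, "offset": 1, "next": None},
        "objects": [{"value": "176.228.66.70", "type": "ip", "threatscore": 25}]},
}


def fake_fetch(url):
    """Offline stand-in for an HTTP GET: serves the constructed page by offset."""
    return SAMPLE_PAGES[int(parse_qs(urlparse(url).query)["offset"][0])]
```

Replace fake_fetch with a real HTTPS GET (sending the same URL) to page through live results.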
Check IP/domain reputation: domain
Inputs
Input Parameter | Description |
--- | --- |
domain | The domain name you want to check the reputation for. |
threshold | The ThreatScore that determines if a domain is considered malicious. |
Context Output
Path | Description |
--- | --- |
DBotScore.Indicator | The tested indicator |
DBotScore.Type | The indicator type |
DBotScore.Vendor | Vendor used to calculate the score |
DBotScore.Score | The actual score |
JSON Output
```json
{
"meta":{
"limit":1000,
"next":null,
"offset":0,
"previous":null,
"took":4,
"total_count":1
},
"objects":[
{
"asn":"",
"confidence":17,
"country":"RO",
"created_ts":"2017-06-02T18:09:41.986Z",
"description":null,
"expiration_ts":"2017-08-31T11:58:38.253Z",
"feed_id":0,
"id":859843899,
"import_session_id":213529,
"ip":"185.72.179.152",
"is_public":true,
"itype":"adware_domain",
"latitude":"46.000000",
"longitude":"25.000000",
"meta":{
"detail":"",
"detail2":"bifocals_deactivated_on_2017-08-31_12:47:29.013755",
"severity":"low"
},
"modified_ts":"2017-08-31T12:47:28.926Z",
"org":"Nix Web Solutions Pvt Ltd",
"owner_organization_id":738,
"rdns":null,
"resource_uri":"/api/v2/intelligence/859843899/",
"retina_confidence":17,
"source":"Analyst",
"source_reported_confidence":90,
"status":"inactive",
"tags":[
{
"id":"rd4",
"name":"pony"
}
],
"threat_type":"adware",
"threatscore":4,
"trusted_circle_ids":null,
"type":"domain",
"update_id":1023048164,
"value":"kpanels.in",
"workgroups":null
}
]
}
```
War Room Output
Command:
!domain domain="kpanels.in" threshold="3"
Check file's checksum reputation: file
Inputs
Input Parameter | Description |
--- | --- |
file | The file checksum you want to check the reputation for. |
threshold | The ThreatScore that determines if a file is considered malicious. |
Context Output
Path | Description |
--- | --- |
DBotScore.Indicator | The tested indicator |
DBotScore.Type | The indicator type |
DBotScore.Vendor | Vendor used to calculate the score |
DBotScore.Score | The actual score |
JSON Output
```json
{
"meta":{
"limit":1000,
"next":null,
"offset":0,
"previous":null,
"took":45,
"total_count":1
},
"objects":[
{
"asn":"",
"confidence":92,
"country":null,
"created_ts":"2017-06-07T13:01:10.143Z",
"description":null,
"expiration_ts":"2017-09-04T13:31:00.194Z",
"feed_id":0,
"id":872721081,
"import_session_id":214717,
"ip":null,
"is_public":true,
"itype":"apt_md5",
"latitude":null,
"longitude":null,
"meta":{
"detail":"",
"detail2":"imported by user 3096",
"severity":"very-high"
},
"modified_ts":"2017-06-07T13:03:03.200Z",
"org":"",
"owner_organization_id":738,
"rdns":null,
"resource_uri":"/api/v2/intelligence/872721081/",
"retina_confidence":-1,
"source":"Analyst",
"source_reported_confidence":92,
"status":"active",
"tags":[
{
"id":"03e",
"name":"trickbot"
}
],
"threat_type":"apt",
"threatscore":79,
"trusted_circle_ids":null,
"type":"md5",
"update_id":854928373,
"value":"3e5d63b93a68d715f7559f42285223f4",
"workgroups":null
}
]
}
```
War Room Output
Command:
!file file="3e5d63b93a68d715f7559f42285223f4" threshold="3"
Check Email Address Reputation: threatstream-email-reputation
Inputs
Input Parameter | Description |
--- | --- |
email | The email address you want to check the reputation for. |
threshold | The ThreatScore that determines if an email is considered malicious. |
Context Output
Path | Description |
--- | --- |
DBotScore.Indicator | The tested indicator |
DBotScore.Type | The indicator type |
DBotScore.Vendor | Vendor used to calculate the score |
DBotScore.Score | The actual score |
JSON Output
```json
{
"meta":{
"limit":1000,
"next":null,
"offset":0,
"previous":null,
"took":4,
"total_count":1
},
"objects":[
{
"asn":"",
"confidence":17,
"country":"RO",
"created_ts":"2017-06-02T18:09:41.986Z",
"description":null,
"expiration_ts":"2017-08-31T11:58:38.253Z",
"feed_id":0,
"id":859843899,
"import_session_id":213529,
"ip":"185.72.179.152",
"is_public":true,
"itype":"adware_domain",
"latitude":"46.000000",
"longitude":"25.000000",
"meta":{
"detail":"",
"detail2":"bifocals_deactivated_on_2017-08-31_12:47:29.013755",
"severity":"low"
},
"modified_ts":"2017-08-31T12:47:28.926Z",
"org":"Nix Web Solutions Pvt Ltd",
"owner_organization_id":738,
"rdns":null,
"resource_uri":"/api/v2/intelligence/859843899/",
"retina_confidence":17,
"source":"Analyst",
"source_reported_confidence":90,
"status":"inactive",
"tags":[
{
"id":"rd4",
"name":"pony"
}
],
"threat_type":"adware",
"threatscore":4,
"trusted_circle_ids":null,
"type":"domain",
"update_id":1023048164,
"value":"kpanels.in",
"workgroups":null
}
]
}
```
War Room Output
Command:
!threatstream-email-reputation email="mailonline_16@filposcv.com" threshold="3"
Check IP Reputation: ip
Inputs
Input Parameter | Description |
--- | --- |
ip | The IP address you want to check the reputation for. |
threshold | The ThreatScore that determines if an IP address is considered malicious. |
Context Output
Path | Description |
--- | --- |
DBotScore.Indicator | The tested indicator |
DBotScore.Type | The indicator type |
DBotScore.Vendor | Vendor used to calculate the score |
DBotScore.Score | The actual score |
JSON Output
```json
{
"meta":{
"limit":1000,
"next":null,
"offset":0,
"previous":null,
"took":4,
"total_count":1
},
"objects":[
{
"asn":"12400",
"confidence":69,
"country":"IL",
"created_ts":"2018-03-13T10:45:16.182Z",
"description":null,
"expiration_ts":"2018-03-20T10:45:16.178Z",
"feed_id":112,
"id":50591222843,
"import_session_id":null,
"ip":"176.228.66.70",
"is_public":false,
"itype":"scan_ip",
"latitude":"31.964200",
"longitude":"34.804400",
"meta":{
"detail2":"bifocals_deactivated_on_2018-03-20_13:56:34.918843",
"severity":"medium"
},
"modified_ts":"2018-03-20T13:56:34.461Z",
"org":"Orange Israel",
"owner_organization_id":2,
"rdns":null,
"resource_uri":"/api/v2/intelligence/50591222843/",
"retina_confidence":69,
"source":"Anomali Labs MHN",
"source_reported_confidence":70,
"status":"inactive",
"tags":null,
"threat_type":"scan",
"threatscore":25,
"trusted_circle_ids":[
145
],
"type":"ip",
"update_id":1695845308,
"uuid":"09688972-7581-4fb9-8e50-7c99a02cd442",
"value":"176.228.66.70",
"workgroups":[
]
}
]
}
```
War Room Output
Command:
!ip ip="176.228.66.70" threshold="3"
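All four reputation commands (domain, file, threatstream-email-reputation and ip) compare the returned object's threatscore with the threshold input and write the DBotScore context documented above. The following added example, which is not the integration's own code, implements that comparison on trimmed copies of the domain and ip sample objects; the exact threshold rule, the vendor label and the type mapping are assumptions.

```python
"""Map a ThreatStream reputation lookup onto a DBotScore context entry.

Added example, not the integration's own code. The rule "threatscore >=
threshold means malicious" is an assumption modelled on the threshold input
documented above; the DBotScore scale is Cortex XSOAR's standard
0 = unknown, 1 = good, 2 = suspicious, 3 = bad.
"""
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3
VENDOR = "Anomali ThreatStream"  # assumed vendor label
# ThreatStream object type -> DBotScore.Type (assumed mapping)
DBOT_TYPE = {"ip": "ip", "domain": "domain", "md5": "file", "email": "email"}


def pick_object(response, indicator):
    """Return the object whose value equals the queried indicator, if any."""
    for obj in response.get("objects", []):
        if obj.get("value") == indicator:
            return obj
    return None


def score_indicator(response, indicator, threshold):
    """Build the DBotScore entry (Indicator, Type, Vendor, Score) for one lookup."""
    obj = pick_object(response, indicator)
    if obj is None:  # ThreatStream has no intel on it
        return {"Indicator": indicator, "Type": None, "Vendor": VENDOR, "Score": UNKNOWN}
    if obj.get("threatscore", 0) >= threshold:
        score = BAD
    elif obj.get("status") == "active":
        score = SUSPICIOUS  # assumption: known and still active, but under threshold
    else:
        score = GOOD        # expired/inactive intel below threshold
    return {"Indicator": indicator, "Type": DBOT_TYPE.get(obj.get("type")),
            "Vendor": VENDOR, "Score": score}


# Constructed responses, trimmed from the domain and ip JSON Output above.
DOMAIN_RESPONSE = {"objects": [{"value": "kpanels.in", "type": "domain",
                                "threatscore": 4, "status": "inactive"}]}
IP_RESPONSE = {"objects": [{"value": "176.228.66.70", "type": "ip",
                            "threatscore": 25, "status": "inactive"}]}
```

With threshold="3" as in the War Room commands, both sample objects come out as Score 3 (bad); raising the threshold above the threatscore drops an inactive indicator to 1 (good).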
Troubleshooting
The integration was tested with the v2 API on version 2.5.4.
- If a command does not return a response, the server might be down, or an incorrect address was entered.
- If you receive a 401 Unauthorized error, the API credentials might be incorrect.