
Anomali ThreatStream Feed

This integration is part of the Anomali ThreatStream Feed Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Use the Anomali ThreatStream Feed integration to fetch indicators from Anomali ThreatStream into Cortex XSOAR.

Configure Anomali ThreatStream Feed in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Fetch indicators | Enable this checkbox to automatically pull indicators from Anomali ThreatStream at regular intervals. | |
| Fetch by | Fetch by the modification or creation time of the indicators. | True |
| Server URL (e.g., https://www.test.com) | Confirm that the pre-filled URL matches the correct API endpoint for your Anomali ThreatStream instance. | True |
| Username | | True |
| API Key | | True |
| Feed Fetch Interval | | False |
| Confidence Threshold | Only indicators above the confidence threshold are returned. | False |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. An indicator's own TLP overrides this default value. | False |
| Indicator Reputation | Indicators from this integration instance are marked with this reputation. If not selected, each indicator's verdict is determined by its DBot score from the API. The default is Unknown. | False |
| Indicator Expiration Method | The method by which to expire indicators from this feed for this integration instance. | False |
| Create relationships | | False |
| Trust any certificate (not secure) | Skips TLS certificate verification for the Server URL; leave disabled unless you accept the risk of a spoofed endpoint. | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

threatstream-feed-get-indicators


Gets indicators from the feed. This command is mainly used for testing and debugging purposes.

Base Command

`threatstream-feed-get-indicators`

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_type | The indicator type to retrieve. If not selected, indicators of all types are retrieved. Possible values are: domain, ip, md5, url, email. | Optional |
| limit | Maximum number of objects to return. Default is 10. | Optional |
| sort_by | Sort the records in descending order by Created or Modified Time. Possible values are: Created Time, Modified Time. Default is Modified Time. | Optional |
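The following is an added illustration of the selection rules documented on this page (the instance parameters Fetch by, Confidence Threshold and Traffic Light Protocol Color, and the command arguments indicator_type, limit and sort_by); it is not the integration's own code and makes no API calls. The record shape (dicts with `itype`, `value`, `confidence`, `tlp`, `created_ts`, `modified_ts`, `tags`) and the sample records are assumptions constructed from the human-readable table below; the threshold is applied as strictly "above", as the parameter description states.

```python
"""Client-side model of the fetch options documented for the ThreatStream feed.

Added example, not the integration's code. Field names and sample data are
assumed/constructed; only the documented semantics are modelled.
"""
from datetime import datetime, timezone

# Constructed sample records modelled on the human-readable output table.
# The "ip" record is added to show the indicator_type filter.
SAMPLE_RECORDS = [
    {"id": 440576095, "itype": "domain", "value": "my.domainnn_test.com",
     "confidence": 50, "tlp": None, "created_ts": "2023-06-20T08:07:33.841Z",
     "modified_ts": "2023-12-24T00:00:05.890Z", "tags": ["tag3452", "tag23452"]},
    {"id": 440126275, "itype": "domain", "value": "my.domain_987.com",
     "confidence": 50, "tlp": None, "created_ts": "2023-06-19T12:14:52.216Z",
     "modified_ts": "2023-12-24T00:00:05.877Z", "tags": ["tag3452", "tag23452"]},
    {"id": 439658732, "itype": "domain", "value": "my.domain1357.com",
     "confidence": 50, "tlp": None, "created_ts": "2023-06-18T10:02:07.876Z",
     "modified_ts": "2023-09-16T10:10:05.788Z", "tags": []},
    {"id": 284008208, "itype": "domain", "value": "test_domain_121.com",
     "confidence": 0, "tlp": "amber", "created_ts": "2021-11-16T09:40:10.407Z",
     "modified_ts": "2025-04-05T01:48:33.997Z", "tags": ["tag4567"]},
    {"id": 231953546, "itype": "domain", "value": "abc_test_domain1.com",
     "confidence": 60, "tlp": None, "created_ts": "2021-04-06T09:36:09.122Z",
     "modified_ts": "2023-07-17T09:55:54.228Z", "tags": ["tag1356"]},
    {"id": 1, "itype": "ip", "value": "198.51.100.7",
     "confidence": 80, "tlp": None, "created_ts": "2024-01-01T00:00:00.000Z",
     "modified_ts": "2024-02-01T00:00:00.000Z", "tags": []},
]

# Maps the documented option labels to the (assumed) record timestamp fields.
SORT_FIELDS = {"Created Time": "created_ts", "Modified Time": "modified_ts"}


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps shown in the output table."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def select_indicators(records, indicator_type=None, confidence_threshold=None,
                      default_tlp=None, sort_by="Modified Time", limit=10):
    """Apply type filter, confidence threshold, TLP default and sort/limit.

    Mirrors threatstream-feed-get-indicators arguments plus the instance-level
    Confidence Threshold and TLP Color parameters.
    """
    if sort_by not in SORT_FIELDS:
        raise ValueError(f"sort_by must be one of {sorted(SORT_FIELDS)}")
    field = SORT_FIELDS[sort_by]
    selected = []
    for rec in records:
        if indicator_type and rec["itype"] != indicator_type:
            continue
        # "above the confidence threshold": strictly greater, per the docs.
        if confidence_threshold is not None and not rec["confidence"] > confidence_threshold:
            continue
        # The indicator's own TLP overrides the instance default.
        selected.append({**rec, "tlp": rec.get("tlp") or default_tlp})
    selected.sort(key=lambda r: parse_ts(r[field]), reverse=True)
    return selected[:limit]


def new_since(records, last_run_ts: str, fetch_by="Modified Time"):
    """Model the Fetch by setting for incremental fetching.

    Returns the records whose chosen timestamp is newer than last_run_ts,
    oldest first, plus the new watermark. Fetching by Created Time never
    re-delivers an existing indicator whose tags or confidence changed;
    fetching by Modified Time does.
    """
    field = SORT_FIELDS[fetch_by]
    cutoff = parse_ts(last_run_ts)
    fresh = sorted((r for r in records if parse_ts(r[field]) > cutoff),
                   key=lambda r: parse_ts(r[field]))
    watermark = fresh[-1][field] if fresh else last_run_ts
    return fresh, watermark


if __name__ == "__main__":
    for r in select_indicators(SAMPLE_RECORDS, indicator_type="domain",
                               limit=5, sort_by="Created Time"):
        print(r["id"], r["value"], r["created_ts"])
```

Run the block directly to reproduce the ordering of the command example below (domains, newest creation time first). Note that with the default threshold of 50 applied as "above", the four confidence-50 domains in the table would be dropped and only the confidence-60 one kept; check the boundary behaviour against your own instance before relying on it in a playbook.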

Context Output

There is no context output for this command.

Command example

```
!threatstream-feed-get-indicators indicator_type="domain" limit="5" sort_by="Created Time"
```

Human Readable Output

Indicators from Anomali ThreatStream Feed

| Source | ThreatStreamID | Domain | Modified | Confidence | Creation | Tags | TrafficLightProtocol |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Demisto | 440576095 | my.domainnn_test.com | 2023-12-24T00:00:05.890Z | 50 | 2023-06-20T08:07:33.841Z | values: tag3452, tag23452 | |
| Demisto | 440126275 | my.domain_987.com | 2023-12-24T00:00:05.877Z | 50 | 2023-06-19T12:14:52.216Z | values: tag3452, tag23452 | |
| Demisto | 439658732 | my.domain1357.com | 2023-09-16T10:10:05.788Z | 50 | 2023-06-18T10:02:07.876Z | | |
| dummydomain.com | 284008208 | test_domain_121.com | 2025-04-05T01:48:33.997Z | 0 | 2021-11-16T09:40:10.407Z | values: tag4567 | amber |
| Analyst | 231953546 | abc_test_domain1.com | 2023-07-17T09:55:54.228Z | 60 | 2021-04-06T09:36:09.122Z | values: tag1356 | |