Anomali ThreatStream v3

This Integration is part of the Anomali ThreatStream Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Use Anomali ThreatStream to query and submit threats.

Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.

Configure Anomali ThreatStream v3 in Cortex

| Parameter | Description | Required |
| Server URL (e.g., https://www.test.com) | | True |
| Username | | True |
| API Key | | True |
| URL threshold | | False |
| IP threshold | | False |
| Domain threshold | | False |
| File threshold | | False |
| Email threshold | Email indicators with confidence value above this threshold are considered malicious. | False |
| Include inactive results | Whether to include inactive indicators in reputation commands. | False |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Create relationships | Create relationships between indicators as part of enrichment. | False |
| Remote API | Gather additional information about the threat model from remote APIs. | False |
| Default DBOT score for indicators with low confidence | | False |

Configure Indicator Threshold Parameters

Each indicator type has a threshold parameter, and each indicator carries an integer confidence value; together they determine the indicator's DBotScore.
The indicator DBotScore is calculated as follows:

  • If you do not specify the threshold parameter value in your instance configuration (recommended):
    If the indicator confidence > 65, the DBotScore value is set to 3 (Malicious).
    If the indicator confidence is between 25 and 65, the DBotScore value is set to 2 (Suspicious).
    If the indicator confidence < 25, the DBotScore value is set to 1 (Good).
    For example, if the IP threshold value is not specified during configuration and the IP indicator confidence value is 45, the DBotScore value is set to 2 (Suspicious).
  • If you configure the threshold parameter value:
    If the indicator confidence value is above the threshold parameter value, the DBotScore is set to 3 (Malicious). Otherwise, the DBotScore is set to 1 (Good).
    Note: You cannot define a threshold that sets the DBotScore to 2 (Suspicious).
    For example, if in the instance configuration you set File threshold to 10 and the confidence value is 15, the DBotScore is set to 3 (Malicious).
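The scoring rules above, as an added Python example that is not the integration's own code: `score_from_confidence` implements the two documented modes, and `effective_threshold` applies the precedence the ip and domain commands describe, where the command's `threshold` argument overrides the instance parameter. Treating the 25 and 65 boundaries as Suspicious, the default vendor and reliability strings, and leaving out the "Default DBOT score for indicators with low confidence" parameter (which the page does not describe) are assumptions beyond the text.

```python
"""DBotScore calculation for Anomali ThreatStream indicators, following the
"Configure Indicator Threshold Parameters" rules.  Added example; it is not
the integration's own implementation."""
from typing import Optional

# DBotScore values used by Cortex XSOAR
GOOD, SUSPICIOUS, MALICIOUS = 1, 2, 3

# Documented default ranges, used only when no threshold is configured
DEFAULT_MALICIOUS_ABOVE = 65   # confidence > 65        -> Malicious
DEFAULT_SUSPICIOUS_FROM = 25   # 25 <= confidence <= 65 -> Suspicious (assumed inclusive)
                               # confidence < 25        -> Good


def score_from_confidence(confidence: int, threshold: Optional[int] = None) -> int:
    """Map a ThreatStream confidence (0-100) to a DBotScore.

    threshold=None reproduces the documented three-way default ranges.  An
    explicit threshold collapses the result to Malicious/Good only: the page
    notes that a configured threshold can never produce Suspicious.
    """
    if not 0 <= confidence <= 100:
        raise ValueError(f"confidence must be 0-100, got {confidence}")
    if threshold is not None:
        return MALICIOUS if confidence > threshold else GOOD
    if confidence > DEFAULT_MALICIOUS_ABOVE:
        return MALICIOUS
    if confidence >= DEFAULT_SUSPICIOUS_FROM:
        return SUSPICIOUS
    return GOOD


def effective_threshold(command_arg: Optional[int],
                        instance_param: Optional[int]) -> Optional[int]:
    """Precedence documented for the ip/domain commands: the command's
    `threshold` argument overrides the instance-level threshold parameter.
    None means 'not configured', which selects the default ranges."""
    return command_arg if command_arg is not None else instance_param


def dbot_score_entry(indicator: str, indicator_type: str, confidence: int,
                     command_threshold: Optional[int] = None,
                     instance_threshold: Optional[int] = None,
                     vendor: str = "Anomali ThreatStream v3",          # assumed default
                     reliability: str = "B - Usually reliable") -> dict:  # assumed default
    """Build a DBotScore context object shaped like the page's Context Example."""
    threshold = effective_threshold(command_threshold, instance_threshold)
    return {
        "Indicator": indicator,
        "Type": indicator_type,
        "Vendor": vendor,
        "Reliability": reliability,
        "Score": score_from_confidence(confidence, threshold),
    }


if __name__ == "__main__":
    # Constructed inputs: the page's own worked examples plus one precedence case
    print(score_from_confidence(45))                 # 2: default ranges, 25 <= 45 <= 65
    print(score_from_confidence(15, threshold=10))   # 3: File threshold 10, confidence 15
    print(dbot_score_entry("23.98.23.98", "ip", 45,
                           command_threshold=40, instance_threshold=50)["Score"])  # 3
```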

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

Checks the reputation of the given IP address.

Base Command

ip

Input

| Argument Name | Description | Required |
| ip | The IP to check. | Required |
| threshold | If confidence is greater than the threshold, the IP address is considered malicious; otherwise it is considered good. This argument overrides the default IP threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with an inactive status. Possible values are: True, False. | Optional |
| threat_model_association | Enhance generic reputation commands to include additional information such as Threat Bulletins, Attack patterns, Actors, Campaigns, TTPs, vulnerabilities, etc. Note: If set to true, 6 additional API calls will be performed. Possible values are: True, False. Default is False. | Optional |

Context Output

| Path | Type | Description |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| IP.ASN | String | The Autonomous System (AS) number associated with the indicator. |
| IP.Address | String | The IP address of the indicator. |
| IP.Geo.Country | String | The country associated with the indicator. |
| IP.Geo.Location | String | The longitude and latitude of the IP address. |
| ThreatStream.IP.ASN | String | The Autonomous System (AS) number associated with the indicator. |
| ThreatStream.IP.Address | String | The IP address of the indicator. |
| ThreatStream.IP.Country | String | The country associated with the indicator. |
| ThreatStream.IP.Type | String | The indicator type. |
| ThreatStream.IP.Modified | String | The time the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time in UTC time. |
| ThreatStream.IP.Severity | String | The indicator severity ("very-high", "high", "medium", or "low"). |
| ThreatStream.IP.Confidence | String | The observable certainty level of a reported indicator type. Confidence score can range from 0-100, in increasing order of confidence. |
| ThreatStream.IP.Status | String | The status assigned to the indicator. |
| ThreatStream.IP.Organization | String | The name of the business that owns the IP address associated with the indicator. |
| ThreatStream.IP.Source | String | The indicator source. |
| IP.Malicious.Vendor | String | The vendor that reported the indicator as malicious. |
| ThreatStream.IP.Tags | Unknown | Tags assigned to the IP. |
| ThreatStream.IP.IType | String | The itype of the indicator associated with the specified model. |
| IP.Tags | Unknown | List of IP tags. |
| IP.ThreatTypes | Unknown | Threat types associated with the IP. |
| ThreatStream.IP.Actor.assignee_user | Unknown | The assignee user of the threat actor. |
| ThreatStream.IP.Actor.association_info.comment | Unknown | The comment in the association info of the threat actor. |
| ThreatStream.IP.Actor.association_info.created | Date | The date the association info was created. |
| ThreatStream.IP.Actor.association_info.from_id | Number | The ID from which the association info is related. |
| ThreatStream.IP.Actor.can_add_public_tags | Boolean | Whether you can add public tags to the threat actor. |
| ThreatStream.IP.Actor.created_ts | Date | The date the threat actor was created. |
| ThreatStream.IP.Actor.feed_id | Number | The feed ID of the threat actor. |
| ThreatStream.IP.Actor.id | Number | The ID of the threat actor. |
| ThreatStream.IP.Actor.is_anonymous | Boolean | Whether the threat actor is anonymous. |
| ThreatStream.IP.Actor.is_cloneable | String | Whether the threat actor is cloneable. |
| ThreatStream.IP.Actor.is_public | Boolean | Whether the threat actor is public. |
| ThreatStream.IP.Actor.is_team | Boolean | Whether the threat actor is a team. |
| ThreatStream.IP.Actor.modified_ts | Date | The date the threat actor was modified. |
| ThreatStream.IP.Actor.name | String | The name of the threat actor. |
| ThreatStream.IP.Actor.organization_id | Number | The organization ID of the threat actor. |
| ThreatStream.IP.Actor.owner_user_id | Number | The owner user ID of the threat actor. |
| ThreatStream.IP.Actor.primary_motivation | Unknown | The primary motivation of the threat actor. |
| ThreatStream.IP.Actor.publication_status | String | The publication status of the threat actor. |
| ThreatStream.IP.Actor.published_ts | Date | The date the threat actor was published. |
| ThreatStream.IP.Actor.resource_level | Unknown | The resource level of the threat actor. |
| ThreatStream.IP.Actor.resource_uri | String | The resource URI of the threat actor. |
| ThreatStream.IP.Actor.source_created | Unknown | The date the source was created. |
| ThreatStream.IP.Actor.source_modified | Unknown | The date the source was modified. |
| ThreatStream.IP.Actor.start_date | Unknown | The start date. |
| ThreatStream.IP.Actor.tags | String | The tags of the threat indicator. |
| ThreatStream.IP.Actor.tags_v2.id | String | The ID of the tag. |
| ThreatStream.IP.Actor.tags_v2.name | String | The name of the tag. |
| ThreatStream.IP.Actor.tlp | String | The TLP of the threat actor. |
| ThreatStream.IP.Actor.uuid | String | The UUID of the threat actor. |
| ThreatStream.IP.Signature.assignee_user | Unknown | The assignee user of the signature. |
| ThreatStream.IP.Signature.association_info.comment | Unknown | The comment in the association info of the signature. |
| ThreatStream.IP.Signature.association_info.created | Date | The date the association info was created. |
| ThreatStream.IP.Signature.association_info.from_id | Number | The ID from which the association info is related. |
| ThreatStream.IP.Signature.can_add_public_tags | Boolean | Whether you can add public tags to the signature. |
| ThreatStream.IP.Signature.created_ts | Date | The date the signature was created. |
| ThreatStream.IP.Signature.feed_id | Number | The feed ID of the signature. |
| ThreatStream.IP.Signature.id | Number | The ID of the signature. |
| ThreatStream.IP.Signature.is_anonymous | Boolean | Whether the signature was anonymous. |
| ThreatStream.IP.Signature.is_cloneable | String | Whether the signature is cloneable. |
| ThreatStream.IP.Signature.is_public | Boolean | Whether the signature is public. |
| ThreatStream.IP.Signature.is_team | Boolean | Whether the signature is a team signature. |
| ThreatStream.IP.Signature.modified_ts | Date | The date the signature was modified. |
| ThreatStream.IP.Signature.name | String | The name of the signature. |
| ThreatStream.IP.Signature.organization_id | Number | The organization ID of the signature. |
| ThreatStream.IP.Signature.owner_user_id | Number | The owner user ID of the signature. |
| ThreatStream.IP.Signature.primary_motivation | Unknown | The primary motivation of the signature. |
| ThreatStream.IP.Signature.publication_status | String | The publication status of the signature. |
| ThreatStream.IP.Signature.published_ts | Date | The date the signature was published. |
| ThreatStream.IP.Signature.resource_level | Unknown | The resource level of the signature. |
| ThreatStream.IP.Signature.resource_uri | String | The resource URI of the signature. |
| ThreatStream.IP.Signature.source_created | Unknown | The date the source was created. |
| ThreatStream.IP.Signature.source_modified | Unknown | The date the source was modified. |
| ThreatStream.IP.Signature.start_date | Unknown | The start date. |
| ThreatStream.IP.Signature.tags | String | The tags of the threat indicator. |
| ThreatStream.IP.Signature.tags_v2.id | String | The ID of the tag. |
| ThreatStream.IP.Signature.tags_v2.name | String | The name of the tag. |
| ThreatStream.IP.Signature.tlp | String | The TLP of the signature. |
| ThreatStream.IP.Signature.uuid | String | The UUID of the signature. |
| ThreatStream.IP.ThreatBulletin.all_circles_visible | Boolean | Whether all of the circles are visible. |
| ThreatStream.IP.ThreatBulletin.assignee_org | String | The assignee organization. |
| ThreatStream.IP.ThreatBulletin.assignee_org_id | String | The assignee organization ID. |
| ThreatStream.IP.ThreatBulletin.assignee_org_name | String | The assignee organization name. |
| ThreatStream.IP.ThreatBulletin.assignee_user | String | The assignee user. |
| ThreatStream.IP.ThreatBulletin.assignee_user_id | String | The assignee user ID. |
| ThreatStream.IP.ThreatBulletin.assignee_user_name | Unknown | The assignee user name. |
| ThreatStream.IP.ThreatBulletin.association_info.comment | Unknown | The comment in the association info of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.association_info.created | Date | The date the association info was created. |
| ThreatStream.IP.ThreatBulletin.association_info.from_id | String | The ID from which the association info is related. |
| ThreatStream.IP.ThreatBulletin.body_content_type | String | The body content type. |
| ThreatStream.IP.ThreatBulletin.campaign | Unknown | The campaign of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.can_add_public_tags | Boolean | Whether you can add public tags. |
| ThreatStream.IP.ThreatBulletin.created_ts | Date | The date the threat bulletin was created. |
| ThreatStream.IP.ThreatBulletin.feed_id | Number | The feed ID of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.id | String | The ID of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.is_anonymous | Boolean | Whether the threat bulletin is anonymous. |
| ThreatStream.IP.ThreatBulletin.is_cloneable | String | Whether the threat bulletin is cloneable. |
| ThreatStream.IP.ThreatBulletin.is_editable | Boolean | Whether the threat bulletin is editable. |
| ThreatStream.IP.ThreatBulletin.is_email | Boolean | Whether the threat bulletin is an email. |
| ThreatStream.IP.ThreatBulletin.is_public | Boolean | Whether the threat bulletin is public. |
| ThreatStream.IP.ThreatBulletin.modified_ts | Date | The date the threat bulletin was modified. |
| ThreatStream.IP.ThreatBulletin.name | String | The name of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.original_source | String | The original source of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.original_source_id | Unknown | The original source ID of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.owner_org.id | String | The owner organization ID. |
| ThreatStream.IP.ThreatBulletin.owner_org.name | String | The owner organization name. |
| ThreatStream.IP.ThreatBulletin.owner_org.resource_uri | String | The owner organization URI. |
| ThreatStream.IP.ThreatBulletin.owner_org_id | Number | The ID of the owner organization. |
| ThreatStream.IP.ThreatBulletin.owner_org_name | String | The name of the owner organization. |
| ThreatStream.IP.ThreatBulletin.owner_user.avatar_s3_url | Unknown | The avatar URL of the owner user. |
| ThreatStream.IP.ThreatBulletin.owner_user.can_share_intelligence | Boolean | Whether you can share intelligence. |
| ThreatStream.IP.ThreatBulletin.owner_user.email | String | The email of the owner user. |
| ThreatStream.IP.ThreatBulletin.owner_user.id | String | The ID of the owner user. |
| ThreatStream.IP.ThreatBulletin.owner_user.is_active | Boolean | Whether the owner user is active. |
| ThreatStream.IP.ThreatBulletin.owner_user.is_readonly | Boolean | Whether the owner user has read-only permission. |
| ThreatStream.IP.ThreatBulletin.owner_user.must_change_password | Boolean | Whether the owner user must change the password. |
| ThreatStream.IP.ThreatBulletin.owner_user.name | String | The owner user name. |
| ThreatStream.IP.ThreatBulletin.owner_user.nickname | String | The owner user nickname. |
| ThreatStream.IP.ThreatBulletin.owner_user.organization.id | String | The ID of the owner user organization. |
| ThreatStream.IP.ThreatBulletin.owner_user.organization.name | String | The name of the owner user organization. |
| ThreatStream.IP.ThreatBulletin.owner_user.organization.resource_uri | String | The resource URI of the owner user organization. |
| ThreatStream.IP.ThreatBulletin.owner_user.resource_uri | String | The resource URI of the owner user. |
| ThreatStream.IP.ThreatBulletin.owner_user_id | Number | The owner user ID of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.owner_user_name | String | The owner user name of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.parent | Unknown | The parent of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.published_ts | Unknown | The date the threat bulletin was published. |
| ThreatStream.IP.ThreatBulletin.resource_uri | String | The resource URI of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.source | Unknown | The source of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.source_created | Unknown | The date the source was created. |
| ThreatStream.IP.ThreatBulletin.source_modified | Unknown | The date the source was modified. |
| ThreatStream.IP.ThreatBulletin.starred_by_me | Boolean | Whether the threat bulletin was starred by me. |
| ThreatStream.IP.ThreatBulletin.starred_total_count | Number | The total number of times the threat bulletin was starred. |
| ThreatStream.IP.ThreatBulletin.status | String | The status of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.threat_actor | Unknown | The threat actor of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.tlp | Unknown | The TLP of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.ttp | Unknown | The TTP of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.uuid | String | The UUID of the threat bulletin. |
| ThreatStream.IP.ThreatBulletin.votes.me | Unknown | The number of votes by me. |
| ThreatStream.IP.ThreatBulletin.votes.total | Number | The number of total votes. |
| ThreatStream.IP.ThreatBulletin.watched_by_me | Boolean | Whether the threat bulletin was watched by me. |
| ThreatStream.IP.ThreatBulletin.watched_total_count | Number | The total number of watchers. |
| ThreatStream.IP.TTP.assignee_user | Unknown | The assignee user of the TTP. |
| ThreatStream.IP.TTP.association_info.comment | Unknown | The comment in the association info of the TTP. |
| ThreatStream.IP.TTP.association_info.created | Date | The date the association info was created. |
| ThreatStream.IP.TTP.association_info.from_id | Number | The ID from which the association info is related. |
| ThreatStream.IP.TTP.can_add_public_tags | Boolean | Whether you can add public tags to the TTP. |
| ThreatStream.IP.TTP.created_ts | Date | The date the TTP was created. |
| ThreatStream.IP.TTP.feed_id | Number | The feed ID of the TTP. |
| ThreatStream.IP.TTP.id | Number | The ID of the TTP. |
| ThreatStream.IP.TTP.is_anonymous | Boolean | Whether the TTP was anonymous. |
| ThreatStream.IP.TTP.is_cloneable | String | Whether the TTP was cloneable. |
| ThreatStream.IP.TTP.is_public | Boolean | Whether the TTP is public. |
| ThreatStream.IP.TTP.is_team | Boolean | Whether the TTP is a team. |
| ThreatStream.IP.TTP.modified_ts | Date | The date the TTP was modified. |
| ThreatStream.IP.TTP.name | String | The name of the TTP. |
| ThreatStream.IP.TTP.organization_id | Number | The organization ID of the TTP. |
| ThreatStream.IP.TTP.owner_user_id | Number | The owner user ID of the TTP. |
| ThreatStream.IP.TTP.primary_motivation | Unknown | The primary motivation of the TTP. |
| ThreatStream.IP.TTP.publication_status | String | The publication status of the TTP. |
| ThreatStream.IP.TTP.published_ts | Date | The date the TTP was published. |
| ThreatStream.IP.TTP.resource_level | Unknown | The resource level of the TTP. |
| ThreatStream.IP.TTP.resource_uri | String | The resource URI of the TTP. |
| ThreatStream.IP.TTP.source_created | Unknown | The date the source was created. |
| ThreatStream.IP.TTP.source_modified | Unknown | The date the source was modified. |
| ThreatStream.IP.TTP.start_date | Unknown | The start date. |
| ThreatStream.IP.TTP.tags | String | The tags of the threat indicator. |
| ThreatStream.IP.TTP.tags_v2.id | String | The ID of the tag. |
| ThreatStream.IP.TTP.tags_v2.name | String | The name of the tag. |
| ThreatStream.IP.TTP.tlp | String | The TLP of the TTP. |
| ThreatStream.IP.TTP.uuid | String | The UUID of the TTP. |
| ThreatStream.IP.Vulnerability.assignee_user | Unknown | The assignee user of the vulnerability. |
| ThreatStream.IP.Vulnerability.association_info.comment | Unknown | The comment in the association info of the vulnerability. |
| ThreatStream.IP.Vulnerability.association_info.created | Date | The date the association info was created. |
| ThreatStream.IP.Vulnerability.association_info.from_id | Number | The ID from which the association info is related. |
| ThreatStream.IP.Vulnerability.can_add_public_tags | Boolean | Whether you can add public tags to the vulnerability. |
| ThreatStream.IP.Vulnerability.circles.id | String | The ID of the circle. |
| ThreatStream.IP.Vulnerability.circles.name | String | The name of the circle. |
| ThreatStream.IP.Vulnerability.circles.resource_uri | String | The resource URI of the circle. |
| ThreatStream.IP.Vulnerability.created_ts | Date | The date the vulnerability was created. |
| ThreatStream.IP.Vulnerability.feed_id | Number | The feed ID of the vulnerability. |
| ThreatStream.IP.Vulnerability.id | Number | The ID of the vulnerability. |
| ThreatStream.IP.Vulnerability.is_anonymous | Boolean | Whether the vulnerability is anonymous. |
| ThreatStream.IP.Vulnerability.is_cloneable | String | Whether the vulnerability is cloneable. |
| ThreatStream.IP.Vulnerability.is_public | Boolean | Whether the vulnerability is public. |
| ThreatStream.IP.Vulnerability.is_system | Boolean | Whether the vulnerability is in the system. |
| ThreatStream.IP.Vulnerability.modified_ts | Date | The date the vulnerability was modified. |
| ThreatStream.IP.Vulnerability.name | String | The name of the vulnerability. |
| ThreatStream.IP.Vulnerability.organization_id | Number | The organization ID of the vulnerability. |
| ThreatStream.IP.Vulnerability.owner_user_id | Unknown | The owner user ID of the vulnerability. |
| ThreatStream.IP.Vulnerability.publication_status | String | The publication status of the vulnerability. |
| ThreatStream.IP.Vulnerability.published_ts | Date | The date the vulnerability was published. |
| ThreatStream.IP.Vulnerability.resource_uri | String | The resource URI of the vulnerability. |
| ThreatStream.IP.Vulnerability.source | String | The source of the vulnerability. |
| ThreatStream.IP.Vulnerability.source_created | Unknown | The date the source was created. |
| ThreatStream.IP.Vulnerability.source_modified | Unknown | The date the source was modified. |
| ThreatStream.IP.Vulnerability.tags | String | The tags of the vulnerability. |
| ThreatStream.IP.Vulnerability.tags_v2.id | String | The ID of the tag. |
| ThreatStream.IP.Vulnerability.tags_v2.name | String | The name of the tag. |
| ThreatStream.IP.Vulnerability.tlp | String | The TLP of the vulnerability. |
| ThreatStream.IP.Vulnerability.update_id | Number | The update ID of the vulnerability. |
| ThreatStream.IP.Vulnerability.uuid | String | The UUID of the vulnerability. |
| ThreatStream.IP.Campaign.assignee_user | Unknown | The assignee user of the campaign. |
| ThreatStream.IP.Campaign.association_info.comment | Unknown | The comment in the association info of the campaign. |
| ThreatStream.IP.Campaign.association_info.created | Date | The date the association info was created. |
| ThreatStream.IP.Campaign.association_info.from_id | Number | The ID from which the association info is related. |
| ThreatStream.IP.Campaign.can_add_public_tags | Boolean | Whether you can add public tags to the campaign. |
| ThreatStream.IP.Campaign.created_ts | Date | The date the campaign was created. |
| ThreatStream.IP.Campaign.end_date | Unknown | The end date of the campaign. |
| ThreatStream.IP.Campaign.feed_id | Number | The feed ID of the campaign. |
| ThreatStream.IP.Campaign.id | Number | The ID of the campaign. |
| ThreatStream.IP.Campaign.is_anonymous | Boolean | Whether the campaign is anonymous. |
| ThreatStream.IP.Campaign.is_cloneable | String | Whether the campaign is cloneable. |
| ThreatStream.IP.Campaign.is_public | Boolean | Whether the campaign is public. |
| ThreatStream.IP.Campaign.modified_ts | Date | The date the campaign was modified. |
| ThreatStream.IP.Campaign.name | String | The name of the campaign. |
| ThreatStream.IP.Campaign.objective | Unknown | The objective of the campaign. |
| ThreatStream.IP.Campaign.organization_id | Number | The organization ID of the campaign. |
| ThreatStream.IP.Campaign.owner_user_id | Number | The owner user ID of the campaign. |
| ThreatStream.IP.Campaign.publication_status | String | The publication status of the campaign. |
| ThreatStream.IP.Campaign.published_ts | Unknown | The date the campaign was published. |
| ThreatStream.IP.Campaign.resource_uri | String | The resource URI of the campaign. |
| ThreatStream.IP.Campaign.source_created | Date | The date the source was created. |
| ThreatStream.IP.Campaign.source_modified | Date | The date the source was modified. |
| ThreatStream.IP.Campaign.start_date | Unknown | The start date of the campaign. |
| ThreatStream.IP.Campaign.status.display_name | String | The display name of the status. |
| ThreatStream.IP.Campaign.status.id | Number | The ID of the status of the campaign. |
| ThreatStream.IP.Campaign.status.resource_uri | String | The resource URI of the status of the campaign. |
| ThreatStream.IP.Campaign.tlp | String | The TLP of the campaign. |
| ThreatStream.IP.Campaign.uuid | String | The UUID of the campaign. |

Command example

!ip ip=23.98.23.98 threat_model_association=True

Context Example

{
    "DBotScore": {
        "Indicator": "23.98.23.98",
        "Reliability": "B - Usually reliable",
        "Score": 3,
        "Type": "ip",
        "Vendor": "Anomali ThreatStream v3 May"
    },
    "IP": {
        "Address": "23.98.23.98",
        "Malicious": {
            "Description": null,
            "Vendor": "Anomali ThreatStream v3 May"
        },
        "Relationships": [
            {
                "EntityA": "23.98.23.98",
                "EntityAType": "IP",
                "EntityB": "Test Investigation",
                "EntityBType": "Campaign",
                "Relationship": "related-to"
            }
        ],
        "Tags": [
            "apt",
            "PANW_Test"
        ],
        "ThreatTypes": [
            {
                "threatcategory": "apt",
                "threatcategoryconfidence": null
            }
        ]
    },
    "ThreatStream": {
        "IP": {
            "ASN": "",
            "Actor": [],
            "Address": "23.98.23.98",
            "Campaign": [
                {
                    "assignee_user": {
                        "email": "user@email.com",
                        "id": "111",
                        "name": "",
                        "resource_uri": "/api/v1/user/111/"
                    },
                    "association_info": [
                        {
                            "comment": null,
                            "created": "2022-08-01T09:52:10.246877",
                            "from_id": 239450621,
                            "sro": {}
                        }
                    ],
                    "can_add_public_tags": true,
                    "circles": [],
                    "created_ts": "2022-08-01T09:52:10.252091",
                    "end_date": null,
                    "feed_id": 0,
                    "id": 111111,
                    "intelligence_initiatives": [],
                    "is_anonymous": false,
                    "is_cloneable": "yes",
                    "is_public": false,
                    "modified_ts": "2022-08-01T09:52:10.246877",
                    "name": "Test Investigation",
                    "objective": null,
                    "organization_id": 88,
                    "owner_user_id": 111,
                    "publication_status": "new",
                    "published_ts": null,
                    "resource_uri": "/api/v1/campaign/111111/",
                    "source_created": null,
                    "source_modified": null,
                    "start_date": null,
                    "status": {
                        "display_name": "Ongoing",
                        "id": 1,
                        "resource_uri": "/api/v1/campaignstatus/1/"
                    },
                    "tags": [],
                    "tags_v2": [],
                    "tlp": "white",
                    "uuid": "9b7872f1-beb7-42d7-a500-d37df74af644",
                    "workgroups": []
                }
            ],
            "Confidence": 100,
            "Country": null,
            "IType": "apt_ip",
            "Modified": "2022-08-01T09:46:41.715Z",
            "Organization": "",
            "Severity": "very-high",
            "Signature": [],
            "Source": "Analyst",
            "Status": "active",
            "TTP": [],
            "Tags": [
                "apt",
                "PANW_Test"
            ],
            "ThreatBulletin": [],
            "Type": "ip",
            "Vulnerability": []
        }
    }
}

Human Readable Output

IP reputation for: 23.98.23.98

| ASN | Address | Confidence | Country | IType | Modified | Organization | Severity | Source | Status | Tags | Type |
| | 23.98.23.98 | 100 | | apt_ip | 2022-08-01T09:46:41.715Z | | very-high | Analyst | active | apt, PANW_Test | ip |

Actor details:

No entries.

Signature details:

No entries.

ThreatBulletin details:

No entries.

TTP details:

No entries.

Vulnerability details:

No entries.

Campaign details:

| name | id |
| Test Investigation | 111111 |

domain

Checks the reputation of the given domain name.

Base Command

domain

Input

| Argument Name | Description | Required |
| domain | The domain name to check. | Required |
| threshold | If confidence is greater than the threshold, the domain is considered malicious; otherwise it is considered good. This argument overrides the default domain threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with an inactive status. Possible values are: True, False. | Optional |
| threat_model_association | Enhance generic reputation commands to include additional information such as Threat Bulletins, Attack patterns, Actors, Campaigns, TTPs, vulnerabilities, etc. Note: If set to true, 6 additional API calls will be performed. Possible values are: True, False. Default is False. | Optional |

Context Output

| Path | Type | Description |
| Domain.Name | String | The domain name. |
| Domain.DNS | String | The IP addresses resolved by the DNS. |
| Domain.WHOIS.CreationDate | Date | The date the domain was created. The date format is: YYYYMMDDThhmmss, where T denotes the start of the value for time in UTC time. |
| Domain.WHOIS.UpdatedDate | Date | The date the domain was last updated. The date format is: YYYYMMDDThhmmss, where T denotes the start of the value for time in UTC time. |
| Domain.WHOIS.Registrant.Name | String | The registrant name. |
| Domain.WHOIS.Registrant.Email | String | The registrant email address. |
| Domain.WHOIS.Registrant.Phone | String | The registrant phone number. |
| ThreatStream.Domain.ASN | String | The Autonomous System (AS) number associated with the indicator. |
| ThreatStream.Domain.Address | String | The indicator domain name. |
| ThreatStream.Domain.Country | String | The country associated with the indicator. |
| ThreatStream.Domain.Type | String | The indicator type. |
| ThreatStream.Domain.Modified | String | The date and time the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time in UTC time. |
| ThreatStream.Domain.Severity | String | The indicator severity ("very-high", "high", "medium", "low"). |
| ThreatStream.Domain.Confidence | String | The observable certainty level of a reported indicator type. Confidence score ranges from 0-100, in increasing order of confidence. |
| ThreatStream.Domain.Status | String | The status assigned to the indicator. |
| ThreatStream.Domain.Organization | String | The name of the business that owns the IP address associated with the indicator. |
| ThreatStream.Domain.Source | String | The indicator source. |
| Domain.Malicious.Vendor | String | The vendor that reported the indicator as malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| ThreatStream.Domain.Tags | Unknown | Tags assigned to the domain. |
| ThreatStream.Domain.IType | String | The itype of the indicator associated with the specified model. |
| Domain.Tags | Unknown | List of domain tags. |
| Domain.ThreatTypes | Unknown | Threat types associated with the domain. |
| ThreatStream.Domain.Actor.assignee_user | Unknown | The assignee user of the threat actor. |
| ThreatStream.Domain.Actor.association_info.comment | Unknown | The comment in the association info of the threat actor. |
| ThreatStream.Domain.Actor.association_info.created | Date | The date the association info was created. |
| ThreatStream.Domain.Actor.association_info.from_id | Number | The ID from which the association info is related. |
| ThreatStream.Domain.Actor.can_add_public_tags | Boolean | Whether you can add public tags to the threat actor. |
| ThreatStream.Domain.Actor.created_ts | Date | The date the threat actor was created. |
| ThreatStream.Domain.Actor.feed_id | Number | The feed ID of the threat actor. |
| ThreatStream.Domain.Actor.id | Number | The ID of the threat actor. |
| ThreatStream.Domain.Actor.is_anonymous | Boolean | Whether the threat actor is anonymous. |
| ThreatStream.Domain.Actor.is_cloneable | String | Whether the threat actor is cloneable. |
| ThreatStream.Domain.Actor.is_public | Boolean | Whether the threat actor is public. |
| ThreatStream.Domain.Actor.is_team | Boolean | Whether the threat actor is a team. |
| ThreatStream.Domain.Actor.modified_ts | Date | The date the threat actor was modified. |
| ThreatStream.Domain.Actor.name | String | The name of the threat actor. |
| ThreatStream.Domain.Actor.organization_id | Number | The organization ID of the threat actor. |
| ThreatStream.Domain.Actor.owner_user_id | Number | The owner user ID of the threat actor. |
| ThreatStream.Domain.Actor.primary_motivation | Unknown | The primary motivation of the threat actor. |
| ThreatStream.Domain.Actor.publication_status | String | The publication status of the threat actor. |
| ThreatStream.Domain.Actor.published_ts | Date | The date the threat actor was published. |
| ThreatStream.Domain.Actor.resource_level | Unknown | The resource level of the threat actor. |
| ThreatStream.Domain.Actor.resource_uri | String | The resource URI of the threat actor. |
| ThreatStream.Domain.Actor.source_created | Unknown | The date the source was created. |
| ThreatStream.Domain.Actor.source_modified | Unknown | The date the source was modified. |
| ThreatStream.Domain.Actor.start_date | Unknown | The start date. |
| ThreatStream.Domain.Actor.tags | String | The tags of the threat indicator. |
| ThreatStream.Domain.Actor.tags_v2.id | String | The ID of the tag. |
| ThreatStream.Domain.Actor.tags_v2.name | String | The name of the tag. |
| ThreatStream.Domain.Actor.tlp | String | The TLP of the threat actor. |
| ThreatStream.Domain.Actor.uuid | String | The UUID of the threat actor. |
| ThreatStream.Domain.Signature.assignee_user | Unknown | The assignee user of the signature. |
| ThreatStream.Domain.Signature.association_info.comment | Unknown | The comment in the association info of the signature. |
| ThreatStream.Domain.Signature.association_info.created | Date | The date the association info was created. |
| ThreatStream.Domain.Signature.association_info.from_id | Number | The ID from which the association info is related. |
| ThreatStream.Domain.Signature.can_add_public_tags | Boolean | Whether you can add public tags to the signature. |
| ThreatStream.Domain.Signature.created_ts | Date | The date the signature was created. |
| ThreatStream.Domain.Signature.feed_id | Number | The feed ID of the signature. |
| ThreatStream.Domain.Signature.id | Number | The ID of the signature. |
| ThreatStream.Domain.Signature.is_anonymous | Boolean | Whether the signature is anonymous. |
| ThreatStream.Domain.Signature.is_cloneable | String | Whether the signature is cloneable. |
| ThreatStream.Domain.Signature.is_public | Boolean | Whether the signature is public. |
| ThreatStream.Domain.Signature.is_team | Boolean | Whether the signature is a team signature. |
| ThreatStream.Domain.Signature.modified_ts | Date | The date the signature was modified. |
| ThreatStream.Domain.Signature.name | String | The name of the signature. |
| ThreatStream.Domain.Signature.organization_id | Number | The organization ID of the signature. |
| ThreatStream.Domain.Signature.owner_user_id | Number | The owner user ID of the signature. |
| ThreatStream.Domain.Signature.primary_motivation | Unknown | The primary motivation of the signature. |
| ThreatStream.Domain.Signature.publication_status | String | The publication status of the signature. |
| ThreatStream.Domain.Signature.published_ts | Date | The date the signature was published. |
| ThreatStream.Domain.Signature.resource_level | Unknown | The resource level of the signature. |
| ThreatStream.Domain.Signature.resource_uri | String | The resource URI of the signature. |
| ThreatStream.Domain.Signature.source_created | Unknown | The date the source was created. |
| ThreatStream.Domain.Signature.source_modified | Unknown | The date the source was modified. |
| ThreatStream.Domain.Signature.start_date | Unknown | The start date. |
| ThreatStream.Domain.Signature.tags | String | The tags of the threat indicator. |
| ThreatStream.Domain.Signature.tags_v2.id | String | The ID of the tag. |
| ThreatStream.Domain.Signature.tags_v2.name | String | The name of the tag. |
| ThreatStream.Domain.Signature.tlp | String | The TLP of the signature. |
| ThreatStream.Domain.Signature.uuid | String | The UUID of the signature. |
| ThreatStream.Domain.ThreatBulletin.all_circles_visible | Boolean | Whether all of the circles are visible. |
| ThreatStream.Domain.ThreatBulletin.assignee_org | String | The assignee organization. |
| ThreatStream.Domain.ThreatBulletin.assignee_org_id | String | The assignee organization ID. |
| ThreatStream.Domain.ThreatBulletin.assignee_org_name | String | The assignee organization name. |
| ThreatStream.Domain.ThreatBulletin.assignee_user | String | The assignee user. |
| ThreatStream.Domain.ThreatBulletin.assignee_user_id | String | The assignee user ID. |
| ThreatStream.Domain.ThreatBulletin.assignee_user_name | Unknown | The assignee user name. |
| ThreatStream.Domain.ThreatBulletin.association_info.comment | Unknown | The comment in the association info of the threat bulletin. |
| ThreatStream.Domain.ThreatBulletin.association_info.created | Date | The date the association info was created. |
| ThreatStream.Domain.ThreatBulletin.association_info.from_id | String | The ID from which the association info is related. |
| ThreatStream.Domain.ThreatBulletin.body_content_type | String | The body content type. |
| ThreatStream.Domain.ThreatBulletin.campaign | Unknown | The campaign of the threat bulletin. |
| ThreatStream.Domain.ThreatBulletin.can_add_public_tags | Boolean | Whether you can add public tags. |
| ThreatStream.Domain.ThreatBulletin.created_ts | Date | The date the threat bulletin was created. |
| ThreatStream.Domain.ThreatBulletin.feed_id | Number | The feed ID of the threat bulletin. |
| ThreatStream.Domain.ThreatBulletin.id | String | The ID of the threat bulletin. |
| ThreatStream.Domain.ThreatBulletin.is_anonymous | Boolean | Whether the threat bulletin is anonymous. |
| ThreatStream.Domain.ThreatBulletin.is_cloneable | String | Whether the threat bulletin is cloneable. |
| ThreatStream.Domain.ThreatBulletin.is_editable | Boolean | Whether the threat bulletin is editable. |
| ThreatStream.Domain.ThreatBulletin.is_email | Boolean | Whether the threat bulletin is an email. |
| ThreatStream.Domain.ThreatBulletin.is_public | Boolean | Whether the threat bulletin is public. |
| ThreatStream.Domain.ThreatBulletin.modified_ts | Date | The date the threat bulletin was modified. |
ThreatStream.Domain.ThreatBulletin.nameStringThe name of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.original_sourceStringThe original source of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.original_source_idUnknownThe original source ID of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.owner_org.idStringThe owner organization ID.
ThreatStream.Domain.ThreatBulletin.owner_org.nameStringThe owner organization name.
ThreatStream.Domain.ThreatBulletin.owner_org.resource_uriStringThe owner organization URI.
ThreatStream.Domain.ThreatBulletin.owner_org_idNumberThe ID of the owner user.
ThreatStream.Domain.ThreatBulletin.owner_org_nameStringThe name of the owner organization.
ThreatStream.Domain.ThreatBulletin.owner_user.avatar_s3_urlUnknownThe URL of the owner user.
ThreatStream.Domain.ThreatBulletin.owner_user.can_share_intelligenceBooleanWhether you can share intelligence.
ThreatStream.Domain.ThreatBulletin.owner_user.emailStringThe email of the owner user.
ThreatStream.Domain.ThreatBulletin.owner_user.idStringThe ID of the owner user.
ThreatStream.Domain.ThreatBulletin.owner_user.is_activeBooleanWhether the owner user is active.
ThreatStream.Domain.ThreatBulletin.owner_user.is_readonlyBooleanWhether the owner user has read-only permission.
ThreatStream.Domain.ThreatBulletin.owner_user.must_change_passwordBooleanWhether the owner user must change the password.
ThreatStream.Domain.ThreatBulletin.owner_user.nameStringThe owner user name.
ThreatStream.Domain.ThreatBulletin.owner_user.nicknameStringThe owner user nickname.
ThreatStream.Domain.ThreatBulletin.owner_user.organization.idStringThe ID of the owner user organization.
ThreatStream.Domain.ThreatBulletin.owner_user.organization.nameStringThe name of the owner user organization.
ThreatStream.Domain.ThreatBulletin.owner_user.organization.resource_uriStringThe resource URI of the owner user organization.
ThreatStream.Domain.ThreatBulletin.owner_user.resource_uriStringThe resource URI of the owner user.
ThreatStream.Domain.ThreatBulletin.owner_user_idNumberThe owner user ID of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.owner_user_nameStringThe owner user name of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.parentUnknownThe parent of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.published_tsUnknownThe date the threat bulletin was published.
ThreatStream.Domain.ThreatBulletin.resource_uriStringThe resource URI of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.sourceUnknownThe source of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.source_createdUnknownThe date the source was created.
ThreatStream.Domain.ThreatBulletin.source_modifiedUnknownThe date the source was modified.
ThreatStream.Domain.ThreatBulletin.starred_by_meBooleanWhether the threat bulletin was started by me.
ThreatStream.Domain.ThreatBulletin.starred_total_countNumberThe total number of times the threat bulletin was starred.
ThreatStream.Domain.ThreatBulletin.statusStringThe status of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.threat_actorUnknownThe threat actor of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.tlpUnknownThe TLP of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.ttpUnknownThe TTP of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.uuidStringThe UUID of the threat bulletin.
ThreatStream.Domain.ThreatBulletin.votes.meUnknownThe number of votes by me.
ThreatStream.Domain.ThreatBulletin.votes.totalNumberThe number of total votes.
ThreatStream.Domain.ThreatBulletin.watched_by_meBooleanWhether the threat bulletin was watched by me.
ThreatStream.Domain.ThreatBulletin.watched_total_countNumberThe total number of watchers.
ThreatStream.Domain.TTP.assignee_userUnknownThe assignee user of the TTP.
ThreatStream.Domain.TTP.association_info.commentUnknownThe comment in the association info of the TTP.
ThreatStream.Domain.TTP.association_info.createdDateThe date the association info was created.
ThreatStream.Domain.TTP.association_info.from_idNumberThe ID from which the association info is related.
ThreatStream.Domain.TTP.can_add_public_tagsBooleanWhether you can add public tags to the TTP.
ThreatStream.Domain.TTP.created_tsDateThe date the TTP was created.
ThreatStream.Domain.TTP.feed_idNumberThe feed ID of the TTP.
ThreatStream.Domain.TTP.idNumberThe ID of the TTP.
ThreatStream.Domain.TTP.is_anonymousBooleanWhether the TTP was anonymous.
ThreatStream.Domain.TTP.is_cloneableStringWhether the TTP was cloneable.
ThreatStream.Domain.TTP.is_publicBooleanWhether the TTP is public.
ThreatStream.Domain.TTP.is_teamBooleanWhether the TTP is a team.
ThreatStream.Domain.TTP.modified_tsDateThe date the TTP was modified.
ThreatStream.Domain.TTP.nameStringThe name of the TTP.
ThreatStream.Domain.TTP.organization_idNumberThe organization ID of the TTP.
ThreatStream.Domain.TTP.owner_user_idNumberThe owner user ID of the TTP.
ThreatStream.Domain.TTP.primary_motivationUnknownThe primary motivation of the TTP.
ThreatStream.Domain.TTP.publication_statusStringThe publication status of the TTP.
ThreatStream.Domain.TTP.published_tsDateThe date the TTP was published.
ThreatStream.Domain.TTP.resource_levelUnknownThe resource level of the TTP.
ThreatStream.Domain.TTP.resource_uriStringThe resource URI of the TTP.
ThreatStream.Domain.TTP.source_createdUnknownThe date the source was created.
ThreatStream.Domain.TTP.source_modifiedUnknownThe date the source was modified.
ThreatStream.Domain.TTP.start_dateUnknownThe start date.
ThreatStream.Domain.TTP.tagsStringThe tags of the threat indicator.
ThreatStream.Domain.TTP.tags_v2.idStringThe ID of the tag.
ThreatStream.Domain.TTP.tags_v2.nameStringThe name of the tag.
ThreatStream.Domain.TTP.tlpStringThe TLP of the TTP.
ThreatStream.Domain.TTP.uuidStringThe UUID of the TTP.
ThreatStream.Domain.Vulnerability.assignee_userUnknownThe assignee user of the vulnerability.
ThreatStream.Domain.Vulnerability.association_info.commentUnknownThe comment in the association info of the vulnerability.
ThreatStream.Domain.Vulnerability.association_info.createdDateThe date the association info was created.
ThreatStream.Domain.Vulnerability.association_info.from_idNumberThe ID from which the association info is related.
ThreatStream.Domain.Vulnerability.can_add_public_tagsBooleanWhether you can add public tags to the threat actor.
ThreatStream.Domain.Vulnerability.circles.idStringThe ID of the circle.
ThreatStream.Domain.Vulnerability.circles.nameStringThe name of the circle.
ThreatStream.Domain.Vulnerability.circles.resource_uriStringThe resource URI of the circle.
ThreatStream.Domain.Vulnerability.created_tsDateThe date the vulnerability was created.
ThreatStream.Domain.Vulnerability.feed_idNumberThe feed ID of the vulnerability.
ThreatStream.Domain.Vulnerability.idNumberThe ID of the vulnerability.
ThreatStream.Domain.Vulnerability.is_anonymousBooleanWhether the vulnerability is anonymous.
ThreatStream.Domain.Vulnerability.is_cloneableStringWhether the vulnerability is cloneable.
ThreatStream.Domain.Vulnerability.is_publicBooleanWhether the vulnerability is public.
ThreatStream.Domain.Vulnerability.is_systemBooleanWhether the vulnerability is in the system.
ThreatStream.Domain.Vulnerability.modified_tsDateThe date the vulnerability was modified.
ThreatStream.Domain.Vulnerability.nameStringThe name of the vulnerability.
ThreatStream.Domain.Vulnerability.organization_idNumberThe organization ID of the vulnerability.
ThreatStream.Domain.Vulnerability.owner_user_idUnknownThe owner user ID of the vulnerability.
ThreatStream.Domain.Vulnerability.publication_statusStringThe publication status of the vulnerability.
ThreatStream.Domain.Vulnerability.published_tsDateThe date the vulnerability was published.
ThreatStream.Domain.Vulnerability.resource_uriStringThe resource URI of the vulnerability.
ThreatStream.Domain.Vulnerability.sourceStringThe source of the vulnerability.
ThreatStream.Domain.Vulnerability.source_createdUnknownThe feed ID of the vulnerability.
ThreatStream.Domain.Vulnerability.source_modifiedUnknownWhether the source was modified.
ThreatStream.Domain.Vulnerability.tagsStringThe tags of the vulnerability.
ThreatStream.Domain.Vulnerability.tags_v2.idStringThe ID of the tag.
ThreatStream.Domain.Vulnerability.tags_v2.nameStringThe name of the tag.
ThreatStream.Domain.Vulnerability.tlpStringThe TLP of the vulnerability.
ThreatStream.Domain.Vulnerability.update_idNumberThe update ID of the vulnerability.
ThreatStream.Domain.Vulnerability.uuidStringThe UUID of the vulnerability.
ThreatStream.Domain.Campaign.assignee_userUnknownThe assignee user of the vulnerability.
ThreatStream.Domain.Campaign.association_info.commentUnknownThe comment in the association info of the vulnerability.
ThreatStream.Domain.Campaign.association_info.createdDateThe date the association info was created.
ThreatStream.Domain.Campaign.association_info.from_idNumberThe ID from which the association info is related.
ThreatStream.Domain.Campaign.can_add_public_tagsBooleanWhether you can add public tags to the campaign.
ThreatStream.Domain.Campaign.created_tsDateThe date the campaign was created.
ThreatStream.Domain.Campaign.end_dateUnknownThe end date of the campaign.
ThreatStream.Domain.Campaign.feed_idNumberThe feed ID of the campaign.
ThreatStream.Domain.Campaign.idNumberThe ID of the campaign.
ThreatStream.Domain.Campaign.is_anonymousBooleanWhether the campaign is anonymous.
ThreatStream.Domain.Campaign.is_cloneableStringWhether the campaign is cloneable.
ThreatStream.Domain.Campaign.is_publicBooleanWhether the campaign is public.
ThreatStream.Domain.Campaign.modified_tsDateThe date the campaign was modified.
ThreatStream.Domain.Campaign.nameStringThe name of the campaign.
ThreatStream.Domain.Campaign.objectiveUnknownThe objective of the campaign.
ThreatStream.Domain.Campaign.organization_idNumberThe organization ID of the campaign.
ThreatStream.Domain.Campaign.owner_user_idNumberThe owner user ID of the campaign.
ThreatStream.Domain.Campaign.publication_statusStringThe publication status of the campaign.
ThreatStream.Domain.Campaign.published_tsUnknownThe date the campaign was published.
ThreatStream.Domain.Campaign.resource_uriStringThe resource URI of the campaign.
ThreatStream.Domain.Campaign.source_createdDateThe date the campaign was created.
ThreatStream.Domain.Campaign.source_modifiedDateWhether the source was modified.
ThreatStream.Domain.Campaign.start_dateUnknownThe start date of the campaign.
ThreatStream.Domain.Campaign.status.display_nameStringThe display name of the status.
ThreatStream.Domain.Campaign.status.idNumberThe ID of the status of the campaign.
ThreatStream.Domain.Campaign.status.resource_uriStringThe resource URI of the status of the campaign.
ThreatStream.Domain.Campaign.tlpStringThe TLP of the campaign.
ThreatStream.Domain.Campaign.uuidStringThe UUID of the campaign.

Command example#

!domain domain=y.gp threat_model_association=True

Context Example#

{
  "DBotScore": {
    "Indicator": "y.gp",
    "Reliability": "B - Usually reliable",
    "Score": 2,
    "Type": "domain",
    "Vendor": "Anomali ThreatStream v3 May"
  },
  "Domain": {
    "CreationDate": "2021-03-31T10:17:13.553Z",
    "DNS": "1.2.4.5",
    "Geo": {
      "Country": "DE",
      "Location": "51.2993,9.491"
    },
    "Name": "y.gp",
    "Organization": "Hetzner Online GmbH",
    "Relationships": [
      {
        "EntityA": "y.gp",
        "EntityAType": "Domain",
        "EntityB": "1.2.4.5",
        "EntityBType": "IP",
        "Relationship": "resolved-from"
      }
    ],
    "Tags": [
      "malware"
    ],
    "ThreatTypes": [
      {
        "threatcategory": "malware",
        "threatcategoryconfidence": null
      }
    ],
    "TrafficLightProtocol": "amber",
    "UpdatedDate": "2021-03-31T10:17:56.207Z",
    "WHOIS": {
      "CreationDate": "2021-03-31T10:17:13.553Z",
      "UpdatedDate": "2021-03-31T10:17:56.207Z"
    }
  },
  "ThreatStream": {
    "Domain": {
      "ASN": "24940",
      "Actor": [],
      "Address": "y.gp",
      "Campaign": [],
      "Confidence": 50,
      "Country": "DE",
      "IType": "mal_domain",
      "Modified": "2021-03-31T10:17:56.207Z",
      "Organization": "Hetzner Online GmbH",
      "Severity": "very-high",
      "Signature": [],
      "Source": "Analyst",
      "Status": "active",
      "TTP": [],
      "Tags": [
        "malware"
      ],
      "ThreatBulletin": [],
      "Type": "domain",
      "Vulnerability": []
    }
  }
}

Human Readable Output#

Domain reputation for: y.gp#

ASN | Address | Confidence | Country | IType | Modified | Organization | Severity | Source | Status | Tags | Type
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
24940 | y.gp | 50 | DE | mal_domain | 2021-03-31T10:17:56.207Z | Hetzner Online GmbH | very-high | Analyst | active | malware | domain

Actor details:#

No entries.

Signature details:#

No entries.

ThreatBulletin details:#

No entries.

TTP details:#

No entries.

Vulnerability details:#

No entries.

Campaign details:#

No entries.

file#


Checks the reputation of the given hash of the file.

Base Command#

file

Input#

Argument Name | Description | Required
--- | --- | ---
file | The hash of the file to check. | Required
threshold | If the confidence is greater than the threshold, the file hash is considered malicious; otherwise it is considered good. This argument overrides the default file threshold defined as a parameter. | Optional
include_inactive | Whether to include results with an inactive status. Possible values are: True, False. | Optional
threat_model_association | Enhance generic reputation commands to include additional information such as Threat Bulletins, Attack Patterns, Actors, Campaigns, TTPs, Vulnerabilities, etc. Note: If set to True, 6 additional API calls are performed. Possible values are: True, False. Default is False. | Optional
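
The rules in this argument table, worked through in Python as an added example (not the integration's own code): `dbot_score` applies the `threshold` override on top of the integration's default confidence tiers, `filter_records` applies `include_inactive`, and `build_context` performs one lookup per associated threat-model type, so a counting stand-in makes the six extra calls visible. The sample records, the hash placeholders, the `CountingFetcher` class and the `fetch_associations` callable are constructed for this example and are not part of the integration's API.

```python
"""Model of the reputation-command rules documented for Anomali ThreatStream v3.

Added example, not the integration's own code. The default confidence tiers
(above 65 malicious, 25 to 65 suspicious, below 25 good) are the ones the
integration documents; the context example on this page (Confidence 50,
Score 2) is one instance of them.
"""
from typing import Callable, Dict, List, Optional

# DBotScore values used by Cortex XSOAR: 1 = Good, 2 = Suspicious, 3 = Malicious.
GOOD, SUSPICIOUS, MALICIOUS = 1, 2, 3

# The six threat-model types that threat_model_association=True pulls in,
# one API call each (the "6 additional API calls" in the argument table).
ASSOCIATION_MODELS = ("Actor", "Signature", "ThreatBulletin", "TTP",
                      "Vulnerability", "Campaign")

# Constructed sample records shaped like the ThreatStream context on this page.
# The md5 values are placeholders, not real indicators.
SAMPLE_RECORDS: List[Dict] = [
    {"value": "y.gp", "type": "domain", "confidence": 50, "status": "active"},
    {"value": "<md5-placeholder-1>", "type": "md5", "confidence": 80, "status": "inactive"},
    {"value": "<md5-placeholder-2>", "type": "md5", "confidence": 20, "status": "active"},
]


def dbot_score(confidence: int, threshold: Optional[int] = None) -> int:
    """Map a ThreatStream confidence (0-100) to a DBotScore.

    With a threshold (the command argument, which overrides the per-type
    instance parameter) the rule is binary: confidence strictly above the
    threshold is malicious, anything else is good. Without a threshold the
    default tiers apply.
    """
    if threshold is not None:
        return MALICIOUS if confidence > threshold else GOOD
    if confidence > 65:
        return MALICIOUS
    if confidence >= 25:
        return SUSPICIOUS
    return GOOD


def filter_records(records: List[Dict], include_inactive: bool) -> List[Dict]:
    """Apply include_inactive: drop indicators whose status is not active unless asked for."""
    if include_inactive:
        return list(records)
    return [r for r in records if r.get("status") == "active"]


def build_context(record: Dict, threshold: Optional[int], threat_model_association: bool,
                  fetch_associations: Callable[[str, str], List[Dict]]) -> Dict:
    """Build the DBotScore and ThreatStream context entry for one record.

    fetch_associations(model, value) stands in for the per-model API call; it is
    a hypothetical callable supplied by the caller, not a library function.
    """
    ctx = {
        "DBotScore": {
            "Indicator": record["value"],
            "Type": record["type"],
            "Vendor": "Anomali ThreatStream v3",
            "Score": dbot_score(record["confidence"], threshold),
        },
        "ThreatStream": {
            "Confidence": record["confidence"],
            "Status": record["status"],
            "Type": record["type"],
        },
    }
    if threat_model_association:
        # One call per model type; an empty list means no association, as in
        # the "No entries." sections of the human-readable output above.
        for model in ASSOCIATION_MODELS:
            ctx["ThreatStream"][model] = fetch_associations(model, record["value"])
    return ctx


class CountingFetcher:
    """Constructed stand-in for the remote API that only counts how often it is called."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, model: str, value: str) -> List[Dict]:
        self.calls += 1
        return []  # the constructed samples have no associated threat models


if __name__ == "__main__":
    fetcher = CountingFetcher()
    for rec in filter_records(SAMPLE_RECORDS, include_inactive=False):
        entry = build_context(rec, None, True, fetcher)
        print(rec["value"], "->", entry["DBotScore"]["Score"])
    print("association API calls:", fetcher.calls)
```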

Context Output#

Path | Type | Description
--- | --- | ---
File.MD5 | String | The MD5 hash of the file.
File.SHA1 | String | The SHA1 hash of the file.
File.SHA256 | String | The SHA256 hash of the file.
File.SHA512 | String | The SHA512 hash of the file.
File.Malicious.Vendor | String | The vendor that reported the indicator as malicious.
DBotScore.Indicator | String | The indicator that was tested.
DBotScore.Type | String | The indicator type.
DBotScore.Vendor | String | The vendor used to calculate the score.
DBotScore.Score | Number | The actual score.
ThreatStream.File.Severity | String | The indicator severity ("very-high", "high", "medium", "low").
ThreatStream.File.Confidence | String | The observable certainty level of a reported indicator type. The confidence score ranges from 0 to 100, in increasing order of confidence.
ThreatStream.File.Status | String | The status assigned to the indicator.
ThreatStream.File.Type | String | The indicator type.
ThreatStream.File.MD5 | String | The MD5 hash of the indicator.
ThreatStream.File.SHA1 | String | The SHA1 hash of the indicator.
ThreatStream.File.SHA256 | String | The SHA256 hash of the indicator.
ThreatStream.File.SHA512 | String | The SHA512 hash of the indicator.
ThreatStream.File.Modified | String | The date and time the indicator was last updated. The date format is YYYYMMDDThhmmss, where "T" denotes the start of the time portion of the value, in UTC.
ThreatStream.File.Source | String | The indicator source.
ThreatStream.File.Tags | Unknown | Tags assigned to the file.
ThreatStream.File.IType | String | The itype of the indicator associated with the specified model.
File.Tags | Unknown | List of file tags.
File.ThreatTypes | Unknown | Threat types associated with the file.
ThreatStream.File.Actor.assignee_user | Unknown | The assignee user of the threat actor.
ThreatStream.File.Actor.association_info.comment | Unknown | The comment in the association info of the threat actor.
ThreatStream.File.Actor.association_info.created | Date | The date the association info was created.
ThreatStream.File.Actor.association_info.from_id | Number | The ID from which the association info is related.
ThreatStream.File.Actor.can_add_public_tags | Boolean | Whether you can add public tags to the threat actor.
ThreatStream.File.Actor.created_ts | Date | The date the threat actor was created.
ThreatStream.File.Actor.feed_id | Number | The feed ID of the threat actor.
ThreatStream.File.Actor.id | Number | The ID of the threat actor.
ThreatStream.File.Actor.is_anonymous | Boolean | Whether the threat actor is anonymous.
ThreatStream.File.Actor.is_cloneable | String | Whether the threat actor is cloneable.
ThreatStream.File.Actor.is_public | Boolean | Whether the threat actor is public.
ThreatStream.File.Actor.is_team | Boolean | Whether the threat actor is a team.
ThreatStream.File.Actor.modified_ts | Date | The date the threat actor was modified.
ThreatStream.File.Actor.name | String | The name of the threat actor.
ThreatStream.File.Actor.organization_id | Number | The organization ID of the threat actor.
ThreatStream.File.Actor.owner_user_id | Number | The owner user ID of the threat actor.
ThreatStream.File.Actor.primary_motivation | Unknown | The primary motivation of the threat actor.
ThreatStream.File.Actor.publication_status | String | The publication status of the threat actor.
ThreatStream.File.Actor.published_ts | Date | The date the threat actor was published.
ThreatStream.File.Actor.resource_level | Unknown | The resource level of the threat actor.
ThreatStream.File.Actor.resource_uri | String | The resource URI of the threat actor.
ThreatStream.File.Actor.source_created | Unknown | The date the source was created.
ThreatStream.File.Actor.source_modified | Unknown | The date the source was modified.
ThreatStream.File.Actor.start_date | Unknown | The start date.
ThreatStream.File.Actor.tags | String | The tags of the threat indicator.
ThreatStream.File.Actor.tags_v2.id | String | The ID of the tag.
ThreatStream.File.Actor.tags_v2.name | String | The name of the tag.
ThreatStream.File.Actor.tlp | String | The TLP of the threat actor.
ThreatStream.File.Actor.uuid | String | The UUID of the threat actor.
ThreatStream.File.Signature.assignee_user | Unknown | The assignee user of the signature.
ThreatStream.File.Signature.association_info.comment | Unknown | The comment in the association info of the signature.
ThreatStream.File.Signature.association_info.created | Date | The date the association info was created.
ThreatStream.File.Signature.association_info.from_id | Number | The ID from which the association info is related.
ThreatStream.File.Signature.can_add_public_tags | Boolean | Whether you can add public tags to the signature.
ThreatStream.File.Signature.created_ts | Date | The date the signature was created.
ThreatStream.File.Signature.feed_id | Number | The feed ID of the signature.
ThreatStream.File.Signature.id | Number | The ID of the signature.
ThreatStream.File.Signature.is_anonymous | Boolean | Whether the signature is anonymous.
ThreatStream.File.Signature.is_cloneable | String | Whether the signature is cloneable.
ThreatStream.File.Signature.is_public | Boolean | Whether the signature is public.
ThreatStream.File.Signature.is_team | Boolean | Whether the signature is a team signature.
ThreatStream.File.Signature.modified_ts | Date | The date the signature was modified.
ThreatStream.File.Signature.name | String | The name of the signature.
ThreatStream.File.Signature.organization_id | Number | The organization ID of the signature.
ThreatStream.File.Signature.owner_user_id | Number | The owner user ID of the signature.
ThreatStream.File.Signature.primary_motivation | Unknown | The primary motivation of the signature.
ThreatStream.File.Signature.publication_status | String | The publication status of the signature.
ThreatStream.File.Signature.published_ts | Date | The date the signature was published.
ThreatStream.File.Signature.resource_level | Unknown | The resource level of the signature.
ThreatStream.File.Signature.resource_uri | String | The resource URI of the signature.
ThreatStream.File.Signature.source_created | Unknown | The date the source was created.
ThreatStream.File.Signature.source_modified | Unknown | The date the source was modified.
ThreatStream.File.Signature.start_date | Unknown | The start date.
ThreatStream.File.Signature.tags | String | The tags of the threat indicator.
ThreatStream.File.Signature.tags_v2.id | String | The ID of the tag.
ThreatStream.File.Signature.tags_v2.name | String | The name of the tag.
ThreatStream.File.Signature.tlp | String | The TLP of the signature.
ThreatStream.File.Signature.uuid | String | The UUID of the signature.
ThreatStream.File.ThreatBulletin.all_circles_visible | Boolean | Whether all of the circles are visible.
ThreatStream.File.ThreatBulletin.assignee_org | String | The assignee organization.
ThreatStream.File.ThreatBulletin.assignee_org_id | String | The assignee organization ID.
ThreatStream.File.ThreatBulletin.assignee_org_name | String | The assignee organization name.
ThreatStream.File.ThreatBulletin.assignee_user | String | The assignee user.
ThreatStream.File.ThreatBulletin.assignee_user_id | String | The assignee user ID.
ThreatStream.File.ThreatBulletin.assignee_user_name | Unknown | The assignee user name.
ThreatStream.File.ThreatBulletin.association_info.comment | Unknown | The comment in the association info of the threat bulletin.
ThreatStream.File.ThreatBulletin.association_info.created | Date | The date the association info was created.
ThreatStream.File.ThreatBulletin.association_info.from_id | String | The ID from which the association info is related.
ThreatStream.File.ThreatBulletin.body_content_type | String | The body content type.
ThreatStream.File.ThreatBulletin.campaign | Unknown | The campaign of the threat bulletin.
ThreatStream.File.ThreatBulletin.can_add_public_tags | Boolean | Whether you can add public tags.
ThreatStream.File.ThreatBulletin.created_ts | Date | The date the threat bulletin was created.
ThreatStream.File.ThreatBulletin.feed_id | Number | The feed ID of the threat bulletin.
ThreatStream.File.ThreatBulletin.id | String | The ID of the threat bulletin.
ThreatStream.File.ThreatBulletin.is_anonymous | Boolean | Whether the threat bulletin is anonymous.
ThreatStream.File.ThreatBulletin.is_cloneable | String | Whether the threat bulletin is cloneable.
ThreatStream.File.ThreatBulletin.is_editable | Boolean | Whether the threat bulletin is editable.
ThreatStream.File.ThreatBulletin.is_email | Boolean | Whether the threat bulletin is an email.
ThreatStream.File.ThreatBulletin.is_public | Boolean | Whether the threat bulletin is public.
ThreatStream.File.ThreatBulletin.modified_ts | Date | The date the threat bulletin was modified.
ThreatStream.File.ThreatBulletin.name | String | The name of the threat bulletin.
ThreatStream.File.ThreatBulletin.original_source | String | The original source of the threat bulletin.
ThreatStream.File.ThreatBulletin.original_source_id | Unknown | The original source ID of the threat bulletin.
ThreatStream.File.ThreatBulletin.owner_org.id | String | The owner organization ID.
ThreatStream.File.ThreatBulletin.owner_org.name | String | The owner organization name.
ThreatStream.File.ThreatBulletin.owner_org.resource_uri | String | The owner organization URI.
ThreatStream.File.ThreatBulletin.owner_org_id | Number | The ID of the owner organization.
ThreatStream.File.ThreatBulletin.owner_org_name | String | The name of the owner organization.
ThreatStream.File.ThreatBulletin.owner_user.avatar_s3_url | Unknown | The avatar URL of the owner user.
ThreatStream.File.ThreatBulletin.owner_user.can_share_intelligence | Boolean | Whether you can share intelligence.
ThreatStream.File.ThreatBulletin.owner_user.email | String | The email of the owner user.
ThreatStream.File.ThreatBulletin.owner_user.id | String | The ID of the owner user.
ThreatStream.File.ThreatBulletin.owner_user.is_active | Boolean | Whether the owner user is active.
ThreatStream.File.ThreatBulletin.owner_user.is_readonly | Boolean | Whether the owner user has read-only permission.
ThreatStream.File.ThreatBulletin.owner_user.must_change_password | Boolean | Whether the owner user must change the password.
ThreatStream.File.ThreatBulletin.owner_user.name | String | The owner user name.
ThreatStream.File.ThreatBulletin.owner_user.nickname | String | The owner user nickname.
ThreatStream.File.ThreatBulletin.owner_user.organization.id | String | The ID of the owner user organization.
ThreatStream.File.ThreatBulletin.owner_user.organization.name | String | The name of the owner user organization.
ThreatStream.File.ThreatBulletin.owner_user.organization.resource_uri | String | The resource URI of the owner user organization.
ThreatStream.File.ThreatBulletin.owner_user.resource_uri | String | The resource URI of the owner user.
ThreatStream.File.ThreatBulletin.owner_user_id | Number | The owner user ID of the threat bulletin.
ThreatStream.File.ThreatBulletin.owner_user_name | String | The owner user name of the threat bulletin.
ThreatStream.File.ThreatBulletin.parent | Unknown | The parent of the threat bulletin.
ThreatStream.File.ThreatBulletin.published_ts | Unknown | The date the threat bulletin was published.
ThreatStream.File.ThreatBulletin.resource_uri | String | The resource URI of the threat bulletin.
ThreatStream.File.ThreatBulletin.source | Unknown | The source of the threat bulletin.
ThreatStream.File.ThreatBulletin.source_created | Unknown | The date the source was created.
ThreatStream.File.ThreatBulletin.source_modified | Unknown | The date the source was modified.
ThreatStream.File.ThreatBulletin.starred_by_me | Boolean | Whether the threat bulletin was starred by me.
ThreatStream.File.ThreatBulletin.starred_total_count | Number | The total number of times the threat bulletin was starred.
ThreatStream.File.ThreatBulletin.status | String | The status of the threat bulletin.
ThreatStream.File.ThreatBulletin.threat_actor | Unknown | The threat actor of the threat bulletin.
ThreatStream.File.ThreatBulletin.tlp | Unknown | The TLP of the threat bulletin.
ThreatStream.File.ThreatBulletin.ttp | Unknown | The TTP of the threat bulletin.
ThreatStream.File.ThreatBulletin.uuid | String | The UUID of the threat bulletin.
ThreatStream.File.ThreatBulletin.votes.me | Unknown | The number of votes by me.
ThreatStream.File.ThreatBulletin.votes.total | Number | The total number of votes.
ThreatStream.File.ThreatBulletin.watched_by_me | Boolean | Whether the threat bulletin was watched by me.
ThreatStream.File.ThreatBulletin.watched_total_count | Number | The total number of watchers.
ThreatStream.File.TTP.assignee_user | Unknown | The assignee user of the TTP.
ThreatStream.File.TTP.association_info.comment | Unknown | The comment in the association info of the TTP.
ThreatStream.File.TTP.association_info.created | Date | The date the association info was created.
ThreatStream.File.TTP.association_info.from_id | Number | The ID from which the association info is related.
ThreatStream.File.TTP.can_add_public_tags | Boolean | Whether you can add public tags to the TTP.
ThreatStream.File.TTP.created_ts | Date | The date the TTP was created.
ThreatStream.File.TTP.feed_id | Number | The feed ID of the TTP.
ThreatStream.File.TTP.id | Number | The ID of the TTP.
ThreatStream.File.TTP.is_anonymous | Boolean | Whether the TTP is anonymous.
ThreatStream.File.TTP.is_cloneable | String | Whether the TTP is cloneable.
ThreatStream.File.TTP.is_public | Boolean | Whether the TTP is public.
ThreatStream.File.TTP.is_team | Boolean | Whether the TTP is a team TTP.
ThreatStream.File.TTP.modified_ts | Date | The date the TTP was modified.
ThreatStream.File.TTP.name | String | The name of the TTP.
ThreatStream.File.TTP.organization_id | Number | The organization ID of the TTP.
ThreatStream.File.TTP.owner_user_id | Number | The owner user ID of the TTP.
ThreatStream.File.TTP.primary_motivation | Unknown | The primary motivation of the TTP.
ThreatStream.File.TTP.publication_status | String | The publication status of the TTP.
ThreatStream.File.TTP.published_ts | Date | The date the TTP was published.
ThreatStream.File.TTP.resource_level | Unknown | The resource level of the TTP.
ThreatStream.File.TTP.resource_uri | String | The resource URI of the TTP.
ThreatStream.File.TTP.source_created | Unknown | The date the source was created.
ThreatStream.File.TTP.source_modified | Unknown | The date the source was modified.
ThreatStream.File.TTP.start_date | Unknown | The start date.
ThreatStream.File.TTP.tags | String | The tags of the threat indicator.
ThreatStream.File.TTP.tags_v2.id | String | The ID of the tag.
ThreatStream.File.TTP.tags_v2.name | String | The name of the tag.
ThreatStream.File.TTP.tlp | String | The TLP of the TTP.
ThreatStream.File.TTP.uuid | String | The UUID of the TTP.
ThreatStream.File.Vulnerability.assignee_user | Unknown | The assignee user of the vulnerability.
ThreatStream.File.Vulnerability.association_info.comment | Unknown | The comment in the association info of the vulnerability.
ThreatStream.File.Vulnerability.association_info.created | Date | The date the association info was created.
ThreatStream.File.Vulnerability.association_info.from_id | Number | The ID from which the association info is related.
ThreatStream.File.Vulnerability.can_add_public_tags | Boolean | Whether you can add public tags to the vulnerability.
ThreatStream.File.Vulnerability.circles.id | String | The ID of the circle.
ThreatStream.File.Vulnerability.circles.name | String | The name of the circle.
ThreatStream.File.Vulnerability.circles.resource_uri | String | The resource URI of the circle.
ThreatStream.File.Vulnerability.created_ts | Date | The date the vulnerability was created.
ThreatStream.File.Vulnerability.feed_id | Number | The feed ID of the vulnerability.
ThreatStream.File.Vulnerability.id | Number | The ID of the vulnerability.
ThreatStream.File.Vulnerability.is_anonymous | Boolean | Whether the vulnerability is anonymous.
ThreatStream.File.Vulnerability.is_cloneable | String | Whether the vulnerability is cloneable.
ThreatStream.File.Vulnerability.is_public | Boolean | Whether the vulnerability is public.
ThreatStream.File.Vulnerability.is_system | Boolean | Whether the vulnerability is in the system.
ThreatStream.File.Vulnerability.modified_ts | Date | The date the vulnerability was modified.
ThreatStream.File.Vulnerability.name | String | The name of the vulnerability.
ThreatStream.File.Vulnerability.organization_id | Number | The organization ID of the vulnerability.
ThreatStream.File.Vulnerability.owner_user_id | Unknown | The owner user ID of the vulnerability.
ThreatStream.File.Vulnerability.publication_status | String | The publication status of the vulnerability.
ThreatStream.File.Vulnerability.published_ts | Date | The date the vulnerability was published.
ThreatStream.File.Vulnerability.resource_uri | String | The resource URI of the vulnerability.
ThreatStream.File.Vulnerability.source | String | The source of the vulnerability.
ThreatStream.File.Vulnerability.source_created | Unknown | The date the source was created.
ThreatStream.File.Vulnerability.source_modified | Unknown | The date the source was modified.
ThreatStream.File.Vulnerability.tags | String | The tags of the vulnerability.
ThreatStream.File.Vulnerability.tags_v2.id | String | The ID of the tag.
ThreatStream.File.Vulnerability.tags_v2.name | String | The name of the tag.
ThreatStream.File.Vulnerability.tlp | String | The TLP of the vulnerability.
ThreatStream.File.Vulnerability.update_id | Number | The update ID of the vulnerability.
ThreatStream.File.Vulnerability.uuid | String | The UUID of the vulnerability.
ThreatStream.File.Campaign.assignee_user | Unknown | The assignee user of the campaign.
ThreatStream.File.Campaign.association_info.comment | Unknown | The comment in the association info of the campaign.
ThreatStream.File.Campaign.association_info.created | Date | The date the association info was created.
ThreatStream.File.Campaign.association_info.from_id | Number | The ID from which the association info is related.
ThreatStream.File.Campaign.can_add_public_tags | Boolean | Whether you can add public tags to the campaign.
ThreatStream.File.Campaign.created_ts | Date | The date the campaign was created.
ThreatStream.File.Campaign.end_date | Unknown | The end date of the campaign.
ThreatStream.File.Campaign.feed_id | Number | The feed ID of the campaign.
ThreatStream.File.Campaign.id | Number | The ID of the campaign.
ThreatStream.File.Campaign.is_anonymous | Boolean | Whether the campaign is anonymous.
ThreatStream.File.Campaign.is_cloneable | String | Whether the campaign is cloneable.
ThreatStream.File.Campaign.is_public | Boolean | Whether the campaign is public.
ThreatStream.File.Campaign.modified_ts | Date | The date the campaign was modified.
ThreatStream.File.Campaign.name | String | The name of the campaign.
ThreatStream.File.Campaign.objective | Unknown | The objective of the campaign.
ThreatStream.File.Campaign.organization_id | Number | The organization ID of the campaign.
ThreatStream.File.Campaign.owner_user_id | Number | The owner user ID of the campaign.
ThreatStream.File.Campaign.publication_status | String | The publication status of the campaign.
ThreatStream.File.Campaign.published_ts | Unknown | The date the campaign was published.
ThreatStream.File.Campaign.resource_uri | String | The resource URI of the campaign.
ThreatStream.File.Campaign.source_created | Date | The date the source was created.
ThreatStream.File.Campaign.source_modified | Date | The date the source was modified.
ThreatStream.File.Campaign.start_date | Unknown | The start date of the campaign.
ThreatStream.File.Campaign.status.display_name | String | The display name of the status.
ThreatStream.File.Campaign.status.idNumberThe ID of the status of the campaign.
ThreatStream.File.Campaign.status.resource_uriStringThe resource URI of the status of the campaign.
ThreatStream.File.Campaign.tlpStringThe TLP of the campaign.
ThreatStream.File.Campaign.uuidStringThe UUID of the campaign.

Command example#

!file file=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f threat_model_association=True

Context Example#

```json
{
  "DBotScore": {
    "Indicator": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    "Reliability": "B - Usually reliable",
    "Score": 2,
    "Type": "file",
    "Vendor": "Anomali ThreatStream v3 May"
  },
  "File": {
    "Hashes": [
      {
        "type": "SHA256",
        "value": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
      }
    ],
    "Relationships": [
      {
        "EntityA": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
        "EntityAType": "File",
        "EntityB": "Alert report",
        "EntityBType": "Threat Actor",
        "Relationship": "related-to"
      }
    ],
    "SHA256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    "Tags": [
      "apt"
    ],
    "ThreatTypes": [
      {
        "threatcategory": "apt",
        "threatcategoryconfidence": null
      }
    ],
    "TrafficLightProtocol": "red"
  },
  "ThreatStream": {
    "File": {
      "Actor": [
        {
          "aliases": [],
          "assignee_user": null,
          "association_info": [
            {
              "comment": null,
              "created": "2022-07-11T16:26:11.530823",
              "from_id": 366645476,
              "sro": {}
            }
          ],
          "can_add_public_tags": true,
          "circles": [],
          "created_ts": "2022-04-25T03:06:21.595651",
          "feed_id": 269,
          "id": 47096,
          "intelligence_initiatives": [],
          "is_anonymous": false,
          "is_cloneable": "yes",
          "is_public": true,
          "is_team": false,
          "modified_ts": "2022-07-11T16:30:00.437522",
          "name": "Alert report",
          "organization_id": 17,
          "owner_user_id": 327,
          "primary_motivation": null,
          "publication_status": "published",
          "published_ts": "2022-04-25T03:06:21.481665",
          "resource_level": null,
          "resource_uri": "/api/v1/actor/47096/",
          "source_created": null,
          "source_modified": null,
          "start_date": null,
          "tags": [
            "packetstorm",
            "microsoft"
          ],
          "tags_v2": [
            {
              "id": "gvp",
              "name": "microsoft"
            },
            {
              "id": "wli",
              "name": "packetstorm"
            }
          ],
          "tlp": "red",
          "uuid": "0db81103-6728-4051-9fe0-4022ae24cc24",
          "workgroups": []
        }
      ],
      "Campaign": [],
      "Confidence": 50,
      "IType": "apt_md5",
      "Modified": "2022-07-11T16:30:00.359Z",
      "SHA256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
      "Severity": "very-high",
      "Signature": [
        {
          "assignee_user": null,
          "association_info": [
            {
              "comment": null,
              "created": "2022-07-11T16:27:15.271832",
              "from_id": 366645476,
              "sro": {}
            }
          ],
          "can_add_public_tags": true,
          "circles": [],
          "created_ts": "2020-07-31T20:56:33.459260",
          "feed_id": 155,
          "id": 333,
          "intelligence_initiatives": [],
          "is_anonymous": false,
          "is_cloneable": "yes",
          "is_public": true,
          "modified_ts": "2022-08-02T06:20:19.772588",
          "name": "signature_threat_model_2",
          "organization_id": 39,
          "owner_user_id": 64,
          "publication_status": "published",
          "published_ts": "2020-07-31T20:56:33.295192",
          "resource_uri": "/api/v1/signature/333/",
          "s_type": "Carbon Black Query",
          "source_created": null,
          "source_modified": null,
          "tags": [
            "actor_tag1"
          ],
          "tags_v2": [
            {
              "id": "igh",
              "name": "actor_tag1"
            }
          ],
          "tlp": "white",
          "uuid": "4c0d74d9-6bd5-45c0-a288-5bc1d714eee8",
          "workgroups": []
        }
      ],
      "Source": "user@email.com",
      "Status": "active",
      "TTP": [
        {
          "assignee_user": null,
          "association_info": [
            {
              "comment": null,
              "created": "2022-07-11T16:27:43.327492",
              "from_id": 366645476,
              "sro": {}
            }
          ],
          "can_add_public_tags": true,
          "children": [],
          "circles": [],
          "created_ts": "2019-02-19T20:48:37.938265",
          "feed_id": 3,
          "id": 1500,
          "intelligence_initiatives": [],
          "is_anonymous": false,
          "is_category": false,
          "is_cloneable": "yes",
          "is_mitre": false,
          "is_public": true,
          "modified_ts": "2022-08-02T06:17:07.420212",
          "name": "FleaHopper TTP",
          "organization_id": 4,
          "owner_user_id": 7,
          "publication_status": "published",
          "published_ts": "2019-02-19T20:48:37.665110",
          "resource_uri": "/api/v1/ttp/1500/",
          "source_created": null,
          "source_modified": null,
          "tags": [],
          "tags_v2": [],
          "tlp": "red",
          "uuid": null,
          "workgroups": []
        }
      ],
      "Tags": [
        "apt"
      ],
      "ThreatBulletin": [],
      "Type": "SHA256",
      "Vulnerability": [
        {
          "assignee_user": null,
          "association_info": [
            {
              "comment": null,
              "created": "2022-07-11T16:16:43.125297",
              "from_id": 366645476,
              "sro": {}
            }
          ],
          "can_add_public_tags": true,
          "circles": [
            {
              "id": "310",
              "name": "NVD CVEs",
              "resource_uri": "/api/v1/trustedcircle/310/"
            }
          ],
          "created_ts": "2022-06-28T00:14:01.266128",
          "feed_id": 0,
          "id": 177244,
          "intelligence_initiatives": [],
          "is_anonymous": false,
          "is_cloneable": "yes_private_only",
          "is_public": false,
          "is_system": true,
          "modified_ts": "2022-07-11T13:54:00",
          "name": "CVE-2022-31098",
          "organization_id": 1,
          "owner_user_id": null,
          "publication_status": "published",
          "published_ts": "2022-06-27T22:15:00",
          "resource_uri": "/api/v1/vulnerability/177244/",
          "source": "mitre",
          "source_created": null,
          "source_modified": null,
          "tags": [
            "CWE-532"
          ],
          "tags_v2": [
            {
              "id": "30h",
              "name": "CWE-532"
            }
          ],
          "tlp": "white",
          "update_id": 8849957,
          "uuid": "9f209a42-4cd2-4405-8176-3a925c86ac03",
          "workgroups": []
        }
      ]
    }
  }
}
```

Human Readable Output#

File reputation for: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f#

| Confidence | IType | Modified | SHA256 | Severity | Source | Status | Tags | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 50 | apt_md5 | 2022-07-11T16:30:00.359Z | 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f | very-high | user@email.com | active | apt | SHA256 |

Actor details:#

| name | id |
| --- | --- |
| Alert report | 47096 |

Signature details:#

| name | id |
| --- | --- |
| signature_threat_model_2 | 333 |

ThreatBulletin details:#

No entries.

TTP details:#

| name | id |
| --- | --- |
| FleaHopper TTP | 1500 |

Vulnerability details:#

| name | id |
| --- | --- |
| CVE-2022-31098 | 177244 |

Campaign details:#

No entries.

threatstream-email-reputation#


Checks the reputation of the given email address.

Base Command#

threatstream-email-reputation

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| email | The email address to check. | Required |
| threshold | If the confidence is greater than the threshold, the email address is considered malicious; otherwise it is considered good. This argument overrides the default email threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with an inactive status. Possible values are: True, False. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The tested indicator. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| ThreatStream.EmailReputation.Severity | String | The indicator severity ("very-high", "high", "medium", "low"). |
| ThreatStream.EmailReputation.Confidence | String | The observable certainty level of a reported indicator type. Confidence score ranges from 0-100, in increasing order of confidence. |
| ThreatStream.EmailReputation.Status | String | The status assigned to the indicator. |
| ThreatStream.EmailReputation.Type | String | The indicator type. |
| ThreatStream.EmailReputation.Email | String | The indicator email address. |
| ThreatStream.EmailReputation.Source | String | The indicator source. |
| ThreatStream.EmailReputation.Modified | String | The date and time the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time in UTC time. |
| ThreatStream.EmailReputation.Tags | Unknown | Tags assigned to the email. |

Command Example#

!threatstream-email-reputation email=egov@ac.in

Context Example#

```json
{
  "DBotScore": {
    "Indicator": "egov@ac.in",
    "Reliability": "B - Usually reliable",
    "Score": 3,
    "Type": "email",
    "Vendor": "Anomali ThreatStream v3"
  },
  "Email": {
    "Address": "egov@ac.in"
  },
  "ThreatStream": {
    "EmailReputation": {
      "Confidence": 10000,
      "Email": "egov@ac.in",
      "Modified": "2021-08-01T10:35:53.484Z",
      "Severity": "high",
      "Source": "Analyst",
      "Status": "active",
      "Tags": [
        "apt"
      ],
      "Type": "email"
    }
  }
}
```

Human Readable Output#

Email reputation for: egov@ac.in#

| Confidence | Email | Modified | Severity | Source | Status | Tags | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 10000 | egov@ac.in | 2021-08-01T10:35:53.484Z | high | Analyst | active | apt | email |

threatstream-get-passive-dns#


Returns enrichment data for Domain or IP for available observables.

Base Command#

threatstream-get-passive-dns

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The type of passive DNS search ("ip", "domain"). Possible values are: ip, domain. Default is ip. | Required |
| value | The values that can be sent to the API should correspond to the type that is chosen. For example, if IP is chosen in the type argument, then a valid IP address should be sent in the value argument. | Required |
| limit | The maximum number of results to return. Default is 50. | Optional |
| all_results | Whether to retrieve all results. The "limit" argument will be ignored. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.PassiveDNS.Domain | String | The domain value. |
| ThreatStream.PassiveDNS.Ip | String | The IP value. |
| ThreatStream.PassiveDNS.Rrtype | String | The RRTYPE value. |
| ThreatStream.PassiveDNS.Source | String | The source value. |
| ThreatStream.PassiveDNS.FirstSeen | String | The first seen date. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time. |
| ThreatStream.PassiveDNS.LastSeen | String | The last seen date. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time in UTC time. |

Command example#

!threatstream-get-passive-dns type="domain" value="y.gp" limit="1"

Context Example#

```json
{
  "ThreatStream": {
    "PassiveDNS": [
      {
        "Domain": "y.gp",
        "FirstSeen": "2015-07-20 02:33:47",
        "Ip": "78.78.78.67",
        "LastSeen": "2015-12-19 06:44:35",
        "Rrtype": "A",
        "Source": "Anomali Labs"
      }
    ]
  }
}
```

Human Readable Output#

Passive DNS enrichment data for: y.gp#

| Domain | FirstSeen | Ip | LastSeen | Rrtype | Source |
| --- | --- | --- | --- | --- | --- |
| y.gp | 2015-07-20 02:33:47 | 78.78.78.67 | 2015-12-19 06:44:35 | A | Anomali Labs |

threatstream-import-indicator-with-approval#


Imports indicators (observables) into ThreatStream. The imported data must be approved using the ThreatStream UI. The data can be imported using one of three methods: plain-text, file, or URL. You must have the Approve Import privilege in order to import observables through the API with default_state set to active.

Base Command#

threatstream-import-indicator-with-approval

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| confidence | The observable certainty level of a reported indicator type. Default is 50. | Optional |
| source_confidence_weight | Ratio (0-100) between the source confidence and the ThreatStream confidence. To use your specified confidence entirely and not re-assess the value using machine learning algorithms, set this argument to 100. | Optional |
| classification | Whether the indicator data is public or private to the organization. Possible values are: private, public. Default is private. | Optional |
| threat_type | Type of threat associated with the imported observables. Possible values are: adware, anomalous, anonymization, apt, bot, brute, c2, compromised, crypto, data_leakage, ddos, dyn_dns, exfil, exploit, hack_tool, i2p, informational, malware, p2p, parked, phish, scan, sinkhole, spam, suppress, suspicious, tor, vps. Default is exploit. | Optional |
| severity | The potential impact of the indicator type with which the observable is believed to be associated. Possible values are: low, medium, high, very-high. Default is low. | Optional |
| import_type | The import type of the indicator. Possible values are: datatext, file-id, url. | Required |
| import_value | The imported data source, matching import_type: a URL, plain text (datatext), or the file ID of a file uploaded to the War Room. Supported file types for file-id are: CSV, HTML, IOC, JSON, PDF, TXT. | Required |
| ip_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported IP-type observable when an explicit itype is not specified for it. | Optional |
| domain_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported domain-type observable when an explicit itype is not specified for it. | Optional |
| url_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported URL-type observable when an explicit itype is not specified for it. | Optional |
| email_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported email-type observable when an explicit itype is not specified for it. | Optional |
| md5_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported MD5-type observable when an explicit itype is not specified for it. | Optional |
| tags | A comma-separated list of tags applied to the imported observables. For example, tag1,tag2. | Optional |
| tags_tlp | You can add tags that are private to your organization by setting the tlp attribute for the tag to red. If you do not specify a tlp setting, the tag is visible to any ThreatStream user with access to the observable. Possible values are: Red, Amber, Green, White. | Optional |
| expiration_ts | The timestamp when intelligence will expire on ThreatStream, in ISO format. For example, 2020-12-24T00:00:00. By default, the expiration_ts is set to 90 days from the current date. | Optional |
| default_state | Whether the import job must be approved from the ThreatStream user interface before observables become active. When default_state is set to active, observables become active upon submission, without requiring approval. In these cases, an import job is created on ThreatStream which is automatically approved. Possible values are: active, inactive. Default is inactive. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Import.JobID | Number | The identifier for the job on ThreatStream. |
| ThreatStream.Import.ImportID | Number | The ID for the import job. |

Command Example#

!threatstream-import-indicator-with-approval import_type=datatext import_value=78.78.78.67

Context Example#

```json
{
  "ThreatStream": {
    "Import": {
      "ImportID": "111111",
      "JobID": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
    }
  }
}
```

Human Readable Output#

The data was imported successfully. The ID of imported job is: 111111. The identifier for the job on ThreatStream is: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.

threatstream-import-indicator-without-approval#


Imports indicators (observables) into ThreatStream. Approval is not required for the imported data. You must have the Approve Intel user permission to import without approval using the API.

Note: A successful result from this command only indicates that the JSON you submitted was valid. In cases where data is incorrect or required fields are left unspecified, observables can be ignored or imported as false positives. Valid itype values for the JSON can be found in the Anomali ThreatStream API documentation under the Indicator Types in Threat Stream API section.

Base Command#

threatstream-import-indicator-without-approval

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| confidence | The observable certainty level of a reported indicator type. Default is 50. | Optional |
| source_confidence_weight | Ratio (0-100) between the source confidence and the ThreatStream confidence. To use your specified confidence entirely and not re-assess the value using machine learning algorithms, set this argument to 100. | Optional |
| expiration_ts | The timestamp when intelligence will expire on ThreatStream, in ISO format. For example, 2020-12-24T00:00:00. By default, the expiration_ts is set to 90 days from the current date. | Optional |
| severity | The severity to assign to the observable when it is imported. Possible values are: low, medium, high, very-high. | Optional |
| tags | A comma-separated list of tags applied to the imported observables. For example, tag1,tag2. Note: In cases where tags are specified at both the global and per observable level, tags specified per observable overwrite global tags. | Optional |
| trustedcircles | A comma-separated list of trusted circle IDs with which threat data should be shared. | Optional |
| classification | Denotes whether the indicator data is public or private to the organization. Possible values are: private, public. | Required |
| allow_unresolved | Whether unresolved domain observables included in the file will be accepted as valid in ThreatStream and imported. Possible values are: yes, no. | Optional |
| file_id | The entry ID of a file (containing a JSON with an "objects" array and "meta" maps) that is uploaded to the War Room. It is recommended to use the "ThreatstreamBuildIocImportJson" script to build a valid JSON file if possible. | Optional |
| indicators_json | The "meta" section is added to this JSON, which is then sent to the API endpoint. It is recommended to use the "ThreatstreamBuildIocImportJson" script to build a valid JSON file if possible. | Optional |
| tags_tlp | You can add tags that are private to your organization by setting the tlp attribute for the tag to red. If you do not specify a tlp setting, the tag is visible to any ThreatStream user with access to the observable. Possible values are: Red, Amber, Green, White. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!threatstream-import-indicator-without-approval classification=private file_id=2761@3c9bd2a0-9eac-465b-8799-459df4997b2d

Human Readable Output#

The data was imported successfully.
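The following is an added example, not the integration's code nor the ThreatstreamBuildIocImportJson script: it assembles the "objects" array and "meta" map for threatstream-import-indicator-without-approval from the arguments described above and rejects inputs the page says lead to ignored or false-positive imports. The per-type value keys (srcip, domain, url, email, md5) and the {name, tlp} shape of tag objects are assumptions about the ThreatStream import JSON that this page does not spell out.

```python
from __future__ import annotations

import datetime as dt
import ipaddress
import json
import re
from typing import Iterable, Sequence

# Vocabularies copied from the command's argument table.
SEVERITIES = ("low", "medium", "high", "very-high")
CLASSIFICATIONS = ("private", "public")
TAG_TLPS = ("red", "amber", "green", "white")
DEFAULT_EXPIRATION_DAYS = 90  # the page's default for expiration_ts

# ASSUMPTION (not on this page): each "objects" entry carries its value under a
# key named after the observable type, as the ThreatStream import JSON expects.
VALUE_KEYS = {"ip": "srcip", "domain": "domain", "url": "url",
              "email": "email", "md5": "md5"}

_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}$")


def detect_type(value: str) -> str:
    """Classify a raw value as ip, domain, url, email or md5; raise on anything else."""
    value = value.strip()
    if _MD5_RE.match(value):
        return "md5"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if value.lower().startswith(("http://", "https://")):
        return "url"
    if _EMAIL_RE.match(value):
        return "email"
    if _DOMAIN_RE.match(value):
        return "domain"
    raise ValueError(f"cannot determine observable type for {value!r}")


def _tag_list(tags: str, tlp: str | None) -> list[dict]:
    """Split a comma-separated tag string into tag objects.

    ASSUMPTION: tags travel as {"name": ..., "tlp": ...}; the tlp key is only
    present when tags_tlp was given, matching the page's "visible to any user"
    default.
    """
    out = []
    for name in (t.strip() for t in tags.split(",")):
        if name:
            tag = {"name": name}
            if tlp:
                tag["tlp"] = tlp.lower()
            out.append(tag)
    return out


def build_import_payload(observables: Iterable[Sequence[str]], classification: str,
                         confidence: int = 50, severity: str | None = None,
                         tags: str | None = None, tags_tlp: str | None = None,
                         trustedcircles: str | None = None, allow_unresolved: bool | None = None,
                         expiration_ts: str | None = None, now: dt.datetime | str | None = None) -> dict:
    """Build {"objects": [...], "meta": {...}} from (value, itype[, tags]) tuples.

    Validation mirrors the argument table: classification is required and must
    be private/public, confidence is 0-100, severity is one of four levels and
    expiration_ts defaults to 90 days from now in ISO format.
    """
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"classification is required and must be one of {CLASSIFICATIONS}")
    if not 0 <= int(confidence) <= 100:
        raise ValueError("confidence must be between 0 and 100")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if tags_tlp is not None and tags_tlp.lower() not in TAG_TLPS:
        raise ValueError(f"tags_tlp must be one of {TAG_TLPS}")
    if expiration_ts is None:
        if isinstance(now, str):
            now = dt.datetime.fromisoformat(now)
        base = now or dt.datetime.now(dt.timezone.utc)
        expiration_ts = (base + dt.timedelta(days=DEFAULT_EXPIRATION_DAYS)).strftime("%Y-%m-%dT%H:%M:%S")

    meta: dict = {"classification": classification, "confidence": int(confidence),
                  "expiration_ts": expiration_ts}
    if severity:
        meta["severity"] = severity
    if tags:
        meta["tags"] = _tag_list(tags, tags_tlp)
    if trustedcircles:
        meta["trustedcircles"] = [c.strip() for c in trustedcircles.split(",") if c.strip()]
    if allow_unresolved is not None:
        meta["allow_unresolved"] = allow_unresolved

    objects = []
    for obs in observables:
        value, itype = obs[0], obs[1]
        if not itype:
            # The page warns that incomplete objects are silently ignored or
            # imported as false positives, so refuse them before sending.
            raise ValueError(f"{value!r}: itype is required")
        entry = {VALUE_KEYS[detect_type(value)]: value.strip(), "itype": itype}
        if len(obs) > 2 and obs[2]:
            entry["tags"] = _tag_list(obs[2], tags_tlp)  # per-observable tags override global ones
        objects.append(entry)
    return {"objects": objects, "meta": meta}


if __name__ == "__main__":
    # Constructed sample built from values that appear elsewhere on this page.
    sample = [("78.78.78.67", "mal_ip"), ("egov@ac.in", "mal_email", "apt")]
    print(json.dumps(build_import_payload(sample, "private", confidence=70, severity="high",
                                          tags="tag1,tag2", tags_tlp="Red"), indent=2))
```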

threatstream-get-model-list#


Returns a list of threat models.

Base Command#

threatstream-get-model-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| model | The threat model of the returned list. Possible values are: actor, campaign, incident, signature, ttp, vulnerability, tipreport, malware, attack pattern. | Required |
| limit | Limits the size of the returned model list. Specifying limit=0 returns up to a maximum of 1000 models. For limit=0, the output is not set in the context. | Optional |
| page | Page number to get results from. Needs to be used with the page_size argument. | Optional |
| page_size | The page size of the returned results. Needs to be used with the page argument. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.List.Type | String | The threat model type. |
| ThreatStream.List.Name | String | The threat model name. |
| ThreatStream.List.ID | String | The threat model ID. |
| ThreatStream.List.CreatedTime | String | The date and time of threat model creation. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time in UTC time. |

Command Example#

!threatstream-get-model-list model=actor limit=10

Context Example#

```json
{
  "ThreatStream": {
    "List": [
      {
        "CreatedTime": "2019-02-19T16:42:00.933984",
        "ID": 1,
        "Name": "Fleahopper Actor",
        "Type": "Actor"
      },
      {
        "CreatedTime": "2019-08-24T02:47:29.204380",
        "ID": 10158,
        "Name": "report actor 1",
        "Type": "Actor"
      },
      {
        "CreatedTime": "2019-08-28T16:35:39.316135",
        "ID": 10159,
        "Name": "report actor 1",
        "Type": "Actor"
      },
      {
        "CreatedTime": "2020-10-14T12:28:54.937276",
        "ID": 10909,
        "Name": "MANDRA",
        "Type": "Actor"
      },
      {
        "CreatedTime": "2021-09-14T13:37:02.111599",
        "ID": 26769,
        "Name": "New_Created_Actor",
        "Type": "Actor"
      }
    ]
  }
}
```

Human Readable Output#

List of Actors#

| CreatedTime | ID | Name | Type |
| --- | --- | --- | --- |
| 2019-02-19T16:42:00.933984 | 1 | Fleahopper Actor | Actor |
| 2019-08-24T02:47:29.204380 | 10158 | report actor 1 | Actor |
| 2019-08-28T16:35:39.316135 | 10159 | report actor 1 | Actor |
| 2020-10-14T12:28:54.937276 | 10909 | MANDRA | Actor |
| 2021-09-14T13:37:02.111599 | 26769 | New_Created_Actor | Actor |

threatstream-get-model-description#


Returns an HTML file with a description of the threat model.

Base Command#

threatstream-get-model-description

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| model | The threat model. Can be "actor", "campaign", "incident", "signature", "ttp", "vulnerability", or "tipreport". Possible values are: actor, campaign, incident, signature, ttp, vulnerability, tipreport. | Required |
| id | The threat model ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.Name | String | The file name of the model description. |
| File.EntryID | String | The entry ID of the model description. |

Command Example#

!threatstream-get-model-description model=actor id=1

Context Example#

```json
{
  "File": {
    "EntryID": "3171@3c9bd2a0-9eac-465b-8799-459df4997b2d",
    "Extension": "html",
    "Info": "text/html; charset=utf-8",
    "MD5": "18d7610f85c1216e78c59cbde5c470d9",
    "Name": "actor_1.html",
    "SHA1": "c778f72fd7799108db427f632ca6b2bb07c9bde4",
    "SHA256": "6d06bdc613490216373e2b189c8d41143974c7a128da26e8fc4ba4f45a7e718b",
    "SHA512": "989b0ae32b61b3b5a7ea1c3e629b50f07e7086310f8e4057ec046b368e55fc82cae873bd81eada657d827c96c71253b6ba3688561844ce983cdc5019d9666aa4",
    "SSDeep": "48:32u8P32apgpIph9/gldn2++TnlCC4i72gSmB2rXpzNZx:32tuapgpCglM++TCE2gSN/",
    "Size": 1868,
    "Type": "ASCII text, with very long lines, with no line terminators"
  }
}
```

Human Readable Output#

threatstream-get-indicators-by-model#


Returns a list of indicators associated with the specified threat model and model ID.

Base Command#

threatstream-get-indicators-by-model

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| model | The threat model of the returned list. Possible values are: actor, campaign, incident, signature, ttp, vulnerability, tipreport, malware, attack pattern. | Required |
| limit | Limits the size of the returned model list. Specifying limit=0 returns up to a maximum of 1000 models. For limit=0, the output is not set in the context. | Optional |
| page | Page number to get results from. Needs to be used with the page_size argument. | Optional |
| page_size | The page size of the returned results. Needs to be used with the page argument. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Model.ModelType | String | The threat model type. |
| ThreatStream.Model.ModelID | String | The threat model ID. |
| ThreatStream.Model.Indicators.Value | String | The value of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ID | String | The ID of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.IType | String | The iType of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Severity | String | The indicator severity associated with the specified model. |
| ThreatStream.Model.Indicators.Confidence | String | The confidence of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Country | String | The country of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Organization | String | The organization of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ASN | String | The ASN of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Status | String | The status of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Tags | String | The tags of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Modified | String | The date and time the indicator was last modified. |
| ThreatStream.Model.Indicators.Source | String | The indicator source. |
| ThreatStream.Model.Indicators.Type | String | The indicator type. |

Command Example#

!threatstream-get-indicators-by-model id=731 model=incident

Context Example#

```json
{
  "ThreatStream": {
    "Model": {
      "Indicators": [
        {
          "ASN": "",
          "Confidence": 50,
          "Country": null,
          "ID": 181481953,
          "IType": "mal_email",
          "Modified": "2021-03-25T13:27:58.922Z",
          "Organization": "",
          "Severity": "low",
          "Source": "Analyst",
          "Status": "inactive",
          "Tags": "tag-approved",
          "Type": "email",
          "Value": "testemail123@test.com"
        }
      ],
      "ModelID": "731",
      "ModelType": "Incident"
    }
  }
}
```

Human Readable Output#

Indicators list for Threat Model Incident with id 731#

| ASN | Confidence | Country | ID | IType | Modified | Organization | Severity | Source | Status | Tags | Type | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|  | 50 |  | 181481953 | mal_email | 2021-03-25T13:27:58.922Z |  | low | Analyst | inactive | tag-approved | email | testemail123@test.com |

threatstream-submit-to-sandbox#


Submits a file or URL to the ThreatStream-hosted sandbox for detonation.

Base Command#

threatstream-submit-to-sandbox

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| submission_classification | Classification of the Sandbox submission. Can be "private" or "public". Possible values are: private, public. Default is private. | Optional |
| report_platform | The platform on which the submitted URL or file is run. To obtain a list of supported platforms, run the threatstream-supported-platforms command. Can be "WINDOWS7" or "WINDOWSXP". Possible values are: WINDOWS7, WINDOWSXP. Default is WINDOWS7. | Optional |
| submission_type | The detonation type. Can be "file" or "url". Possible values are: file, url. Default is file. | Required |
| submission_value | The submission value. Possible values are a valid URL or a file ID that was uploaded to the War Room to detonate. | Required |
| premium_sandbox | Whether the premium sandbox should be used for detonation. Possible values are: false, true. Default is false. | Optional |
| detail | A comma-separated list of additional details for the indicator. This information is displayed in the Tag column of the ThreatStream UI. | Optional |
| import_indicators | If you want to initiate an import job for observables discovered during detonation, set this value to true. Default value is true. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Analysis.ReportID | String | The report ID submitted to the sandbox. |
| ThreatStream.Analysis.Status | String | The analysis status. |
| ThreatStream.Analysis.Platform | String | The platform of the submission submitted to the sandbox. |

Command Example#

!threatstream-submit-to-sandbox submission_classification="private" report_platform="WINDOWS7" submission_type="file" submission_value="1711@3c9bd2a0-9eac-465b-8799-459df4997b2d" premium_sandbox="false"

Context Example#

```json
{
  "ThreatStream": {
    "Analysis": {
      "Platform": "WINDOWS7",
      "ReportID": 12418,
      "Status": "processing"
    }
  }
}
```

Human Readable Output#

The submission info for 1711@3c9bd2a0-9eac-465b-8799-459df4997b2d#

| Platform | ReportID | Status |
| --- | --- | --- |
| WINDOWS7 | 12418 | processing |

threatstream-get-analysis-status#


Returns the current status of the report submitted to the sandbox. The report ID is returned from the threatstream-submit-to-sandbox command.

Base Command#

threatstream-get-analysis-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The report ID to check the status. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Analysis.ReportID | String | The report ID of the file or URL that was detonated in the sandbox. |
| ThreatStream.Analysis.Status | String | The report status of the file or URL that was detonated in the sandbox. |
| ThreatStream.Analysis.Platform | String | The platform used for detonation. |
| ThreatStream.Analysis.Verdict | String | The report verdict of the file or URL detonated in the sandbox. The verdict remains "benign" until detonation is complete. |

Command Example#

!threatstream-get-analysis-status report_id=12414

Context Example#

```json
{
  "ThreatStream": {
    "Analysis": {
      "Platform": "WINDOWS7",
      "ReportID": "12414",
      "Status": "errors",
      "Verdict": "Benign"
    }
  }
}
```

Human Readable Output#

The analysis status for id 12414#

| Platform | ReportID | Status | Verdict |
| --- | --- | --- | --- |
| WINDOWS7 | 12414 | errors | Benign |

threatstream-analysis-report#


Returns the report of a file or URL submitted to the sandbox.

Base Command#

threatstream-analysis-report

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The report ID to return. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Analysis.ReportID | String | The ID of the report submitted to the sandbox. |
| ThreatStream.Analysis.Category | String | The report category. |
| ThreatStream.Analysis.Started | String | The detonation start time. |
| ThreatStream.Analysis.Completed | String | The detonation completion time. |
| ThreatStream.Analysis.Duration | Number | The duration of the detonation (in seconds). |
| ThreatStream.Analysis.VmName | String | The VM name. |
| ThreatStream.Analysis.VmID | String | The VM ID. |
| ThreatStream.Analysis.Network.UdpSource | String | The UDP source. |
| ThreatStream.Analysis.Network.UdpDestination | String | The UDP destination. |
| ThreatStream.Analysis.Network.UdpPort | String | The UDP port. |
| ThreatStream.Analysis.Network.IcmpSource | String | The ICMP source. |
| ThreatStream.Analysis.Network.IcmpDestination | String | The ICMP destination. |
| ThreatStream.Analysis.Network.IcmpPort | String | The ICMP port. |
| ThreatStream.Analysis.Network.TcpSource | String | The TCP source. |
| ThreatStream.Analysis.Network.TcpDestination | String | The TCP destination. |
| ThreatStream.Analysis.Network.TcpPort | String | The TCP port. |
| ThreatStream.Analysis.Network.HttpSource | String | The source of the HTTP address. |
| ThreatStream.Analysis.Network.HttpDestinaton | String | The destination of the HTTP address. |
| ThreatStream.Analysis.Network.HttpPort | String | The port of the HTTP address. |
| ThreatStream.Analysis.Network.HttpsSource | String | The source of the HTTPS address. |
| ThreatStream.Analysis.Network.HttpsDestinaton | String | The destination of the HTTPS address. |
| ThreatStream.Analysis.Network.HttpsPort | String | The port of the HTTPS address. |
| ThreatStream.Analysis.Network.Hosts | String | The network analysis hosts. |
| ThreatStream.Analysis.Verdict | String | The verdict of the sandbox detonation. |

Command Example#

!threatstream-analysis-report report_id="12212"

Context Example#

```json
{
  "ThreatStream": {
    "Analysis": {
      "Category": "Url",
      "Completed": "2021-08-19 06:51:52",
      "Duration": 152,
      "Network": [
        {
          "UdpDestinaton": "1.2.4.5",
          "UdpPort": 53,
          "UdpSource": "192.168.2.4"
        },
        {
          "Hosts": "78.78.78.67"
        }
      ],
      "ReportID": "12212",
      "Started": "2021-08-19 06:49:20",
      "Verdict": "Benign",
      "VmID": "",
      "VmName": ""
    }
  }
}
```

Human Readable Output#

Report 12212 analysis results#

| Category | Completed | Duration | ReportID | Started | Verdict | VmID | VmName |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Url | 2021-08-19 06:51:52 | 152 | 12212 | 2021-08-19 06:49:20 | Benign |  |  |
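An added example (not the integration's own code) for consuming the threatstream-get-analysis-status and threatstream-analysis-report contexts above: it withholds the verdict while the status is still "processing", since the page notes it reads "benign" until detonation completes, treats the "errors" status shown above as terminal without a verdict, and collects network destinations from the report while accepting both the documented `UdpDestination` spelling and the `UdpDestinaton`/`HttpDestinaton` spelling that the emitted context uses. The status vocabulary beyond "processing" and "errors" is an assumption, as is the "success" value used in the test.

```python
from __future__ import annotations

import re

# Status values seen in this page's examples: "processing" is still running and
# "errors" ended without a usable result. Anything else is treated as finished
# (ASSUMPTION: the page does not list the full status vocabulary).
RUNNING_STATUSES = {"processing"}
FAILED_STATUSES = {"errors"}

# The context table documents UdpDestination/TcpDestination, while the emitted
# keys on this page read UdpDestinaton/HttpDestinaton, so both spellings match.
_DEST_KEY_RE = re.compile(r"^(Udp|Tcp|Icmp|Http|Https)Destinat(?:ion|on)$")

# Constructed sample, copied from the threatstream-analysis-report context above.
SAMPLE_REPORT = {
    "Category": "Url",
    "Completed": "2021-08-19 06:51:52",
    "Duration": 152,
    "Network": [
        {"UdpDestinaton": "1.2.4.5", "UdpPort": 53, "UdpSource": "192.168.2.4"},
        {"Hosts": "78.78.78.67"},
    ],
    "ReportID": "12212",
    "Started": "2021-08-19 06:49:20",
    "Verdict": "Benign",
    "VmID": "",
    "VmName": "",
}


def analysis_state(analysis: dict) -> tuple[str, str | None]:
    """Map a ThreatStream.Analysis entry to (state, verdict).

    state is "running", "failed" or "complete". The verdict is only returned
    once detonation is complete, because it reads "benign" before that point
    and must not be acted on earlier.
    """
    status = str(analysis.get("Status", "")).lower()
    if status in RUNNING_STATUSES:
        return "running", None
    if status in FAILED_STATUSES:
        return "failed", None
    verdict = str(analysis.get("Verdict", "")).lower()
    return "complete", verdict or None


def report_destinations(analysis: dict) -> list[tuple[str, str, int | None]]:
    """Collect (protocol, destination, port) triples from ThreatStream.Analysis.Network.

    Entries that only carry "Hosts" are returned with protocol "host" and no port.
    """
    found: list[tuple[str, str, int | None]] = []
    for entry in analysis.get("Network") or []:
        if "Hosts" in entry:
            found.append(("host", str(entry["Hosts"]), None))
            continue
        for key, value in entry.items():
            match = _DEST_KEY_RE.match(key)
            if not match:
                continue
            port = entry.get(f"{match.group(1)}Port")
            found.append((match.group(1).lower(), str(value),
                          int(port) if port not in (None, "") else None))
    return found


def poll_outcome(responses: list[dict]) -> tuple[str, str | None]:
    """Walk successive get-analysis-status contexts and stop at the first terminal one."""
    state, verdict = "running", None
    for ctx in responses:
        state, verdict = analysis_state(ctx)
        if state != "running":
            break
    return state, verdict


if __name__ == "__main__":
    print(analysis_state({"ReportID": "12414", "Status": "errors", "Verdict": "Benign"}))
    print(report_destinations(SAMPLE_REPORT))
```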

threatstream-get-indicators#


Returns filtered indicators from ThreatStream. If a query is defined, it overrides all other arguments that were passed to the command.

Base Command#

threatstream-get-indicators

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The Anomali Observable Search Filter Language query to filter indicator results. If a query is passed as an argument, it overrides all other arguments. | Optional |
| asn | The Autonomous System (AS) number associated with the indicator. | Optional |
| confidence | The observable certainty level of a reported indicator type. Confidence scores range from 0-100 in increasing order of confidence, and are assigned by ThreatStream based on several factors. | Optional |
| country | The country associated with the indicator. | Optional |
| created_ts | The date the indicator was first seen on the ThreatStream cloud platform. The date must be specified in this format: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time. For example, 2014-10-02T20:44:35. | Optional |
| id | The unique ID for the indicator. | Optional |
| is_public | Whether the classification of the indicator is public. Default is "false". Possible values are: false, true. | Optional |
| indicator_severity | The severity assigned to the indicator by ThreatStream. | Optional |
| org | The registered owner (organization) of the IP address associated with the indicator. | Optional |
| status | The status assigned to the indicator. Possible values are: active, inactive, falsepos. | Optional |
| tags_name | The tag assigned to the indicator. | Optional |
| type | The type of indicator. Possible values are: domain, email, ip, md5, string, url. | Optional |
| indicator_value | The value of the indicator. | Optional |
| limit | The maximum number of results to return from ThreatStream. Default value is 20. | Optional |
| page | Page number to get results from. Needs to be used with the page_size argument. | Optional |
| page_size | The page size of the returned results. Needs to be used with the page argument. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Indicators.IType | String | The indicator type. |
| ThreatStream.Indicators.Modified | String | The date and time the indicator was last updated in ThreatStream. The date format is: YYYYMMDDThhmmss, where T denotes the start of the value for time in UTC time. |
| ThreatStream.Indicators.Confidence | String | The observable certainty level of a reported indicator type. |
| ThreatStream.Indicators.Value | String | The indicator value. |
| ThreatStream.Indicators.Status | String | The indicator status. |
| ThreatStream.Indicators.Organization | String | The registered owner (organization) of the IP address associated with the indicator. |
| ThreatStream.Indicators.Country | String | The country associated with the indicator. |
| ThreatStream.Indicators.Tags | String | The tag assigned to the indicator. |
| ThreatStream.Indicators.Source | String | The indicator source. |
| ThreatStream.Indicators.ID | String | The indicator ID. |
| ThreatStream.Indicators.ASN | String | The Autonomous System (AS) number associated with the indicator. |
| ThreatStream.Indicators.Severity | String | The severity assigned to the indicator. |

Command Example#

!threatstream-get-indicators type=ip status=active limit=5

Context Example#

{
    "ThreatStream": {
        "Indicators": [
            {
                "ASN": "",
                "Confidence": 100,
                "Country": null,
                "ID": 239450621,
                "IType": "apt_ip",
                "Modified": "2021-05-24T16:42:09.245Z",
                "Organization": "",
                "Severity": "very-high",
                "Source": "Analyst",
                "Status": "active",
                "Tags": null,
                "Type": "ip",
                "Value": "78.78.78.67"
            },
            {
                "ASN": "",
                "Confidence": -1,
                "Country": null,
                "ID": 235549247,
                "IType": "apt_ip",
                "Modified": "2021-04-29T16:02:17.558Z",
                "Organization": "",
                "Severity": "very-high",
                "Source": "Analyst",
                "Status": "active",
                "Tags": null,
                "Type": "ip",
                "Value": "78.78.78.67"
            }
        ]
    }
}

Human Readable Output#

The indicators results#

| ASN | Confidence | Country | ID | IType | Modified | Organization | Severity | Source | Status | Tags | Type | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 100 | | 239450621 | apt_ip | 2021-05-24T16:42:09.245Z | | very-high | Analyst | active | | ip | 78.78.78.67 |
| | -1 | | 235549247 | apt_ip | 2021-04-29T16:02:17.558Z | | very-high | Analyst | active | | ip | 78.78.78.67 |
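Two rules in the argument table above are easy to get wrong when this command is driven from a playbook: an explicit query silently overrides every other argument, and the confidence filter for threatstream-search-intelligence (later on this page) takes an "operator value" form such as "gt 65" while the filter language itself uses the symbolic operators shown in that section's query example. The following added example, not the integration's own code, turns a dictionary of command arguments into a filter query of that symbolic form. It assumes that the argument names map directly to query field names (the page documents only the argument names), that values are double-quoted, and that spaces are URL-encoded as "+" as in the page's own query example; values containing a double quote are rejected rather than interpolated, so an indicator value taken from an alert cannot rewrite the filter.

```python
"""Build a ThreatStream filter query from threatstream-get-indicators style
arguments. Added example, not the integration's own code. The grammar assumed
is the symbolic form shown for threatstream-search-intelligence:
field=value terms joined by AND / OR inside parentheses, spaces encoded as
'+'. The argument-name -> field-name mapping is an assumption."""

import re
from typing import Dict, List
from urllib.parse import quote_plus

# Arguments that become equality terms, in the order the documentation lists
# them. Only the argument names come from the page; the field names are assumed.
EQUALITY_FIELDS: Dict[str, str] = {
    "asn": "asn",
    "country": "country",
    "id": "id",
    "is_public": "is_public",
    "indicator_severity": "severity",
    "org": "org",
    "status": "status",
    "tags_name": "tags.name",
    "type": "type",
    "indicator_value": "value",
}

# "gt 65", "lt 85", ... in the descriptive form; a bare number means an exact match.
_CONFIDENCE_OPS = {"gt": ">", "gte": ">=", "lt": "<", "lte": "<=", "eq": "="}
_CONFIDENCE_RE = re.compile(r"^\s*(?:(gt|gte|lt|lte|eq)\s+)?(\d{1,3})\s*$", re.I)


def confidence_term(raw: str) -> str:
    """Translate 'gt 65' into 'confidence>65' (symbolic form)."""
    match = _CONFIDENCE_RE.match(raw)
    if not match:
        raise ValueError(f"confidence must be '<op> <0-100>' or a number, got {raw!r}")
    op, value = match.group(1), int(match.group(2))
    if not 0 <= value <= 100:
        raise ValueError("confidence is a 0-100 score")
    return f"confidence{_CONFIDENCE_OPS[(op or 'eq').lower()]}{value}"


def _quote(value: str) -> str:
    """Double-quote a value. Escaping rules of the filter language are not
    documented here, so a value that could close the quote is refused."""
    if '"' in value or "\n" in value:
        raise ValueError(f"value contains characters not allowed in a filter: {value!r}")
    return f'"{value}"'


def build_query(args: Dict[str, str]) -> str:
    """Return the query to send. An explicit `query` argument overrides all
    other arguments, exactly as the documentation states."""
    explicit = args.get("query")
    if explicit:
        return explicit.strip()
    terms: List[str] = []
    for arg, field in EQUALITY_FIELDS.items():
        value = args.get(arg)
        if value in (None, ""):
            continue
        terms.append(f"{field}={_quote(str(value))}")
    if args.get("confidence"):
        terms.append(confidence_term(args["confidence"]))
    if not terms:
        raise ValueError("no filter arguments given")
    return "(" + " AND ".join(terms) + ")"


def encode_for_url(query: str) -> str:
    """Spaces become '+', as in the documented example; operators, quotes and
    parentheses are left readable instead of percent-encoded."""
    return quote_plus(query, safe='()="<>')


if __name__ == "__main__":
    q = build_query({"type": "ip", "status": "active", "confidence": "gt 65", "limit": "5"})
    print(q)
    print(encode_for_url(q))
```

Note that limit, page and page_size are deliberately not part of the mapping: they control paging of the response, not the filter, so they pass through as ordinary arguments.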

threatstream-add-tag-to-model#


Adds tags to intelligence to filter for related entities.

Base Command#

threatstream-add-tag-to-model

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| model | The type of threat model entity to which to add the tag. Can be "actor", "campaign", "incident", "intelligence", "signature", "tipreport", "ttp", or "vulnerability". Possible values are: actor, campaign, incident, intelligence, signature, tipreport, ttp, vulnerability. Default is intelligence. | Optional |
| tags | A comma separated list of tags applied to the specified threat model entities or observable. | Required |
| model_id | The ID of the model to which to add the tag. | Required |

Context Output#

There is no context output for this command.

Command Example#

!threatstream-add-tag-to-model model=incident model_id=130 tags="suspicious,not valid"

Human Readable Output#

Added successfully tags: ['suspicious', 'not valid'] to incident with 130

threatstream-create-model#


Creates a threat model with the specified parameters.

Base Command#

threatstream-create-model

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| model | The type of threat model to create. Can be "actor", "campaign", "incident", "ttp", "vulnerability", or "tipreport". Possible values are: actor, campaign, incident, ttp, vulnerability, tipreport. | Required |
| name | The name of the threat model to create. | Required |
| is_public | Whether the scope of the threat model is visible. Possible values are: true, false. Default is false. | Optional |
| tlp | The Traffic Light Protocol designation for the threat model. Can be "red", "amber", "green", or "white". Possible values are: red, amber, green, white. Default is red. | Optional |
| tags | A comma separated list of tags. | Optional |
| intelligence | A comma separated list of indicator IDs associated with the threat model on the ThreatStream platform. | Optional |
| description | The description of the threat model. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Model.ModelType | String | The threat model type. |
| ThreatStream.Model.ModelID | String | The threat model ID. |
| ThreatStream.Model.Indicators.Value | String | The value of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ID | String | The ID of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.IType | String | The iType of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Severity | String | The severity of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Confidence | String | The confidence of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Country | String | The country of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Organization | String | The organization of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ASN | String | The ASN of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Status | String | The status of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Tags | String | The tags of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Modified | String | The date and time the indicator was last modified. |
| ThreatStream.Model.Indicators.Source | String | The indicator source. |
| ThreatStream.Model.Indicators.Type | String | The indicator type. |

Command Example#

!threatstream-create-model model=actor name="New_Created_Actor_1" description="Description of the actor threat model" intelligence=191431508 tags="new actor,test" tlp=red

Context Example#

{
    "ThreatStream": {
        "Model": {
            "Indicators": [
                {
                    "ASN": "",
                    "Confidence": 50,
                    "Country": null,
                    "ID": 191431508,
                    "IType": "apt_md5",
                    "Modified": "2021-09-13T12:40:42.596Z",
                    "Organization": "",
                    "Severity": "medium",
                    "Source": "TestSource",
                    "Status": "active",
                    "Tags": null,
                    "Type": "SHA256",
                    "Value": "178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1"
                }
            ],
            "ModelID": 26770,
            "ModelType": "Actor"
        }
    }
}

Human Readable Output#

Indicators list for Threat Model Actor with id 26770#

| ASN | Confidence | Country | ID | IType | Modified | Organization | Severity | Source | Status | Tags | Type | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 50 | | 191431508 | apt_md5 | 2021-09-13T12:40:42.596Z | | medium | TestSource | active | | SHA256 | 178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1 |

threatstream-update-model#


Updates a threat model with specific parameters. If one or more optional parameters are defined, the command overrides previous data stored in ThreatStream.

Base Command#

threatstream-update-model

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| model | The type of threat model to update. Can be "actor", "campaign", "incident", "ttp", "vulnerability", or "tipreport". Possible values are: actor, campaign, incident, ttp, vulnerability, tipreport. | Required |
| model_id | The ID of the threat model to update. | Required |
| name | The name of the threat model to update. | Optional |
| is_public | Whether the scope of the threat model is visible. Possible values are: true, false. Default is false. | Optional |
| tlp | The Traffic Light Protocol designation for the threat model. Can be "red", "amber", "green", or "white". Possible values are: red, amber, green, white. Default is red. | Optional |
| tags | A comma separated list of tags. | Optional |
| intelligence | A comma separated list of indicator IDs associated with the threat model on the ThreatStream platform. | Optional |
| description | The description of the threat model. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Model.ModelType | String | The threat model type. |
| ThreatStream.Model.ModelID | String | The threat model ID. |
| ThreatStream.Model.Indicators.Value | String | The value of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ID | String | The ID of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.IType | String | The iType of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Severity | String | The severity of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Confidence | String | The confidence of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Country | String | The country of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Organization | String | The organization of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ASN | String | The ASN of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Status | String | The status of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Tags | String | The tags of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Modified | String | The date and time the indicator was last modified. |
| ThreatStream.Model.Indicators.Source | String | The indicator source. |
| ThreatStream.Model.Indicators.Type | String | The indicator type. |

Command Example#

!threatstream-update-model model=actor model_id=26769 intelligence=191431508 tags="updated tag,gone"

Context Example#

{
    "ThreatStream": {
        "Model": {
            "Indicators": [
                {
                    "ASN": "",
                    "Confidence": 50,
                    "Country": null,
                    "ID": 191431508,
                    "IType": "apt_md5",
                    "Modified": "2021-09-13T12:40:42.596Z",
                    "Organization": "",
                    "Severity": "medium",
                    "Source": "TestSource",
                    "Status": "active",
                    "Tags": null,
                    "Type": "SHA256",
                    "Value": "178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1"
                }
            ],
            "ModelID": "26769",
            "ModelType": "Actor"
        }
    }
}

Human Readable Output#

Indicators list for Threat Model Actor with id 26769#

| ASN | Confidence | Country | ID | IType | Modified | Organization | Severity | Source | Status | Tags | Type | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 50 | | 191431508 | apt_md5 | 2021-09-13T12:40:42.596Z | | medium | TestSource | active | | SHA256 | 178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1 |

threatstream-supported-platforms#


Returns a list of supported platforms for default or premium sandbox.

Base Command#

threatstream-supported-platforms

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sandbox_type | The type of sandbox. Possible values are: default, premium. Default is default. | Optional |
| limit | The maximum number of results to return from ThreatStream. Default is 50. | Optional |
| all_results | Whether to retrieve all results. The "limit" argument will be ignored. Possible values are: false, true. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.PremiumPlatforms.Name | String | The name of the supported platform for the premium sandbox. |
| ThreatStream.PremiumPlatforms.Types | String | The types of submission supported by the premium sandbox. |
| ThreatStream.PremiumPlatforms.Label | String | The display name of the supported platform of the premium sandbox. |
| ThreatStream.DefaultPlatforms.Name | String | The name of the supported platform for the standard sandbox. |
| ThreatStream.DefaultPlatforms.Types | String | The types of submission supported by the standard sandbox. |
| ThreatStream.DefaultPlatforms.Label | String | The display name of the supported platform of the standard sandbox. |

Command Example#

!threatstream-supported-platforms sandbox_type=default

Context Example#

{
    "ThreatStream": {
        "DefaultPlatforms": [
            {
                "Label": "Windows 7",
                "Name": "WINDOWS7",
                "Platform": "windows",
                "Types": [
                    "file",
                    "url"
                ]
            }
        ]
    }
}

Human Readable Output#

Supported platforms for default sandbox#

| Label | Name | Platform | Types |
| --- | --- | --- | --- |
| Windows 7 | WINDOWS7 | windows | file, url |

url#


Checks the reputation of the given URL.

Base Command#

url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | The URL to check. | Required |
| threshold | If confidence is greater than the threshold the URL is considered malicious, otherwise it is considered good. This argument overrides the default URL threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with an inactive status. Possible values are: True, False. | Optional |
| threat_model_association | Enhance generic reputation commands to include additional information such as Threat Bulletins, Attack patterns, Actors, Campaigns, TTPs, vulnerabilities, etc. Note: If set to true, 6 additional API calls will be performed. Possible values are: True, False. Default is False. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| URL.Data | String | The URL of the indicator. |
| URL.Malicious.Vendor | String | The vendor that reported the indicator as malicious. |
| ThreatStream.URL.Modified | String | The date and time the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time in UTC time. |
| ThreatStream.URL.Confidence | String | The observable certainty level of a reported indicator type. Confidence score ranges from 0-100, in increasing order of confidence. |
| ThreatStream.URL.Status | String | The indicator status. |
| ThreatStream.URL.Organization | String | The name of the business that owns the IP address associated with the indicator. |
| ThreatStream.URL.Address | String | The indicator URL. |
| ThreatStream.URL.Country | String | The country associated with the indicator. |
| ThreatStream.URL.Type | String | The indicator type. |
| ThreatStream.URL.Source | String | The indicator source. |
| ThreatStream.URL.Severity | String | The indicator severity ("very-high", "high", "medium", or "low"). |
| ThreatStream.URL.Tags | Unknown | Tags assigned to the URL. |
| ThreatStream.URL.IType | String | The iType of the indicator. |
| URL.Tags | Unknown | List of URL tags. |
| URL.ThreatTypes | Unknown | Threat types associated with the URL. |
| ThreatStream.URL.Actor.assignee_user | Unknown | The assignee user of the threat actor. |
| ThreatStream.URL.Actor.association_info.comment | Unknown | The comment in the association info of the threat actor. |
| ThreatStream.URL.Actor.association_info.created | Date | The date the association info was created. |
| ThreatStream.URL.Actor.association_info.from_id | Number | The ID from which the association info is related. |
| ThreatStream.URL.Actor.can_add_public_tags | Boolean | Whether you can add public tags to the threat actor. |
| ThreatStream.URL.Actor.created_ts | Date | The date the threat actor was created. |
| ThreatStream.URL.Actor.feed_id | Number | The feed ID of the threat actor. |
| ThreatStream.URL.Actor.id | Number | The ID of the threat actor. |
| ThreatStream.URL.Actor.is_anonymous | Boolean | Whether the threat actor is anonymous. |
| ThreatStream.URL.Actor.is_cloneable | String | Whether the threat actor is cloneable. |
| ThreatStream.URL.Actor.is_public | Boolean | Whether the threat actor is public. |
| ThreatStream.URL.Actor.is_team | Boolean | Whether the threat actor is a team. |
| ThreatStream.URL.Actor.modified_ts | Date | The date the threat actor was modified. |
| ThreatStream.URL.Actor.name | String | The name of the threat actor. |
| ThreatStream.URL.Actor.organization_id | Number | The organization ID of the threat actor. |
| ThreatStream.URL.Actor.owner_user_id | Number | The owner user ID of the threat actor. |
| ThreatStream.URL.Actor.primary_motivation | Unknown | The primary motivation of the threat actor. |
| ThreatStream.URL.Actor.publication_status | String | The publication status of the threat actor. |
| ThreatStream.URL.Actor.published_ts | Date | The date the threat actor was published. |
| ThreatStream.URL.Actor.resource_level | Unknown | The resource level of the threat actor. |
| ThreatStream.URL.Actor.resource_uri | String | The resource URI of the threat actor. |
| ThreatStream.URL.Actor.source_created | Unknown | The date the source was created. |
| ThreatStream.URL.Actor.source_modified | Unknown | The date the source was modified. |
| ThreatStream.URL.Actor.start_date | Unknown | The start date. |
| ThreatStream.URL.Actor.tags | String | The tags of the threat actor. |
| ThreatStream.URL.Actor.tags_v2.id | String | The ID of the tag. |
| ThreatStream.URL.Actor.tags_v2.name | String | The name of the tag. |
| ThreatStream.URL.Actor.tlp | String | The TLP of the threat actor. |
| ThreatStream.URL.Actor.uuid | String | The UUID of the threat actor. |
| ThreatStream.URL.Signature.assignee_user | Unknown | The assignee user of the signature. |
| ThreatStream.URL.Signature.association_info.comment | Unknown | The comment in the association info of the signature. |
| ThreatStream.URL.Signature.association_info.created | Date | The date the association info was created. |
| ThreatStream.URL.Signature.association_info.from_id | Number | The ID from which the association info is related. |
| ThreatStream.URL.Signature.can_add_public_tags | Boolean | Whether you can add public tags to the signature. |
| ThreatStream.URL.Signature.created_ts | Date | The date the signature was created. |
| ThreatStream.URL.Signature.feed_id | Number | The feed ID of the signature. |
| ThreatStream.URL.Signature.id | Number | The ID of the signature. |
| ThreatStream.URL.Signature.is_anonymous | Boolean | Whether the signature is anonymous. |
| ThreatStream.URL.Signature.is_cloneable | String | Whether the signature is cloneable. |
| ThreatStream.URL.Signature.is_public | Boolean | Whether the signature is public. |
| ThreatStream.URL.Signature.is_team | Boolean | Whether the signature is a team signature. |
| ThreatStream.URL.Signature.modified_ts | Date | The date the signature was modified. |
| ThreatStream.URL.Signature.name | String | The name of the signature. |
| ThreatStream.URL.Signature.organization_id | Number | The organization ID of the signature. |
| ThreatStream.URL.Signature.owner_user_id | Number | The owner user ID of the signature. |
| ThreatStream.URL.Signature.primary_motivation | Unknown | The primary motivation of the signature. |
| ThreatStream.URL.Signature.publication_status | String | The publication status of the signature. |
| ThreatStream.URL.Signature.published_ts | Date | The date the signature was published. |
| ThreatStream.URL.Signature.resource_level | Unknown | The resource level of the signature. |
| ThreatStream.URL.Signature.resource_uri | String | The resource URI of the signature. |
| ThreatStream.URL.Signature.source_created | Unknown | The date the source was created. |
| ThreatStream.URL.Signature.source_modified | Unknown | The date the source was modified. |
| ThreatStream.URL.Signature.start_date | Unknown | The start date. |
| ThreatStream.URL.Signature.tags | String | The tags of the signature. |
| ThreatStream.URL.Signature.tags_v2.id | String | The ID of the tag. |
| ThreatStream.URL.Signature.tags_v2.name | String | The name of the tag. |
| ThreatStream.URL.Signature.tlp | String | The TLP of the signature. |
| ThreatStream.URL.Signature.uuid | String | The UUID of the signature. |
| ThreatStream.URL.ThreatBulletin.all_circles_visible | Boolean | Whether all of the circles are visible. |
| ThreatStream.URL.ThreatBulletin.assignee_org | String | The assignee organization. |
| ThreatStream.URL.ThreatBulletin.assignee_org_id | String | The assignee organization ID. |
| ThreatStream.URL.ThreatBulletin.assignee_org_name | String | The assignee organization name. |
| ThreatStream.URL.ThreatBulletin.assignee_user | String | The assignee user. |
| ThreatStream.URL.ThreatBulletin.assignee_user_id | String | The assignee user ID. |
| ThreatStream.URL.ThreatBulletin.assignee_user_name | Unknown | The assignee user name. |
| ThreatStream.URL.ThreatBulletin.association_info.comment | Unknown | The comment in the association info of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.association_info.created | Date | The date the association info was created. |
| ThreatStream.URL.ThreatBulletin.association_info.from_id | String | The ID from which the association info is related. |
| ThreatStream.URL.ThreatBulletin.body_content_type | String | The body content type. |
| ThreatStream.URL.ThreatBulletin.campaign | Unknown | The campaign of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.can_add_public_tags | Boolean | Whether you can add public tags. |
| ThreatStream.URL.ThreatBulletin.created_ts | Date | The date the threat bulletin was created. |
| ThreatStream.URL.ThreatBulletin.feed_id | Number | The feed ID of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.id | String | The ID of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.is_anonymous | Boolean | Whether the threat bulletin is anonymous. |
| ThreatStream.URL.ThreatBulletin.is_cloneable | String | Whether the threat bulletin is cloneable. |
| ThreatStream.URL.ThreatBulletin.is_editable | Boolean | Whether the threat bulletin is editable. |
| ThreatStream.URL.ThreatBulletin.is_email | Boolean | Whether the threat bulletin is an email. |
| ThreatStream.URL.ThreatBulletin.is_public | Boolean | Whether the threat bulletin is public. |
| ThreatStream.URL.ThreatBulletin.modified_ts | Date | The date the threat bulletin was modified. |
| ThreatStream.URL.ThreatBulletin.name | String | The name of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.original_source | String | The original source of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.original_source_id | Unknown | The original source ID of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.owner_org.id | String | The owner organization ID. |
| ThreatStream.URL.ThreatBulletin.owner_org.name | String | The owner organization name. |
| ThreatStream.URL.ThreatBulletin.owner_org.resource_uri | String | The owner organization URI. |
| ThreatStream.URL.ThreatBulletin.owner_org_id | Number | The ID of the owner organization. |
| ThreatStream.URL.ThreatBulletin.owner_org_name | String | The name of the owner organization. |
| ThreatStream.URL.ThreatBulletin.owner_user.avatar_s3_url | Unknown | The S3 URL of the owner user's avatar. |
| ThreatStream.URL.ThreatBulletin.owner_user.can_share_intelligence | Boolean | Whether you can share intelligence. |
| ThreatStream.URL.ThreatBulletin.owner_user.email | String | The email of the owner user. |
| ThreatStream.URL.ThreatBulletin.owner_user.id | String | The ID of the owner user. |
| ThreatStream.URL.ThreatBulletin.owner_user.is_active | Boolean | Whether the owner user is active. |
| ThreatStream.URL.ThreatBulletin.owner_user.is_readonly | Boolean | Whether the owner user has read-only permission. |
| ThreatStream.URL.ThreatBulletin.owner_user.must_change_password | Boolean | Whether the owner user must change the password. |
| ThreatStream.URL.ThreatBulletin.owner_user.name | String | The owner user name. |
| ThreatStream.URL.ThreatBulletin.owner_user.nickname | String | The owner user nickname. |
| ThreatStream.URL.ThreatBulletin.owner_user.organization.id | String | The ID of the owner user organization. |
| ThreatStream.URL.ThreatBulletin.owner_user.organization.name | String | The name of the owner user organization. |
| ThreatStream.URL.ThreatBulletin.owner_user.organization.resource_uri | String | The resource URI of the owner user organization. |
| ThreatStream.URL.ThreatBulletin.owner_user.resource_uri | String | The resource URI of the owner user. |
| ThreatStream.URL.ThreatBulletin.owner_user_id | Number | The owner user ID of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.owner_user_name | String | The owner user name of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.parent | Unknown | The parent of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.published_ts | Unknown | The date the threat bulletin was published. |
| ThreatStream.URL.ThreatBulletin.resource_uri | String | The resource URI of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.source | Unknown | The source of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.source_created | Unknown | The date the source was created. |
| ThreatStream.URL.ThreatBulletin.source_modified | Unknown | The date the source was modified. |
| ThreatStream.URL.ThreatBulletin.starred_by_me | Boolean | Whether the threat bulletin was starred by me. |
| ThreatStream.URL.ThreatBulletin.starred_total_count | Number | The total number of times the threat bulletin was starred. |
| ThreatStream.URL.ThreatBulletin.status | String | The status of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.threat_actor | Unknown | The threat actor of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.tlp | Unknown | The TLP of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.ttp | Unknown | The TTP of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.uuid | String | The UUID of the threat bulletin. |
| ThreatStream.URL.ThreatBulletin.votes.me | Unknown | The number of votes by me. |
| ThreatStream.URL.ThreatBulletin.votes.total | Number | The number of total votes. |
| ThreatStream.URL.ThreatBulletin.watched_by_me | Boolean | Whether the threat bulletin was watched by me. |
| ThreatStream.URL.ThreatBulletin.watched_total_count | Number | The total number of watchers. |
| ThreatStream.URL.TTP.assignee_user | Unknown | The assignee user of the TTP. |
| ThreatStream.URL.TTP.association_info.comment | Unknown | The comment in the association info of the TTP. |
| ThreatStream.URL.TTP.association_info.created | Date | The date the association info was created. |
| ThreatStream.URL.TTP.association_info.from_id | Number | The ID from which the association info is related. |
| ThreatStream.URL.TTP.can_add_public_tags | Boolean | Whether you can add public tags to the TTP. |
| ThreatStream.URL.TTP.created_ts | Date | The date the TTP was created. |
| ThreatStream.URL.TTP.feed_id | Number | The feed ID of the TTP. |
| ThreatStream.URL.TTP.id | Number | The ID of the TTP. |
| ThreatStream.URL.TTP.is_anonymous | Boolean | Whether the TTP is anonymous. |
| ThreatStream.URL.TTP.is_cloneable | String | Whether the TTP is cloneable. |
| ThreatStream.URL.TTP.is_public | Boolean | Whether the TTP is public. |
| ThreatStream.URL.TTP.is_team | Boolean | Whether the TTP is a team. |
| ThreatStream.URL.TTP.modified_ts | Date | The date the TTP was modified. |
| ThreatStream.URL.TTP.name | String | The name of the TTP. |
| ThreatStream.URL.TTP.organization_id | Number | The organization ID of the TTP. |
| ThreatStream.URL.TTP.owner_user_id | Number | The owner user ID of the TTP. |
| ThreatStream.URL.TTP.primary_motivation | Unknown | The primary motivation of the TTP. |
| ThreatStream.URL.TTP.publication_status | String | The publication status of the TTP. |
| ThreatStream.URL.TTP.published_ts | Date | The date the TTP was published. |
| ThreatStream.URL.TTP.resource_level | Unknown | The resource level of the TTP. |
| ThreatStream.URL.TTP.resource_uri | String | The resource URI of the TTP. |
| ThreatStream.URL.TTP.source_created | Unknown | The date the source was created. |
| ThreatStream.URL.TTP.source_modified | Unknown | The date the source was modified. |
| ThreatStream.URL.TTP.start_date | Unknown | The start date. |
| ThreatStream.URL.TTP.tags | String | The tags of the TTP. |
| ThreatStream.URL.TTP.tags_v2.id | String | The ID of the tag. |
| ThreatStream.URL.TTP.tags_v2.name | String | The name of the tag. |
| ThreatStream.URL.TTP.tlp | String | The TLP of the TTP. |
| ThreatStream.URL.TTP.uuid | String | The UUID of the TTP. |
| ThreatStream.URL.Vulnerability.assignee_user | Unknown | The assignee user of the vulnerability. |
| ThreatStream.URL.Vulnerability.association_info.comment | Unknown | The comment in the association info of the vulnerability. |
| ThreatStream.URL.Vulnerability.association_info.created | Date | The date the association info was created. |
| ThreatStream.URL.Vulnerability.association_info.from_id | Number | The ID from which the association info is related. |
| ThreatStream.URL.Vulnerability.can_add_public_tags | Boolean | Whether you can add public tags to the vulnerability. |
| ThreatStream.URL.Vulnerability.circles.id | String | The ID of the circle. |
| ThreatStream.URL.Vulnerability.circles.name | String | The name of the circle. |
| ThreatStream.URL.Vulnerability.circles.resource_uri | String | The resource URI of the circle. |
| ThreatStream.URL.Vulnerability.created_ts | Date | The date the vulnerability was created. |
| ThreatStream.URL.Vulnerability.feed_id | Number | The feed ID of the vulnerability. |
| ThreatStream.URL.Vulnerability.id | Number | The ID of the vulnerability. |
| ThreatStream.URL.Vulnerability.is_anonymous | Boolean | Whether the vulnerability is anonymous. |
| ThreatStream.URL.Vulnerability.is_cloneable | String | Whether the vulnerability is cloneable. |
| ThreatStream.URL.Vulnerability.is_public | Boolean | Whether the vulnerability is public. |
| ThreatStream.URL.Vulnerability.is_system | Boolean | Whether the vulnerability is in the system. |
| ThreatStream.URL.Vulnerability.modified_ts | Date | The date the vulnerability was modified. |
| ThreatStream.URL.Vulnerability.name | String | The name of the vulnerability. |
| ThreatStream.URL.Vulnerability.organization_id | Number | The organization ID of the vulnerability. |
| ThreatStream.URL.Vulnerability.owner_user_id | Unknown | The owner user ID of the vulnerability. |
| ThreatStream.URL.Vulnerability.publication_status | String | The publication status of the vulnerability. |
| ThreatStream.URL.Vulnerability.published_ts | Date | The date the vulnerability was published. |
| ThreatStream.URL.Vulnerability.resource_uri | String | The resource URI of the vulnerability. |
| ThreatStream.URL.Vulnerability.source | String | The source of the vulnerability. |
| ThreatStream.URL.Vulnerability.source_created | Unknown | The date the source was created. |
| ThreatStream.URL.Vulnerability.source_modified | Unknown | The date the source was modified. |
| ThreatStream.URL.Vulnerability.tags | String | The tags of the vulnerability. |
| ThreatStream.URL.Vulnerability.tags_v2.id | String | The ID of the tag. |
| ThreatStream.URL.Vulnerability.tags_v2.name | String | The name of the tag. |
| ThreatStream.URL.Vulnerability.tlp | String | The TLP of the vulnerability. |
| ThreatStream.URL.Vulnerability.update_id | Number | The update ID of the vulnerability. |
| ThreatStream.URL.Vulnerability.uuid | String | The UUID of the vulnerability. |
| ThreatStream.URL.Campaign.assignee_user | Unknown | The assignee user of the campaign. |
| ThreatStream.URL.Campaign.association_info.comment | Unknown | The comment in the association info of the campaign. |
| ThreatStream.URL.Campaign.association_info.created | Date | The date the association info was created. |
| ThreatStream.URL.Campaign.association_info.from_id | Number | The ID from which the association info is related. |
| ThreatStream.URL.Campaign.can_add_public_tags | Boolean | Whether you can add public tags to the campaign. |
| ThreatStream.URL.Campaign.created_ts | Date | The date the campaign was created. |
| ThreatStream.URL.Campaign.end_date | Unknown | The end date of the campaign. |
| ThreatStream.URL.Campaign.feed_id | Number | The feed ID of the campaign. |
| ThreatStream.URL.Campaign.id | Number | The ID of the campaign. |
| ThreatStream.URL.Campaign.is_anonymous | Boolean | Whether the campaign is anonymous. |
| ThreatStream.URL.Campaign.is_cloneable | String | Whether the campaign is cloneable. |
| ThreatStream.URL.Campaign.is_public | Boolean | Whether the campaign is public. |
| ThreatStream.URL.Campaign.modified_ts | Date | The date the campaign was modified. |
| ThreatStream.URL.Campaign.name | String | The name of the campaign. |
| ThreatStream.URL.Campaign.objective | Unknown | The objective of the campaign. |
| ThreatStream.URL.Campaign.organization_id | Number | The organization ID of the campaign. |
| ThreatStream.URL.Campaign.owner_user_id | Number | The owner user ID of the campaign. |
| ThreatStream.URL.Campaign.publication_status | String | The publication status of the campaign. |
| ThreatStream.URL.Campaign.published_ts | Unknown | The date the campaign was published. |
| ThreatStream.URL.Campaign.resource_uri | String | The resource URI of the campaign. |
| ThreatStream.URL.Campaign.source_created | Date | The date the source was created. |
| ThreatStream.URL.Campaign.source_modified | Date | The date the source was modified. |
| ThreatStream.URL.Campaign.start_date | Unknown | The start date of the campaign. |
| ThreatStream.URL.Campaign.status.display_name | String | The display name of the status. |
| ThreatStream.URL.Campaign.status.id | Number | The ID of the status of the campaign. |
| ThreatStream.URL.Campaign.status.resource_uri | String | The resource URI of the status of the campaign. |
| ThreatStream.URL.Campaign.tlp | String | The TLP of the campaign. |
| ThreatStream.URL.Campaign.uuid | String | The UUID of the campaign. |

Command Example#

!url url=http://www.ujhy1.com/ threat_model_association=True

Context Example#

{
    "DBotScore": {
        "Indicator": "http://www.ujhy1.com/",
        "Message": "No results found.",
        "Reliability": "B - Usually reliable",
        "Score": 0,
        "Type": "url",
        "Vendor": "Anomali ThreatStream v3 May"
    },
    "URL": {
        "Data": "http://www.ujhy1.com/"
    }
}

Human Readable Output#

Anomali ThreatStream v3 May:#

| URL | Result |
| --- | --- |
| http://www.ujhy1.com/ | Not found |
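The argument table for this command states the scoring rule in one sentence (confidence greater than the threshold is malicious, otherwise good), the include_inactive flag decides which records take part, and the context example shows the third outcome, a score of 0 with "No results found." when ThreatStream holds nothing usable for the URL. The following added example, not the integration's own code, implements that rule over constructed records shaped like the ThreatStream.URL context so the interaction between threshold and include_inactive can be seen; collapsing several records for one URL by taking the highest confidence is an assumption of the example.

```python
"""Apply the url command's documented scoring rule to ThreatStream records:
confidence greater than the threshold means Malicious, otherwise Good;
inactive records are ignored unless include_inactive is set; a URL with no
usable record gets the unknown score and "No results found.".
Added example, not the integration's own code. SAMPLE_RECORDS is constructed
(not real intelligence) and mirrors the ThreatStream.URL context shape; taking
the highest confidence across several records for one URL is an assumption."""

from typing import Any, Dict, List

# Cortex XSOAR DBotScore values: 0 unknown, 1 good, 2 suspicious, 3 malicious.
SCORE_UNKNOWN, SCORE_GOOD, SCORE_BAD = 0, 1, 3
VENDOR = "Anomali ThreatStream v3"

# Constructed records shaped like ThreatStream.URL entries.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"Address": "http://bad.example.com/", "Confidence": 80, "Status": "active",
     "Severity": "high", "IType": "mal_url"},
    {"Address": "http://bad.example.com/", "Confidence": 95, "Status": "inactive",
     "Severity": "very-high", "IType": "mal_url"},
    {"Address": "http://low.example.com/", "Confidence": 40, "Status": "active",
     "Severity": "low", "IType": "suspicious_url"},
]


def select_records(url: str, records: List[Dict[str, Any]],
                   include_inactive: bool) -> List[Dict[str, Any]]:
    """Records for exactly this URL; inactive ones are dropped unless asked for."""
    matches = [r for r in records if r.get("Address") == url]
    if include_inactive:
        return matches
    return [r for r in matches if str(r.get("Status", "")).lower() == "active"]


def score_url(url: str, records: List[Dict[str, Any]], threshold: int,
              include_inactive: bool = False) -> Dict[str, Any]:
    """Return a DBotScore-shaped dict for `url`.

    `threshold` is the command's threshold argument, which overrides the
    URL threshold integration parameter when given."""
    matches = select_records(url, records, include_inactive)
    if not matches:
        return {"Indicator": url, "Type": "url", "Vendor": VENDOR,
                "Score": SCORE_UNKNOWN, "Message": "No results found."}
    # Assumption: with several records for the same URL, the highest
    # confidence decides the verdict.
    confidence = max(int(r.get("Confidence", -1)) for r in matches)
    score = SCORE_BAD if confidence > threshold else SCORE_GOOD
    return {"Indicator": url, "Type": "url", "Vendor": VENDOR,
            "Score": score, "Confidence": confidence, "Records": len(matches)}


if __name__ == "__main__":
    for url in ("http://bad.example.com/", "http://low.example.com/", "http://www.ujhy1.com/"):
        print(score_url(url, SAMPLE_RECORDS, threshold=70))
    # Same URL, same threshold: the verdict flips once inactive records count.
    print(score_url("http://bad.example.com/", SAMPLE_RECORDS, threshold=85))
    print(score_url("http://bad.example.com/", SAMPLE_RECORDS, threshold=85, include_inactive=True))
```

The last two calls are the case to keep in mind when enabling the Include inactive results parameter: at threshold 85 the only active record (confidence 80) yields Good, while counting the retired record (confidence 95) yields Malicious, so the option changes verdicts, not just the amount of context returned.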

Additional Considerations for this version#

  • Remove the default_threshold integration parameter.
  • Add integration parameter for global threshold in ip, domain, file, url, and threatstream-email-reputation commands.
  • Add Include inactive results checkbox in integration settings for the ability to get inactive results.

threatstream-search-intelligence#


Returns filtered intelligence from ThreatStream. If a query is defined, it overrides all other arguments that were passed to the command.

Base Command#

threatstream-search-intelligence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| value | The value of the intelligence. | Optional |
| uuid | The UUID of the intelligence. When several UUIDs are stated, an "OR" operator is used. | Optional |
| type | The type of the intelligence. Possible values are: domain, email, ip, md5, string, url. | Optional |
| itype | The itype of the intelligence (e.g., apt_ip, apt_email). | Optional |
| status | The status of the intelligence. Possible values are: active, inactive, falsepos. | Optional |
| tags | The tags of the intelligence. Comma-separated list. When several tags are stated, an "OR" operator is used. | Optional |
| asn | The ASN of the intelligence. | Optional |
| confidence | The confidence of the intelligence. Input is an operator followed by a value, e.g., "gt 65" or "lt 85". If only a value is stated, it must match exactly. | Optional |
| threat_type | The threat type of the intelligence. | Optional |
| is_public | Whether the intelligence is public. | Optional |
| query | Query that overrides all other arguments. The filter operators used for the filter language query are the symbolic form (=, <, >, and so on) and not the descriptive form (exact, lt, gt, and so on). E.g., (confidence>=90+AND+(itype="apt_ip"+OR+itype="bot_ip"+OR+itype="c2_ip")). | Optional |
| update_id_gt | An incrementing numeric identifier associated with each update to intelligence on ThreatStream. If specified, it is recommended to use order_by=update_id. | Optional |
| order_by | How to order the results. | Optional |
| limit | The maximum number of results to return from ThreatStream. The maximum number of returned results is 1000. For more results, use the page and page_size arguments. Default is 50. | Optional |
| page | Page number to get results from. Must be used with the page_size argument. | Optional |
| page_size | The page size of the returned results. Must be used with the page argument. | Optional |
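
The argument table above describes several pieces of behaviour that are easy to get wrong when calling the command from a playbook or script: a query overrides every other filter, confidence takes an operator prefix, limit is capped at 1000, page and page_size go together, and update_id_gt should be paired with order_by=update_id. The following is an added example, not the integration's own code, showing how those arguments map onto API query parameters and how to use update_id_gt as a cursor for an incremental pull. The parameter names with double-underscore suffixes (confidence__gt, update_id__gt), offset-based paging and the raw `q` parameter are assumptions about the ThreatStream API, not something the page states; no network call is made, and a constructed in-memory dataset stands in for the API.

```python
"""Added example (not the integration's own code): how the
threatstream-search-intelligence arguments map onto ThreatStream
/api/v2/intelligence/ query parameters, and how to pull updates
incrementally with update_id_gt + order_by=update_id.

Assumptions not stated on the page: Django-style filter suffixes
(confidence__gt, update_id__gt), offset-based paging (limit/offset)
and 'q' as the raw filter-language parameter.  No network calls are
made; a constructed in-memory dataset stands in for the API."""
import re
from typing import Any, Callable, Dict, List, Tuple

MAX_LIMIT = 1000      # documented hard cap on returned results
DEFAULT_LIMIT = 50    # documented default for `limit`
_CONFIDENCE = re.compile(r"^(?:(gt|lt)\s+)?(\d{1,3})$")
_PASSTHROUGH = ("value", "uuid", "type", "itype", "status", "tags",
                "asn", "threat_type", "is_public")


def build_params(args: Dict[str, Any]) -> Dict[str, Any]:
    """Translate command arguments (as XSOAR passes them) into API query params."""
    params: Dict[str, Any] = {}
    if args.get("query"):
        params["q"] = args["query"]          # a raw query overrides every other filter
    else:
        for name in _PASSTHROUGH:
            if args.get(name) not in (None, ""):
                params[name] = args[name]    # comma-separated uuid/tags are OR-ed server-side
        conf = args.get("confidence")
        if conf:
            m = _CONFIDENCE.match(str(conf).strip())
            if not m:
                raise ValueError(f"confidence must be 'gt N', 'lt N' or 'N', got {conf!r}")
            op, num = m.groups()
            params["confidence__" + op if op else "confidence"] = int(num)
    if args.get("update_id_gt") is not None:
        params["update_id__gt"] = int(args["update_id_gt"])
        params["order_by"] = args.get("order_by") or "update_id"   # documented recommendation
    elif args.get("order_by"):
        params["order_by"] = args["order_by"]
    page, page_size = args.get("page"), args.get("page_size")
    if (page is None) != (page_size is None):
        raise ValueError("page and page_size must be used together")
    if page is not None:
        page, page_size = int(page), int(page_size)
        if page < 1 or not 1 <= page_size <= MAX_LIMIT:
            raise ValueError("page must be >= 1 and page_size between 1 and 1000")
        params["limit"], params["offset"] = page_size, (page - 1) * page_size
    else:
        params["limit"] = min(int(args.get("limit") or DEFAULT_LIMIT), MAX_LIMIT)
    return params


# Constructed sample records standing in for API responses (not real intelligence).
FAKE_INTEL: List[Dict[str, Any]] = [
    {"id": 1, "value": "1.2.4.5", "itype": "c2_ip", "status": "inactive", "update_id": 100},
    {"id": 2, "value": "5.6.7.8", "itype": "bot_ip", "status": "active", "update_id": 103},
    {"id": 3, "value": "9.9.9.9", "itype": "apt_ip", "status": "active", "update_id": 107},
    {"id": 4, "value": "bad.example", "itype": "c2_domain", "status": "active", "update_id": 110},
]


def fake_fetch(params: Dict[str, Any]) -> List[Dict[str, Any]]:
    """In-memory stand-in for GET /api/v2/intelligence/ honouring the params above."""
    rows = [r for r in FAKE_INTEL if r["update_id"] > params.get("update_id__gt", -1)]
    if "status" in params:
        rows = [r for r in rows if r["status"] == params["status"]]
    rows.sort(key=lambda r: r["update_id"])
    offset = params.get("offset", 0)
    return rows[offset:offset + params["limit"]]


def pull_since(fetch: Callable[[Dict[str, Any]], List[Dict[str, Any]]],
               cursor: int, page_size: int = 2, status: str = "active"
               ) -> Tuple[List[Dict[str, Any]], int]:
    """Fetch every record updated after `cursor`.  The cursor is advanced to the
    last update_id seen instead of walking page offsets, so records inserted
    between calls cannot shift pages underneath us.  Returns (records, new_cursor)."""
    seen: List[Dict[str, Any]] = []
    while True:
        batch = fetch(build_params({"update_id_gt": cursor, "status": status,
                                    "limit": page_size}))
        seen.extend(batch)
        if batch:
            cursor = batch[-1]["update_id"]   # ordered by update_id, so the last is the max
        if len(batch) < page_size:
            return seen, cursor
```

Persist the returned cursor (for example in the integration context) and pass it back as update_id_gt on the next run; because results are ordered by update_id, nothing is skipped or double-counted even if new records arrive mid-pull, which is the reason the documentation recommends order_by=update_id alongside update_id_gt.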

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Intelligence.source_created | Date | The date the intelligence was created at its source. |
| ThreatStream.Intelligence.status | String | The status of the intelligence. |
| ThreatStream.Intelligence.itype | String | The itype of the intelligence. |
| ThreatStream.Intelligence.expiration_ts | Date | The expiration timestamp of the intelligence. |
| ThreatStream.Intelligence.ip | String | The IP address of the intelligence. |
| ThreatStream.Intelligence.is_editable | Boolean | Whether the intelligence is editable. |
| ThreatStream.Intelligence.feed_id | Number | The feed ID of the intelligence. |
| ThreatStream.Intelligence.update_id | Number | The update ID of the intelligence. |
| ThreatStream.Intelligence.value | String | The value of the intelligence. |
| ThreatStream.Intelligence.is_public | Boolean | Whether the intelligence is public. |
| ThreatStream.Intelligence.threat_type | String | The threat type of the intelligence. |
| ThreatStream.Intelligence.workgroups | String | The workgroups of the intelligence. |
| ThreatStream.Intelligence.confidence | Number | The confidence of the intelligence. |
| ThreatStream.Intelligence.uuid | String | The UUID of the intelligence. |
| ThreatStream.Intelligence.retina_confidence | Number | The retina confidence of the intelligence. |
| ThreatStream.Intelligence.trusted_circle_ids | String | The trusted circle IDs of the intelligence. |
| ThreatStream.Intelligence.id | Number | The ID of the intelligence. |
| ThreatStream.Intelligence.source | String | The source of the intelligence. |
| ThreatStream.Intelligence.owner_organization_id | Number | The owner organization ID of the intelligence. |
| ThreatStream.Intelligence.import_session_id | String | The import session ID of the intelligence. |
| ThreatStream.Intelligence.source_modified | Date | The date the intelligence was modified at its source. |
| ThreatStream.Intelligence.type | String | The type of the intelligence. |
| ThreatStream.Intelligence.description | String | The description of the intelligence. |
| ThreatStream.Intelligence.tags | Unknown | The tags of the intelligence, each with an id and a name. |
| ThreatStream.Intelligence.threatscore | Number | The threat score of the intelligence. |
| ThreatStream.Intelligence.latitude | String | The latitude of the intelligence. |
| ThreatStream.Intelligence.longitude | String | The longitude of the intelligence. |
| ThreatStream.Intelligence.modified_ts | Date | The date the intelligence was modified. |
| ThreatStream.Intelligence.org | String | The organization of the intelligence. |
| ThreatStream.Intelligence.asn | Number | The ASN of the intelligence. |
| ThreatStream.Intelligence.created_ts | Date | The date the intelligence was created. |
| ThreatStream.Intelligence.tlp | String | The TLP of the intelligence. |
| ThreatStream.Intelligence.is_anonymous | Boolean | Whether the intelligence is anonymous. |
| ThreatStream.Intelligence.country | String | The country of the intelligence. |
| ThreatStream.Intelligence.source_reported_confidence | Number | The confidence reported by the source. |
| ThreatStream.Intelligence.subtype | String | The subtype of the intelligence. |
| ThreatStream.Intelligence.resource_uri | String | The resource URI of the intelligence. |
| ThreatStream.Intelligence.severity | String | The severity of the intelligence. |

Command example#

!threatstream-search-intelligence limit=1 status=inactive value=1.2.4.5

Context Example#

{
"ThreatStream": {
"Intelligence": [
{
"asn": "",
"can_add_public_tags": true,
"confidence": 100,
"country": null,
"created_ts": "2022-04-21T14:27:51.242Z",
"description": null,
"expiration_ts": "2022-07-20T14:27:51.041Z",
"feed_id": 0,
"id": 355250247,
"import_session_id": null,
"ip": "1.2.4.5",
"is_anonymous": false,
"is_editable": false,
"is_public": true,
"itype": "c2_ip",
"latitude": null,
"longitude": null,
"meta": {
"detail2": "bifocals_deactivated_on_2022-07-20_14:30:00.151050",
"severity": "medium"
},
"modified_ts": "2022-07-20T14:30:02.307Z",
"org": "",
"owner_organization_id": 67,
"rdns": null,
"resource_uri": "/api/v2/intelligence/355250247/",
"retina_confidence": -1,
"sort": [
1658327402307,
"355250247"
],
"source": "Analyst",
"source_created": null,
"source_modified": null,
"source_reported_confidence": 100,
"status": "inactive",
"subtype": null,
"tags": [
{
"id": "4w0",
"name": "abc"
},
{
"id": "o8x",
"name": "feb3fbcf-d18c-4a1a-89af-fbe054e16f6c"
},
{
"id": "vuj",
"name": "Playboook_source_without_approval_on_cloud"
}
],
"threat_type": "c2",
"threatscore": 70,
"tlp": null,
"trusted_circle_ids": null,
"type": "ip",
"update_id": 940700580,
"uuid": "3e141a49-6fc9-4567-8efb-919565a39752",
"value": "1.2.4.5",
"workgroups": []
}
]
}
}

Human Readable Output#

The intelligence results#

| Field | Value |
| --- | --- |
| Can Add Public Tags | true |
| Confidence | 100 |
| Created Ts | 2022-04-21T14:27:51.242Z |
| Expiration Ts | 2022-07-20T14:27:51.041Z |
| Feed Id | 0 |
| Id | 355250247 |
| Ip | 1.2.4.5 |
| Is Anonymous | false |
| Is Editable | false |
| Is Public | true |
| Itype | c2_ip |
| Meta | detail2: bifocals_deactivated_on_2022-07-20_14:30:00.151050; severity: medium |
| Modified Ts | 2022-07-20T14:30:02.307Z |
| Owner Organization Id | 67 |
| Resource Uri | /api/v2/intelligence/355250247/ |
| Retina Confidence | -1 |
| Sort | 1658327402307, 355250247 |
| Source | Analyst |
| Source Reported Confidence | 100 |
| Status | inactive |
| Tags | {'id': '4w0', 'name': 'abc'}, {'id': 'o8x', 'name': 'feb3fbcf-d18c-4a1a-89af-fbe054e16f6c'}, {'id': 'vuj', 'name': 'Playboook_source_without_approval_on_cloud'} |
| Threat Type | c2 |
| Threatscore | 70 |
| Type | ip |
| Update Id | 940700580 |
| Uuid | 3e141a49-6fc9-4567-8efb-919565a39752 |
| Value | 1.2.4.5 |

threatstream-list-rule#


Gets a list of rules from ThreatStream.

Base Command#

threatstream-list-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | Unique ID assigned to the rule. | Optional |
| limit | The maximum number of results to return. Default is 50. | Optional |
| page | The page number of the results to retrieve. | Optional |
| page_size | The maximum number of objects to retrieve per page. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Rule.adv_keyword | Unknown | Advanced keyword or regular expression that the rule is designed to match. |
| ThreatStream.Rule.backfill | Unknown | Objects that define additional filters or conditions for the rule. |
| ThreatStream.Rule.create_investigation | Boolean | Whether an investigation should be created when the rule is triggered. |
| ThreatStream.Rule.created_ts | Date | Rule creation time. |
| ThreatStream.Rule.description | Unknown | The rule description. |
| ThreatStream.Rule.exclude_notify_org_whitelisted | Boolean | Whether to exclude the rule from matching observables that are included in the organization whitelist. |
| ThreatStream.Rule.exclude_notify_owner_org | Boolean | Whether to exclude keyword matches on observables imported by the organization from keyword match or hourly digest email notifications. |
| ThreatStream.Rule.has_associations | Boolean | Whether the rule has associations. |
| ThreatStream.Rule.id | Number | Unique ID assigned to the rule. |
| ThreatStream.Rule.intelligence_initiatives | Unknown | Intelligence initiatives associated with the rule. |
| ThreatStream.Rule.is_editable | Boolean | Whether the imported rule can be updated by an intelligence source. |
| ThreatStream.Rule.is_enabled | Boolean | Whether the rule is currently enabled. |
| ThreatStream.Rule.keyword | String | Keyword associated with the rule. |
| ThreatStream.Rule.keywords | String | A list of keywords associated with the rule. |
| ThreatStream.Rule.match_actors | Boolean | Whether the rule matches keywords in newly created actors. |
| ThreatStream.Rule.match_all_tm | Boolean | Whether the rule should match against all threat models. |
| ThreatStream.Rule.match_attackpatterns | Boolean | Whether the rule matches keywords in newly created attack patterns. |
| ThreatStream.Rule.match_campaigns | Boolean | Whether the rule matches keywords in newly created campaigns. |
| ThreatStream.Rule.match_courseofactions | Boolean | Whether the rule matches keywords in newly created courses of action. |
| ThreatStream.Rule.match_customtms | Boolean | Whether the rule should match custom threat models. |
| ThreatStream.Rule.match_identities | Boolean | Whether the rule matches keywords in newly created identities. |
| ThreatStream.Rule.match_incidents | Boolean | Whether the rule matches keywords in newly created incidents. |
| ThreatStream.Rule.match_infrastructures | Boolean | Whether the rule matches keywords in newly created infrastructures. |
| ThreatStream.Rule.match_intrusionsets | Boolean | Whether the rule matches keywords in newly created intrusion sets. |
| ThreatStream.Rule.match_malware | Boolean | Whether the rule matches keywords in newly created malware. |
| ThreatStream.Rule.match_observables | Boolean | Whether the rule matches keywords in newly created observables. |
| ThreatStream.Rule.match_reportedfiles | Boolean | Whether the rule should match keywords in newly created sandbox reports. |
| ThreatStream.Rule.match_signatures | Boolean | Whether the rule should match keywords in newly created signatures. |
| ThreatStream.Rule.match_tips | Boolean | Whether the rule matches keywords in newly created threat bulletins. |
| ThreatStream.Rule.match_tools | Boolean | Whether the rule should match keywords in newly created tools. |
| ThreatStream.Rule.match_ttps | Boolean | Whether the rule should match keywords in newly created TTPs. |
| ThreatStream.Rule.match_vulnerabilities | Boolean | Whether the rule matches keywords in newly created vulnerabilities. |
| ThreatStream.Rule.matches | Number | Total number of keyword matches for the rule. |
| ThreatStream.Rule.messages | Unknown | Messages or notifications generated by the rule. |
| ThreatStream.Rule.modified_ts | Date | Timestamp of when the rule was last modified, in UTC. |
| ThreatStream.Rule.name | String | The rule name. |
| ThreatStream.Rule.notify_list_groups | Unknown | List of groups that should be notified when the rule triggers an alert. |
| ThreatStream.Rule.notify_me | Boolean | Whether the user who created the rule should be notified when the rule triggers an alert. |
| ThreatStream.Rule.org_id | Number | ID of the organization that created the rule. |
| ThreatStream.Rule.org_shared | Boolean | Whether the rule is shared across the organization. |
| ThreatStream.Rule.organization.id | String | ID of the organization that created the rule. |
| ThreatStream.Rule.organization.name | String | Name of the organization that created the rule. |
| ThreatStream.Rule.organization.resource_uri | String | Resource URI of the organization that created the rule. |
| ThreatStream.Rule.resource_uri | String | Resource URI of the rule. |
| ThreatStream.Rule.user.avatar_s3_url | Unknown | URL of the avatar image of the user who created the rule. |
| ThreatStream.Rule.user.can_share_intelligence | Boolean | Whether the user who created the rule can share intelligence. |
| ThreatStream.Rule.user.email | String | Email of the user who created the rule. |
| ThreatStream.Rule.user.id | String | ID of the user who created the rule. |
| ThreatStream.Rule.user.is_active | Boolean | Whether the user who created the rule is active. |
| ThreatStream.Rule.user.is_readonly | Boolean | Whether the user who created the rule is restricted to read-only status. |
| ThreatStream.Rule.user.must_change_password | Boolean | Whether the user who created the rule must change their password the next time they log in. |
| ThreatStream.Rule.user.name | String | Name of the user who created the rule. |
| ThreatStream.Rule.user.nickname | String | Nickname of the user who created the rule. |
| ThreatStream.Rule.user.organization.id | String | The ID of the user's organization. |
| ThreatStream.Rule.user.organization.name | String | The user's organization name. |
| ThreatStream.Rule.user.organization.resource_uri | String | The user's organization resource URI. |
| ThreatStream.Rule.user.resource_uri | String | The user's resource URI. |
| ThreatStream.Rule.user_id | Number | User ID of the user who created the rule. |
| ThreatStream.Rule.workgroups | Unknown | Assigned workgroups. |
| ThreatStream.Rule.actors.id | String | ID of an actor associated with the rule. |
| ThreatStream.Rule.actors.name | String | Name of an actor associated with the rule. |
| ThreatStream.Rule.actors.resource_uri | String | Resource URI of an actor associated with the rule. |
| ThreatStream.Rule.attackpatterns | Unknown | Attack patterns associated with the rule. |
| ThreatStream.Rule.campaigns.id | String | ID of a campaign associated with the rule. |
| ThreatStream.Rule.campaigns.name | String | Name of a campaign associated with the rule. |
| ThreatStream.Rule.campaigns.resource_uri | String | Resource URI of a campaign associated with the rule. |
| ThreatStream.Rule.courseofaction | Unknown | Course of action entities associated with the rule. |
| ThreatStream.Rule.customtms | Unknown | Custom threat model entities associated with the rule. |
| ThreatStream.Rule.exclude_impacts | String | Indicator types that are excluded from rule matches. |
| ThreatStream.Rule.identities | Unknown | List of identities associated with the rule. |
| ThreatStream.Rule.incidents.id | String | ID of an incident associated with the rule. |
| ThreatStream.Rule.incidents.name | String | Name of an incident associated with the rule. |
| ThreatStream.Rule.incidents.resource_uri | String | Resource URI of an incident associated with the rule. |
| ThreatStream.Rule.infrastructure | Unknown | Infrastructure entities associated with the rule. |
| ThreatStream.Rule.intrusionsets | Unknown | Intrusion sets associated with the rule. |
| ThreatStream.Rule.investigation.assignee.assignee_type | String | Type of assignee: "user" or "tsworkgroup". |
| ThreatStream.Rule.investigation.assignee.avatar_s3_url | Unknown | URL of the avatar image of the assignee user. |
| ThreatStream.Rule.investigation.assignee.can_share_intelligence | Boolean | Whether the assignee user can share intelligence. |
| ThreatStream.Rule.investigation.assignee.email | String | The email of the assignee user. |
| ThreatStream.Rule.investigation.assignee.id | String | The ID of the assignee user. |
| ThreatStream.Rule.investigation.assignee.is_active | Boolean | Whether the assignee user is active. |
| ThreatStream.Rule.investigation.assignee.is_readonly | Boolean | Whether the assignee user is restricted to read-only status. |
| ThreatStream.Rule.investigation.assignee.must_change_password | Boolean | Whether the assignee user must change their password the next time they log in. |
| ThreatStream.Rule.investigation.assignee.name | String | The investigation assignee user name. |
| ThreatStream.Rule.investigation.assignee.nickname | Unknown | The investigation assignee user nickname. |
| ThreatStream.Rule.investigation.assignee.resource_uri | String | Resource URI of the investigation assignee user. |
| ThreatStream.Rule.investigation.id | String | The ID of the investigation. |
| ThreatStream.Rule.investigation.name | String | The name of the investigation. |
| ThreatStream.Rule.investigation.resource_uri | String | The resource URI of the investigation. |
| ThreatStream.Rule.investigation.users | Unknown | List of users associated with the investigation created by the rule. |
| ThreatStream.Rule.investigation.workgroups | Unknown | Assigned workgroups. |
| ThreatStream.Rule.malware.id | String | ID of a malware entity associated with the rule. |
| ThreatStream.Rule.malware.name | String | Name of a malware entity associated with the rule. |
| ThreatStream.Rule.malware.resource_uri | String | Resource URI of a malware entity associated with the rule. |
| ThreatStream.Rule.match_impacts | String | Indicator types in which to look for rule matches, to the exclusion of all others. |
| ThreatStream.Rule.signatures.id | String | ID of a signature associated with the rule. |
| ThreatStream.Rule.signatures.name | String | Name of a signature associated with the rule. |
| ThreatStream.Rule.signatures.resource_uri | String | Resource URI of a signature associated with the rule. |
| ThreatStream.Rule.tags.name | String | Name of a tag applied to matched entities. |
| ThreatStream.Rule.tips.id | String | ID of a threat bulletin associated with matched entities. |
| ThreatStream.Rule.tips.name | String | Name of a threat bulletin associated with matched entities. |
| ThreatStream.Rule.tips.resource_uri | String | Resource URI of a threat bulletin associated with matched entities. |
| ThreatStream.Rule.tools | Unknown | List of tools associated with the rule. |
| ThreatStream.Rule.ttps.id | String | ID of a TTP associated with the rule. |
| ThreatStream.Rule.ttps.name | String | Name of a TTP associated with the rule. |
| ThreatStream.Rule.ttps.resource_uri | String | Resource URI of a TTP associated with the rule. |
| ThreatStream.Rule.vulnerabilities.id | String | ID of a vulnerability with which matched entities are associated. |
| ThreatStream.Rule.vulnerabilities.name | String | Name of a vulnerability with which matched entities are associated. |
| ThreatStream.Rule.vulnerabilities.resource_uri | String | Resource URI of a vulnerability with which matched entities are associated. |

Command example#

!threatstream-list-rule page=2 page_size=2

Context Example#

{
"ThreatStream": {
"Rule": [
{
"adv_keyword": null,
"backfill": [],
"create_investigation": false,
"created_ts": "2023-03-30T13:25:42.306343",
"description": null,
"exclude_notify_org_whitelisted": false,
"exclude_notify_owner_org": false,
"has_associations": false,
"id": 44444,
"intelligence_initiatives": [],
"is_editable": true,
"is_enabled": true,
"keyword": "keywords",
"keywords": [
"keywords"
],
"match_actors": false,
"match_all_tm": false,
"match_attackpatterns": false,
"match_campaigns": false,
"match_courseofactions": false,
"match_customtms": false,
"match_identities": false,
"match_incidents": false,
"match_infrastructures": false,
"match_intrusionsets": false,
"match_malware": false,
"match_observables": false,
"match_reportedfiles": false,
"match_signatures": false,
"match_tips": false,
"match_tools": false,
"match_ttps": false,
"match_vulnerabilities": false,
"matches": 0,
"messages": [],
"modified_ts": "2023-03-30T13:25:45.435220",
"name": "rule_2",
"notify_list_groups": [],
"notify_me": true,
"org_id": 11,
"org_shared": false,
"organization": {
"id": "11",
"name": "name",
"resource_uri": "resource_uri"
},
"resource_uri": "/api/v1/rule/44444/",
"tags": [],
"user": {
"avatar_s3_url": null,
"can_share_intelligence": false,
"email": "user@email.com",
"id": "111",
"is_active": true,
"is_readonly": false,
"must_change_password": false,
"name": "",
"nickname": null,
"organization": {
"id": "11",
"name": "name",
"resource_uri": "resource_uri"
},
"resource_uri": "/api/v1/user/111/"
},
"user_id": 111,
"workgroups": []
},
{
"adv_keyword": null,
"backfill": [],
"create_investigation": false,
"created_ts": "2023-03-30T13:25:05.014893",
"description": null,
"exclude_notify_org_whitelisted": false,
"exclude_notify_owner_org": false,
"has_associations": false,
"id": 55555,
"intelligence_initiatives": [],
"is_editable": true,
"is_enabled": true,
"keyword": "keywords",
"keywords": [
"keywords"
],
"match_actors": false,
"match_all_tm": false,
"match_attackpatterns": false,
"match_campaigns": false,
"match_courseofactions": false,
"match_customtms": false,
"match_identities": false,
"match_incidents": false,
"match_infrastructures": false,
"match_intrusionsets": false,
"match_malware": false,
"match_observables": false,
"match_reportedfiles": false,
"match_signatures": false,
"match_tips": false,
"match_tools": false,
"match_ttps": false,
"match_vulnerabilities": false,
"matches": 0,
"messages": [],
"modified_ts": "2023-03-30T13:25:09.301784",
"name": "rule_1",
"notify_list_groups": [],
"notify_me": true,
"org_id": 11,
"org_shared": false,
"organization": {
"id": "11",
"name": "name",
"resource_uri": "resource_uri"
},
"resource_uri": "/api/v1/rule/55555/",
"tags": [],
"user": {
"avatar_s3_url": null,
"can_share_intelligence": false,
"email": "user@email.com",
"id": "111",
"is_active": true,
"is_readonly": false,
"must_change_password": false,
"name": "",
"nickname": null,
"organization": {
"id": "11",
"name": "name",
"resource_uri": "resource_uri"
},
"resource_uri": "/api/v1/user/111/"
},
"user_id": 111,
"workgroups": []
}
]
}
}

Human Readable Output#

Rules#

| Name | Id | Matches | Created At | Modified At | Is Notify Me | Is Enabled |
| --- | --- | --- | --- | --- | --- | --- |
| rule_2 | 44444 | 0 | 2023-03-30T13:25:42.306343 | 2023-03-30T13:25:45.435220 | true | true |
| rule_1 | 55555 | 0 | 2023-03-30T13:25:05.014893 | 2023-03-30T13:25:09.301784 | true | true |

threatstream-create-rule#


Create a rule in the ThreatStream platform.

Base Command#

threatstream-create-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_name | The name of the rule. | Required |
| keywords | A comma-separated list of keywords for which you want the rule to match. Keywords added to rules must adhere to the following requirements: IP addresses must be expressed as regular expressions. IP subnets should be expressed using CIDR notation and not as regular expressions. Do not start or end keywords with *. Keywords must contain at least three characters. | Required |
| match_include | A comma-separated list of fields you want the rule to match to their keywords. Possible values: observables, sandbox reports, threat bulletins, signatures, vulnerabilities. | Required |
| actor_ids | A comma-separated list of IDs of the actors with which you want to associate matched entities. Use the threatstream-get-model-list command to get the actor IDs. | Optional |
| campaign_ids | A comma-separated list of IDs of the campaigns with which you want to associate matched entities. Use the threatstream-get-model-list command to get the campaign IDs. | Optional |
| investigation_action | The action you want to perform related to the investigation. Default is 'No Action'. Possible values are: Create New, Add To Existing, No Action. | Optional |
| new_investigation_name | The investigation name. Required when 'Create New' is selected in the investigation_action argument. | Optional |
| existing_investigation_id | Existing investigation ID. Required when 'Add To Existing' is selected in the investigation_action argument. Use the threatstream-list-investigation command to get the investigation ID. | Optional |
| exclude_indicator | A comma-separated list of indicator types you want to exclude from rule matches. Example: actor_ipv6. | Optional |
| include_indicator | A comma-separated list of indicator types you want to include in rule matches. Example: actor_ipv6. | Optional |
| exclude_notify_org_whitelisted | Whether you want to exclude the rule from matching observables that are included in your organization whitelist. Possible values are: True, False. | Optional |
| exclude_notify_owner_org | Whether you want to exclude keyword matches on observables imported by your organization from keyword match or hourly digest email notifications. Possible values are: True, False. | Optional |
| incident_ids | A comma-separated list of IDs of the incidents with which you want to associate matched entities. Use the threatstream-get-model-list command to get the incident IDs. | Optional |
| malware_ids | A comma-separated list of IDs of the malware entities with which you want to associate matched entities. Use the threatstream-get-model-list command to get the malware IDs. | Optional |
| signature_ids | A comma-separated list of IDs of the signatures with which you want to associate matched entities. Use the threatstream-get-model-list command to get the signature IDs. | Optional |
| threat_bulletin_ids | A comma-separated list of IDs of the threat bulletins with which you want to associate matched entities. Use the threatstream-get-model-list command to get the threat bulletin IDs. | Optional |
| ttp_ids | A comma-separated list of IDs of the TTPs with which you want to associate matched entities. Use the threatstream-get-model-list command to get the TTP IDs. | Optional |
| vulnerability_ids | A comma-separated list of IDs of the vulnerabilities with which you want to associate matched entities. Use the threatstream-get-model-list command to get the vulnerability IDs. | Optional |
| tags | A comma-separated list of IDs of the tags with which you want to associate matched entities. | Optional |
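
The keyword requirements and the investigation_action dependencies in the argument table above are enforced by the platform, so a malformed call fails only after the round trip. The following is an added example, not the integration's own code, that validates those arguments client-side and assembles the rule body: it rejects keywords shorter than three characters or wrapped in `*`, passes CIDR subnets through untouched, turns a bare IPv4 literal into the regular-expression form the rule engine expects, and maps the match_include values onto the match_* flags named in the context output (sandbox reports to match_reportedfiles, threat bulletins to match_tips). The exact field names of the request body beyond those listed in the context output, and the investigation sub-object shape, are assumptions.

```python
"""Added example (not the integration's own code): client-side validation of
threatstream-create-rule arguments before the API call.  The keyword rules
come from the argument table; the match_include -> match_* mapping follows
the context-output field descriptions.  The request body shape beyond those
fields is an assumption."""
import ipaddress
import re
from typing import Any, Dict, List

# match_include value -> boolean flag on the rule object (names from the context output).
MATCH_FLAGS = {
    "observables": "match_observables",
    "sandbox reports": "match_reportedfiles",
    "threat bulletins": "match_tips",
    "signatures": "match_signatures",
    "vulnerabilities": "match_vulnerabilities",
}


def ip_to_regex(ip: str) -> str:
    """Literal IPv4 address -> the regular-expression form the rule engine expects."""
    ipaddress.IPv4Address(ip)        # raises ValueError if this is not an address
    return re.escape(ip)             # 1.2.3.4 -> 1\.2\.3\.4


def validate_keyword(keyword: str) -> str:
    """Apply the documented keyword rules; return the cleaned keyword or raise."""
    kw = keyword.strip()
    if len(kw) < 3:
        raise ValueError(f"{kw!r}: keywords must contain at least three characters")
    if kw.startswith("*") or kw.endswith("*"):
        raise ValueError(f"{kw!r}: keywords must not start or end with '*'")
    if "/" in kw:
        try:
            ipaddress.ip_network(kw, strict=False)   # subnets go in as CIDR, not as regex
            return kw
        except ValueError:
            pass
    try:
        ipaddress.IPv4Address(kw)
    except ValueError:
        return kw                                    # ordinary keyword or regex
    raise ValueError(f"{kw!r}: IP addresses must be regular expressions, e.g. {ip_to_regex(kw)}")


def _csv(value: Any) -> List[str]:
    return [s.strip() for s in str(value).split(",") if s.strip()]


def build_rule(args: Dict[str, Any]) -> Dict[str, Any]:
    """Build the rule body for threatstream-create-rule from command arguments."""
    keywords = [validate_keyword(k) for k in _csv(args["keywords"])]
    if not keywords:
        raise ValueError("at least one keyword is required")
    rule: Dict[str, Any] = {"name": args["rule_name"], "keywords": keywords}
    rule.update({flag: False for flag in MATCH_FLAGS.values()})
    for item in _csv(args["match_include"]):
        key = item.lower()
        if key not in MATCH_FLAGS:
            raise ValueError(f"unknown match_include value {item!r}; choose from {sorted(MATCH_FLAGS)}")
        rule[MATCH_FLAGS[key]] = True
    action = args.get("investigation_action") or "No Action"
    if action == "Create New":
        if not args.get("new_investigation_name"):
            raise ValueError("new_investigation_name is required with 'Create New'")
        rule["create_investigation"] = True
        rule["investigation"] = {"name": args["new_investigation_name"]}   # assumed shape
    elif action == "Add To Existing":
        if not args.get("existing_investigation_id"):
            raise ValueError("existing_investigation_id is required with 'Add To Existing'")
        rule["investigation"] = {"id": str(args["existing_investigation_id"])}   # assumed shape
    elif action != "No Action":
        raise ValueError(f"unknown investigation_action {action!r}")
    for arg, field in (("exclude_indicator", "exclude_impacts"),
                       ("include_indicator", "match_impacts")):
        if args.get(arg):
            rule[field] = _csv(args[arg])
    for arg in ("exclude_notify_org_whitelisted", "exclude_notify_owner_org"):
        if args.get(arg) is not None:
            rule[arg] = str(args[arg]).lower() == "true"   # XSOAR passes booleans as strings
    return rule
```

Validating before the call also gives the analyst a usable hint (the escaped-dot regex for the IP they typed) instead of a generic API error, and keeps a rule from being created with a looser keyword than intended, for example an unescaped `1.2.3.4` that would match any four-octet-looking string.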

Context Output#

PathTypeDescription
ThreatStream.Rule.actors.idStringActor's ID associated with the rule.
ThreatStream.Rule.actors.nameStringActor's name associated with the rule.
ThreatStream.Rule.actors.resource_uriStringActor's resource URI associated with the rule.
ThreatStream.Rule.adv_keywordUnknownAdvanced keyword or regular expression that the rule is designed to match.
ThreatStream.Rule.attackpatternsUnknownAttack patterns associated with the rule.
ThreatStream.Rule.backfillUnknownObjects that define additional filters or conditions for the rule.
ThreatStream.Rule.campaigns.idStringCampaign's ID associated with the rule.
ThreatStream.Rule.campaigns.nameStringCampaign's name associated with the rule.
ThreatStream.Rule.campaigns.resource_uriStringCampaign's resource URI associated with the rule.
ThreatStream.Rule.courseofactionUnknownCourse of action entities associated with the rule.
ThreatStream.Rule.create_investigationBooleanWhether an investigation should be created when the rule is triggered.
ThreatStream.Rule.created_tsDateRule creation time.
ThreatStream.Rule.customtmsUnknownCustom threat model entities associated with the rule.
ThreatStream.Rule.descriptionUnknownThe rule description.
ThreatStream.Rule.exclude_impactsStringIndicator types that are excluded from rule matches.
ThreatStream.Rule.exclude_notify_org_whitelistedBooleanWhether observables whitelisted by your organization are excluded from rule matches.
ThreatStream.Rule.exclude_notify_owner_orgBooleanWhether to exclude keyword matches on observables imported by your organization from keyword match or hourly digest email notifications.
ThreatStream.Rule.idNumberUnique ID assigned to the rule.
ThreatStream.Rule.identitiesUnknownList of identities associated with the rule.
ThreatStream.Rule.incidents.idStringIncident's ID associated with the rule.
ThreatStream.Rule.incidents.nameStringIncident's name associated with the rule.
ThreatStream.Rule.incidents.resource_uriStringIncident's resource URI associated with the rule.
ThreatStream.Rule.infrastructureUnknownInfrastructure entities associated with the rule.
ThreatStream.Rule.intelligence_initiativesUnknownIntelligence initiatives associated with the rule.
ThreatStream.Rule.intrusionsetsUnknownIntrusion sets associated with the rule.
ThreatStream.Rule.investigation.assignee.assignee_typeStringType of assignee: "user" or "tsworkgroup".
ThreatStream.Rule.investigation.assignee.avatar_s3_urlUnknownURL for the avatar image associated with the assignee user.
ThreatStream.Rule.investigation.assignee.can_share_intelligenceBooleanWhether the assignee user can share intelligence.
ThreatStream.Rule.investigation.assignee.emailStringThe email of the assignee user.
ThreatStream.Rule.investigation.assignee.idStringThe ID of the assignee user.
ThreatStream.Rule.investigation.assignee.is_activeBooleanWhether the assignee user is active.
ThreatStream.Rule.investigation.assignee.is_readonlyBooleanWhether the assignee user should be restricted to Read Only status.
ThreatStream.Rule.investigation.assignee.must_change_passwordBooleanWhether the assignee user will be forced to change their password the next time they log in.
ThreatStream.Rule.investigation.assignee.nameStringThe investigation assignee user name.
ThreatStream.Rule.investigation.assignee.nicknameUnknownThe investigation assignee user nickname.
ThreatStream.Rule.investigation.assignee.resource_uriStringResource URI associated with investigation assignee user.
ThreatStream.Rule.investigation.investigation_config.nameStringThe name of the investigation configuration associated with the rule.
ThreatStream.Rule.investigation.idStringThe ID of the investigation.
ThreatStream.Rule.investigation.nameStringThe name of the investigation.
ThreatStream.Rule.investigation.resource_uriStringThe resource URI of the investigation.
ThreatStream.Rule.investigation.usersUnknownList of users associated with the investigation created by the rule.
ThreatStream.Rule.investigation.workgroupsUnknownAssigned workgroups.
ThreatStream.Rule.is_editableBooleanIndicates whether the imported rule can be updated by an intelligence source.
ThreatStream.Rule.is_enabledBooleanWhether the rule is currently enabled.
ThreatStream.Rule.keywordStringKeyword associated with the rule.
ThreatStream.Rule.keywordsStringA list of keywords associated with the rule.
ThreatStream.Rule.malware.idStringID of a malware entity associated with the rule.
ThreatStream.Rule.malware.nameStringName of a malware entity associated with the rule.
ThreatStream.Rule.malware.resource_uriStringResource URI of a malware entity associated with the rule.
ThreatStream.Rule.match_actorsBooleanWhether the rule matches keywords in newly created actors.
ThreatStream.Rule.match_all_tmBooleanWhether the rule should match against all threat models.
ThreatStream.Rule.match_attackpatternsBooleanWhether the rule matches keywords in newly created attack patterns.
ThreatStream.Rule.match_campaignsBooleanWhether the rule matches keywords in newly created campaigns.
ThreatStream.Rule.match_courseofactionsBooleanWhether the rule matches keywords in newly created courses of action.
ThreatStream.Rule.match_customtmsBooleanWhether the rule should match custom threat models.
ThreatStream.Rule.match_identitiesBooleanWhether the rule matches keywords in newly created identities.
ThreatStream.Rule.match_impactsStringIndicator types in which you want to look for rule matches at the exclusion of all others.
ThreatStream.Rule.match_incidentsBooleanWhether the rule matches keywords in newly created incidents.
ThreatStream.Rule.match_infrastructuresBooleanWhether the rule matches keywords in newly created infrastructures.
ThreatStream.Rule.match_intrusionsetsBooleanWhether the rule matches keywords in newly created intrusion sets.
ThreatStream.Rule.match_malwareBooleanWhether the rule matches keywords in newly created malware.
ThreatStream.Rule.match_observablesBooleanWhether the rule matches keywords in newly created observables.
ThreatStream.Rule.match_reportedfilesBooleanWhether the rule should match keywords in newly created sandbox reports.
ThreatStream.Rule.match_signaturesBooleanWhether the rule should match keywords in newly created signatures.
ThreatStream.Rule.match_tipsBooleanWhether the rule should match keywords in newly created threat bulletins.
ThreatStream.Rule.match_toolsBooleanWhether the rule should match keywords in newly created tools.
ThreatStream.Rule.match_ttpsBooleanWhether the rule should match keywords in newly created TTPs.
ThreatStream.Rule.match_vulnerabilitiesBooleanWhether the rule should match keywords in newly created vulnerabilities.
ThreatStream.Rule.matchesNumberTotal number of keyword matches for the rule.
ThreatStream.Rule.messagesUnknownMessages or notifications generated by the rule.
ThreatStream.Rule.modified_tsDateTimestamp of when the rule was last modified, in UTC format.
ThreatStream.Rule.nameStringThe rule name.
ThreatStream.Rule.notify_list_groupsUnknownList of groups that should be notified when the rule triggers an alert.
ThreatStream.Rule.notify_meBooleanWhether the user who created the rule should be notified when the rule triggers an alert.
ThreatStream.Rule.org_idNumberID associated with the organization that created the rule.
ThreatStream.Rule.org_sharedBooleanWhether a rule is shared across an organization.
ThreatStream.Rule.organization.idStringID associated with the organization that created the rule.
ThreatStream.Rule.organization.nameStringName associated with the organization that created the rule.
ThreatStream.Rule.organization.resource_uriStringResource URI associated with the organization that created the rule.
ThreatStream.Rule.resource_uriStringResource URI associated with the rule.
ThreatStream.Rule.signatures.idStringID of the signature that associates to the rule.
ThreatStream.Rule.signatures.nameStringName of the signature that associates to the rule.
ThreatStream.Rule.signatures.resource_uriStringResource URI of the signature that associates to the rule.
ThreatStream.Rule.tags.nameStringName of the tag applied to matched entities.
ThreatStream.Rule.tips.idStringID of the threat bulletin that associates to matched entities.
ThreatStream.Rule.tips.nameStringName of the threat bulletin that associates to matched entities.
ThreatStream.Rule.tips.resource_uriStringResource URI of the threat bulletin that associates to matched entities.
ThreatStream.Rule.toolsUnknownList of tools associated with the rule.
ThreatStream.Rule.ttps.idStringID of the TTPs that associates to the rule.
ThreatStream.Rule.ttps.nameStringName of the TTPs that associates to the rule.
ThreatStream.Rule.ttps.resource_uriStringResource URI of the TTPs that associates to the rule.
ThreatStream.Rule.user.avatar_s3_urlUnknownURL for the avatar image associated with the user who created the rule.
ThreatStream.Rule.user.can_share_intelligenceBooleanWhether the assignee user can share intelligence.
ThreatStream.Rule.user.emailStringEmail of the user who created the rule.
ThreatStream.Rule.user.idStringID of the user who created the rule.
ThreatStream.Rule.user.is_activeBooleanWhether the user who created the rule is active.
ThreatStream.Rule.user.is_readonlyBooleanWhether the user who created the rule should be restricted to Read Only status.
ThreatStream.Rule.user.must_change_passwordBooleanWhether the user who created the rule will be forced to change their password the next time they log in.
ThreatStream.Rule.user.nameStringName of the user who created the rule.
ThreatStream.Rule.user.nicknameStringNickname of the user who created the rule.
ThreatStream.Rule.user.organization.idStringThe ID associated with the organization.
ThreatStream.Rule.user.organization.nameStringThe user's organization name.
ThreatStream.Rule.user.organization.resource_uriStringThe user's organization resource URI.
ThreatStream.Rule.user.resource_uriStringThe user's resource URI.
ThreatStream.Rule.user_idNumberUser ID of the user who created the rule.
ThreatStream.Rule.vulnerabilities.idStringID of the vulnerability with which to associate matched entities.
ThreatStream.Rule.vulnerabilities.nameStringName of the vulnerability with which to associate matched entities.
ThreatStream.Rule.vulnerabilities.resource_uriStringID of the vulnerability with which to associate matched entities.
ThreatStream.Rule.workgroupsUnknownAssigned workgroups.

Command example

!threatstream-create-rule rule_name=test_rule keywords=some_keywords match_include=signatures

Context Example

{
"ThreatStream": {
"Rule": {
"actors": [],
"adv_keyword": null,
"attackpatterns": [],
"backfill": [],
"campaigns": [],
"courseofaction": [],
"create_investigation": false,
"created_ts": "2023-04-03T14:01:19.322247",
"customtms": [],
"description": null,
"exclude_impacts": [],
"exclude_notify_org_whitelisted": false,
"exclude_notify_owner_org": false,
"id": 14093,
"identities": [],
"incidents": [],
"infrastructure": [],
"intrusionsets": [],
"investigation": null,
"is_editable": true,
"is_enabled": true,
"keyword": "some_keywords",
"keywords": [
"some_keywords"
],
"malware": [],
"match_actors": false,
"match_all_tm": false,
"match_attackpatterns": false,
"match_campaigns": false,
"match_courseofactions": false,
"match_customtms": false,
"match_identities": false,
"match_impacts": [],
"match_incidents": false,
"match_infrastructures": false,
"match_intrusionsets": false,
"match_malware": false,
"match_observables": false,
"match_reportedfiles": false,
"match_signatures": true,
"match_tips": false,
"match_tools": false,
"match_ttps": false,
"match_vulnerabilities": false,
"matches": 0,
"messages": [],
"modified_ts": "2023-04-03T14:01:19.322261",
"name": "test_rule",
"notify_list_groups": [],
"notify_me": true,
"org_id": 11,
"org_shared": false,
"organization": {
"id": "11",
"name": "name",
"resource_uri": "resource_uri"
},
"resource_uri": "/api/v1/rule/14093/",
"signatures": [],
"tags": [],
"tips": [],
"tools": [],
"ttps": [],
"user": {
"avatar_s3_url": null,
"can_share_intelligence": false,
"email": "user@email.com",
"id": "111",
"is_active": true,
"is_readonly": false,
"must_change_password": false,
"name": "",
"nickname": null,
"organization": {
"id": "11",
"name": "name",
"resource_uri": "resource_uri"
},
"resource_uri": "/api/v1/user/111/"
},
"user_id": 111,
"vulnerabilities": [],
"workgroups": []
}
}
}

Human Readable Output

The rule was created successfully with id: 14093.

threatstream-update-rule

Updates an existing rule in ThreatStream.

Note: Executing this command overwrites the rule's existing values.

Base Command

threatstream-update-rule

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | The rule ID. | Required |
| rule_name | The rule name. | Optional |
| keywords | A comma-separated list of keywords for the rule to match. Keywords added to rules must meet the following requirements: IP addresses must be expressed as regular expressions; IP subnets should be expressed in CIDR notation, not as regular expressions; keywords must not start or end with *; keywords must contain at least three characters. | Optional |
| match_include | A comma-separated list of the fields the rule matches against its keywords. Possible values: observables, sandbox reports, threat bulletins, signatures, vulnerabilities. | Optional |
| actor_ids | A comma-separated list of IDs of the actors with which you want to associate matched entities. Use the threatstream-get-model-list command to get the actor IDs. | Optional |
| campaign_ids | A comma-separated list of IDs of the campaigns with which you want to associate matched entities. Use the threatstream-get-model-list command to get the campaign IDs. | Optional |
| investigation_action | The action to perform related to the investigation. Possible values are: Create New, Add To Existing, No Action. Default is No Action. | Optional |
| new_investigation_name | The investigation name. Required when 'Create New' is selected in the investigation_action argument. | Optional |
| existing_investigation_id | Existing investigation ID. Required when 'Add To Existing' is selected in the investigation_action argument. Use the threatstream-list-investigation command to get the investigation ID. | Optional |
| exclude_indicator | A comma-separated list of indicator types to exclude from rule matches. | Optional |
| include_indicator | A comma-separated list of indicator types to include in rule matches. | Optional |
| exclude_notify_org_whitelisted | Whether observables whitelisted by your organization are excluded from rule matches. Possible values are: True, False. | Optional |
| exclude_notify_owner_org | Whether to exclude keyword matches on observables imported by your organization from keyword match or hourly digest email notifications. Possible values are: True, False. Default is False. | Optional |
| incident_ids | A comma-separated list of IDs of the incidents with which you want to associate matched entities. Use the threatstream-get-model-list command to get the incident IDs. | Optional |
| malware_ids | A comma-separated list of IDs of the malware with which you want to associate matched entities. Use the threatstream-get-model-list command to get the malware IDs. | Optional |
| signature_ids | A comma-separated list of IDs of the signatures with which you want to associate matched entities. Use the threatstream-get-model-list command to get the signature IDs. | Optional |
| threat_bulletin_ids | A comma-separated list of IDs of the threat bulletins with which you want to associate matched entities. Use the threatstream-get-model-list command to get the threat bulletin IDs. | Optional |
| ttp_ids | A comma-separated list of IDs of the TTPs with which you want to associate matched entities. Use the threatstream-get-model-list command to get the TTP IDs. | Optional |
| vulnerability_ids | A comma-separated list of IDs of the vulnerabilities with which you want to associate matched entities. Use the threatstream-get-model-list command to get the vulnerability IDs. | Optional |
| tags | A comma-separated list of tags. For example, tag1,tag2. | Optional |
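As an added example (not code from the Anomali ThreatStream integration), the pre-flight check below applies the keyword requirements listed for the keywords argument and, because threatstream-update-rule overwrites the rule's existing values, merges validated additions with the keywords the rule already has (the ThreatStream.Rule.keywords context value) before building the argument string. The subnet-as-regex heuristic, the function names and the sample rule are this example's own assumptions.

```python
"""Pre-flight check of rule keywords against the requirements listed for the
keywords argument, plus a merge helper for threatstream-update-rule.
Added example; not part of the Anomali ThreatStream integration."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Regex tails commonly used to mean "any value in the last octet(s)". A keyword
# shaped like regex-escaped octets plus one of these tails is a subnet written
# as a regex, which the keywords argument says to express in CIDR notation
# instead. (Heuristic list constructed for this example.)
_SUBNET_TAILS = (r"\d+", r"\d{1,3}", r"[0-9]+", r"[0-9]{1,3}", r".*", r".+")


def _is_literal_ip(keyword: str) -> bool:
    """True for a bare IPv4/IPv6 literal such as 10.0.0.1 (no regex syntax)."""
    try:
        ipaddress.ip_address(keyword)
        return True
    except ValueError:
        return False


def _is_cidr(keyword: str) -> bool:
    """True for a subnet in CIDR notation such as 10.0.0.0/24."""
    if "/" not in keyword:
        return False
    try:
        ipaddress.ip_network(keyword, strict=False)
        return True
    except ValueError:
        return False


def _looks_like_regex_subnet(keyword: str) -> bool:
    """Heuristic: one to three regex-escaped octets followed by a wildcard
    tail, e.g. 10\\.0\\.0\\.\\d+, which should be written as 10.0.0.0/24."""
    for tail in _SUBNET_TAILS:
        if keyword.endswith(tail):
            head = keyword[: -len(tail)]
            if re.fullmatch(r"(\d{1,3}\\\.){1,3}", head):
                return True
    return False


def ip_to_keyword(address: str) -> str:
    """Turn a literal IP address into the escaped regex the rule expects."""
    return re.escape(str(ipaddress.ip_address(address)))


def validate_keywords(keywords: str) -> Tuple[List[str], Dict[str, str]]:
    """Split the comma-separated keywords argument and return
    (accepted keywords, {rejected keyword: reason})."""
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    for raw in keywords.split(","):
        kw = raw.strip()
        if not kw:
            continue
        if len(kw) < 3:
            rejected[kw] = "keywords must contain at least three characters"
        elif kw.startswith("*") or kw.endswith("*"):
            rejected[kw] = "keywords must not start or end with *"
        elif _is_cidr(kw):
            accepted.append(kw)  # subnets are accepted as CIDR, never as regex
        elif _is_literal_ip(kw):
            rejected[kw] = ("IP addresses must be regular expressions, e.g. "
                            + ip_to_keyword(kw))
        elif _looks_like_regex_subnet(kw):
            rejected[kw] = "express subnets in CIDR notation, not as a regex"
        else:
            accepted.append(kw)
    return accepted, rejected


def merged_keywords_argument(existing_rule: dict, new_keywords: str) -> str:
    """Build the keywords argument for threatstream-update-rule. The command
    overwrites the stored keywords, so the rule's current list (the
    ThreatStream.Rule.keywords context value) is resent with the additions."""
    accepted, rejected = validate_keywords(new_keywords)
    if rejected:
        raise ValueError("invalid keywords: %r" % rejected)
    merged = list(existing_rule.get("keywords") or [])
    for kw in accepted:
        if kw not in merged:
            merged.append(kw)
    return ",".join(merged)


if __name__ == "__main__":
    # Constructed sample rule shaped like the context example on this page.
    rule = {"id": 14093, "keywords": ["some_keywords"]}
    print(validate_keywords(r"10.0.0.1,10\.0\.0\.\d+,*evil,ab"))
    print(merged_keywords_argument(rule, r"10\.0\.0\.1,10.0.0.0/24"))
```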

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Rule.actors.id | String | ID of the actor associated with the rule. |
| ThreatStream.Rule.actors.name | String | Name of the actor associated with the rule. |
| ThreatStream.Rule.actors.resource_uri | String | Resource URI of the actor associated with the rule. |
| ThreatStream.Rule.adv_keyword | Unknown | Advanced keyword or regular expression that the rule is designed to match. |
| ThreatStream.Rule.attackpatterns | Unknown | Attack patterns associated with the rule. |
| ThreatStream.Rule.backfill | Unknown | Objects that define additional filters or conditions for the rule. |
| ThreatStream.Rule.campaigns.id | String | ID of the campaign associated with the rule. |
| ThreatStream.Rule.campaigns.name | String | Name of the campaign associated with the rule. |
| ThreatStream.Rule.campaigns.resource_uri | String | Resource URI of the campaign associated with the rule. |
| ThreatStream.Rule.courseofaction | Unknown | Course of action entities associated with the rule. |
| ThreatStream.Rule.create_investigation | Boolean | Whether an investigation should be created when the rule is triggered. |
| ThreatStream.Rule.created_ts | Date | Rule creation time. |
| ThreatStream.Rule.customtms | Unknown | Custom threat model entities associated with the rule. |
| ThreatStream.Rule.description | String | The rule description. |
| ThreatStream.Rule.exclude_impacts | String | Indicator types that are excluded from rule matches. |
| ThreatStream.Rule.exclude_notify_org_whitelisted | Boolean | Whether observables whitelisted by your organization are excluded from rule matches. |
| ThreatStream.Rule.exclude_notify_owner_org | Boolean | Whether to exclude keyword matches on observables imported by your organization from keyword match or hourly digest email notifications. |
| ThreatStream.Rule.id | Number | Unique ID assigned to the rule. |
| ThreatStream.Rule.identities | Unknown | List of identities associated with the rule. |
| ThreatStream.Rule.incidents.id | String | ID of the incident associated with the rule. |
| ThreatStream.Rule.incidents.name | String | Name of the incident associated with the rule. |
| ThreatStream.Rule.incidents.resource_uri | String | Resource URI of the incident associated with the rule. |
| ThreatStream.Rule.infrastructure | Unknown | Infrastructure entities associated with the rule. |
| ThreatStream.Rule.intelligence_initiatives | Unknown | Intelligence initiatives associated with the rule. |
| ThreatStream.Rule.intrusionsets | Unknown | Intrusion sets associated with the rule. |
| ThreatStream.Rule.investigation.assignee.assignee_type | String | Type of assignee: "user" or "tsworkgroup". |
| ThreatStream.Rule.investigation.assignee.avatar_s3_url | Unknown | URL for the avatar image associated with the assignee user. |
| ThreatStream.Rule.investigation.assignee.can_share_intelligence | Boolean | Whether the assignee user can share intelligence. |
| ThreatStream.Rule.investigation.assignee.email | String | The email of the assignee user. |
| ThreatStream.Rule.investigation.assignee.id | String | The ID of the assignee user. |
| ThreatStream.Rule.investigation.assignee.is_active | Boolean | Whether the assignee user is active. |
| ThreatStream.Rule.investigation.assignee.is_readonly | Boolean | Whether the assignee user should be restricted to Read Only status. |
| ThreatStream.Rule.investigation.assignee.must_change_password | Boolean | Whether the assignee user will be forced to change their password the next time they log in. |
| ThreatStream.Rule.investigation.assignee.name | String | The investigation assignee user name. |
| ThreatStream.Rule.investigation.assignee.nickname | Unknown | The investigation assignee user nickname. |
| ThreatStream.Rule.investigation.assignee.resource_uri | String | Resource URI associated with the investigation assignee user. |
| ThreatStream.Rule.investigation.investigation_config.name | String | The name of the investigation configuration associated with the rule. |
| ThreatStream.Rule.investigation.id | String | The ID of the investigation. |
| ThreatStream.Rule.investigation.name | String | The name of the investigation. |
| ThreatStream.Rule.investigation.resource_uri | String | The resource URI of the investigation. |
| ThreatStream.Rule.investigation.users | Unknown | List of users associated with the investigation created by the rule. |
| ThreatStream.Rule.investigation.workgroups | Unknown | Assigned workgroups. |
| ThreatStream.Rule.is_editable | Boolean | Whether the imported entity can be updated by an intelligence source. |
| ThreatStream.Rule.is_enabled | Boolean | Whether the rule is currently enabled. |
| ThreatStream.Rule.keyword | String | Keyword associated with the rule. |
| ThreatStream.Rule.keywords | String | A list of keywords associated with the rule. |
| ThreatStream.Rule.malware.id | String | ID of the malware associated with the rule. |
| ThreatStream.Rule.malware.name | String | Name of the malware associated with the rule. |
| ThreatStream.Rule.malware.resource_uri | String | Resource URI of the malware associated with the rule. |
| ThreatStream.Rule.match_actors | Boolean | Whether the rule matches keywords in newly created actors. |
| ThreatStream.Rule.match_all_tm | Boolean | Whether the rule should match against all threat models. |
| ThreatStream.Rule.match_attackpatterns | Boolean | Whether the rule matches keywords in newly created attack patterns. |
| ThreatStream.Rule.match_campaigns | Boolean | Whether the rule matches keywords in newly created campaigns. |
| ThreatStream.Rule.match_courseofactions | Boolean | Whether the rule matches keywords in newly created courses of action. |
| ThreatStream.Rule.match_customtms | Boolean | Whether the rule should match custom threat models. |
| ThreatStream.Rule.match_identities | Boolean | Whether the rule matches keywords in newly created identities. |
| ThreatStream.Rule.match_impacts | String | Indicator types in which you want to look for rule matches, to the exclusion of all others. |
| ThreatStream.Rule.match_incidents | Boolean | Whether the rule matches keywords in newly created incidents. |
| ThreatStream.Rule.match_infrastructures | Boolean | Whether the rule matches keywords in newly created infrastructures. |
| ThreatStream.Rule.match_intrusionsets | Boolean | Whether the rule matches keywords in newly created intrusion sets. |
| ThreatStream.Rule.match_malware | Boolean | Whether the rule matches keywords in newly created malware. |
| ThreatStream.Rule.match_observables | Boolean | Whether the rule matches keywords in newly created observables. |
| ThreatStream.Rule.match_reportedfiles | Boolean | Whether the rule should match keywords in newly created sandbox reports. |
| ThreatStream.Rule.match_signatures | Boolean | Whether the rule should match keywords in newly created signatures. |
| ThreatStream.Rule.match_tips | Boolean | Whether the rule should match keywords in newly created threat bulletins. |
| ThreatStream.Rule.match_tools | Boolean | Whether the rule should match keywords in newly created tools. |
| ThreatStream.Rule.match_ttps | Boolean | Whether the rule should match keywords in newly created TTPs. |
| ThreatStream.Rule.match_vulnerabilities | Boolean | Whether the rule should match keywords in newly created vulnerabilities. |
| ThreatStream.Rule.matches | Number | Total number of keyword matches for the rule. |
| ThreatStream.Rule.messages | Unknown | Messages or notifications generated by the rule. |
| ThreatStream.Rule.modified_ts | Date | Timestamp of when the rule was last modified, in UTC format. |
| ThreatStream.Rule.name | String | The rule name. |
| ThreatStream.Rule.notify_list_groups | Unknown | List of groups that should be notified when the rule triggers an alert. |
| ThreatStream.Rule.notify_me | Boolean | Whether the user who created the rule should be notified when the rule triggers an alert. |
| ThreatStream.Rule.org_id | Number | ID associated with the organization that created the rule. |
| ThreatStream.Rule.org_shared | Boolean | Whether the rule is shared across the organization. |
| ThreatStream.Rule.organization.id | String | ID associated with the organization that created the rule. |
| ThreatStream.Rule.organization.name | String | Name associated with the organization that created the rule. |
| ThreatStream.Rule.organization.resource_uri | String | Resource URI associated with the organization that created the rule. |
| ThreatStream.Rule.resource_uri | String | Resource URI associated with the rule. |
| ThreatStream.Rule.signatures.id | String | ID of the signature associated with the rule. |
| ThreatStream.Rule.signatures.name | String | Name of the signature associated with the rule. |
| ThreatStream.Rule.signatures.resource_uri | String | Resource URI of the signature associated with the rule. |
| ThreatStream.Rule.tags.name | String | Name of the tag applied to matched entities. |
| ThreatStream.Rule.tips.id | String | ID of the threat bulletin associated with matched entities. |
| ThreatStream.Rule.tips.name | String | Name of the threat bulletin associated with matched entities. |
| ThreatStream.Rule.tips.resource_uri | String | Resource URI of the threat bulletin associated with matched entities. |
| ThreatStream.Rule.tools | Unknown | List of tools associated with the rule. |
| ThreatStream.Rule.ttps.id | String | ID of the TTP associated with the rule. |
| ThreatStream.Rule.ttps.name | String | Name of the TTP associated with the rule. |
| ThreatStream.Rule.ttps.resource_uri | String | Resource URI of the TTP associated with the rule. |
| ThreatStream.Rule.user.avatar_s3_url | Unknown | URL for the avatar image associated with the user who created the rule. |
| ThreatStream.Rule.user.can_share_intelligence | Boolean | Whether the user who created the rule can share intelligence. |
| ThreatStream.Rule.user.email | String | Email of the user who created the rule. |
| ThreatStream.Rule.user.id | String | ID of the user who created the rule. |
| ThreatStream.Rule.user.is_active | Boolean | Whether the user who created the rule is active. |
| ThreatStream.Rule.user.is_readonly | Boolean | Whether the user who created the rule should be restricted to Read Only status. |
| ThreatStream.Rule.user.must_change_password | Boolean | Whether the user who created the rule will be forced to change their password the next time they log in. |
| ThreatStream.Rule.user.name | String | Name of the user who created the rule. |
| ThreatStream.Rule.user.nickname | String | Nickname of the user who created the rule. |
| ThreatStream.Rule.user.organization.id | String | The ID associated with the organization. |
| ThreatStream.Rule.user.organization.name | String | The user's organization name. |
| ThreatStream.Rule.user.organization.resource_uri | String | The user's organization resource URI. |
| ThreatStream.Rule.user.resource_uri | String | The user's resource URI. |
| ThreatStream.Rule.user_id | Number | User ID of the user who created the rule. |
| ThreatStream.Rule.vulnerabilities.id | String | ID of the vulnerability with which to associate matched entities. |
| ThreatStream.Rule.vulnerabilities.name | String | Name of the vulnerability with which to associate matched entities. |
| ThreatStream.Rule.vulnerabilities.resource_uri | String | Resource URI of the vulnerability with which to associate matched entities. |
| ThreatStream.Rule.workgroups | Unknown | Assigned workgroups. |

Command example

!threatstream-update-rule rule_id=14093 keywords=some_keywords match_include=signatures

Context Example

{
"ThreatStream": {
"Rule": {
"actors": [],
"adv_keyword": null,
"attackpatterns": [],
"backfill": [],
"campaigns": [],
"courseofaction": [],
"create_investigation": false,
"created_ts": "2023-04-03T14:01:19.321124",
"customtms": [],
"description": null,
"exclude_impacts": [],
"exclude_notify_org_whitelisted": false,
"exclude_notify_owner_org": false,
"id": 14093,
"identities": [],
"incidents": [],
"infrastructure": [],
"intrusionsets": [],
"investigation": null,
"is_editable": true,
"is_enabled": true,
"keyword": "some_keywords",
"keywords": [
"some_keywords"
],
"malware": [],
"match_actors": false,
"match_all_tm": false,
"match_attackpatterns": false,
"match_campaigns": false,
"match_courseofactions": false,
"match_customtms": false,
"match_identities": false,
"match_impacts": [],
"match_incidents": false,
"match_infrastructures": false,
"match_intrusionsets": false,
"match_malware": false,
"match_observables": false,
"match_reportedfiles": false,
"match_signatures": true,
"match_tips": false,
"match_tools": false,
"match_ttps": false,
"match_vulnerabilities": false,
"matches": 0,
"messages": [],
"modified_ts": "2023-04-03T14:02:45.179609",
"name": "test_rule",
"notify_list_groups": [],
"notify_me": true,
"org_id": 11,
"org_shared": false,
"organization": {
"id": "11",
"name": "name",
"resource_uri": "resource_uri"
},
"resource_uri": "/api/v1/rule/14093/",
"signatures": [],
"tags": [],
"tips": [],
"tools": [],
"ttps": [],
"user": {
"avatar_s3_url": null,
"can_share_intelligence": false,
"email": "user@email.com",
"id": "111",
"is_active": true,
"is_readonly": false,
"must_change_password": false,
"name": "",
"nickname": null,
"organization": {
"id": "11",
"name": "name",
"resource_uri": "resource_uri"
},
"resource_uri": "/api/v1/user/111/"
},
"user_id": 111,
"vulnerabilities": [],
"workgroups": []
}
}
}

Human Readable Output

Rules

| Name | Id | Matches | Created At | Modified At | Is Notify Me | Is Enabled |
| --- | --- | --- | --- | --- | --- | --- |
| test_rule | 14093 | 0 | 2023-04-03T14:01:19.321124 | 2023-04-03T14:02:45.179609 | true | true |

threatstream-delete-rule

Deletes a rule from ThreatStream.

Base Command

threatstream-delete-rule

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | The rule ID. | Required |

Context Output

There is no context output for this command.

Command example

!threatstream-delete-rule rule_id=14093

Human Readable Output

The rule was deleted successfully.

threatstream-list-user

Gets a list of users from ThreatStream. Only users with the org admin permission can run this command.

Required Permissions

org admin

Base Command

threatstream-list-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user_id | ID of the user. If specified, returns only that user. | Optional |
| limit | The maximum number of results to return. Default is 50. | Optional |
| page | The page number of the results to retrieve. | Optional |
| page_size | The maximum number of objects to retrieve per page. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.User.avatar_s3_url | String | URL for the avatar image associated with the user. |
| ThreatStream.User.can_approve_intel | Boolean | Whether the user can approve intel. |
| ThreatStream.User.can_import_to_taxii_inbox | Boolean | Whether the user can import to the TAXII inbox. |
| ThreatStream.User.can_see_api_key | Boolean | Whether the user can see the API key. |
| ThreatStream.User.can_share_intelligence | Boolean | Whether the user can share intelligence. |
| ThreatStream.User.can_submit_sandbox | Boolean | Whether the user can submit to the sandbox. |
| ThreatStream.User.can_use_chat | Boolean | Whether the user can use chat. |
| ThreatStream.User.can_use_match | Boolean | Whether the user can use match. |
| ThreatStream.User.date_joined | Date | Timestamp when the user was added to ThreatStream. |
| ThreatStream.User.date_password_changed | Unknown | Timestamp when the user last changed their password. |
| ThreatStream.User.email | String | The user email. |
| ThreatStream.User.is_active | Boolean | Whether the user is active. |
| ThreatStream.User.is_locked | Boolean | Whether the user is currently locked. |
| ThreatStream.User.is_org_admin | Boolean | Whether the user is an Org Admin. |
| ThreatStream.User.is_readonly | Boolean | Whether the user should be restricted to Read Only status. |
| ThreatStream.User.is_tfa_exempt | Boolean | Whether the user is exempt from multi-factor authentication. |
| ThreatStream.User.last_access_ts | Date | Timestamp when the user last accessed ThreatStream. |
| ThreatStream.User.last_login | Unknown | Timestamp when the user last authenticated to ThreatStream. |
| ThreatStream.User.must_change_password | Boolean | Whether the user will be forced to change their password the next time they log in. |
| ThreatStream.User.name | String | Name entered by the user on the My Profile tab within ThreatStream settings. |
| ThreatStream.User.next_password_change_ts | Unknown | Future timestamp when the user will be forced to change their password. |
| ThreatStream.User.nickname | String | The user nickname. |
| ThreatStream.User.resource_uri | String | Resource URI of the user. |
| ThreatStream.User.user_id | String | ID of the user. |

Command example

!threatstream-list-user

Context Example

{
"ThreatStream": {
"User": [
{
"avatar_s3_url": "",
"can_approve_intel": true,
"can_import_to_taxii_inbox": false,
"can_see_api_key": true,
"can_share_intelligence": false,
"can_submit_sandbox": true,
"can_use_chat": false,
"can_use_match": true,
"date_joined": "2020-08-26T12:54:37",
"date_password_changed": null,
"email": "user@email.com",
"is_active": true,
"is_locked": false,
"is_org_admin": true,
"is_readonly": false,
"is_tfa_exempt": false,
"last_access_ts": "2023-04-03T14:02:59.193422",
"last_login": "2023-03-30T10:36:23.792915",
"must_change_password": false,
"name": "",
"next_password_change_ts": null,
"nickname": "",
"resource_uri": "/api/v1/orgadmin/111/",
"user_id": "111"
},
{
"avatar_s3_url": "",
"can_approve_intel": false,
"can_import_to_taxii_inbox": false,
"can_see_api_key": true,
"can_share_intelligence": false,
"can_submit_sandbox": false,
"can_use_chat": false,
"can_use_match": true,
"date_joined": "2022-08-26T16:51:25",
"date_password_changed": null,
"email": "user@email.com",
"is_active": true,
"is_locked": false,
"is_org_admin": false,
"is_readonly": false,
"is_tfa_exempt": false,
"last_access_ts": "1970-01-01T00:00:00",
"last_login": null,
"must_change_password": true,
"name": "",
"next_password_change_ts": null,
"nickname": "",
"resource_uri": "/api/v1/orgadmin/222/",
"user_id": "222"
},
{
"avatar_s3_url": "",
"can_approve_intel": true,
"can_import_to_taxii_inbox": false,
"can_see_api_key": true,
"can_share_intelligence": false,
"can_submit_sandbox": true,
"can_use_chat": false,
"can_use_match": true,
"date_joined": "2020-08-26T12:53:08",
"date_password_changed": null,
"email": "user@email.com",
"is_active": true,
"is_locked": false,
"is_org_admin": false,
"is_readonly": false,
"is_tfa_exempt": false,
"last_access_ts": "2023-03-30T10:36:06.847434",
"last_login": "2023-03-26T10:47:59.037318",
"must_change_password": false,
"name": "",
"next_password_change_ts": null,
"nickname": "",
"resource_uri": "/api/v1/orgadmin/333/",
"user_id": "333"
}
]
}
}

Human Readable Output

Users

| User Id | Email | Is Active | Last Login |
| --- | --- | --- | --- |
| 111 | user@email.com | true | 2023-03-30T10:36:23.792915 |
| 222 | user@email.com | true |  |
| 333 | user@email.com | true | 2023-03-26T10:47:59.037318 |

threatstream-list-investigation

Gets a list of investigations from ThreatStream.

Base Command

threatstream-list-investigation

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| investigation_id | ID of the investigation. If specified, returns only that investigation. | Optional |
| limit | The maximum number of results to return. Default is 50. | Optional |
| page | The page number of the results to retrieve. | Optional |
| page_size | The maximum number of objects to retrieve per page. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Investigation.assignee.assignee_type | String | Type of assignee: "user" or "tsworkgroup". |
| ThreatStream.Investigation.assignee.avatar_s3_url | Unknown | URL for the avatar image associated with the assignee user. |
| ThreatStream.Investigation.assignee.can_share_intelligence | Boolean | Whether the assignee user can share intelligence. |
| ThreatStream.Investigation.assignee.email | String | The email of the assignee user. |
| ThreatStream.Investigation.assignee.id | String | The ID of the assignee user. |
| ThreatStream.Investigation.assignee.is_active | Boolean | Whether the assignee user is active. |
| ThreatStream.Investigation.assignee.is_readonly | Boolean | Whether the assignee user should be restricted to Read Only status. |
| ThreatStream.Investigation.assignee.must_change_password | Boolean | Whether the assignee user will be forced to change their password the next time they log in. |
| ThreatStream.Investigation.assignee.name | String | The investigation assignee user name. |
| ThreatStream.Investigation.assignee.nickname | Unknown | The investigation assignee user nickname. |
| ThreatStream.Investigation.assignee.resource_uri | String | Resource URI associated with the investigation assignee user. |
| ThreatStream.Investigation.attachments | Unknown | The investigation attachments. |
| ThreatStream.Investigation.candidate_session | Unknown | Investigation candidate session details. |
| ThreatStream.Investigation.circles | Unknown | IDs of the trusted circles with which the investigation is shared. |
| ThreatStream.Investigation.created_ts | Date | Timestamp when the investigation was created. |
| ThreatStream.Investigation.description | String | The investigation description. |
| ThreatStream.Investigation.elements | Number | The number of elements associated with the investigation. |
| ThreatStream.Investigation.graph_content | Boolean | The investigation graph content details. |
| ThreatStream.Investigation.id | Number | The ID of the investigation. |
| ThreatStream.Investigation.intelligence_initiatives | Unknown | Intelligence initiatives associated with the investigation. |
| ThreatStream.Investigation.investigation_attachments | Unknown | List of attachments associated with the investigation. |
| ThreatStream.Investigation.is_public | Boolean | Whether the entity is public or private. |
| ThreatStream.Investigation.modified_ts | Date | The date the investigation was modified. |
| ThreatStream.Investigation.name | String | The investigation name. |
| ThreatStream.Investigation.owner_org.id | String | The owner organization ID. |
| ThreatStream.Investigation.owner_org.name | String | The owner organization name. |
| ThreatStream.Investigation.owner_org.resource_uri | String | The owner organization resource URI. |
| ThreatStream.Investigation.owner_org_id | Unknown | The owner organization ID. |
| ThreatStream.Investigation.pending_import_sessions | Unknown | Number of sessions currently waiting to be imported into the investigation. |
| ThreatStream.Investigation.priority | String | The priority of the investigation. |
| ThreatStream.Investigation.reporter.email | String | Email address of the user who created the investigation. |
| ThreatStream.Investigation.reporter.id | String | ID of the user who created the investigation. |
| ThreatStream.Investigation.reporter.name | String | Name of the user who created the investigation. |
| ThreatStream.Investigation.reporter.resource_uri | String | Resource URI of the user who created the investigation. |
| ThreatStream.Investigation.reporter_id | Number | ID of the user who created the investigation. |
| ThreatStream.Investigation.resource_uri | String | The investigation resource URI. |
| ThreatStream.Investigation.source_type | String | The type of source used to create the investigation. |
| ThreatStream.Investigation.status | String | The investigation status. |
| ThreatStream.Investigation.tags | String | The tags associated with the investigation. |
| ThreatStream.Investigation.tasks | Unknown | Tasks associated with the investigation. |
| ThreatStream.Investigation.tlp | String | Traffic Light Protocol designation for the investigation: red, amber, green, or white. |
| ThreatStream.Investigation.users | Unknown | List of users associated with the investigation. |
| ThreatStream.Investigation.workgroups | Unknown | Assigned workgroups. |

Command example

!threatstream-list-investigation page=2 page_size=2

Context Example

```json
{
  "ThreatStream": {
    "Investigation": [
      {
        "assignee": null,
        "circles": [],
        "created_ts": "2023-03-30T11:04:35.320726",
        "id": 111,
        "intelligence_initiatives": [],
        "is_public": false,
        "modified_ts": "2023-03-30T11:04:38.416192",
        "name": "investigation_1",
        "owner_org": {
          "id": "11",
          "name": "name",
          "resource_uri": "resource_uri"
        },
        "owner_org_id": null,
        "priority": "medium",
        "reporter": {
          "email": "user@email.com",
          "id": "111",
          "name": "",
          "resource_uri": "/api/v1/user/111/"
        },
        "reporter_id": 111,
        "resource_uri": "/api/v1/investigation/111/",
        "source_type": "user",
        "status": "in-progress",
        "tags": [
          "tag1",
          "tag2"
        ],
        "tlp": "green",
        "workgroups": []
      },
      {
        "assignee": null,
        "circles": [],
        "created_ts": "2023-03-30T11:03:54.265766",
        "id": 222,
        "intelligence_initiatives": [],
        "is_public": false,
        "modified_ts": "2023-03-30T11:03:57.703889",
        "name": "investigation_2",
        "owner_org": {
          "id": "11",
          "name": "name",
          "resource_uri": "resource_uri"
        },
        "owner_org_id": null,
        "priority": "medium",
        "reporter": {
          "email": "user@email.com",
          "id": "111",
          "name": "",
          "resource_uri": "/api/v1/user/111/"
        },
        "reporter_id": 111,
        "resource_uri": "/api/v1/investigation/222/",
        "source_type": "user",
        "status": "in-progress",
        "tags": [
          "tag1",
          "tag2"
        ],
        "tlp": "green",
        "workgroups": []
      }
    ]
  }
}
```

Human Readable Output#

Investigations#

| Name | Id | Created At | Status | Source Type | Reporter |
| --- | --- | --- | --- | --- | --- |
| investigation_1 | 111 | 2023-03-30T11:04:35.320726 | in-progress | user | user@email.com |
| investigation_2 | 222 | 2023-03-30T11:03:54.265766 | in-progress | user | user@email.com |

threatstream-create-investigation#


Creates an investigation at ThreatStream.

Base Command#

threatstream-create-investigation

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the investigation. | Required |
| description | The description of the investigation. | Optional |
| priority | The priority of the investigation. Possible values are: Very Low, Low, Medium, High, Very High. | Optional |
| status | The status of the investigation. Possible values are: Completed, In-Progress, Pending, Unassigned. | Optional |
| tags | A comma-separated list of tags. For example, tag1,tag2. | Optional |
| tlp | The TLP (Traffic Light Protocol designation) of the investigation. Possible values are: White, Green, Amber, Red. | Optional |
| assignee_id | Assignee ID. Use the threatstream-list-user command to get the user ID value. | Optional |
| connect_related_indicators | When enabled, observables related to the entity you are associating with the investigation are also added. Possible values are: True, False. | Optional |
| associated_actor_ids | A comma-separated list of IDs of the actors with which you want to associate matched entities. Use the threatstream-get-model-list command to get the actor IDs. | Optional |
| associated_campaign_ids | A comma-separated list of IDs of the campaigns with which you want to associate matched entities. Use the threatstream-get-model-list command to get the campaign IDs. | Optional |
| associated_incident_ids | A comma-separated list of IDs of the incidents with which you want to associate matched entities. Use the threatstream-get-model-list command to get the incident IDs. | Optional |
| associated_observable_ids | A comma-separated list of IDs of the observables with which you want to associate matched entities. Use the threatstream-get-indicators command to get the observable IDs. | Optional |
| associated_signature_ids | A comma-separated list of IDs of the signatures with which you want to associate matched entities. Use the threatstream-get-model-list command to get the signature IDs. | Optional |
| associated_threat_bulletin_ids | A comma-separated list of IDs of the threat bulletins with which you want to associate matched entities. Use the threatstream-get-model-list command to get the threat bulletin IDs. | Optional |
| associated_ttp_ids | A comma-separated list of IDs of the TTPs with which you want to associate matched entities. Use the threatstream-get-model-list command to get the TTP IDs. | Optional |
| associated_vulnerability_ids | A comma-separated list of IDs of the vulnerabilities with which you want to associate matched entities. Use the threatstream-get-model-list command to get the vulnerability IDs. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Investigation.add_related_indicators | Number | Whether to add related indicators to the investigation. |
| ThreatStream.Investigation.added_elements_count | Number | Number of elements added to the investigation. |
| ThreatStream.Investigation.all_added | Boolean | Whether all the elements were added. |
| ThreatStream.Investigation.already_exists_elements_count | Number | Number of elements that already exist. |
| ThreatStream.Investigation.assignee.assignee_type | String | Type of assignee: "user" or "tsworkgroup". |
| ThreatStream.Investigation.assignee.avatar_s3_url | Unknown | URL for the avatar image associated with the assignee user. |
| ThreatStream.Investigation.assignee.can_share_intelligence | Boolean | Whether the assignee user can share intelligence. |
| ThreatStream.Investigation.assignee.email | String | The email of the assignee user. |
| ThreatStream.Investigation.assignee.id | String | The ID of the assignee user. |
| ThreatStream.Investigation.assignee.is_active | Boolean | Whether the assignee user is active. |
| ThreatStream.Investigation.assignee.is_readonly | Boolean | Whether the assignee user should be restricted to Read Only status. |
| ThreatStream.Investigation.assignee.must_change_password | Boolean | Whether the assignee user will be forced to change their password the next time they log in. |
| ThreatStream.Investigation.assignee.name | String | The investigation assignee user name. |
| ThreatStream.Investigation.assignee.nickname | Unknown | The investigation assignee user nickname. |
| ThreatStream.Investigation.assignee.resource_uri | String | Resource URI associated with the investigation assignee user. |
| ThreatStream.Investigation.assignee_id | Number | ID of the user or workgroup to which the investigation is assigned. |
| ThreatStream.Investigation.assignee_type | String | Type of assignee: "user" or "tsworkgroup". |
| ThreatStream.Investigation.circles | Unknown | The trusted circles with which the investigation is shared. |
| ThreatStream.Investigation.created_ts | Date | Timestamp when the investigation was created. |
| ThreatStream.Investigation.description | String | The investigation description. |
| ThreatStream.Investigation.elements.add_related_indicators | Number | Whether to add related indicators to the investigation. |
| ThreatStream.Investigation.elements.entity.assignee_user | Unknown | The assignee user. |
| ThreatStream.Investigation.elements.entity.created_ts | Date | Timestamp when the entity was created. |
| ThreatStream.Investigation.elements.entity.feed_id | Number | The feed ID of the entity. |
| ThreatStream.Investigation.elements.entity.id | Number | Unique ID assigned to the entity. |
| ThreatStream.Investigation.elements.entity.intelligence_initiatives | Unknown | Intelligence initiatives associated with the investigation. |
| ThreatStream.Investigation.elements.entity.is_anonymous | Boolean | Whether the entity is anonymous. |
| ThreatStream.Investigation.elements.entity.is_cloneable | String | Whether the entity is cloneable. |
| ThreatStream.Investigation.elements.entity.is_mitre | Boolean | Whether the entity is a MITRE entity. |
| ThreatStream.Investigation.elements.entity.is_public | Boolean | Whether the entity is public or private. |
| ThreatStream.Investigation.elements.entity.is_team | Boolean | Whether the entity is a team. |
| ThreatStream.Investigation.elements.entity.modified_ts | Date | Timestamp of when the entity was last updated on ThreatStream, in UTC format. |
| ThreatStream.Investigation.elements.entity.name | String | The entity name. |
| ThreatStream.Investigation.elements.entity.organization_id | Number | ID of the (ThreatStream) organization that brought in the entity. |
| ThreatStream.Investigation.elements.entity.owner_user_id | Number | ID of the ThreatStream user who created the entity. |
| ThreatStream.Investigation.elements.entity.primary_motivation | Unknown | The primary motivation. |
| ThreatStream.Investigation.elements.entity.publication_status | String | The publication status of the entity. |
| ThreatStream.Investigation.elements.entity.published_ts | Date | Timestamp of when the entity was published on ThreatStream, in UTC format. |
| ThreatStream.Investigation.elements.entity.resource_level | Unknown | The resource level. |
| ThreatStream.Investigation.elements.entity.resource_uri | String | Resource URI of the entity. |
| ThreatStream.Investigation.elements.entity.source_created | Unknown | Timestamp of when the entity was created by its original source. |
| ThreatStream.Investigation.elements.entity.source_modified | Unknown | Timestamp of when the entity was last updated by its original source. |
| ThreatStream.Investigation.elements.entity.start_date | Unknown | The start date. |
| ThreatStream.Investigation.elements.entity.tlp | String | Traffic Light Protocol designation for the entity: red, amber, green, or white. |
| ThreatStream.Investigation.elements.entity.uuid | String | UUID assigned to the entity. |
| ThreatStream.Investigation.elements.entity.workgroups | Unknown | Assigned workgroups. |
| ThreatStream.Investigation.elements.id | Number | Unique ID assigned to the entity. |
| ThreatStream.Investigation.elements.r_id | Number | Unique ID assigned to the element entity. |
| ThreatStream.Investigation.elements.r_type | String | Type of entity associated with the investigation. |
| ThreatStream.Investigation.elements.entity.s_type | String | Signature type of entity associated with the investigation. |
| ThreatStream.Investigation.elements.entity.children.id | String | A string representing the ID of the child entity. |
| ThreatStream.Investigation.elements.entity.children.name | String | A string representing the name of the child entity. |
| ThreatStream.Investigation.elements.entity.children.resource_uri | String | A string representing the resource URI of the child entity. |
| ThreatStream.Investigation.elements.entity.is_category | Boolean | Whether the entity is a category. |
| ThreatStream.Investigation.elements.entity.children | Unknown | The children of the entity. |
| ThreatStream.Investigation.elements.entity.aliases | Unknown | The aliases of the entity. |
| ThreatStream.Investigation.elements.entity.is_system | Boolean | Whether the entity is a system entity. |
| ThreatStream.Investigation.elements.entity.source | String | A string representing the source of the entity. |
| ThreatStream.Investigation.elements.entity.update_id | Number | The update ID of the entity. |
| ThreatStream.Investigation.elements.entity.assignee_user.email | String | The assignee user email. |
| ThreatStream.Investigation.elements.entity.assignee_user.id | String | The assignee user ID. |
| ThreatStream.Investigation.elements.entity.assignee_user.name | String | The assignee user name. |
| ThreatStream.Investigation.elements.entity.assignee_user.resource_uri | String | The assignee user resource URI. |
| ThreatStream.Investigation.elements.entity.end_date | Unknown | The end date of the entity. |
| ThreatStream.Investigation.elements.entity.objective | Unknown | The objective of the entity. |
| ThreatStream.Investigation.elements.entity.status.display_name | String | The display name of the entity status. |
| ThreatStream.Investigation.elements.entity.status.id | Number | The status ID of the entity. |
| ThreatStream.Investigation.elements.entity.status.resource_uri | String | The resource URI of the status of the entity. |
| ThreatStream.Investigation.elements.entity.asn | String | The ASN of the entity. |
| ThreatStream.Investigation.elements.entity.comments | Unknown | Comments related to the entity. |
| ThreatStream.Investigation.elements.entity.confidence | Number | The confidence of the associated entity. |
| ThreatStream.Investigation.elements.entity.country | String | The country associated with the entity. |
| ThreatStream.Investigation.elements.entity.created_by | String | A string representing the creator of the entity. |
| ThreatStream.Investigation.elements.entity.expiration_ts | Date | The timestamp when the entity will expire on ThreatStream. |
| ThreatStream.Investigation.elements.entity.import_session_id | Number | A number representing the import session ID of the entity. |
| ThreatStream.Investigation.elements.entity.import_source | String | A string representing the import source of the entity. |
| ThreatStream.Investigation.elements.entity.ip | String | The IP of the entity. |
| ThreatStream.Investigation.elements.entity.itype | String | The itype of the entity. |
| ThreatStream.Investigation.elements.entity.latitude | String | The latitude of the entity. |
| ThreatStream.Investigation.elements.entity.longitude | String | The longitude of the entity. |
| ThreatStream.Investigation.elements.entity.meta.detail2 | String | Additional details associated with the state of an entity. |
| ThreatStream.Investigation.elements.entity.meta.severity | String | Severity assigned to the entity through machine-learning algorithms ThreatStream deploys. |
| ThreatStream.Investigation.elements.entity.org | String | Registered owner (organization) associated with the entity. |
| ThreatStream.Investigation.elements.entity.owner_organization_id | Number | The owner organization ID of the entity. |
| ThreatStream.Investigation.elements.entity.rdns | Unknown | Domain name (obtained through reverse domain name lookup) associated with the entity. |
| ThreatStream.Investigation.elements.entity.retina_confidence | Number | The retina confidence of the entity. |
| ThreatStream.Investigation.elements.entity.source_reported_confidence | Number | The source reported confidence of the entity. |
| ThreatStream.Investigation.elements.entity.status | String | The status of the entity. |
| ThreatStream.Investigation.elements.entity.subtype | Unknown | The subtype of the entity. |
| ThreatStream.Investigation.elements.entity.tags | Unknown | List of tags associated with the entity. |
| ThreatStream.Investigation.elements.entity.threat_type | String | Type of threat associated with the entity. |
| ThreatStream.Investigation.elements.entity.threatscore | Number | The threat score of the entity. |
| ThreatStream.Investigation.elements.entity.trusted_circle_ids | Unknown | The trusted circle IDs of the entity. |
| ThreatStream.Investigation.elements.entity.trusted_circles_ids | Unknown | ID of the trusted circle to which the entity data should be associated. |
| ThreatStream.Investigation.elements.entity.type | String | The type of the entity. |
| ThreatStream.Investigation.elements.entity.value | String | Value of the entity. |
| ThreatStream.Investigation.errors | Unknown | Errors related to the investigation. |
| ThreatStream.Investigation.graph_content | Unknown | The investigation graph content details. |
| ThreatStream.Investigation.id | Number | The ID of the investigation. |
| ThreatStream.Investigation.intelligence_initiatives | Unknown | Intelligence initiatives associated with the investigation. |
| ThreatStream.Investigation.is_public | Boolean | Whether the entity is public or private. |
| ThreatStream.Investigation.modified_ts | Date | The date the investigation was modified. |
| ThreatStream.Investigation.name | String | The investigation name. |
| ThreatStream.Investigation.owner_org.id | String | The owner organization ID. |
| ThreatStream.Investigation.owner_org.name | String | The owner organization name. |
| ThreatStream.Investigation.owner_org.resource_uri | String | The owner organization resource URI. |
| ThreatStream.Investigation.owner_org_id | Unknown | Organization ID of the owner. |
| ThreatStream.Investigation.priority | String | The priority of the investigation. |
| ThreatStream.Investigation.reporter.email | String | Email address of the user who created the investigation. |
| ThreatStream.Investigation.reporter.id | String | ID of the user who created the investigation. |
| ThreatStream.Investigation.reporter.name | String | Name of the user who created the investigation. |
| ThreatStream.Investigation.reporter.resource_uri | String | Resource URI of the user who created the investigation. |
| ThreatStream.Investigation.reporter_id | Number | ID of the user who created the investigation. |
| ThreatStream.Investigation.resource_uri | String | The investigation resource URI. |
| ThreatStream.Investigation.source_type | String | The type of source used to create the investigation. |
| ThreatStream.Investigation.status | String | The investigation status. |
| ThreatStream.Investigation.tags | String | The tags associated with the investigation. |
| ThreatStream.Investigation.tlp | String | Traffic Light Protocol designation for the investigation: red, amber, green, or white. |
| ThreatStream.Investigation.users | Unknown | List of users associated with the investigation. |
| ThreatStream.Investigation.workgroups | Unknown | Assigned workgroups. |

Command example#

!threatstream-create-investigation name=new_investigation

Context Example#

```json
{
  "ThreatStream": {
    "Investigation": {
      "add_related_indicators": 0,
      "assignee": null,
      "circles": [],
      "created_ts": "2023-04-03T14:05:47.392664",
      "description": null,
      "graph_content": null,
      "id": 1022,
      "intelligence_initiatives": [],
      "is_public": false,
      "modified_ts": "2023-04-03T14:05:47.392680",
      "name": "new_investigation",
      "owner_org": {
        "id": "11",
        "name": "name",
        "resource_uri": "resource_uri"
      },
      "owner_org_id": null,
      "priority": "medium",
      "reporter": {
        "email": "user@email.com",
        "id": "111",
        "name": "",
        "resource_uri": "/api/v1/user/111/"
      },
      "reporter_id": 111,
      "resource_uri": "/api/v1/investigation/1022/",
      "source_type": "user",
      "status": "unassigned",
      "tags": null,
      "tlp": "white",
      "users": [],
      "workgroups": []
    }
  }
}
```

Human Readable Output#

Investigation was created successfully with ID: 1022.

threatstream-update-investigation#


Updates an existing investigation at ThreatStream.

Base Command#

threatstream-update-investigation

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| investigation_id | The ID of the investigation. Use the threatstream-list-investigation command to get the investigation ID. | Required |
| priority | The priority of the investigation. Possible values are: Very Low, Low, Medium, High, Very High. | Optional |
| status | The status of the investigation. Possible values are: Completed, In-Progress, Pending, Unassigned. | Optional |
| tags | A comma-separated list of tags. For example, tag1,tag2. | Optional |
| tlp | The TLP (Traffic Light Protocol designation) of the investigation. Possible values are: White, Green, Amber, Red. | Optional |
| assignee_id | Assignee ID. Use the threatstream-list-user command to get the user ID. | Optional |
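The Input tables for threatstream-create-investigation (above) and threatstream-update-investigation (here) list a fixed set of allowed values for priority, status and tlp, plus several comma-separated ID arguments. The following is an added example, not the integration's own code, of validating those arguments in an XSOAR automation before calling either command, so that typos are rejected locally instead of producing a confusing API error. The lower-casing mirrors what the Context Examples on this page show the server echoing back (priority=Low becomes "low", status="In-Progress" becomes "in-progress"); the function and its output dict shape are this example's own.

```python
"""Validate and normalize arguments for threatstream-create-investigation and
threatstream-update-investigation.

Added example (not part of the Anomali ThreatStream v3 integration). Allowed
values are taken from the Input tables on this page; everything else here is
an assumption of this example.
"""

PRIORITIES = {"very low", "low", "medium", "high", "very high"}
STATUSES = {"completed", "in-progress", "pending", "unassigned"}
TLPS = {"white", "green", "amber", "red"}

# Comma-separated numeric ID arguments accepted by the create command.
ID_LIST_ARGS = (
    "associated_actor_ids", "associated_campaign_ids", "associated_incident_ids",
    "associated_observable_ids", "associated_signature_ids",
    "associated_threat_bulletin_ids", "associated_ttp_ids", "associated_vulnerability_ids",
)


def _split_csv(raw):
    """Split 'a, b,,c' into ['a', 'b', 'c'], dropping blank parts."""
    return [part.strip() for part in str(raw).split(",") if part.strip()]


def _parse_int(name, token):
    """Accept only plain non-negative integers as IDs."""
    token = str(token).strip()
    if not token.isdigit():
        raise ValueError(f"{name}: {token!r} is not a numeric ID")
    return int(token)


def normalize_investigation_args(args):
    """Return a cleaned copy of args; raise ValueError for anything outside the documented values."""
    out = {}
    if "name" in args:  # required by the create command, absent from update
        name = str(args["name"] or "").strip()
        if not name:
            raise ValueError("name must not be blank")
        out["name"] = name
    if "investigation_id" in args:  # required by the update command
        out["investigation_id"] = _parse_int("investigation_id", args["investigation_id"])
    if args.get("description"):
        out["description"] = str(args["description"])
    # Enumerated arguments: compare case-insensitively, emit the lower-case form.
    for key, allowed in (("priority", PRIORITIES), ("status", STATUSES), ("tlp", TLPS)):
        if args.get(key) is not None:
            value = str(args[key]).strip().lower()
            if value not in allowed:
                raise ValueError(f"{key}: {args[key]!r} is not one of {sorted(allowed)}")
            out[key] = value
    if args.get("tags"):
        out["tags"] = _split_csv(args["tags"])
    if args.get("assignee_id") not in (None, ""):
        out["assignee_id"] = _parse_int("assignee_id", args["assignee_id"])
    if args.get("connect_related_indicators") is not None:
        flag = str(args["connect_related_indicators"]).strip().lower()
        if flag not in ("true", "false"):
            raise ValueError("connect_related_indicators must be True or False")
        out["connect_related_indicators"] = flag == "true"
    for key in ID_LIST_ARGS:
        if args.get(key):
            out[key] = [_parse_int(key, tok) for tok in _split_csv(args[key])]
    return out


def validation_error(args):
    """Return the error message for rejected args, or None when they are accepted."""
    try:
        normalize_investigation_args(args)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample mirroring the command examples on this page.
    print(normalize_investigation_args({
        "name": "new_investigation", "priority": "Low",
        "status": "In-Progress", "assignee_id": "203",
    }))
```

Because the function only returns values that appear in the documented lists, a playbook can safely pass its output straight through as the command arguments; anything it raises on would have been rejected by the server anyway.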

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Investigation.add_related_indicators | Number | Whether to add related indicators to the investigation. |
| ThreatStream.Investigation.assignee.assignee_type | String | Type of assignee: "user" or "tsworkgroup". |
| ThreatStream.Investigation.assignee.avatar_s3_url | Unknown | URL for the avatar image associated with the assignee user. |
| ThreatStream.Investigation.assignee.can_share_intelligence | Boolean | Whether the assignee user can share intelligence. |
| ThreatStream.Investigation.assignee.email | String | The email of the assignee user. |
| ThreatStream.Investigation.assignee.id | String | The ID of the assignee user. |
| ThreatStream.Investigation.assignee.is_active | Boolean | Whether the assignee user is active. |
| ThreatStream.Investigation.assignee.is_readonly | Boolean | Whether the assignee user should be restricted to Read Only status. |
| ThreatStream.Investigation.assignee.must_change_password | Boolean | Whether the assignee user will be forced to change their password the next time they log in. |
| ThreatStream.Investigation.assignee.name | String | The investigation assignee user name. |
| ThreatStream.Investigation.assignee.nickname | Unknown | The investigation assignee user nickname. |
| ThreatStream.Investigation.assignee.resource_uri | String | Resource URI associated with the investigation assignee user. |
| ThreatStream.Investigation.assignee_id | Number | ID of the user or workgroup to which the investigation is assigned. |
| ThreatStream.Investigation.assignee_type | String | Type of assignee: "user" or "tsworkgroup". |
| ThreatStream.Investigation.created_ts | Date | Timestamp when the investigation was created. |
| ThreatStream.Investigation.description | String | The investigation description. |
| ThreatStream.Investigation.elements.add_related_indicators | Number | When enabled, observables related to the entity you are associating with the investigation are also added. |
| ThreatStream.Investigation.elements.r_id | Number | Unique ID assigned to the entity. |
| ThreatStream.Investigation.elements.r_type | String | Type of entity associated with the investigation. |
| ThreatStream.Investigation.graph_content | Unknown | The investigation graph content details. |
| ThreatStream.Investigation.id | Number | The ID of the investigation. |
| ThreatStream.Investigation.is_public | Boolean | Whether the entity is public or private. |
| ThreatStream.Investigation.modified_ts | Date | The date the investigation was modified. |
| ThreatStream.Investigation.name | String | The investigation name. |
| ThreatStream.Investigation.owner_org.id | String | The owner organization ID. |
| ThreatStream.Investigation.owner_org.name | String | The owner organization name. |
| ThreatStream.Investigation.owner_org.resource_uri | String | The owner organization resource URI. |
| ThreatStream.Investigation.owner_org_id | Unknown | Organization ID of the owner. |
| ThreatStream.Investigation.priority | String | The priority of the investigation. |
| ThreatStream.Investigation.reporter.email | String | Email address of the user who created the investigation. |
| ThreatStream.Investigation.reporter.id | String | ID of the user who created the investigation. |
| ThreatStream.Investigation.reporter.name | String | Name of the user who created the investigation. |
| ThreatStream.Investigation.reporter.resource_uri | String | Resource URI of the user who created the investigation. |
| ThreatStream.Investigation.reporter_id | Number | ID of the user who created the investigation. |
| ThreatStream.Investigation.resource_uri | String | The investigation resource URI. |
| ThreatStream.Investigation.source_type | String | The type of source used to create the investigation. |
| ThreatStream.Investigation.status | String | The investigation status. |
| ThreatStream.Investigation.tags | String | The tags associated with the investigation. |
| ThreatStream.Investigation.tlp | String | Traffic Light Protocol designation for the investigation: red, amber, green, or white. |

Command example#

!threatstream-update-investigation investigation_id=1022 priority=Low status="In-Progress" assignee_id=203

Context Example#

```json
{
  "ThreatStream": {
    "Investigation": {
      "assignee": {
        "assignee_type": "user",
        "avatar_s3_url": null,
        "can_share_intelligence": false,
        "email": "user@email.com",
        "id": "111",
        "is_active": true,
        "is_readonly": false,
        "must_change_password": false,
        "name": "",
        "nickname": null,
        "resource_uri": "/api/v1/user/111/"
      },
      "assignee_id": 111,
      "assignee_type": "user",
      "circles": [],
      "created_ts": "2023-04-03T14:05:47.389934",
      "description": null,
      "graph_content": null,
      "id": 1022,
      "intelligence_initiatives": [],
      "is_public": false,
      "modified_ts": "2023-04-03T14:06:53.575922",
      "name": "new_investigation",
      "owner_org": {
        "id": "11",
        "name": "name",
        "resource_uri": "resource_uri"
      },
      "owner_org_id": null,
      "priority": "low",
      "reporter": {
        "email": "user@email.com",
        "id": "111",
        "name": "",
        "resource_uri": "/api/v1/user/111/"
      },
      "reporter_id": 111,
      "resource_uri": "/api/v1/investigation/1022/",
      "source_type": "user",
      "status": "in-progress",
      "tags": null,
      "tlp": "white",
      "users": [],
      "workgroups": []
    }
  }
}
```

Human Readable Output#

Investigation was updated successfully with ID: 1022

threatstream-add-investigation-element#


Adds an element to an existing investigation at ThreatStream.

Base Command#

threatstream-add-investigation-element

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| investigation_id | The ID of the investigation. Use the threatstream-get-model-list command to get the investigation ID. | Required |
| connect_related_indicators | When enabled, observables related to the entity you are associating with the investigation are also added. Possible values are: True, False. | Optional |
| associated_actor_ids | A comma-separated list of IDs of the actors with which you want to associate matched entities. Use the threatstream-get-model-list command to get the actor IDs. | Optional |
| associated_campaign_ids | A comma-separated list of IDs of the campaigns with which you want to associate matched entities. Use the threatstream-get-model-list command to get the campaign IDs. | Optional |
| associated_incident_ids | A comma-separated list of IDs of the incidents with which you want to associate matched entities. Use the threatstream-get-model-list command to get the incident IDs. | Optional |
| associated_observable_ids | A comma-separated list of IDs of the observables with which you want to associate matched entities. Use the threatstream-get-indicators command to get the observable IDs. | Optional |
| associated_signature_ids | A comma-separated list of IDs of the signatures with which you want to associate matched entities. Use the threatstream-get-model-list command to get the signature IDs. | Optional |
| associated_threat_bulletin_ids | A comma-separated list of IDs of the threat bulletins with which you want to associate matched entities. Use the threatstream-get-model-list command to get the threat bulletin IDs. | Optional |
| associated_ttp_ids | A comma-separated list of IDs of the TTPs with which you want to associate matched entities. Use the threatstream-get-model-list command to get the TTP IDs. | Optional |
| associated_vulnerability_ids | A comma-separated list of IDs of the vulnerabilities with which you want to associate matched entities. Use the threatstream-get-model-list command to get the vulnerability IDs. | Optional |

Context Output#

There is no context output for this command.

Command example#

!threatstream-add-investigation-element investigation_id=1022 associated_campaign_ids=111111

Human Readable Output#

All The elements was added successfully to investigation ID: 1022

threatstream-delete-investigation#


Deletes an existing investigation at ThreatStream.

Base Command#

threatstream-delete-investigation

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| investigation_id | The ID of the investigation. | Required |

Context Output#

There is no context output for this command.

Command example#

!threatstream-delete-investigation investigation_id=1022

Human Readable Output#

Investigation was deleted successfully.

threatstream-list-whitelist-entry#


Get a list of whitelist entries.

Base Command#

threatstream-list-whitelist-entry

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| format | Defines the format of the response. Possible values are: CSV, JSON. Default is JSON. | Optional |
| limit | The maximum number of results to return. Default is 50. | Optional |
| page | Page number to get results from. Needs to be used with the page_size argument. | Optional |
| page_size | The page size of the returned results. Needs to be used with the page argument. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| InfoFile.Name | string | Name of the file. |
| InfoFile.EntryID | string | The entry ID of the report. |
| InfoFile.Size | number | Size of the file. |
| InfoFile.Type | string | File type, e.g., "PE". |
| InfoFile.Info | string | Basic information of the file. |
| ThreatStream.WhitelistEntry.created_ts | Date | Timestamp of when the entry was created. |
| ThreatStream.WhitelistEntry.id | Number | Unique ID associated with the whitelist entry. |
| ThreatStream.WhitelistEntry.modified_ts | Date | Timestamp of when the entry was most recently modified. |
| ThreatStream.WhitelistEntry.notes | String | Contextual note associated with the entry. |
| ThreatStream.WhitelistEntry.resource_uri | String | Resource URI of the entry. |
| ThreatStream.WhitelistEntry.value | String | Value of the entry. |
| ThreatStream.WhitelistEntry.value_type | String | Value type of the entry. |

Command example#

!threatstream-list-whitelist-entry page=2 page_size=2

Context Example#

```json
{
  "ThreatStream": {
    "WhitelistEntry": [
      {
        "created_ts": "2023-04-02T13:18:00.862395",
        "id": 111,
        "modified_ts": "2023-04-02T13:18:00.862395",
        "notes": null,
        "resource_uri": "/api/v1/orgwhitelist/111/",
        "value": "1.2.4.5",
        "value_type": "ip"
      },
      {
        "created_ts": "2023-04-02T13:18:00.862395",
        "id": 222,
        "modified_ts": "2023-04-02T13:18:00.862395",
        "notes": null,
        "resource_uri": "/api/v1/orgwhitelist/222/",
        "value": "1.2.4.5",
        "value_type": "ip"
      }
    ]
  }
}
```

Human Readable Output#

Whitelist entries#

| Id | Value | Resource Uri | Created At | Modified At | Value Type |
| --- | --- | --- | --- | --- | --- |
| 111 | 1.2.4.5 | /api/v1/orgwhitelist/111/ | 2023-04-02T13:18:00.862395 | 2023-04-02T13:18:00.862395 | ip |
| 222 | 1.2.4.5 | /api/v1/orgwhitelist/222/ | 2023-04-02T13:18:00.862395 | 2023-04-02T13:18:00.862395 | ip |
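A common use of the ThreatStream.WhitelistEntry context above is to decide, inside a playbook, whether an observable that just scored as suspicious is actually covered by the organization's own whitelist before escalating it. The following is an added example, not the integration's own code, that consumes records shaped like that context output (id, value_type, value) and returns the IDs of the entries covering a candidate observable. The matching semantics it applies (an ip entry matches only that address, a cidr entry contains addresses, a domain entry covers the domain and its subdomains, other types compare case-insensitively) are this example's own assumptions, not documented ThreatStream behaviour; the sample entries are constructed.

```python
"""Check observables against ThreatStream whitelist entries.

Added example (not part of the Anomali ThreatStream v3 integration). Works on
dicts shaped like the ThreatStream.WhitelistEntry context output. Matching
rules below are assumptions of this example, not documented server behaviour.
"""
import ipaddress

# Constructed sample entries mirroring the ThreatStream.WhitelistEntry context shape.
SAMPLE_ENTRIES = [
    {"id": 111, "value_type": "ip", "value": "1.2.4.5"},
    {"id": 222, "value_type": "cidr", "value": "10.0.0.0/8"},
    {"id": 333, "value_type": "domain", "value": "example.com"},
    {"id": 444, "value_type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
]

# Types whose values are compared by case-insensitive equality only.
EXACT_TYPES = {"md5", "email", "url", "user-agent"}


def _ip_covered(entry_type, entry_value, candidate):
    """True when candidate equals the ip entry or lies inside the cidr entry."""
    try:
        addr = ipaddress.ip_address(candidate)
        if entry_type == "ip":
            return addr == ipaddress.ip_address(entry_value)
        if entry_type == "cidr":
            return addr in ipaddress.ip_network(entry_value, strict=False)
    except ValueError:
        # A malformed candidate or entry is never treated as covered.
        return False
    return False


def _domain_covered(entry_value, candidate):
    """Assumption: a domain entry covers the domain itself and its subdomains."""
    cand = candidate.lower().rstrip(".")
    entry = entry_value.lower().rstrip(".")
    return cand == entry or cand.endswith("." + entry)


def matching_entries(candidate, candidate_type, entries):
    """Return the IDs of whitelist entries that cover candidate, in entry order."""
    hits = []
    for entry in entries:
        etype = entry.get("value_type")
        evalue = entry.get("value") or ""
        if candidate_type == "ip" and etype in ("ip", "cidr"):
            covered = _ip_covered(etype, evalue, candidate)
        elif candidate_type == "domain" and etype == "domain":
            covered = _domain_covered(evalue, candidate)
        elif candidate_type == etype and etype in EXACT_TYPES:
            covered = candidate.strip().lower() == evalue.strip().lower()
        else:
            covered = False
        if covered:
            hits.append(entry["id"])
    return hits


if __name__ == "__main__":
    for cand, ctype in (("1.2.4.5", "ip"), ("10.20.30.40", "ip"), ("mail.example.com", "domain")):
        print(cand, ctype, matching_entries(cand, ctype, SAMPLE_ENTRIES))
```

Returning the entry IDs rather than a bare boolean lets the playbook record which whitelist entry suppressed the alert, which is what an analyst reviewing a closed incident will want to see.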

threatstream-create-whitelist-entry#


Creates a new whitelist entry.

Base Command#

threatstream-create-whitelist-entry

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entry_id | The entry ID of the file you want to upload. | Optional |
| cidr | A comma-separated list of CIDRs associated with the entry. | Optional |
| domains | A comma-separated list of domains associated with the entry. | Optional |
| emails | A comma-separated list of emails associated with the entry. | Optional |
| ips | A comma-separated list of IPs associated with the entry. | Optional |
| md5 | A comma-separated list of MD5 hashes associated with the entry. | Optional |
| urls | A comma-separated list of URLs associated with the entry. | Optional |
| user_agents | A comma-separated list of user agents associated with the entry. | Optional |
| note | A note that will be associated with all the indicator types that are provided in the command arguments. | Optional |

Note: The file referenced by entry_id must be a valid CSV file with the header line value_type,value,notes. value_type is required for each entry; the possible types are domain, email, ip, md5, url, user-agent, and cidr. value is required for each entry and must be valid for the specified type (for example, if the type is ip, the value must be a valid IP address). notes is optional for each entry. All text in the CSV file must be lower-cased.
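A malformed upload is the usual reason a bulk whitelist import fails, so it pays to check the file against the rules in the note before handing it to the command. The following is an added example, not the integration's own code, that builds such a CSV and validates one against every rule the note states: exact header, known value_type, a value that is valid for its type, optional notes, and lower-case text throughout. The per-type validity checks (ipaddress for ip and cidr, simple regular expressions for domain, email, md5 and url, any non-empty string for user-agent) are this example's assumptions about what "valid" means; the sample rows are constructed.

```python
"""Build and validate the CSV accepted by threatstream-create-whitelist-entry via entry_id.

Added example (not part of the Anomali ThreatStream v3 integration). Rules come
from the documentation note; the per-type validity checks are assumptions.
"""
import csv
import io
import ipaddress
import re

ALLOWED_TYPES = {"domain", "email", "ip", "md5", "url", "user-agent", "cidr"}
EXPECTED_HEADER = ["value_type", "value", "notes"]

# Deliberately lower-case patterns: the note requires lower-cased text anyway.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_MD5_RE = re.compile(r"^[0-9a-f]{32}$")
_URL_RE = re.compile(r"^(https?|ftp)://\S+$")


def value_is_valid(value_type, value):
    """Assumed validity rule per value_type; unknown types are never valid."""
    if value_type in ("ip", "cidr"):
        try:
            if value_type == "ip":
                ipaddress.ip_address(value)
            else:
                ipaddress.ip_network(value, strict=False)
            return True
        except ValueError:
            return False
    if value_type == "domain":
        return bool(_DOMAIN_RE.match(value))
    if value_type == "email":
        return bool(_EMAIL_RE.match(value))
    if value_type == "md5":
        return bool(_MD5_RE.match(value))
    if value_type == "url":
        return bool(_URL_RE.match(value))
    if value_type == "user-agent":
        return bool(value.strip())
    return False


def validate_whitelist_csv(text):
    """Return a list of (line_number, problem) tuples; an empty list means the CSV is acceptable."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != EXPECTED_HEADER:
        problems.append((1, "header must be exactly value_type,value,notes"))
        return problems
    for lineno, row in enumerate(rows[1:], start=2):
        if not row or all(cell.strip() == "" for cell in row):
            continue  # blank line, nothing to check
        if len(row) < 2 or len(row) > 3:
            problems.append((lineno, "expected 2 or 3 columns"))
            continue
        value_type, value = row[0], row[1]
        notes = row[2] if len(row) == 3 else ""
        if any(cell != cell.lower() for cell in (value_type, value, notes)):
            problems.append((lineno, "all text must be lower-cased"))
        if value_type not in ALLOWED_TYPES:
            problems.append((lineno, f"unknown value_type {value_type!r}"))
            continue
        if not value:
            problems.append((lineno, "value is required"))
            continue
        if not value_is_valid(value_type, value):
            problems.append((lineno, f"{value!r} is not a valid {value_type}"))
    return problems


def build_whitelist_csv(entries):
    """entries: iterable of (value_type, value, notes). Lower-cases every field and returns CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(EXPECTED_HEADER)
    for value_type, value, notes in entries:
        writer.writerow([value_type.lower(), value.lower(), (notes or "").lower()])
    return buf.getvalue()


# Constructed sample file for demonstration.
SAMPLE_CSV = build_whitelist_csv([
    ("ip", "1.2.4.5", "Internal scanner"),
    ("cidr", "10.0.0.0/8", ""),
    ("domain", "example.com", "corp domain"),
])

if __name__ == "__main__":
    print(SAMPLE_CSV)
    print("problems:", validate_whitelist_csv(SAMPLE_CSV))
```

Running the validator on the generated file returns no problems; feeding it a hand-written file with an upper-case type or an out-of-range address returns one tuple per violation with the CSV line number, which is more useful than the single rejection the import would otherwise produce.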

Context Output#

There is no context output for this command.

Command example#

!threatstream-create-whitelist-entry ips=1.2.4.5

Human Readable Output#

Created 1 item(s).

threatstream-update-whitelist-entry-note#


Modifies the contextual notes associated with existing whitelist entries.

Base Command#

threatstream-update-whitelist-entry-note

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entry_id | The ID of the entry you want to update. | Required |
| note | A note that will be associated with all the indicator types that are provided in the command arguments. | Required |

Context Output#

There is no context output for this command.

Command example#

!threatstream-update-whitelist-entry-note note="some_note" entry_id=222

Human Readable Output#

The note was updated successfully.

threatstream-delete-whitelist-entry#


Delete a whitelist entry.

Base Command#

threatstream-delete-whitelist-entry

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entry_id | The ID of the entry you want to delete. Use the threatstream-list-whitelist-entry command to get the entry ID. | Required |

Context Output#

There is no context output for this command.

Command example#

!threatstream-delete-whitelist-entry entry_id=222

Human Readable Output#

The entity was deleted successfully

threatstream-list-import-job#


Gets a list of import jobs.

Base Command#

threatstream-list-import-job

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| import_id | When specified, the results returned in the list are limited to the specified import ID. | Optional |
| status_in | When specified, the results returned in the list are limited to the selected status. Possible values are: Processing, Errors, Ready To Review, Rejected, Approved. | Optional |
| limit | The maximum number of results to return. Default is 50. | Optional |
| page | Page number to get results from. Needs to be used with the page_size argument. | Optional |
| page_size | The page size of the returned results. Needs to be used with the page argument. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Import.approved_by_id | Unknown | The ID of the user who approved the import. |
| ThreatStream.Import.confidence | Number | Confidence score assigned to the import. |
| ThreatStream.Import.date | Date | A date representing the import date. |
| ThreatStream.Import.date_modified | Date | A date representing the last modified date of the import. |
| ThreatStream.Import.default_comment | Unknown | Default comment. |
| ThreatStream.Import.email | String | A string representing the email associated with the import. |
| ThreatStream.Import.exclude_source_domain | Boolean | Whether the source domain is excluded. |
| ThreatStream.Import.expiration_ts | Date | The timestamp when the import will expire on ThreatStream. |
| ThreatStream.Import.fileName | String | A string representing the name of the file associated with the import. |
| ThreatStream.Import.fileType | String | A string representing the type of the file associated with the import. |
| ThreatStream.Import.file_name_label | Unknown | The file name label. |
| ThreatStream.Import.id | Number | A number representing the import ID. |
| ThreatStream.Import.intelligence_source | String | A string representing the intelligence source of the import. |
| ThreatStream.Import.is_anonymous | Boolean | Whether the entity is anonymous. |
| ThreatStream.Import.is_public | Boolean | Whether the entity is public or private. |
| ThreatStream.Import.jobID | Unknown | The job ID. |
| ThreatStream.Import.messages | String | A string representing the messages associated with the import. |
| ThreatStream.Import.name | String | The import name. |
| ThreatStream.Import.notes | String | A string representing the notes associated with the import. |
| ThreatStream.Import.numIndicators | Number | The number of observables that were accepted for importing. |
| ThreatStream.Import.numRejected | Number | The number of observables that were rejected for importing. |
| ThreatStream.Import.num_private | Number | A number representing the number of private entities associated with the import. |
| ThreatStream.Import.num_public | Number | A number representing the number of public entities associated with the import. |
| ThreatStream.Import.organization.id | String | ID associated with the organization that created the import. |
| ThreatStream.Import.organization.name | String | Name associated with the organization that created the import. |
| ThreatStream.Import.organization.resource_uri | String | Resource URI associated with the organization that created the import. |
| ThreatStream.Import.processed_ts | Date | A date representing the timestamp when the import was processed. |
| ThreatStream.Import.resource_uri | String | Resource URI associated with the entity. |
| ThreatStream.Import.sandbox_submit | Unknown | The sandbox submit. |
| ThreatStream.Import.source_confidence_weight | Number | The source confidence weight of the entity. |
| ThreatStream.Import.status | String | The import status. |
| ThreatStream.Import.threat_type | String | The threat type. |
| ThreatStream.Import.tlp | Unknown | Traffic Light Protocol designation. |
| ThreatStream.Import.user_id | Number | The ID of the user who created the import. |
| ThreatStream.Import.visibleForReview | Boolean | Whether the entity is visible for review. |

Command example#

!threatstream-list-import-job page=2 page_size=2

Context Example#

{
"ThreatStream": {
"Import": [
{
"ImportID": 111111,
"JobID": null,
"approved_by": {
"avatar_s3_url": null,
"can_share_intelligence": false,
"email": "user@email.com",
"id": "111",
"is_active": true,
"is_readonly": false,
"must_change_password": false,
"name": "",
"nickname": null,
"organization": {
"id": "11",
"name": "name",
"resource_uri": "resource_uri"
},
"resource_uri": "/api/v1/user/111/"
},
"approved_by_id": 111,
"confidence": 50,
"date": "2023-04-03T14:27:51.896155",
"date_modified": "2023-04-03T14:27:52.714429",
"default_comment": null,
"email": "user@email.com",
"exclude_source_domain": false,
"expiration_ts": "2023-07-02T14:27:51.887354",
"fileName": null,
"fileType": "analyst",
"file_name_label": null,
"intelligence_initiatives": [],
"intelligence_source": "",
"is_anonymous": false,
"is_public": false,
"messages": "",
"name": "",
"notes": "",
"numIndicators": 0,
"numRejected": 0,
"num_private": 0,
"num_public": 0,
"organization": {
"id": "11",
"name": "name",
"resource_uri": "resource_uri"
},
"processed_ts": "2023-04-03T14:27:51.935305",
"resource_uri": "/api/v1/importsession/111111/",
"sandbox_submit": null,
"source_confidence_weight": 0,
"status": "approved",
"tags": [],
"threat_type": "exploit",
"tlp": null,
"trusted_circles": [],
"user_id": 111,
"visibleForReview": true,
"workgroups": []
},
{
"ImportID": 222222,
"JobID": null,
"approved_by": {
"avatar_s3_url": null,
"can_share_intelligence": false,
"email": "user@email.com",
"id": "111",
"is_active": true,
"is_readonly": false,
"must_change_password": false,
"name": "",
"nickname": null,
"organization": {
"id": "11",
"name": "name",
"resource_uri": "resource_uri"
},
"resource_uri": "/api/v1/user/111/"
},
"approved_by_id": 111,
"confidence": 50,
"date": "2023-04-03T14:27:22.263119",
"date_modified": "2023-04-03T14:27:23.128873",
"default_comment": null,
"email": "user@email.com",
"exclude_source_domain": false,
"expiration_ts": "2023-07-02T14:27:22.260221",
"fileName": null,
"fileType": "analyst",
"file_name_label": null,
"intelligence_initiatives": [],
"intelligence_source": "",
"is_anonymous": false,
"is_public": false,
"messages": "",
"name": "",
"notes": "",
"numIndicators": 0,
"numRejected": 0,
"num_private": 0,
"num_public": 0,
"organization": {
"id": "11",
"name": "name",
"resource_uri": "resource_uri"
},
"processed_ts": "2023-04-03T14:27:22.290096",
"resource_uri": "/api/v1/importsession/222222/",
"sandbox_submit": null,
"source_confidence_weight": 0,
"status": "approved",
"tags": [],
"threat_type": "exploit",
"tlp": null,
"trusted_circles": [],
"user_id": 111,
"visibleForReview": true,
"workgroups": []
}
]
}
}

Human Readable Output#

Import entries#

| Id | Date | Status | Reviewed By | Submitted By | Included | Excluded |
| --- | --- | --- | --- | --- | --- | --- |
| 111111 | 2023-04-03T14:27:51.896155 | approved | user@email.com | user@email.com | 0 | 0 |
| 222222 | 2023-04-03T14:27:22.263119 | approved | user@email.com | user@email.com | 0 | 0 |

threatstream-approve-import-job#


Approve all observables in an import job.

Base Command#

threatstream-approve-import-job

Required Permissions#

Approve Intel user permission

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| import_id | The ID of the import job. | Required |

Context Output#

There is no context output for this command.

Command example#

!threatstream-approve-import-job import_id=111111

Human Readable Output#

The import session was successfully approved.
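
The two commands above form a natural pair: list the import sessions, then approve the ones that pass review. The following added example (not code from the Anomali ThreatStream integration or from Cortex XSOAR) shows a review gate over the ThreatStream.Import context that decides which sessions may be handed to `threatstream-approve-import-job` without an analyst. The thresholds, the `ready` status value used for an unapproved session, and the sample context are all assumptions made for the illustration.

```python
"""Added example (not code from the Anomali ThreatStream integration): a review
gate over the ThreatStream.Import context returned by
!threatstream-list-import-job that decides which sessions may be handed to
!threatstream-approve-import-job automatically. Every threshold and the
'ready' status value below are assumptions made for the illustration."""
from dataclasses import dataclass, field

# Constructed sample context shaped like the documented output. Only the fields
# the gate looks at are filled in; the values are placeholders, not real data.
SAMPLE_CONTEXT = {
    "ThreatStream": {
        "Import": [
            {"id": 111111, "status": "ready", "confidence": 50, "numIndicators": 120,
             "numRejected": 0, "visibleForReview": True, "is_public": False},
            {"id": 222222, "status": "ready", "confidence": 50, "numIndicators": 40,
             "numRejected": 15, "visibleForReview": True, "is_public": True},
            {"id": 333333, "status": "approved", "confidence": 50, "numIndicators": 10,
             "numRejected": 0, "visibleForReview": True, "is_public": False},
            {"id": 444444, "status": "ready", "confidence": 10, "numIndicators": 5,
             "numRejected": 0, "visibleForReview": True, "is_public": False},
            {"id": 555555, "status": "ready", "confidence": 50, "numIndicators": 0,
             "numRejected": 0, "visibleForReview": True, "is_public": False},
        ]
    }
}


@dataclass
class Decision:
    import_id: int
    approve: bool
    reasons: list = field(default_factory=list)  # empty when approve is True


def review_import(job, *, min_confidence=25, max_rejected_ratio=0.1,
                  allow_public=False):
    """Apply the (assumed) auto-approval policy to one import session."""
    reasons = []
    if job.get("status") == "approved":
        reasons.append("already approved")
    if not job.get("visibleForReview", True):
        reasons.append("not visible for review")
    accepted = job.get("numIndicators") or 0
    rejected = job.get("numRejected") or 0
    if accepted == 0:
        reasons.append("no accepted observables")
    elif rejected / (accepted + rejected) > max_rejected_ratio:
        reasons.append(f"rejection ratio {rejected}/{accepted + rejected} too high")
    if (job.get("confidence") or 0) < min_confidence:
        reasons.append(f"confidence {job.get('confidence')} below {min_confidence}")
    if job.get("is_public") and not allow_public:
        reasons.append("public import needs manual review")
    # The sample JSON on this page exposes the session ID as both "id" and
    # "ImportID"; accept either.
    import_id = job.get("id", job.get("ImportID"))
    return Decision(import_id, not reasons, reasons)


def plan_approvals(context, **policy):
    """Return (decisions, commands): one Decision per session and the approve
    command line for each session that passed the gate."""
    sessions = context.get("ThreatStream", {}).get("Import", [])
    decisions = [review_import(s, **policy) for s in sessions]
    commands = [f"!threatstream-approve-import-job import_id={d.import_id}"
                for d in decisions if d.approve]
    return decisions, commands


if __name__ == "__main__":
    decisions, commands = plan_approvals(SAMPLE_CONTEXT)
    for d in decisions:
        print(d.import_id, "approve" if d.approve else "hold", "; ".join(d.reasons))
    print(commands)
```

Sessions that are held keep their reasons attached, so a playbook can post them to the analyst instead of silently skipping them; the policy keywords let the same gate run stricter or looser depending on the source feed.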

threatstream-search-threat-model#


Retrieve threat model entities from ThreatStream.

Base Command#

threatstream-search-threat-model

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| model_type | A comma-separated list of model types. Supported values are: actor, attackpattern, campaign, courseofaction, incident, identity, infrastructure, intrusionset, malware, signature, tipreport, ttp, tool, vulnerability. | Optional |
| name | The name of the threat model. | Optional |
| keyword_search | Free-text string searched in the Aliases, Description, Name, and Tags fields. | Optional |
| alias | Other names by which the entity is known. | Optional |
| feed_id | Numeric ID of the threat feed that provided the Threat Model entity. | Optional |
| is_email | Whether the entity was created as a result of an email import. Possible values are: True, False. | Optional |
| is_public | Whether the entity is public or private. True if the entity is public, False if the entity is private or belongs to a Trusted Circle. Possible values are: True, False. | Optional |
| publication_status | A comma-separated list of publication statuses. Supported values are: new, pending_review, review_requested, reviewed. | Optional |
| signature_type | A comma-separated list of signature types. Supported values are: Bro, Carbon Black Query, ClamAV, Custom, CybOX, OpenIOC, RSA NetWitness, Snort, Splunk Query, Suricata, YARA. | Optional |
| tags | A comma-separated list of additional comments and context associated with the entity when it was imported from its original threat feed. | Optional |
| trusted_circle_id | Return only entities associated with the specified trusted circles. | Optional |
| limit | The maximum number of results to return. Default is 50. | Optional |
| page | Page number to get results from. Needs to be used with the page_size argument. | Optional |
| page_size | The page size of the returned results. Needs to be used with the page argument. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.ThreatModel.source_created | Unknown | Timestamp of when the entity was created by its original source. |
| ThreatStream.ThreatModel.circles | Unknown | Trusted circles with which data from streams is shared. |
| ThreatStream.ThreatModel.feed_id | Number | Numeric ID of the threat feed that provided the threat model entity. |
| ThreatStream.ThreatModel.workgroups | Unknown | Workgroups to which the threat model is visible. |
| ThreatStream.ThreatModel.aliases | Unknown | Other names by which the threat model is known. |
| ThreatStream.ThreatModel.is_email | Unknown | Whether the threat model was created as a result of an email import. |
| ThreatStream.ThreatModel.published_ts | String | Timestamp of when the entity was published on ThreatStream, in UTC format. |
| ThreatStream.ThreatModel.id | Number | Unique ID assigned to the entity. |
| ThreatStream.ThreatModel.source_modified | Date | Timestamp of when the entity was last updated by its original source. |
| ThreatStream.ThreatModel.type | String | The threat model type. |
| ThreatStream.ThreatModel.start_date | Unknown | Time when a threat model was known to have started. |
| ThreatStream.ThreatModel.publication_status | String | The publication status. A threat model can be in one of the following statuses: new, pending_review, review_requested, reviewed, published. |
| ThreatStream.ThreatModel.end_date | Unknown | Time when a threat model was known to have ended. |
| ThreatStream.ThreatModel.tags.id | String | The ID of the tag assigned to the threat model. |
| ThreatStream.ThreatModel.tags.name | String | The name of the tag assigned to the threat model. |
| ThreatStream.ThreatModel.modified_ts | String | Timestamp of when the threat model was last updated on ThreatStream, in UTC format. |
| ThreatStream.ThreatModel.is_public | Boolean | Whether the entity is public or private. |
| ThreatStream.ThreatModel.uuid | String | UUID (universally unique identifier) assigned to the threat model for STIX compliance. |
| ThreatStream.ThreatModel.created_ts | String | Timestamp when the threat model was created. |
| ThreatStream.ThreatModel.tlp | String | TLP setting associated with the entity. |
| ThreatStream.ThreatModel.name | String | Name of the entity. |
| ThreatStream.ThreatModel.status | Unknown | Status of the entity. |
| ThreatStream.ThreatModel.model_type | String | Type of threat model entity. |
| ThreatStream.ThreatModel.resource_uri | String | Resource URI associated with the entity. |

Command example#

!threatstream-search-threat-model model_type="signature" signature_type="Carbon Black Query,Bro,ClamAV" limit="50" page="2" page_size="2"

Context Example#

{
"ThreatStream": {
"ThreatModel": [
{
"aliases": [],
"circles": [],
"created_ts": "2023-03-19T10:04:13.272377+00:00",
"end_date": null,
"feed_id": 0,
"id": 111111,
"is_email": null,
"is_public": false,
"model_type": "signature",
"modified_ts": "2023-03-19T10:09:09.150405+00:00",
"name": "signature_threat_model_1",
"organization": {
"id": 11,
"title": "title"
},
"owner_user": {
"email": "user@email.com",
"id": 111,
"name": ""
},
"publication_status": "new",
"published_ts": null,
"resource_uri": "/api/v1/signature/111111/",
"sort": [
11111111111111111,
"signature-111111"
],
"source_created": null,
"source_modified": null,
"start_date": null,
"status": null,
"tags": [
{
"id": "as2",
"name": "Reconnaissance",
"org_id": 11,
"tlp": "white"
}
],
"tlp": "red",
"type": "Carbon Black Query",
"uuid": "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX",
"workgroups": []
},
{
"aliases": [],
"circles": [],
"created_ts": "2020-07-31T20:56:33.459260+00:00",
"end_date": null,
"feed_id": 155,
"id": 333,
"is_email": null,
"is_public": true,
"model_type": "signature",
"modified_ts": "2022-10-08T05:18:20.389951+00:00",
"name": "signature_threat_model_2",
"publication_status": "published",
"published_ts": "2020-07-31T20:56:33.295192+00:00",
"resource_uri": "/api/v1/signature/333/",
"sort": [
11111111111111111,
"signature-333"
],
"source_created": null,
"source_modified": null,
"start_date": null,
"status": null,
"tags": [
{
"id": "id1",
"name": "actor_tag1"
}
],
"tlp": "white",
"type": "Carbon Black Query",
"uuid": "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX",
"workgroups": []
}
]
}
}

Human Readable Output#

Threat model entities#

| Id | Type | Name | Publication Status | Modified At |
| --- | --- | --- | --- | --- |
| 111111 | signature | signature_threat_model_1 | new | 2023-03-19T10:09:09.150405+00:00 |
| 333 | signature | signature_threat_model_2 | published | 2022-10-08T05:18:20.389951+00:00 |
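
The search command accepts several comma-separated enumerations and a page/page_size pair that only works together, and the entities it returns carry both a TLP marking and an is_public flag. The added example below (not code from the integration; written for this page) validates the arguments against the supported values listed in the input table before the command line is built, and then checks returned ThreatStream.ThreatModel entries for entities that are public while carrying a TLP stricter than the sharing policy allows. The sample context is constructed from the Context Example above plus two extra entries, and the policy itself is an assumption.

```python
"""Added example, not code from the integration: argument validation for
!threatstream-search-threat-model (the supported values come from the input
table on this page) and a TLP-versus-visibility check over the
ThreatStream.ThreatModel entries the command returns. The check's policy is an
assumption made for the illustration."""

MODEL_TYPES = {"actor", "attackpattern", "campaign", "courseofaction", "incident",
               "identity", "infrastructure", "intrusionset", "malware", "signature",
               "tipreport", "ttp", "tool", "vulnerability"}
SIGNATURE_TYPES = {"Bro", "Carbon Black Query", "ClamAV", "Custom", "CybOX", "OpenIOC",
                   "RSA NetWitness", "Snort", "Splunk Query", "Suricata", "YARA"}
PUBLICATION_STATUSES = {"new", "pending_review", "review_requested", "reviewed"}
LIST_ARGUMENTS = {"model_type": MODEL_TYPES, "signature_type": SIGNATURE_TYPES,
                  "publication_status": PUBLICATION_STATUSES}


def _split_csv(value):
    return [v.strip() for v in str(value).split(",") if v.strip()]


def validate_search_args(**args):
    """Return a list of problems with the arguments (empty when they are fine)."""
    errors = []
    for name, allowed in LIST_ARGUMENTS.items():
        if name in args:
            for value in _split_csv(args[name]):
                if value not in allowed:
                    errors.append(f'{name}: unsupported value "{value}"')
    # page and page_size only work as a pair.
    if ("page" in args) != ("page_size" in args):
        errors.append("page and page_size must be used together")
    return errors


def build_search_command(**args):
    """Render the command line, raising ValueError on invalid arguments."""
    errors = validate_search_args(**args)
    if errors:
        raise ValueError("; ".join(errors))
    return " ".join(["!threatstream-search-threat-model"]
                    + [f'{k}="{v}"' for k, v in args.items()])


# TLP ranking; "clear" is the TLP 2.0 name for "white". Unknown labels rank as red.
TLP_RANK = {"white": 0, "clear": 0, "green": 1, "amber": 2, "amber+strict": 2, "red": 3}


def tlp_visibility_issues(context, max_public_tlp="green"):
    """Flag entities that are public (visible beyond trusted circles) while
    carrying a TLP stricter than max_public_tlp, or public without any TLP."""
    issues = []
    for entity in context.get("ThreatStream", {}).get("ThreatModel", []):
        tlp = (entity.get("tlp") or "").lower()
        public = bool(entity.get("is_public"))
        if public and not tlp:
            issues.append((entity["id"], "public entity has no TLP"))
        elif public and TLP_RANK.get(tlp, 3) > TLP_RANK[max_public_tlp]:
            issues.append((entity["id"], f"public entity marked TLP {tlp}"))
    return issues


# Constructed sample modelled on the Context Example on this page (the last two
# entries are added to show mismatches); IDs are placeholders.
SAMPLE_MODELS = {"ThreatStream": {"ThreatModel": [
    {"id": 111111, "is_public": False, "tlp": "red", "model_type": "signature"},
    {"id": 333, "is_public": True, "tlp": "white", "model_type": "signature"},
    {"id": 444, "is_public": True, "tlp": "red", "model_type": "signature"},
    {"id": 555, "is_public": True, "tlp": None, "model_type": "actor"},
]}}

if __name__ == "__main__":
    print(build_search_command(model_type="signature", page="2", page_size="2"))
    for entity_id, problem in tlp_visibility_issues(SAMPLE_MODELS):
        print(entity_id, problem)
```

Validating before the call keeps a typo in `model_type` from silently returning an empty result set, and the TLP check is the kind of consistency test worth running before a playbook publishes or associates entities returned by the search.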

threatstream-add-threat-model-association#


Creates associations between threat model entities on the ThreatStream platform.

Base Command#

threatstream-add-threat-model-association

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entity_type | The type of the threat model entity to which you are adding the association. Possible values are: Actor, Attack Pattern, Campaign, Course Of Action, Identity, Infrastructure, Intrusion Set, Incident, Malware, Signature, Threat Bulletin, Tool, Ttp, Vulnerability. | Required |
| entity_id | The ID of the threat model entity to which you are adding the association. | Required |
| associated_entity_ids | A comma-separated list of the IDs of the entities to associate with the primary entity. Note: The model type of all the IDs must be equal to the type given in the associated_entity_type argument. | Required |
| associated_entity_type | The type of the threat model entities listed in associated_entity_ids. Possible values are: Actor, Attack Pattern, Campaign, Course Of Action, Identity, Infrastructure, Intrusion Set, Incident, Malware, Signature, Threat Bulletin, Tool, Ttp, Vulnerability. | Required |

Context Output#

There is no context output for this command.

Command example#

!threatstream-add-threat-model-association entity_type="Actor" entity_id="26769" associated_entity_ids="1111,2222" associated_entity_type="Attack Pattern"

Human Readable Output#

The Attack Pattern entities with ids 2222, 1111 were associated successfully to entity id: 26769.

threatstream-add-indicator-tag#


Add tags to the indicators.

Base Command#

threatstream-add-indicator-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_ids | A comma-separated list of unique IDs of the indicators to which you are adding tags. | Required |
| tags | A comma-separated list of the tag values you want to add. | Required |

Context Output#

There is no context output for this command.

threatstream-remove-indicator-tag#


Remove tags from the indicators.

Base Command#

threatstream-remove-indicator-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_ids | A comma-separated list of unique IDs of the indicators from which you are removing tags. | Required |
| tags | A comma-separated list of the tag values you want to remove. | Required |

Context Output#

There is no context output for this command.


threatstream-clone-imported-indicator#


Clones an already imported indicator (observable). Used together with threatstream-edit-classification to move the clone into a trusted circle.

Base Command#

threatstream-clone-imported-indicator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_id | ID of the indicator to clone. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Clone.ID | String | Indicator ID. |
| ThreatStream.Clone.Import_Session_ID | String | Import Session ID for the clone request. |
| ThreatStream.Clone.Job_ID | String | Job ID for the clone request. |

threatstream-edit-classification#


Edits the values of an observable that has been cloned.

Base Command#

threatstream-edit-classification

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| import_id | Import Session ID of the import session returned by the threatstream-clone-imported-indicator command. | Required |
| data | JSON data of the edits to be made, for example {"is_public":false,"circles":[12866]}. | Required |

Context Output#

There is no context output for this command.
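
The clone and edit-classification commands are two steps of one procedure: clone the observable, read the Import_Session_ID from the ThreatStream.Clone context, and then edit the clone's classification on that session. The added example below (not the integration's own code) carries that procedure through on a constructed clone context and builds the `data` JSON for the edit, rejecting a payload that marks an entity both public and a trusted-circle member, which the is_public semantics documented on this page treat as exclusive. The session and indicator IDs are placeholders, and how the War Room quotes a JSON argument is not handled here.

```python
"""Added example (not the integration's code): the two-step move of an
imported observable into a trusted circle. Step 1 is
!threatstream-clone-imported-indicator, whose ThreatStream.Clone context
carries the Import_Session_ID; step 2 is !threatstream-edit-classification
on that session. The clone context below is constructed, and the consistency
rules for the edit payload are assumptions drawn from the is_public semantics
documented on this page (public and trusted-circle membership are exclusive)."""
import json

# Constructed stand-in for the ThreatStream.Clone context produced by step 1.
SAMPLE_CLONE_CONTEXT = {"ThreatStream": {"Clone": {
    "ID": "1000001", "Import_Session_ID": "987654", "Job_ID": "555"}}}


def classification_edit_errors(circles, is_public):
    """Problems with a requested edit, or an empty list if it is consistent."""
    errors = []
    if is_public and circles:
        errors.append("an entity shared with trusted circles cannot be public")
    bad = [c for c in circles
           if isinstance(c, bool) or not isinstance(c, int) or c <= 0]
    if bad:
        errors.append(f"invalid trusted circle IDs: {bad}")
    return errors


def build_classification_edit(circles, is_public=False):
    """Build the JSON value for the data argument, in the compact form shown
    in the input table above, e.g. {"is_public":false,"circles":[12866]}."""
    errors = classification_edit_errors(circles, is_public)
    if errors:
        raise ValueError("; ".join(errors))
    payload = {"is_public": is_public, "circles": sorted(set(circles))}
    return json.dumps(payload, separators=(",", ":"))


def plan_move_to_circle(indicator_id, clone_context, circles):
    """Return the two command lines of the procedure. The import_id of step 2
    is read from the clone context that step 1 produced."""
    if not circles:
        raise ValueError("at least one trusted circle is required for the move")
    session = clone_context["ThreatStream"]["Clone"]["Import_Session_ID"]
    data = build_classification_edit(circles)
    return [
        f"!threatstream-clone-imported-indicator indicator_id={indicator_id}",
        f"!threatstream-edit-classification import_id={session} data={data}",
    ]


if __name__ == "__main__":
    for command in plan_move_to_circle("1000001", SAMPLE_CLONE_CONTEXT, [12866]):
        print(command)
```

Because the edit is applied to the clone's import session rather than to the original indicator, the original stays in place with its existing visibility while the copy takes on the trusted-circle classification.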