
Anomali ThreatStream v3

This integration is part of the Anomali ThreatStream Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Use Anomali ThreatStream to query and submit threats.

Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.

Configure Anomali ThreatStream v3 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Anomali ThreatStream v3.
  3. Click Add instance to create and configure a new integration instance.

     | Parameter | Description | Required |
     | --- | --- | --- |
     | Server URL (e.g., https://www.test.com) | | True |
     | Username | | True |
     | API Key | | True |
     | URL threshold | | False |
     | IP threshold | | False |
     | Domain threshold | | False |
     | File threshold | | False |
     | Email threshold | | False |
     | Include inactive results | Whether to include inactive indicators in reputation commands. | False |
     | Source Reliability | Reliability of the source providing the intelligence data. | True |
     | Trust any certificate (not secure) | | False |
     | Use system proxy settings | | False |
     | Create relationships | Create relationships between indicators as part of enrichment. | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

Checks the reputation of the given IP address.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to check. | Required |
| threshold | If the confidence is greater than the threshold, the IP address is considered malicious; otherwise it is considered good. This argument overrides the default IP threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with an inactive status. Possible values are: True, False. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| IP.ASN | String | The Autonomous System (AS) number associated with the indicator. |
| IP.Address | String | The IP address of the indicator. |
| IP.Geo.Country | String | The country associated with the indicator. |
| IP.Geo.Location | String | The longitude and latitude of the IP address. |
| ThreatStream.IP.ASN | String | The Autonomous System (AS) number associated with the indicator. |
| ThreatStream.IP.Address | String | The IP address of the indicator. |
| ThreatStream.IP.Country | String | The country associated with the indicator. |
| ThreatStream.IP.Type | String | The indicator type. |
| ThreatStream.IP.Modified | String | The time the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" marks the start of the time portion, in UTC. |
| ThreatStream.IP.Severity | String | The indicator severity ("very-high", "high", "medium", or "low"). |
| ThreatStream.IP.Confidence | String | The observable certainty level of a reported indicator type. The confidence score ranges from 0 to 100, in increasing order of confidence. |
| ThreatStream.IP.Status | String | The status assigned to the indicator. |
| ThreatStream.IP.Organization | String | The name of the business that owns the IP address associated with the indicator. |
| ThreatStream.IP.Source | String | The indicator source. |
| IP.Malicious.Vendor | String | The vendor that reported the indicator as malicious. |
| ThreatStream.IP.Tags | Unknown | Tags assigned to the IP. |
| IP.Tags | Unknown | List of IP tags. |
| IP.ThreatTypes | Unknown | Threat types associated with the IP. |

Command Example

!ip ip=78.78.78.67

Human Readable Output

No intelligence has been found for 78.78.78.67

domain

Checks the reputation of the given domain name.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain name to check. | Required |
| threshold | If the confidence is greater than the threshold, the domain is considered malicious; otherwise it is considered good. This argument overrides the default Domain threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with an inactive status. Possible values are: True, False. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name. |
| Domain.DNS | String | The IP addresses resolved by DNS. |
| Domain.WHOIS.CreationDate | Date | The date the domain was created. The date format is: YYYYMMDDThhmmss, where "T" marks the start of the time portion, in UTC. |
| Domain.WHOIS.UpdatedDate | Date | The date the domain was last updated. The date format is: YYYYMMDDThhmmss, where "T" marks the start of the time portion, in UTC. |
| Domain.WHOIS.Registrant.Name | String | The registrant name. |
| Domain.WHOIS.Registrant.Email | String | The registrant email address. |
| Domain.WHOIS.Registrant.Phone | String | The registrant phone number. |
| ThreatStream.Domain.ASN | String | The Autonomous System (AS) number associated with the indicator. |
| ThreatStream.Domain.Address | String | The indicator domain name. |
| ThreatStream.Domain.Country | String | The country associated with the indicator. |
| ThreatStream.Domain.Type | String | The indicator type. |
| ThreatStream.Domain.Modified | String | The date and time the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" marks the start of the time portion, in UTC. |
| ThreatStream.Domain.Severity | String | The indicator severity ("very-high", "high", "medium", or "low"). |
| ThreatStream.Domain.Confidence | String | The observable certainty level of a reported indicator type. The confidence score ranges from 0 to 100, in increasing order of confidence. |
| ThreatStream.Domain.Status | String | The status assigned to the indicator. |
| ThreatStream.Domain.Organization | String | The name of the business that owns the IP address associated with the indicator. |
| ThreatStream.Domain.Source | String | The indicator source. |
| Domain.Malicious.Vendor | String | The vendor that reported the indicator as malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| ThreatStream.Domain.Tags | Unknown | Tags assigned to the domain. |
| Domain.Tags | Unknown | List of domain tags. |
| Domain.ThreatTypes | Unknown | Threat types associated with the domain. |

Command Example

!domain domain=y.gp

Context Example

{
"DBotScore": {
"Indicator": "y.gp",
"Reliability": "B - Usually reliable",
"Score": 2,
"Type": "domain",
"Vendor": "Anomali ThreatStream v3"
},
"Domain": {
"CreationDate": "2021-09-14T13:19:23.801Z",
"DNS": "78.78.78.67",
"Geo": {
"Country": "DE",
"Location": "51.2993,9.491"
},
"Name": "y.gp",
"Organization": "Hetzner Online GmbH",
"Relationships": [
{
"EntityA": "y.gp",
"EntityAType": "Domain",
"EntityB": "78.78.78.67",
"EntityBType": "IP",
"Relationship": "resolved-from"
}
],
"Tags": [
"malware"
],
"ThreatTypes": [
{
"threatcategory": "malware",
"threatcategoryconfidence": null
}
],
"TrafficLightProtocol": "amber",
"UpdatedDate": "2021-09-14T13:19:23.801Z",
"WHOIS": {
"CreationDate": "2021-09-14T13:19:23.801Z",
"UpdatedDate": "2021-09-14T13:19:23.801Z"
}
},
"ThreatStream": {
"Domain": {
"ASN": "24940",
"Address": "y.gp",
"Confidence": 50,
"Country": "DE",
"Modified": "2021-09-14T13:19:23.801Z",
"Organization": "Hetzner Online GmbH",
"Severity": "very-high",
"Source": "Analyst",
"Status": "active",
"Tags": [
"malware"
],
"Type": "domain"
}
}
}

Human Readable Output

Domain reputation for: y.gp

| ASN | Address | Confidence | Country | Modified | Organization | Severity | Source | Status | Tags | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 24940 | y.gp | 50 | DE | 2021-09-14T13:19:23.801Z | Hetzner Online GmbH | very-high | Analyst | active | malware | domain |

file

Checks the reputation of the given file hash.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | The hash of the file to check. | Required |
| threshold | If the confidence is greater than the threshold, the file hash is considered malicious; otherwise it is considered good. This argument overrides the default File threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with an inactive status. Possible values are: True, False. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Malicious.Vendor | String | The vendor that reported the indicator as malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| ThreatStream.File.Severity | String | The indicator severity ("very-high", "high", "medium", or "low"). |
| ThreatStream.File.Confidence | String | The observable certainty level of a reported indicator type. The confidence score ranges from 0 to 100, in increasing order of confidence. |
| ThreatStream.File.Status | String | The status assigned to the indicator. |
| ThreatStream.File.Type | String | The indicator type. |
| ThreatStream.File.MD5 | String | The MD5 hash of the indicator. |
| ThreatStream.File.SHA1 | String | The SHA1 hash of the indicator. |
| ThreatStream.File.SHA256 | String | The SHA256 hash of the indicator. |
| ThreatStream.File.SHA512 | String | The SHA512 hash of the indicator. |
| ThreatStream.File.Modified | String | The date and time the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" marks the start of the time portion, in UTC. |
| ThreatStream.File.Source | String | The indicator source. |
| ThreatStream.File.Tags | Unknown | Tags assigned to the file. |
| File.Tags | Unknown | List of file tags. |
| File.ThreatTypes | Unknown | Threat types associated with the file. |

Command Example

!file file=178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1

Context Example

{
"DBotScore": {
"Indicator": "178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1",
"Reliability": "B - Usually reliable",
"Score": 2,
"Type": "file",
"Vendor": "Anomali ThreatStream v3"
},
"File": {
"SHA256": "178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1",
"Tags": [
"apt"
],
"ThreatTypes": [
{
"threatcategory": "apt",
"threatcategoryconfidence": null
}
]
},
"ThreatStream": {
"File": {
"Confidence": 50,
"Modified": "2021-09-13T12:40:42.596Z",
"SHA256": "178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1",
"Severity": "medium",
"Source": "TestSource",
"Status": "active",
"Tags": [
"apt"
],
"Type": "SHA256"
}
}
}

Human Readable Output

File reputation for: 178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1

| Confidence | Modified | SHA256 | Severity | Source | Status | Tags | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 50 | 2021-09-13T12:40:42.596Z | 178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1 | medium | TestSource | active | apt | SHA256 |

threatstream-email-reputation

Checks the reputation of the given email address.

Base Command

threatstream-email-reputation

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email | The email address to check. | Required |
| threshold | If the confidence is greater than the threshold, the email address is considered malicious; otherwise it is considered good. This argument overrides the default Email threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with an inactive status. Possible values are: True, False. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| ThreatStream.EmailReputation.Severity | String | The indicator severity ("very-high", "high", "medium", or "low"). |
| ThreatStream.EmailReputation.Confidence | String | The observable certainty level of a reported indicator type. The confidence score ranges from 0 to 100, in increasing order of confidence. |
| ThreatStream.EmailReputation.Status | String | The status assigned to the indicator. |
| ThreatStream.EmailReputation.Type | String | The indicator type. |
| ThreatStream.EmailReputation.Email | String | The indicator email address. |
| ThreatStream.EmailReputation.Source | String | The indicator source. |
| ThreatStream.EmailReputation.Modified | String | The date and time the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" marks the start of the time portion, in UTC. |
| ThreatStream.EmailReputation.Tags | Unknown | Tags assigned to the email address. |

Command Example

!threatstream-email-reputation email=egov@ac.in

Context Example

{
"DBotScore": {
"Indicator": "egov@ac.in",
"Reliability": "B - Usually reliable",
"Score": 3,
"Type": "email",
"Vendor": "Anomali ThreatStream v3"
},
"Email": {
"Address": "egov@ac.in"
},
"ThreatStream": {
"EmailReputation": {
"Confidence": 10000,
"Email": "egov@ac.in",
"Modified": "2021-08-01T10:35:53.484Z",
"Severity": "high",
"Source": "Analyst",
"Status": "active",
"Tags": [
"apt"
],
"Type": "email"
}
}
}

Human Readable Output

Email reputation for: egov@ac.in

| Confidence | Email | Modified | Severity | Source | Status | Tags | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 10000 | egov@ac.in | 2021-08-01T10:35:53.484Z | high | Analyst | active | apt | email |
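The ip, domain, file and threatstream-email-reputation commands above all apply the same rule: a record is dropped unless it is active (or include_inactive is set), and the surviving confidence is compared with the threshold. The following is an added example that implements that rule on records shaped like the ThreatStream.<Type> context objects documented here; it is not the integration's own code. Merging several intel records for one indicator by taking the highest-confidence one, and the sample records themselves, are assumptions.

```python
"""Reputation scoring as the ThreatStream v3 reputation commands describe it.

Added example, not code from the Cortex XSOAR integration. Records are dicts
shaped like the documented ThreatStream.<Type> context (Confidence, Severity,
Status, Tags, ...). The rule implemented is the documented one: confidence
strictly greater than the threshold means malicious, anything else is good,
and "No intelligence has been found" when no usable record remains.
"""
from typing import Any, Dict, List

VENDOR = "Anomali ThreatStream v3"

# Cortex XSOAR DBotScore values: 0 unknown, 1 good, 2 suspicious, 3 bad
UNKNOWN, GOOD, BAD = 0, 1, 3


def select_records(records: List[Dict[str, Any]], include_inactive: bool) -> List[Dict[str, Any]]:
    """Drop inactive intel unless the include_inactive argument is set."""
    if include_inactive:
        return list(records)
    return [r for r in records if r.get("Status") == "active"]


def threat_types(record: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Tags become ThreatTypes entries, as in the page's domain context example."""
    return [{"threatcategory": t, "threatcategoryconfidence": None} for t in record.get("Tags", [])]


def reputation(indicator: str, itype: str, records: List[Dict[str, Any]],
               threshold: int, include_inactive: bool = False) -> Dict[str, Any]:
    """Return the DBotScore and enrichment for one indicator.

    threshold is the command argument, which overrides the instance-level
    <Type> threshold parameter when given.
    """
    usable = select_records(records, include_inactive)
    if not usable:
        return {
            "DBotScore": {"Indicator": indicator, "Type": itype, "Vendor": VENDOR, "Score": UNKNOWN},
            "HumanReadable": f"No intelligence has been found for {indicator}",
        }
    # Assumption: when several records survive, the highest-confidence one decides.
    best = max(usable, key=lambda r: int(r.get("Confidence", 0)))
    confidence = int(best.get("Confidence", 0))
    score = BAD if confidence > threshold else GOOD
    result: Dict[str, Any] = {
        "DBotScore": {"Indicator": indicator, "Type": itype, "Vendor": VENDOR, "Score": score},
        "ThreatStream": {"Record": best},
        "Tags": list(best.get("Tags", [])),
        "ThreatTypes": threat_types(best),
        "HumanReadable": f"{itype} reputation for: {indicator} (confidence {confidence}, threshold {threshold})",
    }
    if score == BAD:
        # Mirrors the IP/Domain/File.Malicious.Vendor context path
        result["Malicious"] = {"Vendor": VENDOR}
    return result


# Constructed sample records (not real ThreatStream data): one active hit at
# confidence 50 and one stale, inactive hit at confidence 90 for the same domain.
SAMPLE_RECORDS = [
    {"Address": "y.gp", "Confidence": 50, "Severity": "very-high", "Status": "active",
     "Source": "Analyst", "Tags": ["malware"], "Type": "domain"},
    {"Address": "y.gp", "Confidence": 90, "Severity": "high", "Status": "inactive",
     "Source": "OldFeed", "Tags": ["c2"], "Type": "domain"},
]

if __name__ == "__main__":
    for thr, inactive in ((65, False), (40, False), (65, True)):
        r = reputation("y.gp", "domain", SAMPLE_RECORDS, threshold=thr, include_inactive=inactive)
        print(thr, inactive, r["DBotScore"]["Score"], r["HumanReadable"])
```

Note that turning on include_inactive lets the stale record with the higher confidence decide the verdict, which is why the parameter defaults to off.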

threatstream-get-passive-dns

Returns passive DNS enrichment data for a domain or IP address, where observables are available.

Base Command

threatstream-get-passive-dns

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The type of passive DNS search ("ip", "domain"). Possible values are: ip, domain. Default is ip. | Required |
| value | The IP address or domain name to look up. | Required |
| limit | The maximum number of results to return. Default is 50. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.PassiveDNS.Domain | String | The domain value. |
| ThreatStream.PassiveDNS.Ip | String | The IP value. |
| ThreatStream.PassiveDNS.Rrtype | String | The Rrtype value. |
| ThreatStream.PassiveDNS.Source | String | The source value. |
| ThreatStream.PassiveDNS.FirstSeen | String | The first seen date. The date format is: YYYYMMDDThhmmss, where "T" marks the start of the time portion, in UTC. |
| ThreatStream.PassiveDNS.LastSeen | String | The last seen date. The date format is: YYYYMMDDThhmmss, where "T" marks the start of the time portion, in UTC. |

Command Example

!threatstream-get-passive-dns type="domain" value="y.gp" limit="1"

Context Example

{
"ThreatStream": {
"PassiveDNS": [
{
"Domain": "y.gp",
"FirstSeen": "2015-07-20 02:33:47",
"Ip": "78.78.78.67",
"LastSeen": "2015-12-19 06:44:35",
"Rrtype": "A",
"Source": "Anomali Labs"
}
]
}
}

Human Readable Output

Passive DNS enrichment data for: y.gp

| Domain | FirstSeen | Ip | LastSeen | Rrtype | Source |
| --- | --- | --- | --- | --- | --- |
| y.gp | 2015-07-20 02:33:47 | 78.78.78.67 | 2015-12-19 06:44:35 | A | Anomali Labs |

threatstream-import-indicator-with-approval

Imports indicators (observables) into ThreatStream. The imported data must be approved using the ThreatStream UI. The data can be imported using one of three methods: plain text, file, or URL.

Base Command

threatstream-import-indicator-with-approval

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| confidence | The observable certainty level of a reported indicator type. Default is 50. | Optional |
| classification | Whether the indicator data is public or private to the organization. Possible values are: private, public. Default is private. | Optional |
| threat_type | The type of threat associated with the imported observables. Possible values are: adware, anomalous, anonymization, apt, bot, brute, c2, compromised, crypto, data_leakage, ddos, dyn_dns, exfil, exploit, hack_tool, i2p, informational, malware, p2p, parked, phish, scan, sinkhole, spam, suppress, suspicious, tor, vps. Default is exploit. | Optional |
| severity | The potential impact of the indicator type with which the observable is believed to be associated. Possible values are: low, medium, high, very-high. Default is low. | Optional |
| import_type | The import type of the indicator. Possible values are: datatext, file-id, url. | Required |
| import_value | The source of the imported data: a URL, the data text itself, or the file ID of a file uploaded to the War Room (matching import_type). Supported file types for file-id are: CSV, HTML, IOC, JSON, PDF, TXT. | Required |
| ip_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported IP-type observable when an explicit itype is not specified for it. | Optional |
| domain_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported domain-type observable when an explicit itype is not specified for it. | Optional |
| url_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported URL-type observable when an explicit itype is not specified for it. | Optional |
| email_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported email-type observable when an explicit itype is not specified for it. | Optional |
| md5_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported MD5-type observable when an explicit itype is not specified for it. | Optional |

Context Output

There is no context output for this command.

Command Example

!threatstream-import-indicator-with-approval import_type=datatext import_value=78.78.78.67

Context Example

{
"ThreatStream": {
"Import": {
"ImportID": "36118"
}
}
}

Human Readable Output

The data was imported successfully. The ID of the import job is: 36118

threatstream-import-indicator-without-approval

Imports indicators (observables) into ThreatStream. Approval is not required for the imported data. You must have the Approve Intel user permission to import without approval using the API.

Base Command

threatstream-import-indicator-without-approval

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| confidence | The observable certainty level of a reported indicator type. Default is 50. | Optional |
| source_confidence_weight | To use your specified confidence entirely and not re-assess the value using machine learning algorithms, set source_confidence_weight to 100. | Optional |
| expiration_ts | The time stamp when the intelligence will expire on ThreatStream, in ISO format. For example, 2020-12-24T00:00:00. | Optional |
| severity | The severity to assign to the observable when it is imported. Possible values are: low, medium, high, very-high. | Optional |
| tags | A comma-separated list of tags. For example, tag1,tag2. | Optional |
| trustedcircles | A comma-separated list of trusted circle IDs with which the threat data should be shared. | Optional |
| classification | Denotes whether the indicator data is public or private to the organization. Possible values are: private, public. | Required |
| allow_unresolved | Whether unresolved domain observables included in the file are accepted as valid in ThreatStream and imported. Possible values are: yes, no. | Optional |
| file_id | The entry ID of a file (containing JSON with an "objects" array and a "meta" map) that is uploaded to the War Room. | Required |

Context Output

There is no context output for this command.

Command Example

!threatstream-import-indicator-without-approval classification=private file_id=2761@3c9bd2a0-9eac-465b-8799-459df4997b2d

Human Readable Output

The data was imported successfully.
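The command above reads a JSON file with a "meta" map and an "objects" array from the War Room. As an added example (not the integration's own code), the following builds such a file while enforcing the argument constraints documented above: classification, severity and confidence ranges, the ISO expiration_ts format, and the comma-separated tags and trustedcircles lists. The per-object keys (srcip, domain, url, email, md5 plus itype), the itype values in the sample, and the list encoding of tags and trustedcircles are assumptions about ThreatStream's import format and should be checked against the ThreatStream API reference before use.

```python
"""Build the import file for threatstream-import-indicator-without-approval.

Added example, not code from the Cortex XSOAR integration. The "meta" keys mirror
the command's documented arguments; the object keys and list encodings are
assumptions about the ThreatStream import format.
"""
import ipaddress
import json
import re
from datetime import datetime
from typing import Any, Dict, List, Optional, Tuple

SEVERITIES = ("low", "medium", "high", "very-high")
CLASSIFICATIONS = ("private", "public")
# Assumed key carrying the observable value, per indicator kind
VALUE_KEYS = {"ip": "srcip", "domain": "domain", "url": "url", "email": "email", "md5": "md5"}
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def _split_csv(value: str) -> List[str]:
    """Comma-separated argument (e.g. tag1,tag2) to a list without blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def build_meta(classification: str, confidence: int = 50, severity: Optional[str] = None,
               expiration_ts: Optional[str] = None, tags: str = "", trustedcircles: str = "",
               allow_unresolved: Optional[bool] = None,
               source_confidence_weight: Optional[int] = None) -> Dict[str, Any]:
    """Validate the documented argument constraints and return the meta map."""
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"classification must be one of {CLASSIFICATIONS}")
    if not 0 <= confidence <= 100:
        raise ValueError("confidence must be between 0 and 100")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if expiration_ts is not None:
        # Documented format is ISO, e.g. 2020-12-24T00:00:00; strptime raises otherwise
        datetime.strptime(expiration_ts, "%Y-%m-%dT%H:%M:%S")
    if source_confidence_weight is not None and not 0 <= source_confidence_weight <= 100:
        raise ValueError("source_confidence_weight must be between 0 and 100")
    meta: Dict[str, Any] = {"classification": classification, "confidence": confidence}
    if severity:
        meta["severity"] = severity
    if expiration_ts:
        meta["expiration_ts"] = expiration_ts
    if tags:
        meta["tags"] = _split_csv(tags)
    if trustedcircles:
        meta["trustedcircles"] = _split_csv(trustedcircles)
    if allow_unresolved is not None:
        meta["allow_unresolved"] = allow_unresolved
    if source_confidence_weight is not None:
        meta["source_confidence_weight"] = source_confidence_weight
    return meta


def build_object(kind: str, value: str, itype: str) -> Dict[str, Any]:
    """One observable; rejects values that do not match the declared kind."""
    if kind not in VALUE_KEYS:
        raise ValueError(f"unsupported kind {kind!r}")
    if kind == "ip":
        ipaddress.ip_address(value)  # raises ValueError on anything that is not an IP
    elif kind == "md5" and not MD5_RE.match(value):
        raise ValueError("md5 must be 32 hex characters")
    elif kind == "email" and ("@" not in value or value.startswith("@")):
        raise ValueError("email must contain a local part and a domain")
    elif kind == "domain" and not DOMAIN_RE.match(value):
        raise ValueError("domain is not a valid hostname")
    elif kind == "url" and not value.lower().startswith(("http://", "https://")):
        raise ValueError("url must start with http:// or https://")
    return {VALUE_KEYS[kind]: value, "itype": itype}


def is_valid_observable(kind: str, value: str, itype: str) -> bool:
    """Convenience wrapper so callers can pre-filter a feed before building the file."""
    try:
        build_object(kind, value, itype)
        return True
    except ValueError:
        return False


def build_import_file(meta: Dict[str, Any], observables: List[Tuple[str, str, str]]) -> str:
    """Serialise meta + objects to the JSON text that is uploaded to the War Room."""
    objects = [build_object(k, v, t) for k, v, t in observables]
    if not objects:
        raise ValueError("at least one observable is required")
    return json.dumps({"meta": meta, "objects": objects}, indent=2)


if __name__ == "__main__":
    # Constructed sample input; mal_ip / mal_domain are assumed ThreatStream itype names
    meta = build_meta("private", confidence=50, severity="medium",
                      expiration_ts="2020-12-24T00:00:00", tags="tag1,tag2", allow_unresolved=False)
    print(build_import_file(meta, [("ip", "78.78.78.67", "mal_ip"), ("domain", "y.gp", "mal_domain")]))
```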

threatstream-get-model-list

Returns a list of threat models.

Base Command

threatstream-get-model-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| model | The threat model type of the returned list. Possible values are: actor, campaign, incident, signature, ttp, vulnerability, tipreport. | Required |
| limit | Limits the number of models returned. Specifying limit=0 returns up to a maximum of 1000 models; for limit=0 the output is not set in the context. Default is 50. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.List.Type | String | The threat model type. |
| ThreatStream.List.Name | String | The threat model name. |
| ThreatStream.List.ID | String | The threat model ID. |
| ThreatStream.List.CreatedTime | String | The date and time of threat model creation. The date format is: YYYYMMDDThhmmss, where "T" marks the start of the time portion, in UTC. |

Command Example

!threatstream-get-model-list model=actor limit=10

Context Example

{
"ThreatStream": {
"List": [
{
"CreatedTime": "2019-02-19T16:42:00.933984",
"ID": 1,
"Name": "Fleahopper Actor",
"Type": "Actor"
},
{
"CreatedTime": "2019-08-24T02:47:29.204380",
"ID": 10158,
"Name": "report actor 1",
"Type": "Actor"
},
{
"CreatedTime": "2019-08-28T16:35:39.316135",
"ID": 10159,
"Name": "report actor 1",
"Type": "Actor"
},
{
"CreatedTime": "2020-10-14T12:28:54.937276",
"ID": 10909,
"Name": "MANDRA",
"Type": "Actor"
},
{
"CreatedTime": "2021-09-14T13:37:02.111599",
"ID": 26769,
"Name": "New_Created_Actor",
"Type": "Actor"
}
]
}
}

Human Readable Output

List of Actors

| CreatedTime | ID | Name | Type |
| --- | --- | --- | --- |
| 2019-02-19T16:42:00.933984 | 1 | Fleahopper Actor | Actor |
| 2019-08-24T02:47:29.204380 | 10158 | report actor 1 | Actor |
| 2019-08-28T16:35:39.316135 | 10159 | report actor 1 | Actor |
| 2020-10-14T12:28:54.937276 | 10909 | MANDRA | Actor |
| 2021-09-14T13:37:02.111599 | 26769 | New_Created_Actor | Actor |

threatstream-get-model-description

Returns an HTML file with a description of the threat model.

Base Command

threatstream-get-model-description

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| model | The threat model type. Possible values are: actor, campaign, incident, signature, ttp, vulnerability, tipreport. | Required |
| id | The threat model ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Name | String | The file name of the model description. |
| File.EntryID | String | The entry ID of the model description. |

Command Example

!threatstream-get-model-description model=actor id=1

Context Example

{
"File": {
"EntryID": "3171@3c9bd2a0-9eac-465b-8799-459df4997b2d",
"Extension": "html",
"Info": "text/html; charset=utf-8",
"MD5": "18d7610f85c1216e78c59cbde5c470d9",
"Name": "actor_1.html",
"SHA1": "c778f72fd7799108db427f632ca6b2bb07c9bde4",
"SHA256": "6d06bdc613490216373e2b189c8d41143974c7a128da26e8fc4ba4f45a7e718b",
"SHA512": "989b0ae32b61b3b5a7ea1c3e629b50f07e7086310f8e4057ec046b368e55fc82cae873bd81eada657d827c96c71253b6ba3688561844ce983cdc5019d9666aa4",
"SSDeep": "48:32u8P32apgpIph9/gldn2++TnlCC4i72gSmB2rXpzNZx:32tuapgpCglM++TCE2gSN/",
"Size": 1868,
"Type": "ASCII text, with very long lines, with no line terminators"
}
}

Human Readable Output

threatstream-get-indicators-by-model

Returns a list of indicators associated with the specified threat model type and model ID.

Base Command

threatstream-get-indicators-by-model

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| model | The threat model type. Possible values are: actor, campaign, incident, signature, ttp, vulnerability, tipreport. | Required |
| id | The model ID. | Required |
| limit | The maximum number of results to return. Default is 20. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Model.ModelType | String | The threat model type. |
| ThreatStream.Model.ModelID | String | The threat model ID. |
| ThreatStream.Model.Indicators.Value | String | The value of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ID | String | The ID of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.IType | String | The iType of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Severity | String | The severity of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Confidence | String | The confidence of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Country | String | The country of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Organization | String | The organization of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ASN | String | The ASN of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Status | String | The status of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Tags | String | The tags of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Modified | String | The date and time the indicator was last modified. |
| ThreatStream.Model.Indicators.Source | String | The indicator source. |
| ThreatStream.Model.Indicators.Type | String | The indicator type. |

Command Example

!threatstream-get-indicators-by-model id=731 model=incident

Context Example

{
"ThreatStream": {
"Model": {
"Indicators": [
{
"ASN": "",
"Confidence": 50,
"Country": null,
"ID": 181481953,
"IType": "mal_email",
"Modified": "2021-03-25T13:27:58.922Z",
"Organization": "",
"Severity": "low",
"Source": "Analyst",
"Status": "inactive",
"Tags": "tag-approved",
"Type": "email",
"Value": "testemail123@test.com"
}
],
"ModelID": "731",
"ModelType": "Incident"
}
}
}

Human Readable Output

Indicators list for Threat Model Incident with id 731

| ASN | Confidence | Country | ID | IType | Modified | Organization | Severity | Source | Status | Tags | Type | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 50 | | 181481953 | mal_email | 2021-03-25T13:27:58.922Z | | low | Analyst | inactive | tag-approved | email | testemail123@test.com |

threatstream-submit-to-sandbox

Submits a file or URL to the ThreatStream-hosted sandbox for detonation.

Base Command

threatstream-submit-to-sandbox

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| submission_classification | Classification of the sandbox submission. Possible values are: private, public. Default is private. | Optional |
| report_platform | The platform on which the submitted URL or file is run. To obtain a list of supported platforms, run the threatstream-supported-platforms command. Possible values are: WINDOWS7, WINDOWSXP. Default is WINDOWS7. | Optional |
| submission_type | The detonation type. Possible values are: file, url. Default is file. | Required |
| submission_value | The submission value: a valid URL, or the ID of a file uploaded to the War Room, to detonate. | Required |
| premium_sandbox | Whether the premium sandbox should be used for detonation. Possible values are: false, true. Default is false. | Optional |
| detail | A comma-separated list of additional details for the indicator. This information is displayed in the Tag column of the ThreatStream UI. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Analysis.ReportID | String | The ID of the report submitted to the sandbox. |
| ThreatStream.Analysis.Status | String | The analysis status. |
| ThreatStream.Analysis.Platform | String | The platform of the submission submitted to the sandbox. |

Command Example

!threatstream-submit-to-sandbox submission_classification="private" report_platform="WINDOWS7" submission_type="file" submission_value="1711@3c9bd2a0-9eac-465b-8799-459df4997b2d" premium_sandbox="false"

Context Example

{
"ThreatStream": {
"Analysis": {
"Platform": "WINDOWS7",
"ReportID": 12418,
"Status": "processing"
}
}
}

Human Readable Output

The submission info for 1711@3c9bd2a0-9eac-465b-8799-459df4997b2d

| Platform | ReportID | Status |
| --- | --- | --- |
| WINDOWS7 | 12418 | processing |

threatstream-get-analysis-status

Returns the current status of the report submitted to the sandbox. The report ID is returned by the threatstream-submit-to-sandbox command.

Base Command

threatstream-get-analysis-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The ID of the report whose status to check. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Analysis.ReportID | String | The report ID of the file or URL that was detonated in the sandbox. |
| ThreatStream.Analysis.Status | String | The report status of the file or URL that was detonated in the sandbox. |
| ThreatStream.Analysis.Platform | String | The platform used for detonation. |
| ThreatStream.Analysis.Verdict | String | The report verdict of the file or URL detonated in the sandbox. The verdict remains "benign" until detonation is complete. |

Command Example

!threatstream-get-analysis-status report_id=12414

Context Example

{
"ThreatStream": {
"Analysis": {
"Platform": "WINDOWS7",
"ReportID": "12414",
"Status": "errors",
"Verdict": "Benign"
}
}
}

Human Readable Output

The analysis status for id 12414

| Platform | ReportID | Status | Verdict |
| --- | --- | --- | --- |
| WINDOWS7 | 12414 | errors | Benign |

threatstream-analysis-report

Returns the report of a file or URL submitted to the sandbox.

Base Command

threatstream-analysis-report

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The ID of the report to return. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Analysis.ReportID | String | The ID of the report submitted to the sandbox. |
| ThreatStream.Analysis.Category | String | The report category. |
| ThreatStream.Analysis.Started | String | The detonation start time. |
| ThreatStream.Analysis.Completed | String | The detonation completion time. |
| ThreatStream.Analysis.Duration | Number | The duration of the detonation (in seconds). |
| ThreatStream.Analysis.VmName | String | The VM name. |
| ThreatStream.Analysis.VmID | String | The VM ID. |
| ThreatStream.Analysis.Network.UdpSource | String | The UDP source. |
| ThreatStream.Analysis.Network.UdpDestination | String | The UDP destination. |
| ThreatStream.Analysis.Network.UdpPort | String | The UDP port. |
| ThreatStream.Analysis.Network.IcmpSource | String | The ICMP source. |
| ThreatStream.Analysis.Network.IcmpDestination | String | The ICMP destination. |
| ThreatStream.Analysis.Network.IcmpPort | String | The ICMP port. |
| ThreatStream.Analysis.Network.TcpSource | String | The TCP source. |
| ThreatStream.Analysis.Network.TcpDestination | String | The TCP destination. |
| ThreatStream.Analysis.Network.TcpPort | String | The TCP port. |
| ThreatStream.Analysis.Network.HttpSource | String | The source of the HTTP address. |
| ThreatStream.Analysis.Network.HttpDestinaton | String | The destination of the HTTP address. |
| ThreatStream.Analysis.Network.HttpPort | String | The port of the HTTP address. |
| ThreatStream.Analysis.Network.HttpsSource | String | The source of the HTTPS address. |
| ThreatStream.Analysis.Network.HttpsDestinaton | String | The destination of the HTTPS address. |
| ThreatStream.Analysis.Network.HttpsPort | String | The port of the HTTPS address. |
| ThreatStream.Analysis.Network.Hosts | String | The network analysis hosts. |
| ThreatStream.Analysis.Verdict | String | The verdict of the sandbox detonation. |

Command Example

!threatstream-analysis-report report_id="12212"

Context Example

{
"ThreatStream": {
"Analysis": {
"Category": "Url",
"Completed": "2021-08-19 06:51:52",
"Duration": 152,
"Network": [
{
"UdpDestination": "8.8.8.8",
"UdpPort": 53,
"UdpSource": "192.168.2.4"
},
{
"TcpDestination": "78.78.78.67",
"TcpPort": 443,
"TcpSource": "78.78.78.67"
},
{
"TcpDestination": "78.78.78.67",
"TcpPort": 443,
"TcpSource": "78.78.78.67"
},
{
"HttpsDestination": "78.78.78.67",
"HttpsPort": 443,
"HttpsSource": "78.78.78.67"
},
{
"Hosts": "78.78.78.67"
}
],
"ReportID": "12212",
"Started": "2021-08-19 06:49:20",
"Verdict": "Benign",
"VmID": "",
"VmName": ""
}
}
}

Human Readable Output

Report 12212 analysis results

| Category | Completed | Duration | ReportID | Started | Verdict | VmID | VmName |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Url | 2021-08-19 06:51:52 | 152 | 12212 | 2021-08-19 06:49:20 | Benign | | |

threatstream-get-indicators#


Return filtered indicators from ThreatStream. If a query is defined, it overrides all other arguments that were passed to the command.

Base Command#

threatstream-get-indicators

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The Anomali Observable Search Filter Language query to filter indicator results. If a query is passed as an argument, it overrides all other arguments. | Optional |
| asn | The Autonomous System (AS) number associated with the indicator. | Optional |
| confidence | The observable certainty level of a reported indicator type. Confidence scores range from 0-100 in increasing order of confidence, and are assigned by ThreatStream based on several factors. | Optional |
| country | The country associated with the indicator. | Optional |
| created_ts | When the indicator was first seen on the ThreatStream cloud platform. The date must be specified in this format: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time. For example, 2014-10-02T20:44:35. | Optional |
| id | The unique ID for the indicator. | Optional |
| is_public | Whether the classification of the indicator is public. Default is "false". Possible values are: false, true. | Optional |
| indicator_severity | The severity assigned to the indicator by ThreatStream. | Optional |
| org | The registered owner (organization) of the IP address associated with the indicator. | Optional |
| status | The status assigned to the indicator. Can be "active", "inactive", or "falsepos". Possible values are: active, inactive, falsepos. | Optional |
| tags_name | The tag assigned to the indicator. | Optional |
| type | The type of indicator. Can be "domain", "email", "ip", "MD5", "string", or "url". Possible values are: domain, email, ip, md5, string, url. | Optional |
| indicator_value | The value of the indicator. | Optional |
| limit | The maximum number of results to return from ThreatStream. Default is 20. | Optional |
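
The argument table above carries two rules that are easy to get wrong in a playbook: a query overrides every other filter argument, and several arguments only accept a fixed set of values or a specific timestamp format. The following is an added example, not the integration's own code, that validates a command's arguments and produces the filter set for one invocation. The keys of the returned dict are the command's own argument names; the HTTP parameter names the integration sends to ThreatStream are not on this page, so that mapping is an assumption left out here.

```python
"""Added example (not the integration's own code): validate the arguments
of threatstream-get-indicators and apply the documented rule that a
``query`` overrides all other filter arguments."""
import re

# Filter arguments listed in the command's Input table.
FILTER_ARGS = ("asn", "confidence", "country", "created_ts", "id", "is_public",
               "indicator_severity", "org", "status", "tags_name", "type",
               "indicator_value")
VALID_STATUS = {"active", "inactive", "falsepos"}
VALID_TYPES = {"domain", "email", "ip", "md5", "string", "url"}
DEFAULT_LIMIT = 20
# Accept both spellings the documentation uses: YYYYMMDDThhmmss and the
# dashed/colon form of the documented example value 2014-10-02T20:44:35.
CREATED_TS_RE = re.compile(r"^\d{4}-?\d{2}-?\d{2}T\d{2}:?\d{2}:?\d{2}$")


def build_indicator_filter(args):
    """Return the filter dict for one command invocation.
    Raises ValueError on a bad enum value, timestamp, confidence or limit."""
    limit = int(args.get("limit", DEFAULT_LIMIT))
    if limit <= 0:
        raise ValueError("limit must be a positive integer")
    query = args.get("query")
    if query:
        # Documented behaviour: a query overrides all other arguments.
        # Only the result limit is still applied.
        return {"query": query, "limit": limit}
    params = {"limit": limit}
    for key in FILTER_ARGS:
        value = args.get(key)
        if value is None or value == "":
            continue
        if key == "status" and value not in VALID_STATUS:
            raise ValueError(f"status must be one of {sorted(VALID_STATUS)}")
        if key == "type":
            value = value.lower()  # the table lists "MD5" but the accepted value is md5
            if value not in VALID_TYPES:
                raise ValueError(f"type must be one of {sorted(VALID_TYPES)}")
        if key == "created_ts" and not CREATED_TS_RE.match(value):
            raise ValueError("created_ts must look like YYYYMMDDThhmmss")
        if key == "confidence" and not 0 <= int(value) <= 100:
            raise ValueError("confidence must be between 0 and 100")
        params[key] = value
    return params


if __name__ == "__main__":
    # Mirrors the Command Example below: type=ip status=active limit=5
    print(build_indicator_filter({"type": "ip", "status": "active", "limit": "5"}))
```

Validating before the call matters because a rejected enum value or malformed timestamp otherwise surfaces only as an API error in the War Room, and a silently ignored filter can return far more indicators than the playbook expected.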

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Indicators.IType | String | The indicator type. |
| ThreatStream.Indicators.Modified | String | The date and time the indicator was last updated in ThreatStream. The date format is: YYYYMMDDThhmmss, where T denotes the start of the value for time in UTC time. |
| ThreatStream.Indicators.Confidence | String | The observable certainty level of a reported indicator type. |
| ThreatStream.Indicators.Value | String | The indicator value. |
| ThreatStream.Indicators.Status | String | The indicator status. |
| ThreatStream.Indicators.Organization | String | The registered owner (organization) of the IP address associated with the indicator. |
| ThreatStream.Indicators.Country | String | The country associated with the indicator. |
| ThreatStream.Indicators.Tags | String | The tag assigned to the indicator. |
| ThreatStream.Indicators.Source | String | The indicator source. |
| ThreatStream.Indicators.ID | String | The indicator ID. |
| ThreatStream.Indicators.ASN | String | The Autonomous System (AS) number associated with the indicator. |
| ThreatStream.Indicators.Severity | String | The severity assigned to the indicator. |

Command Example#

!threatstream-get-indicators type=ip status=active limit=5

Context Example#

{
    "ThreatStream": {
        "Indicators": [
            {
                "ASN": "",
                "Confidence": 100,
                "Country": null,
                "ID": 239450621,
                "IType": "apt_ip",
                "Modified": "2021-05-24T16:42:09.245Z",
                "Organization": "",
                "Severity": "very-high",
                "Source": "Analyst",
                "Status": "active",
                "Tags": null,
                "Type": "ip",
                "Value": "78.78.78.67"
            },
            {
                "ASN": "",
                "Confidence": -1,
                "Country": null,
                "ID": 235549247,
                "IType": "apt_ip",
                "Modified": "2021-04-29T16:02:17.558Z",
                "Organization": "",
                "Severity": "very-high",
                "Source": "Analyst",
                "Status": "active",
                "Tags": null,
                "Type": "ip",
                "Value": "78.78.78.67"
            }
        ]
    }
}

Human Readable Output#

The indicators results#

| ASN | Confidence | Country | ID | IType | Modified | Organization | Severity | Source | Status | Tags | Type | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 100 | | 239450621 | apt_ip | 2021-05-24T16:42:09.245Z | | very-high | Analyst | active | | ip | 78.78.78.67 |
| | -1 | | 235549247 | apt_ip | 2021-04-29T16:02:17.558Z | | very-high | Analyst | active | | ip | 78.78.78.67 |

threatstream-add-tag-to-model#


Adds tags to intelligence to filter for related entities.

Base Command#

threatstream-add-tag-to-model

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| model | The type of threat model entity to which to add the tag. Can be "actor", "campaign", "incident", "intelligence", "signature", "tipreport", "ttp", or "vulnerability". Possible values are: actor, campaign, incident, intelligence, signature, tipreport, ttp, vulnerability. Default is intelligence. | Optional |
| tags | A comma-separated list of tags applied to the specified threat model entities or observable. | Required |
| model_id | The ID of the model to which to add the tag. | Required |

Context Output#

There is no context output for this command.

Command Example#

!threatstream-add-tag-to-model model=incident model_id=130 tags="suspicious,not valid"

Human Readable Output#

Added successfully tags: ['suspicious', 'not valid'] to incident with 130

threatstream-create-model#


Creates a threat model with the specified parameters.

Base Command#

threatstream-create-model

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| model | The type of threat model to create. Can be "actor", "campaign", "incident", "ttp", "vulnerability", or "tipreport". Possible values are: actor, campaign, incident, ttp, vulnerability, tipreport. | Required |
| name | The name of the threat model to create. | Required |
| is_public | Whether the threat model is publicly visible. Possible values are: true, false. Default is false. | Optional |
| tlp | The Traffic Light Protocol designation for the threat model. Can be "red", "amber", "green", or "white". Possible values are: red, amber, green, white. Default is red. | Optional |
| tags | A comma-separated list of tags. | Optional |
| intelligence | A comma-separated list of indicator IDs associated with the threat model on the ThreatStream platform. | Optional |
| description | The description of the threat model. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Model.ModelType | String | The threat model type. |
| ThreatStream.Model.ModelID | String | The threat model ID. |
| ThreatStream.Model.Indicators.Value | String | The value of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ID | String | The ID of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.IType | String | The iType of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Severity | String | The severity of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Confidence | String | The confidence of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Country | String | The country of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Organization | String | The organization of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ASN | String | The ASN of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Status | String | The status of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Tags | String | The tags of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Modified | String | The date and time the indicator was last modified. |
| ThreatStream.Model.Indicators.Source | String | The indicator source. |
| ThreatStream.Model.Indicators.Type | String | The indicator type. |

Command Example#

!threatstream-create-model model=actor name="New_Created_Actor_1" description="Description of the actor threat model" intelligence=191431508 tags="new actor,test" tlp=red

Context Example#

{
    "ThreatStream": {
        "Model": {
            "Indicators": [
                {
                    "ASN": "",
                    "Confidence": 50,
                    "Country": null,
                    "ID": 191431508,
                    "IType": "apt_md5",
                    "Modified": "2021-09-13T12:40:42.596Z",
                    "Organization": "",
                    "Severity": "medium",
                    "Source": "TestSource",
                    "Status": "active",
                    "Tags": null,
                    "Type": "SHA256",
                    "Value": "178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1"
                }
            ],
            "ModelID": 26770,
            "ModelType": "Actor"
        }
    }
}

Human Readable Output#

Indicators list for Threat Model Actor with id 26770#

| ASN | Confidence | Country | ID | IType | Modified | Organization | Severity | Source | Status | Tags | Type | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 50 | | 191431508 | apt_md5 | 2021-09-13T12:40:42.596Z | | medium | TestSource | active | | SHA256 | 178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1 |

threatstream-update-model#


Updates a threat model with specific parameters. If one or more optional parameters are defined, the command overrides previous data stored in ThreatStream.

Base Command#

threatstream-update-model

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| model | The type of threat model to update. Can be "actor", "campaign", "incident", "ttp", "vulnerability", or "tipreport". Possible values are: actor, campaign, incident, ttp, vulnerability, tipreport. | Required |
| model_id | The ID of the threat model to update. | Required |
| name | The name of the threat model to update. | Optional |
| is_public | Whether the threat model is publicly visible. Possible values are: true, false. Default is false. | Optional |
| tlp | The Traffic Light Protocol designation for the threat model. Can be "red", "amber", "green", or "white". Possible values are: red, amber, green, white. Default is red. | Optional |
| tags | A comma-separated list of tags. | Optional |
| intelligence | A comma-separated list of indicator IDs associated with the threat model on the ThreatStream platform. | Optional |
| description | The description of the threat model. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.Model.ModelType | String | The threat model type. |
| ThreatStream.Model.ModelID | String | The threat model ID. |
| ThreatStream.Model.Indicators.Value | String | The value of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ID | String | The ID of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.IType | String | The iType of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Severity | String | The severity of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Confidence | String | The confidence of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Country | String | The country of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Organization | String | The organization of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ASN | String | The ASN of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Status | String | The status of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Tags | String | The tags of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Modified | String | The date and time the indicator was last modified. |
| ThreatStream.Model.Indicators.Source | String | The indicator source. |
| ThreatStream.Model.Indicators.Type | String | The indicator type. |

Command Example#

!threatstream-update-model model=actor model_id=26769 intelligence=191431508 tags="updated tag,gone"

Context Example#

{
    "ThreatStream": {
        "Model": {
            "Indicators": [
                {
                    "ASN": "",
                    "Confidence": 50,
                    "Country": null,
                    "ID": 191431508,
                    "IType": "apt_md5",
                    "Modified": "2021-09-13T12:40:42.596Z",
                    "Organization": "",
                    "Severity": "medium",
                    "Source": "TestSource",
                    "Status": "active",
                    "Tags": null,
                    "Type": "SHA256",
                    "Value": "178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1"
                }
            ],
            "ModelID": "26769",
            "ModelType": "Actor"
        }
    }
}

Human Readable Output#

Indicators list for Threat Model Actor with id 26769#

| ASN | Confidence | Country | ID | IType | Modified | Organization | Severity | Source | Status | Tags | Type | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 50 | | 191431508 | apt_md5 | 2021-09-13T12:40:42.596Z | | medium | TestSource | active | | SHA256 | 178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1 |

threatstream-supported-platforms#


Returns a list of supported platforms for default or premium sandbox.

Base Command#

threatstream-supported-platforms

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sandbox_type | The type of sandbox ("default" or "premium"). Possible values are: default, premium. Default is default. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ThreatStream.PremiumPlatforms.Name | String | The name of the supported platform for the premium sandbox. |
| ThreatStream.PremiumPlatforms.Types | String | The types of submissions supported by the premium sandbox. |
| ThreatStream.PremiumPlatforms.Label | String | The display name of the supported platform for the premium sandbox. |
| ThreatStream.DefaultPlatforms.Name | String | The name of the supported platform for the standard sandbox. |
| ThreatStream.DefaultPlatforms.Types | String | The types of submissions supported by the standard sandbox. |
| ThreatStream.DefaultPlatforms.Label | String | The display name of the supported platform for the standard sandbox. |

Command Example#

!threatstream-supported-platforms sandbox_type=default

Context Example#

{
    "ThreatStream": {
        "DefaultPlatforms": [
            {
                "Label": "Windows 7",
                "Name": "WINDOWS7",
                "Platform": "windows",
                "Types": [
                    "file",
                    "url"
                ]
            }
        ]
    }
}

Human Readable Output#

Supported platforms for default sandbox#

| Label | Name | Platform | Types |
| --- | --- | --- | --- |
| Windows 7 | WINDOWS7 | windows | file, url |

url#


Checks the reputation of the given URL.

Base Command#

url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | The URL to check. | Required |
| threshold | If confidence is greater than the threshold the URL is considered malicious, otherwise it is considered good. This argument overrides the default URL threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with an inactive status. Possible values are: True, False. | Optional |
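
The two optional arguments above decide the verdict more than the indicator itself does: the per-call threshold replaces the instance's URL threshold parameter, and include_inactive controls whether an inactive ThreatStream record can still push the DBotScore to malicious. The following is an added example, not the integration's own code, that walks through that decision on constructed records. The vendor string, the default threshold value (65) and the rule that the highest confidence wins when several records match the same URL are assumptions made for the example; only the "confidence greater than threshold means malicious" rule comes from the page.

```python
"""Added example (not the integration's own code): how the url command's
threshold and include_inactive arguments shape the DBotScore. VENDOR,
DEFAULT_URL_THRESHOLD and the highest-confidence-wins rule are assumptions."""

# DBotScore values used by Cortex XSOAR: 0 unknown, 1 good, 2 suspicious, 3 bad.
DBOT_NONE, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3
VENDOR = "Anomali ThreatStream v3"   # assumed DBotScore.Vendor value
DEFAULT_URL_THRESHOLD = 65           # assumed value of the "URL threshold" parameter

# Constructed sample: two ThreatStream records for the same URL, one of them
# inactive. Field names follow the ThreatStream.URL context output below.
SAMPLE_RECORDS = [
    {"Address": "http://www.example.test/", "Confidence": 90, "Status": "inactive",
     "Type": "url", "Source": "Analyst", "Severity": "high"},
    {"Address": "http://www.example.test/", "Confidence": 40, "Status": "active",
     "Type": "url", "Source": "Analyst", "Severity": "medium"},
]


def usable_records(records, include_inactive=False):
    """Active records always count; inactive ones only when include_inactive is set."""
    return [r for r in records if include_inactive or r.get("Status") == "active"]


def score_url(records, threshold=None, include_inactive=False,
              default_threshold=DEFAULT_URL_THRESHOLD):
    """Return (dbot_score, confidence_used).

    A confidence strictly greater than the effective threshold means malicious,
    otherwise good. An explicit threshold argument overrides the instance
    default. With no usable record the indicator is unknown (score 0)."""
    effective = default_threshold if threshold is None else int(threshold)
    candidates = usable_records(records, include_inactive)
    if not candidates:
        return DBOT_NONE, None
    # Assumption: when several records match, the highest confidence decides.
    confidence = max(int(r.get("Confidence", -1)) for r in candidates)
    return (DBOT_BAD if confidence > effective else DBOT_GOOD), confidence


def dbot_entry(url, records, threshold=None, include_inactive=False):
    """Build the DBotScore context object documented in the Context Output table."""
    score, _ = score_url(records, threshold, include_inactive)
    return {"Indicator": url, "Type": "url", "Vendor": VENDOR, "Score": score}


if __name__ == "__main__":
    url = "http://www.example.test/"
    print(dbot_entry(url, SAMPLE_RECORDS))                          # active only: good
    print(dbot_entry(url, SAMPLE_RECORDS, include_inactive=True))   # inactive 90 counts: bad
    print(dbot_entry(url, SAMPLE_RECORDS, threshold=30))            # lower bar: bad
```

Note the boundary: a confidence equal to the threshold is good, not malicious, because the documented rule is "greater than". The inactive case is the one to watch in playbooks: with the default setting a high-confidence but retired indicator produces a good verdict, which is the intended behaviour but surprises analysts who see the record in the ThreatStream UI.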

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| URL.Data | String | The URL of the indicator. |
| URL.Malicious.Vendor | String | The vendor that reported the indicator as malicious. |
| ThreatStream.URL.Modified | String | The date and time the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time in UTC time. |
| ThreatStream.URL.Confidence | String | The observable certainty level of a reported indicator type. Confidence score ranges from 0-100, in increasing order of confidence. |
| ThreatStream.URL.Status | String | The indicator status. |
| ThreatStream.URL.Organization | String | The name of the business that owns the IP address associated with the indicator. |
| ThreatStream.URL.Address | String | The indicator URL. |
| ThreatStream.URL.Country | String | The country associated with the indicator. |
| ThreatStream.URL.Type | String | The indicator type. |
| ThreatStream.URL.Source | String | The indicator source. |
| ThreatStream.URL.Severity | String | The indicator severity ("very-high", "high", "medium", or "low"). |
| ThreatStream.URL.Tags | Unknown | Tags assigned to the URL. |
| URL.Tags | Unknown | List of URL tags. |
| URL.ThreatTypes | Unknown | Threat types associated with the URL. |

Command Example#

!url url=http://www.ujhy1.com/

Human Readable Output#

No intelligence has been found for http://www.ujhy1.com/

Additional Considerations for this version#

  • Remove the default_threshold integration parameter.
  • Add integration parameter for global threshold in ip, domain, file, url, and threatstream-email-reputation commands.
  • Add Include inactive results checkbox in integration settings for the ability to get inactive results.