
# Threat Crowd v2

Query Threat Crowd for reports. This integration was integrated and tested with version v2 of ThreatCrowd.

## Configure ThreatCrowd v2 on Cortex XSOAR

1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
2. Search for ThreatCrowd v2.
3. Click **Add instance** to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server |  | True |
    | Source Reliability | Reliability of the source providing the intelligence data. | True |
    | Max Number of Entries | How many entries to fetch. For full data use -1. | True |
    | Trust any certificate (not secure) |  | False |
    | Use system proxy settings |  | False |

4. Click **Test** to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### ip

Get a report of an IP address.

#### Base Command

`ip`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | An IP address for which to retrieve a report. | Required |
| limit | Maximum number of results to fetch. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | IP address. |
| IP.Malicious.Vendor | String | The vendor reporting the IP address as malicious. |
| IP.Malicious.Description | String | A description explaining why the IP address was reported as malicious. |
| ThreatCrowd.IP.hashes | String | Hashes related to the IP address. |
| ThreatCrowd.IP.permalink | String | The link to the IP address in the product. |
| ThreatCrowd.IP.references | String | References related to the IP address. |
| ThreatCrowd.IP.resolutions | String | Resolutions related to the IP address. |
| ThreatCrowd.IP.value | String | The IP address value. |
| ThreatCrowd.IP.votes | Number | The votes given to the IP address. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |

#### Command Example

```
!ip ip="x.x.x.x"
```

#### Context Example

```json
{
  "DBotScore": {
    "Indicator": "x.x.x.x",
    "Reliability": "C - Fairly reliable",
    "Score": 3,
    "Type": "ip",
    "Vendor": "Threat Crowd"
  },
  "IP": {
    "Address": "x.x.x.x",
    "Malicious": {
      "Description": null,
      "Vendor": "Threat Crowd"
    }
  },
  "ThreatCrowd": {
    "IP": {
      "hashes": [
        "06d40abb65ee157ff2574df8d24743f1",
        "16e0a5aa50917ecadc0c2a7726e72ad0",
        "1e77eaba33333c91adfa28e97558677a",
        "210b6e761b4cb7d71e862606c0f28846",
        "226751fb62f99ff5a2c948dea15319df",
        "23ad6fc6ddb25a0974b90d9ec2df7757",
        "2f80660b47db546c6907edd95868b901",
        "36e6f6f725c77e505ccb466069c41c15",
        "3e06f3e3f4da7ea914bbd42bd17c7aef",
        "4d8d5d96caa717c92fea5ac2b1d6ae23"
      ],
      "permalink": "https://www.threatcrowd.org/ip.php?ip=x.x.x.x",
      "references": [],
      "resolutions": [
        {
          "domain": "example.example.net",
          "last_resolved": "2018-08-05"
        },
        {
          "domain": "www.example.com",
          "last_resolved": "2020-01-11"
        }
      ],
      "response_code": "1",
      "value": "x.x.x.x",
      "votes": -1
    }
  }
}
```
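The context above is the shape every command on this page produces: a raw ThreatCrowd v2 report, its list fields cut to the `limit` argument (-1 keeps everything, as the Max Number of Entries parameter describes), and a DBotScore derived from the report's `votes`. The block below is an added example, not the integration's own code: it rebuilds that shaping for the `ip` command on a constructed sample; the `build_ip_context` and `apply_limit` names are mine, and mapping anything other than votes -1 to score 0 is an assumption the page does not document.

```python
import json
from typing import Any, Dict, List

# Constructed sample shaped like the page's `!ip` context example (placeholder values, not real data).
SAMPLE_IP_RESPONSE = json.loads("""
{
  "response_code": "1",
  "hashes": ["06d40abb65ee157ff2574df8d24743f1", "16e0a5aa50917ecadc0c2a7726e72ad0",
             "1e77eaba33333c91adfa28e97558677a"],
  "permalink": "https://www.threatcrowd.org/ip.php?ip=x.x.x.x",
  "references": [],
  "resolutions": [{"domain": "example.example.net", "last_resolved": "2018-08-05"},
                  {"domain": "www.example.com", "last_resolved": "2020-01-11"}],
  "votes": -1
}
""")

# The page shows votes -1 producing DBotScore 3 (BAD). Treating every other
# value, and a missing "votes" key as in the email/file examples, as 0
# (no verdict) is an assumption, not something the page documents.
VOTES_TO_SCORE = {-1: 3}


def apply_limit(entries: List[Any], limit: int) -> List[Any]:
    """Keep the first `limit` entries; -1 returns everything ("For full data use -1")."""
    return list(entries) if limit < 0 else list(entries[:limit])


def build_ip_context(ip: str, raw: Dict[str, Any], limit: int = -1,
                     reliability: str = "C - Fairly reliable") -> Dict[str, Any]:
    """Shape a raw ThreatCrowd v2 IP report into the context layout the page documents."""
    votes = raw.get("votes")
    score = VOTES_TO_SCORE.get(votes, 0)
    context: Dict[str, Any] = {
        "DBotScore": {"Indicator": ip, "Reliability": reliability, "Score": score,
                      "Type": "ip", "Vendor": "Threat Crowd"},
        "IP": {"Address": ip},
        "ThreatCrowd": {"IP": {
            "hashes": apply_limit(raw.get("hashes", []), limit),
            "permalink": raw.get("permalink"),
            "references": apply_limit(raw.get("references", []), limit),
            "resolutions": apply_limit(raw.get("resolutions", []), limit),
            "response_code": raw.get("response_code"),
            "value": ip,
            "votes": votes,
        }},
    }
    if score == 3:  # the page's example carries IP.Malicious only alongside a BAD score
        context["IP"]["Malicious"] = {"Description": None, "Vendor": "Threat Crowd"}
    return context
```

The `domain`, `email` and `file` commands differ only in which list fields are present and which standard context key (`Domain`, `Email`, `File`) receives the indicator.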

#### Human Readable Output

##### Threat crowd report for ip x.x.x.x:

##### DBotScore: BAD

##### Resolutions

| domain | last_resolved |
| --- | --- |
| example.example.net | 2018-08-05 |
| www.example.com | 2020-01-11 |

##### Hashes


##### References

No entries.

### domain

Get a report of a domain.

#### Base Command

`domain`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain for which to retrieve a report. | Required |
| limit | Maximum number of results to fetch. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name, for example: "google.com". |
| Domain.Malicious.Vendor | String | The vendor reporting the domain as malicious. |
| Domain.Malicious.Description | String | A description explaining why the domain was reported as malicious. |
| ThreatCrowd.Domain.hashes | String | Hashes related to the domain. |
| ThreatCrowd.Domain.permalink | String | A link to the domain search in the product. |
| ThreatCrowd.Domain.references | String | References related to the domain. |
| ThreatCrowd.Domain.resolutions | String | Resolutions related to the domain. |
| ThreatCrowd.Domain.subdomains | String | The subdomains related to the domain. |
| ThreatCrowd.Domain.emails | String | The emails related to the domain. |
| ThreatCrowd.Domain.value | String | The name of the domain. |
| ThreatCrowd.Domain.votes | Number | The votes given to the domain. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |

#### Command Example

```
!domain domain="example.com"
```

#### Context Example

```json
{
  "DBotScore": {
    "Indicator": "example.com",
    "Reliability": "C - Fairly reliable",
    "Score": 3,
    "Type": "domain",
    "Vendor": "Threat Crowd"
  },
  "Domain": {
    "Malicious": {
      "Description": null,
      "Vendor": "Threat Crowd"
    },
    "Name": "example.com"
  },
  "ThreatCrowd": {
    "Domain": {
      "emails": [
        "domains@example.com",
        "example@example.com"
      ],
      "hashes": [],
      "permalink": "https://www.threatcrowd.org/domain.php?domain=example.com",
      "references": [
        "example.example.example"
      ],
      "response_code": "1",
      "subdomains": [
        "media.example.com",
        "e.example.com",
        "finance.example.com"
      ],
      "value": "example.com",
      "votes": -1
    }
  }
}
```

#### Human Readable Output

##### Threat crowd report for domain example.com

##### DBotScore: BAD

##### Resolutions

| ip_address | last_resolved |
| --- | --- |
| x.x.x.x | 2014-04-01 |
| x.x.x.x | 2020-07-22 |
| x.x.x.x | 2021-03-05 |
| x.x.x.x | 2020-10-18 |

##### Subdomains

| subdomains |
| --- |
| example.example.com |

| emails | permalink | references | response_code | value | votes |
| --- | --- | --- | --- | --- | --- |
| domains@example.info, example@example.com | https://www.threatcrowd.org/domain.php?domain=example.com | example.example | 1 | example.com |  |

### email

Get a report of an email address.

#### Base Command

`email`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email | The email address for which to retrieve a report. | Required |
| limit | Maximum number of results to fetch. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatCrowd.Account.value | String | The email address. |
| ThreatCrowd.Account.domains | String | The domains related to the email address. |
| ThreatCrowd.Account.permalink | String | The link to the email address in the product. |
| ThreatCrowd.Account.references | String | The references related to the email address. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |

#### Command Example

```
!email email=example@example.com
```

#### Context Example

```json
{
  "DBotScore": {
    "Indicator": "example@example.com",
    "Reliability": "C - Fairly reliable",
    "Score": 0,
    "Type": "email",
    "Vendor": "Threat Crowd"
  },
  "Email": {
    "Address": "example@example.com"
  },
  "ThreatCrowd": {
    "Account": {
      "domains": [
        "example.com",
        "example2.com",
        "example3.com"
      ],
      "permalink": "https://www.threatcrowd.org/email.php?email=example@example.com",
      "references": [],
      "response_code": "1",
      "value": "example@example.com"
    }
  }
}
```

#### Human Readable Output

##### Threat crowd report for Email example@example.com DBotScore: None

##### Results

| domains | permalink | response_code | value |
| --- | --- | --- | --- |
| example.com, | https://www.threatcrowd.org/email.php?email=example@example.com | 1 |  |

### threat-crowd-antivirus

Get a report of an antivirus.

#### Base Command

`threat-crowd-antivirus`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| antivirus | The antivirus for which to retrieve a report. | Required |
| limit | Maximum number of results to fetch. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatCrowd.AntiVirus.hashes | String | The hashes related to the antivirus. |
| ThreatCrowd.AntiVirus.permalink | String | The link to the antivirus in the product. |
| ThreatCrowd.AntiVirus.references | Unknown | The references of the antivirus. |
| ThreatCrowd.AntiVirus.value | String | The name of the antivirus. |

#### Command Example

```
!threat-crowd-antivirus antivirus="plugx" using=ThreatCrowdv2_instance_1
```

#### Context Example

```json
{
  "ThreatCrowd": {
    "AntiVirus": {
      "hashes": [
        "31d0e421894004393c48de1769744687",
        "5cd3f073caac28f915cf501d00030b31",
        "bbd9acdd758ec2316855306e83dba469",
        "ef9d8cd06de03bd5f07b01c1cce9761f",
        "06bd026c77ce6ab8d85b6ae92bb34034",
        "2af64ba808c79dccd2c1d84f010b22d7",
        "47a311084bffddf6c00b4eb947b4086b",
        "4c5e55c2ce6e9176970aeecf9533cdbf",
        "4f92b6c9c55142ee562e8237ce1436a2",
        "876f24c4102a4e911ab77ee328643dd2"
      ],
      "permalink": "https://www.threatcrowd.org/listMalware.php?antivirus=plugx",
      "references": [],
      "response_code": "1",
      "value": "plugx"
    }
  }
}
```

#### Human Readable Output

##### Threat crowd report for antivirus plugx

| hashes | permalink | response_code | value |
| --- | --- | --- | --- |
| 31d0e421894004393c48de1769744687, 5cd3f073caac28f915cf501d00030b31, bbd9acdd758ec2316855306e83dba469, ef9d8cd06de03bd5f07b01c1cce9761f, 06bd026c77ce6ab8d85b6ae92bb34034, 2af64ba808c79dccd2c1d84f010b22d7, 47a311084bffddf6c00b4eb947b4086b, 4c5e55c2ce6e9176970aeecf9533cdbf, 4f92b6c9c55142ee562e8237ce1436a2, 876f24c4102a4e911ab77ee328643dd2 | https://www.threatcrowd.org/listMalware.php?antivirus=plugx | 1 | plugx |

### file

Get a report of a hash.

#### Base Command

`file`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | The hash for which to retrieve a report. | Required |
| limit | Maximum number of results to fetch. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
| File.Malicious.Description | String | A description explaining why the file was determined to be malicious. |
| ThreatCrowd.File.sha1 | String | The SHA1 hash of the file. |
| ThreatCrowd.File.references | String | The references related to the file. |
| ThreatCrowd.File.permalink | String | The link to the file in the product. |
| ThreatCrowd.File.ips | String | The IP addresses related to the file. |
| ThreatCrowd.File.domains | String | The domains related to the file. |
| ThreatCrowd.File.value | String | The file identifier. |
| ThreatCrowd.File.scans | String | The scans related to the file. |
| ThreatCrowd.File.md5 | String | The MD5 hash of the file. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |

#### Command Example

```
!file file=31d0e421894004393c48de1769744687 using=ThreatCrowdv2_instance_1
```

#### Context Example

```json
{
  "DBotScore": {
    "Indicator": "31d0e421894004393c48de1769744687",
    "Reliability": "C - Fairly reliable",
    "Score": 0,
    "Type": "file",
    "Vendor": "Threat Crowd"
  },
  "File": {
    "MD5": "31d0e421894004393c48de1769744687",
    "SHA1": "4f0eb746d81a616fb9bdff058997ef47a4209a76"
  },
  "ThreatCrowd": {
    "File": {
      "domains": [
        "hpservice.homepc.it",
        "facebook.controlliamo.com"
      ],
      "ips": [
        "8.8.8.8"
      ],
      "md5": "31d0e421894004393c48de1769744687",
      "permalink": "https://www.threatcrowd.org/malware.php?md5=31d0e421894004393c48de1769744687",
      "references": [],
      "response_code": "1",
      "scans": [
        "Error Scanning File",
        "Malware-gen*Win32*Malware-gen",
        "Gen*Variant.Symmi.50061",
        "W32/Trojan.VSQD-1927",
        "BDS/Plugx.266990",
        "Gen*Variant.Symmi.50061",
        "Gen*Variant.Symmi.50061",
        "Win32/Korplug.CF",
        "W32/FakeAV.CX",
        "Generic11_c.CDQL"
      ],
      "sha1": "4f0eb746d81a616fb9bdff058997ef47a4209a76",
      "value": "31d0e421894004393c48de1769744687"
    }
  }
}
```

#### Human Readable Output

##### Threat crowd report for File 31d0e421894004393c48de1769744687:

##### DBotScore: None

##### Results

| domains | ips | md5 | permalink | references | response_code | scans | sha1 | value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| hpservice.homepc.it, facebook.controlliamo.com | 8.8.8.8 | 31d0e421894004393c48de1769744687 | https://www.threatcrowd.org/malware.php?md5=31d0e421894004393c48de1769744687 |  | 1 | Error Scanning File, Malware-gen\*Win32\*Malware-gen, Gen\*Variant.Symmi.50061, W32/Trojan.VSQD-1927, BDS/Plugx.266990, Gen\*Variant.Symmi.50061, Gen\*Variant.Symmi.50061, Win32/Korplug.CF, W32/FakeAV.CX, Generic11_c.CDQL | 4f0eb746d81a616fb9bdff058997ef47a4209a76 | 31d0e421894004393c48de1769744687 |