Threat Crowd v2 (Deprecated)
This Integration is part of the Threat Crowd (Deprecated) Pack.#
Deprecated
No available replacement.
Query Threat Crowd for reports. This integration was integrated and tested with version v2 of ThreatCrowd
Configure ThreatCrowd v2 on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for ThreatCrowd v2.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Server True Source Reliability Reliability of the source providing the intelligence data. True Max Number of Entries How many entries to fetch. For full data use -1. True Trust any certificate (not secure) False Use system proxy settings False Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
ip#
Get a report of an IP address.
Base Command#
ip
Input#
| Argument Name | Description | Required |
|---|---|---|
| ip | An IP address for which to retrieve a report. | Required |
| limit | Maximum number of results to fetch. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| IP.Address | String | IP address. |
| IP.Malicious.Vendor | String | The vendor reporting the IP address as malicious. |
| IP.Malicious.Description | String | A description explaining why the IP address was reported as malicious. |
| ThreatCrowd.IP.hashes | String | Hashes related to the ip. |
| ThreatCrowd.IP.permalink | String | The link to ip in the product. |
| ThreatCrowd.IP.references | String | References related to the ip. |
| ThreatCrowd.IP.resolutions | String | Resolutions related to the ip. |
| ThreatCrowd.IP.value | String | The ip value. |
| ThreatCrowd.IP.votes | Number | The votes given to the ip. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Command Example#
!ip ip="x.x.x.x"
Context Example#
Human Readable Output#
Threat crowd report for ip x.x.x.x:#
DBotScore: BAD#
Resolutions#
domain last_resolved example.example.net 2018-08-05 www.example.com 2020-01-11 Hashes#
Hashes 16e0a5aa50917ecadc0c2a7726e72ad0 1e77eaba33333c91adfa28e97558677a 210b6e761b4cb7d71e862606c0f28846 226751fb62f99ff5a2c948dea15319df 23ad6fc6ddb25a0974b90d9ec2df7757 2f80660b47db546c6907edd95868b901 36e6f6f725c77e505ccb466069c41c15 3e06f3e3f4da7ea914bbd42bd17c7aef 4d8d5d96caa717c92fea5ac2b1d6ae23 References#
No entries.
domain#
Get a report of a domain.
Base Command#
domain
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | The domain for which to retrieve a report. | Required |
| limit | Maximum number of results to fetch. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Domain.Name | String | The domain name, for example: "google.com". |
| Domain.Malicious.Vendor | String | The vendor reporting the domain as malicious. |
| Domain.Malicious.Description | String | A description explaining why the domain was reported as malicious. |
| ThreatCrowd.Domain.hashes | String | Hashes related to the domain. |
| ThreatCrowd.Domain.permalink | String | A link to domain search in the product. |
| ThreatCrowd.Domain.references | String | References related to the domain. |
| ThreatCrowd.Domain.resolutions | String | Resolutions related to the domain. |
| ThreatCrowd.Domain.subdomains | String | The subdomains related to the domain. |
| ThreatCrowd.Domain.emails | String | The emails related to the domain. |
| ThreatCrowd.Domain.value | String | The name of the domain. |
| ThreatCrowd.Domain.votes | Number | The votes given to the domain. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Command Example#
!domain domain="example.com"
Context Example#
Human Readable Output#
Threat crowd report for domain example.com#
DBotScore: BAD#
Resolutions#
ip_address last_resolved x.x.x.x 2014-04-01 x.x.x.x 2020-07-22 x.x.x.x 2021-03-05 x.x.x.x 2020-10-18 Subdomains#
subdomains example.example.com
emails permalink references response_code value votes domains@example.info,
example@example.comhttps://www.threatcrowd.org/domain.php?domain=example.com example.example 1 example.com
email#
Get a report of an email address.
Base Command#
email
Input#
| Argument Name | Description | Required |
|---|---|---|
| The email address for which to retrieve a report. | Required | |
| limit | Maximum number of results to fetch. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ThreatCrowd.Account.value | String | The email address. |
| ThreatCrowd.Account.domains | String | The domains related to the email address. |
| ThreatCrowd.Account.permalink | String | The Link to the email address in the product. |
| ThreatCrowd.Account.references | String | The refernces related to the email address. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Command Example#
!email email=example@example.com
Context Example#
Human Readable Output#
Threat crowd report for Email example@example.com DBotScore: None
Results#
domains permalink response_code value example.com, https://www.threatcrowd.org/email.php?email=example@example.com 1
threat-crowd-antivirus#
Get a report of an antivirus.
Base Command#
threat-crowd-antivirus
Input#
| Argument Name | Description | Required |
|---|---|---|
| antivirus | The antivirus for which to retrieve a report. | Required |
| limit | Maximum number of results to fetch. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ThreatCrowd.AntiVirus.hashes | String | The hashes related to the antivirus |
| ThreatCrowd.AntiVirus.permalink | String | The link to the antivitrus in the product |
| ThreatCrowd.AntiVirus.references | Unknown | The references of the antivirus. |
| ThreatCrowd.AntiVirus.value | String | The name of the antivirus |
Command Example#
!threat-crowd-antivirus antivirus="plugx" using=ThreatCrowdv2_instance_1
Context Example#
Human Readable Output#
Threat crowd report for antivirus plugx#
hashes permalink response_code value 31d0e421894004393c48de1769744687,
5cd3f073caac28f915cf501d00030b31,
bbd9acdd758ec2316855306e83dba469,
ef9d8cd06de03bd5f07b01c1cce9761f,
06bd026c77ce6ab8d85b6ae92bb34034,
2af64ba808c79dccd2c1d84f010b22d7,
47a311084bffddf6c00b4eb947b4086b,
4c5e55c2ce6e9176970aeecf9533cdbf,
4f92b6c9c55142ee562e8237ce1436a2,
876f24c4102a4e911ab77ee328643dd2https://www.threatcrowd.org/listMalware.php?antivirus=plugx 1 plugx
file#
Get a report of a hash.
Base Command#
file
Input#
| Argument Name | Description | Required |
|---|---|---|
| file | The hash for which to retrieve a report. | Required |
| limit | Maximum number of results to fetch. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
| File.Malicious.Description | String | A description explaining why the file was determined to be malicious. |
| ThreatCrowd.File.sha1 | String | The SHA1 hash of the file. |
| ThreatCrowd.File.references | String | The refernces related to the file. |
| ThreatCrowd.File.permalink | String | The link to the file in the product. |
| ThreatCrowd.File.ips | String | The ips related to the file. |
| ThreatCrowd.File.domains | String | The domains related to the file. |
| ThreatCrowd.File.value | String | The file identifier. |
| ThreatCrowd.File.scans | String | The scans related to thefile. |
| ThreatCrowd.File.md5 | String | The MD5 of the file. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Command Example#
!file file=31d0e421894004393c48de1769744687 using=ThreatCrowdv2_instance_1
Context Example#
Human Readable Output#
Threat crowd report for File 31d0e421894004393c48de1769744687:
DBotScore: None#
Results#
domains ips md5 permalink references response_code scans sha1 value hpservice.homepc.it,facebook.controlliamo.com 8.8.8.8 31d0e421894004393c48de1769744687 https://www.threatcrowd.org/malware.php?md5=31d0e421894004393c48de1769744687 1 Error Scanning File,Malware-genWin32Malware-gen,GenVariant.Symmi.50061,W32/Trojan.VSQD-1927,BDS/Plugx.266990,GenVariant.Symmi.50061,Gen*Variant.Symmi.50061,Win32/Korplug.CF,W32/FakeAV.CX,Generic11_c.CDQL 4f0eb746d81a616fb9bdff058997ef47a4209a76 31d0e421894004393c48de1769744687