
# ThreatExchange (Deprecated)

This integration is part of the ThreatExchange Pack.

**Deprecated.** Use the ThreatExchange v2 integration instead.

ThreatExchange is a Facebook service for sharing threat intelligence. This integration queries it for the reputation of IP addresses, URLs, domains and file hashes, and for free-text searches over the descriptors it stores.

## Configure ThreatExchange in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Server URL (e.g. https://192.168.0.1) | Base URL of the ThreatExchange API endpoint. | True |
| App ID | ID of the Facebook application used to authenticate. | True |
| App Secret | Secret of that application. Treat it as a credential: it is sent with every request. | True |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Use system proxy settings | | False |
| Trust any certificate (not secure) | Disables TLS certificate validation, which lets an on-path attacker read the App Secret and tamper with results. Leave it unchecked. | False |
| Api version | Version of the ThreatExchange (Graph) API to call. | True |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### file

Checks the file reputation of the given hash.

#### Base Command

`file`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | Hash of the file to query. Supports MD5, SHA1 and SHA256 hashes. | Required |
| limit | The maximum number of results per page. The maximum is 1000. Default is 20. | Optional |
| headers | Comma-separated list of columns to show in the human-readable output, for example: header1,header2,header3. | Optional |
| since | Start of the time window, as a Unix timestamp in seconds, for example 1391813489. | Optional |
| until | End of the time window, as a Unix timestamp in seconds, for example 1391813489. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.MD5 | unknown | Bad MD5 hash found. |
| File.SHA1 | unknown | Bad SHA1 hash found. |
| File.SHA256 | unknown | Bad SHA256 hash found. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
| File.Malicious.Vendor | unknown | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | unknown | For malicious files, the reason that the vendor made the decision. |
| File.Malicious.Score | unknown | For malicious files, the score from the vendor. |

#### Command Example

`!file file=bf4692a98a658dd7fb3599a47b6b48188a12345`

Note that this sample value is 39 hexadecimal characters long, so it is not a well-formed MD5 (32), SHA1 (40) or SHA256 (64) hash; a real lookup must supply one of those lengths.

#### Context Example

```json
{
    "DBotScore": [
        {
            "Indicator": "bf4692a98a658dd7fb3599a47b6b48188a12345",
            "Reliability": "C - Fairly reliable",
            "Score": 0,
            "Type": "hash",
            "Vendor": "ThreatExchange"
        },
        {
            "Indicator": "bf4692a98a658dd7fb3599a47b6b48188a12345",
            "Reliability": "C - Fairly reliable",
            "Score": 0,
            "Type": "file",
            "Vendor": "ThreatExchange"
        }
    ]
}
```

#### Human Readable Output

ThreatExchange does not have details about bf4692a98a658dd7fb3599a47b6b48188a12345

### ip

Checks the reputation of the given IP address.

#### Base Command

`ip`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to check. | Required |
| headers | Comma-separated list of columns to show in the human-readable output, for example: header1,header2,header3. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | unknown | Bad IP address found. |
| IP.Malicious.Vendor | unknown | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | unknown | For malicious IP addresses, the reason that the vendor made the decision. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
| IP.Malicious.Score | unknown | For malicious IP addresses, the score from the vendor. |

#### Command Example

`!ip ip=8.8.8.8`

#### Context Example

```json
{
    "DBotScore": [
        {
            "Indicator": "8.8.8.8",
            "Reliability": "C - Fairly reliable",
            "Score": 1,
            "Type": "ip",
            "Vendor": "ThreatExchange"
        },
        {
            "Indicator": "8.8.8.8",
            "Reliability": "C - Fairly reliable",
            "Score": 0,
            "Type": "ip",
            "Vendor": "ThreatExchange"
        }
    ],
    "IP": null
}
```

#### Human Readable Output

##### ThreatExchange IP Reputation

| added_on | confidence | description | id | indicator | last_updated | owner | privacy_type | raw_indicator | review_status | severity | share_level | status | type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2015-07-07T22:36:04+0000 | 50 | Known DNS server | 881335228606937 | {"id":"501655576609539","indicator":"8.8.8.8","type":"IP_ADDRESS"} | 2020-07-24T05:25:48+0000 | {"id":"588498724619612","email":"threatexchange@support.facebook.com","name":"Facebook CERT ThreatExchange"} | VISIBLE | 8.8.8.8 | REVIEWED_AUTOMATICALLY | INFO | GREEN | NON_MALICIOUS | IP_ADDRESS |
| 2018-04-09T23:00:40+0000 | 50 | | 1521082241333529 | {"id":"501655576609539","indicator":"8.8.8.8","type":"IP_ADDRESS"} | 2020-07-24T21:52:30+0000 | {"id":"1656584897716085","email":"threatexchange@support.facebook.com","name":"JoeSandbox Analysis"} | HAS_PRIVACY_GROUP | 8.8.8.8 | REVIEWED_AUTOMATICALLY | INFO | RED | UNKNOWN | IP_ADDRESS |
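The two descriptors above for the same address disagree: one says NON_MALICIOUS at share level GREEN, the other UNKNOWN at share level RED, and the context example carries one DBotScore entry per descriptor (scores 1 and 0). The Python below is an added example, not code from the ThreatExchange integration: it maps descriptors like these to per-descriptor scores, collapses them to a single verdict, and filters what may be re-shared by TLP colour. The status-to-score mapping, the TLP ranking, the confidence threshold and the descriptor dictionaries are all assumptions constructed for this example; the page does not document the integration's own scoring rule, although the mapping agrees with the scores shown here and in the google.com example below.

```python
# Added example, not the integration's code. Scores ThreatExchange descriptors
# the way the context example above suggests (one DBotScore per descriptor) and
# applies a share_level (TLP) gate before anything is re-shared.
from dataclasses import dataclass

# ASSUMPTION: ThreatExchange descriptor "status" -> DBotScore value
# (0 = unknown, 1 = good, 2 = suspicious, 3 = bad).
STATUS_TO_SCORE = {
    "MALICIOUS": 3,
    "SUSPICIOUS": 2,
    "NON_MALICIOUS": 1,
    "UNKNOWN": 0,
}

# share_level is a TLP colour. ASSUMPTION: anything above the caller's ceiling
# (by default GREEN) stays inside the receiving organisation.
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


@dataclass
class DBotScore:
    indicator: str
    type: str
    vendor: str
    score: int
    reliability: str


def descriptor_to_dbot(desc, indicator_type="ip",
                       reliability="C - Fairly reliable"):
    """One DBotScore for one descriptor; unrecognised statuses score 0."""
    score = STATUS_TO_SCORE.get(desc.get("status", "UNKNOWN"), 0)
    return DBotScore(desc["raw_indicator"], indicator_type,
                     "ThreatExchange", score, reliability)


def score_descriptors(descs, indicator_type="ip", min_confidence=0):
    """Per-descriptor scores, dropping descriptors below a confidence floor."""
    return [descriptor_to_dbot(d, indicator_type)
            for d in descs if d.get("confidence", 0) >= min_confidence]


def worst_score(scores):
    """Collapse per-descriptor scores to one verdict: the highest score wins."""
    return max((s.score for s in scores), default=0)


def shareable(descs, max_tlp="GREEN"):
    """Descriptors whose share_level is at or below max_tlp; a missing
    share_level is treated as RED (most restrictive)."""
    ceiling = TLP_RANK[max_tlp]
    return [d for d in descs
            if TLP_RANK.get(d.get("share_level", "RED"), 3) <= ceiling]


# Constructed from the two table rows above for 8.8.8.8 (only the fields used here).
SAMPLE_DESCRIPTORS = [
    {"id": "881335228606937", "raw_indicator": "8.8.8.8", "confidence": 50,
     "status": "NON_MALICIOUS", "share_level": "GREEN",
     "owner": "Facebook CERT ThreatExchange"},
    {"id": "1521082241333529", "raw_indicator": "8.8.8.8", "confidence": 50,
     "status": "UNKNOWN", "share_level": "RED",
     "owner": "JoeSandbox Analysis"},
]

if __name__ == "__main__":
    scores = score_descriptors(SAMPLE_DESCRIPTORS)
    print([s.score for s in scores])                        # [1, 0]
    print(worst_score(scores))                              # 1
    print([d["owner"] for d in shareable(SAMPLE_DESCRIPTORS)])  # GREEN row only
```

The RED descriptor still influences the verdict (it contributes the score 0 entry) but is excluded from `shareable()`, so a playbook that forwards indicators to another tenant or feed should consume the filtered list, not the raw descriptors.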

### url

Checks the reputation of the given URL.

#### Base Command

`url`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | URL to check. | Required |
| limit | The maximum number of results per page. The maximum is 1000. Default is 20. | Optional |
| headers | Comma-separated list of columns to show in the human-readable output, for example: header1,header2,header3. | Optional |
| since | Start of the time window, as a Unix timestamp in seconds, for example 1391813489. | Optional |
| until | End of the time window, as a Unix timestamp in seconds, for example 1391813489. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| URL.Data | unknown | Bad URLs found. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
| URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
| URL.Malicious.Score | unknown | For malicious URLs, the score from the vendor. |

#### Command Example

`!url url=https://www.test.com/`

#### Context Example

```json
{
    "DBotScore": [
        {
            "Indicator": "https://www.test.com/",
            "Reliability": "C - Fairly reliable",
            "Score": 0,
            "Type": "url",
            "Vendor": "ThreatExchange"
        }
    ],
    "URL": null
}
```

#### Human Readable Output

##### ThreatExchange URL Reputation

| added_on | confidence | id | indicator | last_updated | owner | privacy_type | raw_indicator | review_status | severity | share_level | status | type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2018-07-11T09:50:34+0000 | 25 | 1904903709602326 | {"id":"838258172933557","indicator":"https://www.test.com/","type":"URI"} | 2020-07-24T19:24:35+0000 | {"id":"210126779388350","email":"threatexchange@support.facebook.com","name":"URLQueryThreatData Feed"} | VISIBLE | https://www.test.com/ | REVIEWED_AUTOMATICALLY | WARNING | WHITE | UNKNOWN | URI |
| 2015-07-09T03:04:19+0000 | 1 | 835880593160550 | {"id":"838258172933557","indicator":"https://www.test.com/","type":"URI"} | 2020-07-24T03:37:14+0000 | {"id":"820763734618599","email":"threatexchange@support.facebook.com","name":"Facebook Administrator"} | HAS_PRIVACY_GROUP | https://www.test.com/ | REVIEWED_AUTOMATICALLY | INFO | RED | UNKNOWN | URI |

### domain

Checks the reputation of the given domain.

#### Base Command

`domain`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain name to check. | Required |
| limit | The maximum number of results per page. The maximum is 1000. Default is 20. | Optional |
| headers | Comma-separated list of columns to show in the human-readable output, for example: header1,header2,header3. | Optional |
| since | Start of the time window, as a Unix timestamp in seconds, for example 1391813489. | Optional |
| until | End of the time window, as a Unix timestamp in seconds, for example 1391813489. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | unknown | Bad domain found. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
| Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |

#### Command Example

`!domain domain=google.com`

#### Context Example

```json
{
    "DBotScore": [
        {
            "Indicator": "google.com",
            "Reliability": "C - Fairly reliable",
            "Score": 0,
            "Type": "domain",
            "Vendor": "ThreatExchange"
        },
        {
            "Indicator": "google.com",
            "Reliability": "C - Fairly reliable",
            "Score": 1,
            "Type": "domain",
            "Vendor": "ThreatExchange"
        }
    ],
    "Domain": null
}
```

#### Human Readable Output

##### ThreatExchange Domain Reputation

| added_on | confidence | id | indicator | last_updated | owner | privacy_type | raw_indicator | review_status | severity | share_level | status | type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2018-05-02T18:05:33+0000 | 75 | 1688788781168786 | {"id":"826838047363868","indicator":"google.com","type":"DOMAIN"} | 2020-07-24T21:13:36+0000 | {"id":"1656584897716085","email":"threatexchange@support.facebook.com","name":"JoeSandbox Analysis"} | HAS_PRIVACY_GROUP | google.com | UNREVIEWED | INFO | RED | UNKNOWN | DOMAIN |
| 2015-09-04T22:03:24+0000 | 50 | 955242124521797 | {"id":"826838047363868","indicator":"google.com","type":"DOMAIN"} | 2020-07-24T01:04:11+0000 | {"id":"588498724619612","email":"threatexchange@support.facebook.com","name":"Facebook CERT ThreatExchange"} | VISIBLE | google.com | REVIEWED_MANUALLY | INFO | WHITE | NON_MALICIOUS | DOMAIN |

### threatexchange-query

Searches the subjective opinions (threat descriptors) that ThreatExchange members have published about indicators of compromise.

#### Base Command

`threatexchange-query`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| text | Free-form text to search for. This can be a file hash or a string found in other fields of the descriptor objects. | Optional |
| type | The indicator type of the descriptors to search for. For the list of types see: https://developers.facebook.com/docs/threat-exchange/reference/apis/indicator-type/v2.9. | Optional |
| limit | The maximum number of results per page. The maximum is 1000. Default is 20. | Optional |
| headers | Comma-separated list of columns to show in the human-readable output, for example: header1,header2,header3. | Optional |
| since | Start of the time window, as a Unix timestamp in seconds, for example 1391813489. | Optional |
| until | End of the time window, as a Unix timestamp in seconds, for example 1391813489. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

`!threatexchange-query text=geektime type=URI limit=3`

#### Context Example

```json
{
    "queryResult": [
        {
            "added_on": "2018-08-30T07:12:28+0000",
            "confidence": 50,
            "id": "2036544083043163",
            "indicator": {
                "id": "2036543926376512",
                "indicator": "http://www.geektime.co.il/wp-content/uploads/2016/09/",
                "type": "URI"
            },
            "last_updated": "2021-03-03T02:41:06+0000",
            "owner": {
                "email": "threatexchange@support.facebook.com",
                "id": "820763734618599",
                "name": "Facebook Administrator"
            },
            "privacy_type": "VISIBLE",
            "raw_indicator": "http://www.geektime.co.il/wp-content/uploads/2016/09/",
            "review_status": "REVIEWED_AUTOMATICALLY",
            "severity": "INFO",
            "share_level": "GREEN",
            "status": "UNKNOWN",
            "type": "URI"
        }
    ]
}
```

#### Human Readable Output

##### ThreatExchange Query Result

| added_on | confidence | id | indicator | last_updated | owner | privacy_type | raw_indicator | review_status | severity | share_level | status | type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2018-08-30T07:12:28+0000 | 50 | 2036544083043163 | {"id":"2036543926376512","indicator":"http://www.geektime.co.il/wp-content/uploads/2016/09/","type":"URI"} | 2021-03-03T02:41:06+0000 | {"id":"820763734618599","email":"threatexchange@support.facebook.com","name":"Facebook Administrator"} | VISIBLE | http://www.geektime.co.il/wp-content/uploads/2016/09/ | REVIEWED_AUTOMATICALLY | INFO | GREEN | UNKNOWN | URI |
| 2018-08-28T14:59:24+0000 | 50 | 1799344580151062 | {"id":"1799344400151080","indicator":"http://www.geektime.co.il/wp-content/uploads/2016/05/","type":"URI"} | 2020-07-24T20:12:26+0000 | {"id":"820763734618599","email":"threatexchange@support.facebook.com","name":"Facebook Administrator"} | VISIBLE | http://www.geektime.co.il/wp-content/uploads/2016/05/ | REVIEWED_AUTOMATICALLY | INFO | GREEN | UNKNOWN | URI |
| 2018-08-24T20:16:16+0000 | 50 | 2265237266824665 | {"id":"2265236920158033","indicator":"http://www.geektime.co.il/wp-content/uploads/2016/07/","type":"URI"} | 2020-07-24T18:45:09+0000 | {"id":"820763734618599","email":"threatexchange@support.facebook.com","name":"Facebook Administrator"} | VISIBLE | http://www.geektime.co.il/wp-content/uploads/2016/07/ | REVIEWED_AUTOMATICALLY | INFO | GREEN | UNKNOWN | URI |
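The `since`/`until` arguments take Unix epoch seconds and `limit` is a per-page cap of at most 1000, so a query that spans a long window has to be paged. The Python below is an added example, not the integration's own code, showing how such a request is assembled and how result pages are walked. It assumes the ThreatExchange Graph API conventions (a `threat_descriptors` endpoint under the server URL and API version, `access_token` formed as `APP_ID|APP_SECRET`, the `text`/`type`/`limit`/`since`/`until` query parameters, and a `{"data": [...], "paging": {"next": ...}}` response); the page itself does not document that request format, and the two-page response below is constructed from the rows above.

```python
# Added example, not the integration's code. Builds a ThreatExchange descriptor
# search and pages through its results without touching the network.
# ASSUMPTION: Graph API endpoint, parameter names and paging shape as in the lead-in.
from datetime import datetime, timezone
from urllib.parse import urlencode

MAX_LIMIT = 1000  # documented per-page maximum for the limit argument


def to_epoch(ts):
    """since/until are Unix epoch seconds (e.g. 1391813489). Accept an int
    as-is, or a datetime; a naive datetime is taken to be UTC."""
    if isinstance(ts, int):
        return ts
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return int(ts.timestamp())


def build_query(base_url, api_version, app_id, app_secret, text=None,
                type_=None, limit=20, since=None, until=None):
    """Full request URL for a descriptor search. Raises on an out-of-range
    limit or an inverted time window instead of sending a bad request."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    params = {"access_token": f"{app_id}|{app_secret}", "limit": limit}
    if text:
        params["text"] = text
    if type_:
        params["type"] = type_
    if since is not None:
        params["since"] = to_epoch(since)
    if until is not None:
        params["until"] = to_epoch(until)
    if "since" in params and "until" in params and params["since"] > params["until"]:
        raise ValueError("since must not be later than until")
    return f"{base_url.rstrip('/')}/{api_version}/threat_descriptors?{urlencode(params)}"


def iter_descriptors(first_url, fetch, max_pages=50):
    """Yield descriptors across pages by following paging.next until it is
    absent. fetch(url) returns the decoded JSON body; max_pages bounds a
    runaway or looping cursor."""
    url, pages = first_url, 0
    while url and pages < max_pages:
        body = fetch(url)
        yield from body.get("data", [])
        url = body.get("paging", {}).get("next")
        pages += 1


# Constructed two-page response mirroring the three query rows above (ids only).
FAKE_PAGES = {
    "page1": {
        "data": [
            {"id": "2036544083043163", "type": "URI",
             "raw_indicator": "http://www.geektime.co.il/wp-content/uploads/2016/09/"},
            {"id": "1799344580151062", "type": "URI",
             "raw_indicator": "http://www.geektime.co.il/wp-content/uploads/2016/05/"},
        ],
        "paging": {"next": "page2"},
    },
    "page2": {
        "data": [
            {"id": "2265237266824665", "type": "URI",
             "raw_indicator": "http://www.geektime.co.il/wp-content/uploads/2016/07/"},
        ],
        "paging": {},
    },
}


def collect_ids(first_url="page1"):
    """Descriptor ids from every page of the constructed response."""
    return [d["id"] for d in iter_descriptors(first_url, FAKE_PAGES.__getitem__)]


if __name__ == "__main__":
    url = build_query("https://graph.facebook.com", "v2.9", "APP_ID", "APP_SECRET",
                      text="geektime", type_="URI", limit=3,
                      since=datetime(2018, 8, 1, tzinfo=timezone.utc),
                      until=1535700000)
    print(url)
    print(collect_ids())
```

Because the App Secret travels in the query string, the URL returned by `build_query()` must never be written to logs or shown in War Room output; that is also why the "Trust any certificate" option should stay off, since a forged endpoint would receive the secret in clear.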

### threatexchange-members

Returns the current members of ThreatExchange, sorted alphabetically by application name. Each member may also include an optional contact email address, which an application owner can set in the settings panel for their application.

#### Base Command

`threatexchange-members`

#### Input

This command has no input arguments.

#### Context Output

There is no context output for this command.

#### Command Example

`!threatexchange-members`

#### Human Readable Output

##### ThreatExchange Members

| email | id | name |
| --- | --- | --- |
| example@example.com | example_id_1 | Example Name 1 |
| example2@example.com | example_id_2 | Example Name 2 |
| example3@example.com | example_id_3 | Example Name 3 |
| example4@example.com | example_id_4 | Example Name 4 |