
ThreatMiner

This Integration is part of the ThreatMiner Pack.

Data Mining for Threat Intelligence

Configure ThreatMiner on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for ThreatMiner.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Maximum results per query, enter 'all' to get unlimited results | | False |
    | Source Reliability | Reliability of the source providing the intelligence data. | True |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |
    | ThreatMiner API URL | | True |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

domain

Retrieves data from ThreatMiner about a specified domain.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain name to get information for. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatMiner.Domain.Whois.Server | string | Whois server address. |
| ThreatMiner.Domain.Whois.CreateDate | date | Creation date. |
| ThreatMiner.Domain.Whois.UpdateDate | date | Last update date. |
| ThreatMiner.Domain.Whois.Expiration | date | Expiration date. |
| ThreatMiner.Domain.Whois.NameServers | string | Whois name servers. |
| ThreatMiner.Domain.PassiveDNS.IP | string | Passive DNS IP address. |
| ThreatMiner.Domain.PassiveDNS.FirstSeen | date | Passive DNS first seen date. |
| ThreatMiner.Domain.PassiveDNS.LastSeen | date | Passive DNS last seen date. |
| ThreatMiner.Domain.Subdomains | string | Subdomains. |
| ThreatMiner.Domain.URI.Address | string | Related URIs. |
| ThreatMiner.Domain.URI.LastSeen | string | URI last seen date. |
| ThreatMiner.Domain.MD5 | string | Related samples' MD5 hash. |
| Domain.Name | string | Searched domain name |
| ThreatMiner.Domain.Whois.Domain | string | Domain name that was searched. |
| Domain.DNS | unknown | IPs resolved by DNS. |
| Domain.Whois.CreateDate | date | Creation date. |
| Domain.Whois.UpdateDate | date | Last update date. |
| Domain.Whois.Expiration | date | Expiration date. |
| Domain.Whois.Registrant.Name | string | Name of the registrant |
| Domain.Whois.Registrant.Email | string | Email of the registrant |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |

ip

Retrieves data from ThreatMiner about a specified IP address.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to get information for. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatMiner.IP.Address | string | IP address that was searched. |
| ThreatMiner.IP.Whois.Reverse | string | Whois reverse name. |
| ThreatMiner.IP.Whois.Bgp | string | BGP prefix. |
| ThreatMiner.IP.Whois.Country | string | Related country. |
| ThreatMiner.IP.Whois.ASN | string | Related ASN. |
| ThreatMiner.IP.Whois.Org | string | Organization name. |
| ThreatMiner.IP.PassiveDNS.Domain | string | PassiveDNS domain. |
| ThreatMiner.IP.PassiveDNS.FirstSeen | date | Passive DNS first seen date. |
| ThreatMiner.IP.PassiveDNS.LastSeen | date | Passive DNS last seen date. |
| ThreatMiner.IP.URI.Address | string | Related URIs. |
| ThreatMiner.IP.URI.LastSeen | date | URI last seen date. |
| ThreatMiner.IP.MD5 | string | Related samples' MD5 hash. |
| ThreatMiner.IP.SSL | string | SSL certificates. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| IP.Address | unknown | IP address that was searched. |
| IP.Geo.Country | unknown | Related country. |
| IP.ASN | unknown | Related ASN. |

file

Retrieves data from ThreatMiner about a specified file.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | File hash (md5, sha1, sha256). | Required |
| threshold | If ThreatScore is greater than or equal to the threshold, the file is considered malicious. Default is 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatMiner.File.MD5 | string | File MD5 hash. |
| ThreatMiner.File.SHA1 | string | File SHA1 hash. |
| ThreatMiner.File.SHA256 | string | File SHA256 hash. |
| ThreatMiner.File.Type | string | File type. |
| ThreatMiner.File.Name | string | File name. |
| ThreatMiner.File.Architecture | string | File architecture. |
| ThreatMiner.File.Size | string | File size. |
| ThreatMiner.File.Analyzed | date | File analyzed date. |
| ThreatMiner.File.HTTP.Domain | string | HTTP traffic to domain. |
| ThreatMiner.File.HTTP.URL | string | HTTP traffic to URL. |
| ThreatMiner.File.HTTP.Useragent | string | HTTP user agent. |
| ThreatMiner.File.Domains.IP | string | Related IP address. |
| ThreatMiner.File.Domains.Domain | string | Related domain name. |
| ThreatMiner.File.Mutants | string | Used mutexes. |
| ThreatMiner.File.Registry | string | Used registry keys. |
| ThreatMiner.File.AV.Name | string | Detected AV name. |
| ThreatMiner.File.AV.Detection | string | AV detection. |
| File.MD5 | string | File MD5 hash. |
| File.SHA1 | string | File SHA1 hash. |
| File.SHA256 | string | File SHA256 hash. |
| File.Malicious.Detections | number | For malicious files, the total number of detections. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| File.Name | string | File name. |