ThreatQ v2

This Integration is part of the ThreatQ Pack.

A threat intelligence platform that collects and interprets intelligence data from open sources and manages indicator scoring, types, and attributes.

This integration was integrated and tested with API versions 4 and 5 of ThreatQ.

Configure ThreatQ v2 on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services .
2. Search for ThreatQ v2.
3. Click Add instance to create and configure a new integration instance.
   • Name : a textual name for the integration instance.
   • ThreatQ server URL (e.g. https://192.168.1.136)
   • ThreatQ client ID
   • Email
   • Indicator threshold (minimum TQ score to consider the indicator malicious).
   • Trust any certificate (not secure)
   • Use system proxy settings
4. Click Test to validate the new instance.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. threatq-search-by-name: threatq-search-by-name
2. Check an IP address: ip
3. Check a URL: url
4. Check a file: file
5. Check an email: email
6. Check a domain: domain
7. Create an indicator: threatq-create-indicator
8. Add an attribute: threatq-add-attribute
9. Modify an attribute: threatq-modify-attribute
10. Link two objects: threatq-link-objects
11. Create an adversary: threatq-create-adversary
12. Create an event: threatq-create-event
13. Get related indicators: threatq-get-related-indicators
14. Update an indicator status: threatq-update-status
15. Get related events: threatq-get-related-events
16. Get related adversaries: threatq-get-related-adversaries
17. Upload a file: threatq-upload-file
18. Search by Object type and ID: threatq-search-by-id
19. Unlink two objects: threatq-unlink-objects
20. Delete an object: threatq-delete-object
21. Add a source to an object: threatq-add-source
22. Delete a source from an object: threatq-delete-source
23. Delete an attribute: threatq-delete-attribute
24. Edit an adversary: threatq-edit-adversary
25. Edit an indicator: threatq-edit-indicator
26. Edit an event: threatq-edit-event
27. Update a score of an indictor: threatq-update-score
28. Download a file to Cortex XSOAR: threatq-download-file
29. Get all indicators: threatq-get-all-indicators:
30. Get a list of events: threatq-get-all-events
31. Get a list of all adversaries: threatq-get-all-adversaries

1. Search for object by name

---

Searches for objects by name in the ThreatQ repository.

Base Command

threatq-search-by-name

Input

Argument Name	Description	Required
name	Name of the object to search.	Required
limit	The maximum number of records to retrieve.	Optional

Context Output

Path	Type	Description
ThreatQ.Indicator.ID	Number	The ID of the Indicator.
ThreatQ.Indicator.Value	String	The value of the Indicator.
ThreatQ.Event.ID	Number	The ID of the Event.
ThreatQ.Event.Title	String	The title of the Event.
ThreatQ.Adversary.ID	Number	The ID of the Adversary.
ThreatQ.Adversary.Name	String	The name of the Adversary.

Command Example

  !threatq-search-by-name name=test limit=6

Human Readable Output

2. Check an IP address

---

Checks the reputation of an IP address in ThreatQ.

Base Command

ip

Input

Argument Name	Description	Required
ip	The IP address to check.	Required

Context Output

Path	Type	Description
DBotScore.Indicator	String	The value of the indicator.
DBotScore.Type	String	The type of the indicator.
DBotScore.Vendor	String	The vendor of the indicator.
DBotScore.Score	Number	The DBot Score of the indicator.
IP.Address	String	The IP Address.
IP.Malicious.Vendor	String	The IP address of the Vendor.
IP.Malicious.Description	String	The description of the Malicious IP address.
ThreatQ.Indicator.ID	Number	The ID of the Indicator.
ThreatQ.Indicator.Value	String	The value of the indicator.
ThreatQ.Indicator.Source.ID	Number	The source ID of the indicator.
ThreatQ.Indicator.Source.Name	String	The source name of the indicator.
ThreatQ.Indicator.Attribute.ID	Number	The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Value	String	The attribute value of the indicator.
ThreatQ.Indicator.Attribute.Name	String	The attribute name of the indicator.
ThreatQ.Indicator.CreatedAt	Date	The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt	Date	The last update date of the indicator.
ThreatQ.Indicator.Status	String	The status of the indicator.
ThreatQ.Indicator.TQScore	Number	The ThreatQ score of the indicator.
ThreatQ.Indicator.Description	String	The description of the indicator.
ThreatQ.Indicator.Type	String	The type of the indicator.

Command Example

  !ip ip=91.140.64.113

Human Readable Output

3. Check a URL

---

Checks the reputation of a URL in ThreatQ.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

url

Input

Argument Name	Description	Required
url	The URL to check.	Required

Context Output

Path	Type	Description
DBotScore.Indicator	String	The value of the indicator.
DBotScore.Type	String	The type of the indicator.
DBotScore.Vendor	String	The vendor of the indicator.
DBotScore.Score	Number	The DBot Score of the indicator.
URL.Data	String	The URL.
URL.Malicious.Vendor	String	The vendor of the malicious URL.
URL.Malicious.Description	String	The description of the malicious URL.
ThreatQ.Indicator.ID	Number	The ID of the indicator.
ThreatQ.Indicator.Value	String	The value of the indicator.
ThreatQ.Indicator.Source.ID	Number	The source of the indicator.
ThreatQ.Indicator.Source.Name	String	The source of the indicator.
ThreatQ.Indicator.Attribute.ID	Number	The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Value	String	The attribute value of the indicator.
ThreatQ.Indicator.Attribute.Name	String	The attribute name of the indicator.
ThreatQ.Indicator.CreatedAt	Date	The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt	Date	The last update date of the indicator.
ThreatQ.Indicator.Status	String	The status of the indicator.
ThreatQ.Indicator.TQScore	Number	The ThreatQ score of the indicator.
ThreatQ.Indicator.Description	String	The description of the indicator.
ThreatQ.Indicator.Type	String	The type of the indicator.

Command Example

  !url url=https://www.paloaltonetworks.com/

Human Readable Output

4. Check a file

---

Checks the reputation of a file in ThreatQ.

Base Command

file

Input

Argument Name	Description	Required
file	The MD5, SHA-1 or SHA-256 file to check.	Required

Context Output

Path	Type	Description
DBotScore.Indicator	String	The value of the indicator.
DBotScore.Type	String	The type of the indicator.
DBotScore.Vendor	String	The vendor of the indicator.
DBotScore.Score	Number	The DBot Score of the indicator.
File.Name	String	The name of the file.
File.MD5	String	The MD5 of the file.
File.SHA1	String	The SHA1 of the file.
File.SHA256	String	The SHA256 of the file.
File.SHA512	String	The SHA512 of the file.
File.Path	String	The path of the file.
File.Malicious.Vendor	String	The vendor of the malicious file.
File.Malicious.Description	String	The description of the malicious file.
ThreatQ.Indicator.ID	Number	The ID of the indicator.
ThreatQ.Indicator.Value	String	The value of the indicator.
ThreatQ.Indicator.Source.ID	Number	The source ID of the indicator.
ThreatQ.Indicator.Source.Name	String	The source name of the indicator.
ThreatQ.Indicator.Attribute.ID	Number	The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Value	String	The attribute value of the indicator.
ThreatQ.Indicator.Attribute.Name	String	The attribute name of the indicator.
ThreatQ.Indicator.CreatedAt	Date	The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt	Date	The last update date of the indicator.
ThreatQ.Indicator.Status	String	The status of the indicator.
ThreatQ.Indicator.TQScore	Number	The ThreatQ score of the indicator.
ThreatQ.Indicator.Description	String	The description of the indicator.
ThreatQ.Indicator.Type	String	The type of the indicator.

Command Example

  !file file=a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

Human Readable Output

5. Check an email

---

Checks the reputation of an email in ThreatQ.

Base Command

email

Input

Argument Name	Description	Required
email	The email address to check.	Required

Context Output

Path	Type	Description
DBotScore.Indicator	String	The value of the indicator.
DBotScore.Type	String	The type of the indicator.
DBotScore.Vendor	String	The vendor of the indicator.
DBotScore.Score	Number	The DBot Score of the indicator.
Account.Email.Address	String	The Email Address.
Account.Malicious.Vendor	String	The vendor of the malicious account.
Account.Malicious.Description	String	The description of the malicious account.
ThreatQ.Indicator.ID	Number	The ID of the indicator.
ThreatQ.Indicator.Value	String	The value of the indicator.
ThreatQ.Indicator.Source.ID	Number	The source ID of the indicator.
ThreatQ.Indicator.Source.Name	String	The source name of the indicator.
ThreatQ.Indicator.Attribute.ID	Number	The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Value	String	The attribute value of the indicator.
ThreatQ.Indicator.Attribute.Name	String	The attribute name of the indicator.
ThreatQ.Indicator.CreatedAt	Date	The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt	Date	The last update date of the indicator.
ThreatQ.Indicator.Status	String	The status of the indicator.
ThreatQ.Indicator.TQScore	Number	The ThreatQ score of the indicator.
ThreatQ.Indicator.Description	String	The description of the indicator.
ThreatQ.Indicator.Type	String	The type of the indicator.

Command Example

  !email email=example.gmail.com

Human Readable Output

6. Check a domain

---

Checks the reputation of a domain in ThreatQ.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

domain

Input

Argument Name	Description	Required
domain	The domain or FQDN to check.	Required

Context Output

Path	Type	Description
DBotScore.Indicator	String	The value of the indicator.
DBotScore.Vendor	String	The vendor of the indicator.
DBotScore.Type	String	The type of the indicator.
DBotScore.Score	Number	The DBot Score of the indicator.
Domain.Name	String	The name of the domain.
Domain.Malicious.Vendor	String	The vendor of the malicious domain.
Domain.Malicious.Description	String	The description of the malicious domain.
ThreatQ.Indicator.ID	Number	The ID of the indicator.
ThreatQ.Indicator.Value	String	The value of the indicator.
ThreatQ.Indicator.Source.ID	Number	The source ID of the indicator.
ThreatQ.Indicator.Source.Name	String	The source name of the indicator.
ThreatQ.Indicator.Attribute.ID	Number	The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Value	String	The attribute value of the indicator.
ThreatQ.Indicator.Attribute.Name	String	The attribute name of the indicator.
ThreatQ.Indicator.CreatedAt	Date	The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt	Date	The last update date of the indicator.
ThreatQ.Indicator.Status	String	The status of the indicator.
ThreatQ.Indicator.TQScore	Number	The ThreatQ score of the indicator.
ThreatQ.Indicator.Description	String	The description of the indicator.
ThreatQ.Indicator.Type	String	The type of the indicator.

Command Example

!domain domain=www.testdomain.com

Human Readable Output

7. Create an indicator

---

Creates a new indicator in ThreatQ.

Base Command

threatq-create-indicator

Input

Argument Name	Description	Required
type	The type of indicator, such as email address, IP address, Registry key, binary string, and so on.	Required
status	The status of the indicator. Can be: "Active", "Expired", "Indirect", "Review", or "Whitelisted".	Required
value	The value of the indicator.	Required
sources	List of Sources names, separated by commas.	Optional
attributes_names	Attributes names list, separated by commas. The i-th element in the attributes names list corresponds to the i-th element in the attributes values list.	Optional
attributes_values	Attributes values list, separated by commas. The i-th element in the attributes values list corresponds to the i-th element in the attributes names list.	Optional

Context Output

Path	Type	Description
ThreatQ.Indicator.ID	Number	The ID of the indicator.
ThreatQ.Indicator.Value	String	The value of the indicator.
ThreatQ.Indicator.Source.ID	Number	The source ID of the indicator.
ThreatQ.Indicator.Source.Name	String	The source name of the indicator.
ThreatQ.Indicator.Attribute.ID	Number	The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Value	String	The attribute value of the indicator.
ThreatQ.Indicator.Attribute.Name	String	The attribute name of the indicator.
ThreatQ.Indicator.CreatedAt	Date	The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt	Date	The last update date of the indicator.
ThreatQ.Indicator.Status	String	The status of the indicator.
ThreatQ.Indicator.TQScore	Number	The ThreatQ score of the indicator.
ThreatQ.Indicator.Description	String	The description of the indicator.
ThreatQ.Indicator.Type	String	The type of the indicator.

Command Example

  !threatq-create-indicator value=232.12.34.135 status=Review type="IP Address" attributes_names=TestAttr1,TestAttr2 attributes_values=Val1,Val2 sources=arian@demisto.com

Human Readable Output

8. Add an attribute

---

Adds an attribute to an object in ThreatQ.

Base Command

threatq-add-attribute

Input

Argument Name	Description	Required
name	The name of the attribute to add.	Required
value	The value of the attribute to add.	Required
obj_type	The type of the object to add. Can be: "indicator", "event", "adversary", or "attachment".	Required
obj_id	The ID of the Object.	Required

Context Output

There are no context output for this command.

Command Example

  !threatq-add-attribute obj_type=indicator obj_id=173317 name=TestAttr3 value=Val3

Human Readable Output

9. Modify an attribute

---

Modifies an attribute for an object in ThreatQ.

Base Command

threatq-modify-attribute

Input

Argument Name	Description	Required
obj_type	The type of the object. Can be: "indicator", "event", "adversary", or "attachment".	Required
obj_id	The ID of the object.	Required
attribute_id	The ID of the attribute to modify.	Required
attribute_value	The new value of the attribute.	Required

Command Example

  !threatq-modify-attribute attribute_id=996895 attribute_value=NewVal obj_id=173317 obj_type=indicator

Human Readable Output

10. Link two objects

---

Links two objects together in ThreatQ.

Base Command

threatq-link-objects

Input

Argument Name	Description	Required
obj1_id	The ID of the first object.	Required
obj2_id	The ID of the second object.	Required
obj1_type	The type of the first object. Can be: "indicator", "adversary", or "event".	Required
obj2_type	The type of the second object. Can be: "indicator", "adversary", or "event".	Required

Command Example

  !threatq-link-objects obj1_id=173317 obj1_type=indicator obj2_id=1 obj2_type=adversary

Human Readable Output

11. Create an adversary

---

Creates a new adversary in ThreatQ.

Base Command

threatq-create-adversary

Input

Argument Name	Description	Required
name	Name of the adversary to create.	Required
sources	List of sources names, separated by commas.	Optional
attributes_names	List of attributes names, separated by commas. The i-th element in the attributes names list corresponds to the i-th element in the attributes values list.	Optional
attributes_values	List of attributes values, separated by commas. The i-th element in the attributes values list corresponds to the i-th element in the attributes names list.	Optional

Context Output

Path	Type	Description
ThreatQ.Adversary.Name	string	The name of the adversary.
ThreatQ.Adversary.ID	number	The ID of the adversary.
ThreatQ.Adversary.Source.ID	number	The source ID of the adversary.
ThreatQ.Adversary.Source.Name	string	The source name of the adversary.
ThreatQ.Adversary.Attribute.ID	number	The ID of the adversary's attribute.
ThreatQ.Adversary.Attribute.Name	string	The name of the adversary's attribute.
ThreatQ.Adversary.Attribute.Value	string	The value of the adversary's attribute.
ThreatQ.Adversary.UpdatedAt	date	The creation date of the adversary.
ThreatQ.Adversary.CreatedAt	date	The last update date of the adversary.

Command Example

  !threatq-create-adversary name="Reut Shalem"

Human Readable Output

12. Create an event

---

Creates a new event in ThreatQ.

Base Command

threatq-create-event

Input

Argument Name	Description	Required
title	Title of the event.	Required
type	The type of the event, such as malware, watchlist, command and control, and so on.	Required
date	Date that event happened. Can be: YYYY-mm-dd HH:MM:SS, YYYY-mm-dd	Required
sources	List of sources names, separated by commas.	Optional
attributes_names	List of attributes names, separated by commas. The i-th element in the attributes names list corresponds to the i-th element in the attributes values list.	Optional
attributes_values	List of attributes values, separated by commas. The i-th element in the attributes values list corresponds to the i-th element in the attributes names list.	Optional

Context Output

Path	Type	Description
ThreatQ.Event.ID	number	The ID of the event.
ThreatQ.Event.Source.ID	number	The source ID of the event.
ThreatQ.Event.Source.Name	string	The source name of the event.
ThreatQ.Event.Attribute.ID	number	The ID of the event attribute.
ThreatQ.Event.Attribute.Name	string	The name of the event attribute.
ThreatQ.Event.Attribute.Value	string	The attribute value of the event.
ThreatQ.Event.UpdatedAt	date	The last update date of the event.
ThreatQ.Event.CreatedAt	date	The creation date of the event.
ThreatQ.Event.Type	string	The type of the event.
ThreatQ.Event.Description	string	The description of the event.
ThreatQ.Event.Title	string	The title of the event.
ThreatQ.Event.Occurred	date	The date of the event that happened.

Command Example

  !threatq-create-event date="2019-09-30 20:00:00" title="Offra Alta" type=Incident

Human Readable Output

13. Get related indicators

---

Retrieves related indicators for an object in ThreatQ.

Base Command

threatq-get-related-indicators

Input

Argument Name	Description	Required
obj_id	The ID of the object.	Required
obj_type	The type of the object. Can be: "indicator", "event", or "adversary".	Required

Context Output

Path	Type	Description
ThreatQ.Indicator.RelatedIndicator.ID	number	The ID of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Source.ID	number	The source ID of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Source.Name	string	The source name of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Attribute.ID	number	The attribute ID of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Attribute.Name	string	The attribute name of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Attribute.Value	string	The attribute value of the related indicator.
ThreatQ.Indicator.RelatedIndicator.UpdatedAt	date	The last update date of the related indicator.
ThreatQ.Indicator.RelatedIndicator.CreatedAt	date	The creation date of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Type	string	The type of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Description	string	The description of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Value	string	The value of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Status	string	The status of the related indicator.
ThreatQ.Indicator.RelatedIndicator.TQScore	number	The ThreatQ score of the related indicator.
ThreatQ.Indicator.ID	number	The ID of the indicator.
ThreatQ.Event.RelatedIndicator.ID	number	The ID of the related indicator.
ThreatQ.Event.RelatedIndicator.Source.ID	number	The source ID of the related indicator.
ThreatQ.Event.RelatedIndicator.Source.Name	string	The source name of the related indicator.
ThreatQ.Event.RelatedIndicator.Attribute.ID	number	The attribute ID of the related indicator.
ThreatQ.Event.RelatedIndicator.Attribute.Name	string	The attribute name of the related indicator.
ThreatQ.Event.RelatedIndicator.Attribute.Value	string	The attribute value of the related indicator.
ThreatQ.Event.RelatedIndicator.UpdatedAt	date	The last update date of the related indicator.
ThreatQ.Event.RelatedIndicator.CreatedAt	date	The creation date of the related indicator.
ThreatQ.Event.RelatedIndicator.Type	string	The type of the related indicator.
ThreatQ.Event.RelatedIndicator.Description	string	The description of the related indicator.
ThreatQ.Event.RelatedIndicator.Value	string	The value of the related indicator.
ThreatQ.Event.RelatedIndicator.Status	string	The status of the related indicator.
ThreatQ.Event.RelatedIndicator.TQScore	number	The ThreatQ score of the related indicator.
ThreatQ.Event.ID	number	ID of the Event.
ThreatQ.Adversary.RelatedIndicator.ID	number	ID of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Source.ID	number	Source ID of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Source.Name	string	Source name of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Attribute.ID	number	ID attribute of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Attribute.Name	string	Attribute name of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Attribute.Value	string	Attribute value of the related indicator.
ThreatQ.Adversary.RelatedIndicator.UpdatedAt	date	The last update date of the related indicator.
ThreatQ.Adversary.RelatedIndicator.CreatedAt	date	The creation date of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Type	string	The type of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Description	string	Description of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Value	string	The value of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Status	string	The status of the related indicator.
ThreatQ.Adversary.RelatedIndicator.TQScore	number	The ThreatQ score of the related indicator.
ThreatQ.Adversary.ID	number	ID of the Adversary.

Command Example

  !threatq-get-related-indicators obj_id=1 obj_type=adversary

Human Readable Output

14. Update an indicator status

---

Updates an indicator status in ThreatQ.

Base Command

threatq-update-status

Input

Argument Name	Description	Required
id	The ID of the indicator.	Required
status	The new status of the indicator. Can be: "Active", "Expired", "Indirect", "Review", or "Whitelisted".	Required

Context Output

Path	Type	Description
ThreatQ.Indicator.ID	Number	ID of the indicator.
ThreatQ.Indicator.Status	String	Status of the indicator.

Command Example

  !threatq-update-status id=173317 status=Whitelisted

Human Readable Output

15. Get related events

---

Retrieves related events of an object in ThreatQ.

Base Command

threatq-get-related-events

Input

Argument Name	Description	Required
obj_id	ID of the object.	Required
obj_type	The type of the object. Can be: "indicator", "event", or "adversary".	Required

Context Output

Path	Type	Description
ThreatQ.Indicator.RelatedEvent.ID	number	ID of the related event.
ThreatQ.Indicator.RelatedEvent.Source.ID	number	Source ID of the related event.
ThreatQ.Indicator.RelatedEvent.Source.Name	string	Source name of the related event.
ThreatQ.Indicator.RelatedEvent.Attribute.ID	number	The attribute ID of the related event.
ThreatQ.Indicator.RelatedEvent.Attribute.Name	string	The attribute name of the related event.
ThreatQ.Indicator.RelatedEvent.Attribute.Value	string	The attribute value of the related event.
ThreatQ.Indicator.RelatedEvent.UpdatedAt	date	The last update date of the related event.
ThreatQ.Indicator.RelatedEvent.CreatedAt	date	The creation date of the related event.
ThreatQ.Indicator.RelatedEvent.Description	string	Description of the related event.
ThreatQ.Indicator.RelatedEvent.Title	string	The title of the related event.
ThreatQ.Indicator.RelatedEvent.Occurred	date	The date of occurrence of the related event.
ThreatQ.Indicator.RelatedEvent.Type	string	The type of the related event.
ThreatQ.Indicator.ID	number	The ID of the Indicator.
ThreatQ.Event.RelatedEvent.ID	number	The ID of the related event.
ThreatQ.Event.RelatedEvent.Source.ID	number	The source ID of the related event.
ThreatQ.Event.RelatedEvent.Source.Name	string	The source name of the related event.
ThreatQ.Event.RelatedEvent.Attribute.ID	number	The attribute ID of the related event.
ThreatQ.Event.RelatedEvent.Attribute.Name	string	The attribute name of the related event.
ThreatQ.Event.RelatedEvent.Attribute.Value	string	The attribute value of the related event.
ThreatQ.Event.RelatedEvent.UpdatedAt	date	The last update date of the related event.
ThreatQ.Event.RelatedEvent.CreatedAt	date	The creation date of the related event.
ThreatQ.Event.RelatedEvent.Description	string	The description of the related event.
ThreatQ.Event.RelatedEvent.Title	string	The title of the related event.
ThreatQ.Event.RelatedEvent.Occurred	date	The date of occurrence of the related event.
ThreatQ.Event.RelatedEvent.Type	string	The type of the related event.
ThreatQ.Event.ID	number	The ID of the Event.
ThreatQ.Adversary.RelatedEvent.ID	number	The ID of the related event.
ThreatQ.Adversary.RelatedEvent.Source.ID	number	The source ID of the related event.
ThreatQ.Adversary.RelatedEvent.Source.Name	string	The source name of the related event.
ThreatQ.Adversary.RelatedEvent.Attribute.ID	number	The attribute ID of the of the related event.
ThreatQ.Adversary.RelatedEvent.Attribute.Name	string	The attribute name of the related event.
ThreatQ.Adversary.RelatedEvent.Attribute.Value	string	The attribute value of the related event.
ThreatQ.Adversary.RelatedEvent.UpdatedAt	date	The last update date of the related event.
ThreatQ.Adversary.RelatedEvent.CreatedAt	date	The creation date of the related event.
ThreatQ.Adversary.RelatedEvent.Description	string	The description of the related event.
ThreatQ.Adversary.RelatedEvent.Title	string	The title of the related event.
ThreatQ.Adversary.RelatedEvent.Occurred	date	The date of occurrence of the related event.
ThreatQ.Adversary.RelatedEvent.Type	string	The type of the related event.
ThreatQ.Adversary.ID	number	ID of the Adversary.

Command Example

  !threatq-get-related-events obj_id=1 obj_type=adversary

Human Readable Output

16. Get related adversaries

---

Retrieve related adversaries from an object in ThreatQ.

Base Command

threatq-get-related-adversaries

Input

Argument Name	Description	Required
obj_id	ID of the object.	Required
obj_type	The type of the object. Can be: "indicator", "event", or "adversary".	Required

Context Output

Path	Type	Description
ThreatQ.Indicator.RelatedAdversary.ID	number	ID of the related adversary.
ThreatQ.Indicator.RelatedAdversary.Source.ID	number	Source ID of the related adversary.
ThreatQ.Indicator.RelatedAdversary.Source.Name	string	The Source name of the related adversary.
ThreatQ.Indicator.RelatedAdversary.Attribute.ID	number	The attribute ID of the related adversary.
ThreatQ.Indicator.RelatedAdversary.Attribute.Name	string	The attribute name of the related adversary.
ThreatQ.Indicator.RelatedAdversary.Attribute.Value	string	The attribute value of the related adversary.
ThreatQ.Indicator.RelatedAdversary.UpdatedAt	date	The last update date of the related adversary.
ThreatQ.Indicator.RelatedAdversary.CreatedAt	date	The creation date of the related adversary.
ThreatQ.Indicator.RelatedAdversary.Name	string	The name of the related adversary.
ThreatQ.Indicator.ID	number	The ID of the Indicator.
ThreatQ.Event.RelatedAdversary.ID	number	The ID of the related adversary.
ThreatQ.Event.RelatedAdversary.Source.ID	number	The source ID of the related adversary.
ThreatQ.Event.RelatedAdversary.Source.Name	string	The source name of the related adversary.
ThreatQ.Event.RelatedAdversary.Attribute.ID	number	The attribute ID of the related adversary.
ThreatQ.Event.RelatedAdversary.Attribute.Name	string	The Attribute name of the related adversary.
ThreatQ.Event.RelatedAdversary.Attribute.Value	string	The attribute value of the related adversary.
ThreatQ.Event.RelatedAdversary.UpdatedAt	date	The last update date of the related adversary.
ThreatQ.Event.RelatedAdversary.CreatedAt	date	The creation date of the related adversary.
ThreatQ.Event.RelatedAdversary.Name	string	The name of the related adversary.
ThreatQ.Event.ID	number	The ID of the Event.
ThreatQ.Adversary.RelatedAdversary.ID	number	The ID of the Related adversary.
ThreatQ.Adversary.RelatedAdversary.Source.ID	number	The source ID of the related adversary.
ThreatQ.Adversary.RelatedAdversary.Source.Name	string	The source name of the related adversary.
ThreatQ.Adversary.RelatedAdversary.Attribute.ID	number	The attribute ID of the related adversary.
ThreatQ.Adversary.RelatedAdversary.Attribute.Name	string	The attribute name of the related adversary.
ThreatQ.Adversary.RelatedAdversary.Attribute.Value	string	The attribute value of the related adversary.
ThreatQ.Adversary.RelatedAdversary.UpdatedAt	date	The last update date of the related adversary.
ThreatQ.Adversary.RelatedAdversary.CreatedAt	date	The creation date of the related adversary.
ThreatQ.Adversary.RelatedAdversary.Name	string	The name of the related adversary.
ThreatQ.Adversary.ID	number	The ID of the Adversary.

Command Example

  !threatq-get-related-adversaries obj_id=1 obj_type=adversary

Human Readable Output

17. Upload a-file

---

Uploads a file to ThreatQ.

Base Command

threatq-upload-file

Input

Argument Name	Description	Required
entry_id	The file entry ID in Cortex XSOAR.	Required
file_category	Category of the file, such as CrowdStrike Intelligence, FireEye Analysis, PDF, and so on.	Required
malware_safety_lock	Zips malware files for safer downloading. Can be: "on", or "off". Default is off.	Optional
title	Title of the File. Default is the file name.	Optional

Context Output

Path	Type	Description
ThreatQ.File.CreatedAt	Date	Date of the file upload.
ThreatQ.File.Size	Number	Size (in bytes) of the file.
ThreatQ.File.MD5	String	The MD5 of the file.
ThreatQ.File.ID	Number	The File ID in ThreatQ.
ThreatQ.File.Name	String	The name of the File.
ThreatQ.File.Title	String	The title of the file.
ThreatQ.File.UpdatedAt	Date	The last update of the file.
ThreatQ.File.MalwareLocked	Number	Whether malware files are zipped.
ThreatQ.File.ContentType	String	The content type of the file.
ThreatQ.File.Category	String	The type of the file.
ThreatQ.File.Source.ID	Number	The source of the file.
ThreatQ.File.Source.Name	String	The source name of the file.
ThreatQ.File.Attribute.ID	Number	The attribute ID of the file.
ThreatQ.File.Attribute.Name	String	The attribute name of the file.
ThreatQ.File.Attribute.Value	String	The attribute value of the file.

Command Example

  !threatq-upload-file entry_id=5379@9da8d636-cf30-42c2-8263-d09f5268be8a file_category="Generic Text" title="File Title"

Human Readable Output

18. Search by Object type and ID

---

Searches for an object by object type and ID.

Base Command

threatq-search-by-id

Input

Argument Name	Description	Required
obj_type	The type of the object. Can be: "indicator", "event", "attachment" or "adversary".	Required
obj_id	The ID of the Object.	Required

Context Output

Path	Type	Description
ThreatQ.Indicator.ID	number	ID of the indicator.
ThreatQ.Indicator.Source.ID	number	Source ID of the indicator.
ThreatQ.Indicator.Source.Name	string	Source name of the indicator.
ThreatQ.Indicator.Attribute.ID	number	Attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Name	string	Attribute name of the indicator.
ThreatQ.Indicator.Attribute.Value	string	Attribute value of the indicator.
ThreatQ.Indicator.CreatedAt	date	Creation date of the indicator.
ThreatQ.Indicator.UpdatedAt	date	Last update date of the indicator.
ThreatQ.Indicator.Description	string	Description of the indicator.
ThreatQ.Indicator.Value	string	The value of the indicator.
ThreatQ.Indicator.Status	string	The status of indicator.
ThreatQ.Indicator.Type	string	The type of the indicator. For example, IP Address.
ThreatQ.Indicator.TQScore	number	The ThreatQ Score of the indicator.
ThreatQ.Event.ID	number	The ID of the indicator.
ThreatQ.Event.Source.ID	number	The source ID of the indicator.
ThreatQ.Event.Source.Name	string	The source name of the indicator.
ThreatQ.Event.Attribute.ID	number	The attribute ID of the indicator.
ThreatQ.Event.Attribute.Name	string	The attribute name of the indicator.
ThreatQ.Event.Attribute.Value	string	The attribute value of the indicator.
ThreatQ.Event.UpdatedAt	date	The last update date of the event.
ThreatQ.Event.CreatedAt	date	The creation date of the event.
ThreatQ.Event.Type	string	The type of the event.
ThreatQ.Event.Description	string	Description of the event.
ThreatQ.Event.Title	string	The title of the event.
ThreatQ.Event.Occurred	date	The date that the event happened.
ThreatQ.Adversary.Name	string	The name of the adversary.
ThreatQ.Adversary.ID	number	The ID of the adversary.
ThreatQ.Adversary.Source.ID	number	The source of the adversary.
ThreatQ.Adversary.Source.Name	string	The source name of the adversary.
ThreatQ.Adversary.Attribute.ID	number	The attribute ID of the adversary.
ThreatQ.Adversary.Attribute.Name	string	The attribute name of the adversary.
ThreatQ.Adversary.Attribute.Value	string	The attribute value of the adversary.
ThreatQ.Adversary.UpdatedAt	date	The creation date of the adversary.
ThreatQ.Adversary.CreatedAt	date	The last update date of the adversary.
ThreatQ.File.CreatedAt	Date	Date of the file upload.
ThreatQ.File.Size	Number	Size (in bytes) of the file.
ThreatQ.File.MD5	String	The MD5 hash of the file.
ThreatQ.File.ID	Number	The File ID in ThreatQ.
ThreatQ.File.Name	String	The name of the File.
ThreatQ.File.Title	String	The title of the file.
ThreatQ.File.UpdatedAt	Date	The last update of the file.
ThreatQ.File.MalwareLocked	Number	Whether malware files are zipped.
ThreatQ.File.ContentType	String	The content type of the file.
ThreatQ.File.Category	String	The type of the file.
ThreatQ.File.Source.ID	Number	The source of the file.
ThreatQ.File.Source.Name	String	The source name of the file.
ThreatQ.File.Attribute.ID	Number	The attribute ID of the file.
ThreatQ.File.Attribute.Name	String	The attribute name of the file.
ThreatQ.File.Attribute.Value	String	The attribute value of the file.

Command Example

  !threatq-search-by-id obj_id=173317 obj_type=indicator

Human Readable Output

19. Unlink two objects

---

Unlinks two objects in ThreatQ.

Base Command

threatq-unlink-objects

Input

Argument Name	Description	Required
obj1_id	The ID of the first object.	Required
obj1_type	The type of the first object. Can be: "adversary", "indicator", or "event".	Required
obj2_id	The ID of the second object.	Required
obj2_type	The type of the second object. Can be: "adversary", "indicator", or "event".	Required

Command Example

  !threatq-unlink-objects obj1_id=173317 obj1_type=indicator obj2_id=1 obj2_type=adversary

Human Readable Output

20. Delete an object

---

Deletes an object in ThreatQ.

Base Command

threatq-delete-object

Input

Argument Name	Description	Required
obj_id	ID of the Object.	Required
obj_type	The type of the object. Can be: "indicator", "event", "adversary" or "attachment".	Required

Command Example

  !threatq-delete-object obj_id=104 obj_type=event

Human Readable Output

21. Add a source to an object

---

Adds a source to an object in ThreatQ.

Base Command

threatq-add-source

Input

Argument Name	Description	Required
obj_id	ID of an Object.	Required
obj_type	The type of the object. Can be: "indicator", "event", "adversary", or "attachment".	Required
source	The source name.	Required

Command Example

  !threatq-add-source obj_id=173317 obj_type=indicator source="AlienVault OTX"

Human Readable Output

22. Delete a source from an object

---

Deletes a source from an object in ThreatQ.

Base Command

threatq-delete-source

Input

Argument Name	Description	Required
source_id	ID of the source.	Required
obj_id	ID of the object.	Required
obj_type	The type of the object. Can be: "indicator", "event", "adversary", or "attachment".	Required

Command Example

  !threatq-delete-source obj_id=173317 obj_type=indicator source_id=3333819

Human Readable Output

23. Delete an attribute

---

Deletes an attribute from an object in ThreatQ.

Base Command

threatq-delete-attribute

Input

Argument Name	Description	Required
attribute_id	ID of the attribute.	Required
obj_id	ID of the object.	Required
obj_type	The type of the object. Can be: "indicator", "event", "adversary", or "attachment".	Required

Command Example

  !threatq-delete-attribute attribute_id=996896 obj_id=173317 obj_type=indicator

Human Readable Output

24. Edit an adversary

---

Updates an adversary name in ThreatQ.

Base Command

threatq-edit-adversary

Input

Argument Name	Description	Required
id	ID of the Adversary to update.	Required
name	Name of the new adversary.	Required

Context Output

Path	Type	Description
ThreatQ.Adversary.Name	string	The name of the adversary.
ThreatQ.Adversary.ID	number	The ID of the adversary.
ThreatQ.Adversary.Source.ID	number	The source ID of the adversary.
ThreatQ.Adversary.Source.Name	string	The source name of the adversary.
ThreatQ.Adversary.Attribute.ID	number	The attribute ID of the adversary.
ThreatQ.Adversary.Attribute.Name	string	The attribute name of the adversary.
ThreatQ.Adversary.Attribute.Value	string	The value of the adversary.
ThreatQ.Adversary.UpdatedAt	date	The creation date of the adversary.
ThreatQ.Adversary.CreatedAt	date	The last update date of the adversary.

Command Example

  !threatq-edit-adversary id=23 name="New Adversary Name"

Human Readable Output

25. Edit an indicator

---

Updates an indicator in ThreatQ.

Base Command

threatq-edit-indicator

Input

Argument Name	Description	Required
id	The ID of the indicator.	Required
value	The value of the new indicator.	Optional
type	The type of the new indicator, such as email address, Filename, Binary string and so on.	Optional
description	The description of the indicator.	Optional

Context Output

Path	Type	Description
ThreatQ.Indicator.ID	number	The ID of the indicator.
ThreatQ.Indicator.Source.ID	number	The source ID of the indicator.
ThreatQ.Indicator.Source.Name	string	The source name of the indicator.
ThreatQ.Indicator.Attribute.ID	number	The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Name	string	The attribute name of the indicator.
ThreatQ.Indicator.Attribute.Value	string	The attribute value of the indicator.
ThreatQ.Indicator.CreatedAt	date	The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt	date	The last update date of the indicator.
ThreatQ.Indicator.Description	string	The description of the indicator.
ThreatQ.Indicator.Value	string	The value of the indicator.
ThreatQ.Indicator.Status	string	The status of the indicator.
ThreatQ.Indicator.Type	string	The type of the indicator. For example, IP Address.
ThreatQ.Indicator.TQScore	number	The ThreatQ Score of the indicator.

Command Example

  !threatq-edit-indicator id=173317 description="This is a new description" type="Email Address" value=goo@test.com

Human Readable Output

26. Edit an event

---

Updates an event in ThreatQ.

Base Command

threatq-edit-event

Input

Argument Name	Description	Required
id	The ID of the Event.	Required
title	The title of the new event.	Optional
date	Date that event happened. Can be: YYYY-mm-dd HH:MM:SS, YYYY-mm-dd	Optional
type	Type of the event, such as DoS Attack, Malware, Watchlist, and so on.	Optional
description	Description of the event.	Optional

Context Output

Path	Type	Description
ThreatQ.Event.ID	number	The ID of the event.
ThreatQ.Event.Source.ID	number	The source ID of the event.
ThreatQ.Event.Source.Name	string	The source name of the event.
ThreatQ.Event.Attribute.ID	number	The attribute ID of the event.
ThreatQ.Event.Attribute.Name	string	The attribute name of the event.
ThreatQ.Event.Attribute.Value	string	The attribute value of the event.
ThreatQ.Event.UpdatedAt	date	The last update date of the event.
ThreatQ.Event.CreatedAt	date	The creation date of the event.
ThreatQ.Event.Type	string	The type of the event.
ThreatQ.Event.Description	string	The description of the event.
ThreatQ.Event.Title	string	The title of the event.
ThreatQ.Event.Occurred	date	The date that the event happened.

Command Example

  !threatq-edit-event id=1 date="2019-09-30 21:00:00" description="The event will take place in Expo Tel Aviv" type="Command and Control"

Human Readable Output

27. Update a score of an indicator

---

Modifies an indicator's score in ThreatQ. The final indicator score is the highest of the manual and generated scores.

Base Command

threatq-update-score

Input

Argument Name	Description	Required
id	The ID of the indicator.	Required
score	The manual indicator score. Can be: "Generated Score" or "1", "2", "3", "4", "5", "6", "7", "8", "9" or "10".	Required

Context Output

Path	Type	Description
ThreatQ.Indicator.ID	number	The ID of the indicator.
ThreatQ.Indicator.Source.ID	number	The source ID of the indicator.
ThreatQ.Indicator.Source.Name	string	The source name of the indicator.
ThreatQ.Indicator.Attribute.ID	number	The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Name	string	The attribute name of the indicator.
ThreatQ.Indicator.Attribute.Value	string	The attribute value of the indicator.
ThreatQ.Indicator.CreatedAt	date	The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt	date	The last update date of the indicator.
ThreatQ.Indicator.Description	string	The description of the indicator.
ThreatQ.Indicator.Value	string	The value of the indicator.
ThreatQ.Indicator.Status	string	The status of the Indicator.
ThreatQ.Indicator.Type	string	The type of the indicator. For example, IP Address.
ThreatQ.Indicator.TQScore	number	The ThreatQ Score of the indicator.

Command Example

  !threatq-update-score id=173317 score=2

Human Readable Output

28. Download a file to Cortex XSOAR

---

Downloads a file from ThreatQ to Cortex XSOAR.

Base Command

threatq-download-file

Input

Argument Name	Description	Required
id	The ID of the file.	Required

Command Example

  !threatq-download-file id=88

Human Readable Output

29. Get all indicators

---

Retrieves all indicators in ThreatQ.

Base Command

threatq-get-all-indicators

Input

Argument Name	Description	Required
page	The result page number to return. Default is 0.	Optional
limit	The maximum number of indicators return. Default is 50.	Optional

Context Output

Path	Type	Description
ThreatQ.Indicator.ID	number	ID of the indicator.
ThreatQ.Indicator.Source.ID	number	Source ID of the indicator.
ThreatQ.Indicator.Source.Name	string	Source name of the indicator.
ThreatQ.Indicator.Attribute.ID	number	Attribute ID of the of the indicator.
ThreatQ.Indicator.Attribute.Name	string	Attribute name of the indicator.
ThreatQ.Indicator.Attribute.Value	string	Attribute value of the indicator.
ThreatQ.Indicator.CreatedAt	date	The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt	date	The last update date of the indicator.
ThreatQ.Indicator.Description	string	The description of the indicator.
ThreatQ.Indicator.Value	string	The value of the indicator.
ThreatQ.Indicator.Status	string	The status of the indicator.
ThreatQ.Indicator.Type	string	The type of the indicator. For example, IP Address.
ThreatQ.Indicator.TQScore	number	The ThreatQ Score of the indicator.

Command Example

  
  !threatq-get-all-indicators limit=30 page=10

Human Readable Output

30. Get a list of events

---

Retrieves all events in ThreatQ.

Base Command

threatq-get-all-events

Input

Argument Name	Description	Required
page	The result page number to return. Default is 0.	Optional
limit	The maximum number of events to return. Default is 50.	Optional

Context Output

Path	Type	Description
ThreatQ.Event.ID	number	The ID of the event.
ThreatQ.Event.Source.ID	number	The source ID of the event.
ThreatQ.Event.Source.Name	string	The source name of the event.
ThreatQ.Event.Attribute.ID	number	The attribute ID of the event.
ThreatQ.Event.Attribute.Name	string	The attribute name of the event.
ThreatQ.Event.Attribute.Value	string	The attribute value of the event.
ThreatQ.Event.UpdatedAt	date	The last update date of the event.
ThreatQ.Event.CreatedAt	date	The creation date of the event.
ThreatQ.Event.Type	string	The type of the event.
ThreatQ.Event.Description	string	The description of the event.
ThreatQ.Event.Title	string	The title of the event.
ThreatQ.Event.Occurred	date	The date the event happened.

Command Example

  !threatq-get-all-events limit=30 page=10

Human Readable Output

31. Get a list of all adversaries

---

Returns all adversaries in ThreatQ.

Base Command

threatq-get-all-adversaries

Input

Argument Name	Description	Required
page	The result page number to return. Default is 0.	Optional
limit	The maximum number of objects to return in one response (maximum is 200).	Optional

Context Output

Path	Type	Description
ThreatQ.Adversary.Name	string	The name of the adversary.
ThreatQ.Adversary.ID	number	The ID of the of the adversary.
ThreatQ.Adversary.Source.ID	number	The source ID of the adversary.
ThreatQ.Adversary.Source.Name	string	The source name of the adversary.
ThreatQ.Adversary.Attribute.ID	number	The attribute ID of the adversary.
ThreatQ.Adversary.Attribute.Name	string	The attribute name of the adversary.
ThreatQ.Adversary.Attribute.Value	string	The attribute value of the adversary.
ThreatQ.Adversary.UpdatedAt	date	The creation date of the adversary.
ThreatQ.Adversary.CreatedAt	date	The last update date of the adversary.

Command Example

  !threatq-get-all-events limit=30 page=10

Human Readable Output