
ThreatX

This Integration is part of the ThreatX Pack.

Use the ThreatX integration to enrich intel and automate enforcement actions on the ThreatX Next Gen WAF.

Use Cases

  • Add and remove CIDR ranges and IP addresses to various block lists or the allow list
  • Gather Entity metadata for intel enrichment and DBot scoring
  • Set Entity notes for SOC integration or further automation

Configure ThreatX on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for ThreatX.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Customer Name: contact the ThreatX SOC for your Customer Name.
    • ThreatX Server URL (e.g., https://provision.threatx.io/)
    • API Key: contact the ThreatX SOC for your API Key.
    • DBot Score Threshold: the ThreatX Risk score threshold (1 to 100) used to translate an entity's risk into a Malicious DBot score. The default is 70.
    • Use system proxy settings
    • Trust any certificate (not secure)
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Temporarily block an IP address or CIDR: threatx-block-ip
  2. Unblock an IP address or CIDR: threatx-unblock-ip
  3. Block list an IP address or CIDR: threatx-blacklist-ip
  4. Remove an IP address or CIDR from the block list: threatx-unblacklist-ip
  5. Add an IP address or CIDR to allow list: threatx-whitelist-ip
  6. Remove an IP address or CIDR from the allow list: threatx-unwhitelist-ip
  7. Get entity information: threatx-get-entities
  8. Get entity notes: threatx-get-entity-notes
  9. Add a note to an entity: threatx-add-entity-note

1. Temporarily block an IP address or CIDR


Temporarily blocks an IP address or CIDR.

Base Command

threatx-block-ip

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address or CIDR, for example: "10.1.1.1" or "10.1.1.0/24". | Required |
| description | The description of the IP record in the block list. The default value is: "Added by ThreatX Cortex XSOAR Integration". | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IP.Address | string | IP address or CIDR that was blocked. |

Command Example
!threatx-block-ip ip=12.12.12.12

Context Example
{
    "IP": [
        {
            "Address": "12.12.12.12"
        }
    ]
}

Human Readable Output
| Result |
| --- |
| Blocklist entry for ip 12.12.12.12 added |

2. Unblock an IP address or CIDR


Unblocks a blocked IP address or CIDR.

Base Command

threatx-unblock-ip

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address or CIDR, for example: "10.1.1.1" or "10.1.1.0/24". | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IP.Address | string | IP address or CIDR that was unblocked. |

Command Example
!threatx-unblock-ip ip=12.12.12.12

Context Example
{
    "IP": [
        {
            "Address": "12.12.12.12"
        }
    ]
}

Human Readable Output
| Result |
| --- |
| Block list entry for ip 12.12.12.12 removed |

3. Block list an IP address or CIDR


Adds an IP address or CIDR to the block list.

Base Command

threatx-blacklist-ip

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address or CIDR in CSV format, for example: "10.1.1.1,10.1.1.0/24". | Required |
| description | The description of the IP record in the block list. The default value is: "Added by ThreatX Cortex XSOAR Integration". | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IP.Address | string | IP address or CIDR that was added to the block list. |

Command Example
!threatx-blacklist-ip ip=12.12.12.12

Context Example
{
    "IP": [
        {
            "Address": "12.12.12.12"
        }
    ]
}

Human Readable Output
| Result |
| --- |
| Block list entry for ip 12.12.12.12 added |

4. Remove an IP address or CIDR from the block list


Removes an IP address or CIDR from the block list.

Base Command

threatx-unblacklist-ip

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address or CIDR, for example: "10.1.1.1" or "10.1.1.0/24". | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IP.Address | string | IP address or CIDR that was removed from the block list. |

Command Example
!threatx-unblacklist-ip ip=12.12.12.12

Context Example
{
    "IP": [
        {
            "Address": "12.12.12.12"
        }
    ]
}

Human Readable Output
| Result |
| --- |
| Block list entry for ip 12.12.12.12 removed |

5. Add an IP address or CIDR to allow list


Adds an IP address or CIDR to the allow list.

Base Command

threatx-whitelist-ip

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address or CIDR, for example: "10.1.1.1" or "10.1.1.0/24". | Required |
| description | The description of the IP record in the allow list. The default value is: "Added by ThreatX Cortex XSOAR Integration". | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IP.Address | string | IP address or CIDR that was added to the allow list. |

Command Example
!threatx-whitelist-ip ip=12.12.12.12

Context Example
{
    "IP": [
        {
            "Address": "12.12.12.12"
        }
    ]
}

Human Readable Output
| Result |
| --- |
| Whitelist entry for ip 12.12.12.12 added |

6. Remove an IP address or CIDR from the allow list


Removes an IP address or CIDR from the allow list.

Base Command

threatx-unwhitelist-ip

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address or CIDR, for example: "10.1.1.1" or "10.1.1.0/24". | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IP.Address | string | IP address or CIDR that was removed from the allow list. |

Command Example
!threatx-unwhitelist-ip ip=12.12.12.12

Context Example
{
    "IP": [
        {
            "Address": "12.12.12.12"
        }
    ]
}

Human Readable Output
| Result |
| --- |
| Allow list entry for ip 12.12.12.12 removed |

7. Get entity information


Returns high-level entity information by Entity ID, Entity Name, or Entity IP.

Base Command

threatx-get-entities

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| timeframe | Look-back timeframe for the query. Options are 1-Hour, 1-Day, 1-Week, 1-Month, or 3-Months. Note: long look-back timeframes for a large number of Entities can time out. | Required |
| entity_name | CSV list of Entity names. | Optional |
| entity_id | CSV list of Entity ID hashes. | Optional |
| entity_ip | CSV list of Entity IP addresses. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Threatx.Entity.ID | string | ID hash of the Entity |
| Threatx.Entity.Name | string | Name of the Entity |
| Threatx.Entity.IP | string | IP address of the Entity |
| Threatx.Entity.Risk | integer | Risk score of the Entity |

Command Example
!threatx-get-entities timeframe=1-Day entity_name=CynicalGraaf,OveconfidentRas

Context Example
{
    "Threatx": {
        "Entity": [
            {
                "ID": "1061035762581303669",
                "Name": "OveconfidentRas",
                "Risk": 0,
                "IP": [
                    "201.93.212.87"
                ]
            },
            {
                "ID": "566056709675514809",
                "Name": "CynicalGraaf",
                "Risk": 0,
                "IP": [
                    "1.125.227.13"
                ]
            }
        ]
    }
}

Human Readable Output
| ThreatX Risk Score | IP Addresses | Name | ID |
| --- | --- | --- | --- |
| 0 | 201.93.212.87 | OveconfidentRas | 1061035762581303669 |
| 55 | 1.125.227.13 | CynicalGraaf | 566056709675514809 |
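Two parts of this page meet in practice: the DBot Score Threshold from the instance settings and the Threatx.Entity context that threatx-get-entities returns. The Python below is an added example, not the integration's own code: it applies the threshold to a constructed entity list in that context shape, then builds the CSV ip argument that threatx-blacklist-ip accepts, validating each value as an IP address or CIDR first. The mapping of sub-threshold scores and the third entity are assumptions made for the demo.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in the shape of the threatx-get-entities context output;
# the third entity (and its malformed "not-an-ip" value) is invented for the demo.
SAMPLE_CONTEXT: Dict = {"Threatx": {"Entity": [
    {"ID": "1061035762581303669", "Name": "OveconfidentRas", "Risk": 0, "IP": ["201.93.212.87"]},
    {"ID": "566056709675514809", "Name": "CynicalGraaf", "Risk": 55, "IP": ["1.125.227.13"]},
    {"ID": "constructed-entity-3", "Name": "ConstructedHighRisk", "Risk": 92,
     "IP": ["203.0.113.7", "203.0.113.0/28", "203.0.113.7", "not-an-ip"]},
]}}

# Cortex XSOAR DBot score values
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3


def risk_to_dbot(risk: int, threshold: int = 70) -> int:
    """Map a ThreatX Risk score (1-100) to a DBot score.

    Risk at or above the instance's DBot Score Threshold (default 70) is Malicious,
    as the integration settings describe. Mapping 0 to Unknown and other
    sub-threshold scores to Good is an assumption of this example.
    """
    if risk >= threshold:
        return DBOT_BAD
    if risk <= 0:
        return DBOT_UNKNOWN
    return DBOT_GOOD


def malicious_blocklist_arg(context: Dict, threshold: int = 70) -> str:
    """Build the CSV `ip` argument of threatx-blacklist-ip from every entity that
    scores Malicious. Each value is validated as an IP address or CIDR and
    deduplicated, so a malformed entry cannot break or widen the enforcement call."""
    targets: List[str] = []
    for entity in context.get("Threatx", {}).get("Entity", []):
        if risk_to_dbot(entity.get("Risk", 0), threshold) != DBOT_BAD:
            continue
        for value in entity.get("IP", []):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # skip anything that is not a valid address or CIDR
            # Single hosts go through as plain addresses, ranges as CIDR notation
            text = str(net.network_address) if net.num_addresses == 1 else str(net)
            if text not in targets:
                targets.append(text)
    return ",".join(targets)
```

With the default threshold only the constructed high-risk entity qualifies, giving `!threatx-blacklist-ip ip=203.0.113.7,203.0.113.0/28`; lowering the threshold to 50 also pulls in CynicalGraaf's address.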

8. Get entity notes


Returns the notes attached to an entity by Entity ID.

Base Command

threatx-get-entity-notes

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| entity_id | ID hash of the Entity. To retrieve this value, run the threatx-get-entities command. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Threatx.Entity.ID | string | ID hash of the Entity |
| Threatx.Entity.Note.content | string | Content of the Note |
| Threatx.Entity.Note.timestamp | string | Timestamp of the Note |
| Threatx.Entity.Note.username | string | Author of the Note |

Command Example
!threatx-get-entity-notes entity_id=566056709675514809

Context Example
{
    "Threatx": {
        "Entity": [
            {
                "ID": "566056709675514809",
                "Note": [
                    {
                        "content": "Demisto test note.",
                        "entity_id": "566056709675514809",
                        "timestamp": "2019-05-31 18:41:09",
                        "username": "user@domain.com"
                    }
                ]
            }
        ]
    }
}

Human Readable Output
| Username | Timestamp | Entity Id | Content |
| --- | --- | --- | --- |
| user@domain.com | 2019-05-31 18:41:09 | 566056709675514809 | Demisto test note. |
| user@domain.com | 2019-05-30 23:36:23 | 566056709675514809 | this is a test note |
| user@domain.com | 2019-05-12 21:36:12 | 566056709675514809 | Another test note |
| user@domain.com | 2019-05-12 21:34:48 | 566056709675514809 | test-note-from-demisto |

9. Add a note to an entity


Adds a new note to an entity.

Base Command

threatx-add-entity-note

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| entity_id | ID hash of the Entity. To retrieve this value, run the threatx-get-entities command. | Required |
| message | Contents of the note. | Required |

Context Output

There is no context output for this command.

Command Example
!threatx-add-entity-note entity_id=566056709675514809 message="test note."

Human Readable Output
| Result |
| --- |
| Note for Entity<id=566056709675514809> created |