
ThreatstreamBuildIocImportJson

This script is part of the Anomali ThreatStream Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

Builds a JSON array based on the values provided by the user for the 'threatstream-import-indicator-without-approval' command.

Script Data

| Name | Description |
| --- | --- |
| Script Type | python3 |
| Tags | basescript |
| Cortex XSOAR Version | 6.8.0 |

Inputs

| Argument Name | Description |
| --- | --- |
| email_values | A comma-separated list of emails. |
| md5_values | A comma-separated list of MD5 hashes. |
| ip_values | A comma-separated list of IPs. |
| url_values | A comma-separated list of URLs. |
| domain_values | A comma-separated list of domains. |
| email_indicator_type | The indicator type (Itype) of the emails provided. By default the type will be “Malware Email” (mal_email). |
| md5_indicator_type | The indicator type (Itype) of the hashes provided. By default the type will be “Malware MD5” (mal_md5). |
| ip_indicator_type | The indicator type (Itype) of the IPs provided. By default the type will be “Malware IP” (mal_ip). |
| url_indicator_type | The indicator type (Itype) of the URLs provided. By default the type will be “Malware URL” (mal_url). |
| domain_indicator_type | The indicator type (Itype) of the domains provided. By default the type will be “Malware Domain” (mal_domain). |
| indicator_query | The indicator query, based on Lucene search syntax. |

Note: If both a query (indicator_query) and values (e.g., email_values) are provided as arguments, the values will be ignored.

Outputs

| Path | Description | Type |
| --- | --- | --- |
| ThreatstreamBuildIocImportJson | The string output represents a JSON object. | String |

Script Examples

Example command

!ThreatstreamBuildIocImportJson indicator_query="type: Domain"

Context Example

{
"ThreatstreamBuildIocImportJson": "{'objects': [{'value': 'my.domain1.com', 'itype': 'mal_domain'}, {'value': 'my.domain2.com', 'itype': 'mal_domain'}]}"
}

Human Readable Output

{'objects': [{'value': 'my.domain1.com', 'itype': 'mal_domain'}, {'value': 'my.domain2.com', 'itype': 'mal_domain'}]}

Example command

!ThreatstreamBuildIocImportJson indicator_query="type: Domain" domain_indicator_type=spam_domain

Context Example

{
"ThreatstreamBuildIocImportJson": "{'objects': [{'value': 'my.domain1.com', 'itype': 'spam_domain'}, {'value': 'my.domain2.com', 'itype': 'spam_domain'}]}"
}

Human Readable Output

{'objects': [{'value': 'my.domain1.com', 'itype': 'spam_domain'}, {'value': 'my.domain2.com', 'itype': 'spam_domain'}]}
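
An added example (not the pack's own code) that builds the same 'objects' structure shown in the examples above from comma-separated values, using the default itypes from the Inputs table, and sets aside malformed values before they reach a command that imports without approval. The helper name `build_import_objects`, the validation rules and the sample values are assumptions of this example.

```python
import ipaddress
import json
import re

# Default itypes, as listed in the Inputs table on this page.
DEFAULT_ITYPES = {"email": "mal_email", "md5": "mal_md5", "ip": "mal_ip",
                  "url": "mal_url", "domain": "mal_domain"}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

# Deliberately simple sanity checks; these rules are assumptions of this example.
VALIDATORS = {
    "email": lambda v: v.count("@") == 1 and "." in v.split("@")[1],
    "md5": lambda v: re.fullmatch(r"[0-9a-fA-F]{32}", v) is not None,
    "ip": _is_ip,
    "url": lambda v: v.lower().startswith(("http://", "https://")),
    "domain": lambda v: "." in v and "/" not in v and "@" not in v,
}

def build_import_objects(values, itypes=None):
    """Hypothetical helper. values maps a type to a comma-separated string;
    itypes overrides the defaults. Returns (payload, rejected), where rejected
    holds the (type, value) pairs that failed validation."""
    itypes = {**DEFAULT_ITYPES, **(itypes or {})}
    objects, rejected, seen = [], [], set()
    for kind, csv in values.items():
        for raw in csv.split(","):
            value = raw.strip()
            if not value or (kind, value) in seen:
                continue  # skip blanks and duplicates
            seen.add((kind, value))
            if VALIDATORS[kind](value):
                objects.append({"value": value, "itype": itypes[kind]})
            else:
                rejected.append((kind, value))
    return {"objects": objects}, rejected

if __name__ == "__main__":
    # Constructed sample input (documentation-range IP, placeholder domains).
    payload, rejected = build_import_objects(
        {"domain": "my.domain1.com, my.domain2.com", "ip": "192.0.2.10,999.1.1.1"},
        itypes={"domain": "spam_domain"})
    print(json.dumps(payload, indent=2))  # strict, double-quoted JSON
    print("rejected:", rejected)
```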