Anomali ThreatStream

Overview

Anomali ThreatStream (previously ThreatStream Optic) is a threat-intelligence integration that enables you to pull threat intelligence from the ThreatStream platform and use it in third-party tools. The integration works with the v2 API on product version 2.5.4, using the intelligence resource.

Prerequisites

Retrieve your Anomali ThreatStream credentials; you enter them in Demisto when you configure the integration instance.

  • user name
  • API key

If you do not have these credentials, register at http://ui.threatstream.com.


Configure Demisto to Integrate with Anomali ThreatStream

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for the Anomali ThreatStream integration.
  3. Click Add instance to create and configure a new integration instance.
    • Name | A meaningful name for the integration instance. (Required)
    • Server URL | Anomali ThreatStream hostname or IP address and port. For example: https://api.threatstream.com. (Required)
    • User name | Anomali ThreatStream user name. (Required)
    • API Key | The API key you retrieved in the previous procedure. (Required)
  4. Click Test to verify the URL and credentials.
    A green light means the test was successful. If you experience any issues, contact Demisto Support.

Use Cases

Use this integration to retrieve threat intelligence from the ThreatStream cloud. You can specify the criteria by which intelligence is retrieved, as shown in the commands below. The integration also supports reputation lookups for IP addresses, domains, file hashes and email addresses.


Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Retrieve Threat Intelligence: threatstream-intelligence

Use this command to retrieve threat intelligence from the ThreatStream cloud.

Inputs

Input Parameter | Description
limit | Maximum number of records to return in the response (integer).
asn | Autonomous System (AS) number associated with the indicator.
confidence | Confidence value assigned to the indicator.
country | Country associated with the indicator (country code).
created_ts | Date and time when the indicator was first detected on the ThreatStream cloud platform. For example, 2014-10-02T20:44:35.
expiration_ts | Time stamp (UTC) of when the intelligence will expire on ThreatStream.
feed_id | Numeric ID of the threat feed that generated the indicator.
id | Unique ID of the indicator.
import_session_id | ID of the import session in which the indicator was imported.
ip | IP address associated with the indicator, if the imported indicator is a domain or a URL.
is_public | Classification of the indicator: public or private.
itype | Indicator type.
latitude | Geolocation latitude of the IP address.
longitude | Geolocation longitude of the IP address.
meta.detail | A string that contains a tag associated with the indicator. Use the tag to search for related incidents.
meta.detail2 | Additional details about the state of the indicator, for example why an indicator was marked as a false positive.
meta.maltype | Tag that specifies the malware associated with the indicator.
meta.severity | Severity assigned to the indicator by the machine-learning algorithms that ThreatStream deploys.
modified_ts | When the indicator was last updated on the ThreatStream cloud platform.
org | Registered owner (organization) of the IP address associated with the indicator.
owner_organization_id | ID of the ThreatStream organization that brought in the indicator, through either a threat feed or the import process.
rdns | Domain name (obtained through reverse DNS lookup) associated with the IP address that is associated with the indicator.
source_reported_confidence | Risk score, from 0 to 100, provided by the source of the indicator.
status | Status assigned to the indicator.
tags.name | Tag assigned to the indicator.
threat_type | Summarized threat type of the indicator. For example: malware, compromised, apt, c2.
trusted_circle_ids | IDs of the trusted circles that the indicator is shared with.
type | Type of indicator: domain, email, ip, md5, string, url.
update_id | Incremental numeric identifier associated with each update to intelligence on ThreatStream.
value | Value of the indicator.

Context Output

Path: DBotScore.Indicator
Description: The tested indicator
Path: DBotScore.Type
Description: The indicator type
Path: DBotScore.Vendor
Description: Vendor used to calculate the score
Path: DBotScore.Score
Description: The actual score

JSON Output

{  
   "meta":{  
      "limit":1,
      "next":"/api/v2/intelligence/?username=<username>&country=IL&api_key=<api_key>&limit=1&offset=1",
      "offset":0,
      "previous":null,
      "took":39,
      "total_count":49906
   },
   "objects":[  
      {  
         "asn":"12849",
         "confidence":100,
         "country":"IL",
         "created_ts":"2018-01-03T16:59:29.054Z",
         "description":null,
         "expiration_ts":"2018-04-12T13:37:28.417Z",
         "feed_id":122,
         "id":50460807643,
         "import_session_id":null,
         "ip":"5.29.211.60",
         "is_public":false,
         "itype":"tor_ip",
         "latitude":"32.332900",
         "longitude":"34.859900",
         "meta":{  
            "detail2":"bifocals_deactivated_on_2018-04-10_20:32:42.816201",
            "severity":"low"
         },
         "modified_ts":"2018-04-11T13:37:28.423Z",
         "org":"HOTnet",
         "owner_organization_id":2,
         "rdns":null,
         "resource_uri":"/api/v2/intelligence/50460807643/",
         "retina_confidence":-1,
         "source":"TOR Exit Nodes",
         "source_reported_confidence":100,
         "status":"active",
         "tags":null,
         "threat_type":"tor",
         "threatscore":25,
         "trusted_circle_ids":[  
            146
         ],
         "type":"ip",
         "update_id":1763222542,
         "uuid":"56260f15-377a-48e7-ad40-121f8580a4c5",
         "value":"5.29.211.60",
         "workgroups":[  

         ]
      }
   ]
}
War Room Output

Command: !threatstream-intelligence limit="1" country="IL"

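The query the command sends is an ordinary GET against the v2 intelligence resource, and the response is paged: meta.next carries a server-relative link to the following page. Note from the sample above that the v2 API takes username and api_key as query parameters, so the key also appears in every next link; anything that logs request URLs (proxies, debug output, the War Room) will capture it unless it is stripped. The client below is an added example written for this page, not the Demisto integration's own code. It assumes only the API shape visible above (the /api/v2/intelligence/ path, username and api_key query parameters, filter names from the input table, a server-relative meta.next) and follows pagination up to a page cap; the fake transport and its two pages are constructed for the example.

```python
"""Query the ThreatStream v2 intelligence resource and follow pagination.

Added example; not the Demisto integration's own code. Assumes the API shape
visible on this page: GET <server>/api/v2/intelligence/ with username and
api_key as query parameters, the filter names from the input table as
further query parameters, and a server-relative meta.next link.
"""
import json
import re
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit
from urllib.request import Request, urlopen

DEFAULT_SERVER = "https://api.threatstream.com"


def build_intelligence_url(server, username, api_key, **filters):
    """First-page URL. Filter keyword names map 1:1 to the input table."""
    params = {"username": username, "api_key": api_key}
    params.update({k: v for k, v in filters.items() if v is not None})
    return f"{server.rstrip('/')}/api/v2/intelligence/?{urlencode(params)}"


def redact_key(url):
    """Blank the api_key value before a URL goes into a log or an error message."""
    return re.sub(r"(api_key=)[^&]*", r"\1<redacted>", url)


def http_get_json(url, timeout=30):
    """Real transport. A 401 here means the user name or API key is wrong."""
    req = Request(url, headers={"Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def fetch_intelligence(server, username, api_key, max_pages=10,
                       transport=http_get_json, **filters):
    """Return indicator objects, following meta.next for up to max_pages pages."""
    url = build_intelligence_url(server, username, api_key, **filters)
    objects = []
    for _ in range(max_pages):
        page = transport(url)
        objects.extend(page.get("objects", []))
        nxt = page.get("meta", {}).get("next")
        if not nxt:
            break
        # meta.next is server-relative and repeats the credentials,
        # so it must never be logged without redact_key().
        url = urljoin(server.rstrip("/") + "/", nxt)
    return objects


# Constructed sample pages, modelled on the country="IL" response above.
_PAGES = [
    {"meta": {"limit": 1, "offset": 0, "total_count": 2,
              "next": "/api/v2/intelligence/?username=analyst&api_key=KEY"
                      "&country=IL&limit=1&offset=1"},
     "objects": [{"id": 50460807643, "type": "ip", "itype": "tor_ip",
                  "value": "5.29.211.60", "threatscore": 25, "status": "active"}]},
    {"meta": {"limit": 1, "offset": 1, "total_count": 2, "next": None},
     "objects": [{"id": 50591222843, "type": "ip", "itype": "scan_ip",
                  "value": "176.228.66.70", "threatscore": 25, "status": "inactive"}]},
]


def fake_transport(url):
    """Offline stand-in for http_get_json, keyed on the offset parameter."""
    query = dict(parse_qsl(urlsplit(url).query))
    if query.get("api_key") != "KEY":
        raise PermissionError("401 Unauthorized: " + redact_key(url))
    return _PAGES[int(query.get("offset", 0))]


if __name__ == "__main__":
    hits = fetch_intelligence(DEFAULT_SERVER, "analyst", "KEY",
                              transport=fake_transport, country="IL", limit=1)
    for obj in hits:
        print(obj["value"], obj["itype"], obj["threatscore"], obj["status"])
```

Swap fake_transport for the default http_get_json to run it against a live instance; the page cap keeps a broad filter (the sample query above matches 49906 records) from pulling the whole feed in one command.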

Check Domain Reputation: domain

Inputs

Input Parameter | Description
domain | The domain name to check the reputation of.
threshold | The ThreatScore at or above which a domain is considered malicious.

Context Output

Path: DBotScore.Indicator
Description: The tested indicator
Path: DBotScore.Type
Description: The indicator type
Path: DBotScore.Vendor
Description: Vendor used to calculate the score
Path: DBotScore.Score
Description: The actual score

JSON Output

{  
   "meta":{  
      "limit":1000,
      "next":null,
      "offset":0,
      "previous":null,
      "took":4,
      "total_count":1
   },
   "objects":[  
      {  
         "asn":"",
         "confidence":17,
         "country":"RO",
         "created_ts":"2017-06-02T18:09:41.986Z",
         "description":null,
         "expiration_ts":"2017-08-31T11:58:38.253Z",
         "feed_id":0,
         "id":859843899,
         "import_session_id":213529,
         "ip":"185.72.179.152",
         "is_public":true,
         "itype":"adware_domain",
         "latitude":"46.000000",
         "longitude":"25.000000",
         "meta":{  
            "detail":"",
            "detail2":"bifocals_deactivated_on_2017-08-31_12:47:29.013755",
            "severity":"low"
         },
         "modified_ts":"2017-08-31T12:47:28.926Z",
         "org":"Nix Web Solutions Pvt Ltd",
         "owner_organization_id":738,
         "rdns":null,
         "resource_uri":"/api/v2/intelligence/859843899/",
         "retina_confidence":17,
         "source":"Analyst",
         "source_reported_confidence":90,
         "status":"inactive",
         "tags":[  
            {  
               "id":"rd4",
               "name":"pony"
            }
         ],
         "threat_type":"adware",
         "threatscore":4,
         "trusted_circle_ids":null,
         "type":"domain",
         "update_id":1023048164,
         "value":"kpanels.in",
         "workgroups":null
      }
   ]
}

War Room Output

Command: !domain domain="kpanels.in" threshold="3"


Check File Checksum Reputation: file

Inputs

Input Parameter | Description
file | The MD5 checksum of the file to check the reputation of.
threshold | The ThreatScore at or above which a file is considered malicious.

Context Output

Path: DBotScore.Indicator
Description: The tested indicator
Path: DBotScore.Type
Description: The indicator type
Path: DBotScore.Vendor
Description: Vendor used to calculate the score
Path: DBotScore.Score
Description: The actual score

JSON Output

{  
   "meta":{  
      "limit":1000,
      "next":null,
      "offset":0,
      "previous":null,
      "took":45,
      "total_count":1
   },
   "objects":[  
      {  
         "asn":"",
         "confidence":92,
         "country":null,
         "created_ts":"2017-06-07T13:01:10.143Z",
         "description":null,
         "expiration_ts":"2017-09-04T13:31:00.194Z",
         "feed_id":0,
         "id":872721081,
         "import_session_id":214717,
         "ip":null,
         "is_public":true,
         "itype":"apt_md5",
         "latitude":null,
         "longitude":null,
         "meta":{  
            "detail":"",
            "detail2":"imported by user 3096",
            "severity":"very-high"
         },
         "modified_ts":"2017-06-07T13:03:03.200Z",
         "org":"",
         "owner_organization_id":738,
         "rdns":null,
         "resource_uri":"/api/v2/intelligence/872721081/",
         "retina_confidence":-1,
         "source":"Analyst",
         "source_reported_confidence":92,
         "status":"active",
         "tags":[  
            {  
               "id":"03e",
               "name":"trickbot"
            }
         ],
         "threat_type":"apt",
         "threatscore":79,
         "trusted_circle_ids":null,
         "type":"md5",
         "update_id":854928373,
         "value":"3e5d63b93a68d715f7559f42285223f4",
         "workgroups":null
      }
   ]
}

War Room Output

Command: !file file="3e5d63b93a68d715f7559f42285223f4" threshold="3"


Check Email Address Reputation: threatstream-email-reputation

Inputs

Input Parameter | Description
email | The email address to check the reputation of.
threshold | The ThreatScore at or above which an email address is considered malicious.

Context Output

Path: DBotScore.Indicator
Description: The tested indicator
Path: DBotScore.Type
Description: The indicator type
Path: DBotScore.Vendor
Description: Vendor used to calculate the score
Path: DBotScore.Score
Description: The actual score

War Room Output

Command: !threatstream-email-reputation email="mailonline_16@filposcv.com" threshold="3"


Check IP Reputation: ip

Inputs

Input Parameter | Description
ip | The IP address to check the reputation of.
threshold | The ThreatScore at or above which an IP address is considered malicious.

Context Output

Path: DBotScore.Indicator
Description: The tested indicator
Path: DBotScore.Type
Description: The indicator type
Path: DBotScore.Vendor
Description: Vendor used to calculate the score
Path: DBotScore.Score
Description: The actual score

JSON Output

{  
   "meta":{  
      "limit":1000,
      "next":null,
      "offset":0,
      "previous":null,
      "took":4,
      "total_count":1
   },
   "objects":[  
      {  
         "asn":"12400",
         "confidence":69,
         "country":"IL",
         "created_ts":"2018-03-13T10:45:16.182Z",
         "description":null,
         "expiration_ts":"2018-03-20T10:45:16.178Z",
         "feed_id":112,
         "id":50591222843,
         "import_session_id":null,
         "ip":"176.228.66.70",
         "is_public":false,
         "itype":"scan_ip",
         "latitude":"31.964200",
         "longitude":"34.804400",
         "meta":{  
            "detail2":"bifocals_deactivated_on_2018-03-20_13:56:34.918843",
            "severity":"medium"
         },
         "modified_ts":"2018-03-20T13:56:34.461Z",
         "org":"Orange Israel",
         "owner_organization_id":2,
         "rdns":null,
         "resource_uri":"/api/v2/intelligence/50591222843/",
         "retina_confidence":69,
         "source":"Anomali Labs MHN",
         "source_reported_confidence":70,
         "status":"inactive",
         "tags":null,
         "threat_type":"scan",
         "threatscore":25,
         "trusted_circle_ids":[  
            145
         ],
         "type":"ip",
         "update_id":1695845308,
         "uuid":"09688972-7581-4fb9-8e50-7c99a02cd442",
         "value":"176.228.66.70",
         "workgroups":[  

         ]
      }
   ]
}

War Room Output

Command: !ip ip="176.228.66.70" threshold="3"

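All four reputation commands work the same way: the indicator is looked up in the intelligence resource and the threshold is compared with the threatscore field of the returned object (not with confidence or source_reported_confidence) to fill the DBotScore context. The sample responses above also show why the comparison alone is not enough: the kpanels.in and 176.228.66.70 objects both have status "inactive" and an expiration_ts in the past, so a verdict based only on threatscore would flag retired intelligence as live. The function below is an added example written for this page, not the integration's own code. It assumes the DBotScore scale Demisto uses (0 unknown, 1 good, 2 suspicious, 3 bad) and the object fields shown above; the page only says that threshold decides whether an indicator is malicious, so downgrading an inactive or expired match to "suspicious" is this example's own rule. The sample objects are constructed from the JSON outputs on this page.

```python
"""Turn a ThreatStream intelligence match into a DBotScore context entry.

Added example; not the Demisto integration's own code. Assumes the DBotScore
scale (0 unknown, 1 good, 2 suspicious, 3 bad) and the object fields shown in
the JSON outputs on this page (value, threatscore, status, expiration_ts).
Treating an inactive or expired match as suspicious rather than bad is this
example's own rule.
"""
from datetime import datetime, timezone

VENDOR = "Anomali ThreatStream"


def parse_ts(value):
    """ThreatStream timestamps look like 2017-09-04T13:31:00.194Z and are UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def is_stale(obj, now):
    """An indicator that is no longer active, or has expired, should not drive a 'bad' verdict."""
    if obj.get("status") != "active":
        return True
    exp = obj.get("expiration_ts")
    return bool(exp) and parse_ts(exp) <= now


def dbot_score(indicator, ioc_type, objects, threshold, now=None):
    """Build the DBotScore.* context for one indicator from intelligence objects.

    ioc_type is the DBotScore type of the command (ip, domain, file, email);
    threshold is the ThreatScore the command was given (a string from the CLI is fine).
    """
    now = now or datetime.now(timezone.utc)
    wanted = indicator.strip().lower()
    matches = [o for o in objects if str(o.get("value", "")).lower() == wanted]
    if not matches:
        return {"Indicator": indicator, "Type": ioc_type, "Vendor": VENDOR, "Score": 0}
    # Several feeds may carry the same value; judge by the highest threatscore.
    worst = max(matches, key=lambda o: o.get("threatscore") or 0)
    threatscore = worst.get("threatscore") or 0
    if threatscore < int(threshold):
        score = 1
    elif is_stale(worst, now):
        score = 2
    else:
        score = 3
    return {"Indicator": indicator, "Type": ioc_type, "Vendor": VENDOR, "Score": score}


# Constructed from the sample objects shown on this page.
SAMPLE_OBJECTS = [
    {"value": "kpanels.in", "type": "domain", "itype": "adware_domain",
     "threatscore": 4, "status": "inactive",
     "expiration_ts": "2017-08-31T11:58:38.253Z"},
    {"value": "3e5d63b93a68d715f7559f42285223f4", "type": "md5", "itype": "apt_md5",
     "threatscore": 79, "status": "active",
     "expiration_ts": "2017-09-04T13:31:00.194Z"},
    {"value": "176.228.66.70", "type": "ip", "itype": "scan_ip",
     "threatscore": 25, "status": "inactive",
     "expiration_ts": "2018-03-20T10:45:16.178Z"},
]
# Fixed "now" so the sample verdicts are reproducible (the md5 is still live here).
SAMPLE_NOW = datetime(2017, 6, 8, tzinfo=timezone.utc)


if __name__ == "__main__":
    for value, ioc_type in (("kpanels.in", "domain"),
                            ("3e5d63b93a68d715f7559f42285223f4", "file"),
                            ("176.228.66.70", "ip"),
                            ("example.com", "domain")):
        print(dbot_score(value, ioc_type, SAMPLE_OBJECTS, "3", now=SAMPLE_NOW))
```

With the threshold of 3 used in the War Room examples above, the live TrickBot hash scores 3, while the two inactive indicators score 2 even though their threatscore is above the threshold; raising the threshold above an object's threatscore (for example 80 for the hash) yields 1.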

Troubleshooting

The integration was tested with the v2 API on version 2.5.4.

  • If a command does not return a response, the server might be down, or the Server URL configured for the instance might be wrong.
  • If you receive a 401 Unauthorized error, the user name or API key is incorrect.