Anomali ThreatStream v2

Use the Anomali ThreatStream integration to query and submit threats.

Anomali ThreatStream v2 Playbook

  • Detonate File - ThreatStream
  • Detonate URL - ThreatStream

Use Cases

  1. Get threat intelligence from the ThreatStream platform.
  2. Create and manage threat models.
  3. Import indicators to ThreatStream platform.
  4. Submit file or URL to sandbox and receive an analysis report.

Configure Anomali ThreatStream v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Anomali ThreatStream v2.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g., https://www.test.com )
    • Username
    • API Key
    • Threshold of the indicator.
    • Trust any certificate (insecure)
    • Use system proxy
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get the reputation of an IP address: ip
  2. Get the reputation of a domain name: domain
  3. Get the reputation of a file: file
  4. Get the reputation of a URL: url
  5. Get the reputation of an email address: threatstream-email-reputation
  6. Get enrichment data for a domain or IP address: threatstream-get-passive-dns
  7. Import indicators: threatstream-import-indicator-with-approval
  8. Get a list of threat models: threatstream-get-model-list
  9. Get a description of a threat model: threatstream-get-model-description
  10. Get a list of indicators for a threat model: threatstream-get-indicators-by-model
  11. Submit a file or URL for detonation: threatstream-submit-to-sandbox
  12. Get the status of a report: threatstream-get-analysis-status
  13. Get the report of a submitted file or URL: threatstream-analysis-report
  14. Get a list of filtered indicators: threatstream-get-indicators
  15. Add tags to a threat model: threatstream-add-tag-to-model
  16. Create a threat model: threatstream-create-model
  17. Update a threat model: threatstream-update-model
  18. Get a list of supported platforms: threatstream-supported-platforms

1. Get the reputation for an IP address


Checks for and returns the reputation of the given IP address.

Base Command

ip

Input
Argument Name Description Required
ip The IP to check. Required
threshold If the severity is greater than or equal to the threshold, then the IP address will be considered malicious. This argument will override the default threshold defined as a parameter. Optional
include_inactive Whether to include results with the status "Inactive". Default is "True". Optional

Context Output
Path Type Description
DBotScore.Indicator String The indicator that was tested.
DBotScore.Type String The indicator type.
DBotScore.Vendor String Vendor used to calculate the score.
IP.ASN String Autonomous System (AS) number associated with the indicator.
IP.Address String IP address of the indicator.
IP.Geo.Country String Country associated with the indicator.
IP.Geo.Location String Longitude and latitude of the IP address.
ThreatStream.IP.ASN String Autonomous System (AS) number associated with the indicator.
ThreatStream.IP.Address String IP address of the indicator.
ThreatStream.IP.Country String Country associated with the indicator.
ThreatStream.IP.Type String The indicator type.
ThreatStream.IP.Modified String Time when the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time.
ThreatStream.IP.Severity String The indicator severity ("very-high", "high", "medium", or "low".
ThreatStream.IP.Confidence String Level of certainty that an observable is of the reported indicator type. Confidence score can range from 0-100, in increasing order of confidence.
ThreatStream.IP.Status String Status assigned to the indicator.
ThreatStream.IP.Organization String Name of the business that owns the IP address associated with the indicator.
ThreatStream.IP.Source String The source of the indicator.
DBotScore.Score Number The actual score.
IP.Malicious.Vendor String Vendor that reported the indicator as malicious.

Command Example
ip ip=39.41.26.166 using-brand="Anomali ThreatStream v2"
Context Example
{
    "IP": {
        "Geo": {
            "Country": "PK", 
            "Location": "33.6007,73.0679"
        }, 
        "ASN": "45595", 
        "Address": "39.41.26.166"
    }, 
    "DBotScore": {
        "Vendor": "TOR Exit Nodes", 
        "Indicator": "39.41.26.166", 
        "Score": 2, 
        "Type": "ip"
    }, 
    "ThreatStream.IP": {
        "Status": "active", 
        "Confidence": 96, 
        "Severity": "low", 
        "Country": "PK", 
        "Modified": "2019-06-24T10:10:12.289Z", 
        "Source": "TOR Exit Nodes", 
        "Address": "39.41.26.166", 
        "Organization": "PTCL", 
        "Type": "ip", 
        "ASN": "45595"
    }
}
Human Readable Output

IP reputation for: 39.41.26.166

Address Confidence Source Type Status Modified Organization ASN Country Severity
39.41.26.166 96 TOR Exit Nodes ip active 2019-06-24T10:10:12.289Z PTCL 45595 PK low

2. Get the reputation of a domain name


Checks for and returns the reputation of the given domain name.

Base Command

domain

Input
Argument Name Description Required
domain The domain name to check. Required
threshold If severity is greater than or equal to the threshold, then the IP address will be considered malicious. This argument will override the default threshold defined as a parameter. Optional
include_inactive Whether to include results with status of "Inactive". Default is "True". Optional

Context Output
Path Type Description
Domain.Name String The domain name.
Domain.DNS String IPs resolved by DNS.
Domain.WHOIS.CreationDate Date Date the domain was created. The date format is: YYYYMMDDThhmmss. Where "T" denotes the start of the value for time, in UTC time.
Domain.WHOIS.UpdatedDate Date Date the domain was last updated. The date format is: YYYYMMDDThhmmss. Where "T" denotes the start of the value for time, in UTC time.
Domain.WHOIS.Registrant.Name String Name of the registrant.
Domain.WHOIS.Registrant.Email String Email address of the registrant.
Domain.WHOIS.Registrant.Phone String Phone number of the registrant.
ThreatStream.Domain.ASN String Autonomous System (AS) number associated with the indicator.
ThreatStream.Domain.Address String The domain name of the indicator.
ThreatStream.Domain.Country String Country associated with the indicator.
ThreatStream.Domain.Type String The indicator type.
ThreatStream.Domain.Modified String Date and time when the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value
for time, in UTC time.
ThreatStream.Domain.Severity String The indicator severity ("very-high", "high", "medium", "low").
ThreatStream.Domain.Confidence String Level of certainty that an observable is of the reported indicator type. Confidence score can range from 0-100, in increasing order of confidence.
ThreatStream.Domain.Status String Status assigned to the indicator.
ThreatStream.Domain.Organization String Name of the business that owns the IP address associated with the indicator.
ThreatStream.Domain.Source String The source of the indicator.
Domain.Malicious.Vendor String Vendor that reported the indicator as malicious.
DBotScore.Indicator String The indicator that was tested.
DBotScore.Type String The indicator type.
DBotScore.Vendor String Vendor used to calculate the score.
DBotScore.Score Number The actual score.

Command Example
domain domain="microsoftfaq.com" using-brand="Anomali ThreatStream v2" 
Context Example
{
    "ThreatStream.Domain": {
        "Status": "active", 
        "Confidence": 38, 
        "Severity": "high", 
        "Country": null, 
        "Modified": "2019-06-24T08:39:04.644Z", 
        "Source": "Analyst", 
        "Address": "microsoftfaq.com", 
        "Organization": "", 
        "Type": "domain", 
        "ASN": ""
    }, 
    "Domain": {
        "Malicious": {
            "Vendor": "ThreatStream"
        }, 
        "Name": "microsoftfaq.com", 
        "DNS": "127.0.0.1", 
        "WHOIS": {
            "UpdatedDate": "2019-06-24T08:39:04.644Z", 
            "CreationDate": "2019-06-24T08:38:53.246Z", 
            "Registrant": {
                "Phone": "", 
                "Email": "", 
                "Name": "Registrant City:"
            }
        }
    }, 
    "DBotScore": {
        "Vendor": "Analyst", 
        "Indicator": "microsoftfaq.com", 
        "Score": 3, 
        "Type": "domain"
    }
}
Human Readable Output

Domain reputation for: microsoftfaq.com

Address Confidence Source Type Status Modified Organization ASN Country Severity
microsoftfaq.com 38 Analyst domain active 2019-06-24T08:39:04.644Z high

3. Get the reputation of a file


Checks for and returns the reputation of the given MD5 hash of the file.

Base Command

file

Input
Argument Name Description Required
file The MD5 hash of file to check. Required
threshold If severity is greater than or equal to the threshold, then the MD5 hash of file will be considered malicious. This argument will override the default threshold defined as a parameter. Optional
include_inactive Whether to include results with the status "Inactive". Default is "True". Optional

Context Output
Path Type Description
File.MD5 String MD5 hash of the file.
File.Malicious.Vendor String Vendor that reported the indicator as malicious.
DBotScore.Indicator String The indicator that was tested.
DBotScore.Type String The indicator type.
DBotScore.Vendor String Vendor used to calculate the score.
DBotScore.Score Number The actual score.
ThreatStream.File.Severity String The indicator severity ("very-high", "high", "medium", "low").
ThreatStream.File.Confidence String Level of certainty that an observable is of the reported indicator type. Confidence score can range from 0-100, in increasing order of confidence.
ThreatStream.File.Status String Status assigned to the indicator.
ThreatStream.File.Type String The indicator type.
ThreatStream.File.MD5 String The MD5 hash of the indicator.
ThreatStream.File.Modified String Date and time when the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time.
ThreatStream.File.Source String The source of the indicator.

Command Example
file file=07df6c1d9a76d81f191be288d463784b using-brand="Anomali ThreatStream v2"
Context Example
{
    "DBotScore": {
        "Vendor": "URLHaus Hashes", 
        "Indicator": "07df6c1d9a76d81f191be288d463784b", 
        "Score": 2, 
        "Type": "md5"
    }, 
    "ThreatStream.File": {
        "Status": "active", 
        "Confidence": 75, 
        "Severity": "medium", 
        "Modified": "2019-06-24T10:13:27.284Z", 
        "Source": "URLHaus Hashes", 
        "Type": "md5", 
        "MD5": "07df6c1d9a76d81f191be288d463784b"
    }, 
    "File": {
        "MD5": "07df6c1d9a76d81f191be288d463784b"
    }
}
Human Readable Output

MD5 reputation for: 07df6c1d9a76d81f191be288d463784b

Confidence Source Type Status Modified Severity MD5
75 URLHaus Hashes md5 active 2019-06-24T10:13:27.284Z medium 07df6c1d9a76d81f191be288d463784b

4. Get the reputation of a URL


Checks for and returns the reputation of the given URL.

Base Command

url

Input
Argument Name Description Required
url The URL to check. Required
threshold If the severity is greater than or equal to the threshold, then the URL will be considered malicious. This argument will override the default threshold defined as a parameter. Optional
include_inactive Whether to include results with the status "Inactive". Default is "True". Optional

Context Output
Path Type Description
DBotScore.Indicator String The indicator that was tested.
DBotScore.Type String The indicator type.
DBotScore.Vendor String Vendor used to calculate the score.
DBotScore.Score Number The actual score.
URL.Data String The URL of the indicator.
URL.Malicious.Vendor String Vendor that reported the indicator as malicious.
ThreatStream.URL.Modified String Date and time when the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time.
ThreatStream.URL.Confidence String Level of certainty that an observable is of the reported indicator type. Confidence score can range from 0-100, in increasing order of confidence.
ThreatStream.URL.Status String The status of the indicator.
ThreatStream.URL.Organization String Name of the business that owns the IP address associated with the indicator.
ThreatStream.URL.Address String URL of the indicator.
ThreatStream.URL.Country String Country associated with the indicator.
ThreatStream.URL.Type String The indicator type.
ThreatStream.URL.Source String The source of the indicator.
ThreatStream.URL.Severity String The indicator severity ("very-high", "high", "medium", or "low").

Command Example
url url=http://194.147.35.172/mikey.mpsl using-brand="Anomali ThreatStream v2"
Context Example
{
    "URL": {
        "Malicious": {
            "Vendor": "ThreatStream"
        }, 
        "Data": "http://194.147.35.172/mikey.mpsl"
    }, 
    "ThreatStream.URL": {
        "Status": "active", 
        "Confidence": 90, 
        "Severity": "very-high", 
        "Country": "RU", 
        "Modified": "2019-06-24T10:10:05.890Z", 
        "Source": "H3X Tracker", 
        "Address": "http://194.147.35.172/mikey.mpsl", 
        "Organization": "LLC Baxet", 
        "Type": "url"
    }, 
    "DBotScore": {
        "Vendor": "H3X Tracker", 
        "Indicator": "http://194.147.35.172/mikey.mpsl", 
        "Score": 3, 
        "Type": "url"
    }
}
Human Readable Output

URL reputation for: http://194.147.35.172/mikey.mpsl

Address Confidence Source Type Status Modified Organization Country Severity
http://194.147.35.172/mikey.mpsl 90 H3X Tracker url active 2019-06-24T10:10:05.890Z LLC Baxet RU very-high

5. Get the reputation of an email address


Checks for and returns the reputation of the given email address.

Base Command

threatstream-email-reputation

Input
Argument Name Description Required
email The email address to check. Required
threshold If the severity is greater or equal than the threshold, then the IP address will be considered malicious. This argument will override the default threshold defined as a parameter. Optional
include_inactive Whether to include results with the status "Inactive". Default is "True". Optional

Context Output
Path Type Description
DBotScore.Indicator String The tested indicator.
DBotScore.Type String The indicator type.
DBotScore.Vendor String Vendor used to calculate the score.
DBotScore.Score Number The actual score.
ThreatStream.EmailReputation.Severity String The indicator severity ("very-high", "high", "medium", "low").
ThreatStream.EmailReputation.Confidence String Level of certainty that an observable is of the reported indicator type. Confidence score can range from 0-100, in increasing order of confidence.
ThreatStream.EmailReputation.Status String Status assigned to the indicator.
ThreatStream.EmailReputation.Type String The indicator type.
ThreatStream.EmailReputation.Email String The email address of the indicator.
ThreatStream.EmailReputation.Source String The source of the indicator.
ThreatStream.EmailReputation.Modified String Date and time when the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time.

Command Example
threatstream-email-reputation email=goo@test.com
Context Example
{
    "DBotScore": {
        "Vendor": "Anomali Labs Compromised Credentials", 
        "Indicator": "goo@test.com", 
        "Score": 2, 
        "Type": "email"
    }, 
    "ThreatStream.EmailReputation": {
        "Status": "active", 
        "Confidence": 100, 
        "Severity": "low", 
        "Modified": "2019-06-24T09:50:23.810Z", 
        "Source": "Anomali Labs Compromised Credentials", 
        "Type": "email", 
        "Email": "goo@test.com"
    }
}
Human Readable Output

Email reputation for: foo@test.com

Confidence Source Type Status Modified Severity Email
100 Anomali Labs Compromised Credentials email active 2019-06-24T09:50:23.810Z low foo@test.com

6. Get enrichment data for a domain or IP address


Returns enrichment data for a domain or an IP address, for available observables.

Base Command

threatstream-get-passive-dns

Input
Argument Name Description Required
type The type of passive DNS search ("ip", "domain"). Required
value Possible values are "IP" or "Domain". Required
limit Maximum number of results to return. Default is 50. Optional

Context Output
Path Type Description
ThreatStream.PassiveDNS.Domain String The domain value.
ThreatStream.PassiveDNS.Ip String The IP value.
ThreatStream.PassiveDNS.Rrtype String The Rrtype value.
ThreatStream.PassiveDNS.Source String The source value.
ThreatStream.PassiveDNS.FirstSeen String The first seen date. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time.
ThreatStream.PassiveDNS.LastSeen String The last seen date. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time.

Command Example
threatstream-get-passive-dns type=domain value=discoverer.blog
Context Example
{
    "ThreatStream.PassiveDNS": [
        {
            "Domain": "discoverer.blog", 
            "Ip": "184.168.221.52", 
            "Rrtype": "A", 
            "Source": "Spamhaus", 
            "LastSeen": "2019-06-23T08:09:54", 
            "FirstSeen": "2019-06-23T08:09:54"
        }, 
        {
            "Domain": "discoverer.blog", 
            "Ip": "50.63.202.51", 
            "Rrtype": "A", 
            "Source": "Spamhaus", 
            "LastSeen": "2019-06-21T10:33:54", 
            "FirstSeen": "2019-06-21T10:33:54"
        }
    ]
}
Human Readable Output

Passive DNS enrichment data for: discoverer.blog

Domain Ip Rrtype Source FirstSeen LastSeen
discoverer.blog 184.168.221.52 A Spamhaus 2019-06-23T08:09:54 2019-06-23T08:09:54
discoverer.blog 50.63.202.51 A Spamhaus 2019-06-21T10:33:54 2019-06-21T10:33:54

7. Import indicators


Imports indicators (observables) into ThreatStream. Approval of the imported data is required, using the ThreatStream UI. The data can be imported using one of three methods: plain-text, file, or URL. Only one argument can be used.

Base Command

threatstream-import-indicator-with-approval

Input
Argument Name Description Required
confidence The level of certainty that an observable is of the reported indicator type. Default is 50. Optional
classification Denotes whether the indicator data is public or private to the organization. Default is "private". Optional
threat_type Type of threat associated with the imported observables. Default is "exploit". Optional
severity Gauges the potential impact of the indicator type the observable is thought to be associated with. Default is "low". Optional
import_type The import type of the indicator. Required
import_value The source of imported data. Can be one of the following: url, data text of file-id of uploaded file to the War Rroom. Supported formats in case of file-id are: CSV, HTML, IOC, JSON, PDF, TXT. Required

Context Output
Path Type Description
ThreatStream.Import.ImportID String The ID of the imported data.

Command Example
threatstream-import-indicator-with-approval import_type="file-id" import_value=5403@6cf3881e-1cfd-48b5-8fc3-0b9fcfb791f0
Context Example
{
    "File": {
        "EntryID": "5403@6cf3881e-1cfd-48b5-8fc3-0b9fcfb791f0",
        "Extension": "csv",
        "Info": "text/csv; charset=utf-8",
        "MD5": "5b7ed7973e4deb3c98ee3a4bd6d911af",
        "Name": "input.csv",
        "SHA1": "055c5002eb5a4d4abe2eb1768e925bfc3a1a763e",
        "SHA256": "fd16220852b39e2c8fa51766750e3991670766512836212c799c5a0537e3ef8c",
        "SSDeep": "3:Wg8oEIjOH9+KS3qvRBTdRi690oVqzBUGyT0/n:Vx0HgKnTdE6eoVafY8",
        "Size": 102,
        "Type": "UTF-8 Unicode (with BOM) text, with CRLF line terminators\n"
    },
    "ThreatStream": {
        "Import": {
            "ImportID": "894516"
        }
    }
}
Human Readable Output

The data was imported successfully. The ID of imported job is: 894514

8. Get a list of threat models


Returns a list of threat models.

Base Command

threatstream-get-model-list

Input
Argument Name Description Required
model Threat model of the returned list. Required
limit Limits the list of models size. Specifying limit=0 will return up to a maximum of 1,000 models. In case  limit=0 the output won't be set in the context. Optional

Context Output
Path Type Description
ThreatStream.List.Type String The type of threat model.
ThreatStream.List.Name String The name of the threat model.
ThreatStream.List.ID String The ID of the threat model.
ThreatStream.List.CreatedTime String Date and time of threat model creation. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time.

Command Example
threatstream-get-model-list model=actor limit=10
Context Example
{
    "ThreatStream.List": [
        {
            "CreatedTime": "2015-06-29T17:02:01.885011", 
            "Type": "Actor", 
            "ID": 2, 
            "Name": "Pirpi"
        }, 
        {
            "CreatedTime": "2015-06-30T19:20:05.930697", 
            "Type": "Actor", 
            "ID": 3, 
            "Name": "TeamCyberGhost"
        }, 
        {
            "CreatedTime": "2015-07-01T18:10:53.241301", 
            "Type": "Actor", 
            "ID": 4, 
            "Name": "Wekby"
        }, 
        {
            "CreatedTime": "2015-07-01T19:27:06.180602", 
            "Type": "Actor", 
            "ID": 5, 
            "Name": "Axiom"
        }, 
        {
            "CreatedTime": "2015-07-01T19:52:56.019862", 
            "Type": "Actor", 
            "ID": 7, 
            "Name": "Peace (Group) a/k/a C0d0s0"
        }, 
        {
            "CreatedTime": "2015-07-01T19:58:50.741202", 
            "Type": "Actor", 
            "ID": 8, 
            "Name": "Nitro"
        }, 
        {
            "CreatedTime": "2015-07-06T16:06:12.123839", 
            "Type": "Actor", 
            "ID": 9, 
            "Name": "Comment Crew"
        }, 
        {
            "CreatedTime": "2015-07-07T17:40:04.920012", 
            "Type": "Actor", 
            "ID": 10, 
            "Name": "Comfoo"
        }, 
        {
            "CreatedTime": "2015-07-07T18:53:12.331221", 
            "Type": "Actor", 
            "ID": 11, 
            "Name": "Syrian Electronic Army"
        }, 
        {
            "CreatedTime": "2015-07-08T20:59:29.751919", 
            "Type": "Actor", 
            "ID": 12, 
            "Name": "DD4BC"
        }
    ]
}
Human Readable Output

List of Actors

CreatedTime ID Name Type
2015-06-29T17:02:01.885011 2 Pirpi Actor
2015-06-30T19:20:05.930697 3 TeamCyberGhost Actor
2015-07-01T18:10:53.241301 4 Wekby Actor
2015-07-01T19:27:06.180602 5 Axiom Actor
2015-07-01T19:52:56.019862 7 Peace (Group) a/k/a C0d0s0 Actor
2015-07-01T19:58:50.741202 8 Nitro Actor
2015-07-06T16:06:12.123839 9 Comment Crew Actor
2015-07-07T17:40:04.920012 10 Comfoo Actor
2015-07-07T18:53:12.331221 11 Syrian Electronic Army Actor
2015-07-08T20:59:29.751919 12 DD4BC Actor

9. Get a description of a threat model


Returns an HTML file with a description of the threat model.

Base Command

threatstream-get-model-description

Input
Argument Name Description Required
model The threat model. Required
id The ID of the threat model. Required

Context Output
Path Type Description
File.Name String The file name of the model description.
File.EntryID String The entry ID of the model description.

Command Example
threatstream-get-model-description model=campaign id=1406
Context Example
{
    "File": {
        "EntryID": "5384@6cf3881e-1cfd-48b5-8fc3-0b9fcfb791f0",
        "Extension": "html",
        "Info": "text/html; charset=utf-8",
        "MD5": "66eabc1c704fdac429939eb09bc5346f",
        "Name": "campaign_1406.html",
        "SHA1": "69f3dfe8ae037253e782dd201904aa583d83bcd7",
        "SHA256": "49635483962b38a2fd5d50ebbb51b7002ecab3fd23e0f9f99e915f7b33d3f739",
        "SSDeep": "96:XZcBqz4xqHC2AwALc+nvJN7GBoBGK1IW7h:XC40W/tixmoLTh",
        "Size": 3686,
        "Type": "HTML document text, ASCII text, with very long lines, with no line terminators\n"
    }
}

10. Get a list of indicators for a threat model


Returns a list of indicators associated with the specified model and ID of the model.

Base Command

threatstream-get-indicators-by-model

Input
Argument Name Description Required
model The threat model. Required
id The ID of the model. Required
limit Maximum number of results to return. Default is 20. Optional

Context Output
Path Type Description
ThreatStream.Model.ModelType String The type of the threat model.
ThreatStream.Model.ModelID String The ID of the threat model.
ThreatStream.Model.Indicators.Value String The value of indicator associated with the specified model.
ThreatStream.Model.Indicators.ID String The ID of indicator associated with the specified model.
ThreatStream.Model.Indicators.IType String The iType of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Severity String The severity of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Confidence String The confidence of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Country String The country of the indicator associated with the specified model
ThreatStream.Model.Indicators.Organization String The organization of the indicator associated with the specified model.
ThreatStream.Model.Indicators.ASN String The ASN of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Status String The status of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Tags String The tags of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Modified String The date and time the indicator was last modified.
ThreatStream.Model.Indicators.Source String The source of the indicator.
ThreatStream.Model.Indicators.Type String The type of the indicator.

Command Example
threatstream-get-indicators-by-model id=11885 model=incident
Context Example
{
    "ThreatStream.Model": {
        "Indicators": [
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.446", 
                "Value": "417072b246af74647897978902f7d903562e0f6f", 
                "ID": "50117813617", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.455", 
                "Value": "d3c65377d39e97ab019f7f00458036ee0c7509a7", 
                "ID": "50117813616", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.462", 
                "Value": "5f51084a4b81b40a8fcf485b0808f97ba3b0f6af", 
                "ID": "50117813615", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.469", 
                "Value": "220a8eacd212ecc5a55d538cb964e742acf039c6", 
                "ID": "50117813614", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.477", 
                "Value": "a16ef7d96a72a24e2a645d5e3758c7d8e6469a55", 
                "ID": "50117813612", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.485", 
                "Value": "275e76fc462b865fe1af32f5f15b41a37496dd97", 
                "ID": "50117813611", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.493", 
                "Value": "df4b8c4b485d916c3cadd963f91f7fa9f509723f", 
                "ID": "50117813610", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.500", 
                "Value": "66eccea3e8901f6d5151b49bca53c126f086e437", 
                "ID": "50117813609", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.507", 
                "Value": "3d90630ff6c151fc2659a579de8d204d1c2f841a", 
                "ID": "50117813608", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.513", 
                "Value": "a6d14b104744188f80c6c6b368b589e0bd361607", 
                "ID": "50117813607", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.520", 
                "Value": "e3f183e67c818f4e693b69748962eecda53f7f88", 
                "ID": "50117813606", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.527", 
                "Value": "f326479a4aacc2aaf86b364b78ed5b1b0def1fbe", 
                "ID": "50117813605", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.534", 
                "Value": "c4d1fb784fcd252d13058dbb947645a902fc8935", 
                "ID": "50117813604", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.541", 
                "Value": "fb4a4143d4f32b0af4c2f6f59c8d91504d670b41", 
                "ID": "50117813603", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.548", 
                "Value": "400e4f843ff93df95145554b2d574a9abf24653f", 
                "ID": "50117813602", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.555", 
                "Value": "f82d18656341793c0a6b9204a68605232f0c39e7", 
                "ID": "50117813601", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.562", 
                "Value": "c33fe4c286845a175ee0d83db6d234fe24dd2864", 
                "ID": "50117813600", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.569", 
                "Value": "d9294b86b3976ddf89b66b8051ccf98cfae2e312", 
                "ID": "50117813599", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.576", 
                "Value": "9fc71853d3e6ac843bd36ce9297e398507e5b2bd", 
                "ID": "50117813597", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }, 
            {
                "Status": "active", 
                "Confidence": 100, 
                "IType": "mal_md5", 
                "Severity": "very-high", 
                "Tags": "FINSPY,FinSpy,community-threat-briefing,Weaponization", 
                "Country": null, 
                "Modified": "2017-09-25T11:43:54.583", 
                "Value": "c0ad9c242c533effd50b51e94874514a5b9f2219", 
                "ID": "50117813596", 
                "Source": "ThreatStream", 
                "Organization": "", 
                "Type": "md5", 
                "ASN": ""
            }
        ], 
        "ModelType": "Incident", 
        "ModelID": "11885"
    }
}
Human Readable Output

Indicators list for Threat Model Incident with id 11885

IType Value ID Confidence Source Type Status Tags Modified Organization ASN Country Severity
mal_md5 417072b246af74647897978902f7d903562e0f6f 50117813617 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.446 very-high
mal_md5 d3c65377d39e97ab019f7f00458036ee0c7509a7 50117813616 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.455 very-high
mal_md5 5f51084a4b81b40a8fcf485b0808f97ba3b0f6af 50117813615 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.462 very-high
mal_md5 220a8eacd212ecc5a55d538cb964e742acf039c6 50117813614 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.469 very-high
mal_md5 a16ef7d96a72a24e2a645d5e3758c7d8e6469a55 50117813612 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.477 very-high
mal_md5 275e76fc462b865fe1af32f5f15b41a37496dd97 50117813611 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.485 very-high
mal_md5 df4b8c4b485d916c3cadd963f91f7fa9f509723f 50117813610 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.493 very-high
mal_md5 66eccea3e8901f6d5151b49bca53c126f086e437 50117813609 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.500 very-high
mal_md5 3d90630ff6c151fc2659a579de8d204d1c2f841a 50117813608 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.507 very-high
mal_md5 a6d14b104744188f80c6c6b368b589e0bd361607 50117813607 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.513 very-high
mal_md5 e3f183e67c818f4e693b69748962eecda53f7f88 50117813606 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.520 very-high
mal_md5 f326479a4aacc2aaf86b364b78ed5b1b0def1fbe 50117813605 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.527 very-high
mal_md5 c4d1fb784fcd252d13058dbb947645a902fc8935 50117813604 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.534 very-high
mal_md5 fb4a4143d4f32b0af4c2f6f59c8d91504d670b41 50117813603 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.541 very-high
mal_md5 400e4f843ff93df95145554b2d574a9abf24653f 50117813602 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.548 very-high
mal_md5 f82d18656341793c0a6b9204a68605232f0c39e7 50117813601 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.555 very-high
mal_md5 c33fe4c286845a175ee0d83db6d234fe24dd2864 50117813600 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.562 very-high
mal_md5 d9294b86b3976ddf89b66b8051ccf98cfae2e312 50117813599 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.569 very-high
mal_md5 9fc71853d3e6ac843bd36ce9297e398507e5b2bd 50117813597 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.576 very-high
mal_md5 c0ad9c242c533effd50b51e94874514a5b9f2219 50117813596 100 ThreatStream md5 active FINSPY,FinSpy,community-threat-briefing,Weaponization 2017-09-25T11:43:54.583 very-high

11. Submit a file or URL for detonation


Submits a file or URL to the ThreatStream-hosted Sandbox for detonation.

Base Command

threatstream-submit-to-sandbox

Input
Argument Name Description Required
submission_classification Classification of the sandbox submission. Optional
report_platform Platform on which the submitted URL or file will be run. To obtain a list supported platforms run the threatstream-get-sandbox-platforms command. Optional
submission_type The detonation type ("file" or "url"). Required
submission_value The submission value. Possible values are a valid URL or a file ID that was uploaded to the War Room to detonate. Required
premium_sandbox Specifies whether the premium sandbox should be used for detonation. Default is "false". Optional
detail A CSV list of additional details for the indicator. This information is displayed in the Tag column of the ThreatStream UI. Optional

Context Output
Path Type Description
ThreatStream.Analysis.ReportID String The report ID that was submitted to the sandbox.
ThreatStream.Analysis.Status String The analysis status.
ThreatStream.Analysis.Platform String The platform of the submission submitted to the sandbox.

Command Example
threatstream-submit-to-sandbox submission_type=file submission_value=5358@6cf3881e-1cfd-48b5-8fc3-0b9fcfb791f0 premium_sandbox=false report_platform=WINDOWS7
Context Example
{
    "File": {
        "EntryID": "5358@6cf3881e-1cfd-48b5-8fc3-0b9fcfb791f0",
        "Extension": "png",
        "Info": "image/png",
        "MD5": "a36544c75d1253d8dd32070908adebd0",
        "Name": "input_file.png",
        "SHA1": "15868fbe28e34f601b4e07b0f356ecb1f3a14876",
        "SHA256": "5126eb938b3c2dc53837d4805df01c8522a3bd4e5e77e9bc4f825b9ee178e6ab",
        "SSDeep": "98304:pKOjdLh3d35gcNMjnN+FOLEdhVb2t6lLPP9nuyxJ4iQzxKxOduLT/GzxS3UvtT:pHhhvglN+F+GwUlLPP9PxnQzxKxOdEUR",
        "Size": 4938234,
        "Type": "PNG image data, 2572 x 1309, 8-bit/color RGBA, non-interlaced\n"
    },
    "ThreatStream": {
        "Analysis": {
            "Platform": "WINDOWS7",
            "ReportID": 422662,
            "Status": "processing"
        }
    }
}
Human Readable Output

The submission info for 5358@6cf3881e-1cfd-48b5-8fc3-0b9fcfb791f0

ReportID Status Platform
422662 processing WINDOWS7

12. Get the status of a report


Returns the current status of the report that was submitted to the sandbox. The report ID is returned from the threatstream-submit-to-sandbox command.

Base Command

threatstream-get-analysis-status

Input
Argument Name Description Required
report_id Report ID for which to check the status. Required

Context Output
Path Type Description
ThreatStream.Analysis.ReportID String The report ID of the file or URL that was detonated to sandbox.
ThreatStream.Analysis.Status String The report status of the file or URL that was detonated in the sandbox.
ThreatStream.Analysis.Platform String The platform that was used for detonation.
ThreatStream.Analysis.Verdict String The report verdict of the file or URL that was detonated in the sandbox. The verdict will remain "benign" until detonation is complete.

Command Example
threatstream-get-analysis-status report_id=422662
Context Example
{
    "ThreatStream": {
        "Analysis": {
            "Platform": "WINDOWS7",
            "ReportID": "422662",
            "Status": "processing",
            "Verdict": "Benign"
        }
    }
}
Human Readable Output

The analysis status for id 422662

ReportID Status Platform Verdict
422662 processing WINDOWS7 Benign

13. Get the report of a submitted file or URL


Returns the report of a file or URL that was submitted to the sandbox.

Base Command

threatstream-analysis-report

Input
Argument Name Description Required
report_id Report ID to return. Required

Context Output
Path Type Description
ThreatStream.Analysis.ReportID String The ID of the report submitted to the sandbox.
ThreatStream.Analysis.Category String The report category.
ThreatStream.Analysis.Started String Detonation start time.
ThreatStream.Analysis.Completed String Detonation completion time.
ThreatStream.Analysis.Duration Number Duration of the detonation (in seconds).
ThreatStream.Analysis.VmName String The name of the VM.
ThreatStream.Analysis.VmID String The ID of the VM.
ThreatStream.Analysis.Network.UdpSource String The source of UDP.
ThreatStream.Analysis.Network.UdpDestination String The destination of UDP.
ThreatStream.Analysis.Network.UdpPort String The port of the UDP.
ThreatStream.Analysis.Network.IcmpSource String The ICMP source.
ThreatStream.Analysis.Network.IcmpDestination String The destination of ICMP.
ThreatStream.Analysis.Network.IcmpPort String The port of the ICMP.
ThreatStream.Analysis.Network.TcpSource String The source of TCP.
ThreatStream.Analysis.Network.TcpDestination String The destination of TCP.
ThreatStream.Analysis.Network.TcpPort String The port of TCP.
ThreatStream.Analysis.Network.HttpSource String The source of HTTP.
ThreatStream.Analysis.Network.HttpDestinaton String The destination of HTTP.
ThreatStream.Analysis.Network.HttpPort String The port of HTTP.
ThreatStream.Analysis.Network.HttpsSource String The source of HTTPS.
ThreatStream.Analysis.Network.HttpsDestinaton String The destination of HTTPS.
ThreatStream.Analysis.Network.HttpsPort String The port of HTTPS.
ThreatStream.Analysis.Network.Hosts String The hosts of network analysis.
ThreatStream.Analysis.Verdict String The verdict of the sandbox detonation.

Command Example
threatstream-analysis-report report_id=413336
Context Example
{
    "ThreatStream": {
        "Analysis": {
            "Category": "File",
            "Completed": "2019-05-30 14:06:33",
            "Duration": 68,
            "Network": [
                {
                    "UdpDestination": "8.8.8.8",
                    "UdpPort": 53,
                    "UdpSource": "192.168.2.4"
                },
                {
                    "UdpDestination": "192.168.2.4",
                    "UdpPort": 65324,
                    "UdpSource": "8.8.8.8"
                },
                {
                    "UdpDestination": "192.168.2.4",
                    "UdpPort": 54896,
                    "UdpSource": "8.8.8.8"
                }
            ],
            "ReportID": "413336",
            "Started": "2019-05-30 14:05:25",
            "Verdict": "Benign",
            "VmID": "",
            "VmName": ""
        }
    }
}
Human Readable Output

Report 413336 analysis results

Category Started Completed Duration VmName VmID ReportID Verdict
File 2019-05-30 14:05:25 2019-05-30 14:06:33 68 413336 Benign

14. Get a list of filtered indicators


Return filtered indicators from ThreatStream. If a query is defined, it overrides all of the arguments that were passed to the command.

Base Command

threatstream-get-indicators

Input
Argument Name Description Required
query Anomali Observable Search Filter Language query to filter indicators results. If a query is passed as an argument, it overrides all other arguments. Optional
asn Autonomous System (AS) number associated with the indicator. Optional
confidence Level of certainty that an observable
is of the reported indicator type. Confidence scores range from 0-100, in increasing order of confidence, and is assigned by ThreatStream based on several factors.
Optional
country Country associated with the indicator. Optional
created_ts When the indicator was first seen on
the ThreatStream cloud platform. Date must be specified in this format:
YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time.
For example, 2014-10-02T20:44:35.
Optional
id Unique ID for the indicator. Optional
is_public Classification of the indicator. Optional
indicator_severity Severity assigned to the indicator by ThreatStream. Optional
org Registered owner (organization) of the IP address associated with the indicator. Optional
status Status assigned to the indicator. Optional
tags_name Tag assigned to the indicator. Optional
type Type of indicator. Optional
indicator_value Value of the indicator. Optional
limit Maximum number of results to return from ThreatStream. Default is 20. Optional

Context Output
Path Type Description
ThreatStream.Indicators.IType String The indicator type.
ThreatStream.Indicators.Modified String Date and time when the indicator was last updated on the ThreatStream. Format: YYYYMMDDThhmmss, where T denotes the start of the value
for time, in UTC time.
ThreatStream.Indicators.Confidence String Level of certainty that an observable is of the reported indicator type.
ThreatStream.Indicators.Value String The indicator value.
ThreatStream.Indicators.Status String The indicator status.
ThreatStream.Indicators.Organization String Registered owner (organization) of the IP address associated with the indicator.
ThreatStream.Indicators.Country String Country associated with the indicator.
ThreatStream.Indicators.Tags String Tag assigned to the indicator.
ThreatStream.Indicators.Source String The source of the indicator.
ThreatStream.Indicators.ID String The ID of the indicator.
ThreatStream.Indicators.ASN String Autonomous System (AS) number associated with the indicator.
ThreatStream.Indicators.Severity String The severity assigned to the indicator.

Command Example
threatstream-get-indicators type=ip status=active asn=4837 country=CN confidence=84 indicator_severity=medium org="China Unicom Guangxi" limit=5
Context Example
{
    "ThreatStream.Indicators": [
        {
            "Status": "active", 
            "Confidence": 84, 
            "IType": "scan_ip", 
            "Severity": "medium", 
            "Tags": null, 
            "Country": "CN", 
            "Modified": "2019-06-24T10:19:52.077Z", 
            "Value": "121.31.166.99", 
            "ID": 53042398831, 
            "Source": "Anomali Labs MHN", 
            "Organization": "China Unicom Guangxi", 
            "Type": "ip", 
            "ASN": "4837"
        }, 
        {
            "Status": "active", 
            "Confidence": 84, 
            "IType": "scan_ip", 
            "Severity": "medium", 
            "Tags": "port-1433,suricata,TCP", 
            "Country": "CN", 
            "Modified": "2019-06-24T09:51:04.804Z", 
            "Value": "121.31.166.99", 
            "ID": 53042253345, 
            "Source": "Anomali Labs MHN Tagged", 
            "Organization": "China Unicom Guangxi", 
            "Type": "ip", 
            "ASN": "4837"
        }, 
        {
            "Status": "active", 
            "Confidence": 84, 
            "IType": "scan_ip", 
            "Severity": "medium", 
            "Tags": null, 
            "Country": "CN", 
            "Modified": "2019-06-24T06:08:12.585Z", 
            "Value": "182.88.27.168", 
            "ID": 53016547378, 
            "Source": "DShield Scanning IPs", 
            "Organization": "China Unicom Guangxi", 
            "Type": "ip", 
            "ASN": "4837"
        }, 
        {
            "Status": "active", 
            "Confidence": 84, 
            "IType": "scan_ip", 
            "Severity": "medium", 
            "Tags": "AlienVault,OTX", 
            "Country": "CN", 
            "Modified": "2019-06-23T19:38:05.782Z", 
            "Value": "182.91.129.165", 
            "ID": 53038621037, 
            "Source": "Alien Vault OTX Malicious IPs", 
            "Organization": "China Unicom Guangxi", 
            "Type": "ip", 
            "ASN": "4837"
        }, 
        {
            "Status": "active", 
            "Confidence": 84, 
            "IType": "scan_ip", 
            "Severity": "medium", 
            "Tags": null, 
            "Country": "CN", 
            "Modified": "2019-06-23T17:52:51.165Z", 
            "Value": "182.91.129.207", 
            "ID": 52970998522, 
            "Source": "DShield Scanning IPs", 
            "Organization": "China Unicom Guangxi", 
            "Type": "ip", 
            "ASN": "4837"
        }
    ]
}
Human Readable Output

The indicators results

IType Value Confidence ID Source Type Status Tags Modified Organization ASN Country Severity
scan_ip 121.31.166.99 84 53042398831 Anomali Labs MHN ip active 2019-06-24T10:19:52.077Z China Unicom Guangxi 4837 CN medium
scan_ip 121.31.166.99 84 53042253345 Anomali Labs MHN Tagged ip active port-1433,suricata,TCP 2019-06-24T09:51:04.804Z China Unicom Guangxi 4837 CN medium
scan_ip 182.88.27.168 84 53016547378 DShield Scanning IPs ip active 2019-06-24T06:08:12.585Z China Unicom Guangxi 4837 CN medium
scan_ip 182.91.129.165 84 53038621037 Alien Vault OTX Malicious IPs ip active AlienVault,OTX 2019-06-23T19:38:05.782Z China Unicom Guangxi 4837 CN medium
scan_ip 182.91.129.207 84 52970998522 DShield Scanning IPs ip active 2019-06-23T17:52:51.165Z China Unicom Guangxi 4837 CN medium

15. Add tags to a threat model


Add tags to intelligence for purposes of filtering for related entities.

Base Command

threatstream-add-tag-to-model

Input
Argument Name Description Required
model The type of threat model entity on which to add the tag. Default is "intelligence" (indicator). Optional
tags A CSV list of tags applied to the specified threat model entities or observable. Required
model_id The ID of the model on which to add the tag. Required

Context Output

There is no context output for this command.

Command Example
threatstream-add-tag-to-model model=intelligence model_id=51375607503 tags="suspicious,not valid"
Human Readable Output

Added successfully tags: ['suspicious', 'not valid'] to intelligence with 51375607503

16. Create a threat model


Creates a threat model with the specified parameters.

Base Command

threatstream-create-model

Input
Argument Name Description Required
model The type of threat model to create. Required
name The name of the threat model to create. Required
is_public The scope of threat model visibility. Optional
tlp Traffic Light Protocol designation for the threat model. Optional
tags A CSV list of tags. Optional
intelligence A CSV list of indicators IDs associated with the threat model on the ThreatStream platform. Optional
description The description of the threat model. Optional

Context Output
Path Type Description
ThreatStream.Model.ModelType String The type of the threat model.
ThreatStream.Model.ModelID String The ID of the threat model.
ThreatStream.Model.Indicators.Value String The value of indicator associated with the specified model.
ThreatStream.Model.Indicators.ID String The ID of indicator associated with the specified model.
ThreatStream.Model.Indicators.IType String The iType of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Severity String The severity of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Confidence String The confidence of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Country String The country of the indicator associated with the specified model
ThreatStream.Model.Indicators.Organization String The organization of the indicator associated with the specified model.
ThreatStream.Model.Indicators.ASN String The ASN of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Status String The status of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Tags String The tags of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Modified String The date and time the indicator was last modified.
ThreatStream.Model.Indicators.Source String The source of the indicator.
ThreatStream.Model.Indicators.Type String The indicator type.

Command Example
threatstream-create-model model=actor name="New_Created_Actor" description="Description of the actor threat model" intelligence=53042425466,53042425532,53042425520 tags="new actor,test" tlp=red
Context Example
{
    "ThreatStream.Model": {
        "Indicators": [
            {
                "Status": "active", 
                "Confidence": 86, 
                "IType": "suspicious_domain", 
                "Severity": "high", 
                "Tags": "Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech", 
                "Country": "US", 
                "Modified": "2019-06-24T10:51:16.384", 
                "Value": "chatbotshq.com", 
                "ID": "53042425532", 
                "Source": "Analyst", 
                "Organization": "Hostinger International Limited", 
                "Type": "domain", 
                "ASN": "12769"
            }, 
            {
                "Status": "active", 
                "Confidence": 85, 
                "IType": "suspicious_domain", 
                "Severity": "high", 
                "Tags": "Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech", 
                "Country": "US", 
                "Modified": "2019-06-24T10:51:16.589", 
                "Value": "marketshq.com", 
                "ID": "53042425520", 
                "Source": "Analyst", 
                "Organization": "GoDaddy.com, LLC", 
                "Type": "domain", 
                "ASN": "26496"
            }, 
            {
                "Status": "active", 
                "Confidence": 77, 
                "IType": "suspicious_domain", 
                "Severity": "high", 
                "Tags": "Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech", 
                "Country": "US", 
                "Modified": "2019-06-24T10:54:31.318", 
                "Value": "leanomalie.com", 
                "ID": "53042425466", 
                "Source": "Analyst", 
                "Organization": "GoDaddy.com, LLC", 
                "Type": "domain", 
                "ASN": "26496"
            }
        ], 
        "ModelType": "Actor", 
        "ModelID": 26697
    }
}
Human Readable Output

Indicators list for Threat Model Actor with id 26697

IType Value ID Confidence Source Type Status Tags Modified Organization ASN Country Severity
suspicious_domain chatbotshq.com 53042425532 86 Analyst domain active Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech 2019-06-24T10:51:16.384 Hostinger International Limited 12769 US high
suspicious_domain marketshq.com 53042425520 85 Analyst domain active Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech 2019-06-24T10:51:16.589 GoDaddy.com, LLC 26496 US high
suspicious_domain leanomalie.com 53042425466 77 Analyst domain active Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech 2019-06-24T10:54:31.318 GoDaddy.com, LLC 26496 US high

17. Update a threat model


Updates a threat model with specific parameters. If one or more optional parameters are defined, the command overrides previous data stored in ThreatStream.

Base Command

threatstream-update-model

Input
Argument Name Description Required
model The type of threat model to update. Required
model_id The ID of the threat model to update. Required
name The name of the threat model to update. Optional
is_public The scope of threat model visibility. Optional
tlp Traffic Light Protocol designation for the threat model. Optional
tags A CSV list of tags. Optional
intelligence A CSV list of indicators IDs associated with the threat model on the ThreatStream platform. Optional
description The description of the threat model. Optional

Context Output
Path Type Description
ThreatStream.Model.ModelType String The type of threat model.
ThreatStream.Model.ModelID String The ID of the threat model.
ThreatStream.Model.Indicators.Value String The value of the indicator associated with the specified model.
ThreatStream.Model.Indicators.ID String The ID of indicator associated with the specified model.
ThreatStream.Model.Indicators.IType String The iType of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Severity String The severity of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Confidence String The confidence of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Country String The country of the indicator associated with the specified model
ThreatStream.Model.Indicators.Organization String The organization of the indicator associated with the specified model.
ThreatStream.Model.Indicators.ASN String The ASN of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Status String The status of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Tags String The tags of the indicator associated with the specified model.
ThreatStream.Model.Indicators.Modified String The date and time the indicator was last modified.
ThreatStream.Model.Indicators.Source String The source of the inidicator.
ThreatStream.Model.Indicators.Type String The type of the inidicator.

Command Example
threatstream-update-model model=actor model_id=26697 intelligence=53042694591 tags="updated tag,gone"
Context Example
{
    "ThreatStream": {
        "Model": {
            "Indicators": [
                {
                    "ASN": "",
                    "Confidence": 36,
                    "Country": "CA",
                    "ID": "53042694591",
                    "IType": "exploit_ip",
                    "Modified": "2019-06-24T11:28:31.185",
                    "Organization": "OVH Hosting",
                    "Severity": "high",
                    "Source": "Analyst",
                    "Status": "active",
                    "Tags": "HoneyDB",
                    "Type": "ip",
                    "Value": "54.39.20.14"
                }
            ],
            "ModelID": "26697",
            "ModelType": "Actor"
        }
    }
}
Human Readable Output

Indicators list for Threat Model Actor with id 26697

IType Value ID Confidence Source Type Status Tags Modified Organization ASN Country Severity
exploit_ip 54.39.20.14 53042694591 36 Analyst ip active HoneyDB 2019-06-24T11:28:31.185 OVH Hosting CA high

18. Get a list of supported platforms


Returns list of supported platforms for default or premium sandbox

Base Command

threatstream-supported-platforms

Input
Argument Name Description Required
sandbox_type The type of sandbox ("default" or "premium"). Optional

Context Output
Path Type Description
ThreatStream.PremiumPlatforms.Name String Name of the supported platform for premium sandbox.
ThreatStream.PremiumPlatforms.Types String Type of supported submissions for premium sandbox.
ThreatStream.PremiumPlatforms.Label String The display name of the supported platform of premium sandbox.
ThreatStream.DefaultPlatforms.Name String Name of the supported platform for standard sandbox.
ThreatStream.DefaultPlatforms.Types String Type of supported submissions for standard sandbox.
ThreatStream.DefaultPlatforms.Label String The display name of the supported platform of standard sandbox.

Command Example
threatstream-supported-platforms sandbox_type=default
Context Example
{
    "ThreatStream.DefaultPlatforms": [
        {
            "Name": "WINDOWSXP", 
            "Types": [
                "file", 
                "url"
            ], 
            "Label": "Windows XP"
        }, 
        {
            "Name": "WINDOWS7", 
            "Types": [
                "file", 
                "url"
            ], 
            "Label": "Windows 7"
        }, 
        {
            "Name": "ALL", 
            "Types": [
                "file", 
                "url"
            ], 
            "Label": "All"
        }
    ]
}
Human Readable Output

Supported platforms for default sandbox

Name Types Label
WINDOWSXP file,
url
Windows XP
WINDOWS7 file,
url
Windows 7
ALL file,
url
All