ThreatQ v2
A threat intelligence platform that collects and interprets intelligence data from open sources and manages indicator scoring, types, and attributes. This integration was integrated and tested with version xx of ThreatQ v2
Configure ThreatQ v2 on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for ThreatQ v2.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- ThreatQ server URL (e.g. https://192.168.1.136)
- ThreatQ client ID
- Indicator threshold (minimum TQ score to consider the indicator malicious).
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the new instance.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- threatq-search-by-name: threatq-search-by-name
- Check an IP address: ip
- Check a URL: url
- Check a file: file
- Check an email: email
- Check a domain: domain
- Create an indicator: threatq-create-indicator
- Add an attribute: threatq-add-attribute
- Modify an attribute: threatq-modify-attribute
- Link two objects: threatq-link-objects
- Create an adversary: threatq-create-adversary
- Create an event: threatq-create-event
- Get related indicators: threatq-get-related-indicators
- Update an indicator status: threatq-update-status
- Get related events: threatq-get-related-events
- Get related adversaries: threatq-get-related-adversaries
- Upload a file: threatq-upload-file
- Search by Object type and ID: threatq-search-by-id
- Unlink two objects: threatq-unlink-objects
- Delete an object: threatq-delete-object
- Add a source to an object: threatq-add-source
- Delete a source from an object: threatq-delete-source
- Delete an attribute: threatq-delete-attribute
- Edit an adversary: threatq-edit-adversary
- Edit an indicator: threatq-edit-indicator
- Edit an event: threatq-edit-event
- Update a score of an indictor: threatq-update-score
- Download a file to Demisto: threatq-download-file
- Get all indicators: threatq-get-all-indicators:
- Get a list of events: threatq-get-all-events
- Get a list of all adversaries: threatq-get-all-adversaries
- Perform advanced search: threatq-advanced-search
1. Search for object by name
Searches for objects by name in the ThreatQ repository.
Base Command
threatq-search-by-name
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the object to search. | Required |
| limit | The maximum number of records to retrieve. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Indicator.ID | Number | The ID of the Indicator. |
| ThreatQ.Indicator.Value | String | The value of the Indicator. |
| ThreatQ.Event.ID | Number | The ID of the Event. |
| ThreatQ.Event.Title | String | The title of the Event. |
| ThreatQ.Adversary.ID | Number | The ID of the Adversary. |
| ThreatQ.Adversary.Name | String | The name of the Adversary. |
Command Example
!threatq-search-by-name name=test limit=6
Human Readable Output
2. Check an IP address
Checks the reputation of an IP address in ThreatQ.
Base Command
ip
Input
| Argument Name | Description | Required |
|---|---|---|
| ip | The IP address to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The value of the indicator. |
| DBotScore.Type | String | The type of the indicator. |
| DBotScore.Vendor | String | The vendor of the indicator. |
| DBotScore.Score | Number | The DBot Score of the indicator. |
| IP.Address | String | The IP Address. |
| IP.Malicious.Vendor | String | The IP address of the Vendor. |
| IP.Malicious.Description | String | The description of the Malicious IP address. |
| ThreatQ.Indicator.ID | Number | The ID of the Indicator. |
| ThreatQ.Indicator.Value | String | The value of the indicator. |
| ThreatQ.Indicator.Source.ID | Number | The source ID of the indicator. |
| ThreatQ.Indicator.Source.Name | String | The source name of the indicator. |
| ThreatQ.Indicator.Attribute.ID | Number | The attribute ID of the indicator. |
| ThreatQ.Indicator.Attribute.Value | String | The attribute value of the indicator. |
| ThreatQ.Indicator.Attribute.Name | String | The attribute name of the indicator. |
| ThreatQ.Indicator.CreatedAt | Date | The creation date of the indicator. |
| ThreatQ.Indicator.UpdatedAt | Date | The last update date of the indicator. |
| ThreatQ.Indicator.Status | String | The status of the indicator. |
| ThreatQ.Indicator.TQScore | Number | The ThreatQ score of the indicator. |
| ThreatQ.Indicator.Description | String | The description of the indicator. |
| ThreatQ.Indicator.Type | String | The type of the indicator. |
Command Example
!ip ip=91.140.64.113
Human Readable Output
3. Check a URL
Checks the reputation of a URL in ThreatQ.
Base Command
url
Input
| Argument Name | Description | Required |
|---|---|---|
| url | The URL to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The value of the indicator. |
| DBotScore.Type | String | The type of the indicator. |
| DBotScore.Vendor | String | The vendor of the indicator. |
| DBotScore.Score | Number | The DBot Score of the indicator. |
| URL.Data | String | The URL. |
| URL.Malicious.Vendor | String | The vendor of the malicious URL. |
| URL.Malicious.Description | String | The description of the malicious URL. |
| ThreatQ.Indicator.ID | Number | The ID of the indicator. |
| ThreatQ.Indicator.Value | String | The value of the indicator. |
| ThreatQ.Indicator.Source.ID | Number | The source of the indicator. |
| ThreatQ.Indicator.Source.Name | String | The source of the indicator. |
| ThreatQ.Indicator.Attribute.ID | Number | The attribute ID of the indicator. |
| ThreatQ.Indicator.Attribute.Value | String | The attribute value of the indicator. |
| ThreatQ.Indicator.Attribute.Name | String | The attribute name of the indicator. |
| ThreatQ.Indicator.CreatedAt | Date | The creation date of the indicator. |
| ThreatQ.Indicator.UpdatedAt | Date | The last update date of the indicator. |
| ThreatQ.Indicator.Status | String | The status of the indicator. |
| ThreatQ.Indicator.TQScore | Number | The ThreatQ score of the indicator. |
| ThreatQ.Indicator.Description | String | The description of the indicator. |
| ThreatQ.Indicator.Type | String | The type of the indicator. |
Command Example
!url url=https://www.paloaltonetworks.com/
Human Readable Output
4. Check a file
Checks the reputation of a file in ThreatQ.
Base Command
file
Input
| Argument Name | Description | Required |
|---|---|---|
| file | The MD5, SHA-1 or SHA-256 file to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The value of the indicator. |
| DBotScore.Type | String | The type of the indicator. |
| DBotScore.Vendor | String | The vendor of the indicator. |
| DBotScore.Score | Number | The DBot Score of the indicator. |
| File.Name | String | The name of the file. |
| File.MD5 | String | The MD5 of the file. |
| File.SHA1 | String | The SHA1 of the file. |
| File.SHA256 | String | The SHA256 of the file. |
| File.SHA512 | String | The SHA512 of the file. |
| File.Path | String | The path of the file. |
| File.Malicious.Vendor | String | The vendor of the malicious file. |
| File.Malicious.Description | String | The description of the malicious file. |
| ThreatQ.Indicator.ID | Number | The ID of the indicator. |
| ThreatQ.Indicator.Value | String | The value of the indicator. |
| ThreatQ.Indicator.Source.ID | Number | The source ID of the indicator. |
| ThreatQ.Indicator.Source.Name | String | The source name of the indicator. |
| ThreatQ.Indicator.Attribute.ID | Number | The attribute ID of the indicator. |
| ThreatQ.Indicator.Attribute.Value | String | The attribute value of the indicator. |
| ThreatQ.Indicator.Attribute.Name | String | The attribute name of the indicator. |
| ThreatQ.Indicator.CreatedAt | Date | The creation date of the indicator. |
| ThreatQ.Indicator.UpdatedAt | Date | The last update date of the indicator. |
| ThreatQ.Indicator.Status | String | The status of the indicator. |
| ThreatQ.Indicator.TQScore | Number | The ThreatQ score of the indicator. |
| ThreatQ.Indicator.Description | String | The description of the indicator. |
| ThreatQ.Indicator.Type | String | The type of the indicator. |
Command Example
!file file=a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
Human Readable Output
5. Check an email
Checks the reputation of an email in ThreatQ.
Base Command
email
Input
| Argument Name | Description | Required |
|---|---|---|
| The email address to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The value of the indicator. |
| DBotScore.Type | String | The type of the indicator. |
| DBotScore.Vendor | String | The vendor of the indicator. |
| DBotScore.Score | Number | The DBot Score of the indicator. |
| Account.Email.Address | String | The Email Address. |
| Account.Malicious.Vendor | String | The vendor of the malicious account. |
| Account.Malicious.Description | String | The description of the malicious account. |
| ThreatQ.Indicator.ID | Number | The ID of the indicator. |
| ThreatQ.Indicator.Value | String | The value of the indicator. |
| ThreatQ.Indicator.Source.ID | Number | The source ID of the indicator. |
| ThreatQ.Indicator.Source.Name | String | The source name of the indicator. |
| ThreatQ.Indicator.Attribute.ID | Number | The attribute ID of the indicator. |
| ThreatQ.Indicator.Attribute.Value | String | The attribute value of the indicator. |
| ThreatQ.Indicator.Attribute.Name | String | The attribute name of the indicator. |
| ThreatQ.Indicator.CreatedAt | Date | The creation date of the indicator. |
| ThreatQ.Indicator.UpdatedAt | Date | The last update date of the indicator. |
| ThreatQ.Indicator.Status | String | The status of the indicator. |
| ThreatQ.Indicator.TQScore | Number | The ThreatQ score of the indicator. |
| ThreatQ.Indicator.Description | String | The description of the indicator. |
| ThreatQ.Indicator.Type | String | The type of the indicator. |
Command Example
!email email=example.gmail.com
Human Readable Output
6. Check a domain
Checks the reputation of a domain in ThreatQ.
Base Command
domain
Input
| Argument Name | Description | Required |
|---|---|---|
| domain | The domain or FQDN to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The value of the indicator. |
| DBotScore.Vendor | String | The vendor of the indicator. |
| DBotScore.Type | String | The type of the indicator. |
| DBotScore.Score | Number | The DBot Score of the indicator. |
| Domain.Name | String | The name of the domain. |
| Domain.Malicious.Vendor | String | The vendor of the malicious domain. |
| Domain.Malicious.Description | String | The description of the malicious domain. |
| ThreatQ.Indicator.ID | Number | The ID of the indicator. |
| ThreatQ.Indicator.Value | String | The value of the indicator. |
| ThreatQ.Indicator.Source.ID | Number | The source ID of the indicator. |
| ThreatQ.Indicator.Source.Name | String | The source name of the indicator. |
| ThreatQ.Indicator.Attribute.ID | Number | The attribute ID of the indicator. |
| ThreatQ.Indicator.Attribute.Value | String | The attribute value of the indicator. |
| ThreatQ.Indicator.Attribute.Name | String | The attribute name of the indicator. |
| ThreatQ.Indicator.CreatedAt | Date | The creation date of the indicator. |
| ThreatQ.Indicator.UpdatedAt | Date | The last update date of the indicator. |
| ThreatQ.Indicator.Status | String | The status of the indicator. |
| ThreatQ.Indicator.TQScore | Number | The ThreatQ score of the indicator. |
| ThreatQ.Indicator.Description | String | The description of the indicator. |
| ThreatQ.Indicator.Type | String | The type of the indicator. |
Command Example
!domain domain=www.testdomain.com
Human Readable Output
7. Create an indicator
Creates a new indicator in ThreatQ.
Base Command
threatq-create-indicator
Input
| Argument Name | Description | Required |
|---|---|---|
| type | The type of indicator, such as email address, IP address, Registry key, binary string, and so on. | Required |
| status | The status of the indicator. Can be: "Active", "Expired", "Indirect", "Review", or "Whitelisted". | Required |
| value | The value of the indicator. | Required |
| sources | List of Sources names, separated by commas. | Optional |
| attributes_names | Attributes names list, separated by commas. The i-th element in the attributes names list corresponds to the i-th element in the attributes values list. | Optional |
| attributes_values | Attributes values list, separated by commas. The i-th element in the attributes values list corresponds to the i-th element in the attributes names list. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Indicator.ID | Number | The ID of the indicator. |
| ThreatQ.Indicator.Value | String | The value of the indicator. |
| ThreatQ.Indicator.Source.ID | Number | The source ID of the indicator. |
| ThreatQ.Indicator.Source.Name | String | The source name of the indicator. |
| ThreatQ.Indicator.Attribute.ID | Number | The attribute ID of the indicator. |
| ThreatQ.Indicator.Attribute.Value | String | The attribute value of the indicator. |
| ThreatQ.Indicator.Attribute.Name | String | The attribute name of the indicator. |
| ThreatQ.Indicator.CreatedAt | Date | The creation date of the indicator. |
| ThreatQ.Indicator.UpdatedAt | Date | The last update date of the indicator. |
| ThreatQ.Indicator.Status | String | The status of the indicator. |
| ThreatQ.Indicator.TQScore | Number | The ThreatQ score of the indicator. |
| ThreatQ.Indicator.Description | String | The description of the indicator. |
| ThreatQ.Indicator.Type | String | The type of the indicator. |
Command Example
!threatq-create-indicator value=232.12.34.135 status=Review type="IP Address" attributes_names=TestAttr1,TestAttr2 attributes_values=Val1,Val2 sources=arian@demisto.com
Human Readable Output
8. Add an attribute
Adds an attribute to an object in ThreatQ.
Base Command
threatq-add-attribute
Input
| Argument Name | Description | Required |
|---|---|---|
| name | The name of the attribute to add. | Required |
| value | The value of the attribute to add. | Required |
| obj_type | The type of the object to add. Can be: "indicator", "event", "adversary", or "attachment". | Required |
| obj_id | The ID of the Object. | Required |
Context Output
There are no context output for this command.
Command Example
!threatq-add-attribute obj_type=indicator obj_id=173317 name=TestAttr3 value=Val3
Human Readable Output
9. Modify an attribute
Modifies an attribute for an object in ThreatQ.
Base Command
threatq-modify-attribute
Input
| Argument Name | Description | Required |
|---|---|---|
| obj_type | The type of the object. Can be: "indicator", "event", "adversary", or "attachment". | Required |
| obj_id | The ID of the object. | Required |
| attribute_id | The ID of the attribute to modify. | Required |
| attribute_value | The new value of the attribute. | Required |
Command Example
!threatq-modify-attribute attribute_id=996895 attribute_value=NewVal obj_id=173317 obj_type=indicator
Human Readable Output
10. Link two objects
Links two objects together in ThreatQ.
Base Command
threatq-link-objects
Input
| Argument Name | Description | Required |
|---|---|---|
| obj1_id | The ID of the first object. | Required |
| obj2_id | The ID of the second object. | Required |
| obj1_type | The type of the first object. Can be: "indicator", "adversary", or "event". | Required |
| obj2_type | The type of the second object. Can be: "indicator", "adversary", or "event". | Required |
Command Example
!threatq-link-objects obj1_id=173317 obj1_type=indicator obj2_id=1 obj2_type=adversary
Human Readable Output
11. Create an adversary
Creates a new adversary in ThreatQ.
Base Command
threatq-create-adversary
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the adversary to create. | Required |
| sources | List of sources names, separated by commas. | Optional |
| attributes_names | List of attributes names, separated by commas. The i-th element in the attributes names list corresponds to the i-th element in the attributes values list. | Optional |
| attributes_values | List of attributes values, separated by commas. The i-th element in the attributes values list corresponds to the i-th element in the attributes names list. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Adversary.Name | string | The name of the adversary. |
| ThreatQ.Adversary.ID | number | The ID of the adversary. |
| ThreatQ.Adversary.Source.ID | number | The source ID of the adversary. |
| ThreatQ.Adversary.Source.Name | string | The source name of the adversary. |
| ThreatQ.Adversary.Attribute.ID | number | The ID of the adversary's attribute. |
| ThreatQ.Adversary.Attribute.Name | string | The name of the adversary's attribute. |
| ThreatQ.Adversary.Attribute.Value | string | The value of the adversary's attribute. |
| ThreatQ.Adversary.UpdatedAt | date | The creation date of the adversary. |
| ThreatQ.Adversary.CreatedAt | date | The last update date of the adversary. |
Command Example
!threatq-create-adversary name="Reut Shalem"
Human Readable Output
12. Create an event
Creates a new event in ThreatQ.
Base Command
threatq-create-event
Input
| Argument Name | Description | Required |
|---|---|---|
| title | Title of the event. | Required |
| type | The type of the event, such as malware, watchlist, command and control, and so on. | Required |
| date | Date that event happened. Can be: YYYY-mm-dd HH:MM:SS, YYYY-mm-dd | Required |
| sources | List of sources names, separated by commas. | Optional |
| attributes_names | List of attributes names, separated by commas. The i-th element in the attributes names list corresponds to the i-th element in the attributes values list. | Optional |
| attributes_values | List of attributes values, separated by commas. The i-th element in the attributes values list corresponds to the i-th element in the attributes names list. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Event.ID | number | The ID of the event. |
| ThreatQ.Event.Source.ID | number | The source ID of the event. |
| ThreatQ.Event.Source.Name | string | The source name of the event. |
| ThreatQ.Event.Attribute.ID | number | The ID of the event attribute. |
| ThreatQ.Event.Attribute.Name | string | The name of the event attribute. |
| ThreatQ.Event.Attribute.Value | string | The attribute value of the event. |
| ThreatQ.Event.UpdatedAt | date | The last update date of the event. |
| ThreatQ.Event.CreatedAt | date | The creation date of the event. |
| ThreatQ.Event.Type | string | The type of the event. |
| ThreatQ.Event.Description | string | The description of the event. |
| ThreatQ.Event.Title | string | The title of the event. |
| ThreatQ.Event.Occurred | date | The date of the event that happened. |
Command Example
!threatq-create-event date="2019-09-30 20:00:00" title="Offra Alta" type=Incident
Human Readable Output
13. Get related indicators
Retrieves related indicators for an object in ThreatQ.
Base Command
threatq-get-related-indicators
Input
| Argument Name | Description | Required |
|---|---|---|
| obj_id | The ID of the object. | Required |
| obj_type | The type of the object. Can be: "indicator", "event", or "adversary". | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Indicator.RelatedIndicator.ID | number | The ID of the related indicator. |
| ThreatQ.Indicator.RelatedIndicator.Source.ID | number | The source ID of the related indicator. |
| ThreatQ.Indicator.RelatedIndicator.Source.Name | string | The source name of the related indicator. |
| ThreatQ.Indicator.RelatedIndicator.Attribute.ID | number | The attribute ID of the related indicator. |
| ThreatQ.Indicator.RelatedIndicator.Attribute.Name | string | The attribute name of the related indicator. |
| ThreatQ.Indicator.RelatedIndicator.Attribute.Value | string | The attribute value of the related indicator. |
| ThreatQ.Indicator.RelatedIndicator.UpdatedAt | date | The last update date of the related indicator. |
| ThreatQ.Indicator.RelatedIndicator.CreatedAt | date | The creation date of the related indicator. |
| ThreatQ.Indicator.RelatedIndicator.Type | string | The type of the related indicator. |
| ThreatQ.Indicator.RelatedIndicator.Description | string | The description of the related indicator. |
| ThreatQ.Indicator.RelatedIndicator.Value | string | The value of the related indicator. |
| ThreatQ.Indicator.RelatedIndicator.Status | string | The status of the related indicator. |
| ThreatQ.Indicator.RelatedIndicator.TQScore | number | The ThreatQ score of the related indicator. |
| ThreatQ.Indicator.ID | number | The ID of the indicator. |
| ThreatQ.Event.RelatedIndicator.ID | number | The ID of the related indicator. |
| ThreatQ.Event.RelatedIndicator.Source.ID | number | The source ID of the related indicator. |
| ThreatQ.Event.RelatedIndicator.Source.Name | string | The source name of the related indicator. |
| ThreatQ.Event.RelatedIndicator.Attribute.ID | number | The attribute ID of the related indicator. |
| ThreatQ.Event.RelatedIndicator.Attribute.Name | string | The attribute name of the related indicator. |
| ThreatQ.Event.RelatedIndicator.Attribute.Value | string | The attribute value of the related indicator. |
| ThreatQ.Event.RelatedIndicator.UpdatedAt | date | The last update date of the related indicator. |
| ThreatQ.Event.RelatedIndicator.CreatedAt | date | The creation date of the related indicator. |
| ThreatQ.Event.RelatedIndicator.Type | string | The type of the related indicator. |
| ThreatQ.Event.RelatedIndicator.Description | string | The description of the related indicator. |
| ThreatQ.Event.RelatedIndicator.Value | string | The value of the related indicator. |
| ThreatQ.Event.RelatedIndicator.Status | string | The status of the related indicator. |
| ThreatQ.Event.RelatedIndicator.TQScore | number | The ThreatQ score of the related indicator. |
| ThreatQ.Event.ID | number | ID of the Event. |
| ThreatQ.Adversary.RelatedIndicator.ID | number | ID of the related indicator. |
| ThreatQ.Adversary.RelatedIndicator.Source.ID | number | Source ID of the related indicator. |
| ThreatQ.Adversary.RelatedIndicator.Source.Name | string | Source name of the related indicator. |
| ThreatQ.Adversary.RelatedIndicator.Attribute.ID | number | ID attribute of the related indicator. |
| ThreatQ.Adversary.RelatedIndicator.Attribute.Name | string | Attribute name of the related indicator. |
| ThreatQ.Adversary.RelatedIndicator.Attribute.Value | string | Attribute value of the related indicator. |
| ThreatQ.Adversary.RelatedIndicator.UpdatedAt | date | The last update date of the related indicator. |
| ThreatQ.Adversary.RelatedIndicator.CreatedAt | date | The creation date of the related indicator. |
| ThreatQ.Adversary.RelatedIndicator.Type | string | The type of the related indicator. |
| ThreatQ.Adversary.RelatedIndicator.Description | string | Description of the related indicator. |
| ThreatQ.Adversary.RelatedIndicator.Value | string | The value of the related indicator. |
| ThreatQ.Adversary.RelatedIndicator.Status | string | The status of the related indicator. |
| ThreatQ.Adversary.RelatedIndicator.TQScore | number | The ThreatQ score of the related indicator. |
| ThreatQ.Adversary.ID | number | ID of the Adversary. |
Command Example
!threatq-get-related-indicators obj_id=1 obj_type=adversary
Human Readable Output
14. Update an indicator status
Updates an indicator status in ThreatQ.
Base Command
threatq-update-status
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The ID of the indicator. | Required |
| status | The new status of the indicator. Can be: "Active", "Expired", "Indirect", "Review", or "Whitelisted". | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Indicator.ID | Number | ID of the indicator. |
| ThreatQ.Indicator.Status | String | Status of the indicator. |
Command Example
!threatq-update-status id=173317 status=Whitelisted
Human Readable Output
15. Get related events
Retrieves related events of an object in ThreatQ.
Base Command
threatq-get-related-events
Input
| Argument Name | Description | Required |
|---|---|---|
| obj_id | ID of the object. | Required |
| obj_type | The type of the object. Can be: "indicator", "event", or "adversary". | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Indicator.RelatedEvent.ID | number | ID of the related event. |
| ThreatQ.Indicator.RelatedEvent.Source.ID | number | Source ID of the related event. |
| ThreatQ.Indicator.RelatedEvent.Source.Name | string | Source name of the related event. |
| ThreatQ.Indicator.RelatedEvent.Attribute.ID | number | The attribute ID of the related event. |
| ThreatQ.Indicator.RelatedEvent.Attribute.Name | string | The attribute name of the related event. |
| ThreatQ.Indicator.RelatedEvent.Attribute.Value | string | The attribute value of the related event. |
| ThreatQ.Indicator.RelatedEvent.UpdatedAt | date | The last update date of the related event. |
| ThreatQ.Indicator.RelatedEvent.CreatedAt | date | The creation date of the related event. |
| ThreatQ.Indicator.RelatedEvent.Description | string | Description of the related event. |
| ThreatQ.Indicator.RelatedEvent.Title | string | The title of the related event. |
| ThreatQ.Indicator.RelatedEvent.Occurred | date | The date of occurrence of the related event. |
| ThreatQ.Indicator.RelatedEvent.Type | string | The type of the related event. |
| ThreatQ.Indicator.ID | number | The ID of the Indicator. |
| ThreatQ.Event.RelatedEvent.ID | number | The ID of the related event. |
| ThreatQ.Event.RelatedEvent.Source.ID | number | The source ID of the related event. |
| ThreatQ.Event.RelatedEvent.Source.Name | string | The source name of the related event. |
| ThreatQ.Event.RelatedEvent.Attribute.ID | number | The attribute ID of the related event. |
| ThreatQ.Event.RelatedEvent.Attribute.Name | string | The attribute name of the related event. |
| ThreatQ.Event.RelatedEvent.Attribute.Value | string | The attribute value of the related event. |
| ThreatQ.Event.RelatedEvent.UpdatedAt | date | The last update date of the related event. |
| ThreatQ.Event.RelatedEvent.CreatedAt | date | The creation date of the related event. |
| ThreatQ.Event.RelatedEvent.Description | string | The description of the related event. |
| ThreatQ.Event.RelatedEvent.Title | string | The title of the related event. |
| ThreatQ.Event.RelatedEvent.Occurred | date | The date of occurrence of the related event. |
| ThreatQ.Event.RelatedEvent.Type | string | The type of the related event. |
| ThreatQ.Event.ID | number | The ID of the Event. |
| ThreatQ.Adversary.RelatedEvent.ID | number | The ID of the related event. |
| ThreatQ.Adversary.RelatedEvent.Source.ID | number | The source ID of the related event. |
| ThreatQ.Adversary.RelatedEvent.Source.Name | string | The source name of the related event. |
| ThreatQ.Adversary.RelatedEvent.Attribute.ID | number | The attribute ID of the of the related event. |
| ThreatQ.Adversary.RelatedEvent.Attribute.Name | string | The attribute name of the related event. |
| ThreatQ.Adversary.RelatedEvent.Attribute.Value | string | The attribute value of the related event. |
| ThreatQ.Adversary.RelatedEvent.UpdatedAt | date | The last update date of the related event. |
| ThreatQ.Adversary.RelatedEvent.CreatedAt | date | The creation date of the related event. |
| ThreatQ.Adversary.RelatedEvent.Description | string | The description of the related event. |
| ThreatQ.Adversary.RelatedEvent.Title | string | The title of the related event. |
| ThreatQ.Adversary.RelatedEvent.Occurred | date | The date of occurrence of the related event. |
| ThreatQ.Adversary.RelatedEvent.Type | string | The type of the related event. |
| ThreatQ.Adversary.ID | number | ID of the Adversary. |
Command Example
!threatq-get-related-events obj_id=1 obj_type=adversary
Human Readable Output
16. Get related adversaries
Retrieve related adversaries from an object in ThreatQ.
Base Command
threatq-get-related-adversaries
Input
| Argument Name | Description | Required |
|---|---|---|
| obj_id | ID of the object. | Required |
| obj_type | The type of the object. Can be: "indicator", "event", or "adversary". | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Indicator.RelatedAdversary.ID | number | ID of the related adversary. |
| ThreatQ.Indicator.RelatedAdversary.Source.ID | number | Source ID of the related adversary. |
| ThreatQ.Indicator.RelatedAdversary.Source.Name | string | The Source name of the related adversary. |
| ThreatQ.Indicator.RelatedAdversary.Attribute.ID | number | The attribute ID of the related adversary. |
| ThreatQ.Indicator.RelatedAdversary.Attribute.Name | string | The attribute name of the related adversary. |
| ThreatQ.Indicator.RelatedAdversary.Attribute.Value | string | The attribute value of the related adversary. |
| ThreatQ.Indicator.RelatedAdversary.UpdatedAt | date | The last update date of the related adversary. |
| ThreatQ.Indicator.RelatedAdversary.CreatedAt | date | The creation date of the related adversary. |
| ThreatQ.Indicator.RelatedAdversary.Name | string | The name of the related adversary. |
| ThreatQ.Indicator.ID | number | The ID of the Indicator. |
| ThreatQ.Event.RelatedAdversary.ID | number | The ID of the related adversary. |
| ThreatQ.Event.RelatedAdversary.Source.ID | number | The source ID of the related adversary. |
| ThreatQ.Event.RelatedAdversary.Source.Name | string | The source name of the related adversary. |
| ThreatQ.Event.RelatedAdversary.Attribute.ID | number | The attribute ID of the related adversary. |
| ThreatQ.Event.RelatedAdversary.Attribute.Name | string | The Attribute name of the related adversary. |
| ThreatQ.Event.RelatedAdversary.Attribute.Value | string | The attribute value of the related adversary. |
| ThreatQ.Event.RelatedAdversary.UpdatedAt | date | The last update date of the related adversary. |
| ThreatQ.Event.RelatedAdversary.CreatedAt | date | The creation date of the related adversary. |
| ThreatQ.Event.RelatedAdversary.Name | string | The name of the related adversary. |
| ThreatQ.Event.ID | number | The ID of the Event. |
| ThreatQ.Adversary.RelatedAdversary.ID | number | The ID of the Related adversary. |
| ThreatQ.Adversary.RelatedAdversary.Source.ID | number | The source ID of the related adversary. |
| ThreatQ.Adversary.RelatedAdversary.Source.Name | string | The source name of the related adversary. |
| ThreatQ.Adversary.RelatedAdversary.Attribute.ID | number | The attribute ID of the related adversary. |
| ThreatQ.Adversary.RelatedAdversary.Attribute.Name | string | The attribute name of the related adversary. |
| ThreatQ.Adversary.RelatedAdversary.Attribute.Value | string | The attribute value of the related adversary. |
| ThreatQ.Adversary.RelatedAdversary.UpdatedAt | date | The last update date of the related adversary. |
| ThreatQ.Adversary.RelatedAdversary.CreatedAt | date | The creation date of the related adversary. |
| ThreatQ.Adversary.RelatedAdversary.Name | string | The name of the related adversary. |
| ThreatQ.Adversary.ID | number | The ID of the Adversary. |
Command Example
!threatq-get-related-adversaries obj_id=1 obj_type=adversary
Human Readable Output
17. Upload a-file
Uploads a file to ThreatQ.
Base Command
threatq-upload-file
Input
| Argument Name | Description | Required |
|---|---|---|
| entry_id | The file entry ID in Demisto. | Required |
| file_category | Category of the file, such as CrowdStrike Intelligence, FireEye Analysis, PDF, and so on. | Required |
| malware_safety_lock | Zips malware files for safer downloading. Can be: "on", or "off". Default is off. | Optional |
| title | Title of the File. Default is the file name. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.File.CreatedAt | Date | Date of the file upload. |
| ThreatQ.File.Size | Number | Size (in bytes) of the file. |
| ThreatQ.File.MD5 | String | The MD5 of the file. |
| ThreatQ.File.ID | Number | The File ID in ThreatQ. |
| ThreatQ.File.Name | String | The name of the File. |
| ThreatQ.File.Title | String | The title of the file. |
| ThreatQ.File.UpdatedAt | Date | The last update of the file. |
| ThreatQ.File.MalwareLocked | Number | Whether malware files are zipped. |
| ThreatQ.File.ContentType | String | The content type of the file. |
| ThreatQ.File.Category | String | The type of the file. |
| ThreatQ.File.Source.ID | Number | The source of the file. |
| ThreatQ.File.Source.Name | String | The source name of the file. |
| ThreatQ.File.Attribute.ID | Number | The attribute ID of the file. |
| ThreatQ.File.Attribute.Name | String | The attribute name of the file. |
| ThreatQ.File.Attribute.Value | String | The attribute value of the file. |
Command Example
!threatq-upload-file entry_id=5379@9da8d636-cf30-42c2-8263-d09f5268be8a file_category="Generic Text" title="File Title"
Human Readable Output
18. Search by Object type and ID
Searches for an object by object type and ID.
Base Command
threatq-search-by-id
Input
| Argument Name | Description | Required |
|---|---|---|
| obj_type | The type of the object. Can be: "indicator", "event", "attachment" or "adversary". | Required |
| obj_id | The ID of the Object. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Indicator.ID | number | ID of the indicator. |
| ThreatQ.Indicator.Source.ID | number | Source ID of the indicator. |
| ThreatQ.Indicator.Source.Name | string | Source name of the indicator. |
| ThreatQ.Indicator.Attribute.ID | number | Attribute ID of the indicator. |
| ThreatQ.Indicator.Attribute.Name | string | Attribute name of the indicator. |
| ThreatQ.Indicator.Attribute.Value | string | Attribute value of the indicator. |
| ThreatQ.Indicator.CreatedAt | date | Creation date of the indicator. |
| ThreatQ.Indicator.UpdatedAt | date | Last update date of the indicator. |
| ThreatQ.Indicator.Description | string | Description of the indicator. |
| ThreatQ.Indicator.Value | string | The value of the indicator. |
| ThreatQ.Indicator.Status | string | The status of indicator. |
| ThreatQ.Indicator.Type | string | The type of the indicator. For example, IP Address. |
| ThreatQ.Indicator.TQScore | number | The ThreatQ Score of the indicator. |
| ThreatQ.Event.ID | number | The ID of the indicator. |
| ThreatQ.Event.Source.ID | number | The source ID of the indicator. |
| ThreatQ.Event.Source.Name | string | The source name of the indicator. |
| ThreatQ.Event.Attribute.ID | number | The attribute ID of the indicator. |
| ThreatQ.Event.Attribute.Name | string | The attribute name of the indicator. |
| ThreatQ.Event.Attribute.Value | string | The attribute value of the indicator. |
| ThreatQ.Event.UpdatedAt | date | The last update date of the event. |
| ThreatQ.Event.CreatedAt | date | The creation date of the event. |
| ThreatQ.Event.Type | string | The type of the event. |
| ThreatQ.Event.Description | string | Description of the event. |
| ThreatQ.Event.Title | string | The title of the event. |
| ThreatQ.Event.Occurred | date | The date that the event happened. |
| ThreatQ.Adversary.Name | string | The name of the adversary. |
| ThreatQ.Adversary.ID | number | The ID of the adversary. |
| ThreatQ.Adversary.Source.ID | number | The source of the adversary. |
| ThreatQ.Adversary.Source.Name | string | The source name of the adversary. |
| ThreatQ.Adversary.Attribute.ID | number | The attribute ID of the adversary. |
| ThreatQ.Adversary.Attribute.Name | string | The attribute name of the adversary. |
| ThreatQ.Adversary.Attribute.Value | string | The attribute value of the adversary. |
| ThreatQ.Adversary.UpdatedAt | date | The creation date of the adversary. |
| ThreatQ.Adversary.CreatedAt | date | The last update date of the adversary. |
| ThreatQ.File.CreatedAt | Date | Date of the file upload. |
| ThreatQ.File.Size | Number | Size (in bytes) of the file. |
| ThreatQ.File.MD5 | String | The MD5 hash of the file. |
| ThreatQ.File.ID | Number | The File ID in ThreatQ. |
| ThreatQ.File.Name | String | The name of the File. |
| ThreatQ.File.Title | String | The title of the file. |
| ThreatQ.File.UpdatedAt | Date | The last update of the file. |
| ThreatQ.File.MalwareLocked | Number | Whether malware files are zipped. |
| ThreatQ.File.ContentType | String | The content type of the file. |
| ThreatQ.File.Category | String | The type of the file. |
| ThreatQ.File.Source.ID | Number | The source of the file. |
| ThreatQ.File.Source.Name | String | The source name of the file. |
| ThreatQ.File.Attribute.ID | Number | The attribute ID of the file. |
| ThreatQ.File.Attribute.Name | String | The attribute name of the file. |
| ThreatQ.File.Attribute.Value | String | The attribute value of the file. |
Command Example
!threatq-search-by-id obj_id=173317 obj_type=indicator
Human Readable Output
19. Unlink two objects
Unlinks two objects in ThreatQ.
Base Command
threatq-unlink-objects
Input
| Argument Name | Description | Required |
|---|---|---|
| obj1_id | The ID of the first object. | Required |
| obj1_type | The type of the first object. Can be: "adversary", "indicator", or "event". | Required |
| obj2_id | The ID of the second object. | Required |
| obj2_type | The type of the second object. Can be: "adversary", "indicator", or "event". | Required |
Command Example
!threatq-unlink-objects obj1_id=173317 obj1_type=indicator obj2_id=1 obj2_type=adversary
Human Readable Output
20. Delete an object
Deletes an object in ThreatQ.
Base Command
threatq-delete-object
Input
| Argument Name | Description | Required |
|---|---|---|
| obj_id | ID of the Object. | Required |
| obj_type | The type of the object. Can be: "indicator", "event", "adversary" or "attachment". | Required |
Command Example
!threatq-delete-object obj_id=104 obj_type=event
Human Readable Output
21. Add a source to an object
Adds a source to an object in ThreatQ.
Base Command
threatq-add-source
Input
| Argument Name | Description | Required |
|---|---|---|
| obj_id | ID of an Object. | Required |
| obj_type | The type of the object. Can be: "indicator", "event", "adversary", or "attachment". | Required |
| source | The source name. | Required |
Command Example
!threatq-add-source obj_id=173317 obj_type=indicator source="AlienVault OTX"
Human Readable Output
22. Delete a source from an object
Deletes a source from an object in ThreatQ.
Base Command
threatq-delete-source
Input
| Argument Name | Description | Required |
|---|---|---|
| source_id | ID of the source. | Required |
| obj_id | ID of the object. | Required |
| obj_type | The type of the object. Can be: "indicator", "event", "adversary", or "attachment". | Required |
Command Example
!threatq-delete-source obj_id=173317 obj_type=indicator source_id=3333819
Human Readable Output
23. Delete an attribute
Deletes an attribute from an object in ThreatQ.
Base Command
threatq-delete-attribute
Input
| Argument Name | Description | Required |
|---|---|---|
| attribute_id | ID of the attribute. | Required |
| obj_id | ID of the object. | Required |
| obj_type | The type of the object. Can be: "indicator", "event", "adversary", or "attachment". | Required |
Command Example
!threatq-delete-attribute attribute_id=996896 obj_id=173317 obj_type=indicator
Human Readable Output
24. Edit an adversary
Updates an adversary name in ThreatQ.
Base Command
threatq-edit-adversary
Input
| Argument Name | Description | Required |
|---|---|---|
| id | ID of the Adversary to update. | Required |
| name | Name of the new adversary. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Adversary.Name | string | The name of the adversary. |
| ThreatQ.Adversary.ID | number | The ID of the adversary. |
| ThreatQ.Adversary.Source.ID | number | The source ID of the adversary. |
| ThreatQ.Adversary.Source.Name | string | The source name of the adversary. |
| ThreatQ.Adversary.Attribute.ID | number | The attribute ID of the adversary. |
| ThreatQ.Adversary.Attribute.Name | string | The attribute name of the adversary. |
| ThreatQ.Adversary.Attribute.Value | string | The value of the adversary. |
| ThreatQ.Adversary.UpdatedAt | date | The creation date of the adversary. |
| ThreatQ.Adversary.CreatedAt | date | The last update date of the adversary. |
Command Example
!threatq-edit-adversary id=23 name="New Adversary Name"
Human Readable Output
25. Edit an indicator
Updates an indicator in ThreatQ.
Base Command
threatq-edit-indicator
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The ID of the indicator. | Required |
| value | The value of the new indicator. | Optional |
| type | The type of the new indicator, such as email address, Filename, Binary string and so on. | Optional |
| description | The description of the indicator. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Indicator.ID | number | The ID of the indicator. |
| ThreatQ.Indicator.Source.ID | number | The source ID of the indicator. |
| ThreatQ.Indicator.Source.Name | string | The source name of the indicator. |
| ThreatQ.Indicator.Attribute.ID | number | The attribute ID of the indicator. |
| ThreatQ.Indicator.Attribute.Name | string | The attribute name of the indicator. |
| ThreatQ.Indicator.Attribute.Value | string | The attribute value of the indicator. |
| ThreatQ.Indicator.CreatedAt | date | The creation date of the indicator. |
| ThreatQ.Indicator.UpdatedAt | date | The last update date of the indicator. |
| ThreatQ.Indicator.Description | string | The description of the indicator. |
| ThreatQ.Indicator.Value | string | The value of the indicator. |
| ThreatQ.Indicator.Status | string | The status of the indicator. |
| ThreatQ.Indicator.Type | string | The type of the indicator. For example, IP Address. |
| ThreatQ.Indicator.TQScore | number | The ThreatQ Score of the indicator. |
Command Example
!threatq-edit-indicator id=173317 description="This is a new description" type="Email Address" value=goo@test.com
Human Readable Output
26. Edit an event
Updates an event in ThreatQ.
Base Command
threatq-edit-event
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The ID of the Event. | Required |
| title | The title of the new event. | Optional |
| date | Date that event happened. Can be: YYYY-mm-dd HH:MM:SS, YYYY-mm-dd | Optional |
| type | Type of the event, such as DoS Attack, Malware, Watchlist, and so on. | Optional |
| description | Description of the event. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Event.ID | number | The ID of the event. |
| ThreatQ.Event.Source.ID | number | The source ID of the event. |
| ThreatQ.Event.Source.Name | string | The source name of the event. |
| ThreatQ.Event.Attribute.ID | number | The attribute ID of the event. |
| ThreatQ.Event.Attribute.Name | string | The attribute name of the event. |
| ThreatQ.Event.Attribute.Value | string | The attribute value of the event. |
| ThreatQ.Event.UpdatedAt | date | The last update date of the event. |
| ThreatQ.Event.CreatedAt | date | The creation date of the event. |
| ThreatQ.Event.Type | string | The type of the event. |
| ThreatQ.Event.Description | string | The description of the event. |
| ThreatQ.Event.Title | string | The title of the event. |
| ThreatQ.Event.Occurred | date | The date that the event happened. |
Command Example
!threatq-edit-event id=1 date="2019-09-30 21:00:00" description="The event will take place in Expo Tel Aviv" type="Command and Control"
Human Readable Output
27. Update a score of an indicator
Modifies an indicator's score in ThreatQ. The final indicator score is the highest of the manual and generated scores.
Base Command
threatq-update-score
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The ID of the indicator. | Required |
| score | The manual indicator score. Can be: "Generated Score" or "1", "2", "3", "4", "5", "6", "7", "8", "9" or "10". | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Indicator.ID | number | The ID of the indicator. |
| ThreatQ.Indicator.Source.ID | number | The source ID of the indicator. |
| ThreatQ.Indicator.Source.Name | string | The source name of the indicator. |
| ThreatQ.Indicator.Attribute.ID | number | The attribute ID of the indicator. |
| ThreatQ.Indicator.Attribute.Name | string | The attribute name of the indicator. |
| ThreatQ.Indicator.Attribute.Value | string | The attribute value of the indicator. |
| ThreatQ.Indicator.CreatedAt | date | The creation date of the indicator. |
| ThreatQ.Indicator.UpdatedAt | date | The last update date of the indicator. |
| ThreatQ.Indicator.Description | string | The description of the indicator. |
| ThreatQ.Indicator.Value | string | The value of the indicator. |
| ThreatQ.Indicator.Status | string | The status of the Indicator. |
| ThreatQ.Indicator.Type | string | The type of the indicator. For example, IP Address. |
| ThreatQ.Indicator.TQScore | number | The ThreatQ Score of the indicator. |
Command Example
!threatq-update-score id=173317 score=2
Human Readable Output
28. Download a file to Demisto
Downloads a file from ThreatQ to Demisto.
Base Command
threatq-download-file
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The ID of the file. | Required |
Command Example
!threatq-download-file id=88
Human Readable Output
29. Get all indicators
Retrieves all indicators in ThreatQ.
Base Command
threatq-get-all-indicators
Input
| Argument Name | Description | Required |
|---|---|---|
| page | The result page number to return. Default is 0. | Optional |
| limit | The maximum number of indicators return. Default is 50. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Indicator.ID | number | ID of the indicator. |
| ThreatQ.Indicator.Source.ID | number | Source ID of the indicator. |
| ThreatQ.Indicator.Source.Name | string | Source name of the indicator. |
| ThreatQ.Indicator.Attribute.ID | number | Attribute ID of the of the indicator. |
| ThreatQ.Indicator.Attribute.Name | string | Attribute name of the indicator. |
| ThreatQ.Indicator.Attribute.Value | string | Attribute value of the indicator. |
| ThreatQ.Indicator.CreatedAt | date | The creation date of the indicator. |
| ThreatQ.Indicator.UpdatedAt | date | The last update date of the indicator. |
| ThreatQ.Indicator.Description | string | The description of the indicator. |
| ThreatQ.Indicator.Value | string | The value of the indicator. |
| ThreatQ.Indicator.Status | string | The status of the indicator. |
| ThreatQ.Indicator.Type | string | The type of the indicator. For example, IP Address. |
| ThreatQ.Indicator.TQScore | number | The ThreatQ Score of the indicator. |
Command Example
!threatq-get-all-indicators limit=30 page=10
Human Readable Output
30. Get a list of events
Retrieves all events in ThreatQ.
Base Command
threatq-get-all-events
Input
| Argument Name | Description | Required |
|---|---|---|
| page | The result page number to return. Default is 0. | Optional |
| limit | The maximum number of events to return. Default is 50. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Event.ID | number | The ID of the event. |
| ThreatQ.Event.Source.ID | number | The source ID of the event. |
| ThreatQ.Event.Source.Name | string | The source name of the event. |
| ThreatQ.Event.Attribute.ID | number | The attribute ID of the event. |
| ThreatQ.Event.Attribute.Name | string | The attribute name of the event. |
| ThreatQ.Event.Attribute.Value | string | The attribute value of the event. |
| ThreatQ.Event.UpdatedAt | date | The last update date of the event. |
| ThreatQ.Event.CreatedAt | date | The creation date of the event. |
| ThreatQ.Event.Type | string | The type of the event. |
| ThreatQ.Event.Description | string | The description of the event. |
| ThreatQ.Event.Title | string | The title of the event. |
| ThreatQ.Event.Occurred | date | The date the event happened. |
Command Example
!threatq-get-all-events limit=30 page=10
Human Readable Output
31. Get a list of all adversaries
Returns all adversaries in ThreatQ.
Base Command
threatq-get-all-adversaries
Input
| Argument Name | Description | Required |
|---|---|---|
| page | The result page number to return. Default is 0. | Optional |
| limit | The maximum number of objects to return in one response (maximum is 200). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ThreatQ.Adversary.Name | string | The name of the adversary. |
| ThreatQ.Adversary.ID | number | The ID of the of the adversary. |
| ThreatQ.Adversary.Source.ID | number | The source ID of the adversary. |
| ThreatQ.Adversary.Source.Name | string | The source name of the adversary. |
| ThreatQ.Adversary.Attribute.ID | number | The attribute ID of the adversary. |
| ThreatQ.Adversary.Attribute.Name | string | The attribute name of the adversary. |
| ThreatQ.Adversary.Attribute.Value | string | The attribute value of the adversary. |
| ThreatQ.Adversary.UpdatedAt | date | The creation date of the adversary. |
| ThreatQ.Adversary.CreatedAt | date | The last update date of the adversary. |
Command Example
!threatq-get-all-events limit=30 page=10
Human Readable Output
32. Perform advanced search
Performs an advanced indicator search.
Base Command
threatq-advanced-search
| Argument Name | Description | Required |
|---|---|---|
| query | The search query. | Required |
| limit | The maximum number of results to return. The default is 10. | Required |
| Indicator Type | The indicator type by which to search. It can be either the name or the ID. Possible values: Binary String, CIDR Block, CVE, Email Address, Email Attachment, Email Subject, File Mapping, File Path, Filename, FQDN, Fuzzy Hash, GOST Hash, Hash ION, IP Address, IPv6 Address, MD5, Mutex, Password, Registry Key, Service Name, SHA-1, SHA-256, SHA-384, SHA-512, String, x509 Serial, x509 Subject, URL, URL Path, User-agent, Username, X-Mailer | Required |
Command Example
!threatq-advanced-search query= indicator_type= limit=8