ThreatQ v2

A threat intelligence platform that collects and interprets intelligence data from open sources and manages indicator scoring, types, and attributes. This integration was integrated and tested with version xx of ThreatQ v2.

Configure ThreatQ v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for ThreatQ v2.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • ThreatQ server URL (e.g. https://192.168.1.136)
    • ThreatQ client ID
    • Email
    • Indicator threshold (minimum TQ score to consider the indicator malicious).
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the new instance.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Search for object by name: threatq-search-by-name
  2. Check an IP address: ip
  3. Check a URL: url
  4. Check a file: file
  5. Check an email: email
  6. Check a domain: domain
  7. Create an indicator: threatq-create-indicator
  8. Add an attribute: threatq-add-attribute
  9. Modify an attribute: threatq-modify-attribute
  10. Link two objects: threatq-link-objects
  11. Create an adversary: threatq-create-adversary
  12. Create an event: threatq-create-event
  13. Get related indicators: threatq-get-related-indicators
  14. Update an indicator status: threatq-update-status
  15. Get related events: threatq-get-related-events
  16. Get related adversaries: threatq-get-related-adversaries
  17. Upload a file: threatq-upload-file
  18. Search by Object type and ID: threatq-search-by-id
  19. Unlink two objects: threatq-unlink-objects
  20. Delete an object: threatq-delete-object
  21. Add a source to an object: threatq-add-source
  22. Delete a source from an object: threatq-delete-source
  23. Delete an attribute: threatq-delete-attribute
  24. Edit an adversary: threatq-edit-adversary
  25. Edit an indicator: threatq-edit-indicator
  26. Edit an event: threatq-edit-event
  27. Update a score of an indicator: threatq-update-score
  28. Download a file to Demisto: threatq-download-file
  29. Get all indicators: threatq-get-all-indicators
  30. Get a list of events: threatq-get-all-events
  31. Get a list of all adversaries: threatq-get-all-adversaries
  32. Perform advanced search: threatq-advanced-search

1. Search for object by name


Searches for objects by name in the ThreatQ repository.

Base Command

threatq-search-by-name

Input
Argument Name Description Required
name Name of the object to search. Required
limit The maximum number of records to retrieve. Optional

Context Output
Path Type Description
ThreatQ.Indicator.ID Number The ID of the Indicator.
ThreatQ.Indicator.Value String The value of the Indicator.
ThreatQ.Event.ID Number The ID of the Event.
ThreatQ.Event.Title String The title of the Event.
ThreatQ.Adversary.ID Number The ID of the Adversary.
ThreatQ.Adversary.Name String The name of the Adversary.

Command Example
  !threatq-search-by-name name=test limit=6
Human Readable Output

search-by-name.png

2. Check an IP address


Checks the reputation of an IP address in ThreatQ.

Base Command

ip

Input
Argument Name Description Required
ip The IP address to check. Required

Context Output
Path Type Description
DBotScore.Indicator String The value of the indicator.
DBotScore.Type String The type of the indicator.
DBotScore.Vendor String The vendor of the indicator.
DBotScore.Score Number The DBot Score of the indicator.
IP.Address String The IP Address.
IP.Malicious.Vendor String The vendor of the malicious IP address.
IP.Malicious.Description String The description of the Malicious IP address.
ThreatQ.Indicator.ID Number The ID of the Indicator.
ThreatQ.Indicator.Value String The value of the indicator.
ThreatQ.Indicator.Source.ID Number The source ID of the indicator.
ThreatQ.Indicator.Source.Name String The source name of the indicator.
ThreatQ.Indicator.Attribute.ID Number The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Value String The attribute value of the indicator.
ThreatQ.Indicator.Attribute.Name String The attribute name of the indicator.
ThreatQ.Indicator.CreatedAt Date The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt Date The last update date of the indicator.
ThreatQ.Indicator.Status String The status of the indicator.
ThreatQ.Indicator.TQScore Number The ThreatQ score of the indicator.
ThreatQ.Indicator.Description String The description of the indicator.
ThreatQ.Indicator.Type String The type of the indicator.

Command Example
  !ip ip=91.140.64.113
Human Readable Output

ip.png

3. Check a URL


Checks the reputation of a URL in ThreatQ.

Base Command

url

Input
Argument Name Description Required
url The URL to check. Required

Context Output
Path Type Description
DBotScore.Indicator String The value of the indicator.
DBotScore.Type String The type of the indicator.
DBotScore.Vendor String The vendor of the indicator.
DBotScore.Score Number The DBot Score of the indicator.
URL.Data String The URL.
URL.Malicious.Vendor String The vendor of the malicious URL.
URL.Malicious.Description String The description of the malicious URL.
ThreatQ.Indicator.ID Number The ID of the indicator.
ThreatQ.Indicator.Value String The value of the indicator.
ThreatQ.Indicator.Source.ID Number The source ID of the indicator.
ThreatQ.Indicator.Source.Name String The source name of the indicator.
ThreatQ.Indicator.Attribute.ID Number The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Value String The attribute value of the indicator.
ThreatQ.Indicator.Attribute.Name String The attribute name of the indicator.
ThreatQ.Indicator.CreatedAt Date The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt Date The last update date of the indicator.
ThreatQ.Indicator.Status String The status of the indicator.
ThreatQ.Indicator.TQScore Number The ThreatQ score of the indicator.
ThreatQ.Indicator.Description String The description of the indicator.
ThreatQ.Indicator.Type String The type of the indicator.

Command Example
  !url url=https://www.paloaltonetworks.com/
Human Readable Output

url.png

4. Check a file


Checks the reputation of a file in ThreatQ.

Base Command

file

Input
Argument Name Description Required
file The MD5, SHA-1 or SHA-256 hash of the file to check. Required

Context Output
Path Type Description
DBotScore.Indicator String The value of the indicator.
DBotScore.Type String The type of the indicator.
DBotScore.Vendor String The vendor of the indicator.
DBotScore.Score Number The DBot Score of the indicator.
File.Name String The name of the file.
File.MD5 String The MD5 of the file.
File.SHA1 String The SHA1 of the file.
File.SHA256 String The SHA256 of the file.
File.SHA512 String The SHA512 of the file.
File.Path String The path of the file.
File.Malicious.Vendor String The vendor of the malicious file.
File.Malicious.Description String The description of the malicious file.
ThreatQ.Indicator.ID Number The ID of the indicator.
ThreatQ.Indicator.Value String The value of the indicator.
ThreatQ.Indicator.Source.ID Number The source ID of the indicator.
ThreatQ.Indicator.Source.Name String The source name of the indicator.
ThreatQ.Indicator.Attribute.ID Number The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Value String The attribute value of the indicator.
ThreatQ.Indicator.Attribute.Name String The attribute name of the indicator.
ThreatQ.Indicator.CreatedAt Date The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt Date The last update date of the indicator.
ThreatQ.Indicator.Status String The status of the indicator.
ThreatQ.Indicator.TQScore Number The ThreatQ score of the indicator.
ThreatQ.Indicator.Description String The description of the indicator.
ThreatQ.Indicator.Type String The type of the indicator.

Command Example
  !file file=a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
Human Readable Output

file.png

5. Check an email


Checks the reputation of an email in ThreatQ.

Base Command

email

Input
Argument Name Description Required
email The email address to check. Required

Context Output
Path Type Description
DBotScore.Indicator String The value of the indicator.
DBotScore.Type String The type of the indicator.
DBotScore.Vendor String The vendor of the indicator.
DBotScore.Score Number The DBot Score of the indicator.
Account.Email.Address String The Email Address.
Account.Malicious.Vendor String The vendor of the malicious account.
Account.Malicious.Description String The description of the malicious account.
ThreatQ.Indicator.ID Number The ID of the indicator.
ThreatQ.Indicator.Value String The value of the indicator.
ThreatQ.Indicator.Source.ID Number The source ID of the indicator.
ThreatQ.Indicator.Source.Name String The source name of the indicator.
ThreatQ.Indicator.Attribute.ID Number The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Value String The attribute value of the indicator.
ThreatQ.Indicator.Attribute.Name String The attribute name of the indicator.
ThreatQ.Indicator.CreatedAt Date The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt Date The last update date of the indicator.
ThreatQ.Indicator.Status String The status of the indicator.
ThreatQ.Indicator.TQScore Number The ThreatQ score of the indicator.
ThreatQ.Indicator.Description String The description of the indicator.
ThreatQ.Indicator.Type String The type of the indicator.

Command Example
  !email email=example.gmail.com
Human Readable Output

email.png

6. Check a domain


Checks the reputation of a domain in ThreatQ.

Base Command

domain

Input
Argument Name Description Required
domain The domain or FQDN to check. Required

Context Output
Path Type Description
DBotScore.Indicator String The value of the indicator.
DBotScore.Vendor String The vendor of the indicator.
DBotScore.Type String The type of the indicator.
DBotScore.Score Number The DBot Score of the indicator.
Domain.Name String The name of the domain.
Domain.Malicious.Vendor String The vendor of the malicious domain.
Domain.Malicious.Description String The description of the malicious domain.
ThreatQ.Indicator.ID Number The ID of the indicator.
ThreatQ.Indicator.Value String The value of the indicator.
ThreatQ.Indicator.Source.ID Number The source ID of the indicator.
ThreatQ.Indicator.Source.Name String The source name of the indicator.
ThreatQ.Indicator.Attribute.ID Number The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Value String The attribute value of the indicator.
ThreatQ.Indicator.Attribute.Name String The attribute name of the indicator.
ThreatQ.Indicator.CreatedAt Date The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt Date The last update date of the indicator.
ThreatQ.Indicator.Status String The status of the indicator.
ThreatQ.Indicator.TQScore Number The ThreatQ score of the indicator.
ThreatQ.Indicator.Description String The description of the indicator.
ThreatQ.Indicator.Type String The type of the indicator.

Command Example
  !domain domain=www.testdomain.com
Human Readable Output

domain.png

7. Create an indicator


Creates a new indicator in ThreatQ.

Base Command

threatq-create-indicator

Input
Argument Name Description Required
type The type of indicator, such as email address, IP address, Registry key, binary string, and so on. Required
status The status of the indicator. Can be: "Active", "Expired", "Indirect", "Review", or "Whitelisted". Required
value The value of the indicator. Required
sources List of Sources names, separated by commas. Optional
attributes_names Attributes names list, separated by commas. The i-th element in the attributes names list corresponds to the i-th element in the attributes values list. Optional
attributes_values Attributes values list, separated by commas. The i-th element in the attributes values list corresponds to the i-th element in the attributes names list. Optional

Context Output
Path Type Description
ThreatQ.Indicator.ID Number The ID of the indicator.
ThreatQ.Indicator.Value String The value of the indicator.
ThreatQ.Indicator.Source.ID Number The source ID of the indicator.
ThreatQ.Indicator.Source.Name String The source name of the indicator.
ThreatQ.Indicator.Attribute.ID Number The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Value String The attribute value of the indicator.
ThreatQ.Indicator.Attribute.Name String The attribute name of the indicator.
ThreatQ.Indicator.CreatedAt Date The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt Date The last update date of the indicator.
ThreatQ.Indicator.Status String The status of the indicator.
ThreatQ.Indicator.TQScore Number The ThreatQ score of the indicator.
ThreatQ.Indicator.Description String The description of the indicator.
ThreatQ.Indicator.Type String The type of the indicator.

Command Example
  !threatq-create-indicator value=232.12.34.135 status=Review type="IP Address" attributes_names=TestAttr1,TestAttr2 attributes_values=Val1,Val2 sources=arian@demisto.com
Human Readable Output

create-indicator.png
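
The i-th-element pairing of attributes_names and attributes_values described above (the same rule applies to threatq-create-adversary and threatq-create-event) can be checked before the command is run, so a stray comma does not attach a value to the wrong attribute. The following Python is an added example, not the integration's own code; the function names are hypothetical, and the quoting of values that contain spaces follows the command examples on this page.

```python
# Added example: validate threatq-create-indicator arguments and render the
# CLI command. Helper names are hypothetical, not part of the integration.

# Status values listed in the Input table of threatq-create-indicator.
ALLOWED_STATUSES = ("Active", "Expired", "Indirect", "Review", "Whitelisted")
# Argument order used by the command example on this page.
ARG_ORDER = ("value", "status", "type",
             "attributes_names", "attributes_values", "sources")


def split_csv(raw):
    """Split a comma-separated argument; missing or blank input gives []."""
    if raw is None or not raw.strip():
        return []
    return [item.strip() for item in raw.split(",")]


def pair_attributes(attributes_names, attributes_values):
    """Pair the i-th name with the i-th value, rejecting ambiguous input."""
    names = split_csv(attributes_names)
    values = split_csv(attributes_values)
    if len(names) != len(values):
        # A comma inside a name or value silently shifts every later pair,
        # so a length mismatch is treated as an error, never truncated.
        raise ValueError(
            "attributes_names has %d item(s) but attributes_values has %d"
            % (len(names), len(values)))
    for index, (name, value) in enumerate(zip(names, values)):
        if not name or not value:
            raise ValueError(
                "empty attribute name or value at position %d" % index)
    return list(zip(names, values))


def quote(text):
    """Quote a value containing whitespace, as in type="IP Address"."""
    if '"' in text:
        raise ValueError("double quotes are not supported in values")
    return '"%s"' % text if any(ch.isspace() for ch in text) else text


def build_create_indicator_command(type_, status, value, sources=None,
                                   attributes_names=None,
                                   attributes_values=None):
    """Return the validated !threatq-create-indicator command line."""
    if status not in ALLOWED_STATUSES:
        raise ValueError("status must be one of: " + ", ".join(ALLOWED_STATUSES))
    if not type_ or not type_.strip():
        raise ValueError("type is required")
    if not value or not value.strip():
        raise ValueError("value is required")

    args = {"value": value.strip(), "status": status, "type": type_.strip()}

    pairs = pair_attributes(attributes_names, attributes_values)
    if pairs:
        args["attributes_names"] = ",".join(name for name, _ in pairs)
        args["attributes_values"] = ",".join(val for _, val in pairs)

    source_list = split_csv(sources)
    if any(not source for source in source_list):
        raise ValueError("empty entry in sources")
    if source_list:
        args["sources"] = ",".join(source_list)

    parts = ["!threatq-create-indicator"]
    for key in ARG_ORDER:
        if key in args:
            parts.append("%s=%s" % (key, quote(args[key])))
    return " ".join(parts)


if __name__ == "__main__":
    # Same inputs as the command example on this page.
    print(build_create_indicator_command(
        "IP Address", "Review", "232.12.34.135",
        sources="arian@demisto.com",
        attributes_names="TestAttr1,TestAttr2",
        attributes_values="Val1,Val2"))
```
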

8. Add an attribute


Adds an attribute to an object in ThreatQ.

Base Command

threatq-add-attribute

Input
Argument Name Description Required
name The name of the attribute to add. Required
value The value of the attribute to add. Required
obj_type The type of the object to add. Can be: "indicator", "event", "adversary", or "attachment". Required
obj_id The ID of the Object. Required

Context Output

There is no context output for this command.

Command Example
  !threatq-add-attribute obj_type=indicator obj_id=173317 name=TestAttr3 value=Val3
Human Readable Output

add-attribute.png

9. Modify an attribute


Modifies an attribute for an object in ThreatQ.

Base Command

threatq-modify-attribute

Input
Argument Name Description Required
obj_type The type of the object. Can be: "indicator", "event", "adversary", or "attachment". Required
obj_id The ID of the object. Required
attribute_id The ID of the attribute to modify. Required
attribute_value The new value of the attribute. Required

Command Example
  !threatq-modify-attribute attribute_id=996895 attribute_value=NewVal obj_id=173317 obj_type=indicator
Human Readable Output

modify-attribute.png

10. Link two objects


Links two objects together in ThreatQ.

Base Command

threatq-link-objects

Input
Argument Name Description Required
obj1_id The ID of the first object. Required
obj2_id The ID of the second object. Required
obj1_type The type of the first object. Can be: "indicator", "adversary", or "event". Required
obj2_type The type of the second object. Can be: "indicator", "adversary", or "event". Required

Command Example
  !threatq-link-objects obj1_id=173317 obj1_type=indicator obj2_id=1 obj2_type=adversary
Human Readable Output

link-objects.png

11. Create an adversary


Creates a new adversary in ThreatQ.

Base Command

threatq-create-adversary

Input
Argument Name Description Required
name Name of the adversary to create. Required
sources List of sources names, separated by commas. Optional
attributes_names List of attributes names, separated by commas. The i-th element in the attributes names list corresponds to the i-th element in the attributes values list. Optional
attributes_values List of attributes values, separated by commas. The i-th element in the attributes values list corresponds to the i-th element in the attributes names list. Optional

Context Output
Path Type Description
ThreatQ.Adversary.Name string The name of the adversary.
ThreatQ.Adversary.ID number The ID of the adversary.
ThreatQ.Adversary.Source.ID number The source ID of the adversary.
ThreatQ.Adversary.Source.Name string The source name of the adversary.
ThreatQ.Adversary.Attribute.ID number The ID of the adversary's attribute.
ThreatQ.Adversary.Attribute.Name string The name of the adversary's attribute.
ThreatQ.Adversary.Attribute.Value string The value of the adversary's attribute.
ThreatQ.Adversary.UpdatedAt date The last update date of the adversary.
ThreatQ.Adversary.CreatedAt date The creation date of the adversary.

Command Example
  !threatq-create-adversary name="Reut Shalem"
Human Readable Output

create-adversary.png

12. Create an event


Creates a new event in ThreatQ.

Base Command

threatq-create-event

Input
Argument Name Description Required
title Title of the event. Required
type The type of the event, such as malware, watchlist, command and control, and so on. Required
date Date that event happened. Can be: YYYY-mm-dd HH:MM:SS, YYYY-mm-dd Required
sources List of sources names, separated by commas. Optional
attributes_names List of attributes names, separated by commas. The i-th element in the attributes names list corresponds to the i-th element in the attributes values list. Optional
attributes_values List of attributes values, separated by commas. The i-th element in the attributes values list corresponds to the i-th element in the attributes names list. Optional

Context Output
Path Type Description
ThreatQ.Event.ID number The ID of the event.
ThreatQ.Event.Source.ID number The source ID of the event.
ThreatQ.Event.Source.Name string The source name of the event.
ThreatQ.Event.Attribute.ID number The ID of the event attribute.
ThreatQ.Event.Attribute.Name string The name of the event attribute.
ThreatQ.Event.Attribute.Value string The attribute value of the event.
ThreatQ.Event.UpdatedAt date The last update date of the event.
ThreatQ.Event.CreatedAt date The creation date of the event.
ThreatQ.Event.Type string The type of the event.
ThreatQ.Event.Description string The description of the event.
ThreatQ.Event.Title string The title of the event.
ThreatQ.Event.Occurred date The date of the event that happened.

Command Example
  !threatq-create-event date="2019-09-30 20:00:00" title="Offra Alta" type=Incident
Human Readable Output

create-event.png

13. Get related indicators


Retrieves related indicators for an object in ThreatQ.

Base Command

threatq-get-related-indicators

Input
Argument Name Description Required
obj_id The ID of the object. Required
obj_type The type of the object. Can be: "indicator", "event", or "adversary". Required

Context Output
Path Type Description
ThreatQ.Indicator.RelatedIndicator.ID number The ID of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Source.ID number The source ID of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Source.Name string The source name of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Attribute.ID number The attribute ID of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Attribute.Name string The attribute name of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Attribute.Value string The attribute value of the related indicator.
ThreatQ.Indicator.RelatedIndicator.UpdatedAt date The last update date of the related indicator.
ThreatQ.Indicator.RelatedIndicator.CreatedAt date The creation date of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Type string The type of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Description string The description of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Value string The value of the related indicator.
ThreatQ.Indicator.RelatedIndicator.Status string The status of the related indicator.
ThreatQ.Indicator.RelatedIndicator.TQScore number The ThreatQ score of the related indicator.
ThreatQ.Indicator.ID number The ID of the indicator.
ThreatQ.Event.RelatedIndicator.ID number The ID of the related indicator.
ThreatQ.Event.RelatedIndicator.Source.ID number The source ID of the related indicator.
ThreatQ.Event.RelatedIndicator.Source.Name string The source name of the related indicator.
ThreatQ.Event.RelatedIndicator.Attribute.ID number The attribute ID of the related indicator.
ThreatQ.Event.RelatedIndicator.Attribute.Name string The attribute name of the related indicator.
ThreatQ.Event.RelatedIndicator.Attribute.Value string The attribute value of the related indicator.
ThreatQ.Event.RelatedIndicator.UpdatedAt date The last update date of the related indicator.
ThreatQ.Event.RelatedIndicator.CreatedAt date The creation date of the related indicator.
ThreatQ.Event.RelatedIndicator.Type string The type of the related indicator.
ThreatQ.Event.RelatedIndicator.Description string The description of the related indicator.
ThreatQ.Event.RelatedIndicator.Value string The value of the related indicator.
ThreatQ.Event.RelatedIndicator.Status string The status of the related indicator.
ThreatQ.Event.RelatedIndicator.TQScore number The ThreatQ score of the related indicator.
ThreatQ.Event.ID number ID of the Event.
ThreatQ.Adversary.RelatedIndicator.ID number ID of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Source.ID number Source ID of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Source.Name string Source name of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Attribute.ID number ID attribute of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Attribute.Name string Attribute name of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Attribute.Value string Attribute value of the related indicator.
ThreatQ.Adversary.RelatedIndicator.UpdatedAt date The last update date of the related indicator.
ThreatQ.Adversary.RelatedIndicator.CreatedAt date The creation date of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Type string The type of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Description string Description of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Value string The value of the related indicator.
ThreatQ.Adversary.RelatedIndicator.Status string The status of the related indicator.
ThreatQ.Adversary.RelatedIndicator.TQScore number The ThreatQ score of the related indicator.
ThreatQ.Adversary.ID number ID of the Adversary.

Command Example
  !threatq-get-related-indicators obj_id=1 obj_type=adversary
Human Readable Output

get-related-indicators.png

14. Update an indicator status


Updates an indicator status in ThreatQ.

Base Command

threatq-update-status

Input
Argument Name Description Required
id The ID of the indicator. Required
status The new status of the indicator. Can be: "Active", "Expired", "Indirect", "Review", or "Whitelisted". Required

Context Output
Path Type Description
ThreatQ.Indicator.ID Number ID of the indicator.
ThreatQ.Indicator.Status String Status of the indicator.

Command Example
  !threatq-update-status id=173317 status=Whitelisted
Human Readable Output

update-status.png

15. Get related events


Retrieves related events of an object in ThreatQ.

Base Command

threatq-get-related-events

Input
Argument Name Description Required
obj_id ID of the object. Required
obj_type The type of the object. Can be: "indicator", "event", or "adversary". Required

Context Output
Path Type Description
ThreatQ.Indicator.RelatedEvent.ID number ID of the related event.
ThreatQ.Indicator.RelatedEvent.Source.ID number Source ID of the related event.
ThreatQ.Indicator.RelatedEvent.Source.Name string Source name of the related event.
ThreatQ.Indicator.RelatedEvent.Attribute.ID number The attribute ID of the related event.
ThreatQ.Indicator.RelatedEvent.Attribute.Name string The attribute name of the related event.
ThreatQ.Indicator.RelatedEvent.Attribute.Value string The attribute value of the related event.
ThreatQ.Indicator.RelatedEvent.UpdatedAt date The last update date of the related event.
ThreatQ.Indicator.RelatedEvent.CreatedAt date The creation date of the related event.
ThreatQ.Indicator.RelatedEvent.Description string Description of the related event.
ThreatQ.Indicator.RelatedEvent.Title string The title of the related event.
ThreatQ.Indicator.RelatedEvent.Occurred date The date of occurrence of the related event.
ThreatQ.Indicator.RelatedEvent.Type string The type of the related event.
ThreatQ.Indicator.ID number The ID of the Indicator.
ThreatQ.Event.RelatedEvent.ID number The ID of the related event.
ThreatQ.Event.RelatedEvent.Source.ID number The source ID of the related event.
ThreatQ.Event.RelatedEvent.Source.Name string The source name of the related event.
ThreatQ.Event.RelatedEvent.Attribute.ID number The attribute ID of the related event.
ThreatQ.Event.RelatedEvent.Attribute.Name string The attribute name of the related event.
ThreatQ.Event.RelatedEvent.Attribute.Value string The attribute value of the related event.
ThreatQ.Event.RelatedEvent.UpdatedAt date The last update date of the related event.
ThreatQ.Event.RelatedEvent.CreatedAt date The creation date of the related event.
ThreatQ.Event.RelatedEvent.Description string The description of the related event.
ThreatQ.Event.RelatedEvent.Title string The title of the related event.
ThreatQ.Event.RelatedEvent.Occurred date The date of occurrence of the related event.
ThreatQ.Event.RelatedEvent.Type string The type of the related event.
ThreatQ.Event.ID number The ID of the Event.
ThreatQ.Adversary.RelatedEvent.ID number The ID of the related event.
ThreatQ.Adversary.RelatedEvent.Source.ID number The source ID of the related event.
ThreatQ.Adversary.RelatedEvent.Source.Name string The source name of the related event.
ThreatQ.Adversary.RelatedEvent.Attribute.ID number The attribute ID of the related event.
ThreatQ.Adversary.RelatedEvent.Attribute.Name string The attribute name of the related event.
ThreatQ.Adversary.RelatedEvent.Attribute.Value string The attribute value of the related event.
ThreatQ.Adversary.RelatedEvent.UpdatedAt date The last update date of the related event.
ThreatQ.Adversary.RelatedEvent.CreatedAt date The creation date of the related event.
ThreatQ.Adversary.RelatedEvent.Description string The description of the related event.
ThreatQ.Adversary.RelatedEvent.Title string The title of the related event.
ThreatQ.Adversary.RelatedEvent.Occurred date The date of occurrence of the related event.
ThreatQ.Adversary.RelatedEvent.Type string The type of the related event.
ThreatQ.Adversary.ID number ID of the Adversary.

Command Example
  !threatq-get-related-events obj_id=1 obj_type=adversary
Human Readable Output

get-related-events.png

16. Get related adversaries


Retrieves related adversaries of an object in ThreatQ.

Base Command

threatq-get-related-adversaries

Input
Argument Name Description Required
obj_id ID of the object. Required
obj_type The type of the object. Can be: "indicator", "event", or "adversary". Required

Context Output
Path Type Description
ThreatQ.Indicator.RelatedAdversary.ID number ID of the related adversary.
ThreatQ.Indicator.RelatedAdversary.Source.ID number Source ID of the related adversary.
ThreatQ.Indicator.RelatedAdversary.Source.Name string The Source name of the related adversary.
ThreatQ.Indicator.RelatedAdversary.Attribute.ID number The attribute ID of the related adversary.
ThreatQ.Indicator.RelatedAdversary.Attribute.Name string The attribute name of the related adversary.
ThreatQ.Indicator.RelatedAdversary.Attribute.Value string The attribute value of the related adversary.
ThreatQ.Indicator.RelatedAdversary.UpdatedAt date The last update date of the related adversary.
ThreatQ.Indicator.RelatedAdversary.CreatedAt date The creation date of the related adversary.
ThreatQ.Indicator.RelatedAdversary.Name string The name of the related adversary.
ThreatQ.Indicator.ID number The ID of the Indicator.
ThreatQ.Event.RelatedAdversary.ID number The ID of the related adversary.
ThreatQ.Event.RelatedAdversary.Source.ID number The source ID of the related adversary.
ThreatQ.Event.RelatedAdversary.Source.Name string The source name of the related adversary.
ThreatQ.Event.RelatedAdversary.Attribute.ID number The attribute ID of the related adversary.
ThreatQ.Event.RelatedAdversary.Attribute.Name string The Attribute name of the related adversary.
ThreatQ.Event.RelatedAdversary.Attribute.Value string The attribute value of the related adversary.
ThreatQ.Event.RelatedAdversary.UpdatedAt date The last update date of the related adversary.
ThreatQ.Event.RelatedAdversary.CreatedAt date The creation date of the related adversary.
ThreatQ.Event.RelatedAdversary.Name string The name of the related adversary.
ThreatQ.Event.ID number The ID of the Event.
ThreatQ.Adversary.RelatedAdversary.ID number The ID of the Related adversary.
ThreatQ.Adversary.RelatedAdversary.Source.ID number The source ID of the related adversary.
ThreatQ.Adversary.RelatedAdversary.Source.Name string The source name of the related adversary.
ThreatQ.Adversary.RelatedAdversary.Attribute.ID number The attribute ID of the related adversary.
ThreatQ.Adversary.RelatedAdversary.Attribute.Name string The attribute name of the related adversary.
ThreatQ.Adversary.RelatedAdversary.Attribute.Value string The attribute value of the related adversary.
ThreatQ.Adversary.RelatedAdversary.UpdatedAt date The last update date of the related adversary.
ThreatQ.Adversary.RelatedAdversary.CreatedAt date The creation date of the related adversary.
ThreatQ.Adversary.RelatedAdversary.Name string The name of the related adversary.
ThreatQ.Adversary.ID number The ID of the Adversary.

Command Example
  !threatq-get-related-adversaries obj_id=1 obj_type=adversary
Human Readable Output

get-related-adversaries.png

17. Upload a file


Uploads a file to ThreatQ.

Base Command

threatq-upload-file

Input
Argument Name Description Required
entry_id The file entry ID in Demisto. Required
file_category Category of the file, such as CrowdStrike Intelligence, FireEye Analysis, PDF, and so on. Required
malware_safety_lock Zips malware files for safer downloading. Can be: "on", or "off". Default is off. Optional
title Title of the File. Default is the file name. Optional

Context Output
Path Type Description
ThreatQ.File.CreatedAt Date Date of the file upload.
ThreatQ.File.Size Number Size (in bytes) of the file.
ThreatQ.File.MD5 String The MD5 of the file.
ThreatQ.File.ID Number The File ID in ThreatQ.
ThreatQ.File.Name String The name of the File.
ThreatQ.File.Title String The title of the file.
ThreatQ.File.UpdatedAt Date The last update of the file.
ThreatQ.File.MalwareLocked Number Whether malware files are zipped.
ThreatQ.File.ContentType String The content type of the file.
ThreatQ.File.Category String The type of the file.
ThreatQ.File.Source.ID Number The source ID of the file.
ThreatQ.File.Source.Name String The source name of the file.
ThreatQ.File.Attribute.ID Number The attribute ID of the file.
ThreatQ.File.Attribute.Name String The attribute name of the file.
ThreatQ.File.Attribute.Value String The attribute value of the file.

Command Example
  !threatq-upload-file entry_id=5379@9da8d636-cf30-42c2-8263-d09f5268be8a file_category="Generic Text" title="File Title"
Human Readable Output

upload-file.png

18. Search by Object type and ID


Searches for an object by object type and ID.

Base Command

threatq-search-by-id

Input
Argument Name Description Required
obj_type The type of the object. Can be: "indicator", "event", "attachment" or "adversary". Required
obj_id The ID of the Object. Required

Context Output
Path Type Description
ThreatQ.Indicator.ID number ID of the indicator.
ThreatQ.Indicator.Source.ID number Source ID of the indicator.
ThreatQ.Indicator.Source.Name string Source name of the indicator.
ThreatQ.Indicator.Attribute.ID number Attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Name string Attribute name of the indicator.
ThreatQ.Indicator.Attribute.Value string Attribute value of the indicator.
ThreatQ.Indicator.CreatedAt date Creation date of the indicator.
ThreatQ.Indicator.UpdatedAt date Last update date of the indicator.
ThreatQ.Indicator.Description string Description of the indicator.
ThreatQ.Indicator.Value string The value of the indicator.
ThreatQ.Indicator.Status string The status of indicator.
ThreatQ.Indicator.Type string The type of the indicator. For example, IP Address.
ThreatQ.Indicator.TQScore number The ThreatQ Score of the indicator.
ThreatQ.Event.ID number The ID of the event.
ThreatQ.Event.Source.ID number The source ID of the event.
ThreatQ.Event.Source.Name string The source name of the event.
ThreatQ.Event.Attribute.ID number The attribute ID of the event.
ThreatQ.Event.Attribute.Name string The attribute name of the event.
ThreatQ.Event.Attribute.Value string The attribute value of the event.
ThreatQ.Event.UpdatedAt date The last update date of the event.
ThreatQ.Event.CreatedAt date The creation date of the event.
ThreatQ.Event.Type string The type of the event.
ThreatQ.Event.Description string Description of the event.
ThreatQ.Event.Title string The title of the event.
ThreatQ.Event.Occurred date The date that the event happened.
ThreatQ.Adversary.Name string The name of the adversary.
ThreatQ.Adversary.ID number The ID of the adversary.
ThreatQ.Adversary.Source.ID number The source ID of the adversary.
ThreatQ.Adversary.Source.Name string The source name of the adversary.
ThreatQ.Adversary.Attribute.ID number The attribute ID of the adversary.
ThreatQ.Adversary.Attribute.Name string The attribute name of the adversary.
ThreatQ.Adversary.Attribute.Value string The attribute value of the adversary.
ThreatQ.Adversary.UpdatedAt date The last update date of the adversary.
ThreatQ.Adversary.CreatedAt date The creation date of the adversary.
ThreatQ.File.CreatedAt Date Date of the file upload.
ThreatQ.File.Size Number Size (in bytes) of the file.
ThreatQ.File.MD5 String The MD5 hash of the file.
ThreatQ.File.ID Number The File ID in ThreatQ.
ThreatQ.File.Name String The name of the File.
ThreatQ.File.Title String The title of the file.
ThreatQ.File.UpdatedAt Date The last update of the file.
ThreatQ.File.MalwareLocked Number Whether malware files are zipped.
ThreatQ.File.ContentType String The content type of the file.
ThreatQ.File.Category String The type of the file.
ThreatQ.File.Source.ID Number The source ID of the file.
ThreatQ.File.Source.Name String The source name of the file.
ThreatQ.File.Attribute.ID Number The attribute ID of the file.
ThreatQ.File.Attribute.Name String The attribute name of the file.
ThreatQ.File.Attribute.Value String The attribute value of the file.

Command Example
  !threatq-search-by-id obj_id=173317 obj_type=indicator
Human Readable Output

search-by-id.png

19. Unlink two objects


Unlinks two objects in ThreatQ.

Base Command

threatq-unlink-objects

Input
Argument Name Description Required
obj1_id The ID of the first object. Required
obj1_type The type of the first object. Can be: "adversary", "indicator", or "event". Required
obj2_id The ID of the second object. Required
obj2_type The type of the second object. Can be: "adversary", "indicator", or "event". Required

Command Example
  !threatq-unlink-objects obj1_id=173317 obj1_type=indicator obj2_id=1 obj2_type=adversary
Human Readable Output

unlink-objects.png

20. Delete an object


Deletes an object in ThreatQ.

Base Command

threatq-delete-object

Input
Argument Name Description Required
obj_id ID of the Object. Required
obj_type The type of the object. Can be: "indicator", "event", "adversary" or "attachment". Required

Command Example
  !threatq-delete-object obj_id=104 obj_type=event
Human Readable Output

delete-object.png

21. Add a source to an object


Adds a source to an object in ThreatQ.

Base Command

threatq-add-source

Input
Argument Name Description Required
obj_id ID of an Object. Required
obj_type The type of the object. Can be: "indicator", "event", "adversary", or "attachment". Required
source The source name. Required

Command Example
  !threatq-add-source obj_id=173317 obj_type=indicator source="AlienVault OTX"
Human Readable Output

add-source.png

22. Delete a source from an object


Deletes a source from an object in ThreatQ.

Base Command

threatq-delete-source

Input
Argument Name Description Required
source_id ID of the source. Required
obj_id ID of the object. Required
obj_type The type of the object. Can be: "indicator", "event", "adversary", or "attachment". Required

Command Example
  !threatq-delete-source obj_id=173317 obj_type=indicator source_id=3333819
Human Readable Output

delete-source.png

23. Delete an attribute


Deletes an attribute from an object in ThreatQ.

Base Command

threatq-delete-attribute

Input
Argument Name Description Required
attribute_id ID of the attribute. Required
obj_id ID of the object. Required
obj_type The type of the object. Can be: "indicator", "event", "adversary", or "attachment". Required

Command Example
  !threatq-delete-attribute attribute_id=996896 obj_id=173317 obj_type=indicator
Human Readable Output

delete-attribute.png

24. Edit an adversary


Updates an adversary name in ThreatQ.

Base Command

threatq-edit-adversary

Input
Argument Name Description Required
id ID of the Adversary to update. Required
name Name of the new adversary. Required

Context Output
Path Type Description
ThreatQ.Adversary.Name string The name of the adversary.
ThreatQ.Adversary.ID number The ID of the adversary.
ThreatQ.Adversary.Source.ID number The source ID of the adversary.
ThreatQ.Adversary.Source.Name string The source name of the adversary.
ThreatQ.Adversary.Attribute.ID number The attribute ID of the adversary.
ThreatQ.Adversary.Attribute.Name string The attribute name of the adversary.
ThreatQ.Adversary.Attribute.Value string The attribute value of the adversary.
ThreatQ.Adversary.UpdatedAt date The last update date of the adversary.
ThreatQ.Adversary.CreatedAt date The creation date of the adversary.

Command Example
  !threatq-edit-adversary id=23 name="New Adversary Name"
Human Readable Output

edit-adversary.png

25. Edit an indicator


Updates an indicator in ThreatQ.

Base Command

threatq-edit-indicator

Input
Argument Name Description Required
id The ID of the indicator. Required
value The value of the new indicator. Optional
type The type of the new indicator, such as email address, Filename, Binary string and so on. Optional
description The description of the indicator. Optional

Context Output
Path Type Description
ThreatQ.Indicator.ID number The ID of the indicator.
ThreatQ.Indicator.Source.ID number The source ID of the indicator.
ThreatQ.Indicator.Source.Name string The source name of the indicator.
ThreatQ.Indicator.Attribute.ID number The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Name string The attribute name of the indicator.
ThreatQ.Indicator.Attribute.Value string The attribute value of the indicator.
ThreatQ.Indicator.CreatedAt date The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt date The last update date of the indicator.
ThreatQ.Indicator.Description string The description of the indicator.
ThreatQ.Indicator.Value string The value of the indicator.
ThreatQ.Indicator.Status string The status of the indicator.
ThreatQ.Indicator.Type string The type of the indicator. For example, IP Address.
ThreatQ.Indicator.TQScore number The ThreatQ Score of the indicator.

Command Example
  !threatq-edit-indicator id=173317 description="This is a new description" type="Email Address" value=goo@test.com
Human Readable Output

edit-indicator.png

26. Edit an event


Updates an event in ThreatQ.

Base Command

threatq-edit-event

Input
Argument Name Description Required
id The ID of the Event. Required
title The title of the new event. Optional
date The date that the event happened. Can be: YYYY-mm-dd HH:MM:SS or YYYY-mm-dd. Optional
type Type of the event, such as DoS Attack, Malware, Watchlist, and so on. Optional
description Description of the event. Optional

Context Output
Path Type Description
ThreatQ.Event.ID number The ID of the event.
ThreatQ.Event.Source.ID number The source ID of the event.
ThreatQ.Event.Source.Name string The source name of the event.
ThreatQ.Event.Attribute.ID number The attribute ID of the event.
ThreatQ.Event.Attribute.Name string The attribute name of the event.
ThreatQ.Event.Attribute.Value string The attribute value of the event.
ThreatQ.Event.UpdatedAt date The last update date of the event.
ThreatQ.Event.CreatedAt date The creation date of the event.
ThreatQ.Event.Type string The type of the event.
ThreatQ.Event.Description string The description of the event.
ThreatQ.Event.Title string The title of the event.
ThreatQ.Event.Occurred date The date that the event happened.

Command Example
  !threatq-edit-event id=1 date="2019-09-30 21:00:00" description="The event will take place in Expo Tel Aviv" type="Command and Control"
Human Readable Output

edit-event.png

27. Update a score of an indicator


Modifies an indicator's score in ThreatQ. The final indicator score is the highest of the manual and generated scores.

Base Command

threatq-update-score

Input
Argument Name Description Required
id The ID of the indicator. Required
score The manual indicator score. Can be: "Generated Score" or "1", "2", "3", "4", "5", "6", "7", "8", "9" or "10". Required

Context Output
Path Type Description
ThreatQ.Indicator.ID number The ID of the indicator.
ThreatQ.Indicator.Source.ID number The source ID of the indicator.
ThreatQ.Indicator.Source.Name string The source name of the indicator.
ThreatQ.Indicator.Attribute.ID number The attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Name string The attribute name of the indicator.
ThreatQ.Indicator.Attribute.Value string The attribute value of the indicator.
ThreatQ.Indicator.CreatedAt date The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt date The last update date of the indicator.
ThreatQ.Indicator.Description string The description of the indicator.
ThreatQ.Indicator.Value string The value of the indicator.
ThreatQ.Indicator.Status string The status of the indicator.
ThreatQ.Indicator.Type string The type of the indicator. For example, IP Address.
ThreatQ.Indicator.TQScore number The ThreatQ Score of the indicator.

Command Example
  !threatq-update-score id=173317 score=2
Human Readable Output

update-score.png
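
Because the final score is the highest of the manual and generated scores, a manual score below the generated one does not lower the verdict. The Python sketch below is an added example, not the integration's own code: the `generated` input field, the sample values and the threshold of 7 are assumptions, and the comparison follows the instance setting "Indicator threshold (minimum TQ score to consider the indicator malicious)".

```python
GENERATED = "Generated Score"  # literal accepted by the `score` argument

# Constructed sample: planned threatq-update-score calls plus the score
# ThreatQ generated for each indicator (hypothetical `generated` field).
SAMPLE_UPDATES = [
    {"id": 173317, "generated": 8, "score": "2"},
    {"id": 1, "generated": 3, "score": "9"},
    {"id": 2, "generated": 5, "score": GENERATED},
]


def parse_manual_score(score_arg):
    """Validate `score`; None means 'fall back to the generated score'."""
    text = str(score_arg).strip()
    if text == GENERATED:
        return None
    if text.isdigit() and 1 <= int(text) <= 10:
        return int(text)
    raise ValueError("score must be 'Generated Score' or an integer 1-10")


def final_score(generated, score_arg):
    """Final score = highest of the manual and generated scores."""
    manual = parse_manual_score(score_arg)
    return generated if manual is None else max(generated, manual)


def review_updates(updates, threshold):
    """Flag planned updates whose manual score cannot take effect."""
    rows = []
    for update in updates:
        manual = parse_manual_score(update["score"])
        final = final_score(update["generated"], update["score"])
        rows.append({
            "id": update["id"],
            "final": final,
            # Threshold is the minimum score considered malicious.
            "malicious": final >= threshold,
            # True when the analyst's lower score is outvoted.
            "override_ignored": manual is not None and manual < final,
        })
    return rows


if __name__ == "__main__":
    for row in review_updates(SAMPLE_UPDATES, threshold=7):
        print(row)
```

A row with `override_ignored` set means the indicator keeps its generated score, so a false positive is not cleared by `threatq-update-score` alone.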

28. Download a file to Demisto


Downloads a file from ThreatQ to Demisto.

Base Command

threatq-download-file

Input
Argument Name Description Required
id The ID of the file. Required

Command Example
  !threatq-download-file id=88
Human Readable Output

download-file.png

29. Get all indicators


Retrieves all indicators in ThreatQ.

Base Command

threatq-get-all-indicators

Input
Argument Name Description Required
page The result page number to return. Default is 0. Optional
limit The maximum number of indicators to return. Default is 50. Optional

Context Output
Path Type Description
ThreatQ.Indicator.ID number ID of the indicator.
ThreatQ.Indicator.Source.ID number Source ID of the indicator.
ThreatQ.Indicator.Source.Name string Source name of the indicator.
ThreatQ.Indicator.Attribute.ID number Attribute ID of the indicator.
ThreatQ.Indicator.Attribute.Name string Attribute name of the indicator.
ThreatQ.Indicator.Attribute.Value string Attribute value of the indicator.
ThreatQ.Indicator.CreatedAt date The creation date of the indicator.
ThreatQ.Indicator.UpdatedAt date The last update date of the indicator.
ThreatQ.Indicator.Description string The description of the indicator.
ThreatQ.Indicator.Value string The value of the indicator.
ThreatQ.Indicator.Status string The status of the indicator.
ThreatQ.Indicator.Type string The type of the indicator. For example, IP Address.
ThreatQ.Indicator.TQScore number The ThreatQ Score of the indicator.

Command Example
  !threatq-get-all-indicators limit=30 page=10
Human Readable Output

get-all-indicators.png

30. Get a list of events


Retrieves all events in ThreatQ.

Base Command

threatq-get-all-events

Input
Argument Name Description Required
page The result page number to return. Default is 0. Optional
limit The maximum number of events to return. Default is 50. Optional

Context Output
Path Type Description
ThreatQ.Event.ID number The ID of the event.
ThreatQ.Event.Source.ID number The source ID of the event.
ThreatQ.Event.Source.Name string The source name of the event.
ThreatQ.Event.Attribute.ID number The attribute ID of the event.
ThreatQ.Event.Attribute.Name string The attribute name of the event.
ThreatQ.Event.Attribute.Value string The attribute value of the event.
ThreatQ.Event.UpdatedAt date The last update date of the event.
ThreatQ.Event.CreatedAt date The creation date of the event.
ThreatQ.Event.Type string The type of the event.
ThreatQ.Event.Description string The description of the event.
ThreatQ.Event.Title string The title of the event.
ThreatQ.Event.Occurred date The date the event happened.

Command Example
  !threatq-get-all-events limit=30 page=10
Human Readable Output

get-all-events.png

31. Get a list of all adversaries


Returns all adversaries in ThreatQ.

Base Command

threatq-get-all-adversaries

Input
Argument Name Description Required
page The result page number to return. Default is 0. Optional
limit The maximum number of objects to return in one response (maximum is 200). Optional

Context Output
Path Type Description
ThreatQ.Adversary.Name string The name of the adversary.
ThreatQ.Adversary.ID number The ID of the adversary.
ThreatQ.Adversary.Source.ID number The source ID of the adversary.
ThreatQ.Adversary.Source.Name string The source name of the adversary.
ThreatQ.Adversary.Attribute.ID number The attribute ID of the adversary.
ThreatQ.Adversary.Attribute.Name string The attribute name of the adversary.
ThreatQ.Adversary.Attribute.Value string The attribute value of the adversary.
ThreatQ.Adversary.UpdatedAt date The last update date of the adversary.
ThreatQ.Adversary.CreatedAt date The creation date of the adversary.

Command Example
  !threatq-get-all-adversaries limit=30 page=10
Human Readable Output

get-all-adversaries.png

32. Perform advanced search


Performs an advanced indicator search.

Base Command

threatq-advanced-search

Input
Argument Name Description Required
query The search query. Required
limit The maximum number of results to return. The default is 10. Required
indicator_type The indicator type by which to search. It can be either the name or the ID. Possible values: Binary String, CIDR Block, CVE, Email Address, Email Attachment, Email Subject, File Mapping, File Path, Filename, FQDN, Fuzzy Hash, GOST Hash, Hash ION, IP Address, IPv6 Address, MD5, Mutex, Password, Registry Key, Service Name, SHA-1, SHA-256, SHA-384, SHA-512, String, x509 Serial, x509 Subject, URL, URL Path, User-agent, Username, X-Mailer. Required

Command Example
  !threatq-advanced-search query= indicator_type= limit=8