ThreatQ v2
A threat intelligence platform that collects and interprets intelligence data from open sources and manages indicator scoring, types, and attributes.
Configure ThreatQ v2 on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for ThreatQ v2.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- ThreatQ server URL (e.g. https://192.168.1.136)
- ThreatQ client ID
- Indicator threshold (minimum TQ score to consider the indicator malicious).
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the new instance.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Search for an object by name: threatq-search-by-name
- Check an IP address: ip
- Check a URL: url
- Check a file: file
- Check an email: email
- Check a domain: domain
- Create an indicator: threatq-create-indicator
- Add an attribute: threatq-add-attribute
- Modify an attribute: threatq-modify-attribute
- Link two objects: threatq-link-objects
- Create an adversary: threatq-create-adversary
- Create an event: threatq-create-event
- Get related indicators: threatq-get-related-indicators
- Update an indicator status: threatq-update-status
- Get related events: threatq-get-related-events
- Get related adversaries: threatq-get-related-adversaries
- Upload a file: threatq-upload-file
- Search by Object type and ID: threatq-search-by-id
- Unlink two objects: threatq-unlink-objects
- Delete an object: threatq-delete-object
- Add a source to an object: threatq-add-source
- Delete a source from an object: threatq-delete-source
- Delete an attribute: threatq-delete-attribute
- Edit an adversary: threatq-edit-adversary
- Edit an indicator: threatq-edit-indicator
- Edit an event: threatq-edit-event
- Update the score of an indicator: threatq-update-score
- Download a file to Demisto: threatq-download-file
- Get all indicators: threatq-get-all-indicators
- Get a list of events: threatq-get-all-events
- Get a list of all adversaries: threatq-get-all-adversaries
1. Search for object by name
Searches for objects by name in the ThreatQ repository.
Base Command
threatq-search-by-name
Input
Argument Name | Description | Required |
---|---|---|
name | Name of the object to search. | Required |
limit | The maximum number of records to retrieve. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Indicator.ID | Number | The ID of the Indicator. |
ThreatQ.Indicator.Value | String | The value of the Indicator. |
ThreatQ.Event.ID | Number | The ID of the Event. |
ThreatQ.Event.Title | String | The title of the Event. |
ThreatQ.Adversary.ID | Number | The ID of the Adversary. |
ThreatQ.Adversary.Name | String | The name of the Adversary. |
Command Example
!threatq-search-by-name name=test limit=6
Human Readable Output
2. Check an IP address
Checks the reputation of an IP address in ThreatQ.
Base Command
ip
Input
Argument Name | Description | Required |
---|---|---|
ip | The IP address to check. | Required |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The value of the indicator. |
DBotScore.Type | String | The type of the indicator. |
DBotScore.Vendor | String | The vendor of the indicator. |
DBotScore.Score | Number | The DBot Score of the indicator. |
IP.Address | String | The IP Address. |
IP.Malicious.Vendor | String | The vendor that reported the IP address as malicious. |
IP.Malicious.Description | String | The description of the Malicious IP address. |
ThreatQ.Indicator.ID | Number | The ID of the Indicator. |
ThreatQ.Indicator.Value | String | The value of the indicator. |
ThreatQ.Indicator.Source.ID | Number | The source ID of the indicator. |
ThreatQ.Indicator.Source.Name | String | The source name of the indicator. |
ThreatQ.Indicator.Attribute.ID | Number | The attribute ID of the indicator. |
ThreatQ.Indicator.Attribute.Value | String | The attribute value of the indicator. |
ThreatQ.Indicator.Attribute.Name | String | The attribute name of the indicator. |
ThreatQ.Indicator.CreatedAt | Date | The creation date of the indicator. |
ThreatQ.Indicator.UpdatedAt | Date | The last update date of the indicator. |
ThreatQ.Indicator.Status | String | The status of the indicator. |
ThreatQ.Indicator.TQScore | Number | The ThreatQ score of the indicator. |
ThreatQ.Indicator.Description | String | The description of the indicator. |
ThreatQ.Indicator.Type | String | The type of the indicator. |
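The following is an added example, not the integration's own code, showing how the context documented above can be derived from a ThreatQ indicator record and the Indicator threshold set in the instance configuration. The record shape, the mapping of TQ score to DBotScore (at or above the threshold is Bad, otherwise Suspicious, Whitelisted is Good, not found is Unknown) and the `ThreatQ.Indicator` key layout are this example's assumptions; IDs and values are taken from the README.

```python
"""Added example, not the ThreatQ v2 integration's own code: derive the
DBotScore and IP context documented for the `ip` command from a ThreatQ
indicator record and the configured indicator threshold."""
from typing import Any, Dict, Optional

# DBotScore values as Demisto uses them: 0 Unknown, 1 Good, 2 Suspicious, 3 Bad.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3
VENDOR = "ThreatQ v2"

# Constructed sample record in the simplified shape this example assumes
# (not the real ThreatQ API response); IDs and values are taken from the README.
SAMPLE_INDICATOR: Dict[str, Any] = {
    "id": 173317,
    "value": "91.140.64.113",
    "type": "IP Address",
    "status": "Active",
    "score": 8,
    "description": "constructed sample indicator",
    "created_at": "2019-09-30 20:00:00",
    "updated_at": "2019-09-30 20:00:00",
    "sources": [{"id": 1, "name": "arian@demisto.com"}],
    "attributes": [{"id": 996895, "name": "TestAttr1", "value": "Val1"}],
}


def dbot_score(indicator: Optional[Dict[str, Any]], threshold: float) -> int:
    """Map a ThreatQ record to a DBotScore (the mapping is this example's assumption).

    Not found in ThreatQ -> Unknown; Whitelisted -> Good regardless of score;
    TQ score at or above the threshold -> Bad; otherwise -> Suspicious.
    """
    if indicator is None:
        return DBOT_UNKNOWN
    if indicator.get("status") == "Whitelisted":
        return DBOT_GOOD
    return DBOT_BAD if indicator.get("score", 0) >= threshold else DBOT_SUSPICIOUS


def threatq_indicator_context(indicator: Dict[str, Any]) -> Dict[str, Any]:
    """Build the ThreatQ.Indicator entry with the keys listed in the context table."""
    return {
        "ID": indicator["id"],
        "Value": indicator["value"],
        "Type": indicator["type"],
        "Status": indicator["status"],
        "TQScore": indicator.get("score"),
        "Description": indicator.get("description"),
        "CreatedAt": indicator.get("created_at"),
        "UpdatedAt": indicator.get("updated_at"),
        "Source": [{"ID": s["id"], "Name": s["name"]} for s in indicator.get("sources", [])],
        "Attribute": [
            {"ID": a["id"], "Name": a["name"], "Value": a["value"]}
            for a in indicator.get("attributes", [])
        ],
    }


def build_ip_context(ip: str, indicator: Optional[Dict[str, Any]], threshold: float) -> Dict[str, Any]:
    """Return the context the `ip` command would set for one address."""
    score = dbot_score(indicator, threshold)
    context: Dict[str, Any] = {
        "DBotScore": {"Indicator": ip, "Type": "ip", "Vendor": VENDOR, "Score": score},
        "IP": {"Address": ip},
    }
    if indicator is None:
        return context  # unknown to ThreatQ: only the DBotScore and IP stubs are set
    context["ThreatQ.Indicator"] = threatq_indicator_context(indicator)
    if score == DBOT_BAD:
        # Only a Bad verdict populates IP.Malicious, which is what playbooks key on.
        context["IP"]["Malicious"] = {
            "Vendor": VENDOR,
            "Description": f"ThreatQ score {indicator['score']} meets threshold {threshold}",
        }
    return context


if __name__ == "__main__":
    import json
    # Same record, two thresholds: the verdict flips from Bad to Suspicious.
    for threshold in (7, 9):
        print(json.dumps(build_ip_context("91.140.64.113", SAMPLE_INDICATOR, threshold), indent=2))
```

Run it with two thresholds to see that the same indicator is Bad at threshold 7 and only Suspicious at threshold 9, which is why the instance threshold should be chosen deliberately rather than left at whatever was typed during setup.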
Command Example
!ip ip=91.140.64.113
Human Readable Output
3. Check a URL
Checks the reputation of a URL in ThreatQ.
Base Command
url
Input
Argument Name | Description | Required |
---|---|---|
url | The URL to check. | Required |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The value of the indicator. |
DBotScore.Type | String | The type of the indicator. |
DBotScore.Vendor | String | The vendor of the indicator. |
DBotScore.Score | Number | The DBot Score of the indicator. |
URL.Data | String | The URL. |
URL.Malicious.Vendor | String | The vendor of the malicious URL. |
URL.Malicious.Description | String | The description of the malicious URL. |
ThreatQ.Indicator.ID | Number | The ID of the indicator. |
ThreatQ.Indicator.Value | String | The value of the indicator. |
ThreatQ.Indicator.Source.ID | Number | The source ID of the indicator. |
ThreatQ.Indicator.Source.Name | String | The source name of the indicator. |
ThreatQ.Indicator.Attribute.ID | Number | The attribute ID of the indicator. |
ThreatQ.Indicator.Attribute.Value | String | The attribute value of the indicator. |
ThreatQ.Indicator.Attribute.Name | String | The attribute name of the indicator. |
ThreatQ.Indicator.CreatedAt | Date | The creation date of the indicator. |
ThreatQ.Indicator.UpdatedAt | Date | The last update date of the indicator. |
ThreatQ.Indicator.Status | String | The status of the indicator. |
ThreatQ.Indicator.TQScore | Number | The ThreatQ score of the indicator. |
ThreatQ.Indicator.Description | String | The description of the indicator. |
ThreatQ.Indicator.Type | String | The type of the indicator. |
Command Example
!url url=https://www.paloaltonetworks.com/
Human Readable Output
4. Check a file
Checks the reputation of a file in ThreatQ.
Base Command
file
Input
Argument Name | Description | Required |
---|---|---|
file | The MD5, SHA-1, or SHA-256 hash of the file to check. | Required |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The value of the indicator. |
DBotScore.Type | String | The type of the indicator. |
DBotScore.Vendor | String | The vendor of the indicator. |
DBotScore.Score | Number | The DBot Score of the indicator. |
File.Name | String | The name of the file. |
File.MD5 | String | The MD5 of the file. |
File.SHA1 | String | The SHA1 of the file. |
File.SHA256 | String | The SHA256 of the file. |
File.SHA512 | String | The SHA512 of the file. |
File.Path | String | The path of the file. |
File.Malicious.Vendor | String | The vendor of the malicious file. |
File.Malicious.Description | String | The description of the malicious file. |
ThreatQ.Indicator.ID | Number | The ID of the indicator. |
ThreatQ.Indicator.Value | String | The value of the indicator. |
ThreatQ.Indicator.Source.ID | Number | The source ID of the indicator. |
ThreatQ.Indicator.Source.Name | String | The source name of the indicator. |
ThreatQ.Indicator.Attribute.ID | Number | The attribute ID of the indicator. |
ThreatQ.Indicator.Attribute.Value | String | The attribute value of the indicator. |
ThreatQ.Indicator.Attribute.Name | String | The attribute name of the indicator. |
ThreatQ.Indicator.CreatedAt | Date | The creation date of the indicator. |
ThreatQ.Indicator.UpdatedAt | Date | The last update date of the indicator. |
ThreatQ.Indicator.Status | String | The status of the indicator. |
ThreatQ.Indicator.TQScore | Number | The ThreatQ score of the indicator. |
ThreatQ.Indicator.Description | String | The description of the indicator. |
ThreatQ.Indicator.Type | String | The type of the indicator. |
Command Example
!file file=a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
Human Readable Output
5. Check an email
Checks the reputation of an email in ThreatQ.
Base Command
email
Input
Argument Name | Description | Required |
---|---|---|
email | The email address to check. | Required |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The value of the indicator. |
DBotScore.Type | String | The type of the indicator. |
DBotScore.Vendor | String | The vendor of the indicator. |
DBotScore.Score | Number | The DBot Score of the indicator. |
Account.Email.Address | String | The Email Address. |
Account.Malicious.Vendor | String | The vendor of the malicious account. |
Account.Malicious.Description | String | The description of the malicious account. |
ThreatQ.Indicator.ID | Number | The ID of the indicator. |
ThreatQ.Indicator.Value | String | The value of the indicator. |
ThreatQ.Indicator.Source.ID | Number | The source ID of the indicator. |
ThreatQ.Indicator.Source.Name | String | The source name of the indicator. |
ThreatQ.Indicator.Attribute.ID | Number | The attribute ID of the indicator. |
ThreatQ.Indicator.Attribute.Value | String | The attribute value of the indicator. |
ThreatQ.Indicator.Attribute.Name | String | The attribute name of the indicator. |
ThreatQ.Indicator.CreatedAt | Date | The creation date of the indicator. |
ThreatQ.Indicator.UpdatedAt | Date | The last update date of the indicator. |
ThreatQ.Indicator.Status | String | The status of the indicator. |
ThreatQ.Indicator.TQScore | Number | The ThreatQ score of the indicator. |
ThreatQ.Indicator.Description | String | The description of the indicator. |
ThreatQ.Indicator.Type | String | The type of the indicator. |
Command Example
!email email=example.gmail.com
Human Readable Output
6. Check a domain
Checks the reputation of a domain in ThreatQ.
Base Command
domain
Input
Argument Name | Description | Required |
---|---|---|
domain | The domain or FQDN to check. | Required |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The value of the indicator. |
DBotScore.Vendor | String | The vendor of the indicator. |
DBotScore.Type | String | The type of the indicator. |
DBotScore.Score | Number | The DBot Score of the indicator. |
Domain.Name | String | The name of the domain. |
Domain.Malicious.Vendor | String | The vendor of the malicious domain. |
Domain.Malicious.Description | String | The description of the malicious domain. |
ThreatQ.Indicator.ID | Number | The ID of the indicator. |
ThreatQ.Indicator.Value | String | The value of the indicator. |
ThreatQ.Indicator.Source.ID | Number | The source ID of the indicator. |
ThreatQ.Indicator.Source.Name | String | The source name of the indicator. |
ThreatQ.Indicator.Attribute.ID | Number | The attribute ID of the indicator. |
ThreatQ.Indicator.Attribute.Value | String | The attribute value of the indicator. |
ThreatQ.Indicator.Attribute.Name | String | The attribute name of the indicator. |
ThreatQ.Indicator.CreatedAt | Date | The creation date of the indicator. |
ThreatQ.Indicator.UpdatedAt | Date | The last update date of the indicator. |
ThreatQ.Indicator.Status | String | The status of the indicator. |
ThreatQ.Indicator.TQScore | Number | The ThreatQ score of the indicator. |
ThreatQ.Indicator.Description | String | The description of the indicator. |
ThreatQ.Indicator.Type | String | The type of the indicator. |
Command Example
!domain domain=www.testdomain.com
Human Readable Output
7. Create an indicator
Creates a new indicator in ThreatQ.
Base Command
threatq-create-indicator
Input
Argument Name | Description | Required |
---|---|---|
type | The type of indicator, such as email address, IP address, Registry key, binary string, and so on. | Required |
status | The status of the indicator. Can be: "Active", "Expired", "Indirect", "Review", or "Whitelisted". | Required |
value | The value of the indicator. | Required |
sources | List of source names, separated by commas. | Optional |
attributes_names | List of attribute names, separated by commas. The i-th element in the attribute names list corresponds to the i-th element in the attribute values list. | Optional |
attributes_values | List of attribute values, separated by commas. The i-th element in the attribute values list corresponds to the i-th element in the attribute names list. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Indicator.ID | Number | The ID of the indicator. |
ThreatQ.Indicator.Value | String | The value of the indicator. |
ThreatQ.Indicator.Source.ID | Number | The source ID of the indicator. |
ThreatQ.Indicator.Source.Name | String | The source name of the indicator. |
ThreatQ.Indicator.Attribute.ID | Number | The attribute ID of the indicator. |
ThreatQ.Indicator.Attribute.Value | String | The attribute value of the indicator. |
ThreatQ.Indicator.Attribute.Name | String | The attribute name of the indicator. |
ThreatQ.Indicator.CreatedAt | Date | The creation date of the indicator. |
ThreatQ.Indicator.UpdatedAt | Date | The last update date of the indicator. |
ThreatQ.Indicator.Status | String | The status of the indicator. |
ThreatQ.Indicator.TQScore | Number | The ThreatQ score of the indicator. |
ThreatQ.Indicator.Description | String | The description of the indicator. |
ThreatQ.Indicator.Type | String | The type of the indicator. |
Command Example
!threatq-create-indicator value=232.12.34.135 status=Review type="IP Address" attributes_names=TestAttr1,TestAttr2 attributes_values=Val1,Val2 sources=arian@demisto.com
Human Readable Output
8. Add an attribute
Adds an attribute to an object in ThreatQ.
Base Command
threatq-add-attribute
Input
Argument Name | Description | Required |
---|---|---|
name | The name of the attribute to add. | Required |
value | The value of the attribute to add. | Required |
obj_type | The type of the object to which the attribute is added. Can be: "indicator", "event", "adversary", or "attachment". | Required |
obj_id | The ID of the Object. | Required |
Context Output
There is no context output for this command.
Command Example
!threatq-add-attribute obj_type=indicator obj_id=173317 name=TestAttr3 value=Val3
Human Readable Output
9. Modify an attribute
Modifies an attribute for an object in ThreatQ.
Base Command
threatq-modify-attribute
Input
Argument Name | Description | Required |
---|---|---|
obj_type | The type of the object. Can be: "indicator", "event", "adversary", or "attachment". | Required |
obj_id | The ID of the object. | Required |
attribute_id | The ID of the attribute to modify. | Required |
attribute_value | The new value of the attribute. | Required |
Command Example
!threatq-modify-attribute attribute_id=996895 attribute_value=NewVal obj_id=173317 obj_type=indicator
Human Readable Output
10. Link two objects
Links two objects together in ThreatQ.
Base Command
threatq-link-objects
Input
Argument Name | Description | Required |
---|---|---|
obj1_id | The ID of the first object. | Required |
obj2_id | The ID of the second object. | Required |
obj1_type | The type of the first object. Can be: "indicator", "adversary", or "event". | Required |
obj2_type | The type of the second object. Can be: "indicator", "adversary", or "event". | Required |
Command Example
!threatq-link-objects obj1_id=173317 obj1_type=indicator obj2_id=1 obj2_type=adversary
Human Readable Output
11. Create an adversary
Creates a new adversary in ThreatQ.
Base Command
threatq-create-adversary
Input
Argument Name | Description | Required |
---|---|---|
name | Name of the adversary to create. | Required |
sources | List of source names, separated by commas. | Optional |
attributes_names | List of attribute names, separated by commas. The i-th element in the attribute names list corresponds to the i-th element in the attribute values list. | Optional |
attributes_values | List of attribute values, separated by commas. The i-th element in the attribute values list corresponds to the i-th element in the attribute names list. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Adversary.Name | string | The name of the adversary. |
ThreatQ.Adversary.ID | number | The ID of the adversary. |
ThreatQ.Adversary.Source.ID | number | The source ID of the adversary. |
ThreatQ.Adversary.Source.Name | string | The source name of the adversary. |
ThreatQ.Adversary.Attribute.ID | number | The ID of the adversary's attribute. |
ThreatQ.Adversary.Attribute.Name | string | The name of the adversary's attribute. |
ThreatQ.Adversary.Attribute.Value | string | The value of the adversary's attribute. |
ThreatQ.Adversary.UpdatedAt | date | The last update date of the adversary. |
ThreatQ.Adversary.CreatedAt | date | The creation date of the adversary. |
Command Example
!threatq-create-adversary name="Reut Shalem"
Human Readable Output
12. Create an event
Creates a new event in ThreatQ.
Base Command
threatq-create-event
Input
Argument Name | Description | Required |
---|---|---|
title | Title of the event. | Required |
type | The type of the event, such as malware, watchlist, command and control, and so on. | Required |
date | The date the event happened, in the format YYYY-mm-dd HH:MM:SS or YYYY-mm-dd. | Required |
sources | List of source names, separated by commas. | Optional |
attributes_names | List of attribute names, separated by commas. The i-th element in the attribute names list corresponds to the i-th element in the attribute values list. | Optional |
attributes_values | List of attribute values, separated by commas. The i-th element in the attribute values list corresponds to the i-th element in the attribute names list. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Event.ID | number | The ID of the event. |
ThreatQ.Event.Source.ID | number | The source ID of the event. |
ThreatQ.Event.Source.Name | string | The source name of the event. |
ThreatQ.Event.Attribute.ID | number | The ID of the event attribute. |
ThreatQ.Event.Attribute.Name | string | The name of the event attribute. |
ThreatQ.Event.Attribute.Value | string | The attribute value of the event. |
ThreatQ.Event.UpdatedAt | date | The last update date of the event. |
ThreatQ.Event.CreatedAt | date | The creation date of the event. |
ThreatQ.Event.Type | string | The type of the event. |
ThreatQ.Event.Description | string | The description of the event. |
ThreatQ.Event.Title | string | The title of the event. |
ThreatQ.Event.Occurred | date | The date on which the event occurred. |
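An added example, not the integration's own code, covering the argument handling that the threatq-create-indicator (section 7) and threatq-create-event (section 12) commands document: the positional pairing of `attributes_names` with `attributes_values`, the indicator status values, and the two accepted event date formats. The request body key names (`sources`, `attributes`, `happened_at`) are this example's assumptions, not the ThreatQ API.

```python
"""Added example, not the ThreatQ v2 integration's own code: validate and
pair the comma-separated arguments of threatq-create-indicator and
threatq-create-event before they become an API request body."""
from datetime import datetime
from typing import Any, Dict, List, Optional

# Status values the README lists for an indicator.
INDICATOR_STATUSES = {"Active", "Expired", "Indirect", "Review", "Whitelisted"}
# Date formats the README accepts for the event `date` argument, most specific first.
EVENT_DATE_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d")


def split_csv(arg: Optional[str]) -> List[str]:
    """Split a comma-separated argument into trimmed items; a missing argument yields []."""
    if not arg:
        return []
    return [item.strip() for item in arg.split(",") if item.strip()]


def pair_attributes(names_arg: Optional[str], values_arg: Optional[str]) -> List[Dict[str, str]]:
    """Zip attributes_names with attributes_values by position (i-th name <-> i-th value).

    A length mismatch is rejected instead of silently truncated, because zip()
    would otherwise drop the trailing items and attach values to the wrong names.
    """
    names, values = split_csv(names_arg), split_csv(values_arg)
    if len(names) != len(values):
        raise ValueError(
            f"attributes_names has {len(names)} items but attributes_values has {len(values)}"
        )
    return [{"name": n, "value": v} for n, v in zip(names, values)]


def build_sources(sources_arg: Optional[str]) -> List[Dict[str, str]]:
    """One source object per comma-separated source name."""
    return [{"name": s} for s in split_csv(sources_arg)]


def build_indicator_body(args: Dict[str, Any]) -> Dict[str, Any]:
    """Request body for threatq-create-indicator (key names are this example's assumption)."""
    status = args["status"]
    if status not in INDICATOR_STATUSES:
        raise ValueError(f"status must be one of {sorted(INDICATOR_STATUSES)}, got {status!r}")
    return {
        "type": args["type"],
        "status": status,
        "value": args["value"],
        "sources": build_sources(args.get("sources")),
        "attributes": pair_attributes(args.get("attributes_names"), args.get("attributes_values")),
    }


def parse_event_date(date_arg: str) -> datetime:
    """Accept either documented form; anything else is an error, not a guess."""
    for fmt in EVENT_DATE_FORMATS:
        try:
            return datetime.strptime(date_arg, fmt)
        except ValueError:
            continue
    raise ValueError(f"date must be YYYY-mm-dd HH:MM:SS or YYYY-mm-dd, got {date_arg!r}")


def build_event_body(args: Dict[str, Any]) -> Dict[str, Any]:
    """Request body for threatq-create-event (key names are this example's assumption)."""
    happened = parse_event_date(args["date"])
    return {
        "title": args["title"],
        "type": args["type"],
        "happened_at": happened.strftime("%Y-%m-%d %H:%M:%S"),
        "sources": build_sources(args.get("sources")),
        "attributes": pair_attributes(args.get("attributes_names"), args.get("attributes_values")),
    }


if __name__ == "__main__":
    # The README's own command examples, as the argument dicts Demisto would pass in.
    print(build_indicator_body({
        "value": "232.12.34.135", "status": "Review", "type": "IP Address",
        "attributes_names": "TestAttr1,TestAttr2", "attributes_values": "Val1,Val2",
        "sources": "arian@demisto.com",
    }))
    print(build_event_body({"date": "2019-09-30 20:00:00", "title": "Offra Alta", "type": "Incident"}))
```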
Command Example
!threatq-create-event date="2019-09-30 20:00:00" title="Offra Alta" type=Incident
Human Readable Output
13. Get related indicators
Retrieves related indicators for an object in ThreatQ.
Base Command
threatq-get-related-indicators
Input
Argument Name | Description | Required |
---|---|---|
obj_id | The ID of the object. | Required |
obj_type | The type of the object. Can be: "indicator", "event", or "adversary". | Required |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Indicator.RelatedIndicator.ID | number | The ID of the related indicator. |
ThreatQ.Indicator.RelatedIndicator.Source.ID | number | The source ID of the related indicator. |
ThreatQ.Indicator.RelatedIndicator.Source.Name | string | The source name of the related indicator. |
ThreatQ.Indicator.RelatedIndicator.Attribute.ID | number | The attribute ID of the related indicator. |
ThreatQ.Indicator.RelatedIndicator.Attribute.Name | string | The attribute name of the related indicator. |
ThreatQ.Indicator.RelatedIndicator.Attribute.Value | string | The attribute value of the related indicator. |
ThreatQ.Indicator.RelatedIndicator.UpdatedAt | date | The last update date of the related indicator. |
ThreatQ.Indicator.RelatedIndicator.CreatedAt | date | The creation date of the related indicator. |
ThreatQ.Indicator.RelatedIndicator.Type | string | The type of the related indicator. |
ThreatQ.Indicator.RelatedIndicator.Description | string | The description of the related indicator. |
ThreatQ.Indicator.RelatedIndicator.Value | string | The value of the related indicator. |
ThreatQ.Indicator.RelatedIndicator.Status | string | The status of the related indicator. |
ThreatQ.Indicator.RelatedIndicator.TQScore | number | The ThreatQ score of the related indicator. |
ThreatQ.Indicator.ID | number | The ID of the indicator. |
ThreatQ.Event.RelatedIndicator.ID | number | The ID of the related indicator. |
ThreatQ.Event.RelatedIndicator.Source.ID | number | The source ID of the related indicator. |
ThreatQ.Event.RelatedIndicator.Source.Name | string | The source name of the related indicator. |
ThreatQ.Event.RelatedIndicator.Attribute.ID | number | The attribute ID of the related indicator. |
ThreatQ.Event.RelatedIndicator.Attribute.Name | string | The attribute name of the related indicator. |
ThreatQ.Event.RelatedIndicator.Attribute.Value | string | The attribute value of the related indicator. |
ThreatQ.Event.RelatedIndicator.UpdatedAt | date | The last update date of the related indicator. |
ThreatQ.Event.RelatedIndicator.CreatedAt | date | The creation date of the related indicator. |
ThreatQ.Event.RelatedIndicator.Type | string | The type of the related indicator. |
ThreatQ.Event.RelatedIndicator.Description | string | The description of the related indicator. |
ThreatQ.Event.RelatedIndicator.Value | string | The value of the related indicator. |
ThreatQ.Event.RelatedIndicator.Status | string | The status of the related indicator. |
ThreatQ.Event.RelatedIndicator.TQScore | number | The ThreatQ score of the related indicator. |
ThreatQ.Event.ID | number | ID of the Event. |
ThreatQ.Adversary.RelatedIndicator.ID | number | ID of the related indicator. |
ThreatQ.Adversary.RelatedIndicator.Source.ID | number | Source ID of the related indicator. |
ThreatQ.Adversary.RelatedIndicator.Source.Name | string | Source name of the related indicator. |
ThreatQ.Adversary.RelatedIndicator.Attribute.ID | number | Attribute ID of the related indicator. |
ThreatQ.Adversary.RelatedIndicator.Attribute.Name | string | Attribute name of the related indicator. |
ThreatQ.Adversary.RelatedIndicator.Attribute.Value | string | Attribute value of the related indicator. |
ThreatQ.Adversary.RelatedIndicator.UpdatedAt | date | The last update date of the related indicator. |
ThreatQ.Adversary.RelatedIndicator.CreatedAt | date | The creation date of the related indicator. |
ThreatQ.Adversary.RelatedIndicator.Type | string | The type of the related indicator. |
ThreatQ.Adversary.RelatedIndicator.Description | string | Description of the related indicator. |
ThreatQ.Adversary.RelatedIndicator.Value | string | The value of the related indicator. |
ThreatQ.Adversary.RelatedIndicator.Status | string | The status of the related indicator. |
ThreatQ.Adversary.RelatedIndicator.TQScore | number | The ThreatQ score of the related indicator. |
ThreatQ.Adversary.ID | number | ID of the Adversary. |
Command Example
!threatq-get-related-indicators obj_id=1 obj_type=adversary
Human Readable Output
14. Update an indicator status
Updates an indicator status in ThreatQ.
Base Command
threatq-update-status
Input
Argument Name | Description | Required |
---|---|---|
id | The ID of the indicator. | Required |
status | The new status of the indicator. Can be: "Active", "Expired", "Indirect", "Review", or "Whitelisted". | Required |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Indicator.ID | Number | ID of the indicator. |
ThreatQ.Indicator.Status | String | Status of the indicator. |
Command Example
!threatq-update-status id=173317 status=Whitelisted
Human Readable Output
15. Get related events
Retrieves related events of an object in ThreatQ.
Base Command
threatq-get-related-events
Input
Argument Name | Description | Required |
---|---|---|
obj_id | ID of the object. | Required |
obj_type | The type of the object. Can be: "indicator", "event", or "adversary". | Required |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Indicator.RelatedEvent.ID | number | ID of the related event. |
ThreatQ.Indicator.RelatedEvent.Source.ID | number | Source ID of the related event. |
ThreatQ.Indicator.RelatedEvent.Source.Name | string | Source name of the related event. |
ThreatQ.Indicator.RelatedEvent.Attribute.ID | number | The attribute ID of the related event. |
ThreatQ.Indicator.RelatedEvent.Attribute.Name | string | The attribute name of the related event. |
ThreatQ.Indicator.RelatedEvent.Attribute.Value | string | The attribute value of the related event. |
ThreatQ.Indicator.RelatedEvent.UpdatedAt | date | The last update date of the related event. |
ThreatQ.Indicator.RelatedEvent.CreatedAt | date | The creation date of the related event. |
ThreatQ.Indicator.RelatedEvent.Description | string | Description of the related event. |
ThreatQ.Indicator.RelatedEvent.Title | string | The title of the related event. |
ThreatQ.Indicator.RelatedEvent.Occurred | date | The date of occurrence of the related event. |
ThreatQ.Indicator.RelatedEvent.Type | string | The type of the related event. |
ThreatQ.Indicator.ID | number | The ID of the Indicator. |
ThreatQ.Event.RelatedEvent.ID | number | The ID of the related event. |
ThreatQ.Event.RelatedEvent.Source.ID | number | The source ID of the related event. |
ThreatQ.Event.RelatedEvent.Source.Name | string | The source name of the related event. |
ThreatQ.Event.RelatedEvent.Attribute.ID | number | The attribute ID of the related event. |
ThreatQ.Event.RelatedEvent.Attribute.Name | string | The attribute name of the related event. |
ThreatQ.Event.RelatedEvent.Attribute.Value | string | The attribute value of the related event. |
ThreatQ.Event.RelatedEvent.UpdatedAt | date | The last update date of the related event. |
ThreatQ.Event.RelatedEvent.CreatedAt | date | The creation date of the related event. |
ThreatQ.Event.RelatedEvent.Description | string | The description of the related event. |
ThreatQ.Event.RelatedEvent.Title | string | The title of the related event. |
ThreatQ.Event.RelatedEvent.Occurred | date | The date of occurrence of the related event. |
ThreatQ.Event.RelatedEvent.Type | string | The type of the related event. |
ThreatQ.Event.ID | number | The ID of the Event. |
ThreatQ.Adversary.RelatedEvent.ID | number | The ID of the related event. |
ThreatQ.Adversary.RelatedEvent.Source.ID | number | The source ID of the related event. |
ThreatQ.Adversary.RelatedEvent.Source.Name | string | The source name of the related event. |
ThreatQ.Adversary.RelatedEvent.Attribute.ID | number | The attribute ID of the related event. |
ThreatQ.Adversary.RelatedEvent.Attribute.Name | string | The attribute name of the related event. |
ThreatQ.Adversary.RelatedEvent.Attribute.Value | string | The attribute value of the related event. |
ThreatQ.Adversary.RelatedEvent.UpdatedAt | date | The last update date of the related event. |
ThreatQ.Adversary.RelatedEvent.CreatedAt | date | The creation date of the related event. |
ThreatQ.Adversary.RelatedEvent.Description | string | The description of the related event. |
ThreatQ.Adversary.RelatedEvent.Title | string | The title of the related event. |
ThreatQ.Adversary.RelatedEvent.Occurred | date | The date of occurrence of the related event. |
ThreatQ.Adversary.RelatedEvent.Type | string | The type of the related event. |
ThreatQ.Adversary.ID | number | ID of the Adversary. |
Command Example
!threatq-get-related-events obj_id=1 obj_type=adversary
Human Readable Output
16. Get related adversaries
Retrieve related adversaries from an object in ThreatQ.
Base Command
threatq-get-related-adversaries
Input
Argument Name | Description | Required |
---|---|---|
obj_id | ID of the object. | Required |
obj_type | The type of the object. Can be: "indicator", "event", or "adversary". | Required |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Indicator.RelatedAdversary.ID | number | ID of the related adversary. |
ThreatQ.Indicator.RelatedAdversary.Source.ID | number | Source ID of the related adversary. |
ThreatQ.Indicator.RelatedAdversary.Source.Name | string | The source name of the related adversary. |
ThreatQ.Indicator.RelatedAdversary.Attribute.ID | number | The attribute ID of the related adversary. |
ThreatQ.Indicator.RelatedAdversary.Attribute.Name | string | The attribute name of the related adversary. |
ThreatQ.Indicator.RelatedAdversary.Attribute.Value | string | The attribute value of the related adversary. |
ThreatQ.Indicator.RelatedAdversary.UpdatedAt | date | The last update date of the related adversary. |
ThreatQ.Indicator.RelatedAdversary.CreatedAt | date | The creation date of the related adversary. |
ThreatQ.Indicator.RelatedAdversary.Name | string | The name of the related adversary. |
ThreatQ.Indicator.ID | number | The ID of the Indicator. |
ThreatQ.Event.RelatedAdversary.ID | number | The ID of the related adversary. |
ThreatQ.Event.RelatedAdversary.Source.ID | number | The source ID of the related adversary. |
ThreatQ.Event.RelatedAdversary.Source.Name | string | The source name of the related adversary. |
ThreatQ.Event.RelatedAdversary.Attribute.ID | number | The attribute ID of the related adversary. |
ThreatQ.Event.RelatedAdversary.Attribute.Name | string | The attribute name of the related adversary. |
ThreatQ.Event.RelatedAdversary.Attribute.Value | string | The attribute value of the related adversary. |
ThreatQ.Event.RelatedAdversary.UpdatedAt | date | The last update date of the related adversary. |
ThreatQ.Event.RelatedAdversary.CreatedAt | date | The creation date of the related adversary. |
ThreatQ.Event.RelatedAdversary.Name | string | The name of the related adversary. |
ThreatQ.Event.ID | number | The ID of the Event. |
ThreatQ.Adversary.RelatedAdversary.ID | number | The ID of the related adversary. |
ThreatQ.Adversary.RelatedAdversary.Source.ID | number | The source ID of the related adversary. |
ThreatQ.Adversary.RelatedAdversary.Source.Name | string | The source name of the related adversary. |
ThreatQ.Adversary.RelatedAdversary.Attribute.ID | number | The attribute ID of the related adversary. |
ThreatQ.Adversary.RelatedAdversary.Attribute.Name | string | The attribute name of the related adversary. |
ThreatQ.Adversary.RelatedAdversary.Attribute.Value | string | The attribute value of the related adversary. |
ThreatQ.Adversary.RelatedAdversary.UpdatedAt | date | The last update date of the related adversary. |
ThreatQ.Adversary.RelatedAdversary.CreatedAt | date | The creation date of the related adversary. |
ThreatQ.Adversary.RelatedAdversary.Name | string | The name of the related adversary. |
ThreatQ.Adversary.ID | number | The ID of the Adversary. |
Command Example
!threatq-get-related-adversaries obj_id=1 obj_type=adversary
Human Readable Output
17. Upload a file
Uploads a file to ThreatQ.
Base Command
threatq-upload-file
Input
Argument Name | Description | Required |
---|---|---|
entry_id | The file entry ID in Demisto. | Required |
file_category | Category of the file, such as CrowdStrike Intelligence, FireEye Analysis, PDF, and so on. | Required |
malware_safety_lock | Zips malware files for safer downloading. Can be: "on", or "off". Default is off. | Optional |
title | Title of the File. Default is the file name. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.File.CreatedAt | Date | Date of the file upload. |
ThreatQ.File.Size | Number | Size (in bytes) of the file. |
ThreatQ.File.MD5 | String | The MD5 of the file. |
ThreatQ.File.ID | Number | The File ID in ThreatQ. |
ThreatQ.File.Name | String | The name of the File. |
ThreatQ.File.Title | String | The title of the file. |
ThreatQ.File.UpdatedAt | Date | The last update of the file. |
ThreatQ.File.MalwareLocked | Number | Whether malware files are zipped. |
ThreatQ.File.ContentType | String | The content type of the file. |
ThreatQ.File.Category | String | The type of the file. |
ThreatQ.File.Source.ID | Number | The source ID of the file. |
ThreatQ.File.Source.Name | String | The source name of the file. |
ThreatQ.File.Attribute.ID | Number | The attribute ID of the file. |
ThreatQ.File.Attribute.Name | String | The attribute name of the file. |
ThreatQ.File.Attribute.Value | String | The attribute value of the file. |
Command Example
!threatq-upload-file entry_id=5379@9da8d636-cf30-42c2-8263-d09f5268be8a file_category="Generic Text" title="File Title"
Human Readable Output
18. Search by Object type and ID
Searches for an object by object type and ID.
Base Command
threatq-search-by-id
Input
Argument Name | Description | Required |
---|---|---|
obj_type | The type of the object. Can be: "indicator", "event", "attachment" or "adversary". | Required |
obj_id | The ID of the Object. | Required |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Indicator.ID | number | ID of the indicator. |
ThreatQ.Indicator.Source.ID | number | Source ID of the indicator. |
ThreatQ.Indicator.Source.Name | string | Source name of the indicator. |
ThreatQ.Indicator.Attribute.ID | number | Attribute ID of the indicator. |
ThreatQ.Indicator.Attribute.Name | string | Attribute name of the indicator. |
ThreatQ.Indicator.Attribute.Value | string | Attribute value of the indicator. |
ThreatQ.Indicator.CreatedAt | date | Creation date of the indicator. |
ThreatQ.Indicator.UpdatedAt | date | Last update date of the indicator. |
ThreatQ.Indicator.Description | string | Description of the indicator. |
ThreatQ.Indicator.Value | string | The value of the indicator. |
ThreatQ.Indicator.Status | string | The status of the indicator. |
ThreatQ.Indicator.Type | string | The type of the indicator. For example, IP Address. |
ThreatQ.Indicator.TQScore | number | The ThreatQ Score of the indicator. |
ThreatQ.Event.ID | number | The ID of the event. |
ThreatQ.Event.Source.ID | number | The source ID of the event. |
ThreatQ.Event.Source.Name | string | The source name of the event. |
ThreatQ.Event.Attribute.ID | number | The attribute ID of the event. |
ThreatQ.Event.Attribute.Name | string | The attribute name of the event. |
ThreatQ.Event.Attribute.Value | string | The attribute value of the event. |
ThreatQ.Event.UpdatedAt | date | The last update date of the event. |
ThreatQ.Event.CreatedAt | date | The creation date of the event. |
ThreatQ.Event.Type | string | The type of the event. |
ThreatQ.Event.Description | string | Description of the event. |
ThreatQ.Event.Title | string | The title of the event. |
ThreatQ.Event.Occurred | date | The date that the event happened. |
ThreatQ.Adversary.Name | string | The name of the adversary. |
ThreatQ.Adversary.ID | number | The ID of the adversary. |
ThreatQ.Adversary.Source.ID | number | The source ID of the adversary. |
ThreatQ.Adversary.Source.Name | string | The source name of the adversary. |
ThreatQ.Adversary.Attribute.ID | number | The attribute ID of the adversary. |
ThreatQ.Adversary.Attribute.Name | string | The attribute name of the adversary. |
ThreatQ.Adversary.Attribute.Value | string | The attribute value of the adversary. |
ThreatQ.Adversary.UpdatedAt | date | The last update date of the adversary. |
ThreatQ.Adversary.CreatedAt | date | The creation date of the adversary. |
ThreatQ.File.CreatedAt | Date | Date of the file upload. |
ThreatQ.File.Size | Number | Size (in bytes) of the file. |
ThreatQ.File.MD5 | String | The MD5 hash of the file. |
ThreatQ.File.ID | Number | The File ID in ThreatQ. |
ThreatQ.File.Name | String | The name of the File. |
ThreatQ.File.Title | String | The title of the file. |
ThreatQ.File.UpdatedAt | Date | The last update of the file. |
ThreatQ.File.MalwareLocked | Number | Whether malware files are zipped. |
ThreatQ.File.ContentType | String | The content type of the file. |
ThreatQ.File.Category | String | The type of the file. |
ThreatQ.File.Source.ID | Number | The source ID of the file. |
ThreatQ.File.Source.Name | String | The source name of the file. |
ThreatQ.File.Attribute.ID | Number | The attribute ID of the file. |
ThreatQ.File.Attribute.Name | String | The attribute name of the file. |
ThreatQ.File.Attribute.Value | String | The attribute value of the file. |
Command Example
!threatq-search-by-id obj_id=173317 obj_type=indicator
Human Readable Output
19. Unlink two objects
Unlinks two objects in ThreatQ.
Base Command
threatq-unlink-objects
Input
Argument Name | Description | Required |
---|---|---|
obj1_id | The ID of the first object. | Required |
obj1_type | The type of the first object. Can be: "adversary", "indicator", or "event". | Required |
obj2_id | The ID of the second object. | Required |
obj2_type | The type of the second object. Can be: "adversary", "indicator", or "event". | Required |
Command Example
!threatq-unlink-objects obj1_id=173317 obj1_type=indicator obj2_id=1 obj2_type=adversary
Human Readable Output
20. Delete an object
Deletes an object in ThreatQ.
Base Command
threatq-delete-object
Input
Argument Name | Description | Required |
---|---|---|
obj_id | ID of the Object. | Required |
obj_type | The type of the object. Can be: "indicator", "event", "adversary" or "attachment". | Required |
Command Example
!threatq-delete-object obj_id=104 obj_type=event
Human Readable Output
21. Add a source to an object
Adds a source to an object in ThreatQ.
Base Command
threatq-add-source
Input
Argument Name | Description | Required |
---|---|---|
obj_id | ID of an Object. | Required |
obj_type | The type of the object. Can be: "indicator", "event", "adversary", or "attachment". | Required |
source | The source name. | Required |
Command Example
!threatq-add-source obj_id=173317 obj_type=indicator source="AlienVault OTX"
Human Readable Output
22. Delete a source from an object
Deletes a source from an object in ThreatQ.
Base Command
threatq-delete-source
Input
Argument Name | Description | Required |
---|---|---|
source_id | ID of the source. | Required |
obj_id | ID of the object. | Required |
obj_type | The type of the object. Can be: "indicator", "event", "adversary", or "attachment". | Required |
Command Example
!threatq-delete-source obj_id=173317 obj_type=indicator source_id=3333819
Human Readable Output
23. Delete an attribute
Deletes an attribute from an object in ThreatQ.
Base Command
threatq-delete-attribute
Input
Argument Name | Description | Required |
---|---|---|
attribute_id | ID of the attribute. | Required |
obj_id | ID of the object. | Required |
obj_type | The type of the object. Can be: "indicator", "event", "adversary", or "attachment". | Required |
Command Example
!threatq-delete-attribute attribute_id=996896 obj_id=173317 obj_type=indicator
Human Readable Output
24. Edit an adversary
Updates an adversary name in ThreatQ.
Base Command
threatq-edit-adversary
Input
Argument Name | Description | Required |
---|---|---|
id | ID of the Adversary to update. | Required |
name | The new name of the adversary. | Required |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Adversary.Name | string | The name of the adversary. |
ThreatQ.Adversary.ID | number | The ID of the adversary. |
ThreatQ.Adversary.Source.ID | number | The source ID of the adversary. |
ThreatQ.Adversary.Source.Name | string | The source name of the adversary. |
ThreatQ.Adversary.Attribute.ID | number | The attribute ID of the adversary. |
ThreatQ.Adversary.Attribute.Name | string | The attribute name of the adversary. |
ThreatQ.Adversary.Attribute.Value | string | The attribute value of the adversary. |
ThreatQ.Adversary.UpdatedAt | date | The last update date of the adversary. |
ThreatQ.Adversary.CreatedAt | date | The creation date of the adversary. |
Command Example
!threatq-edit-adversary id=23 name="New Adversary Name"
Human Readable Output
25. Edit an indicator
Updates an indicator in ThreatQ.
Base Command
threatq-edit-indicator
Input
Argument Name | Description | Required |
---|---|---|
id | The ID of the indicator. | Required |
value | The new value of the indicator. | Optional |
type | The new type of the indicator, such as Email Address, Filename, Binary String, and so on. | Optional |
description | The description of the indicator. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Indicator.ID | number | The ID of the indicator. |
ThreatQ.Indicator.Source.ID | number | The source ID of the indicator. |
ThreatQ.Indicator.Source.Name | string | The source name of the indicator. |
ThreatQ.Indicator.Attribute.ID | number | The attribute ID of the indicator. |
ThreatQ.Indicator.Attribute.Name | string | The attribute name of the indicator. |
ThreatQ.Indicator.Attribute.Value | string | The attribute value of the indicator. |
ThreatQ.Indicator.CreatedAt | date | The creation date of the indicator. |
ThreatQ.Indicator.UpdatedAt | date | The last update date of the indicator. |
ThreatQ.Indicator.Description | string | The description of the indicator. |
ThreatQ.Indicator.Value | string | The value of the indicator. |
ThreatQ.Indicator.Status | string | The status of the indicator. |
ThreatQ.Indicator.Type | string | The type of the indicator. For example, IP Address. |
ThreatQ.Indicator.TQScore | number | The ThreatQ Score of the indicator. |
Command Example
!threatq-edit-indicator id=173317 description="This is a new description" type="Email Address" value=goo@test.com
Human Readable Output
26. Edit an event
Updates an event in ThreatQ.
Base Command
threatq-edit-event
Input
Argument Name | Description | Required |
---|---|---|
id | The ID of the Event. | Required |
title | The new title of the event. | Optional |
date | The date the event happened. Can be: YYYY-mm-dd HH:MM:SS or YYYY-mm-dd. | Optional |
type | Type of the event, such as DoS Attack, Malware, Watchlist, and so on. | Optional |
description | Description of the event. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Event.ID | number | The ID of the event. |
ThreatQ.Event.Source.ID | number | The source ID of the event. |
ThreatQ.Event.Source.Name | string | The source name of the event. |
ThreatQ.Event.Attribute.ID | number | The attribute ID of the event. |
ThreatQ.Event.Attribute.Name | string | The attribute name of the event. |
ThreatQ.Event.Attribute.Value | string | The attribute value of the event. |
ThreatQ.Event.UpdatedAt | date | The last update date of the event. |
ThreatQ.Event.CreatedAt | date | The creation date of the event. |
ThreatQ.Event.Type | string | The type of the event. |
ThreatQ.Event.Description | string | The description of the event. |
ThreatQ.Event.Title | string | The title of the event. |
ThreatQ.Event.Occurred | date | The date that the event happened. |
Command Example
!threatq-edit-event id=1 date="2019-09-30 21:00:00" description="The event will take place in Expo Tel Aviv" type="Command and Control"
Human Readable Output
27. Update a score of an indicator
Modifies an indicator's score in ThreatQ. The final indicator score is the highest of the manual and generated scores.
Base Command
threatq-update-score
Input
Argument Name | Description | Required |
---|---|---|
id | The ID of the indicator. | Required |
score | The manual indicator score. Can be: "Generated Score" or "1", "2", "3", "4", "5", "6", "7", "8", "9" or "10". | Required |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Indicator.ID | number | The ID of the indicator. |
ThreatQ.Indicator.Source.ID | number | The source ID of the indicator. |
ThreatQ.Indicator.Source.Name | string | The source name of the indicator. |
ThreatQ.Indicator.Attribute.ID | number | The attribute ID of the indicator. |
ThreatQ.Indicator.Attribute.Name | string | The attribute name of the indicator. |
ThreatQ.Indicator.Attribute.Value | string | The attribute value of the indicator. |
ThreatQ.Indicator.CreatedAt | date | The creation date of the indicator. |
ThreatQ.Indicator.UpdatedAt | date | The last update date of the indicator. |
ThreatQ.Indicator.Description | string | The description of the indicator. |
ThreatQ.Indicator.Value | string | The value of the indicator. |
ThreatQ.Indicator.Status | string | The status of the indicator. |
ThreatQ.Indicator.Type | string | The type of the indicator. For example, IP Address. |
ThreatQ.Indicator.TQScore | number | The ThreatQ Score of the indicator. |
Command Example
!threatq-update-score id=173317 score=2
Human Readable Output
28. Download a file to Demisto
Downloads a file from ThreatQ to Demisto.
Base Command
threatq-download-file
Input
Argument Name | Description | Required |
---|---|---|
id | The ID of the file. | Required |
Command Example
!threatq-download-file id=88
Human Readable Output
29. Get all indicators
Retrieves all indicators in ThreatQ.
Base Command
threatq-get-all-indicators
Input
Argument Name | Description | Required |
---|---|---|
page | The result page number to return. Default is 0. | Optional |
limit | The maximum number of indicators to return. Default is 50. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Indicator.ID | number | ID of the indicator. |
ThreatQ.Indicator.Source.ID | number | Source ID of the indicator. |
ThreatQ.Indicator.Source.Name | string | Source name of the indicator. |
ThreatQ.Indicator.Attribute.ID | number | Attribute ID of the indicator. |
ThreatQ.Indicator.Attribute.Name | string | Attribute name of the indicator. |
ThreatQ.Indicator.Attribute.Value | string | Attribute value of the indicator. |
ThreatQ.Indicator.CreatedAt | date | The creation date of the indicator. |
ThreatQ.Indicator.UpdatedAt | date | The last update date of the indicator. |
ThreatQ.Indicator.Description | string | The description of the indicator. |
ThreatQ.Indicator.Value | string | The value of the indicator. |
ThreatQ.Indicator.Status | string | The status of the indicator. |
ThreatQ.Indicator.Type | string | The type of the indicator. For example, IP Address. |
ThreatQ.Indicator.TQScore | number | The ThreatQ Score of the indicator. |
Command Example
!threatq-get-all-indicators limit=30 page=10
Human Readable Output
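Worked example, added here and not part of the integration's own code: Python that resolves an indicator's final score the way section 27 describes (the higher of the manual and generated scores, with "Generated Score" meaning no manual override), applies the instance's indicator threshold (minimum TQ score to treat the indicator as malicious), and walks result pages the way the page and limit arguments of threatq-get-all-indicators are described. The fetch callback, the constructed sample indicators, and the 200-per-page cap applied to indicators are assumptions; an automation would obtain real pages from the command.

```python
from typing import Callable, Dict, Iterator, List

# Assumption: the 200-object cap stated for threatq-get-all-adversaries also applies here.
MAX_PAGE_LIMIT = 200

# The valid values of the threatq-update-score `score` argument besides "Generated Score".
MANUAL_SCORES = {str(n) for n in range(1, 11)}


def effective_score(generated: int, manual: str = "Generated Score") -> int:
    """Final score after threatq-update-score: the higher of manual and generated.

    "Generated Score" clears the manual override, so only the generated score counts.
    """
    if manual == "Generated Score":
        return generated
    if manual not in MANUAL_SCORES:
        raise ValueError(f"invalid manual score: {manual!r}")
    return max(generated, int(manual))


def is_malicious(indicator: Dict, threshold: int) -> bool:
    """Apply the instance's indicator threshold to a ThreatQ.Indicator context entry."""
    return indicator["TQScore"] >= threshold


def iter_all_indicators(fetch_page: Callable[[int, int], List[Dict]],
                        limit: int = 50) -> Iterator[Dict]:
    """Page through (page, limit) results until a short page signals the end."""
    limit = min(limit, MAX_PAGE_LIMIT)
    page, seen = 0, set()
    while True:
        batch = fetch_page(page, limit)
        for ind in batch:
            if ind["ID"] in seen:  # pages can shift if indicators are added mid-walk
                continue
            seen.add(ind["ID"])
            yield ind
        if len(batch) < limit:
            return
        page += 1


def flag_indicators(fetch_page, threshold: int, limit: int = 50) -> List[int]:
    """IDs of every indicator whose final score meets the threshold."""
    return [i["ID"] for i in iter_all_indicators(fetch_page, limit) if is_malicious(i, threshold)]


# Constructed sample data shaped like ThreatQ.Indicator context entries (not real ThreatQ data).
SAMPLE_INDICATORS = [
    {"ID": 173317, "Value": "goo@test.com", "Type": "Email Address", "TQScore": effective_score(4, "2")},
    {"ID": 173318, "Value": "198.51.100.7", "Type": "IP Address", "TQScore": effective_score(3, "9")},
    {"ID": 173319, "Value": "example.test", "Type": "FQDN", "TQScore": effective_score(7)},
]


def sample_fetch_page(page: int, limit: int) -> List[Dict]:
    """Stand-in for the command call; slices the constructed list like a paged API."""
    start = page * limit
    return SAMPLE_INDICATORS[start:start + limit]
```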
30. Get a list of events
Retrieves all events in ThreatQ.
Base Command
threatq-get-all-events
Input
Argument Name | Description | Required |
---|---|---|
page | The result page number to return. Default is 0. | Optional |
limit | The maximum number of events to return. Default is 50. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Event.ID | number | The ID of the event. |
ThreatQ.Event.Source.ID | number | The source ID of the event. |
ThreatQ.Event.Source.Name | string | The source name of the event. |
ThreatQ.Event.Attribute.ID | number | The attribute ID of the event. |
ThreatQ.Event.Attribute.Name | string | The attribute name of the event. |
ThreatQ.Event.Attribute.Value | string | The attribute value of the event. |
ThreatQ.Event.UpdatedAt | date | The last update date of the event. |
ThreatQ.Event.CreatedAt | date | The creation date of the event. |
ThreatQ.Event.Type | string | The type of the event. |
ThreatQ.Event.Description | string | The description of the event. |
ThreatQ.Event.Title | string | The title of the event. |
ThreatQ.Event.Occurred | date | The date the event happened. |
Command Example
!threatq-get-all-events limit=30 page=10
Human Readable Output
31. Get a list of all adversaries
Returns all adversaries in ThreatQ.
Base Command
threatq-get-all-adversaries
Input
Argument Name | Description | Required |
---|---|---|
page | The result page number to return. Default is 0. | Optional |
limit | The maximum number of objects to return in one response (maximum is 200). | Optional |
Context Output
Path | Type | Description |
---|---|---|
ThreatQ.Adversary.Name | string | The name of the adversary. |
ThreatQ.Adversary.ID | number | The ID of the adversary. |
ThreatQ.Adversary.Source.ID | number | The source ID of the adversary. |
ThreatQ.Adversary.Source.Name | string | The source name of the adversary. |
ThreatQ.Adversary.Attribute.ID | number | The attribute ID of the adversary. |
ThreatQ.Adversary.Attribute.Name | string | The attribute name of the adversary. |
ThreatQ.Adversary.Attribute.Value | string | The attribute value of the adversary. |
ThreatQ.Adversary.UpdatedAt | date | The last update date of the adversary. |
ThreatQ.Adversary.CreatedAt | date | The creation date of the adversary. |
Command Example
!threatq-get-all-adversaries limit=30 page=10
Human Readable Output