Skip to main content
Skip table of contents

Anomali ThreatStream

LAST UPDATED: SEPTEMBER 18, 2025

Overview

Anomali ThreatStream automates the threat intelligence collection and management lifecycle to speed detection, streamline investigations and increase analyst productivity. Anomali ThreatStream integration enables organizations to expedite threat intelligence lifecycle management.

D3 SOAR is providing REST operations to function with Anomali ThreatStream.

Anomali ThreatStream is available for use in:

D3 SOAR

V12.7.83.0+

Category

Threat Intelligence

Deployment Options

Option II, Option IV

Connection

To connect to Anomali ThreatStream from D3 SOAR, follow this part to collect the required information below:

Parameter

Description

Example

Server URL

The server URL of the Anomali instance.

https://api.threatstream.com

User Name

The user email address associated with the ThreatStream account.

username@example.com

API Key

The API key used to authenticate the connection. Obtain the username and API key from the My Profile tab in ThreatStream settings.

ed35*****417b

API Version

The version of the API to use for the connection.

v1

Configuring D3 SOAR to Work with Anomali ThreatStream

  1. Log in to D3 SOAR.

  2. Find the Anomali ThreatStream integration.

    Group 2 (2).png

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Anomali ThreatStream in the search box to find the integration, then click it to select it.

    4. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Anomali ThreatStream.

    Group 5 (3).png

    1. Connection Name: The desired name for the connection.

    2. Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.

    4. Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): The description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.

      kSebLkizxcRtcUby01imwYSAMqmnraUWOvfNrHDCXQGLSx-_TcDJObA7juhHTwDNcIsUOihkHfIlSswrA-k_raDgZSs-OzUq5-5YZCtwKNyGwFSmYpKQQDuxJ2dpbU01rcwkCLhDnaLpGsR3gfacdQ (1).png

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: The checkbox that enables the connection to be used when selected.

    9. System Reputation Check: Selecting one or more reputation checkboxes will run the corresponding check reputation commands under this integration connection to enrich the corresponding artifacts with reputation details.

      For example, an integration connection named "ConnectionA" is configured with the "Sandbox" site. All URL artifacts from the "Sandbox" site will undergo a reputation check using the Check URL Reputation command from that integration. The return data output from this command will then be used to update the risk level of artifacts, which may affect the risk level of incoming events.

    10. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      Group 7 (1).png

      1. Input the domain level Server URL. The default value is https://api.threatstream.com.
      2. Input the User Name.
      3. Input the API Key.
      4. Input the API Version. The default value is v2.

    11. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

    12. Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.

  4. Test the connection.

    Group 13.png

    1. Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.

    2. Click OK to close the alert window.

    3. Click Add to create and add the configured connection.

Commands

Anomali ThreatStream includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, users can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Anomali ThreatStream API, refer to the Anomali ThreatStream API reference.

Check Domain Reputation

Retrieves the reputation of the specified domains that have been assigned to observables by ThreatStream's predictive analytics technology.

READER NOTE

If the input domains are invalid, the command will run successfully with no returned results.

Input

Input Parameter

Required/Optional

Description

Example

Domains

Required

The domains to perform the reputation check.

JSON 
[
  "coinrow.net"
]

Limit

Optional

The maximum number of items to return. The valid range is 1 to 1000. By default, 1000 items are returned. To return all items, enter -1.

2

Output

To view the sample output data for all commands, refer to this article.

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return key fields:

Return Data

Key Fields

1

High

2

Medium

3

Low

4

Default

5

ZeroRisk

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check Domain Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check Domain Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check Email Reputation

Retrieves the reputation of the specified email addresses that have been assigned to observables by ThreatStream's predictive analytics technology.

READER NOTE

If the input email addresses are invalid, the command will run successfully with no returned results.

Input

Input Parameter

Required/Optional

Description

Example

Emails

Required

The email addresses to perform the reputation check.

JSON 
[
  "user@example.com"
]

Limit

Optional

The maximum number of items to return. The valid range is 1 to 1000. By default, 1000 items are returned. To return all items, enter -1.

2

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check Email Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check Email Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check File Reputation

Retrieves reputation of the specified files that have been assigned to observables by ThreatStream's predictive analytics technology.

READER NOTE

If the input file hashes are invalid, the command will run successfully with no returned results. Note: Only SHA1 and MD5 hashes are supported.

Input

Input Parameter

Required/Optional

Description

Example

File Hashes

Required

The file hashes to perform the reputation check. Note: SHA1 and MD5 hashes are supported.

JSON 
[
  "55d1*****b753"
]

Limit

Optional

The maximum number of items to return. The valid range is 1 to 1000. By default, 1000 items are returned. To return all items, enter -1.

2

Output

To view the sample output data for all commands, refer to this article.

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

Return Data

Key Fields

1

High

2

Medium

3

Low

4

Default

5

ZeroRisk

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check File Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check File Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check IP Reputation

Retrieves reputation of the specified IP addresses that have been assigned to observables by ThreatStream's predictive analytics technology.

READER NOTE

If the input IP addresses are invalid, the command will run successfully with no returned results.

Input

Input Parameter

Required/Optional

Description

Example

IP Addresses

Required

The IP addresses to perform the reputation check.

JSON 
[
  "***.***.***.***"
]

Limit

Optional

The maximum number of items to return. The valid range is 1 to 1000. By default, 1000 items are returned. To return all items, enter -1.

2

Output

To view the sample output data for all commands, refer to this article.

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

Return Data

Key Fields

1

High

2

Medium

3

Low

4

Default

5

ZeroRisk

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check IP Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check IP Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check URL Reputation

Retrieves the reputation of the specified URLs that have been assigned to observables by ThreatStream's predictive analytics technology.

Input

Input Parameter

Required/Optional

Description

Example

URLs

Required

The URLs to perform the reputation check.

JSON 
[
  "http://www.test.com/"
]

Limit

Optional

The maximum number of items to return. The valid range is 1 to 1000. By default, 1000 items are returned. To return all items, enter -1.

2

Output

To view the sample output data for all commands, refer to this article.

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

Return Data

Key Fields

1

High

2

Medium

3

Low

4

Default

5

ZeroRisk

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check URL Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check URL Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Get Indicators

Retrieves indicators and their corresponding information based on the given query conditions.

Input

Input Parameter

Required/Optional

Description

Example

Query

Optional

The query statement to filter results.

status=active=suspicious_ip=created_ts

Limit

Optional

The maximum number of fields to return. The valid range is 1 to 1000. By default, 1000 fields are returned.

20

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Indicators failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Get Indicators failed.

Status Code: 400.

Message: One or more errors occurred.

Get Passive DNS

Returns enrichment data for the specified domain, IP, and URL observables available on ThreatStream.

Input

Input Parameter

Required/Optional

Description

Example

IOCs

Required

The values of the indicators to search. Indicators can be IP addresses or domains.

JSON 
[
  "***.***.***.***",
  "***.***.***.***"
]

Type

Required

The type of indicator to search. Available options are:

  • IP

  • Domain

Domain

Limit

Optional

This parameter is deprecated. The maximum number of items to return.

50

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Passive DNS failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Get Passive DNS failed.

Status Code: 400.

Message: One or more errors occurred.

Import Without Approval

Imports structured threat data (observables) into ThreatStream without requiring approval of the imported data through the ThreatStream UI.

READER NOTE

  • Users must have the Approve Intel user permission to import without approval. Organization admins can grant this permission from the ThreatStream UI.

  • All input parameters are meta settings.

File ID and File Source

It is not recommended to use the Test Command feature with the Import Without Approval command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:

  1. Navigate to Configuration on the top bar menu.

  2. Click on Utility Commands on the left sidebar menu.

  3. Use the search box to find and select the Create a File from input Text Array command.

  4. Click on the Test tab.

  5. Input the required information for the parameters.

  6. Click on the Test Command button. A D3 File ID will appear in the output data after the file has been successfully created. The D3 File Source of the created file will be Playbook File.

    Frame 5.png

Input

Input Parameter

Required/Optional

Description

Example

Allow Unresolved Domain

Optional

Whether to accept unresolved domain observables in the imported file as valid when set to True.

True

Confidence

Optional

The level of certainty that an observable matches its reported indicator type. Confidence scores range from 0 to 100. ThreatStream assigns scores only to domain, IP, and URL observables. For all other observable types, a confidence value must be specified either globally or for each observable.

50

Source Confidence Weight

Optional

The weight assigned to source confidence. A value of 100 uses only the specified value from the Confidence parameter. When set to 100, the Confidence parameter must be specified. Observables with a weight of 100 are made private to the organization, regardless of classification settings.

100

Classification

Optional

Whether the observables are public or private to the organization. By default, the value is set to Public.

Public

Expiration Time

Optional

The expiration timestamp for the observable in ISO format (UTC). By default, the value is 90 days.

2022-01-01T00:00:00

Severity

Optional

The potential impact of the indicator type associated with the observable. Available options are:

  • Very High

  • High

  • Medium

  • Low

A default severity value is assigned to each imported observable based on its indicator type. Refer to the Severity field in the ThreatStream UI Help for a list of default values by indicator type.

Medium

Tags

Optional

The tags applied to imported observables. Tags can be made private to the organization by setting the tag’s tlp attribute to red. For example:

JSON 
[
  {
    "name": "my_private_tag",
    "tlp": "red"
  },
  {
    "name": "malware",
    "tlp": "white"
  }
]
JSON 
[
  "tag1",
  "tag2"
]

Trusted Circles

Optional

The IDs of trusted circles with which to share the threat data. Use comma-separated IDs for multiple circles.

Finding the ID of a Trusted Circle

To find the ID of a trusted circle, locate it in ThreatStream and click its name. The ID appears in the URL displayed in the address bar, for example: https://ui.threatstream.com/search?trustedcircles=13.

JSON 
[
  *****
]

Submission Type

Required

The method of providing data to import. File requires file IDs and file source. JSON Object requires the Objects parameter.

File

File IDs

Optional

The IDs of indicator JSON files to be imported. This parameter is used when the Submission Type is File, and the file path format depends on the File Source.

JSON 
[
  "*****"
]

File Source

Optional

The file source for the files to be imported. This parameter is used when the Submission Type is File. Available options are:

  • IR Attachment: Manually uploaded file from Incident

  • Playbook File: Output from another Task

  • Artifact File: Ingested Artifact in an Event

By default, the value is set to IR Attachment.

IR Attachment

Objects

Optional

The observables to be imported. This parameter is used when the Submission Type is JSON.

  • For domains, include domain and itype.

  • For emails, include email, itype, and confidence.

  • For hashes, include md5, itype, and confidence.

  • For IPs, include srcip and itype.

  • For URLs, include url and itype

JSON 
[
  {
    "srcip": "1.2.3.4",
    "Itype": "bot_ip",
    "Tags": [
      "Malware",
      "Windows-XP",
      "DSL"
    ],
    "severity": "high"
  },
  {
    "domain": "idfsdszqylwjzq.biz",
    "itype": "mal_domain",
    "Severity": "very-high"
  },
  {
    "url": "http://malicious.pl/wp-content/themes/credenza-wp/cr_mss3.exe",
    "itype": "mal_url",
    "severity": "high"
  },
  {
    "email": "email@domain.com",
    "itype": "compromised_email",
    "tags": [
      "Credential-Exposure",
      "Breach"
    ],
    "severity": "low"
  },
  {
    "md5": "1d37556b8aeb5cb5fbf08cd5b4790075",
    "itype": "apt_md5",
    "severity": "medium",
    "expiration_ts": "2017-01-26T00:00:00"
  }
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Import Without Approval failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Import Without Approval failed.

Status Code: 401.

Message: Unauthorized.

Submit to Sandbox

Submits files or URLs to the ThreatStream-hosted Sandbox.

Input

Input Parameter

Required/Optional

Description

Example

Submission Type

Required

The type of content to submit to the Sandbox. Available options are:

  • File

  • URL

File

Submission Content

Required

The File IDs or URLs to submit to the Sandbox. When Submission Type is File, the value must be File IDs. When Submission Type is URL, the value must be URLs. Separate multiple entries with commas.

JSON 
[
  "*****"
]

Report Classification

Optional

Whether the submissions are public or private to the organization. By default, the value is set to Private.

Public

Submission Platform

Required

The platform on which the submissions will run. Available options depend on the Sandbox configuration:

  • Default ThreatStream Sandbox

    • ALL

    • WINDOWSXP

    • WINDOWS7

  • ThreatStream Joe Sandbox

    • MACOSX

    • WINDOWS7

    • WINDOWS7OFFICE2010

    • WINDOWS10x64

  • Joe Sandbox (individual subscription)

    • ANDROID4.4

    • ANDROID5.1

    • ANDROID6.0

    • MACOSX

    • WINDOWSXP

    • WINDOWSXPNATIVE

    • WINDOWS7

    • WINDOWS7NATIVE

    • WINDOWS7OFFICE2010

    • WINDOWS7OFFICE2013

    • WINDOWS10

    • WINDOWS10x64

WINDOWS7

Use Premium Sandbox

Optional

Whether to use the premium Sandbox for detonation. Set to True if the organization has access to the premium Sandbox. If no value is set, the default Cuckoo Sandbox is used.

True

Notes

Optional

A comma-separated list providing additional details for imported observables. The information is displayed in the Tag column of the ThreatStream UI.

JSON 
[
  "Credential-Exposure",
  "compromised_email"
]

Trusted Circles

Optional

The IDs of trusted circles with which to share the Sandbox data. Use comma-separated IDs for multiple circles.

JSON 
[
  *****
]

File Source

Optional

The file source for the files to be submitted. This parameter is used when the Submission Type is File. Available options are:

  • IR Attachment: Manually uploaded file from Incident

  • Playbook File: Output from another Task

  • Artifact File: Ingested Artifact in an Event

By default, the value is set to IR Attachment.

IR Attachment

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Submit to Sandbox failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Submit to Sandbox failed.

Status Code: 401.

Message: Unauthorized.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: API access error.

Error Sample Data

Test Connection failed.

Status Code: 401.

Message: API access error.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close