Skip to main content
Skip table of contents

Anomali ThreatStream

LAST UPDATED: 05/30/2024

Overview

Anomali ThreatStream automates the threat intelligence collection and management lifecycle to speed detection, streamline investigations and increase analyst productivity. Anomali ThreatStream integration enables organizations to expedite threat intelligence lifecycle management.

D3 SOAR is providing REST operations to function with Anomali ThreatStream.

Anomali ThreatStream is available for use in:

D3 SOAR

V12.7.83.0+

Category

Threat Intelligence

Deployment Options

Option II, Option IV

Connection

To connect to Anomali ThreatStream from D3 SOAR, please follow this part to collect the required information below:

Parameter

Description

Example

Server Url

The server URL of the Anomali instance.

https://api.threatstream.com

User Name

The user email address associated with your ThreatStream account.

username@example.com

API Key

The API key to authenticate the connection. You can reference your username and API Key on the My Profile tab within ThreatStream settings.

ed35****c16aefbb44953565adc17187****417b

API Version

The version of the API to use for the connection.

v1

Configuring D3 SOAR to Work with Anomali ThreatStream

  1. Log in to D3 SOAR.

  2. Find the Anomali ThreatStream integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Anomali ThreatStream in the search box to find the integration, then click it to select it.

    4. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Anomali ThreatStream.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Configure User Permissions: Defines which users have access to the connection.

    7. Active: Check the tick box to ensure the connection is available for use.

    8. System Reputation Check: Checking one or more reputation check tickboxes will run the corresponding check reputation command(s) under this integration connection to enrich the corresponding artifacts with reputation details. 

      For example, we are configuring an integration connection named “ConnectionA” with the site “Sandbox”. All IP artifacts from the “Sandbox” site will go through a reputation check using the Check IP Reputation command from that integration. The return data output from running the command will then be used to update the risk level of the artifacts which may affect the risk level of incoming events.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Input your domain level Server URL. The default value is https://api.threatstream.com.
      2. Input your User Name.
      3. Input your API Key.
      4. Input your API Version. The default value is v2.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click Add to create and add the configured connection.

Commands

Anomali ThreatStream includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Anomali ThreatStream API, please refer to the Anomali ThreatStream API reference.

Check Domain Reputation

Retrieves the reputation of the specified domains that have been assigned to observables by ThreatStream's predictive analytics technology.

Reader Note

If the input domains are invalid, the command will run successfully with no returned results.

Input

Input Parameter

Required/Optional

Description

Example

Domains

Optional

The domains to perform the reputation check.

["domian.net"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "objects": [
            {
                "status": "falsepos",
                "itype": "suspicious_url",
                "expiration_ts": "2020-05-20T03:22:40Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "longitude": -97.822,
                "org": "Google",
                "threat_type": "suspicious",
                "workgroups": [],
                "rdns": null,
                "confidence": 0,
                "uuid": "***-***-***-***-***",
                "subtype": null,
                "trusted_circle_ids": [
                    ***,
                    ***
                ],
                "id": ***,
                "source": "URLScan - CertStream",
                "owner_organization_id": 2,
                "import_session_id": null,
                "latitude": 37.751,
                "type": "url",
                "sort": [
                    ***,
                    "***"
                ],
                "description": null,
                "tags": [
                    {
                        "id": "1",
                        "name": "name1"
                    },
                    {
                        "id": "2",
                        "name": "name2"
                    },
                    {
                        "id": "3",
                        "name": "name3"
                    }
                ],
                "threatscore": 0,
                "source_reported_confidence": 50,
                "modified_ts": "2020-02-20T03:35:56.57Z",
                "is_public": false,
                "asn": "***",
                "created_ts": "2020-02-20T03:35:56.57Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "can_add_public_tags": false,
                "value": "https://www.google.com/",
                "retina_confidence": 0,
                "meta": {
                    "registrant_address": "CA, UNITED STATES",
                    "severity": "medium",
                    "registration_created": "1997-09-14T21:00:00-07:00",
                    "registration_updated": "2019-09-09T08:39:04-07:00",
                    "detail2": "imported by user 668 Confirmed as false positive",
                    "registrant_org": "Google LLC"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            },
            {
                "status": "falsepos",
                "itype": "mal_url",
                "expiration_ts": "2020-03-05T19:57:02.952Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "https://www.google.com/",
                "is_public": true,
                "threat_type": "malware",
                "workgroups": [],
                "rdns": null,
                "confidence": 0,
                "uuid": "***-***-***-***-***",
                "retina_confidence": 0,
                "trusted_circle_ids": null,
                "id": ***,
                "source": "Emotet Scraper",
                "owner_organization_id": ***,
                "import_session_id": null,
                "latitude": 37.751,
                "type": "url",
                "sort": [
                    ***,
                    "***"
                ],
                "description": null,
                "tags": null,
                "threatscore": 0,
                "source_reported_confidence": 14,
                "modified_ts": "2019-12-07T19:57:08.053Z",
                "org": "Google",
                "asn": "***",
                "created_ts": "2019-12-07T19:57:08.053Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "can_add_public_tags": false,
                "longitude": -97.822,
                "subtype": null,
                "meta": {
                    "registrant_address": "CA, UNITED STATES",
                    "severity": "very-high",
                    "registration_created": "1997-09-14T21:00:00-07:00",
                    "registration_updated": "2019-09-09T08:39:04-07:00",
                    "detail2": "imported by user 17997 Confirmed as false positive",
                    "registrant_org": "Google LLC"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            }
        ],
        "meta": {
            "total_count": 2,
            "offset": 0,
            "limit": 1000,
            "took": 32,
            "next": null
        }
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $[*].objects in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "Confidence": 0,
        "Severity": "medium",
        "Created": "2020-02-20T03:35:56.57Z",
        "Modified": "2020-02-20T03:35:56.57Z",
        "itype": "suspicious_url",
        "Source": "URLScan - CertStream",
        "Status": "falsepos",
        "RiskScore": 0,
        "Reputation": 0,
        "ASN": "***",
        "Country": "US",
        "Latitude": 37.751,
        "Longitude": -97.822,
        "Organization": "Google",
        "IPAddress": "1.1.1.1",
        "Details": "imported by user 668 Confirmed as false positive",
        "url": "https://www.google.com/",
        "riskLevel": "2"
    },
    {
        "Confidence": 0,
        "Severity": "very-high",
        "Created": "2019-12-07T19:57:08.053Z",
        "Modified": "2019-12-07T19:57:08.053Z",
        "itype": "mal_url",
        "Source": "Emotet Scraper",
        "Status": "falsepos",
        "RiskScore": 0,
        "Reputation": 0,
        "ASN": "***",
        "Country": "US",
        "Latitude": 37.751,
        "Longitude": -97.822,
        "Organization": "Google",
        "IPAddress": "1.1.1.1",
        "Details": "imported by user 17997 Confirmed as false positive",
        "url": "https://www.google.com/",
        "riskLevel": "1"
    },
    {
        "Confidence": 92,
        "Severity": "medium",
        "Created": "2020-06-23T09:35:13.455Z",
        "Modified": "2020-10-10T07:44:16.287Z",
        "itype": "phish_url",
        "Source": "URLScan - CertStream",
        "Status": "inactive",
        "RiskScore": 74,
        "Reputation": 0.74,
        "ASN": "",
        "Country": null,
        "Latitude": null,
        "Longitude": null,
        "Organization": "",
        "IPAddress": null,
        "Details": "bifocals_deactivated_on_2020-10-10_07:40:00.071859",
        "url": "https://whatsapp18plus.kozow.com/",
        "riskLevel": "2"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "URLs": [
        "https://www.google.com/",
        "https://whatsapp18plus.kozow.com/"
    ],
    "RiskLevels": [
        "High",
        "Medium"
    ]
}
Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "url": "https://www.google.com/",
        "total": "2",
        "positives": "2",
        "riskLevel": 1,
        "riskScore": "2/2"
    },
    {
        "url": "https://whatsapp18plus.kozow.com/",
        "total": "1",
        "positives": "1",
        "riskLevel": 2,
        "riskScore": "1/1"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CONFIDENCE

SEVERITY

CREATED

MODIFIED

ITYPE

SOURCE

STATUS

RISKSCORE

REPUTATION

ASN

COUNTRY

LATITUDE

LONGITUDE

ORGANIZATION

IPADDRESS

DETAILS

URL

RISKLEVEL

0

medium

2/20/2020 3:35:56 AM

2/20/2020 3:35:56 AM

suspicious_url

URLScan - CertStream

falsepos

0

0


US

37.751

-97.822

Google

172.217.29.164

imported by user 668 Confirmed as false positive

https://www.google.com/

2

0

very-high

12/7/2019 7:57:08 PM

12/7/2019 7:57:08 PM

mal_url

Emotet Scraper

falsepos

0

0


US

37.751

-97.822

Google

64.233.185.99

imported by user 17997 Confirmed as false positive

https://www.google.com/

1

92

medium

6/23/2020 9:35:13 AM

10/10/2020 7:44:16 AM

phish_url

URLScan - CertStream

inactive

74

0.74

bifocals_deactivated_on_2020-10-10_07:40:00.071859

https://whatsapp18plus.kozow.com/

2

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return key fields:

Return Data

Key Fields

1

High

2

Medium

3

Low

4

Default

5

ZeroRisk

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check Domain Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check Domain Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check Email Reputation

Retrieves the reputation of the specified email addresses that have been assigned to observables by ThreatStream's predictive analytics technology.

Reader Note

If the input email addresses are invalid, the command will run successfully with no returned results.

Input

Input Parameter

Required/Optional

Description

Example

Emails

Optional

The email addresses to perform the reputation check.

["user@example.com"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "objects": [
            {
                "source_created": null,
                "status": "inactive",
                "itype": "compromised_email",
                "expiration_ts": "2020-06-21T19:10:52.408Z",
                "ip": null,
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "***",
                "is_public": false,
                "threat_type": "compromised",
                "workgroups": [],
                "rdns": null,
                "confidence": 100,
                "uuid": "***-***-***-***-***",
                "retina_confidence": -1,
                "trusted_circle_ids": [
                    ***
                ],
                "id": 55703048722,
                "source": "Anomali Labs Compromised Credentials",
                "owner_organization_id": 2,
                "import_session_id": null,
                "source_modified": null,
                "type": "email",
                "sort": [
                    ***,
                    "***"
                ],
                "description": null,
                "tags": [
                    {
                        "id": "pmo",
                        "name": "***"
                    }
                ],
                "threatscore": 20,
                "latitude": null,
                "modified_ts": "2020-06-23T18:51:15.503Z",
                "org": "",
                "asn": "",
                "created_ts": "2020-06-07T19:11:01.126Z",
                "tlp": null,
                "is_anonymous": false,
                "country": null,
                "source_reported_confidence": 100,
                "can_add_public_tags": false,
                "longitude": null,
                "subtype": null,
                "meta": {
                    "detail2": "bifocals_deactivated_on_2020-06-23_18:50:00.042873",
                    "severity": "low"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            }
        ],
        "meta": {
            "total_count": 1,
            "offset": 0,
            "limit": 1000,
            "took": 19,
            "next": null
        }
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $[*].objects in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "Confidence": 100,
        "Severity": "low",
        "Created": "2020-06-07T19:11:01.126Z",
        "Modified": "2020-06-23T18:51:15.503Z",
        "itype": "compromised_email",
        "Source": "Anomali Labs Compromised Credentials",
        "Status": "inactive",
        "RiskScore": 20,
        "Reputation": 0.2,
        "Details": "bifocals_deactivated_on_2020-06-23_18:50:00.042873",
        "emailAddress": "user@example.com",
        "riskLevel": "3"
    },
    {
        "Confidence": 100,
        "Severity": "high",
        "Created": "2019-09-02T17:43:51.872Z",
        "Modified": "2020-06-23T18:51:59.642Z",
        "itype": "compromised_email",
        "Source": "FirstEnergy",
        "Status": "inactive",
        "RiskScore": 20,
        "Reputation": 0.2,
        "Details": "bifocals_deactivated_on_2020-06-23_18:50:00.042873",
        "emailAddress": "user@example.com",
        "riskLevel": "1"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "EmailAddresses": [
        "user@example.com",
        "user@example.com"
    ],
    "RiskLevels": [
        "Low",
        "High"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
[
    {
        "emailAddress": "user@example.com",
        "total": "1",
        "positives": "0",
        "riskLevel": 3,
        "riskScore": "0/1"
    },
    {
        "emailAddress": "user@example.com",
        "total": "1",
        "positives": "1",
        "riskLevel": 1,
        "riskScore": "1/1"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CONFIDENCE

SEVERITY

CREATED

MODIFIED

ITYPE

SOURCE

STATUS

RISKSCORE

REPUTATION

DETAILS

EMAILADDRESS

RISKLEVEL

100

low

6/7/2020 7:11:01 PM

6/23/2020 6:51:15 PM

compromised_email

Anomali Labs Compromised Credentials

inactive

20

0.2

bifocals_deactivated_on_2020-06-23_18:50:00.042873

user@example.com

3

100

high

9/2/2019 5:43:51 PM

6/23/2020 6:51:59 PM

compromised_email

FirstEnergy

inactive

20

0.2

bifocals_deactivated_on_2020-06-23_18:50:00.042873

user@example.com

1

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check Email Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check Email Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check File Reputation

Retrieves reputation of the specified files that have been assigned to observables by ThreatStream's predictive analytics technology.

Reader Note

If the input file hashes are invalid, the command will run successfully with no returned results. Note: Only SHA1 and MD5 hashes are supported.

Input

Input Parameter

Required/Optional

Description

Example

File Hashes

Optional

The file hashes to perform the reputation check. Note: SHA1 and MD5 hashes are supported.

["55d1224bce61e06d06b38192ae12004b07adb753"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "objects": [
            {
                "source_created": null,
                "status": "inactive",
                "itype": "mal_md5",
                "expiration_ts": "2020-06-22T02:27:04.972Z",
                "ip": null,
                "is_editable": false,
                "feed_id": 0,
                "update_id": ***,
                "value": "***",
                "is_public": false,
                "threat_type": "malware",
                "workgroups": [],
                "rdns": null,
                "confidence": 100,
                "uuid": "***-***-***-***-***",
                "retina_confidence": -1,
                "trusted_circle_ids": [
                    ***,
                    ***
                ],
                "id": ***,
                "source": "FirstEnergy",
                "owner_organization_id": ***,
                "import_session_id": ***,
                "source_modified": null,
                "type": "md5",
                "sort": [
                    ***,
                    "***"
                ],
                "description": null,
                "tags": [
                    {
                        "id": "***",
                        "name": "Advisory 2019-131a: Emotet malware campaign"
                    },
                    {
                        "id": "***",
                        "name": "Australian Cyber Security Centre"
                    },
                    {
                        "id": "***",
                        "name": "emotet malware threat"
                    }
                ],
                "threatscore": ***,
                "latitude": null,
                "modified_ts": "2020-06-23T21:32:02.723Z",
                "org": "",
                "asn": "",
                "created_ts": "2020-03-24T02:27:19.172Z",
                "tlp": null,
                "is_anonymous": false,
                "country": null,
                "source_reported_confidence": 100,
                "can_add_public_tags": true,
                "longitude": null,
                "subtype": "MD5",
                "meta": {
                    "detail2": "bifocals_deactivated_on_2020-06-23_21:30:00.067265",
                    "severity": "high"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            }
        ],
        "meta": {
            "total_count": 1,
            "offset": 0,
            "limit": 1000,
            "took": 5,
            "next": null
        }
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $[*].objects in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "Confidence": 100,
        "Severity": "high",
        "Created": "2020-03-24T02:27:19.172Z",
        "Modified": "2020-06-23T21:32:02.723Z",
        "itype": "mal_md5",
        "Source": "FirstEnergy",
        "Status": "inactive",
        "RiskScore": 90,
        "Reputation": 0.9,
        "Details": "bifocals_deactivated_on_2020-06-23_21:30:00.067265",
        "fileHash": "***",
        "riskLevel": "1"
    },
    {
        "Confidence": 75,
        "Severity": "medium",
        "Created": "2020-06-23T18:37:02.757Z",
        "Modified": "2020-09-22T22:08:49.513Z",
        "itype": "mal_md5",
        "Source": "URLHaus Hashes",
        "Status": "inactive",
        "RiskScore": 68,
        "Reputation": 0.68,
        "Details": "bifocals_deactivated_on_2020-09-22_22:04:17.609308",
        "fileHash": "***",
        "riskLevel": "2"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "FileHashes": [
        "***",
        "***"
    ],
    "RiskLevels": [
        "High",
        "Medium"
    ]
}
Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "fileHash": "***",
        "total": "1",
        "positives": "1",
        "riskLevel": 1,
        "riskScore": "1/1"
    },
    {
        "fileHash": "***",
        "total": "1",
        "positives": "1",
        "riskLevel": 2,
        "riskScore": "1/1"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CONFIDENCE

SEVERITY

CREATED

MODIFIED

ITYPE

SOURCE

STATUS

RISKSCORE

REPUTATION

DETAILS

FILEHASH

RISKLEVEL

100

high

3/24/2020 2:27:19 AM

6/23/2020 9:32:02 PM

mal_md5

FirstEnergy

inactive

90

0.9

bifocals_deactivated_on_2020-06-23_21:30:00.067265


1

75

medium

6/23/2020 6:37:02 PM

9/22/2020 10:08:49 PM

mal_md5

URLHaus Hashes

inactive

68

0.68

bifocals_deactivated_on_2020-09-22_22:04:17.609308


2

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

Return Data

Key Fields

1

High

2

Medium

3

Low

4

Default

5

ZeroRisk

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check File Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check File Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check IP Reputation

Retrieves reputation of the specified IP addresses that have been assigned to observables by ThreatStream's predictive analytics technology.

Reader Note

If the input IP addresses are invalid, the command will run successfully with no returned results.

Input

Input Parameter

Required/Optional

Description

Example

IP Addresses

Optional

The IP addresses to perform the reputation check.

["1.1.1.1"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "objects": [
            {
                "source_created": null,
                "status": "inactive",
                "itype": "spam_ip",
                "expiration_ts": "2020-06-27T01:21:29Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "1.1.1.1",
                "is_public": false,
                "threat_type": "spam",
                "workgroups": [],
                "rdns": null,
                "confidence": 72,
                "uuid": "***-***-***-***-***",
                "retina_confidence": ***,
                "trusted_circle_ids": [
                    ***,
                    ***
                ],
                "id": ***,
                "source": "DNS Blacklist NIX Spam OSINT",
                "owner_organization_id": 2,
                "import_session_id": null,
                "source_modified": null,
                "type": "ip",
                "sort": [
                    ***,
                    "***"
                ],
                "description": null,
                "tags": null,
                "threatscore": 18,
                "latitude": 39.336,
                "modified_ts": "2020-06-30T21:29:24.378Z",
                "org": "Comcast Business",
                "asn": "***",
                "created_ts": "2020-04-29T23:23:51.852Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "source_reported_confidence": ***,
                "can_add_public_tags": false,
                "longitude": -76.7877,
                "subtype": null,
                "meta": {
                    "detail2": "bifocals_deactivated_on_2020-06-30_21:10:00.059127",
                    "severity": "high"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            },
            {
                "source_created": null,
                "status": "inactive",
                "itype": "spam_ip",
                "expiration_ts": "2020-06-23T03:20:43.901Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "1.1.1.1",
                "is_public": false,
                "threat_type": "spam",
                "workgroups": [],
                "rdns": null,
                "confidence": 72,
                "uuid": "***-***-***-***-***",
                "retina_confidence": 72,
                "trusted_circle_ids": [
                    146,
                    266
                ],
                "id": ***,
                "source": "NixSpam",
                "owner_organization_id": 2,
                "import_session_id": null,
                "source_modified": null,
                "type": "ip",
                "sort": [
                    ***,
                    "***"
                ],
                "description": null,
                "tags": null,
                "threatscore": 18,
                "latitude": 39.336,
                "modified_ts": "2020-06-24T12:01:10.122Z",
                "org": "Comcast Business",
                "asn": "7922",
                "created_ts": "2020-04-30T01:20:00.932Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "source_reported_confidence": 60,
                "can_add_public_tags": false,
                "longitude": -76.7877,
                "subtype": null,
                "meta": {
                    "detail2": "bifocals_deactivated_on_2020-06-24_12:00:00.091444",
                    "severity": "low"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            }
        ],
        "meta": {
            "total_count": 2,
            "offset": 0,
            "limit": 1000,
            "took": 25,
            "next": null
        }
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $[*].objects in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "Confidence": 72,
        "Severity": "high",
        "Created": "2020-04-29T23:23:51.852Z",
        "Modified": "2020-06-30T21:29:24.378Z",
        "itype": "spam_ip",
        "Source": "DNS Blacklist NIX Spam OSINT",
        "Status": "inactive",
        "RiskScore": 18,
        "Reputation": 0.18,
        "ASN": "7922",
        "Country": "US",
        "Latitude": 39.336,
        "Longitude": -76.7877,
        "Organization": "Comcast Business",
        "IPAddress": "1.1.1.1",
        "Hostname": null,
        "Details": "bifocals_deactivated_on_2020-06-30_21:10:00.059127",
        "ipAddress": "1.1.1.1",
        "riskLevel": "1"
    },
    {
        "Confidence": 72,
        "Severity": "low",
        "Created": "2020-04-30T01:20:00.932Z",
        "Modified": "2020-06-24T12:01:10.122Z",
        "itype": "spam_ip",
        "Source": "NixSpam",
        "Status": "inactive",
        "RiskScore": 18,
        "Reputation": 0.18,
        "ASN": "***",
        "Country": "US",
        "Latitude": 39.336,
        "Longitude": -76.7877,
        "Organization": "Comcast Business",
        "IPAddress": "1.1.1.1",
        "Hostname": null,
        "Details": "bifocals_deactivated_on_2020-06-24_12:00:00.091444",
        "ipAddress": "1.1.1.1",
        "riskLevel": "3"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "IPs": [
        "1.1.1.1",
        "2.2.2.2"
    ],
    "RiskLevels": [
        "Low",
        "High"
    ]
}
Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "ipAddress": "1.1.1.1",
        "total": "2",
        "positives": "1",
        "riskLevel": 3,
        "riskScore": "1/2"
    },
    {
        "ipAddress": "2.2.2.2",
        "total": "5",
        "positives": "3",
        "riskLevel": 1,
        "riskScore": "3/5"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CONFIDENCE

SEVERITY

CREATED

MODIFIED

ITYPE

SOURCE

STATUS

RISKSCORE

REPUTATION

ASN

COUNTRY

LATITUDE

LONGITUDE

ORGANIZATION

IPADDRESS

HOSTNAME

DETAILS

72

high

4/29/2020 11:23:51 PM

6/23/2020 6:43:00 PM

spam_ip

DNS Blacklist NIX Spam OSINT

inactive

18

0.18


US

39.336

-76.7877

Comcast Business

1.1.1.1

bifocals_deactivated_on_2020-06-23_18:40:00.076253

72

low

4/30/2020 1:20:00 AM

6/22/2020 3:22:40 AM

spam_ip

NixSpam

active

18

0.18


US

39.336

-76.7877

Comcast Business

2.2.2.2

bifocals_deactivated_on_2020-06-19_05:40:00.042847

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

Return Data

Key Fields

1

High

2

Medium

3

Low

4

Default

5

ZeroRisk

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check IP Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check IP Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check URL Reputation

Retrieves the reputation of the specified URLs that have been assigned to observables by ThreatStream's predictive analytics technology.

Input

Input Parameter

Required/Optional

Description

Example

URLs

Required

The URLs to perform the reputation check.

["http://www.test.com/"]

Status

Optional

The status (i.e. Active, Inactive, or All) assigned to the URL(s). If this parameter is not specified, the API will return only the URLs with the Active status.

All

Confidence

Optional

The lower limit of the range of confidence scores, which can vary between 1 and 100, to filter the URLs to perform the reputation check. For instance, if you input 50, URLs with a confidence level between 50 and 100 will be checked, and if you input 30, URLs with a confidence level between 30 and 100 will be checked.

Confidence scores indicate the likelihood that the URL(s) are of the reported indicator. These scores are assigned by ThreatStream based on several factors, and higher scores indicate greater confidence. By default, URLs with a confidence level of 50 or higher will be returned unless specified otherwise.

70

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "results": [
        {
            "objects": [
                {
                    "source_created": null,
                    "status": "active",
                    "itype": "apt_url",
                    "expiration_ts": "9999-12-31T00:00:00.000Z",
                    "ip": null,
                    "is_editable": false,
                    "feed_id": 0,
                    "update_id": ***,
                    "value": "http://www.test.com/",
                    "is_public": true,
                    "threat_type": "apt",
                    "workgroups": [],
                    "rdns": null,
                    "confidence": 100,
                    "uuid": "***-***-***-***-***",
                    "retina_confidence": -1,
                    "trusted_circle_ids": null,
                    "id": ***,
                    "source": "Analyst",
                    "owner_organization_id": ***,
                    "import_session_id": null,
                    "source_modified": null,
                    "type": "url",
                    "sort": [
                        ***,
                        "***"
                    ],
                    "description": null,
                    "tags": null,
                    "threatscore": 80,
                    "latitude": null,
                    "modified_ts": "2021-05-20T15:32:16.773Z",
                    "org": "",
                    "asn": "",
                    "created_ts": "2021-05-20T15:32:16.773Z",
                    "tlp": null,
                    "is_anonymous": false,
                    "country": null,
                    "source_reported_confidence": ***,
                    "can_add_public_tags": true,
                    "longitude": null,
                    "subtype": null,
                    "meta": {
                        "detail2": "imported by user 136",
                        "severity": "very-high"
                    },
                    "resource_uri": "/api/v2/intelligence/***/"
                }
            ],
            "meta": {
                "total_count": 1,
                "offset": 0,
                "limit": 1000,
                "took": 9,
                "next": null
            },
            "D3URLReputation": {
                "url": "http://www.test.com/",
                "total": "1",
                "positives": "1",
                "riskLevel": 1,
                "riskScore": "1/1"
            }
        }
    ],
    "errors": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "URLs": [
        "http://www.test.com/"
    ],
    "Severities": [
        "very-high"
    ]
}
Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "url": "http://www.test.com/",
        "total": "1",
        "positives": "1",
        "riskLevel": 1,
        "riskScore": "1/1"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

URL

TOTAL

POSITIVES

RISKLEVEL

RISKSCORE

RISKLEVELNAME

http://www.test.com/

1

1

1

1/1

High

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

Return Data

Key Fields

1

High

2

Medium

3

Low

4

Default

5

ZeroRisk

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check URL Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check URL Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Get Indicators

Retrieves indicators and their corresponding information based on the given query conditions.

Input

Input Parameter

Required/Optional

Description

Example

URLs

Required

The URLs to perform the reputation check.

["http://www.test.com/"]

Query

Optional

The query statement to filter results.

status=active=suspicious_ip=created_ts

Status

Optional

The status (i.e. Active, Inactive, or All) assigned to the URL(s). If this parameter is not specified, the API will return only the URLs with the Active status.

Active

Limit

Optional

The maximum number of indicators to return.

20

Confidence

Optional

The confidence level (ranging from 1 to 100) indicating the likelihood that the URL(s) are of the reported indicator. These scores are assigned by ThreatStream based on several factors, and higher scores indicate greater confidence. By default, URLs with a confidence level of 50 or higher will be returned unless specified otherwise.

NOT AVAILABLE

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "objects": [
            {
                "source_created": null,
                "status": "active",
                "itype": "suspicious_ip",
                "expiration_ts": "2020-09-21T16:21:27Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "1.1.1.1",
                "is_public": false,
                "threat_type": "suspicious",
                "workgroups": [],
                "rdns": null,
                "confidence": 1,
                "uuid": "***-***-***-***-***",
                "retina_confidence": 1,
                "trusted_circle_ids": [
                    ***,
                    ***
                ],
                "id": ***,
                "source": "InThreat",
                "owner_organization_id": 2,
                "import_session_id": null,
                "source_modified": null,
                "type": "ip",
                "sort": "***",
                "description": null,
                "tags": [
                    {
                        "id": "gc0",
                        "name": "cinsscore"
                    }
                ],
                "threatscore": 19,
                "latitude": 37.7353,
                "modified_ts": "2020-06-23T16:46:58.273Z",
                "org": "Digital Ocean",
                "asn": "***",
                "created_ts": "2020-06-23T16:46:14.821Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "source_reported_confidence": 10,
                "can_add_public_tags": false,
                "longitude": -122.3732,
                "subtype": null,
                "meta": {
                    "detail2": "imported by user 668",
                    "severity": "medium"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            },
            {
                "source_created": null,
                "status": "active",
                "itype": "suspicious_ip",
                "expiration_ts": "2020-09-21T16:21:27Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "1.1.1.1",
                "is_public": false,
                "threat_type": "suspicious",
                "workgroups": [],
                "rdns": null,
                "confidence": 77,
                "uuid": "***-***-***-***-***",
                "retina_confidence": 1,
                "trusted_circle_ids": [
                    ***,
                    ***
                ],
                "id": ***,
                "source": "InThreat",
                "owner_organization_id": 2,
                "import_session_id": null,
                "source_modified": null,
                "type": "ip",
                "sort": "***",
                "description": null,
                "tags": [
                    {
                        "id": "1f8",
                        "name": "cinsscore"
                    }
                ],
                "threatscore": 1,
                "latitude": 37.7353,
                "modified_ts": "2020-06-23T16:46:58.205Z",
                "org": "Digital Ocean",
                "asn": "***",
                "created_ts": "2020-02-28T12:15:54.328Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "source_reported_confidence": 10,
                "can_add_public_tags": false,
                "longitude": -122.3732,
                "subtype": null,
                "meta": {
                    "detail2": "imported by user 668 Confirmed as false positive",
                    "severity": "medium"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            },
            {
                "source_created": null,
                "status": "active",
                "itype": "suspicious_ip",
                "expiration_ts": "2020-09-21T16:21:27Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "1.1.1.1",
                "is_public": false,
                "threat_type": "suspicious",
                "workgroups": [],
                "rdns": null,
                "confidence": 1,
                "uuid": "***-***-***-***-***",
                "retina_confidence": 1,
                "trusted_circle_ids": [
                    ***,
                    ***
                ],
                "id": ***,
                "source": "InThreat",
                "owner_organization_id": 2,
                "import_session_id": null,
                "source_modified": null,
                "type": "ip",
                "sort": "***",
                "description": null,
                "tags": [
                    {
                        "id": "adc",
                        "name": "cinsscore"
                    }
                ],
                "threatscore": 1,
                "latitude": 37.7353,
                "modified_ts": "2020-06-23T16:46:58.132Z",
                "org": "Digital Ocean",
                "asn": "***",
                "created_ts": "2020-06-23T16:46:14.844Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "source_reported_confidence": 10,
                "can_add_public_tags": false,
                "longitude": -122.3732,
                "subtype": null,
                "meta": {
                    "detail2": "imported by user 668",
                    "severity": "medium"
                },
                "resource_uri": "/api/v2/intelligence/***/"
              }
            }
        ]
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.objects in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
  {
              "source_created": null,
              "status": "active",
              "itype": "suspicious_ip",
              "expiration_ts": "2020-09-21T16:21:27Z",
              "ip": "1.1.1.1",
              "is_editable": false,
              "feed_id": ***,
              "update_id": ***,
              "value": "1.1.1.1",
              "is_public": false,
              "threat_type": "suspicious",
              "workgroups": [],
              "rdns": null,
              "confidence": 1,
              "uuid": "***-***-***-***-***",
              "retina_confidence": 1,
              "trusted_circle_ids": [
                  ***,
                  ***
              ],
              "id": ***,
              "source": "InThreat",
              "owner_organization_id": 2,
              "import_session_id": null,
              "source_modified": null,
              "type": "ip",
              "sort": "***",
              "description": null,
              "tags": [
                  {
                      "id": "gc0",
                      "name": "cinsscore"
                  }
              ],
              "threatscore": 19,
              "latitude": 37.7353,
              "modified_ts": "2020-06-23T16:46:58.273Z",
              "org": "Digital Ocean",
              "asn": "***",
              "created_ts": "2020-06-23T16:46:14.821Z",
              "tlp": null,
              "is_anonymous": false,
              "country": "US",
              "source_reported_confidence": 10,
              "can_add_public_tags": false,
              "longitude": -122.3732,
              "subtype": null,
              "meta": {
                  "detail2": "imported by user 668",
                  "severity": "medium"
              },
              "resource_uri": "/api/v2/intelligence/***/"
          },
          {
              "source_created": null,
              "status": "active",
              "itype": "suspicious_ip",
              "expiration_ts": "2020-09-21T16:21:27Z",
              "ip": "1.1.1.1",
              "is_editable": false,
              "feed_id": ***,
              "update_id": ***,
              "value": "1.1.1.1",
              "is_public": false,
              "threat_type": "suspicious",
              "workgroups": [],
              "rdns": null,
              "confidence": 77,
              "uuid": "***-***-***-***-***",
              "retina_confidence": 1,
              "trusted_circle_ids": [
                  ***,
                  ***
              ],
              "id": ***,
              "source": "InThreat",
              "owner_organization_id": 2,
              "import_session_id": null,
              "source_modified": null,
              "type": "ip",
              "sort": "***",
              "description": null,
              "tags": [
                  {
                      "id": "1f8",
                      "name": "cinsscore"
                  }
              ],
              "threatscore": 1,
              "latitude": 37.7353,
              "modified_ts": "2020-06-23T16:46:58.205Z",
              "org": "Digital Ocean",
              "asn": "***",
              "created_ts": "2020-02-28T12:15:54.328Z",
              "tlp": null,
              "is_anonymous": false,
              "country": "US",
              "source_reported_confidence": 10,
              "can_add_public_tags": false,
              "longitude": -122.3732,
              "subtype": null,
              "meta": {
                  "detail2": "imported by user 668 Confirmed as false positive",
                  "severity": "medium"
              },
              "resource_uri": "/api/v2/intelligence/***/"
          },
          {
              "source_created": null,
              "status": "active",
              "itype": "suspicious_ip",
              "expiration_ts": "2020-09-21T16:21:27Z",
              "ip": "1.1.1.1",
              "is_editable": false,
              "feed_id": ***,
              "update_id": ***,
              "value": "1.1.1.1",
              "is_public": false,
              "threat_type": "suspicious",
              "workgroups": [],
              "rdns": null,
              "confidence": 1,
              "uuid": "***-***-***-***-***",
              "retina_confidence": 1,
              "trusted_circle_ids": [
                  ***,
                  ***
              ],
              "id": ***,
              "source": "InThreat",
              "owner_organization_id": 2,
              "import_session_id": null,
              "source_modified": null,
              "type": "ip",
              "sort": "***",
              "description": null,
              "tags": [
                  {
                      "id": "adc",
                      "name": "cinsscore"
                  }
              ],
              "threatscore": 1,
              "latitude": 37.7353,
              "modified_ts": "2020-06-23T16:46:58.132Z",
              "org": "Digital Ocean",
              "asn": "***",
              "created_ts": "2020-06-23T16:46:14.844Z",
              "tlp": null,
              "is_anonymous": false,
              "country": "US",
              "source_reported_confidence": 10,
              "can_add_public_tags": false,
              "longitude": -122.3732,
              "subtype": null,
              "meta": {
                  "detail2": "imported by user 668",
                  "severity": "medium"
              },
              "resource_uri": "/api/v2/intelligence/***/"
          }
      }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Indicators": [
        "1.1.1.1",
        "2.2.2.2"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

SOURCE_CREATED

STATUS

ITYPE

EXPIRATION_TS

IP

IS_EDITABLE

FEED_ID

UPDATE_ID

VALUE

IS_PUBLIC

THREAT_TYPE

WORKGROUPS

RDNS

CONFIDENCE

UUID

RETINA_CONFIDENCE

TRUSTED_CIRCLE_IDS

ID

SOURCE

OWNER_ORGANIZATION_ID

IMPORT_SESSION_ID

SOURCE_MODIFIED

TYPE

SORT

DESCRIPTION

TAGS

THREATSCORE

LATITUDE

MODIFIED_TS

ORG

ASN

CREATED_TS

TLP

IS_ANONYMOUS

COUNTRY

SOURCE_REPORTED_CONFIDENCE

CAN_ADD_PUBLIC_TAGS

LONGITUDE

SUBTYPE

META

RESOURCE_URI

active

suspicious_ip

9/21/2020 4:21:27 PM

1.1.1.1

False



1.1.1.1

False

suspicious

[]

1


-***-***-***-***

1

[


,



]


InThreat

2

ip


[
{
";id";: ";gc0";,
";name";: ";cinsscore";
}
]

1

37.7353

6/23/2020 4:46:58 PM

Digital Ocean


6/23/2020 4:46:14 PM

False

US

10

False

-122.3732

{
";detail2";: ";imported by user 668";,
";severity";: ";medium";
}

/api/v2/intelligence/***/

active

suspicious_ip

9/21/2020 4:21:27 PM

1.1.1.1

False



1.1.1.1

False

suspicious

[]

1


-***-***-***-***

**

[


,



]


InThreat

2

ip


[
{
";id";: ";1f8";,
";name";: ";cinsscore";
}
]

1

37.7353

6/23/2020 4:46:58 PM

Digital Ocean


2/28/2020 12:15:54 PM

False

US

10

False

-122.3732

{
";detail2";: ";imported by user 668 Confirmed as false positive";,
";severity";: ";medium";
}

/api/v2/intelligence/***/

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Indicators failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Get Indicators failed.

Status Code: 400.

Message: One or more errors occurred.

Get Passive DNS

Returns enrichment data for the specified domain, IP, and URL observables available on ThreatStream.

Input

Input Parameter

Required/Optional

Description

Example

iocs

Optional

The IOCs to perform the reputation check. IOCs can be IP addresses or domains.

["1.1.1.1","2.2.2.2"]

Type

Optional

The type of IOCs entered. The avaiable types are ip or domain.

ip

Limit

Optional

The maximum number of results to return.

50

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "cached": true,
        "results": [
            {
                "domain": "domain",
                "ip": "1.1.1.1",
                "rrtype": "A",
                "source": "VirusTotal",
                "first_seen": "2019-04-04 23:03:09",
                "last_seen": "2019-04-04 23:03:09"
            },
            {
                "domain": "domain",
                "ip": "1.1.1.1",
                "rrtype": "A",
                "source": "VirusTotal",
                "first_seen": "2019-04-07 09:27:08",
                "last_seen": "2019-04-07 09:27:08"
            }
        ],
        "success": true
    },
    {
        "cached": true,
        "results": [
            {
                "domain": "domain,
                "ip": "1.1.1.1",
                "rrtype": "A",
                "source": "Anomali Labs",
                "first_seen": "2017-07-06 23:48:45",
                "last_seen": "2017-08-25 14:27:15"
            },
            {
                "domain": "domain",
                "ip": "1.1.1.1",
                "rrtype": "A",
                "source": "VirusTotal",
                "first_seen": "2018-08-17 21:01:55",
                "last_seen": "2018-08-17 21:01:55"
            }
        ],
        "success": true
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.results in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "domain": "domain",
        "ip": "1.1.1.1",
        "rrtype": "A",
        "source": "VirusTotal",
        "first_seen": "2019-04-04 23:03:09",
        "last_seen": "2019-04-04 23:03:09"
    },
    {
        "domain": "domain",
        "ip": "1.1.1.1",
        "rrtype": "A",
        "source": "VirusTotal",
        "first_seen": "2019-04-07 09:27:08",
        "last_seen": "2019-04-07 09:27:08"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "PassiveDNS": [
        {
            "IOC": "1.1.1.1",
            "PassiveDNS": [
                {
                    "domain": "domain",
                    "ip": "1.1.1.1"
                },
                {
                    "domain": "domain2",
                    "ip": "1.1.1"
                }
            ]
        },
        {
            "IOC": "1.1.1.1",
            "PassiveDNS": [
                {
                    "domain": "domain",
                    "ip": "1.1.1.1"
                },
                {
                    "domain": "domain2",
                    "ip": "2.2.2.2"
                }
            ]
        }
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

DOMAIN

IP

RRTYPE

SOURCE

FIRST_SEEN

LAST_SEEN

domain1

1.1.1.1

A

VirusTotal

2019-04-04 23:03:09

2019-04-04 23:03:09

domain2

2.2.2.2

A

VirusTotal

2019-04-07 09:27:08

2019-04-07 09:27:08

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Passive DNS failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Get Passive DNS failed.

Status Code: 400.

Message: One or more errors occurred.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.