
Anomali ThreatStream

Overview

Anomali ThreatStream automates the threat intelligence collection and management lifecycle to speed detection, streamline investigations and increase analyst productivity. Anomali ThreatStream integration enables organizations to expedite threat intelligence lifecycle management.

D3 SOAR provides REST operations to work with Anomali ThreatStream.

Anomali ThreatStream is available for use in:

D3 SOAR: V12.7.83.0+

Category: Threat Intelligence

Deployment Options: Option II, Option IV

Connection

To connect to Anomali ThreatStream from D3 SOAR, follow this section to collect the required information listed below:

| Parameter | Description | Example |
|---|---|---|
| Server Url | The server URL of the Anomali instance. | https://api.threatstream.com |
| User Name | The user email address associated with your ThreatStream account. | username@example.com |
| API Key | The API key to authenticate the connection. You can reference your username and API Key on the My Profile tab within ThreatStream settings. | ed35****c16aefbb44953565adc17187****417b |
| API Version | The version of the API to use for the connection. | v1 |

Configuring D3 SOAR to Work with Anomali ThreatStream

  1. Log in to D3 SOAR.

  2. Find the Anomali ThreatStream integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Anomali ThreatStream in the search box to find the integration, then click it to select it.

    4. Click + Connection on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Anomali ThreatStream.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Configure User Permissions: Defines which users have access to the connection.

    7. Active: Check the tick box to ensure the connection is available for use.

    8. System Reputation Check: Checking one or more reputation check tickboxes will run the corresponding check reputation command(s) under this integration connection to enrich the corresponding artifacts with reputation details. 

      For example, we are configuring an integration connection named “ConnectionA” with the site “Sandbox”. All IP artifacts from the “Sandbox” site will go through a reputation check using the Check IP Reputation command from that integration. The return data output from running the command will then be used to update the risk level of the artifacts which may affect the risk level of incoming events.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Input your domain level Server URL. The default value is https://api.threatstream.com.
      2. Input your User Name.
      3. Input your API Key.
      4. Input your API Version. The default value is v2.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click Add to create and add the configured connection.

Commands

Anomali ThreatStream includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Anomali ThreatStream API, please refer to the Anomali ThreatStream API reference.

Check Domain Reputation

Retrieves the reputation of the specified domains that have been assigned to observables by ThreatStream's predictive analytics technology.

Reader Note

If the input domains are invalid, the command will run successfully with no returned results.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Domains | Optional | The domains to perform the reputation check. | ["domian.net"] |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "objects": [
            {
                "status": "falsepos",
                "itype": "suspicious_url",
                "expiration_ts": "2020-05-20T03:22:40Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "longitude": -97.822,
                "org": "Google",
                "threat_type": "suspicious",
                "workgroups": [],
                "rdns": null,
                "confidence": 0,
                "uuid": "***-***-***-***-***",
                "subtype": null,
                "trusted_circle_ids": [
                    ***,
                    ***
                ],
                "id": ***,
                "source": "URLScan - CertStream",
                "owner_organization_id": 2,
                "import_session_id": null,
                "latitude": 37.751,
                "type": "url",
                "sort": [
                    ***,
                    "***"
                ],
                "description": null,
                "tags": [
                    {
                        "id": "1",
                        "name": "name1"
                    },
                    {
                        "id": "2",
                        "name": "name2"
                    },
                    {
                        "id": "3",
                        "name": "name3"
                    }
                ],
                "threatscore": 0,
                "source_reported_confidence": 50,
                "modified_ts": "2020-02-20T03:35:56.57Z",
                "is_public": false,
                "asn": "***",
                "created_ts": "2020-02-20T03:35:56.57Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "can_add_public_tags": false,
                "value": "https://www.google.com/",
                "retina_confidence": 0,
                "meta": {
                    "registrant_address": "CA, UNITED STATES",
                    "severity": "medium",
                    "registration_created": "1997-09-14T21:00:00-07:00",
                    "registration_updated": "2019-09-09T08:39:04-07:00",
                    "detail2": "imported by user 668 Confirmed as false positive",
                    "registrant_org": "Google LLC"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            },
            {
                "status": "falsepos",
                "itype": "mal_url",
                "expiration_ts": "2020-03-05T19:57:02.952Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "https://www.google.com/",
                "is_public": true,
                "threat_type": "malware",
                "workgroups": [],
                "rdns": null,
                "confidence": 0,
                "uuid": "***-***-***-***-***",
                "retina_confidence": 0,
                "trusted_circle_ids": null,
                "id": ***,
                "source": "Emotet Scraper",
                "owner_organization_id": ***,
                "import_session_id": null,
                "latitude": 37.751,
                "type": "url",
                "sort": [
                    ***,
                    "***"
                ],
                "description": null,
                "tags": null,
                "threatscore": 0,
                "source_reported_confidence": 14,
                "modified_ts": "2019-12-07T19:57:08.053Z",
                "org": "Google",
                "asn": "***",
                "created_ts": "2019-12-07T19:57:08.053Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "can_add_public_tags": false,
                "longitude": -97.822,
                "subtype": null,
                "meta": {
                    "registrant_address": "CA, UNITED STATES",
                    "severity": "very-high",
                    "registration_created": "1997-09-14T21:00:00-07:00",
                    "registration_updated": "2019-09-09T08:39:04-07:00",
                    "detail2": "imported by user 17997 Confirmed as false positive",
                    "registrant_org": "Google LLC"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            }
        ],
        "meta": {
            "total_count": 2,
            "offset": 0,
            "limit": 1000,
            "took": 32,
            "next": null
        }
    }
]
Context Data

The data extracted from Raw Data, converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $[*].objects in the JSON returned by the API.

It is recommended to refer to the Raw Data instead of Context Data, since Raw Data contains the complete API response. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "Confidence": 0,
        "Severity": "medium",
        "Created": "2020-02-20T03:35:56.57Z",
        "Modified": "2020-02-20T03:35:56.57Z",
        "itype": "suspicious_url",
        "Source": "URLScan - CertStream",
        "Status": "falsepos",
        "RiskScore": 0,
        "Reputation": 0,
        "ASN": "***",
        "Country": "US",
        "Latitude": 37.751,
        "Longitude": -97.822,
        "Organization": "Google",
        "IPAddress": "1.1.1.1",
        "Details": "imported by user 668 Confirmed as false positive",
        "url": "https://www.google.com/",
        "riskLevel": "2"
    },
    {
        "Confidence": 0,
        "Severity": "very-high",
        "Created": "2019-12-07T19:57:08.053Z",
        "Modified": "2019-12-07T19:57:08.053Z",
        "itype": "mal_url",
        "Source": "Emotet Scraper",
        "Status": "falsepos",
        "RiskScore": 0,
        "Reputation": 0,
        "ASN": "***",
        "Country": "US",
        "Latitude": 37.751,
        "Longitude": -97.822,
        "Organization": "Google",
        "IPAddress": "1.1.1.1",
        "Details": "imported by user 17997 Confirmed as false positive",
        "url": "https://www.google.com/",
        "riskLevel": "1"
    },
    {
        "Confidence": 92,
        "Severity": "medium",
        "Created": "2020-06-23T09:35:13.455Z",
        "Modified": "2020-10-10T07:44:16.287Z",
        "itype": "phish_url",
        "Source": "URLScan - CertStream",
        "Status": "inactive",
        "RiskScore": 74,
        "Reputation": 0.74,
        "ASN": "",
        "Country": null,
        "Latitude": null,
        "Longitude": null,
        "Organization": "",
        "IPAddress": null,
        "Details": "bifocals_deactivated_on_2020-10-10_07:40:00.071859",
        "url": "https://whatsapp18plus.kozow.com/",
        "riskLevel": "2"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "URLs": [
        "https://www.google.com/",
        "https://whatsapp18plus.kozow.com/"
    ],
    "RiskLevels": [
        "High",
        "Medium"
    ]
}
Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "url": "https://www.google.com/",
        "total": "2",
        "positives": "2",
        "riskLevel": 1,
        "riskScore": "2/2"
    },
    {
        "url": "https://whatsapp18plus.kozow.com/",
        "total": "1",
        "positives": "1",
        "riskLevel": 2,
        "riskScore": "1/1"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| CONFIDENCE | SEVERITY | CREATED | MODIFIED | ITYPE | SOURCE | STATUS | RISKSCORE | REPUTATION | ASN | COUNTRY | LATITUDE | LONGITUDE | ORGANIZATION | IPADDRESS | DETAILS | URL | RISKLEVEL |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | medium | 2/20/2020 3:35:56 AM | 2/20/2020 3:35:56 AM | suspicious_url | URLScan - CertStream | falsepos | 0 | 0 | | US | 37.751 | -97.822 | Google | 172.217.29.164 | imported by user 668 Confirmed as false positive | https://www.google.com/ | 2 |
| 0 | very-high | 12/7/2019 7:57:08 PM | 12/7/2019 7:57:08 PM | mal_url | Emotet Scraper | falsepos | 0 | 0 | | US | 37.751 | -97.822 | Google | 64.233.185.99 | imported by user 17997 Confirmed as false positive | https://www.google.com/ | 1 |
| 92 | medium | 6/23/2020 9:35:13 AM | 10/10/2020 7:44:16 AM | phish_url | URLScan - CertStream | inactive | 74 | 0.74 | | | | | | | bifocals_deactivated_on_2020-10-10_07:40:00.071859 | https://whatsapp18plus.kozow.com/ | 2 |

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return key fields:

| Return Data | Key Fields |
|---|---|
| 1 | High |
| 2 | Medium |
| 3 | Low |
| 4 | Default |
| 5 | ZeroRisk |
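The following is an added example, not D3's or Anomali's code, showing how the check-reputation output shapes described above fit together: it flattens the $[*].objects path of a raw ThreatStream response into Context Data rows, maps each row onto a D3-defined risk level, and builds the Key Fields lists. The severity-to-level rule is inferred from the page's samples and the empty-result handling follows the Reader Note; both are assumptions, not D3's documented logic, and the response is constructed sample data.

```python
import json

# D3-defined Risk Levels table from the page: Return Data value -> Key Fields label.
RISK_LEVEL_LABELS = {1: "High", 2: "Medium", 3: "Low", 4: "Default", 5: "ZeroRisk"}

# ASSUMPTION: every sample on the page shows riskLevel tracking meta.severity
# (very-high/high -> 1, medium -> 2, low -> 3). D3's actual rule is not
# documented on the page; a missing or unknown severity falls back to 4 (Default).
SEVERITY_TO_LEVEL = {"very-high": 1, "high": 1, "medium": 2, "low": 3}

# Constructed sample in the shape of the page's Raw Data for Check Domain
# Reputation, trimmed to the fields Context Data uses; redacted ASNs are placeholders.
RAW_RESPONSE = json.loads("""[{"objects": [
  {"status": "falsepos", "itype": "suspicious_url", "ip": "1.1.1.1",
   "value": "https://www.google.com/", "type": "url", "confidence": 0,
   "threatscore": 0, "source": "URLScan - CertStream", "org": "Google",
   "asn": "ASN-PLACEHOLDER", "country": "US", "latitude": 37.751,
   "longitude": -97.822, "created_ts": "2020-02-20T03:35:56.57Z",
   "modified_ts": "2020-02-20T03:35:56.57Z",
   "meta": {"severity": "medium",
            "detail2": "imported by user 668 Confirmed as false positive"}},
  {"status": "falsepos", "itype": "mal_url", "ip": "1.1.1.1",
   "value": "https://www.google.com/", "type": "url", "confidence": 0,
   "threatscore": 0, "source": "Emotet Scraper", "org": "Google",
   "asn": "ASN-PLACEHOLDER", "country": "US", "latitude": 37.751,
   "longitude": -97.822, "created_ts": "2019-12-07T19:57:08.053Z",
   "modified_ts": "2019-12-07T19:57:08.053Z",
   "meta": {"severity": "very-high",
            "detail2": "imported by user 17997 Confirmed as false positive"}},
  {"status": "inactive", "itype": "phish_url", "ip": null,
   "value": "https://whatsapp18plus.kozow.com/", "type": "url",
   "confidence": 92, "threatscore": 74, "source": "URLScan - CertStream",
   "org": "", "asn": "", "country": null, "latitude": null, "longitude": null,
   "created_ts": "2020-06-23T09:35:13.455Z",
   "modified_ts": "2020-10-10T07:44:16.287Z",
   "meta": {"severity": "medium",
            "detail2": "bifocals_deactivated_on_2020-10-10_07:40:00.071859"}}],
  "meta": {"total_count": 3, "offset": 0, "limit": 1000, "took": 32, "next": null}}]""")


def extract_objects(raw):
    """Context Data path $[*].objects: flatten the observables of every page."""
    return [obj for page in raw for obj in page.get("objects", [])]


def risk_level(obj):
    """Numeric D3 risk level (1-5) for one observable; see SEVERITY_TO_LEVEL."""
    severity = (obj.get("meta") or {}).get("severity")
    return SEVERITY_TO_LEVEL.get(severity, 4)


def to_context(obj):
    """One Context Data row, using the key names of the page's sample."""
    meta = obj.get("meta") or {}
    score = obj.get("threatscore") or 0
    return {
        "Confidence": obj.get("confidence"), "Severity": meta.get("severity"),
        "Created": obj.get("created_ts"), "Modified": obj.get("modified_ts"),
        "itype": obj.get("itype"), "Source": obj.get("source"),
        "Status": obj.get("status"), "RiskScore": score,
        "Reputation": score / 100,   # page samples: 74 -> 0.74, 20 -> 0.2
        "ASN": obj.get("asn"), "Country": obj.get("country"),
        "Latitude": obj.get("latitude"), "Longitude": obj.get("longitude"),
        "Organization": obj.get("org"), "IPAddress": obj.get("ip"),
        "Details": meta.get("detail2"), "url": obj.get("value"),
        "riskLevel": str(risk_level(obj)),
    }


def enrich(raw):
    """Context Data plus Key Fields for one raw response.

    The page's Reader Note says invalid input yields a successful run with no
    results, so an empty object list is reported as 'no_results' instead of
    being enriched as ZeroRisk (level 5)."""
    objects = extract_objects(raw)
    if not objects:
        return {"status": "no_results", "context": [], "keyFields": {}}
    context = [to_context(o) for o in objects]
    # Key Fields list each indicator once with its worst (lowest-numbered)
    # level, which is how the page's Check Domain Reputation sample reads.
    worst = {}
    for row in context:
        worst[row["url"]] = min(int(row["riskLevel"]), worst.get(row["url"], 5))
    key_fields = {"URLs": list(worst),
                  "RiskLevels": [RISK_LEVEL_LABELS[lvl] for lvl in worst.values()]}
    return {"status": "ok", "context": context, "keyFields": key_fields}
```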

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check Domain Reputation failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: One or more errors occurred. |

Error Sample Data

Check Domain Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check Email Reputation

Retrieves the reputation of the specified email addresses that have been assigned to observables by ThreatStream's predictive analytics technology.

Reader Note

If the input email addresses are invalid, the command will run successfully with no returned results.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Emails | Optional | The email addresses to perform the reputation check. | ["user@example.com"] |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "objects": [
            {
                "source_created": null,
                "status": "inactive",
                "itype": "compromised_email",
                "expiration_ts": "2020-06-21T19:10:52.408Z",
                "ip": null,
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "***",
                "is_public": false,
                "threat_type": "compromised",
                "workgroups": [],
                "rdns": null,
                "confidence": 100,
                "uuid": "***-***-***-***-***",
                "retina_confidence": -1,
                "trusted_circle_ids": [
                    ***
                ],
                "id": 55703048722,
                "source": "Anomali Labs Compromised Credentials",
                "owner_organization_id": 2,
                "import_session_id": null,
                "source_modified": null,
                "type": "email",
                "sort": [
                    ***,
                    "***"
                ],
                "description": null,
                "tags": [
                    {
                        "id": "pmo",
                        "name": "***"
                    }
                ],
                "threatscore": 20,
                "latitude": null,
                "modified_ts": "2020-06-23T18:51:15.503Z",
                "org": "",
                "asn": "",
                "created_ts": "2020-06-07T19:11:01.126Z",
                "tlp": null,
                "is_anonymous": false,
                "country": null,
                "source_reported_confidence": 100,
                "can_add_public_tags": false,
                "longitude": null,
                "subtype": null,
                "meta": {
                    "detail2": "bifocals_deactivated_on_2020-06-23_18:50:00.042873",
                    "severity": "low"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            }
        ],
        "meta": {
            "total_count": 1,
            "offset": 0,
            "limit": 1000,
            "took": 19,
            "next": null
        }
    }
]
Context Data

The data extracted from Raw Data, converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $[*].objects in the JSON returned by the API.

It is recommended to refer to the Raw Data instead of Context Data, since Raw Data contains the complete API response. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "Confidence": 100,
        "Severity": "low",
        "Created": "2020-06-07T19:11:01.126Z",
        "Modified": "2020-06-23T18:51:15.503Z",
        "itype": "compromised_email",
        "Source": "Anomali Labs Compromised Credentials",
        "Status": "inactive",
        "RiskScore": 20,
        "Reputation": 0.2,
        "Details": "bifocals_deactivated_on_2020-06-23_18:50:00.042873",
        "emailAddress": "user@example.com",
        "riskLevel": "3"
    },
    {
        "Confidence": 100,
        "Severity": "high",
        "Created": "2019-09-02T17:43:51.872Z",
        "Modified": "2020-06-23T18:51:59.642Z",
        "itype": "compromised_email",
        "Source": "FirstEnergy",
        "Status": "inactive",
        "RiskScore": 20,
        "Reputation": 0.2,
        "Details": "bifocals_deactivated_on_2020-06-23_18:50:00.042873",
        "emailAddress": "user@example.com",
        "riskLevel": "1"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "EmailAddresses": [
        "user@example.com",
        "user@example.com"
    ],
    "RiskLevels": [
        "Low",
        "High"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
[
    {
        "emailAddress": "user@example.com",
        "total": "1",
        "positives": "0",
        "riskLevel": 3,
        "riskScore": "0/1"
    },
    {
        "emailAddress": "user@example.com",
        "total": "1",
        "positives": "1",
        "riskLevel": 1,
        "riskScore": "1/1"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| CONFIDENCE | SEVERITY | CREATED | MODIFIED | ITYPE | SOURCE | STATUS | RISKSCORE | REPUTATION | DETAILS | EMAILADDRESS | RISKLEVEL |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 100 | low | 6/7/2020 7:11:01 PM | 6/23/2020 6:51:15 PM | compromised_email | Anomali Labs Compromised Credentials | inactive | 20 | 0.2 | bifocals_deactivated_on_2020-06-23_18:50:00.042873 | user@example.com | 3 |
| 100 | high | 9/2/2019 5:43:51 PM | 6/23/2020 6:51:59 PM | compromised_email | FirstEnergy | inactive | 20 | 0.2 | bifocals_deactivated_on_2020-06-23_18:50:00.042873 | user@example.com | 1 |

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check Email Reputation failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: One or more errors occurred. |

Error Sample Data

Check Email Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check File Reputation

Retrieves the reputation of the specified files that have been assigned to observables by ThreatStream's predictive analytics technology.

Reader Note

If the input file hashes are invalid, the command will run successfully with no returned results. Note: Only SHA1 and MD5 hashes are supported.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| File Hashes | Optional | The file hashes to perform the reputation check. Note: SHA1 and MD5 hashes are supported. | ["55d1224bce61e06d06b38192ae12004b07adb753"] |
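Because the Reader Note above says unsupported or malformed hashes make the command succeed with no results, a playbook cannot tell "no intelligence" from "never looked up" unless it checks its inputs first. The added example below (not D3's or Anomali's code) does that pre-check for the MD5/SHA1 rule the page states and then reports which supported hashes came back without an observable; the input list is constructed sample data.

```python
import re

# The two hash types the page says Check File Reputation supports.
SUPPORTED_HASH_FORMATS = {
    "md5": re.compile(r"[0-9a-f]{32}"),
    "sha1": re.compile(r"[0-9a-f]{40}"),
}
SHA256_FORMAT = re.compile(r"[0-9a-f]{64}")

# Constructed input: the page's SHA1 example, the well-known MD5 and SHA256
# digests of an empty file (upper-case / padded to exercise normalisation),
# and one malformed entry.
SAMPLE_INPUT = [
    "55d1224bce61e06d06b38192ae12004b07adb753",
    " D41D8CD98F00B204E9800998ECF8427E ",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "not-a-hash",
]


def classify_file_hashes(hashes):
    """Sort inputs into hashes the command can look up and ones it cannot.

    Anything in 'unsupported' or 'malformed' would be silently dropped by the
    command, so it must not be interpreted as 'no intelligence found'."""
    out = {"supported": [], "unsupported": [], "malformed": []}
    for raw in hashes:
        value = raw.strip().lower()
        if any(p.fullmatch(value) for p in SUPPORTED_HASH_FORMATS.values()):
            out["supported"].append(value)
        elif SHA256_FORMAT.fullmatch(value):   # well-formed, but not MD5/SHA1
            out["unsupported"].append(value)
        else:
            out["malformed"].append(raw)
    return out


def hashes_without_observables(supported, raw_response):
    """Supported hashes for which no $[*].objects[*].value came back.

    raw_response has the page's Raw Data shape: a list of pages, each with an
    'objects' list whose 'value' holds the observable (case-insensitive here)."""
    seen = {str(obj.get("value", "")).lower()
            for page in raw_response for obj in page.get("objects", [])}
    return [h for h in supported if h not in seen]
```

Feeding only the "supported" list to the command and tagging the rest for manual review keeps the silent-success behaviour from masking unchecked inputs.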

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "objects": [
            {
                "source_created": null,
                "status": "inactive",
                "itype": "mal_md5",
                "expiration_ts": "2020-06-22T02:27:04.972Z",
                "ip": null,
                "is_editable": false,
                "feed_id": 0,
                "update_id": ***,
                "value": "***",
                "is_public": false,
                "threat_type": "malware",
                "workgroups": [],
                "rdns": null,
                "confidence": 100,
                "uuid": "***-***-***-***-***",
                "retina_confidence": -1,
                "trusted_circle_ids": [
                    ***,
                    ***
                ],
                "id": ***,
                "source": "FirstEnergy",
                "owner_organization_id": ***,
                "import_session_id": ***,
                "source_modified": null,
                "type": "md5",
                "sort": [
                    ***,
                    "***"
                ],
                "description": null,
                "tags": [
                    {
                        "id": "***",
                        "name": "Advisory 2019-131a: Emotet malware campaign"
                    },
                    {
                        "id": "***",
                        "name": "Australian Cyber Security Centre"
                    },
                    {
                        "id": "***",
                        "name": "emotet malware threat"
                    }
                ],
                "threatscore": ***,
                "latitude": null,
                "modified_ts": "2020-06-23T21:32:02.723Z",
                "org": "",
                "asn": "",
                "created_ts": "2020-03-24T02:27:19.172Z",
                "tlp": null,
                "is_anonymous": false,
                "country": null,
                "source_reported_confidence": 100,
                "can_add_public_tags": true,
                "longitude": null,
                "subtype": "MD5",
                "meta": {
                    "detail2": "bifocals_deactivated_on_2020-06-23_21:30:00.067265",
                    "severity": "high"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            }
        ],
        "meta": {
            "total_count": 1,
            "offset": 0,
            "limit": 1000,
            "took": 5,
            "next": null
        }
    }
]
Context Data

The data extracted from Raw Data, converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $[*].objects in the JSON returned by the API.

It is recommended to refer to the Raw Data instead of Context Data, since Raw Data contains the complete API response. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "Confidence": 100,
        "Severity": "high",
        "Created": "2020-03-24T02:27:19.172Z",
        "Modified": "2020-06-23T21:32:02.723Z",
        "itype": "mal_md5",
        "Source": "FirstEnergy",
        "Status": "inactive",
        "RiskScore": 90,
        "Reputation": 0.9,
        "Details": "bifocals_deactivated_on_2020-06-23_21:30:00.067265",
        "fileHash": "***",
        "riskLevel": "1"
    },
    {
        "Confidence": 75,
        "Severity": "medium",
        "Created": "2020-06-23T18:37:02.757Z",
        "Modified": "2020-09-22T22:08:49.513Z",
        "itype": "mal_md5",
        "Source": "URLHaus Hashes",
        "Status": "inactive",
        "RiskScore": 68,
        "Reputation": 0.68,
        "Details": "bifocals_deactivated_on_2020-09-22_22:04:17.609308",
        "fileHash": "***",
        "riskLevel": "2"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "FileHashes": [
        "***",
        "***"
    ],
    "RiskLevels": [
        "High",
        "Medium"
    ]
}
Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "fileHash": "***",
        "total": "1",
        "positives": "1",
        "riskLevel": 1,
        "riskScore": "1/1"
    },
    {
        "fileHash": "***",
        "total": "1",
        "positives": "1",
        "riskLevel": 2,
        "riskScore": "1/1"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| CONFIDENCE | SEVERITY | CREATED | MODIFIED | ITYPE | SOURCE | STATUS | RISKSCORE | REPUTATION | DETAILS | FILEHASH | RISKLEVEL |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 100 | high | 3/24/2020 2:27:19 AM | 6/23/2020 9:32:02 PM | mal_md5 | FirstEnergy | inactive | 90 | 0.9 | bifocals_deactivated_on_2020-06-23_21:30:00.067265 | | 1 |
| 75 | medium | 6/23/2020 6:37:02 PM | 9/22/2020 10:08:49 PM | mal_md5 | URLHaus Hashes | inactive | 68 | 0.68 | bifocals_deactivated_on_2020-09-22_22:04:17.609308 | | 2 |

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

| Return Data | Key Fields |
|---|---|
| 1 | High |
| 2 | Medium |
| 3 | Low |
| 4 | Default |
| 5 | ZeroRisk |

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check File Reputation failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: One or more errors occurred. |

Error Sample Data

Check File Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check IP Reputation

Retrieves the reputation of the specified IP addresses that have been assigned to observables by ThreatStream's predictive analytics technology.

Reader Note

If the input IP addresses are invalid, the command will run successfully with no returned results.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| IP Addresses | Optional | The IP addresses to perform the reputation check. | ["1.1.1.1"] |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "objects": [
            {
                "source_created": null,
                "status": "inactive",
                "itype": "spam_ip",
                "expiration_ts": "2020-06-27T01:21:29Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "1.1.1.1",
                "is_public": false,
                "threat_type": "spam",
                "workgroups": [],
                "rdns": null,
                "confidence": 72,
                "uuid": "***-***-***-***-***",
                "retina_confidence": ***,
                "trusted_circle_ids": [
                    ***,
                    ***
                ],
                "id": ***,
                "source": "DNS Blacklist NIX Spam OSINT",
                "owner_organization_id": 2,
                "import_session_id": null,
                "source_modified": null,
                "type": "ip",
                "sort": [
                    ***,
                    "***"
                ],
                "description": null,
                "tags": null,
                "threatscore": 18,
                "latitude": 39.336,
                "modified_ts": "2020-06-30T21:29:24.378Z",
                "org": "Comcast Business",
                "asn": "***",
                "created_ts": "2020-04-29T23:23:51.852Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "source_reported_confidence": ***,
                "can_add_public_tags": false,
                "longitude": -76.7877,
                "subtype": null,
                "meta": {
                    "detail2": "bifocals_deactivated_on_2020-06-30_21:10:00.059127",
                    "severity": "high"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            },
            {
                "source_created": null,
                "status": "inactive",
                "itype": "spam_ip",
                "expiration_ts": "2020-06-23T03:20:43.901Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "1.1.1.1",
                "is_public": false,
                "threat_type": "spam",
                "workgroups": [],
                "rdns": null,
                "confidence": 72,
                "uuid": "***-***-***-***-***",
                "retina_confidence": 72,
                "trusted_circle_ids": [
                    146,
                    266
                ],
                "id": ***,
                "source": "NixSpam",
                "owner_organization_id": 2,
                "import_session_id": null,
                "source_modified": null,
                "type": "ip",
                "sort": [
                    ***,
                    "***"
                ],
                "description": null,
                "tags": null,
                "threatscore": 18,
                "latitude": 39.336,
                "modified_ts": "2020-06-24T12:01:10.122Z",
                "org": "Comcast Business",
                "asn": "7922",
                "created_ts": "2020-04-30T01:20:00.932Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "source_reported_confidence": 60,
                "can_add_public_tags": false,
                "longitude": -76.7877,
                "subtype": null,
                "meta": {
                    "detail2": "bifocals_deactivated_on_2020-06-24_12:00:00.091444",
                    "severity": "low"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            }
        ],
        "meta": {
            "total_count": 2,
            "offset": 0,
            "limit": 1000,
            "took": 25,
            "next": null
        }
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $[*].objects in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since Raw Data contains the complete API response. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "Confidence": 72,
        "Severity": "high",
        "Created": "2020-04-29T23:23:51.852Z",
        "Modified": "2020-06-30T21:29:24.378Z",
        "itype": "spam_ip",
        "Source": "DNS Blacklist NIX Spam OSINT",
        "Status": "inactive",
        "RiskScore": 18,
        "Reputation": 0.18,
        "ASN": "7922",
        "Country": "US",
        "Latitude": 39.336,
        "Longitude": -76.7877,
        "Organization": "Comcast Business",
        "IPAddress": "1.1.1.1",
        "Hostname": null,
        "Details": "bifocals_deactivated_on_2020-06-30_21:10:00.059127",
        "ipAddress": "1.1.1.1",
        "riskLevel": "1"
    },
    {
        "Confidence": 72,
        "Severity": "low",
        "Created": "2020-04-30T01:20:00.932Z",
        "Modified": "2020-06-24T12:01:10.122Z",
        "itype": "spam_ip",
        "Source": "NixSpam",
        "Status": "inactive",
        "RiskScore": 18,
        "Reputation": 0.18,
        "ASN": "***",
        "Country": "US",
        "Latitude": 39.336,
        "Longitude": -76.7877,
        "Organization": "Comcast Business",
        "IPAddress": "1.1.1.1",
        "Hostname": null,
        "Details": "bifocals_deactivated_on_2020-06-24_12:00:00.091444",
        "ipAddress": "1.1.1.1",
        "riskLevel": "3"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "IPs": [
        "1.1.1.1",
        "2.2.2.2"
    ],
    "RiskLevels": [
        "Low",
        "High"
    ]
}
Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "ipAddress": "1.1.1.1",
        "total": "2",
        "positives": "1",
        "riskLevel": 3,
        "riskScore": "1/2"
    },
    {
        "ipAddress": "2.2.2.2",
        "total": "5",
        "positives": "3",
        "riskLevel": 1,
        "riskScore": "3/5"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Row 1:
CONFIDENCE: 72
SEVERITY: high
CREATED: 4/29/2020 11:23:51 PM
MODIFIED: 6/23/2020 6:43:00 PM
ITYPE: spam_ip
SOURCE: DNS Blacklist NIX Spam OSINT
STATUS: inactive
RISKSCORE: 18
REPUTATION: 0.18
ASN:
COUNTRY: US
LATITUDE: 39.336
LONGITUDE: -76.7877
ORGANIZATION: Comcast Business
IPADDRESS: 1.1.1.1
HOSTNAME:
DETAILS: bifocals_deactivated_on_2020-06-23_18:40:00.076253

Row 2:
CONFIDENCE: 72
SEVERITY: low
CREATED: 4/30/2020 1:20:00 AM
MODIFIED: 6/22/2020 3:22:40 AM
ITYPE: spam_ip
SOURCE: NixSpam
STATUS: active
RISKSCORE: 18
REPUTATION: 0.18
ASN:
COUNTRY: US
LATITUDE: 39.336
LONGITUDE: -76.7877
ORGANIZATION: Comcast Business
IPADDRESS: 2.2.2.2
HOSTNAME:
DETAILS: bifocals_deactivated_on_2020-06-19_05:40:00.042847

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

Return Data | Key Fields
1 | High
2 | Medium
3 | Low
4 | Default
5 | ZeroRisk
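As an added example (not D3's or Anomali's code), the Python below normalises a ThreatStream intelligence response into the three output shapes described above for Check IP Reputation: Context Data records, per-IP Return Data with a "positives/total" riskScore, and Key Fields whose level names come from the D3-defined risk level table. The sample response is constructed to mirror the page's Raw Data; the medium-to-2 severity mapping and the per-IP aggregation rule (most severe active object wins, no active objects gives 5 ZeroRisk, no objects at all gives 4 Default) are assumptions, not D3's documented algorithm.

```python
"""Normalise a ThreatStream intelligence response into the Check IP Reputation
output shapes (Context Data, Return Data, Key Fields). Added example, not D3 or
Anomali code; the sample data is constructed and the aggregation rule is assumed."""
import json
from collections import defaultdict

# D3-defined risk levels from the page's table: Return Data code -> Key Fields name
RISK_LEVEL_NAMES = {1: "High", 2: "Medium", 3: "Low", 4: "Default", 5: "ZeroRisk"}

# meta.severity -> level. high->1, low->3 and very-high->1 appear in the page samples;
# medium->2 is an assumption consistent with the table; unknown severity -> 4 Default.
SEVERITY_TO_LEVEL = {"very-high": 1, "high": 1, "medium": 2, "low": 3}

# Constructed sample shaped like the page's Raw Data (a list of pages, each with "objects").
SAMPLE_RAW = json.loads("""[
 {"objects": [
   {"ip": "1.1.1.1", "status": "inactive", "itype": "spam_ip", "confidence": 72,
    "threatscore": 18, "source": "NixSpam", "asn": "7922", "country": "US", "rdns": null,
    "org": "Comcast Business", "created_ts": "2020-04-30T01:20:00.932Z",
    "modified_ts": "2020-06-24T12:01:10.122Z",
    "meta": {"detail2": "bifocals_deactivated_on_2020-06-24_12:00:00.091444", "severity": "low"}},
   {"ip": "2.2.2.2", "status": "active", "itype": "suspicious_ip", "confidence": 90,
    "threatscore": 85, "source": "Analyst", "asn": "", "country": null, "rdns": null,
    "org": "", "created_ts": "2021-05-20T15:32:16.773Z",
    "modified_ts": "2021-05-20T15:32:16.773Z",
    "meta": {"detail2": "imported by user 136", "severity": "very-high"}},
   {"ip": "2.2.2.2", "status": "inactive", "itype": "suspicious_ip", "confidence": 40,
    "threatscore": 30, "source": "InThreat", "asn": "", "country": null, "rdns": null,
    "org": "", "created_ts": "2020-02-28T12:15:54.328Z",
    "modified_ts": "2020-06-23T16:46:58.205Z",
    "meta": {"detail2": "imported by user 668", "severity": "medium"}}],
  "meta": {"total_count": 3, "offset": 0, "limit": 1000, "took": 25, "next": null}}
]""")


def extract_objects(raw):
    """Context Data path $[*].objects: flatten the objects of every response page."""
    return [obj for page in raw for obj in page.get("objects", [])]


def severity_level(obj):
    """Map one object's meta.severity to a D3 level code (1-5)."""
    return SEVERITY_TO_LEVEL.get((obj.get("meta") or {}).get("severity"), 4)


def to_context_record(obj):
    """One Context Data record with the field names the page shows."""
    return {
        "Confidence": obj.get("confidence"),
        "Severity": (obj.get("meta") or {}).get("severity"),
        "Created": obj.get("created_ts"),
        "Modified": obj.get("modified_ts"),
        "itype": obj.get("itype"),
        "Source": obj.get("source"),
        "Status": obj.get("status"),
        "RiskScore": obj.get("threatscore"),
        "Reputation": (obj.get("threatscore") or 0) / 100,  # 18 -> 0.18 as in the page sample
        "ASN": obj.get("asn"),
        "Country": obj.get("country"),
        "Organization": obj.get("org"),
        "IPAddress": obj.get("ip"),
        "Hostname": obj.get("rdns"),
        "Details": (obj.get("meta") or {}).get("detail2"),
        "riskLevel": str(severity_level(obj)),
    }


def to_return_data(raw, requested_ips):
    """Per-IP Return Data: total objects, active 'positives', riskScore 'positives/total',
    riskLevel 1-5. Aggregation rule is an assumption: the most severe active object wins;
    no active objects -> 5 ZeroRisk; an IP with no objects at all (e.g. an invalid
    address, which the Reader Note says returns no results) -> 4 Default."""
    by_ip = defaultdict(list)
    for obj in extract_objects(raw):
        by_ip[obj.get("ip")].append(obj)
    results = []
    for ip in requested_ips:
        objs = by_ip.get(ip, [])
        active = [o for o in objs if o.get("status") == "active"]
        if not objs:
            level = 4
        elif not active:
            level = 5
        else:
            level = min(severity_level(o) for o in active)
        results.append({"ipAddress": ip, "total": str(len(objs)),
                        "positives": str(len(active)), "riskLevel": level,
                        "riskScore": f"{len(active)}/{len(objs)}"})
    return results


def to_key_fields(return_data):
    """Key Fields as the page shows them: parallel IPs and RiskLevels lists."""
    return {"IPs": [r["ipAddress"] for r in return_data],
            "RiskLevels": [RISK_LEVEL_NAMES[r["riskLevel"]] for r in return_data]}


if __name__ == "__main__":
    rd = to_return_data(SAMPLE_RAW, ["1.1.1.1", "2.2.2.2", "9.9.9.9"])
    print(json.dumps(rd, indent=2))
    print(json.dumps(to_key_fields(rd), indent=2))
```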

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check IP Reputation failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: One or more errors occurred.

Error Sample Data

Check IP Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check URL Reputation

Retrieves the reputation of the specified URLs, as assigned to observables by ThreatStream's predictive analytics technology.

Input

Input Parameter | Required/Optional | Description | Example
URLs | Required | The URLs to perform the reputation check. | ["http://www.test.com/"]
Status | Optional | The status (i.e. Active, Inactive, or All) assigned to the URL(s). If this parameter is not specified, the API will return only the URLs with the Active status. | All
Confidence | Optional | The lower limit of the confidence score range (1 to 100) used to filter the URLs to check. For instance, if you input 50, only URLs with a confidence level between 50 and 100 are checked; if you input 30, URLs with a confidence level between 30 and 100 are checked. Confidence scores indicate the likelihood that the URL(s) are of the reported indicator. ThreatStream assigns these scores based on several factors; higher scores indicate greater confidence. By default, only URLs with a confidence level of 50 or higher are returned unless specified otherwise. | 70

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "results": [
        {
            "objects": [
                {
                    "source_created": null,
                    "status": "active",
                    "itype": "apt_url",
                    "expiration_ts": "9999-12-31T00:00:00.000Z",
                    "ip": null,
                    "is_editable": false,
                    "feed_id": 0,
                    "update_id": ***,
                    "value": "http://www.test.com/",
                    "is_public": true,
                    "threat_type": "apt",
                    "workgroups": [],
                    "rdns": null,
                    "confidence": 100,
                    "uuid": "***-***-***-***-***",
                    "retina_confidence": -1,
                    "trusted_circle_ids": null,
                    "id": ***,
                    "source": "Analyst",
                    "owner_organization_id": ***,
                    "import_session_id": null,
                    "source_modified": null,
                    "type": "url",
                    "sort": [
                        ***,
                        "***"
                    ],
                    "description": null,
                    "tags": null,
                    "threatscore": 80,
                    "latitude": null,
                    "modified_ts": "2021-05-20T15:32:16.773Z",
                    "org": "",
                    "asn": "",
                    "created_ts": "2021-05-20T15:32:16.773Z",
                    "tlp": null,
                    "is_anonymous": false,
                    "country": null,
                    "source_reported_confidence": ***,
                    "can_add_public_tags": true,
                    "longitude": null,
                    "subtype": null,
                    "meta": {
                        "detail2": "imported by user 136",
                        "severity": "very-high"
                    },
                    "resource_uri": "/api/v2/intelligence/***/"
                }
            ],
            "meta": {
                "total_count": 1,
                "offset": 0,
                "limit": 1000,
                "took": 9,
                "next": null
            },
            "D3URLReputation": {
                "url": "http://www.test.com/",
                "total": "1",
                "positives": "1",
                "riskLevel": 1,
                "riskScore": "1/1"
            }
        }
    ],
    "errors": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "URLs": [
        "http://www.test.com/"
    ],
    "Severities": [
        "very-high"
    ]
}
Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "url": "http://www.test.com/",
        "total": "1",
        "positives": "1",
        "riskLevel": 1,
        "riskScore": "1/1"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

URL | TOTAL | POSITIVES | RISKLEVEL | RISKSCORE | RISKLEVELNAME
http://www.test.com/ | 1 | 1 | 1 | 1/1 | High

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

Return Data | Key Fields
1 | High
2 | Medium
3 | Low
4 | Default
5 | ZeroRisk

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check URL Reputation failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: One or more errors occurred.

Error Sample Data

Check URL Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Get Indicators

Retrieves indicators and their corresponding information based on the given query conditions.

Input

Input Parameter | Required/Optional | Description | Example
URLs | Required | The URLs to perform the reputation check. | ["http://www.test.com/"]
Query | Optional | The query statement to filter results. | status=active=suspicious_ip=created_ts
Status | Optional | The status (i.e. Active, Inactive, or All) assigned to the URL(s). If this parameter is not specified, the API will return only the URLs with the Active status. | Active
Limit | Optional | The maximum number of indicators to return. | 20
Confidence | Optional | The confidence level (ranging from 1 to 100) indicating the likelihood that the URL(s) are of the reported indicator. These scores are assigned by ThreatStream based on several factors, and higher scores indicate greater confidence. By default, URLs with a confidence level of 50 or higher will be returned unless specified otherwise. | NOT AVAILABLE

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "objects": [
            {
                "source_created": null,
                "status": "active",
                "itype": "suspicious_ip",
                "expiration_ts": "2020-09-21T16:21:27Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "1.1.1.1",
                "is_public": false,
                "threat_type": "suspicious",
                "workgroups": [],
                "rdns": null,
                "confidence": 1,
                "uuid": "***-***-***-***-***",
                "retina_confidence": 1,
                "trusted_circle_ids": [
                    ***,
                    ***
                ],
                "id": ***,
                "source": "InThreat",
                "owner_organization_id": 2,
                "import_session_id": null,
                "source_modified": null,
                "type": "ip",
                "sort": "***",
                "description": null,
                "tags": [
                    {
                        "id": "gc0",
                        "name": "cinsscore"
                    }
                ],
                "threatscore": 19,
                "latitude": 37.7353,
                "modified_ts": "2020-06-23T16:46:58.273Z",
                "org": "Digital Ocean",
                "asn": "***",
                "created_ts": "2020-06-23T16:46:14.821Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "source_reported_confidence": 10,
                "can_add_public_tags": false,
                "longitude": -122.3732,
                "subtype": null,
                "meta": {
                    "detail2": "imported by user 668",
                    "severity": "medium"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            },
            {
                "source_created": null,
                "status": "active",
                "itype": "suspicious_ip",
                "expiration_ts": "2020-09-21T16:21:27Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "1.1.1.1",
                "is_public": false,
                "threat_type": "suspicious",
                "workgroups": [],
                "rdns": null,
                "confidence": 77,
                "uuid": "***-***-***-***-***",
                "retina_confidence": 1,
                "trusted_circle_ids": [
                    ***,
                    ***
                ],
                "id": ***,
                "source": "InThreat",
                "owner_organization_id": 2,
                "import_session_id": null,
                "source_modified": null,
                "type": "ip",
                "sort": "***",
                "description": null,
                "tags": [
                    {
                        "id": "1f8",
                        "name": "cinsscore"
                    }
                ],
                "threatscore": 1,
                "latitude": 37.7353,
                "modified_ts": "2020-06-23T16:46:58.205Z",
                "org": "Digital Ocean",
                "asn": "***",
                "created_ts": "2020-02-28T12:15:54.328Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "source_reported_confidence": 10,
                "can_add_public_tags": false,
                "longitude": -122.3732,
                "subtype": null,
                "meta": {
                    "detail2": "imported by user 668 Confirmed as false positive",
                    "severity": "medium"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            },
            {
                "source_created": null,
                "status": "active",
                "itype": "suspicious_ip",
                "expiration_ts": "2020-09-21T16:21:27Z",
                "ip": "1.1.1.1",
                "is_editable": false,
                "feed_id": ***,
                "update_id": ***,
                "value": "1.1.1.1",
                "is_public": false,
                "threat_type": "suspicious",
                "workgroups": [],
                "rdns": null,
                "confidence": 1,
                "uuid": "***-***-***-***-***",
                "retina_confidence": 1,
                "trusted_circle_ids": [
                    ***,
                    ***
                ],
                "id": ***,
                "source": "InThreat",
                "owner_organization_id": 2,
                "import_session_id": null,
                "source_modified": null,
                "type": "ip",
                "sort": "***",
                "description": null,
                "tags": [
                    {
                        "id": "adc",
                        "name": "cinsscore"
                    }
                ],
                "threatscore": 1,
                "latitude": 37.7353,
                "modified_ts": "2020-06-23T16:46:58.132Z",
                "org": "Digital Ocean",
                "asn": "***",
                "created_ts": "2020-06-23T16:46:14.844Z",
                "tlp": null,
                "is_anonymous": false,
                "country": "US",
                "source_reported_confidence": 10,
                "can_add_public_tags": false,
                "longitude": -122.3732,
                "subtype": null,
                "meta": {
                    "detail2": "imported by user 668",
                    "severity": "medium"
                },
                "resource_uri": "/api/v2/intelligence/***/"
            }
        ]
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.objects in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since Raw Data contains the complete API response. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
  {
              "source_created": null,
              "status": "active",
              "itype": "suspicious_ip",
              "expiration_ts": "2020-09-21T16:21:27Z",
              "ip": "1.1.1.1",
              "is_editable": false,
              "feed_id": ***,
              "update_id": ***,
              "value": "1.1.1.1",
              "is_public": false,
              "threat_type": "suspicious",
              "workgroups": [],
              "rdns": null,
              "confidence": 1,
              "uuid": "***-***-***-***-***",
              "retina_confidence": 1,
              "trusted_circle_ids": [
                  ***,
                  ***
              ],
              "id": ***,
              "source": "InThreat",
              "owner_organization_id": 2,
              "import_session_id": null,
              "source_modified": null,
              "type": "ip",
              "sort": "***",
              "description": null,
              "tags": [
                  {
                      "id": "gc0",
                      "name": "cinsscore"
                  }
              ],
              "threatscore": 19,
              "latitude": 37.7353,
              "modified_ts": "2020-06-23T16:46:58.273Z",
              "org": "Digital Ocean",
              "asn": "***",
              "created_ts": "2020-06-23T16:46:14.821Z",
              "tlp": null,
              "is_anonymous": false,
              "country": "US",
              "source_reported_confidence": 10,
              "can_add_public_tags": false,
              "longitude": -122.3732,
              "subtype": null,
              "meta": {
                  "detail2": "imported by user 668",
                  "severity": "medium"
              },
              "resource_uri": "/api/v2/intelligence/***/"
          },
          {
              "source_created": null,
              "status": "active",
              "itype": "suspicious_ip",
              "expiration_ts": "2020-09-21T16:21:27Z",
              "ip": "1.1.1.1",
              "is_editable": false,
              "feed_id": ***,
              "update_id": ***,
              "value": "1.1.1.1",
              "is_public": false,
              "threat_type": "suspicious",
              "workgroups": [],
              "rdns": null,
              "confidence": 77,
              "uuid": "***-***-***-***-***",
              "retina_confidence": 1,
              "trusted_circle_ids": [
                  ***,
                  ***
              ],
              "id": ***,
              "source": "InThreat",
              "owner_organization_id": 2,
              "import_session_id": null,
              "source_modified": null,
              "type": "ip",
              "sort": "***",
              "description": null,
              "tags": [
                  {
                      "id": "1f8",
                      "name": "cinsscore"
                  }
              ],
              "threatscore": 1,
              "latitude": 37.7353,
              "modified_ts": "2020-06-23T16:46:58.205Z",
              "org": "Digital Ocean",
              "asn": "***",
              "created_ts": "2020-02-28T12:15:54.328Z",
              "tlp": null,
              "is_anonymous": false,
              "country": "US",
              "source_reported_confidence": 10,
              "can_add_public_tags": false,
              "longitude": -122.3732,
              "subtype": null,
              "meta": {
                  "detail2": "imported by user 668 Confirmed as false positive",
                  "severity": "medium"
              },
              "resource_uri": "/api/v2/intelligence/***/"
          },
          {
              "source_created": null,
              "status": "active",
              "itype": "suspicious_ip",
              "expiration_ts": "2020-09-21T16:21:27Z",
              "ip": "1.1.1.1",
              "is_editable": false,
              "feed_id": ***,
              "update_id": ***,
              "value": "1.1.1.1",
              "is_public": false,
              "threat_type": "suspicious",
              "workgroups": [],
              "rdns": null,
              "confidence": 1,
              "uuid": "***-***-***-***-***",
              "retina_confidence": 1,
              "trusted_circle_ids": [
                  ***,
                  ***
              ],
              "id": ***,
              "source": "InThreat",
              "owner_organization_id": 2,
              "import_session_id": null,
              "source_modified": null,
              "type": "ip",
              "sort": "***",
              "description": null,
              "tags": [
                  {
                      "id": "adc",
                      "name": "cinsscore"
                  }
              ],
              "threatscore": 1,
              "latitude": 37.7353,
              "modified_ts": "2020-06-23T16:46:58.132Z",
              "org": "Digital Ocean",
              "asn": "***",
              "created_ts": "2020-06-23T16:46:14.844Z",
              "tlp": null,
              "is_anonymous": false,
              "country": "US",
              "source_reported_confidence": 10,
              "can_add_public_tags": false,
              "longitude": -122.3732,
              "subtype": null,
              "meta": {
                  "detail2": "imported by user 668",
                  "severity": "medium"
              },
              "resource_uri": "/api/v2/intelligence/***/"
          }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Indicators": [
        "1.1.1.1",
        "2.2.2.2"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Row 1:
SOURCE_CREATED:
STATUS: active
ITYPE: suspicious_ip
EXPIRATION_TS: 9/21/2020 4:21:27 PM
IP: 1.1.1.1
IS_EDITABLE: False
FEED_ID: ***
UPDATE_ID: ***
VALUE: 1.1.1.1
IS_PUBLIC: False
THREAT_TYPE: suspicious
WORKGROUPS: []
RDNS:
CONFIDENCE: 1
UUID: -***-***-***-***
RETINA_CONFIDENCE: 1
TRUSTED_CIRCLE_IDS: [***, ***]
ID: ***
SOURCE: InThreat
OWNER_ORGANIZATION_ID: 2
IMPORT_SESSION_ID:
SOURCE_MODIFIED:
TYPE: ip
SORT: ***
DESCRIPTION:
TAGS: [{"id": "gc0", "name": "cinsscore"}]
THREATSCORE: 1
LATITUDE: 37.7353
MODIFIED_TS: 6/23/2020 4:46:58 PM
ORG: Digital Ocean
ASN: ***
CREATED_TS: 6/23/2020 4:46:14 PM
TLP:
IS_ANONYMOUS: False
COUNTRY: US
SOURCE_REPORTED_CONFIDENCE: 10
CAN_ADD_PUBLIC_TAGS: False
LONGITUDE: -122.3732
SUBTYPE:
META: {"detail2": "imported by user 668", "severity": "medium"}
RESOURCE_URI: /api/v2/intelligence/***/

Row 2:
SOURCE_CREATED:
STATUS: active
ITYPE: suspicious_ip
EXPIRATION_TS: 9/21/2020 4:21:27 PM
IP: 1.1.1.1
IS_EDITABLE: False
FEED_ID: ***
UPDATE_ID: ***
VALUE: 1.1.1.1
IS_PUBLIC: False
THREAT_TYPE: suspicious
WORKGROUPS: []
RDNS:
CONFIDENCE: 1
UUID: -***-***-***-***
RETINA_CONFIDENCE: **
TRUSTED_CIRCLE_IDS: [***, ***]
ID: ***
SOURCE: InThreat
OWNER_ORGANIZATION_ID: 2
IMPORT_SESSION_ID:
SOURCE_MODIFIED:
TYPE: ip
SORT: ***
DESCRIPTION:
TAGS: [{"id": "1f8", "name": "cinsscore"}]
THREATSCORE: 1
LATITUDE: 37.7353
MODIFIED_TS: 6/23/2020 4:46:58 PM
ORG: Digital Ocean
ASN: ***
CREATED_TS: 2/28/2020 12:15:54 PM
TLP:
IS_ANONYMOUS: False
COUNTRY: US
SOURCE_REPORTED_CONFIDENCE: 10
CAN_ADD_PUBLIC_TAGS: False
LONGITUDE: -122.3732
SUBTYPE:
META: {"detail2": "imported by user 668 Confirmed as false positive", "severity": "medium"}
RESOURCE_URI: /api/v2/intelligence/***/

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Indicators failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: One or more errors occurred.

Error Sample Data

Get Indicators failed.

Status Code: 400.

Message: One or more errors occurred.

Get Passive DNS

Returns enrichment data for the specified domain, IP, and URL observables available on ThreatStream.

Input

Input Parameter | Required/Optional | Description | Example
iocs | Optional | The IOCs to perform the reputation check. IOCs can be IP addresses or domains. | ["1.1.1.1","2.2.2.2"]
Type | Optional | The type of IOCs entered. The available types are ip or domain. | ip
Limit | Optional | The maximum number of results to return. | 50

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "cached": true,
        "results": [
            {
                "domain": "domain",
                "ip": "1.1.1.1",
                "rrtype": "A",
                "source": "VirusTotal",
                "first_seen": "2019-04-04 23:03:09",
                "last_seen": "2019-04-04 23:03:09"
            },
            {
                "domain": "domain",
                "ip": "1.1.1.1",
                "rrtype": "A",
                "source": "VirusTotal",
                "first_seen": "2019-04-07 09:27:08",
                "last_seen": "2019-04-07 09:27:08"
            }
        ],
        "success": true
    },
    {
        "cached": true,
        "results": [
            {
                "domain": "domain",
                "ip": "1.1.1.1",
                "rrtype": "A",
                "source": "Anomali Labs",
                "first_seen": "2017-07-06 23:48:45",
                "last_seen": "2017-08-25 14:27:15"
            },
            {
                "domain": "domain",
                "ip": "1.1.1.1",
                "rrtype": "A",
                "source": "VirusTotal",
                "first_seen": "2018-08-17 21:01:55",
                "last_seen": "2018-08-17 21:01:55"
            }
        ],
        "success": true
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.results in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "domain": "domain",
        "ip": "1.1.1.1",
        "rrtype": "A",
        "source": "VirusTotal",
        "first_seen": "2019-04-04 23:03:09",
        "last_seen": "2019-04-04 23:03:09"
    },
    {
        "domain": "domain",
        "ip": "1.1.1.1",
        "rrtype": "A",
        "source": "VirusTotal",
        "first_seen": "2019-04-07 09:27:08",
        "last_seen": "2019-04-07 09:27:08"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "PassiveDNS": [
        {
            "IOC": "1.1.1.1",
            "PassiveDNS": [
                {
                    "domain": "domain",
                    "ip": "1.1.1.1"
                },
                {
                    "domain": "domain2",
                    "ip": "1.1.1"
                }
            ]
        },
        {
            "IOC": "1.1.1.1",
            "PassiveDNS": [
                {
                    "domain": "domain",
                    "ip": "1.1.1.1"
                },
                {
                    "domain": "domain2",
                    "ip": "2.2.2.2"
                }
            ]
        }
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
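As an added worked example (not part of the D3 SOAR documentation or the Anomali API), the following Python shows how the raw per-IOC responses above map onto the Context Data, Key Fields and Return Data shapes, and how a playbook condition can be evaluated on the result. The sample input is constructed; the pairing of raw entries to submitted IOCs by list position, the success=false plus "error" shape of a failed lookup, and the function names are assumptions, not documented behaviour.

```python
"""Added example (not D3 SOAR or Anomali code): post-process Get Passive DNS
raw responses into the Context Data, Key Fields and Return Data shapes the
documentation describes, and evaluate a playbook-style condition on them."""
from datetime import datetime, timedelta

# Constructed sample input, one raw entry per submitted IOC, in the documented
# Raw Data shape (cached / results / success). Assumption: the raw list is in the
# same order as the submitted IOCs, since the entries carry no IOC field.
# The third entry is a constructed failed lookup (assumption: success=false plus
# an "error" string) so the Partially Successful path is exercised.
IOCS = ["1.1.1.1", "2.2.2.2", "3.3.3.3"]
RAW = [
    {"cached": True, "success": True, "results": [
        {"domain": "example-a.test", "ip": "1.1.1.1", "rrtype": "A",
         "source": "VirusTotal",
         "first_seen": "2019-04-04 23:03:09", "last_seen": "2019-04-04 23:03:09"},
        {"domain": "example-b.test", "ip": "1.1.1.1", "rrtype": "A",
         "source": "Anomali Labs",
         "first_seen": "2017-07-06 23:48:45", "last_seen": "2017-08-25 14:27:15"},
    ]},
    {"cached": False, "success": True, "results": [
        {"domain": "example-c.test", "ip": "2.2.2.2", "rrtype": "A",
         "source": "VirusTotal",
         "first_seen": "2018-08-17 21:01:55", "last_seen": "2018-08-17 21:01:55"},
    ]},
    {"cached": False, "success": False, "results": [], "error": "rate limited"},
]

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # timestamp format used in the sample data


def context_data(raw):
    """Context Data as documented: everything under $.results, flattened across IOCs."""
    return [rec for entry in raw for rec in entry.get("results", [])]


def key_fields(iocs, raw):
    """Key Fields: one {"IOC", "PassiveDNS": [{"domain", "ip"}, ...]} per IOC that succeeded."""
    extracted = []
    for ioc, entry in zip(iocs, raw):
        if not entry.get("success"):
            continue  # a failed lookup contributes nothing to Key Fields
        pairs = [{"domain": r["domain"], "ip": r["ip"]} for r in entry.get("results", [])]
        extracted.append({"IOC": ioc, "PassiveDNS": pairs})
    return {"PassiveDNS": extracted}


def return_data(raw):
    """Return Data state: Successful, Partially Successful or Failed, per the array-input rule."""
    if not raw:
        return "Failed"  # no response from the API
    ok = sum(1 for entry in raw if entry.get("success"))
    if ok == len(raw):
        return "Successful"
    if ok == 0:
        return "Failed"
    return "Partially Successful"


def failed_iocs(iocs, raw):
    """IOCs whose lookup failed, with the error string, for the Error tab or a retry task."""
    return [(ioc, entry.get("error", "unknown error"))
            for ioc, entry in zip(iocs, raw) if not entry.get("success")]


def recently_resolved(raw, now, max_age_days):
    """Domains seen resolving to any queried IP within max_age_days of `now`:
    a typical conditional-task input (e.g. escalate only on fresh infrastructure)."""
    cutoff = now - timedelta(days=max_age_days)
    fresh = set()
    for rec in context_data(raw):
        if datetime.strptime(rec["last_seen"], DATE_FMT) >= cutoff:
            fresh.add(rec["domain"])
    return sorted(fresh)


if __name__ == "__main__":
    print(return_data(RAW))
    print(key_fields(IOCS, RAW))
    print(failed_iocs(IOCS, RAW))
    print(recently_resolved(RAW, datetime(2019, 4, 30), 30))
```

In a playbook, `return_data` is the value the conditional task branches on, `failed_iocs` is what you would feed a retry or notification task when the state is Partially Successful, and `recently_resolved` shows why the Raw Data (with its timestamps) rather than the trimmed Key Fields is the right input for age-based decisions.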
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

DOMAIN   IP       RRTYPE  SOURCE      FIRST_SEEN           LAST_SEEN
domain1  1.1.1.1  A       VirusTotal  2019-04-04 23:03:09  2019-04-04 23:03:09
domain2  2.2.2.2  A       VirusTotal  2019-04-07 09:27:08  2019-04-07 09:27:08

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Passive DNS failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Get Passive DNS failed.

Status Code: 400.

Message: One or more errors occurred.
