To connect to Anomali ThreatStream from D3 SOAR, please follow this part to collect the required information below:
Parameter
Description
Example
Server Url
The server URL of the Anomali instance.
https://api.threatstream.com
User Name
The user email address associated with your ThreatStream account.
username@example.com
API Key
The API key to authenticate the connection. You can reference your username and API Key on the My Profile tab within ThreatStream settings.
ed35****c16aefbb44953565adc17187****417b
API Version
The version of the API to use for the connection.
v1
Configuring D3 SOAR to Work with Anomali ThreatStream
Log in to D3 SOAR.
Find the Anomali ThreatStream integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Anomali ThreatStream in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Anomali ThreatStream.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System Reputation Check: Checking one or more reputation check tickboxes will run the corresponding check reputation command(s) under this integration connection to enrich the corresponding artifacts with reputation details.
For example, we are configuring an integration connection named “ConnectionA” with the site “Sandbox”. All IP artifacts from the “Sandbox” site will go through a reputation check using the Check IP Reputation command from that integration. The return data output from running the command will then be used to update the risk level of the artifacts which may affect the risk level of incoming events.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input your domain level Server URL. The default value is https://api.threatstream.com. 2. Input your User Name. 3. Input your API Key. 4. Input your API Version. The default value is v2.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmarkappear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click Add to create and add the configured connection.
Commands
Anomali ThreatStream includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $[*].objects in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.
The table below lists the possible output risk levels with the corresponding return key fields:
Return Data
Key Fields
1
High
2
Medium
3
Low
4
Default
5
ZeroRisk
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Check Domain Reputation failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: One or more errors occurred.
Error Sample Data
Check Domain Reputation failed.
Status Code: 400.
Message: One or more errors occurred.
Check Email Reputation
Retrieves the reputation of the specified email addresses that have been assigned to observables by ThreatStream's predictive analytics technology.
Reader Note
If the input email addresses are invalid, the command will run successfully with no returned results.
Input
Input Parameter
Required/Optional
Description
Example
Emails
Optional
The email addresses to perform the reputation check.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $[*].objects in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Check Email Reputation failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: One or more errors occurred.
Error Sample Data
Check Email Reputation failed.
Status Code: 400.
Message: One or more errors occurred.
Check File Reputation
Retrieves reputation of the specified files that have been assigned to observables by ThreatStream's predictive analytics technology.
Reader Note
If the input file hashes are invalid, the command will run successfully with no returned results. Note: Only SHA1 and MD5 hashes are supported.
Input
Input Parameter
Required/Optional
Description
Example
File Hashes
Optional
The file hashes to perform the reputation check. Note: SHA1 and MD5 hashes are supported.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $[*].objects in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.
The table below lists the possible output risk levels with the corresponding return Key Fields:
Return Data
Key Fields
1
High
2
Medium
3
Low
4
Default
5
ZeroRisk
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Check File Reputation failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: One or more errors occurred.
Error Sample Data
Check File Reputation failed.
Status Code: 400.
Message: One or more errors occurred.
Check IP Reputation
Retrieves reputation of the specified IP addresses that have been assigned to observables by ThreatStream's predictive analytics technology.
Reader Note
If the input IP addresses are invalid, the command will run successfully with no returned results.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $[*].objects in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.
The table below lists the possible output risk levels with the corresponding return Key Fields:
Return Data
Key Fields
1
High
2
Medium
3
Low
4
Default
5
ZeroRisk
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Check IP Reputation failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: One or more errors occurred.
Error Sample Data
Check IP Reputation failed.
Status Code: 400.
Message: One or more errors occurred.
Check URL Reputation
Retrieves the reputation of the specified URLs that have been assigned to observables by ThreatStream's predictive analytics technology.
Input
Input Parameter
Required/Optional
Description
Example
URLs
Required
The URLs to perform the reputation check.
["http://www.test.com/"]
Status
Optional
The status (i.e. Active, Inactive, or All) assigned to the URL(s). If this parameter is not specified, the API will return only the URLs with the Active status.
All
Confidence
Optional
The lower limit of the range of confidence scores, which can vary between 1 and 100, to filter the URLs to perform the reputation check. For instance, if you input 50, URLs with a confidence level between 50 and 100 will be checked, and if you input 30, URLs with a confidence level between 30 and 100 will be checked.
Confidence scores indicate the likelihood that the URL(s) are of the reported indicator. These scores are assigned by ThreatStream based on several factors, and higher scores indicate greater confidence. By default, URLs with a confidence level of 50 or higher will be returned unless specified otherwise.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
URL
TOTAL
POSITIVES
RISKLEVEL
RISKSCORE
RISKLEVELNAME
http://www.test.com/
1
1
1
1/1
High
D3-defined Risk Levels
The table below lists the possible output risk levels with the corresponding return Key Fields:
Return Data
Key Fields
1
High
2
Medium
3
Low
4
Default
5
ZeroRisk
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Check URL Reputation failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: One or more errors occurred.
Error Sample Data
Check URL Reputation failed.
Status Code: 400.
Message: One or more errors occurred.
Get Indicators
Retrieves indicators and their corresponding information based on the given query conditions.
Input
Input Parameter
Required/Optional
Description
Example
URLs
Required
The URLs to perform the reputation check.
["http://www.test.com/"]
Query
Optional
The query statement to filter results.
status=active=suspicious_ip=created_ts
Status
Optional
The status (i.e. Active, Inactive, or All) assigned to the URL(s). If this parameter is not specified, the API will return only the URLs with the Active status.
Active
Limit
Optional
The maximum number of indicators to return.
20
Confidence
Optional
The confidence level (ranging from 1 to 100) indicating the likelihood that the URL(s) are of the reported indicator. These scores are assigned by ThreatStream based on several factors, and higher scores indicate greater confidence. By default, URLs with a confidence level of 50 or higher will be returned unless specified otherwise.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.objects in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"Indicators": [
"1.1.1.1",
"2.2.2.2"
]
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
SOURCE_CREATED
STATUS
ITYPE
EXPIRATION_TS
IP
IS_EDITABLE
FEED_ID
UPDATE_ID
VALUE
IS_PUBLIC
THREAT_TYPE
WORKGROUPS
RDNS
CONFIDENCE
UUID
RETINA_CONFIDENCE
TRUSTED_CIRCLE_IDS
ID
SOURCE
OWNER_ORGANIZATION_ID
IMPORT_SESSION_ID
SOURCE_MODIFIED
TYPE
SORT
DESCRIPTION
TAGS
THREATSCORE
LATITUDE
MODIFIED_TS
ORG
ASN
CREATED_TS
TLP
IS_ANONYMOUS
COUNTRY
SOURCE_REPORTED_CONFIDENCE
CAN_ADD_PUBLIC_TAGS
LONGITUDE
SUBTYPE
META
RESOURCE_URI
active
suspicious_ip
9/21/2020 4:21:27 PM
1.1.1.1
False
1.1.1.1
False
suspicious
[]
1
-***-***-***-***
1
[
,
]
InThreat
2
ip
[ { ";id";: ";gc0";, ";name";: ";cinsscore"; } ]
1
37.7353
6/23/2020 4:46:58 PM
Digital Ocean
6/23/2020 4:46:14 PM
False
US
10
False
-122.3732
{ ";detail2";: ";imported by user 668";, ";severity";: ";medium"; }
/api/v2/intelligence/***/
active
suspicious_ip
9/21/2020 4:21:27 PM
1.1.1.1
False
1.1.1.1
False
suspicious
[]
1
-***-***-***-***
**
[
,
]
InThreat
2
ip
[ { ";id";: ";1f8";, ";name";: ";cinsscore"; } ]
1
37.7353
6/23/2020 4:46:58 PM
Digital Ocean
2/28/2020 12:15:54 PM
False
US
10
False
-122.3732
{ ";detail2";: ";imported by user 668 Confirmed as false positive";, ";severity";: ";medium"; }
/api/v2/intelligence/***/
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Indicators failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: One or more errors occurred.
Error Sample Data
Get Indicators failed.
Status Code: 400.
Message: One or more errors occurred.
Get Passive DNS
Returns enrichment data for the specified domain, IP, and URL observables available on ThreatStream.
Input
Input Parameter
Required/Optional
Description
Example
iocs
Optional
The IOCs to perform the reputation check. IOCs can be IP addresses or domains.
["1.1.1.1","2.2.2.2"]
Type
Optional
The type of IOCs entered. The avaiable types are ip or domain.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.results in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
DOMAIN
IP
RRTYPE
SOURCE
FIRST_SEEN
LAST_SEEN
domain1
1.1.1.1
A
VirusTotal
2019-04-04 23:03:09
2019-04-04 23:03:09
domain2
2.2.2.2
A
VirusTotal
2019-04-07 09:27:08
2019-04-07 09:27:08
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Passive DNS failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Anomali ThreatStream portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: One or more errors occurred.
Error Sample Data
Get Passive DNS failed.
Status Code: 400.
Message: One or more errors occurred.
JavaScript errors detected
Please note, these errors can depend on your browser setup.
If this problem persists, please contact our support.