# Anomali Threat Stream v1

The Anomali Threat Stream v1 connector allows users to integrate threat intelligence capabilities into their security operations, enabling automated actions such as report retrieval, threat model management, and sandbox submissions.

Anomali Threat Stream v1 is a comprehensive threat intelligence platform that enables security professionals to detect, investigate, and respond to emerging threats. This connector allows Swimlane Turbine users to integrate real-time threat intelligence into their security workflows, enhancing their ability to tag, create, and manage threat models, as well as analyze and submit files or URLs for sandbox analysis. By leveraging Anomali's rich intelligence data, users can automate threat detection and response, streamline investigations, and improve their overall security posture.

## Prerequisites

To effectively utilize the Anomali Threat Stream v1 connector with Turbine, ensure you have the following prerequisites.

API key authentication with the following parameters:

- URL: the endpoint URL for the Anomali Threat Stream API
- API key: your unique identifier to authenticate with the Anomali Threat Stream API
- API user: the username associated with your Anomali Threat Stream account

## Capabilities

The Anomali ThreatStream connector has the following capabilities:

- Add Tag to Model
- Create Model
- Get Analysis Report
- Get Analysis Status
- Get Indicators by Model
- Get Model Description
- Get Model List
- Get Passive DNS
- Submit to Sandbox
- Update Model

## Task Setup

### Submit to Sandbox

`report_radio-platform`: the platform on which the submitted URL or file will be detonated. The following platforms are supported:

- For organizations using the default Threat Stream sandbox (Cuckoo): WINDOWS7
- For organizations using the Threat Stream Joe Sandbox offering: MACOSX, WINDOWS7, WINDOWS7OFFICE2010, WINDOWS10x64
- For organizations using Joe Sandbox via an individual subscription: ANDROID4.4, ANDROID5.1, ANDROID6.0, MACOSX, WINDOWSXP, WINDOWSXPNATIVE, WINDOWS7, WINDOWS7NATIVE, WINDOWS7OFFICE2010, WINDOWS7OFFICE2013, WINDOWS10, WINDOWS10x64, MACOSXVM, LINUX, ANDROID9.0

### Indicator Types

The following table lists all available indicator types in ThreatStream. The severity values listed in the table are the default severity values that Anomali assigns to observables of a given indicator type. The default values are not displayed in the following cases:

- when the severity value assigned to the observable by the source is used;
- when users modify the assigned value while editing observables that belong to their organization on ThreatStream.

| Indicator Type | Name | Type | Severity | Description | Example |
| --- | --- | --- | --- | --- | --- |
| actor_ip | Actor IP | ip | Low | IP address associated with a system involved in malicious activity | `itype="actor_ip"` |
| actor_ipv6 | Actor IPv6 | ip | Low | IPv6 address associated with a system involved in malicious activity | `itype="actor_ipv6"` |
| actor_subject | Actor Subject Line | string | High | Subject from an email associated with a threat actor | `itype="actor_subject"` |
| adware_domain | Adware Domain | domain | Low | A domain name associated with adware or other potentially unwanted applications (PUA) | `itype="adware_domain"` |
| adware_registry_key | Adware Registry Key | string | Low | A registry key associated with adware or other potentially unwanted applications (PUA) | `itype="adware_registry_key"` |
| anon_proxy | Anonymous Proxy IP | ip | Low | IP address of the system on which anonymous proxy software is hosted | `itype="anon_proxy"` |
| anon_proxy_ipv6 | Anonymous Proxy IPv6 | ip | Low | IPv6 address of the system on which anonymous proxy software is hosted | `itype="anon_proxy_ipv6"` |
| anon_vpn | Anonymous VPN IP | ip | Low | IP address associated with commercial or free virtual private networks (VPN) | `itype="anon_vpn"` |
| anon_vpn_ipv6 | Anonymous VPN IPv6 | ip | Low | IPv6 address associated with commercial or free virtual private networks (VPN) | `itype="anon_vpn_ipv6"` |
| apt_domain | APT Domain | domain | Very High | Domain name associated with a known advanced persistent threat (APT) actor, used for command and control, launching exploits, or data exfiltration | `itype="apt_domain"` |
| apt_email | APT Email | email | High | Email address used by a known advanced persistent threat (APT) actor for sending targeted, spear-phishing emails | `itype="apt_email"` |
| apt_email_subject_line | APT Email Subject Line | string | High | Subject from an email associated with an advanced persistent threat (APT) actor | `itype="apt_email_subject_line"` |
| apt_file_name | APT File Name | string | Very High | Name of a file used by a known advanced persistent threat (APT) actor | `itype="apt_file_name"` |
| apt_file_path | APT File Path | string | Very High | File path used by a known advanced persistent threat (APT) actor | `itype="apt_file_path"` |
| apt_ip | APT IP | ip | Very High | IP address associated with a known advanced persistent threat (APT) actor for command and control, data exfiltration, or targeted exploitation | `itype="apt_ip"` |
| apt_ipv6 | APT IPv6 | ip | Very High | IPv6 address associated with a known advanced persistent threat (APT) actor for command and control, data exfiltration, or targeted exploitation | `itype="apt_ipv6"` |
| apt_md5 | APT File Hash | hash | Very High | MD5 or SHA hash of a malware sample used by a known advanced persistent threat (APT) actor | `itype="apt_md5"` |
| apt_mta | APT Mail Transfer Agent | string | Very High | Mail transfer agent used by a known advanced persistent threat (APT) actor | `itype="apt_mta"` |
| apt_mutex | APT Mutex | string | Very High | Mutex used by a known advanced persistent threat (APT) actor | `itype="apt_mutex"` |
| apt_registry_key | APT Registry | string | Very High | Registry key used by a known advanced persistent threat (APT) actor | `itype="apt_registry_key"` |
| apt_service_description | APT Service Description | string | Very High | Service description used by a known advanced persistent threat (APT) actor | `itype="apt_service_description"` |
| apt_service_displayname | APT Service Display Name | string | Very High | Service display name used by a known advanced persistent threat (APT) actor | `itype="apt_service_displayname"` |
| apt_service_name | APT Service Name | string | Very High | Service name used by a known advanced persistent threat (APT) actor | `itype="apt_service_name"` |
| apt_ssdeep | APT ssdeep Hash | string | Very High | ssdeep hash used by a known advanced persistent threat (APT) actor | `itype="apt_ssdeep"` |
| apt_subject | APT Subject Line | string | High | Email subject line used by a known advanced persistent threat (APT) actor | `itype="apt_subject"` |
| apt_ua | APT User Agent | string | High | User agent string used by a known advanced persistent threat (APT) actor | `itype="apt_ua"` |
| apt_url | APT URL | url | Very High | URL used by a known advanced persistent threat (APT) actor for command and control, launching web-based exploits, or data exfiltration | `itype="apt_url"` |
| bot_ip | Infected Bot IP | ip | Low | IP address of an infected machine acting as an autonomous bot | `itype="bot_ip"` |
| bot_ipv6 | Infected Bot IPv6 | ip | Low | IPv6 address of an infected machine acting as an autonomous bot | `itype="bot_ipv6"` |
| brute_ip | Brute Force IP | ip | Low | IP address associated with password brute-force activity | `itype="brute_ip"` |
| brute_ipv6 | Brute Force IPv6 | ip | Low | IPv6 address associated with password brute-force activity | `itype="brute_ipv6"` |
| c2_domain | Malware C&C Domain Name | domain | High | Domain name used by malware for command and control communication | `itype="c2_domain"` |
| c2_ip | Malware C&C IP Address | ip | High | IP address used by malware for command and control communication | `itype="c2_ip"` |
| c2_ipv6 | Malware C&C IPv6 Address | ip | High | IPv6 address used by malware for command and control communication | `itype="c2_ipv6"` |
| c2_url | Malware C&C URL | url | High | URL used by malware for command and control communication | `itype="c2_url"` |
| comm_proxy_domain | Commercial Webproxy Domain | domain | Low | Domain of the system on which commercial proxy software is hosted | `itype="comm_proxy_domain"` |
| comm_proxy_ip | Commercial Webproxy IP | ip | Low | IP address of the system on which commercial proxy software is hosted | `itype="comm_proxy_ip"` |
| compromised_domain | Compromised Domain | domain | Low | Domain name of a website or server that has been compromised | `itype="compromised_domain"` |
| compromised_email | Compromised Account Email | email | Low | Email address that has been compromised and/or taken over by a threat actor | `itype="compromised_email"` |
| compromised_email_subject | Compromised Email Subject | string | Low | Email subject from a known compromised email address | `itype="compromised_email_subject"` |
| compromised_ip | Compromised IP | ip | Low | IP address of a website or server that has been compromised | `itype="compromised_ip"` |
| compromised_ipv6 | Compromised IPv6 | ip | Low | IPv6 address of a website or server that has been compromised | `itype="compromised_ipv6"` |
| compromised_serv_account | Compromised Service Account | string | Low | Account information associated with a service account that has been compromised and/or taken over by a threat actor | `itype="compromised_serv_account"` |
| compromised_url | Compromised URL | url | Medium | URL of a website or server that has been compromised | `itype="compromised_url"` |
| crypto_hash | Cryptocurrency Mining Software | hash | High | File hash for cryptocurrency mining software | `itype="crypto_hash"` |
| crypto_ip | Cryptocurrency IP | ip | High | IP address associated with cryptocurrency mining software | `itype="crypto_ip"` |
| crypto_pool | Cryptocurrency Pool Domain | domain | High | Domain for a cryptocurrency pool | `itype="crypto_pool"` |
| crypto_url | Cryptocurrency URL | url | High | URL where cryptocurrency mining software is hosted | `itype="crypto_url"` |
| crypto_wallet | Cryptocurrency Wallet Address | string | Very High | Public or private cryptocurrency wallet key | `itype="crypto_wallet"` |
| ddos_ip | DDoS IP | ip | Low | IP address associated with distributed denial of service (DDoS) attacks | `itype="ddos_ip"` |
| ddos_ipv6 | DDoS IPv6 | ip | Low | IPv6 address associated with distributed denial of service (DDoS) attacks | `itype="ddos_ipv6"` |
| disposable_email_domain | Disposable Email Domain | domain | Low | Domain associated with disposable email activity | `itype="disposable_email_domain"` |
| dyn_dns | Dynamic DNS | domain | Low | Domain name used for hosting dynamic DNS services | `itype="dyn_dns"` |
| email_attachment_subject | Email Attachment Subject | string | Low | Email subject from a known compromised email attachment | `itype="email_attachment_subject"` |
| exfil_domain | Data Exfiltration Domain | domain | High | Domain name associated with the infrastructure used for data exfiltration | `itype="exfil_domain"` |
| exfil_ip | Data Exfiltration IP | ip | High | IP address used for data exfiltration | `itype="exfil_ip"` |
| exfil_ipv6 | Data Exfiltration IPv6 | ip | High | IPv6 address used for data exfiltration | `itype="exfil_ipv6"` |
| exfil_url | Data Exfiltration URL | url | High | URL used for data exfiltration | `itype="exfil_url"` |
| exploit_domain | Exploit Kit Domain | domain | Very High | Domain name associated with the web server hosting an exploit kit or launching web-based exploits | `itype="exploit_domain"` |
| exploit_ip | Exploit Kit IP | ip | High | IP address associated with the web server hosting an exploit kit or launching web-based exploits | `itype="exploit_ip"` |
| exploit_ipv6 | Exploit Kit IPv6 | ip | High | IPv6 address associated with the web server hosting an exploit kit or launching web-based exploits | `itype="exploit_ipv6"` |
| exploit_url | Exploit Kit URL | url | Very High | URL used for launching web-based exploits | `itype="exploit_url"` |
| fraud_domain | Fraud Domain | domain | High | Domain associated with fraudulent activity | `itype="fraud_domain"` |
| fraud_email | Fraud Email | email | Low | Email address associated with fraudulent activity | `itype="fraud_email"` |
| fraud_email_subject | Fraud Email Subject | string | Medium | Subject from an email associated with fraud activity | `itype="fraud_email_subject"` |
| fraud_ip | Fraud IP Address | ip | High | IP address associated with fraudulent activity | `itype="fraud_ip"` |
| fraud_md5 | Fraud Hash | hash | Very High | Hash associated with fraudulent activity | `itype="fraud_md5"` |
| fraud_url | Fraud URL | url | Medium | URL associated with fraudulent activity | `itype="fraud_url"` |
| free_email_domain | Free Email Domain | domain | Low | Domain associated with free email service activity | `itype="free_email_domain"` |
| geolocation_url | IP Geolocation URL | url | Low | URL that can be used to provide IP geolocation services | `itype="geolocation_url"` |
| hack_tool | Hacking Tool | string | High | Name of general hacking software tools used by threat actors | `itype="hack_tool"` |
| hack_tool_md5 | Hack Tool File Hash | hash | Very High | MD5 or SHA hash of general hacking software tools used by threat actors | `itype="hack_tool_md5"` |
| i2p_ip | I2P IP Address | ip | Low | IP address observed to be connecting to the I2P (Invisible Internet Project) network | `itype="i2p_ip"` |
| i2p_ipv6 | I2P IPv6 Address | ip | Low | IPv6 address observed to be connecting to the I2P (Invisible Internet Project) network | `itype="i2p_ipv6"` |
| ipcheck_url | IP Check URL | url | Low | URL that can be used to provide IP checking services, such as echoing the internet-facing IP address of the client | `itype="ipcheck_url"` |
| mal_domain | Malware Domain | domain | Very High | Domain contacted by a malware sample, either for command and control commands or to check if the client is online | `itype="mal_domain"` |
| mal_email | Malware Email | email | Low | Email address used to send malware through malicious links or attachments | `itype="mal_email"` |
| mal_email_subject | Malware Email Subject | string | Medium | Subject from an email associated with malware activity | `itype="mal_email_subject"` |
| mal_file_name | Malware File Name | string | Very High | File name of a malware sample | `itype="mal_file_name"` |
| mal_file_path | Malware File Path | string | Very High | File path of a malware sample | `itype="mal_file_path"` |
| mal_ip | Malware C&C IP | ip | Very High | IP address contacted by a malware sample, either for command and control commands or to check if the client is online | `itype="mal_ip"` |
| mal_ipv6 | Malware C&C IPv6 | ip | Very High | IPv6 address contacted by a malware sample, either for command and control commands or to check if the client is online | `itype="mal_ipv6"` |
| mal_md5 | Malware File Hash | hash | Very High | MD5 or SHA hash of a malware sample | `itype="mal_md5"` |
| mal_mutex | Malware Mutex | string | Very High | Mutex of a malware sample | `itype="mal_mutex"` |
| mal_registry_key | Malware Registry Key | string | High | Registry key of a malware sample | `itype="mal_registry_key"` |
| mal_service_description | Malware Service Description | string | Very High | Service description associated with the malware sample | `itype="mal_service_description"` |
| mal_service_displayname | Malware Service Display Name | string | Very High | Service display name associated with the malware sample | `itype="mal_service_displayname"` |
| mal_service_name | Malware Service Name | string | Very High | Service name associated with the malware sample | `itype="mal_service_name"` |
| mal_ssdeep | Malware ssdeep Hash | string | Very High | ssdeep hash associated with the malware sample | `itype="mal_ssdeep"` |
| mal_sslcert_sha1 | SSL Certificate Hash | hash | High | MD5 or SHA hash of an SSL certificate associated with malware or botnet activities | `itype="mal_sslcert_sha1"` |
| mal_ua | Malware User Agent | string | Low | User agent string used by a malware sample when communicating via HTTP | `itype="mal_ua"` |
| mal_url | Malware URL | url | Very High | URL contacted by a malware sample when run on an infected host | `itype="mal_url"` |
| p2pcnc | Peer-to-Peer C&C IP Address | ip | Medium | IP address associated with a peer-to-peer command and control infrastructure | `itype="p2pcnc"` |
| p2pcnc_ipv6 | Peer-to-Peer C&C IPv6 Address | ip | Medium | IPv6 address associated with a peer-to-peer command and control infrastructure | `itype="p2pcnc_ipv6"` |
| parked_domain | Parked Domain | domain | Low | A domain name of a website which is currently parked | `itype="parked_domain"` |
| parked_ip | Domain Parking IP | ip | Low | An IP address used for parking newly registered or inactive domain names | `itype="parked_ip"` |
| parked_ipv6 | Domain Parking IPv6 | ip | Low | An IPv6 address used for parking newly registered or inactive domain names | `itype="parked_ipv6"` |
| parked_url | Parked URL | url | Low | A URL of a website that is currently parked | `itype="parked_url"` |
| pastesite_url | Paste Site URL | url | Low | A URL that can be used for sharing pastes or text content anonymously | `itype="pastesite_url"` |
| phish_domain | Phishing Domain | domain | Very High | A domain used to perform phishing or spear-phishing attacks, or contained in a phishing email | `itype="phish_domain"` |
| phish_email | Phishing Email Address | email | Very High | An email address associated with sending phishing or spear-phishing emails to victims | `itype="phish_email"` |
| phish_email_subject | Phishing Email Subject | string | High | Subject from an email associated with phishing activity | `itype="phish_email_subject"` |
| phish_ip | Phishing IP Address | ip | Very High | IP address that has been used to perform phishing or spear phishing, or is contained in a phishing email | `itype="phish_ip"` |
| phish_ipv6 | Phishing IPv6 Address | ip | Very High | IPv6 address that has been used to perform phishing or spear phishing, or is contained in a phishing email | `itype="phish_ipv6"` |
| phish_md5 | Phishing File Hash | hash | Very High | Hash related to a file used to perform phishing or spear-phishing attacks, or contained in a phishing email | `itype="phish_md5"` |
| phish_url | Phishing URL | url | Very High | A URL used to perform phishing or spear-phishing attacks, or contained in a phishing email | `itype="phish_url"` |
| proxy_ip | Open Proxy IP | ip | Low | IP address hosting open or anonymous proxy software that allows users to hide their IP address from the target | `itype="proxy_ip"` |
| proxy_ipv6 | Open Proxy IPv6 | ip | Low | IPv6 address hosting open or anonymous proxy software that allows users to hide their IP address from the target | `itype="proxy_ipv6"` |
| scan_ip | Scanning IP | ip | Medium | IP address observed to perform port scanning and vulnerability scanning activities | `itype="scan_ip"` |
| scan_ipv6 | Scanning IPv6 | ip | Medium | IPv6 address observed to perform port scanning and vulnerability scanning activities | `itype="scan_ipv6"` |
| sinkhole_domain | Sinkhole Domain | domain | Low | A domain name that researchers or security companies typically sinkhole | `itype="sinkhole_domain"` |
| sinkhole_ip | Sinkhole IP | ip | Low | An IP address that is known to be used to sinkhole malicious domain names | `itype="sinkhole_ip"` |
| sinkhole_ipv6 | Sinkhole IPv6 | ip | Low | An IPv6 address that is known to be used to sinkhole malicious domain names | `itype="sinkhole_ipv6"` |
| social_media_url | Social Media URL | url | Medium | URL related to social media activity. This indicator type is provided by select feeds and cannot be imported through the ThreatStream user interface. | `itype="social_media_url"` |
| spam_domain | Spam Domain | domain | Low | A malicious domain name contained in spam email messages | `itype="spam_domain"` |
| spam_email | Spammer Email Address | email | Low | Email address that has been observed sending spam emails | `itype="spam_email"` |
| spam_email_subject | Spam Email Subject | string | Low | Subject from an email associated with spam activity | `itype="spam_email_subject"` |
| spam_ip | Spammer IP | ip | Low | An IP address that is known to send spam emails | `itype="spam_ip"` |
| spam_ipv6 | Spammer IPv6 | ip | Low | An IPv6 address that is known to send spam emails | `itype="spam_ipv6"` |
| spam_mta | Spam Mail Transfer Agent | string | Low | Mail transfer agent known to be associated with spam emails | `itype="spam_mta"` |
| spam_url | Spam URL | url | Low | A malicious URL contained in spam email messages | `itype="spam_url"` |
| speedtest_url | Speed Test URL | url | Low | A URL that can be used to run internet speed tests or bandwidth measurements of the client's network connection | `itype="speedtest_url"` |
| ssh_ip | SSH Brute Force IP | ip | Low | IP addresses associated with SSH brute-force attempts | `itype="ssh_ip"` |
| ssh_ipv6 | SSH Brute Force IPv6 | ip | Low | IPv6 addresses associated with SSH brute-force attempts | `itype="ssh_ipv6"` |
| ssl_cert_serial_number | SSL Certificate Serial Number | string | Low | Serial number, unique to the TLS certificate issuer, that identifies the entity being signed | `itype="ssl_cert_serial_number"` |
| suppress | Suppress | n/a | n/a | Not a true indicator type; used by ArcSight for suppressing false positives. Default severity: n/a | `itype="suppress"` |
| suspicious_domain | Suspicious Domain | domain | Medium | A domain name that appears to be registered for suspect reasons, but may not be associated with known malicious activity yet | `itype="suspicious_domain"` |
| suspicious_email | Suspicious Email | email | Low | An email address that appears to be used for suspect reasons, but may not be associated with known malicious activity yet | `itype="suspicious_email"` |
| suspicious_email_subject | Suspicious Email Subject | string | Low | Email subject from a suspicious email address | `itype="suspicious_email_subject"` |
| suspicious_ip | Suspicious IP | ip | Medium | An IP address that appears to be registered for suspect reasons, but may not be associated with known malicious activity yet | `itype="suspicious_ip"` |
| suspicious_reg_email | Suspicious Registrant Email | email | Low | A registrant email address that appears to be used for suspect reasons, but may not be associated with known malicious activity yet | `itype="suspicious_reg_email"` |
| suspicious_url | Suspicious URL | url | Medium | A URL that appears to be registered for suspect reasons, but may not be associated with known malicious activity yet | `itype="suspicious_url"` |
| tor_ip | TOR Node IP | ip | Low | An IP address operating as part of The Onion Router (TOR) network, also known as a TOR exit node | `itype="tor_ip"` |
| tor_ipv6 | TOR Node IPv6 | ip | Low | An IPv6 address operating as part of The Onion Router (TOR) network, also known as a TOR exit node | `itype="tor_ipv6"` |
| torrent_tracker_url | Torrent Tracker URL | url | Low | A URL used for tracking BitTorrent file transfer activity | `itype="torrent_tracker_url"` |
| vpn_domain | Anonymous VPN Domain | domain | Low | A domain name associated with commercial or free virtual private networks (VPN) | `itype="vpn_domain"` |
| vps_ip | Cloud Server IP | ip | Low | An IP address that is used for hosting virtual private servers (VPS) or other server rentals | `itype="vps_ip"` |
| vps_ipv6 | Cloud Server IPv6 | ip | Low | An IPv6 address that is used for hosting virtual private servers (VPS) or other server rentals | `itype="vps_ipv6"` |
| whois_bulk_reg_email | WHOIS Bulk Registrant Email | email | Low | A registrant email address associated with a privacy domain purchased from WHOIS | `itype="whois_bulk_reg_email"` |
| whois_privacy_domain | WHOIS Privacy Email Domain | domain | Low | Privacy domain purchased from WHOIS | `itype="whois_privacy_domain"` |
| whois_privacy_email | WHOIS Privacy Email | email | Low | Email address associated with a privacy domain purchased from WHOIS | `itype="whois_privacy_email"` |

### Threat Type

During the import process, ThreatStream uses machine learning to assign indicator types to imported observables based on the threat type you select. The following table lists all available threat types in ThreatStream, together with the indicator types with which they are associated.

| Threat Type | Name | Example | Associated Indicator Types |
| --- | --- | --- | --- |
| adware | Adware | `threat_type="adware"` | adware_domain |
| anomalous | Anomalous | `threat_type="anomalous"` | geolocation_url, ipcheck_url, speedtest_url |
| anonymization | Anonymization | `threat_type="anonymization"` | anon_proxy, anon_proxy_ipv6, anon_vpn, anon_vpn_ipv6, proxy_ip, proxy_ipv6, vpn_domain |
| apt | APT | `threat_type="apt"` | apt_domain, apt_email, apt_email_subject, apt_file_name, apt_file_path, apt_ip, apt_ipv6, apt_md5, apt_mta, apt_mutex, apt_registry_key, apt_service_description, apt_service_displayname, apt_service_name, apt_ssdeep, apt_subject, apt_ua, apt_url |
| bot | Bot | `threat_type="bot"` | bot_ip, bot_ipv6 |
| brute | Brute | `threat_type="brute"` | brute_ip, brute_ipv6, ssh_ip, ssh_ipv6 |
| c2 | C2 | `threat_type="c2"` | c2_domain, c2_ip, c2_ipv6, c2_url |
| compromised | Compromised | `threat_type="compromised"` | compromised_domain, compromised_email, compromised_email_subject, compromised_ip, compromised_ipv6, compromised_url |
| crypto | Crypto | `threat_type="crypto"` | crypto_hash, crypto_ip, crypto_pool, crypto_url, crypto_wallet |
| data_leakage | Data Leakage | `threat_type="data_leakage"` | pastesite_url |
| ddos | DDoS | `threat_type="ddos"` | ddos_ip, ddos_ipv6 |
| dyn_dns | Dynamic DNS | `threat_type="dyn_dns"` | dyn_dns |
| exfil | Exfil | `threat_type="exfil"` | exfil_domain, exfil_ip, exfil_ipv6, exfil_url |
| exploit | Exploit | `threat_type="exploit"` | exploit_domain, exploit_ip, exploit_ipv6, exploit_url |
| fraud | Fraud | `threat_type="fraud"` | fraud_domain, fraud_email, fraud_email_subject, fraud_ip, fraud_md5, fraud_url |
| hack_tool | Hacking Tool | `threat_type="hack_tool"` | hack_tool |
| i2p | I2P | `threat_type="i2p"` | i2p_ip, i2p_ipv6 |
| informational | Informational | `threat_type="informational"` | comm_proxy_domain, comm_proxy_ip, disposable_email_domain, free_email_domain, passphrase, ssl_cert_serial_number, whois_bulk_reg_email, whois_privacy_domain, whois_privacy_email |
| malware | Malware | `threat_type="malware"` | mal_domain, mal_email, mal_email_subject, email_attachment_subject, mal_file_name, mal_file_path, mal_ip, mal_ipv6, mal_md5, mal_mutex, mal_registry_key, mal_service_description, mal_service_displayname, mal_service_name, mal_ssdeep, mal_sslcert_sha1, mal_ua, mal_url |
| p2p | P2P | `threat_type="p2p"` | actor_ip, actor_ipv6, actor_subject, p2pcnc, p2pcnc_ipv6, torrent_tracker_url |
| parked | Parked | `threat_type="parked"` | parked_domain, parked_ip, parked_ipv6, parked_url |
| phish | Phish | `threat_type="phish"` | phish_domain, phish_email, phish_email_subject, phish_ip, phish_ipv6, phish_url |
| scan | Scan | `threat_type="scan"` | scan_ip, scan_ipv6 |
| sinkhole | Sinkhole | `threat_type="sinkhole"` | sinkhole_domain, sinkhole_ip, sinkhole_ipv6 |
| spam | Spam | `threat_type="spam"` | adware_registry_key, spam_domain, spam_email, spam_email_subject, spam_ip, spam_ipv6, spam_mta, spam_url |
| suppress | Suppress | `threat_type="suppress"` | suppress |
| suspicious | Suspicious | `threat_type="suspicious"` | suspicious_domain, suspicious_email, suspicious_email_subject, suspicious_ip, suspicious_reg_email, suspicious_url |
| tor | TOR | `threat_type="tor"` | tor_ip, tor_ipv6 |
| vps | VPS | `threat_type="vps"` | vps_ip, vps_ipv6 |

## Configurations

### Anomali ThreatStream v1 API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| x_apikey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |
| api_user | API user used for authentication | string | required |

## Actions

### Add Tag to Model

Adds tags to a specific intelligence model in Anomali Threat Stream v1, aiding in filtering for related entities.

Endpoint URL: `/api/v1/{{model}}/{{model_id}}/tag`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.model | string | required | The type of threat model entity on which you are adding the tag (actor, campaign, incident, intelligence (observables), signature, tipreport, ttp, or vulnerability) |
| path_parameters.model_id | number | required | The ID of the threat model entity or tag |
| data_body | object | required | Response data |
| data_body.ids | number | optional | Unique IDs of the threat model entities or observables to which you are adding tags |
| data_body.tags | array | required | Tags applied to the specified threat model entities or observables |
| data_body.tags.name | string | required | The value of the tag you want to add |
| data_body.tags.tlp | string | required | The visibility setting for the tag. Possible values include red (visible to your organization only) and white (visible to all ThreatStream users with access to the data) |

Input example:

```json
{"path_parameters": {"model": "incident", "model_id": 130}, "data_body": {"ids": 34, "tags": [{"name": "test", "tlp": "red"}]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Create Model

Creates a threat model in Anomali Threat Stream v1 using the specified path parameters and JSON body content.

Endpoint URL: `/api/v1/{{model}}`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.model | string | required | The type of threat model to create. Can be "actor", "campaign", "incident", "ttp", "vulnerability", or "tipreport". Possible values are actor, campaign, incident, ttp, vulnerability, tipreport |
| data_body | object | optional | Response data |
| data_body.name | string | required | The name of the threat model to create |
| data_body.is_public | boolean | optional | Whether the scope of the threat model is visible. Possible values are true, false. Default is false |
| data_body.tlp | string | optional | The Traffic Light Protocol designation for the threat model. Can be "red", "amber", "green", or "white". Possible values are red, amber, green, white. Default is red |
| data_body.tags | array | optional | A comma-separated list of tags |
| data_body.tags.name | string | optional | The value of the tag you want to add |
| data_body.tags.tlp | string | optional | The visibility setting for the tag. Possible values include red (visible to your organization only) and white (visible to all ThreatStream users with access to the data) |
| data_body.description | string | optional | The description of the threat model |
| data_body.intelligence | number | optional | A comma-separated list of indicator IDs associated with the threat model on the ThreatStream platform |

Input example:

```json
{"path_parameters": {"model": "incident"}, "data_body": {"name": "new created actor 1", "is_public": false, "tlp": "red", "tags": [{"name": "test", "tlp": "red"}], "description": "description of the actor threat model", "intelligence": 191431508}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatstream | object | Output field |
| threatstream.model | object | Output field |
| threatstream.model.indicators | array | Output field |
| threatstream.model.indicators.asn | string | Output field |
| threatstream.model.indicators.confidence | number | Unique identifier |
| threatstream.model.indicators.country | object | Output field |
| threatstream.model.indicators.id | number | Unique identifier |
| threatstream.model.indicators.itype | string | Type of the resource |
| threatstream.model.indicators.modified | string | Output field |
| threatstream.model.indicators.organization | string | Output field |
| threatstream.model.indicators.severity | string | Output field |
| threatstream.model.indicators.source | string | Output field |
| threatstream.model.indicators.status | string | Status value |
| threatstream.model.indicators.tags | object | Output field |
| threatstream.model.indicators.type | string | Type of the resource |
| threatstream.model.indicators.value | string | Value for the parameter |
| threatstream.model.modelid | string | Unique identifier |
| threatstream.model.modeltype | string | Type of the resource |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"threatstream": {"model": {}}}}
```

### Get Analysis Report

Retrieves the analysis report for a submitted file or URL in Anomali Threat Stream using the specified report ID.

Endpoint URL: `/api/v1/submit/{{report_id}}/report`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.report_id | number | required | The report ID to return |

Input example:

```json
{"path_parameters": {"report_id": 12414}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatstream | object | Output field |
| threatstream.analysis | object | Output field |
| threatstream.analysis.category | string | Output field |
| threatstream.analysis.completed | string | Output field |
| threatstream.analysis.duration | number | Output field |
| threatstream.analysis.network | array | Output field |
| threatstream.analysis.network.udpdestinaton | string | Output field |
| threatstream.analysis.network.udpport | number | Output field |
| threatstream.analysis.network.udpsource | string | Output field |
| threatstream.analysis.network.hosts | string | Output field |
| threatstream.analysis.reportid | string | Unique identifier |
| threatstream.analysis.started | string | Output field |
| threatstream.analysis.verdict | string | Output field |
| threatstream.analysis.vmid | string | Unique identifier |
| threatstream.analysis.vmname | string | Name of the resource |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"threatstream": {"analysis": {}}}}
```

### Get Analysis Status

Retrieves the current status of a sandbox report in Anomali Threat Stream using the report ID.

Endpoint URL: `/api/v1/submit/{{report_id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.report_id | number | required | The report ID whose status to check |

Input example:

```json
{"path_parameters": {"report_id": 12414}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatstream | object | Output field |
| threatstream.analysis | object | Output field |
| threatstream.analysis.platform | string | Output field |
| threatstream.analysis.reportid | string | Unique identifier |
| threatstream.analysis.status | string | Status value |
| threatstream.analysis.verdict | string | Output field |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"threatstream": {"analysis": {}}}}
```

### Get Indicators by Model

Retrieves a list of indicators linked to a specific model and its ID in Anomali Threat Stream v1.

Endpoint URL: `/api/v1/{{model}}/{{id}}/intelligence`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.model | string | required | The threat model of the returned list. Possible values are actor, campaign, incident, signature, ttp, vulnerability, tipreport, malware, attack pattern |
| path_parameters.id | string | required | The threat model ID |

Input example:

```json
{"path_parameters": {"model": "actor", "id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatstream | object | Output field |
| threatstream.model | object | Output field |
| threatstream.model.indicators | array | Output field |
| threatstream.model.indicators.asn | string | Output field |
| threatstream.model.indicators.confidence | number | Unique identifier |
| threatstream.model.indicators.country | object | Output field |
| threatstream.model.indicators.id | number | Unique identifier |
| threatstream.model.indicators.itype | string | Type of the resource |
| threatstream.model.indicators.modified | string | Output field |
| threatstream.model.indicators.organization | string | Output field |
| threatstream.model.indicators.severity | string | Output field |
| threatstream.model.indicators.source | string | Output field |
| threatstream.model.indicators.status | string | Status value |
| threatstream.model.indicators.tags | string | Output field |
| threatstream.model.indicators.type | string | Type of the resource |
| threatstream.model.indicators.value | string | Value for the parameter |
| threatstream.model.modelid | string | Unique identifier |
| threatstream.model.modeltype | string | Type of the resource |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"threatstream": {"model": {}}}}
```

### Get Model Description

Retrieves an HTML file detailing the threat model from Anomali Threat Stream; requires the model and ID path parameters.

Endpoint URL: `/api/v1/{{model}}/{{id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.model | string | required | The threat model. Can be "actor", "campaign", "incident", "signature", "ttp", "vulnerability", or "tipreport". Possible values are actor, campaign, incident, signature, ttp, vulnerability, tipreport |
| path_parameters.id | string | required | The threat model ID |

Input example:

```json
{"path_parameters": {"model": "actor", "id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Output field |
| file.entryid | string | Unique identifier |
| file.extension | string | Output field |
| file.info | string | Output field |
| file.md5 | string | Output field |
| file.name | string | Name of the resource |
| file.sha1 | string | Output field |
| file.sha256 | string | Output field |
| file.sha512 | string | Output field |
| file.ssdeep | string | Output field |
| file.size | number | Output field |
| file.type | string | Type of the resource |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"file": {"entryid": "3171@3c9bd2a0-9eac-465b-8799-459df4997b2d", "extension"
```
"html","info" "text/html; charset=utf 8","md5" "18d7610f85c1216e78c59cbde5c470d9","name" "actor 1 html","sha1" "c778f72fd7799108db427f632ca6b2bb07c9bde4","sha256" "6d06bdc613490216373e2b189c8d41143974c7a128da26e8fc4ba4f45a7e718b","sha512" "989b0ae32b61b3b5a7ea1c3 get model list retrieves a list of threat models from anomali threat stream v1 based on the specified model path parameter endpoint url /api/v1/{{model}} method get input argument name type required description path parameters model string required the threat model of the returned list possible values are actor, campaign, incident, signature, ttp, vulnerability, tipreport, malware, attack pattern input example {"path parameters" {"model" "actor"}} output parameter type description status code number http status code of the response reason string response reason phrase threatstream object output field threatstream threatstream list array output field threatstream list threatstream list createdtime string time value threatstream list id number unique identifier threatstream list name string name of the resource threatstream list type string type of the resource output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "tue, 19 dec 2023 20 37 23 gmt"},"reason" "ok","json body" {"threatstream" {"list" \[]}}} get passive dns retrieve enrichment data for domains, ips, and urls from anomali threat stream v1 using specified observables endpoint url /api/v1/pdns/{{domain}}/{{observable value}} method get input argument name type required description path parameters domain string required the type of passive dns search ("ip", "domain") possible values are ip, domain default is ip path parameters observable value string required the values that can be sent to the api should correspond to the type that is chosen for example, if ip is chosen in the type argument, then a valid ip address should be sent in the value argument input example {"path parameters" 
{"domain" "ip","observable value" "observable value"}} output parameter type description status code number http status code of the response reason string response reason phrase threatstream object output field threatstream threatstream passivedns array output field threatstream passivedns threatstream passivedns domain string output field threatstream passivedns domain threatstream passivedns firstseen string output field threatstream passivedns firstseen threatstream passivedns ip string output field threatstream passivedns ip threatstream passivedns lastseen string output field threatstream passivedns lastseen threatstream passivedns rrtype string type of the resource threatstream passivedns source string output field threatstream passivedns source output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "tue, 19 dec 2023 20 37 23 gmt"},"reason" "ok","json body" {"threatstream" {"passivedns" \[]}}} submit to sandbox submit a file or url to the anomali threat stream hosted sandbox for analysis and detonation endpoint url /api/v1/submit/new method post input argument name type required description form data object optional response data form data file has password boolean optional if using joe sandbox to detonate a file, set this attribute to true if the file is password protected you must specify the password using the file password attribute do not specify a value for the attribute if using cuckoo or vmray for detonation form data file password string optional if detonating a password protected file on joe sandbox, use this attribute to specify the value of the password you must set file has password to true if using this attribute form data import indicators boolean optional if you want to initiate an import job for observables discovered during detonation, set this value to true form data report radio classification string optional classification of the sandbox submission—public or private form data 
report radio notes string optional a comma separated list that provides additional details for imported observables this information is displayed in the tag column of the threatstream ui for example, "credential exposure,compromised email" form data report radio platform string optional platform on which the submitted url or file will be detonated form data report radio url string optional specify the url that you want to detonate form data report radio file object optional specify the file that you want to detonate form data report radio file file string required response data form data report radio file file name string required response data form data trusted circles string optional id of the trusted circle to which the sandbox data should be associated if you want to specify multiple trusted circles, enter the list of comma separated ids form data use premium sandbox boolean optional if you want to use the joe sandbox service for detonation, set this attribute to true if no value is set for use premium sandbox, the default cuckoo sandbox is used cuckoo and threatstream joe sandbox services are limited to 150 submissions per day form data use vmray sandbox boolean optional if you want to use the vmray sandbox service for detonation, set this attribute to true if no value is set for use premium sandbox or use vmray sandbox, the default cuckoo sandbox is used you must have an active vmray integration on threatstream in order to use the vmray sandbox service form data vmray max jobs number optional specify the number of detonations you want vmray to perform for the submission if you specify a number greater than 1, vmray performs the detonations on different platforms a sandbox report is created on threatstream for each detonation that returns results only specify a value for this attribute if use vmray sandbox is set to true input example {"form data" {"file has password"\ false,"file password" "password","import indicators"\ true,"report radio classification" 
"public","report radio notes" "credential exposure","report radio platform" "windows7","report radio url" "https //example com","report radio file" \[],"trusted circles" "13","use premium sandbox"\ true,"use vmray sandbox"\ true,"vmray max jobs" 3}} output parameter type description status code number http status code of the response reason string response reason phrase threatstream object output field threatstream threatstream analysis object output field threatstream analysis threatstream analysis platform string output field threatstream analysis platform threatstream analysis reportid number unique identifier threatstream analysis status string status value output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "tue, 19 dec 2023 20 37 23 gmt"},"reason" "ok","json body" {"threatstream" {"analysis" {}}}} update model updates a specific threat model in anomali threat stream v1 using model and model id path parameters, with the option to override previous data endpoint url /api/v1/{{model}}/{{model id}} method patch input argument name type required description path parameters model string required the type of threat model to update can be "actor", "campaign", "incident", "ttp", "vulnerability", or "tipreport" possible values are actor, campaign, incident, ttp, vulnerability, tipreport path parameters model id number required the id of the threat model to update data body object required response data data body name string optional the name of the threat model to update data body is public boolean optional whether the scope of threat model is visible possible values are true, false default is false data body tlp string optional the traffic light protocol designation for the threat model can be "red", "amber", "green", or "white" possible values are red, amber, green, white default is red data body tags array optional a comma separated list of tags data body tags name string optional response data data 
body tags tlp string optional response data data body description string optional the description of the threat model data body intelligence number optional a comma separated list of indicator ids associated with the threat model on the threatstream platform input example {"path parameters" {"model" "incident","model id" 26769},"data body" {"name" "new created actor 1","is public"\ false,"tlp" "red","tags" \[{"name" "test","tlp" "red"}],"description" "description of the actor threat model ","intelligence" 191431508}} output parameter type description status code number http status code of the response reason string response reason phrase threatstream object output field threatstream threatstream model object output field threatstream model threatstream model indicators array output field threatstream model indicators threatstream model indicators asn string output field threatstream model indicators asn threatstream model indicators confidence number unique identifier threatstream model indicators country object output field threatstream model indicators country threatstream model indicators id number unique identifier threatstream model indicators itype string type of the resource threatstream model indicators modified string output field threatstream model indicators modified threatstream model indicators organization string output field threatstream model indicators organization threatstream model indicators severity string output field threatstream model indicators severity threatstream model indicators source string output field threatstream model indicators source threatstream model indicators status string status value threatstream model indicators tags object output field threatstream model indicators tags threatstream model indicators type string type of the resource threatstream model indicators value string value for the parameter threatstream model modelid string unique identifier threatstream model modeltype string type of the resource output example 
{"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "tue, 19 dec 2023 20 37 23 gmt"},"reason" "ok","json body" {"threatstream" {"model" {}}}} response headers header description example content length the length of the response body in bytes 140 content type the media type of the resource application/json date the date and time at which the message was originated tue, 19 dec 2023 20 37 23 gmt
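The Submit to Sandbox parameters above carry several interdependencies (`file_password` needs `file_has_password`, which is Joe Sandbox only; `vmray_max_jobs` needs `use_vmray_sandbox`), and a detonation is only useful once Get Analysis Status reports it finished and Get Analysis Report returns the verdict. The following is an added example, not code from the connector or from Anomali: it checks a `form_data` payload against those documented rules and then drives the submit, status and report calls through an injectable transport so the whole sequence runs offline. The field names restore the underscores the page lost, the exact upstream spelling of those names and the in-flight status value `processing` are assumptions, and the transport responses are constructed to match the output shapes documented above.

```python
"""Added example, not code from the Anomali connector: validate a Submit to
Sandbox form_data payload, then run submit -> status -> report through an
injectable transport so the flow executes offline."""
from __future__ import annotations

from typing import Any, Callable, Optional

# transport(method, path, payload) -> parsed JSON body of the response
Transport = Callable[[str, str, Optional[dict]], dict]

CLASSIFICATIONS = {"public", "private"}


def validate_submission(form: dict[str, Any]) -> list[str]:
    """Return every documented constraint that ``form`` violates (empty = ok)."""
    errors: list[str] = []
    premium = bool(form.get("use_premium_sandbox"))
    vmray = bool(form.get("use_vmray_sandbox"))

    classification = form.get("report_radio_classification")
    if classification is not None and classification not in CLASSIFICATIONS:
        errors.append("report_radio_classification must be public or private")

    # The action detonates a URL or a file; an empty list counts as no file.
    has_url = bool(form.get("report_radio_url"))
    has_file = bool(form.get("report_radio_file"))
    if has_url == has_file:
        errors.append("provide exactly one of report_radio_url or report_radio_file")

    # Password handling is Joe Sandbox only, and the two fields go together.
    if form.get("file_has_password") and not premium:
        errors.append("file_has_password is only valid with use_premium_sandbox")
    if form.get("file_password") is not None and not form.get("file_has_password"):
        errors.append("file_password requires file_has_password=true")

    # vmray_max_jobs is meaningful only for a VMRay detonation.
    if "vmray_max_jobs" in form and not vmray:
        errors.append("vmray_max_jobs requires use_vmray_sandbox=true")
    if vmray and int(form.get("vmray_max_jobs", 1)) < 1:
        errors.append("vmray_max_jobs must be at least 1")

    # The page defines no precedence when both sandbox flags are set; insisting
    # on one is this example's own policy, not a documented rule.
    if premium and vmray:
        errors.append("set only one of use_premium_sandbox or use_vmray_sandbox")
    return errors


def run_detonation(transport: Transport, form: dict[str, Any],
                   max_polls: int = 10) -> dict[str, Any]:
    """Submit, poll Get Analysis Status until the status leaves "processing"
    (assumed in-flight value; the page only documents a status string), then
    fetch the report and return the verdict with the raw report."""
    errors = validate_submission(form)
    if errors:
        raise ValueError("; ".join(errors))
    submitted = transport("POST", "/api/v1/submit/new", {"form_data": form})
    report_id = submitted["threatstream"]["analysis"]["reportid"]
    for polls in range(1, max_polls + 1):
        analysis = transport("GET", f"/api/v1/submit/{report_id}", None)["threatstream"]["analysis"]
        if analysis["status"] != "processing":
            break
    else:
        raise TimeoutError(f"report {report_id} still processing after {max_polls} polls")
    report = transport("GET", f"/api/v1/submit/{report_id}/report", None)["threatstream"]["analysis"]
    return {"report_id": report_id, "polls": polls, "status": analysis["status"],
            "verdict": report.get("verdict"), "report": report}


def fake_transport(statuses: list[str], verdict: str) -> Transport:
    """Constructed stand-in for the connector's HTTP layer: replays ``statuses``
    for Get Analysis Status (the last value repeats) and returns canned bodies
    shaped like the output examples above."""
    queue = list(statuses)

    def call(method: str, path: str, payload: Optional[dict]) -> dict:
        if method == "POST" and path == "/api/v1/submit/new":
            platform = (payload or {}).get("form_data", {}).get("report_radio_platform")
            return {"threatstream": {"analysis": {"reportid": 12414, "status": queue[0],
                                                   "platform": platform}}}
        if path.endswith("/report"):
            return {"threatstream": {"analysis": {"reportid": "12414", "verdict": verdict,
                                                   "category": "url", "duration": 180,
                                                   "network": [{"hosts": "203.0.113.7"}]}}}
        status = queue.pop(0) if len(queue) > 1 else queue[0]
        return {"threatstream": {"analysis": {"reportid": "12414", "platform": "windows7",
                                               "status": status, "verdict": verdict}}}
    return call


def raises(exc: type, fn: Callable[..., Any], *args: Any, **kwargs: Any) -> bool:
    """True if fn(*args, **kwargs) raises ``exc``; used by the checks below."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False


PAGE_EXAMPLE = {  # the Submit to Sandbox input example documented above
    "file_has_password": False, "file_password": "password", "import_indicators": True,
    "report_radio_classification": "public", "report_radio_notes": "credential exposure",
    "report_radio_platform": "windows7", "report_radio_url": "https://example.com",
    "report_radio_file": [], "trusted_circles": "13", "use_premium_sandbox": True,
    "use_vmray_sandbox": True, "vmray_max_jobs": 3,
}
PRIVATE_URL_SUBMISSION = {  # constructed: a minimal submission that passes every rule
    "report_radio_classification": "private", "report_radio_platform": "windows7",
    "report_radio_url": "https://example.com", "import_indicators": False,
}

if __name__ == "__main__":
    print(validate_submission(PAGE_EXAMPLE))
    print(run_detonation(fake_transport(["processing", "processing", "success"], "malicious"),
                         PRIVATE_URL_SUBMISSION))
```

Run against the page's own input example, the validator flags the `file_password` set while `file_has_password` is false and the two sandbox flags set at once. When wiring this into a Turbine playbook, keep `report_radio_classification` at `private` unless the sample is safe to share, and bound the polling loop as `run_detonation` does so a stuck report cannot hang the workflow.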
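Every model action above and Get Passive DNS interpolate caller-supplied values straight into the URL path (`/api/v1/{{model}}/{{id}}`, `/api/v1/pdns/{{domain}}/{{observable_value}}`), and the allowed `model` values differ per action (Update Model and Get Model Description accept fewer types than Get Model List). The following is an added example, not code from the connector or from Anomali: it builds those paths, rejects model types and observables the page does not allow, and percent-encodes each segment so an indicator value or id containing `/` or `..` cannot rewrite the route. The per-action model lists are taken from this page; the `Authorization: apikey user:key` header format in `auth_headers` is an assumption about the upstream API that the page does not document.

```python
"""Added example, not code from the Anomali connector: safe path building and
input validation for the model and passive DNS GET endpoints documented above."""
from __future__ import annotations

import ipaddress
import re
from typing import Any, Callable
from urllib.parse import quote

# Model types each action accepts, as documented on this page.
MODELS = {
    "get_model_list": {"actor", "campaign", "incident", "signature", "ttp",
                       "vulnerability", "tipreport", "malware", "attack pattern"},
    "get_indicators_by_model": {"actor", "campaign", "incident", "signature", "ttp",
                                "vulnerability", "tipreport", "malware", "attack pattern"},
    "get_model_description": {"actor", "campaign", "incident", "signature", "ttp",
                              "vulnerability", "tipreport"},
    "update_model": {"actor", "campaign", "incident", "ttp", "vulnerability", "tipreport"},
}
PDNS_TYPES = {"ip", "domain"}
# Hostname: 1-63 char labels of [a-z0-9-], no leading/trailing '-', at least one dot.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def segment(value: Any) -> str:
    """Encode one path segment: '/', '?' and '#' become percent escapes, and the
    bare dot segments that could walk the path are rejected outright."""
    text = str(value)
    if text in ("", ".", ".."):
        raise ValueError(f"invalid path segment {text!r}")
    return quote(text, safe="")


def model_path(action: str, model: str, model_id: Any = None) -> str:
    """Path for Get Model List, Get Indicators by Model, Get Model Description or
    Update Model, checking the model type against that action's allowed list."""
    allowed = MODELS[action]
    if model not in allowed:
        raise ValueError(f"{action} does not accept model {model!r}; allowed: {sorted(allowed)}")
    path = f"/api/v1/{segment(model)}"
    if action != "get_model_list":
        if model_id is None:
            raise ValueError(f"{action} requires a model id")
        path += f"/{segment(model_id)}"
    if action == "get_indicators_by_model":
        path += "/intelligence"
    return path


def pdns_path(kind: str, observable: str) -> str:
    """Path for Get Passive DNS; the observable must match the chosen type."""
    if kind not in PDNS_TYPES:
        raise ValueError("passive DNS type must be ip or domain")
    if kind == "ip":
        ipaddress.ip_address(observable)  # raises ValueError for anything but an IP
    elif not _HOSTNAME.match(observable.lower()):
        raise ValueError(f"{observable!r} is not a valid domain name")
    return f"/api/v1/pdns/{kind}/{segment(observable)}"


def auth_headers(api_user: str, api_key: str) -> dict[str, str]:
    """Credential header for the api_user / api_key prerequisites. The
    'apikey user:key' scheme is an assumption about the upstream API."""
    return {"Authorization": f"apikey {api_user}:{api_key}", "Accept": "application/json"}


def rejects(fn: Callable[..., Any], *args: Any) -> bool:
    """True if fn(*args) raises ValueError; used by the checks below."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(model_path("get_indicators_by_model", "actor", "1"))
    # A hostile id stays inside its own segment instead of re-routing the request.
    print(model_path("get_indicators_by_model", "actor", "1/../../submit/new"))
    print(pdns_path("domain", "example.com"))
```

The traversal case is the one to remember: without `quote(..., safe="")` an id of `1/../../submit/new` would turn a read-only Get Indicators by Model call into a request against the sandbox submission endpoint, so validate and encode path parameters before they reach the connector rather than trusting whatever the playbook passes in.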