# Anomali ThreatStream v1

The Anomali ThreatStream v1 connector allows users to integrate threat intelligence capabilities into their security operations, enabling automated actions such as report retrieval, threat model management, and sandbox submissions.

Anomali ThreatStream v1 is a comprehensive threat intelligence platform that enables security professionals to detect, investigate, and respond to emerging threats. This connector allows Swimlane Turbine users to integrate real-time threat intelligence into their security workflows, enhancing their ability to tag, create, and manage threat models, as well as analyze and submit files or URLs for sandbox analysis. By leveraging Anomali's rich intelligence data, users can automate threat detection and response, streamline investigations, and improve their overall security posture.

## Prerequisites

To effectively utilize the Anomali ThreatStream v1 connector with Turbine, ensure you have the following prerequisites:

- API Key Authentication with the following parameters:
  - URL: the endpoint URL for the Anomali ThreatStream API
  - API Key: your unique identifier to authenticate with the Anomali ThreatStream API
  - API User: the username associated with your Anomali ThreatStream account

## Capabilities

The Anomali ThreatStream connector has the following capabilities:

- Add Tag to Model
- Create Model
- Get Analysis Report
- Get Analysis Status
- Get Indicators by Model
- Get Model Description
- Get Model List
- Get Passive DNS
- Submit to Sandbox
- Update Model

## Task Setup

### Submit to Sandbox

`report_radio_platform`: platform on which the submitted URL or file will be detonated. The following platforms are supported:

- For organizations using the default ThreatStream sandbox (Cuckoo): windows7
- For organizations using the ThreatStream Joe Sandbox offering: macosx, windows7, windows7office2010, windows10x64
- For organizations using Joe Sandbox via an individual subscription: android4.4, android5.1, android6.0, macosx, windowsxp, windowsxpnative, windows7, windows7native, windows7office2010, windows7office2013, windows10, windows10x64, macosxvm, linux, android9.0

## Indicator Types

The following table lists all available indicator types in ThreatStream. The severity values listed in the table below represent the default severity values that Anomali assigns to observables of a given indicator type. However, default values are not displayed in the following cases:

- when severity values assigned to observables by the source are used;
- when users modify the assigned value while editing observables that belong to their organizations on ThreatStream.

| Indicator Type | Name | Type | Severity | Description | Example |
| --- | --- | --- | --- | --- | --- |
| actor_ip | Actor IP | ip | low | IP address associated with a system involved in malicious activity | itype="actor_ip" |
| actor_ipv6 | Actor IPv6 | ip | low | IPv6 address associated with a system involved in malicious activity | itype="actor_ipv6" |
| actor_subject | Actor Subject Line | string | high | Subject from an email associated with a threat actor | itype="actor_subject" |
| adware_domain | Adware Domain | domain | low | A domain name associated with adware or other potentially unwanted applications (PUA) | itype="adware_domain" |
| adware_registry_key | Adware Registry Key | string | low | A registry key associated with adware or other potentially unwanted applications (PUA) | itype="adware_registry_key" |
| anon_proxy | Anonymous Proxy IP | ip | low | IP address of the system on which anonymous proxy software is hosted | itype="anon_proxy" |
| anon_proxy_ipv6 | Anonymous Proxy IPv6 | ip | low | IPv6 address of the system on which anonymous proxy software is hosted | itype="anon_proxy_ipv6" |
| anon_vpn | Anonymous VPN IP | ip | low | IP address associated with commercial or free virtual private networks (VPN) | itype="anon_vpn" |
| anon_vpn_ipv6 | Anonymous | ip | low | IPv6 address associated with commercial or free virtual private networks (VPN) | itype="anon_vpn_ipv6" |
| apt_domain | APT Domain | domain | very high | Domain name associated with a known advanced persistent threat (APT) actor, used for command and control, launching exploits, or data exfiltration | itype="apt_domain" |
| apt_email | APT Email | email | high | Email address used by a known advanced persistent threat (APT) actor for sending targeted, spear-phishing emails | itype="apt_email" |
| apt_email_subject_line | APT Email Subject Line | string | high | Subject from an email associated with an advanced persistent threat (APT) actor | itype="apt_email_subject_line" |
| apt_file_name | APT File Name | string | very high | Name of a file used by a known advanced persistent threat (APT) actor | itype="apt_file_name" |
| apt_file_path | APT File Path | string | very high | File path used by a known advanced persistent threat (APT) actor | itype="apt_file_path" |
| apt_ip | APT IP | ip | very high | IP address associated with a known advanced persistent threat (APT) actor for command and control, data exfiltration, or targeted exploitation | itype="apt_ip" |
| apt_ipv6 | APT IPv6 | ip | very high | IPv6 address associated with a known advanced persistent threat (APT) actor for command and control, data exfiltration, or targeted exploitation | itype="apt_ipv6" |
| apt_md5 | APT File Hash | hash | very high | MD5 or SHA hash of a malware sample used by a known advanced persistent threat (APT) actor | itype="apt_md5" |
| apt_mta | APT Mail Transfer Agent | string | very high | Mail transfer agent used by a known advanced persistent threat (APT) actor | itype="apt_mta" |
| apt_mutex | APT Mutex | string | very high | Mutex used by a known advanced persistent threat (APT) actor | itype="apt_mutex" |
| apt_registry_key | APT Registry | string | very high | Registry key used by a known advanced persistent threat (APT) actor | itype="apt_registry_key" |
| apt_service_description | APT Service Description | string | very high | Description used by a known advanced persistent threat (APT) actor | itype="apt_service_description" |
| apt_service_displayname | APT Service Display Name | string | very high | Service display name used by a known advanced persistent threat (APT) actor | itype="apt_service_displayname" |
| apt_service_name | APT Service Name | string | very high | Service name used by a known advanced persistent threat (APT) actor | itype="apt_service_name" |
| apt_ssdeep | APT ssdeep Hash | string | very high | ssdeep hash used by a known advanced persistent threat (APT) actor | itype="apt_ssdeep" |
| apt_subject | APT Subject Line | string | high | Email subject line used by a known advanced persistent threat (APT) actor | itype="apt_subject" |

## Threat Type

During the import process, ThreatStream uses machine learning to assign indicator types to imported observables based on the threat type you select. The following table lists all available threat types in ThreatStream, in addition to the indicator types with which they are associated.

| Threat Type | Name | Example | Associated Indicator Types |
| --- | --- | --- | --- |
| adware | Adware | threat_type="adware" | adware_domain |
| anomalous | Anomalous | threat_type="anomalous" | geolocation_url, ipcheck_url, speedtest_url |
| anonymization | Anonymization | threat_type="anonymization" | anon_proxy, anon_proxy_ipv6, anon_vpn, anon_vpn_ipv6, proxy_ip, proxy_ipv6, vpn_domain |
| apt | APT | threat_type="apt" | apt_domain, apt_email, apt_email_subject, apt_file_name, apt_file_path, apt_ip, apt_ipv6, apt_md5, apt_mta, apt_mutex, apt_registry_key, apt_service_description, apt_service_displayname, apt_service_name, apt_ssdeep, apt_subject, apt_ua, apt_url |
| bot | Bot | threat_type="bot" | bot_ip, bot_ipv6 |
| brute | Brute | threat_type="brute" | brute_ip, brute_ipv6, ssh_ip, ssh_ipv6 |
| c2 | C2 | threat_type="c2" | c2_domain, c2_ip, c2_ipv6, c2_url |
| compromised | Compromised | threat_type="compromised" | compromised_domain, compromised_email, compromised_email_subject, compromised_ip, compromised_ipv6, compromised_url |
| crypto | Crypto | threat_type="crypto" | crypto_hash, crypto_ip, crypto_pool, crypto_url, crypto_wallet |
| data_leakage | Data Leakage | threat_type="data_leakage" | pastesite_url |
| ddos | DDoS | threat_type="ddos" | ddos_ip, ddos_ipv6 |
| dyn_dns | Dynamic DNS | threat_type="dyn_dns" | dyn_dns |
| exfil | Exfil | threat_type="exfil" | exfil_domain, exfil_ip, exfil_ipv6, exfil_url |
| exploit | Exploit | threat_type="exploit" | exploit_domain, exploit_ip, exploit_ipv6, exploit_url |
| fraud | Fraud | threat_type="fraud" | fraud_domain, fraud_email, fraud_email_subject, fraud_ip, fraud_md5, fraud_url |
| hack_tool | Hacking Tool | threat_type="hack_tool" | hack_tool |
| i2p | I2P | threat_type="i2p" | i2p_ip, i2p_ipv6 |
| informational | Informational | threat_type="informational" | comm_proxy_domain, comm_proxy_ip, disposable_email_domain, free_email_domain, passphrase, ssl_cert_serial_number, whois_bulk_reg_email, whois_privacy_domain, whois_privacy_email |
| malware | Malware | threat_type="malware" | mal_domain, mal_email, mal_email_subject, email_attachment_subject, mal_file_name, mal_file_path, mal_ip, mal_ipv6, mal_md5, mal_mutex, mal_registry_key, mal_service_description, mal_service_displayname, mal_service_name, mal_ssdeep, mal_sslcert_sha1, mal_ua, mal_url |
| p2p | P2P | threat_type="p2p" | actor_ip, actor_ipv6, actor_subject, p2pcnc, p2pcnc_ipv6, torrent_tracker_url |
| parked | Parked | threat_type="parked" | parked_domain, parked_ip, parked_ipv6, parked_url |
| phish | Phish | threat_type="phish" | phish_domain, phish_email, phish_email_subject, phish_ip, phish_ipv6, phish_url |
| scan | Scan | threat_type="scan" | scan_ip, scan_ipv6 |
| sinkhole | Sinkhole | threat_type="sinkhole" | sinkhole_domain, sinkhole_ip, sinkhole_ipv6 |
| spam | Spam | threat_type="spam" | adware_registry_key, spam_domain, spam_email, spam_email_subject, spam_ip, spam_ipv6, spam_mta, spam_url |

## Configurations

### Anomali ThreatStream v1 API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| x_apikey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |
| api_user | API user used for authentication | string | required |

## Actions

### Add Tag to Model

Adds tags to a specific intelligence model in Anomali ThreatStream v1, aiding in filtering for related entities.

Endpoint URL: `/api/v1/{{model}}/{{model_id}}/tag`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| model | string | required | The type of threat model entity on which you are adding the tag (actor, campaign, incident, intelligence (observables), signature, tipreport, ttp, or vulnerability) |
| model_id | number | required | The ID of the threat model entity or tag |
| data_body | object | required | Response data |
| ids | number | optional | Unique IDs of the threat model entities or observables to which you are adding tags |
| tags | array | required | Tags applied to the specified threat model entities or observables |
| name | string | required | The value of the tag you want to add |
| tlp | string | required | The visibility setting for the tag. Possible values include red (visible to your organization only) and white (visible to all ThreatStream users with access to the data) |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Create Model

Creates a threat model in Anomali ThreatStream v1 using specified path parameters and JSON body content.

Endpoint URL: `/api/v1/{{model}}`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| model | string | required | The type of threat model to create. Can be "actor", "campaign", "incident", "ttp", "vulnerability", or "tipreport". Possible values are actor, campaign, incident, ttp, vulnerability, tipreport |
| data_body | object | optional | Response data |
| name | string | required | The name of the threat model to create |
| is_public | boolean | optional | Whether the scope of the threat model is visible. Possible values are true, false. Default is false |
| tlp | string | optional | The Traffic Light Protocol designation for the threat model. Can be "red", "amber", "green", or "white". Possible values are red, amber, green, white. Default is red |
| tags | array | optional | A comma-separated list of tags |
| name | string | optional | The value of the tag you want to add |
| tlp | string | optional | The visibility setting for the tag. Possible values include red (visible to your organization only) and white (visible to all ThreatStream users with access to the data) |
| description | string | optional | The description of the threat model |
| intelligence | number | optional | A comma-separated list of indicator IDs associated with the threat model on the ThreatStream platform |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatstream | object | Output field threatstream |
| model | object | Output field model |
| indicators | array | Output field indicators |
| asn | string | Output field asn |
| confidence | number | Unique identifier |
| country | object | Output field country |
| id | number | Unique identifier |
| itype | string | Type of the resource |
| modified | string | Output field modified |
| organization | string | Output field organization |
| severity | string | Output field severity |
| source | string | Output field source |
| status | string | Status value |
| tags | object | Output field tags |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| modelid | string | Unique identifier |
| modeltype | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "threatstream": {}
    }
  }
]
```

### Get Analysis Report

Retrieves the analysis report for a submitted file or URL in Anomali ThreatStream using the specified report ID.

Endpoint URL: `/api/v1/submit/{{report_id}}/report`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| report_id | number | required | The report ID to return |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatstream | object | Output field threatstream |
| analysis | object | Output field analysis |
| category | string | Output field category |
| completed | string | Output field completed |
| duration | number | Output field duration |
| network | array | Output field network |
| udpdestinaton | string | Output field udpdestinaton |
| udpport | number | Output field udpport |
| udpsource | string | Output field udpsource |
| hosts | string | Output field hosts |
| reportid | string | Unique identifier |
| started | string | Output field started |
| verdict | string | Output field verdict |
| vmid | string | Unique identifier |
| vmname | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "threatstream": {}
    }
  }
]
```

### Get Analysis Status

Retrieves the current status of a sandbox report in Anomali ThreatStream using the report ID.

Endpoint URL: `/api/v1/submit/{{report_id}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| report_id | number | required | The report ID whose status to check |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatstream | object | Output field threatstream |
| analysis | object | Output field analysis |
| platform | string | Output field platform |
| reportid | string | Unique identifier |
| status | string | Status value |
| verdict | string | Output field verdict |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "threatstream": {}
    }
  }
]
```

### Get Indicators by Model

Retrieves a list of indicators linked to a specific model and its ID in Anomali ThreatStream v1.

Endpoint URL: `/api/v1/{{model}}/{{id}}/intelligence`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| model | string | required | The threat model of the returned list. Possible values are actor, campaign, incident, signature, ttp, vulnerability, tipreport, malware, attack pattern |
| id | string | required | The threat model ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatstream | object | Output field threatstream |
| model | object | Output field model |
| indicators | array | Output field indicators |
| asn | string | Output field asn |
| confidence | number | Unique identifier |
| country | object | Output field country |
| id | number | Unique identifier |
| itype | string | Type of the resource |
| modified | string | Output field modified |
| organization | string | Output field organization |
| severity | string | Output field severity |
| source | string | Output field source |
| status | string | Status value |
| tags | string | Output field tags |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| modelid | string | Unique identifier |
| modeltype | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "threatstream": {}
    }
  }
]
```

### Get Model Description

Retrieves an HTML file detailing the threat model from Anomali ThreatStream, requiring specific model and ID path parameters.

Endpoint URL: `/api/v1/{{model}}/{{id}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| model | string | required | The threat model. Can be "actor", "campaign", "incident", "signature", "ttp", "vulnerability", or "tipreport". Possible values are actor, campaign, incident, signature, ttp, vulnerability, tipreport |
| id | string | required | The threat model ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Output field file |
| entryid | string | Unique identifier |
| extension | string | Output field extension |
| info | string | Output field info |
| md5 | string | Output field md5 |
| name | string | Name of the resource |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| sha512 | string | Output field sha512 |
| ssdeep | string | Output field ssdeep |
| size | number | Output field size |
| type | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "file": {}
    }
  }
]
```

### Get Model List

Retrieves a list of threat models from Anomali ThreatStream v1 based on the specified model path parameter.

Endpoint URL: `/api/v1/{{model}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| model | string | required | The threat model of the returned list. Possible values are actor, campaign, incident, signature, ttp, vulnerability, tipreport, malware, attack pattern |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatstream | object | Output field threatstream |
| list | array | Output field list |
| createdtime | string | Time value |
| id | number | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "threatstream": {}
    }
  }
]
```

### Get Passive DNS

Retrieves enrichment data for domains, IPs, and URLs from Anomali ThreatStream v1 using specified observables.

Endpoint URL: `/api/v1/pdns/{{domain}}/{{observable_value}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| domain | string | required | The type of passive DNS search ("ip", "domain"). Possible values are ip, domain. Default is ip |
| observable_value | string | required | The value sent to the API should correspond to the type that is chosen. For example, if ip is chosen in the type argument, then a valid IP address should be sent in the value argument |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatstream | object | Output field threatstream |
| passivedns | array | Output field passivedns |
| domain | string | Output field domain |
| firstseen | string | Output field firstseen |
| ip | string | Output field ip |
| lastseen | string | Output field lastseen |
| rrtype | string | Type of the resource |
| source | string | Output field source |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "threatstream": {}
    }
  }
]
```

### Submit to Sandbox

Submits a file or URL to the Anomali ThreatStream hosted sandbox for analysis and detonation.

Endpoint URL: `/api/v1/submit/new`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| form_data | object | optional | Response data |
| file_has_password | boolean | optional | If using Joe Sandbox to detonate a file, set this attribute to true if the file is password protected. You must specify the password using the file_password attribute. Do not specify a value for this attribute if using Cuckoo or VMRay for detonation |
| file_password | string | optional | If detonating a password-protected file on Joe Sandbox, use this attribute to specify the value of the password. You must set file_has_password to true if using this attribute |
| import_indicators | boolean | optional | If you want to initiate an import job for observables discovered during detonation, set this value to true |
| report_radio_classification | string | optional | Classification of the sandbox submission: public or private |
| report_radio_notes | string | optional | A comma-separated list that provides additional details for imported observables. This information is displayed in the Tag column of the ThreatStream UI. For example, "credential exposure,compromised email" |
| report_radio_platform | string | optional | Platform on which the submitted URL or file will be detonated |
| report_radio_url | string | optional | Specify the URL that you want to detonate |
| report_radio_file | object | optional | Specify the file that you want to detonate |
| file | string | required | Parameter for Submit to Sandbox |
| file_name | string | required | Name of the resource |
| trusted_circles | string | optional | ID of the trusted circle to which the sandbox data should be associated. If you want to specify multiple trusted circles, enter the list of comma-separated IDs |
| use_premium_sandbox | boolean | optional | If you want to use the Joe Sandbox service for detonation, set this attribute to true. If no value is set for use_premium_sandbox, the default Cuckoo sandbox is used. Cuckoo and ThreatStream Joe Sandbox services are limited to 150 submissions per day |
| use_vmray_sandbox | boolean | optional | If you want to use the VMRay sandbox service for detonation, set this attribute to true. If no value is set for use_premium_sandbox or use_vmray_sandbox, the default Cuckoo sandbox is used. You must have an active VMRay integration on ThreatStream in order to use the VMRay sandbox service |
| vmray_max_jobs | number | optional | Specify the number of detonations you want VMRay to perform for the submission. If you specify a number greater than 1, VMRay performs the detonations on different platforms. A sandbox report is created on ThreatStream for each detonation that returns results. Only specify a value for this attribute if use_vmray_sandbox is set to true |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatstream | object | Output field threatstream |
| analysis | object | Output field analysis |
| platform | string | Output field platform |
| reportid | number | Unique identifier |
| status | string | Status value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "threatstream": {}
    }
  }
]
```

### Update Model

Updates a specific threat model in Anomali ThreatStream v1 using model and model ID path parameters, with the option to override previous data.

Endpoint URL: `/api/v1/{{model}}/{{model_id}}`

Method: PATCH

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| model | string | required | The type of threat model to update. Can be "actor", "campaign", "incident", "ttp", "vulnerability", or "tipreport". Possible values are actor, campaign, incident, ttp, vulnerability, tipreport |
| model_id | number | required | The ID of the threat model to update |
| data_body | object | required | Response data |
| name | string | optional | The name of the threat model to update |
| is_public | boolean | optional | Whether the scope of the threat model is visible. Possible values are true, false. Default is false |
| tlp | string | optional | The Traffic Light Protocol designation for the threat model. Can be "red", "amber", "green", or "white". Possible values are red, amber, green, white. Default is red |
| tags | array | optional | A comma-separated list of tags |
| name | string | optional | Name of the resource |
| tlp | string | optional | Parameter for Update Model |
| description | string | optional | The description of the threat model |
| intelligence | number | optional | A comma-separated list of indicator IDs associated with the threat model on the ThreatStream platform |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatstream | object | Output field threatstream |
| model | object | Output field model |
| indicators | array | Output field indicators |
| asn | string | Output field asn |
| confidence | number | Unique identifier |
| country | object | Output field country |
| id | number | Unique identifier |
| itype | string | Type of the resource |
| modified | string | Output field modified |
| organization | string | Output field organization |
| severity | string | Output field severity |
| source | string | Output field source |
| status | string | Status value |
| tags | object | Output field tags |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| modelid | string | Unique identifier |
| modeltype | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "threatstream": {}
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 19 Dec 2023 20:37:23 GMT |
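The Submit to Sandbox action above carries several coupled rules (file_has_password needs file_password and Joe Sandbox, vmray_max_jobs needs use_vmray_sandbox, and the platform list depends on which sandbox detonates the sample). The following is an added example, not Swimlane's or Anomali's code, that checks those rules on the client before a request is sent; the function and exception names, the `joe_individual_subscription` flag that selects between the two Joe Sandbox platform lists, and the assumption that the HTTP client serializes the returned dict as form data are ours.

```python
# Platform lists as documented for report_radio_platform (compared case-insensitively).
CUCKOO_PLATFORMS = {"windows7"}
JOE_OFFERING_PLATFORMS = {"macosx", "windows7", "windows7office2010", "windows10x64"}
JOE_SUBSCRIPTION_PLATFORMS = JOE_OFFERING_PLATFORMS | {
    "android4.4", "android5.1", "android6.0", "windowsxp", "windowsxpnative",
    "windows7native", "windows7office2013", "windows10", "macosxvm", "linux",
    "android9.0",
}


class SubmissionError(ValueError):
    """Raised before any request is sent when inputs violate the documented rules."""


def build_sandbox_form(platform, *, url=None, file_name=None, classification="private",
                       use_premium_sandbox=False, use_vmray_sandbox=False,
                       joe_individual_subscription=False, file_has_password=False,
                       file_password=None, vmray_max_jobs=None, import_indicators=False,
                       notes=None, trusted_circles=None):
    """Validate the inputs and return the form fields for POST /api/v1/submit/new."""
    if (url is None) == (file_name is None):
        raise SubmissionError("submit exactly one of report_radio_url or report_radio_file")
    if classification not in ("public", "private"):
        raise SubmissionError("report_radio_classification must be public or private")
    if use_premium_sandbox and use_vmray_sandbox:
        raise SubmissionError("use_premium_sandbox and use_vmray_sandbox are mutually exclusive")
    # file_has_password and file_password go together, and only Joe Sandbox accepts them.
    if file_has_password != (file_password is not None):
        raise SubmissionError("file_has_password and file_password must be set together")
    if file_has_password and not use_premium_sandbox:
        raise SubmissionError("password-protected files are only supported on Joe Sandbox")
    if file_has_password and url is not None:
        raise SubmissionError("file_password applies to file submissions only")
    # vmray_max_jobs is only meaningful when VMRay performs the detonation.
    if vmray_max_jobs is not None:
        if not use_vmray_sandbox:
            raise SubmissionError("vmray_max_jobs requires use_vmray_sandbox")
        if vmray_max_jobs < 1:
            raise SubmissionError("vmray_max_jobs must be at least 1")
    # Supported platforms depend on the sandbox. The page lists no platform set for
    # VMRay, so that case is passed through unchecked (assumption).
    if use_vmray_sandbox:
        allowed = None
    elif use_premium_sandbox:
        allowed = JOE_SUBSCRIPTION_PLATFORMS if joe_individual_subscription else JOE_OFFERING_PLATFORMS
    else:
        allowed = CUCKOO_PLATFORMS
    if allowed is not None and platform.lower() not in allowed:
        raise SubmissionError(f"platform {platform!r} is not supported by the selected sandbox")

    form = {
        "report_radio_classification": classification,
        "report_radio_platform": platform,
        "import_indicators": import_indicators,
    }
    if url is not None:
        form["report_radio_url"] = url
    else:
        form["report_radio_file"] = file_name  # the file bytes travel as the multipart part
    if use_premium_sandbox:
        form["use_premium_sandbox"] = True
    if use_vmray_sandbox:
        form["use_vmray_sandbox"] = True
        if vmray_max_jobs is not None:
            form["vmray_max_jobs"] = vmray_max_jobs
    if file_has_password:
        form["file_has_password"] = True
        form["file_password"] = file_password
    if notes:
        form["report_radio_notes"] = notes
    if trusted_circles:
        form["trusted_circles"] = ",".join(str(c) for c in trusted_circles)
    return form


def rejects(platform, **kwargs):
    """True if build_sandbox_form refuses these inputs; handy for checking the rules."""
    try:
        build_sandbox_form(platform, **kwargs)
    except SubmissionError:
        return True
    return False
```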