# Anomali ThreatStream
The Anomali ThreatStream connector allows users to integrate threat intelligence capabilities into their security workflow, enhancing threat analysis and response.

Anomali ThreatStream is a comprehensive threat intelligence platform that enables security teams to access a global repository of threat indicators. This connector allows Swimlane Turbine users to automate the retrieval of email reputation scores, import observables for threat analysis, and search for detailed threat intelligence data. By integrating with Anomali ThreatStream, users can enhance their security playbooks with rich, actionable intelligence, streamline threat investigations, and bolster their overall security posture with minimal manual intervention.

## Prerequisites

To effectively utilize the Anomali ThreatStream connector with Swimlane Turbine, ensure you have API key authentication with the following parameters:

- URL: the endpoint URL for the Anomali ThreatStream API
- API key: your unique identifier to authenticate with the Anomali ThreatStream API
- API user: the username associated with your Anomali ThreatStream account

## Capabilities

The Anomali ThreatStream connector has the following capabilities:

- Search Indicator
- Import Indicator
- Get Email Reputation
- Search Observable

### expiration_ts

`expiration_ts` is in ISO format, for example `2017-01-26T00:00:00`. By default, UTC time is used; you can specify your local time by appending your timezone offset to the value. For example, to specify PST: `2019-04-28T14:00:00-08:00`. If neither a global nor a local value is specified for this attribute, 90 days is configured by default.

To avoid long run times, use the `limit` input to cap the number of records returned.

### Import Observable

The fields that must contain data vary with the type of observable. The following table lists the mandatory fields for each observable type.

| Observable type | Required fields |
| --- | --- |
| Domain | domain, indicator type |
| Email | email, indicator type, confidence |
| Hash | md5, indicator type, confidence |
| IP | source IP, indicator type |
| URL | url, indicator type |

### Indicator Types

The following table lists the available indicator types in ThreatStream. The severity values listed in the table are the default severity values that Anomali assigns to observables of a given indicator type. The default values are not displayed in the following cases:

- when the severity value assigned to the observable by the source is used
- when users modify the assigned value while editing observables that belong to their organizations on ThreatStream

| Indicator type | Name | Type | Severity | Description | Example |
| --- | --- | --- | --- | --- | --- |
| actor_ip | Actor IP | IP | Low | IP address associated with a system involved in malicious activity | itype="actor_ip" |
| actor_ipv6 | Actor IPv6 | IP | Low | IPv6 address associated with a system involved in malicious activity | itype="actor_ipv6" |
| actor_subject | Actor Subject Line | String | High | Subject from an email associated with a threat actor | itype="actor_subject" |
| adware_domain | Adware Domain | Domain | Low | A domain name associated with adware or other potentially unwanted applications (PUA) | itype="adware_domain" |
| adware_registry_key | Adware Registry Key | String | Low | A registry key associated with adware or other potentially unwanted applications (PUA) | itype="adware_registry_key" |
| anon_proxy | Anonymous Proxy IP | IP | Low | IP address of the system on which anonymous proxy software is hosted | itype="anon_proxy" |
| anon_proxy_ipv6 | Anonymous Proxy IPv6 | IP | Low | IPv6 address of the system on which anonymous proxy software is hosted | itype="anon_proxy_ipv6" |
| anon_vpn | Anonymous VPN IP | IP | Low | IP address associated with commercial or free virtual private networks (VPN) | itype="anon_vpn" |
| anon_vpn_ipv6 | Anonymous | IP | Low | IPv6 address associated with commercial or free virtual private networks (VPN) | itype="anon_vpn_ipv6" |
| apt_domain | APT Domain | Domain | Very High | Domain name associated with a known advanced persistent threat (APT) actor, used for command and control, launching exploits, or data exfiltration | itype="apt_domain" |
| apt_email | APT Email | Email | High | Email address used by a known advanced persistent threat (APT) actor for sending targeted, spear-phishing emails | itype="apt_email" |
| apt_email_subject_line | APT Email Subject Line | String | High | Subject from an email associated with an advanced persistent threat (APT) actor | itype="apt_email_subject_line" |
| apt_file_name | APT File Name | String | Very High | Name of a file used by a known advanced persistent threat (APT) actor | itype="apt_file_name" |
| apt_file_path | APT File Path | String | Very High | File path used by a known advanced persistent threat (APT) actor | itype="apt_file_path" |
| apt_ip | APT IP | IP | Very High | IP address associated with a known advanced persistent threat (APT) actor for command and control, data exfiltration, or targeted exploitation | itype="apt_ip" |
| apt_ipv6 | APT IPv6 | IP | Very High | IPv6 address associated with a known advanced persistent threat (APT) actor for command and control, data exfiltration, or targeted exploitation | itype="apt_ipv6" |
| apt_md5 | APT File Hash | Hash | Very High | MD5 or SHA hash of a malware sample used by a known advanced persistent threat (APT) actor | itype="apt_md5" |
| apt_mta | APT Mail Transfer Agent | String | Very High | Mail transfer agent used by a known advanced persistent threat (APT) actor | itype="apt_mta" |
| apt_mutex | APT Mutex | String | Very High | Mutex used by a known advanced persistent threat (APT) actor | itype="apt_mutex" |
| apt_registry_key | APT Registry | String | Very High | Registry key used by a known advanced persistent threat (APT) actor | itype="apt_registry_key" |
| apt_service_description | APT Service Description | String | Very High | Service description used by a known advanced persistent threat (APT) actor | itype="apt_service_description" |
| apt_service_displayname | APT Service Display Name | String | Very High | Service display name used by a known advanced persistent threat (APT) actor | itype="apt_service_displayname" |
| apt_service_name | APT Service Name | String | Very High | Service name used by a known advanced persistent threat (APT) actor | itype="apt_service_name" |
| apt_ssdeep | APT ssdeep Hash | String | Very High | ssdeep hash used by a known advanced persistent threat (APT) actor | itype="apt_ssdeep" |
| apt_subject | APT Subject Line | String | High | Email subject line used by a known advanced persistent threat (APT) actor | itype="apt_subject" |

### Threat Type

During the import process, ThreatStream uses machine learning to assign indicator types to imported observables based on the threat type you select. The following table lists all available threat types in ThreatStream, together with the indicator types associated with each.

| Threat type | Name | Example | Associated indicator types |
| --- | --- | --- | --- |
| adware | Adware | threat_type="adware" | adware_domain |
| anomalous | Anomalous | threat_type="anomalous" | geolocation_url, ipcheck_url, speedtest_url |
| anonymization | Anonymization | threat_type="anonymization" | anon_proxy, anon_proxy_ipv6, anon_vpn, anon_vpn_ipv6, proxy_ip, proxy_ipv6, vpn_domain |
| apt | APT | threat_type="apt" | apt_domain, apt_email, apt_email_subject, apt_file_name, apt_file_path, apt_ip, apt_ipv6, apt_md5, apt_mta, apt_mutex, apt_registry_key, apt_service_description, apt_service_displayname, apt_service_name, apt_ssdeep, apt_subject, apt_ua, apt_url |
| bot | Bot | threat_type="bot" | bot_ip, bot_ipv6 |
| brute | Brute | threat_type="brute" | brute_ip, brute_ipv6, ssh_ip, ssh_ipv6 |
| c2 | C2 | threat_type="c2" | c2_domain, c2_ip, c2_ipv6, c2_url |
| compromised | Compromised | threat_type="compromised" | compromised_domain, compromised_email, compromised_email_subject, compromised_ip, compromised_ipv6, compromised_url |
| crypto | Crypto | threat_type="crypto" | crypto_hash, crypto_ip, crypto_pool, crypto_url, crypto_wallet |
| data_leakage | Data Leakage | threat_type="data_leakage" | pastesite_url |
| ddos | DDoS | threat_type="ddos" | ddos_ip, ddos_ipv6 |
| dyn_dns | Dynamic DNS | threat_type="dyn_dns" | dyn_dns |
| exfil | Exfil | threat_type="exfil" | exfil_domain, exfil_ip, exfil_ipv6, exfil_url |
| exploit | Exploit | threat_type="exploit" | exploit_domain, exploit_ip, exploit_ipv6, exploit_url |
| fraud | Fraud | threat_type="fraud" | fraud_domain, fraud_email, fraud_email_subject, fraud_ip, fraud_md5, fraud_url |
| hack_tool | Hacking Tool | threat_type="hack_tool" | hack_tool |
| i2p | I2P | threat_type="i2p" | i2p_ip, i2p_ipv6 |
| informational | Informational | threat_type="informational" | comm_proxy_domain, comm_proxy_ip, disposable_email_domain, free_email_domain, passphrase, ssl_cert_serial_number, whois_bulk_reg_email, whois_privacy_domain, whois_privacy_email |
| malware | Malware | threat_type="malware" | mal_domain, mal_email, mal_email_subject, email_attachment_subject, mal_file_name, mal_file_path, mal_ip, mal_ipv6, mal_md5, mal_mutex, mal_registry_key, mal_service_description, mal_service_displayname, mal_service_name, mal_ssdeep, mal_sslcert_sha1, mal_ua, mal_url |
| p2p | P2P | threat_type="p2p" | actor_ip, actor_ipv6, actor_subject, p2pcnc, p2pcnc_ipv6, torrent_tracker_url |
| parked | Parked | threat_type="parked" | parked_domain, parked_ip, parked_ipv6, parked_url |
| phish | Phish | threat_type="phish" | phish_domain, phish_email, phish_email_subject, phish_ip, phish_ipv6, phish_url |
| scan | Scan | threat_type="scan" | scan_ip, scan_ipv6 |
| sinkhole | Sinkhole | threat_type="sinkhole" | sinkhole_domain, sinkhole_ip, sinkhole_ipv6 |
| spam | Spam | threat_type="spam" | adware_registry_key, spam_domain, spam_email, spam_email_subject, spam_ip, spam_ipv6, spam_mta, spam_url |

## Configurations

### Anomali ThreatStream API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| x_apikey | API key | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |
| api_user | API user used for authentication | string | Required |

## Actions

### Get Email Reputation

Retrieves the highest-confidence indicator for an email's reputation from Anomali ThreatStream; requires a specific `value` parameter.

- Endpoint URL: `/api/v2/intelligence`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| value | string | Required | The email address to check |
| threshold | string | Optional | If the confidence is greater than the threshold, the email address is considered malicious; otherwise it is considered good. This argument overrides the default email threshold defined as a parameter. |
| include_inactive | boolean | Optional | Whether to include results with an inactive status. Possible values are true, false |
| status | string | Optional | Status value |
| limit | number | Optional | Parameter for Get Email Reputation |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| DBotScore | object | Score value |
| DBotScore.Indicator | string | Output field Indicator |
| DBotScore.Reliability | string | Output field Reliability |
| DBotScore.Score | number | Score value |
| DBotScore.Type | string | Type of the resource |
| DBotScore.Vendor | string | Output field Vendor |
| Email | object | Output field Email |
| Email.Address | string | Output field Address |
| ThreatStream | object | Output field ThreatStream |
| ThreatStream.EmailReputation | object | Output field EmailReputation |
| ThreatStream.EmailReputation.Confidence | number | Unique identifier |
| ThreatStream.EmailReputation.Email | string | Output field Email |
| ThreatStream.EmailReputation.Modified | string | Output field Modified |
| ThreatStream.EmailReputation.Severity | string | Output field Severity |
| ThreatStream.EmailReputation.Source | string | Output field Source |
| ThreatStream.EmailReputation.Status | string | Status value |
| ThreatStream.EmailReputation.Tags | array | Output field Tags |
| ThreatStream.EmailReputation.Type | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 19 Dec 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "DBotScore": {},
      "Email": {},
      "ThreatStream": {}
    }
  }
]
```

### Import Observable

Imports observables into Anomali ThreatStream with a specified JSON body, structuring the data for effective threat analysis.

- Endpoint URL: `/api/v1/intelligence`
- Method: PATCH

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| meta | object | Optional | Parameter for Import Observable |
| allow_unresolved | boolean | Optional | Parameter for Import Observable |
| objects | object | Optional | Parameter for Import Observable |
| classification | string | Optional | Parameter for Import Observable |
| confidence | number | Optional | Unique identifier |
| source_confidence_weight | number | Optional | Unique identifier |
| expiration_ts | string | Optional | Parameter for Import Observable |
| severity | string | Optional | Parameter for Import Observable |
| tags | array | Optional | Parameter for Import Observable |
| trustedcircles | array | Optional | Parameter for Import Observable |
| srcip | string | Optional | Parameter for Import Observable |
| itype | string | Required | Type of the resource |
| domain | string | Optional | Parameter for Import Observable |
| url | string | Optional | URL endpoint for the request |
| email | string | Optional | Parameter for Import Observable |
| md5 | string | Optional | Parameter for Import Observable |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Search Observable

Retrieves threat intelligence data on observables from Anomali ThreatStream to enhance security analysis.

- Endpoint URL: `/api/v2/intelligence`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| limit | number | Optional | Parameter for Search Observable |
| asn | string | Optional | Autonomous system (AS) number associated with the indicator |
| asn__exact | string | Optional | As `asn`, exact match |
| asn__startswith | string | Optional | As `asn`, prefix match |
| asn__contains | string | Optional | As `asn`, substring match |
| confidence | number | Optional | Level of certainty that an observable is of the reported indicator type. Confidence scores range from 0 to 100, in increasing order of confidence, and are assigned by ThreatStream based on several factors. |
| confidence__exact | number | Optional | As `confidence`, exact match |
| confidence__lt | number | Optional | As `confidence`, less than |
| confidence__gt | number | Optional | As `confidence`, greater than |
| confidence__lte | number | Optional | As `confidence`, less than or equal |
| confidence__gte | number | Optional | As `confidence`, greater than or equal |
| country | string | Optional | Country associated with the indicator |
| country__exact | string | Optional | As `country`, exact match |
| country__startswith | string | Optional | As `country`, prefix match |
| country__contains | string | Optional | As `country`, substring match |
| created_ts | string | Optional | When the indicator was first seen on the ThreatStream cloud platform. The date must be specified in the format YYYYMMDDThhmmss, where T denotes the start of the time value, in UTC time; for example, 2014-10-02T20:44:35. |
| created_ts__exact | string | Optional | As `created_ts`, exact match |
| created_ts__lt | string | Optional | As `created_ts`, earlier than |
| created_ts__lte | string | Optional | As `created_ts`, earlier than or equal |
| created_ts__gte | string | Optional | As `created_ts`, later than or equal |
| created_ts__gt | string | Optional | As `created_ts`, later than |
| expiration_ts | string | Optional | Time stamp of when intelligence will expire on ThreatStream, in UTC time |
| expiration_ts__exact | string | Optional | As `expiration_ts`, exact match |
| expiration_ts__lt | string | Optional | As `expiration_ts`, earlier than |
| expiration_ts__lte | string | Optional | As `expiration_ts`, earlier than or equal |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| objects | array | Output field objects |
| target_industry | array | Output field target_industry |
| source | string | Output field source |
| threatscore | number | Score value |
| threat_type | string | Type of the resource |
| trusted_circle_ids | array | Unique identifier |
| description | object | Output field description |
| workgroups | array | Output field workgroups |
| sort | array | Output field sort |
| resource_uri | string | Output field resource_uri |
| update_id | number | Unique identifier |
| country | string | Output field country |
| type | string | Type of the resource |
| uuid | string | Unique identifier |
| feed_id | number | Unique identifier |
| created_ts | string | Output field created_ts |
| id | number | Unique identifier |
| longitude | number | Output field longitude |
| ip | string | Output field ip |
| expiration_ts | string | Output field expiration_ts |
| owner_organization_id | number | Unique identifier |
| meta | object | Output field meta |
| severity | string | Output field severity |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "objects": [],
      "meta": {}
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 19 Dec 2023 20:37:23 GMT |
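The mandatory-field rules of the Import Observable table and the 90-day `expiration_ts` default above, as a pre-flight check a playbook can run before calling the action. This is an added example, not the connector's own code; the `type` key used to select the observable type, the `prepare_import` helper and the sample observables are this example's own constructions.

```python
from datetime import datetime, timedelta, timezone

# Mandatory fields per observable type, from the Import Observable table above
# ("indicator type" is the itype input, "source IP" is the srcip input).
REQUIRED_FIELDS = {
    "domain": ("domain", "itype"),
    "email": ("email", "itype", "confidence"),
    "hash": ("md5", "itype", "confidence"),
    "ip": ("srcip", "itype"),
    "url": ("url", "itype"),
}
DEFAULT_EXPIRATION_DAYS = 90  # connector default when no expiration_ts is given

# Constructed sample input (not real data). "type" is this example's own selector
# for the observable type and is stripped before the payload is built.
PST = timezone(timedelta(hours=-8))
SAMPLE_NOW = datetime(2019, 4, 28, 14, 0, 0, tzinfo=PST)
SAMPLE_OBSERVABLES = [
    {"type": "ip", "srcip": "203.0.113.7", "itype": "scan_ip"},
    {"type": "email", "email": "sender@example.com", "itype": "phish_email",
     "confidence": 80, "expiration_ts": "2017-01-26T00:00:00"},
]

def default_expiration_ts(now, tz=timezone.utc):
    """ISO-8601 timestamp 90 days after the aware datetime `now`, rendered in `tz`
    with an explicit offset (e.g. ...-08:00 for PST, as in the notes above)."""
    expires = now.astimezone(tz) + timedelta(days=DEFAULT_EXPIRATION_DAYS)
    return expires.isoformat(timespec="seconds")

def validate_observable(obs):
    """Return a list of problems; an empty list means the mandatory fields are set."""
    otype = obs.get("type")
    if otype not in REQUIRED_FIELDS:
        return [f"unknown observable type: {otype!r}"]
    problems = [f"{otype} observable is missing required field {f!r}"
                for f in REQUIRED_FIELDS[otype] if obs.get(f) in (None, "")]
    conf = obs.get("confidence")
    if conf is not None and not 0 <= conf <= 100:
        problems.append(f"confidence {conf} is outside 0-100")
    return problems

def prepare_import(observables, now, tz=timezone.utc):
    """Validate every observable and fill in the default expiration_ts. Raises
    ValueError listing all problems so the playbook stops before the PATCH."""
    problems, prepared = [], []
    for i, obs in enumerate(observables):
        errs = validate_observable(obs)
        if errs:
            problems.extend(f"object {i}: {e}" for e in errs)
            continue
        body = {k: v for k, v in obs.items() if k != "type"}
        body.setdefault("expiration_ts", default_expiration_ts(now, tz))
        prepared.append(body)
    if problems:
        raise ValueError("; ".join(problems))
    return prepared
```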
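The selection rule behind Get Email Reputation (highest-confidence indicator, inactive results dropped unless `include_inactive` is set, confidence greater than `threshold` means malicious) applied to the `objects` array of a search response. This is an added example, not the connector's implementation; the sample objects are constructed and the `search_params` and `email_reputation` helpers are this example's own.

```python
# Constructed sample of json_body.objects for one email value (not real data).
SAMPLE_OBJECTS = [
    {"value": "sender@example.com", "itype": "apt_email", "confidence": 85,
     "severity": "high", "status": "inactive", "source": "feed-a", "tags": ["apt"]},
    {"value": "sender@example.com", "itype": "spam_email", "confidence": 40,
     "severity": "low", "status": "active", "source": "feed-b", "tags": []},
    {"value": "sender@example.com", "itype": "phish_email", "confidence": 60,
     "severity": "medium", "status": "active", "source": "feed-c", "tags": ["phish"]},
]

def search_params(value, limit=None, status=None):
    """Query parameters for GET /api/v2/intelligence, mirroring the action's
    value, limit and status inputs (limit keeps long searches bounded)."""
    params = {"value": value}
    if limit is not None:
        params["limit"] = int(limit)
    if status:
        params["status"] = status
    return params

def highest_confidence(objects, include_inactive=False):
    """Pick the single highest-confidence indicator; inactive ones are skipped
    unless include_inactive is set, as the action's input describes."""
    pool = [o for o in objects if include_inactive or o.get("status") != "inactive"]
    return max(pool, key=lambda o: o.get("confidence", 0), default=None)

def email_reputation(objects, threshold, include_inactive=False):
    """Verdict per the action's rule: confidence > threshold is malicious, else good.
    `threshold` is a string in the action's input, so it is converted here.
    Returns the subset of ThreatStream.EmailReputation fields present in the sample."""
    best = highest_confidence(objects, include_inactive)
    if best is None:
        return {"verdict": "unknown", "confidence": None}
    return {
        "verdict": "malicious" if best["confidence"] > int(threshold) else "good",
        "confidence": best["confidence"],
        "email": best["value"],
        "severity": best.get("severity"),
        "source": best.get("source"),
        "status": best.get("status"),
        "tags": best.get("tags", []),
        "type": best.get("itype"),
    }
```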