# Anomali ThreatStream
## Overview

The Anomali ThreatStream connector allows users to integrate threat intelligence capabilities into their security workflow, enhancing threat analysis and response.

Anomali ThreatStream is a comprehensive threat intelligence platform that enables security teams to access a global repository of threat indicators. This connector allows Swimlane Turbine users to automate the retrieval of email reputation scores, import observables for threat analysis, and search for detailed threat intelligence data. By integrating with Anomali ThreatStream, users can enhance their security playbooks with rich, actionable intelligence, streamline threat investigations, and bolster their overall security posture with minimal manual intervention.

## Prerequisites

To effectively utilize the Anomali ThreatStream connector with Swimlane Turbine, ensure you have the following:

- API key authentication with the necessary parameters:
  - URL: the endpoint URL for the Anomali ThreatStream API
  - API key: your unique identifier to authenticate with the Anomali ThreatStream API
  - API user: the username associated with your Anomali ThreatStream account

## Capabilities

The Anomali ThreatStream connector has the following capabilities:

- Search Indicator
- Import Indicator
- Get Email Reputation
- Search Observable

### Notes

`expiration_ts` is in ISO format, for example `2017-01-26T00:00:00`. By default, UTC time is used. You can specify your local time by appending your timezone to the value; for example, to specify PST: `2019-04-28T14:00:00-08:00`. If neither a global nor a local value is specified for this attribute, 90 days is configured by default.

To avoid long run times, use the `limit` input to limit the number of records returned.

### Import Observable: required fields

Fields that must contain data vary based on the type of observable. The following table lists the mandatory fields for each observable type.

| Observable type | Required fields |
| --- | --- |
| Domain | domain, indicator type |
| Email | email, indicator type, confidence |
| Hash | md5, indicator type, confidence |
| IP | source IP, indicator type |
| URL | url, indicator type |
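The required-fields table and the `expiration_ts` note above, worked into a small pre-flight check for an Import Observable request. This is an added example, not the connector's or Anomali's code; the JSON keys (`itype`, `domain`, `email`, `md5`, `srcip`, `url`, `confidence`, `expiration_ts`, `meta.allow_unresolved`) follow the page's Import Observable input example, and the function names and the `kind` argument are mine.

```python
"""Build and validate an Import Observable body for the ThreatStream connector.

Added example (not part of the Swimlane connector or the Anomali API client).
Assumptions: the caller states the observable type explicitly ("domain",
"email", "hash", "ip", "url"); the body shape mirrors the page's input example.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Mandatory keys per observable type, straight from the page's table.
# "indicator type" is the itype key and "source IP" is srcip in the JSON body.
REQUIRED_FIELDS = {
    "domain": ("domain", "itype"),
    "email": ("email", "itype", "confidence"),
    "hash": ("md5", "itype", "confidence"),
    "ip": ("srcip", "itype"),
    "url": ("url", "itype"),
}

DEFAULT_EXPIRATION = timedelta(days=90)  # page: 90 days when no value is set


def expiration_ts(value: Optional[str] = None, now: Optional[str] = None) -> str:
    """Return expiration_ts in the ISO form the page documents.

    No value -> now + 90 days (UTC). A UTC value is emitted as
    YYYY-MM-DDTHH:MM:SS; a value carrying another offset keeps it, giving
    the page's PST example form 2019-04-28T14:00:00-08:00.
    `now` is accepted as an ISO string so the clock can be fixed in tests.
    """
    base = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    if base.tzinfo is None:
        base = base.replace(tzinfo=timezone.utc)
    ts = datetime.fromisoformat(value) if value else base + DEFAULT_EXPIRATION
    if ts.tzinfo is None or ts.utcoffset() == timedelta(0):
        return ts.strftime("%Y-%m-%dT%H:%M:%S")
    return ts.isoformat(timespec="seconds")


def missing_required(kind: str, obj: Dict[str, object]) -> List[str]:
    """List the mandatory keys for `kind` that are absent or empty in `obj`."""
    if kind not in REQUIRED_FIELDS:
        raise ValueError(f"unknown observable type {kind!r}")
    return [f for f in REQUIRED_FIELDS[kind] if obj.get(f) in (None, "")]


def build_import_body(kind: str, itype: str, value: str, confidence: Optional[int] = None,
                      expires: Optional[str] = None, allow_unresolved: bool = True,
                      now: Optional[str] = None, **extra: object) -> Dict[str, object]:
    """Assemble {"json_body": {"meta": ..., "objects": ...}} and refuse an
    incomplete observable before it ever reaches PATCH /api/v1/intelligence."""
    if kind not in REQUIRED_FIELDS:
        raise ValueError(f"unknown observable type {kind!r}")
    obj: Dict[str, object] = {"itype": itype, REQUIRED_FIELDS[kind][0]: value}
    if confidence is not None:
        if not 0 <= int(confidence) <= 100:  # page: confidence ranges 0-100
            raise ValueError("confidence must be between 0 and 100")
        obj["confidence"] = int(confidence)
    obj["expiration_ts"] = expiration_ts(expires, now)
    obj.update(extra)  # e.g. severity, tags, trustedcircles, classification
    missing = missing_required(kind, obj)
    if missing:
        raise ValueError(f"{kind} observable is missing: {', '.join(missing)}")
    return {"json_body": {"meta": {"allow_unresolved": allow_unresolved}, "objects": obj}}


if __name__ == "__main__":
    # Constructed sample: a phishing sender with an explicit PST expiry.
    print(build_import_body("email", "phish_email", "sender@example.com",
                            confidence=60, expires="2019-04-28T14:00:00-08:00",
                            severity="medium", tags=["phishing"]))
```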
## Indicator Types

The following table lists all available indicator types in ThreatStream. The severity values listed in the table represent the default severity values that Anomali assigns to observables of a given indicator type. However, default values are not displayed in the following cases:

- when the severity value assigned to the observable by the source is used;
- when users modify the assigned value while editing observables that belong to their organizations on ThreatStream.

| Indicator type | Name | Type | Severity | Description | Example |
| --- | --- | --- | --- | --- | --- |
| actor_ip | Actor IP | ip | Low | IP address associated with a system involved in malicious activity. | `itype="actor_ip"` |
| actor_ipv6 | Actor IPv6 | ip | Low | IPv6 address associated with a system involved in malicious activity. | `itype="actor_ipv6"` |
| actor_subject | Actor Subject Line | string | High | Subject from an email associated with a threat actor. | `itype="actor_subject"` |
| adware_domain | Adware Domain | domain | Low | A domain name associated with adware or other potentially unwanted applications (PUA). | `itype="adware_domain"` |
| adware_registry_key | Adware Registry Key | string | Low | A registry key associated with adware or other potentially unwanted applications (PUA). | `itype="adware_registry_key"` |
| anon_proxy | Anonymous Proxy IP | ip | Low | IP address of the system on which anonymous proxy software is hosted. | `itype="anon_proxy"` |
| anon_proxy_ipv6 | Anonymous Proxy IPv6 | ip | Low | IPv6 address of the system on which anonymous proxy software is hosted. | `itype="anon_proxy_ipv6"` |
| anon_vpn | Anonymous VPN IP | ip | Low | IP address associated with commercial or free virtual private networks (VPN). | `itype="anon_vpn"` |
| anon_vpn_ipv6 | Anonymous | ip | Low | IPv6 address associated with commercial or free virtual private networks (VPN). | `itype="anon_vpn_ipv6"` |
| apt_domain | APT Domain | domain | Very High | Domain name associated with a known advanced persistent threat (APT) actor, used for command and control, launching exploits, or data exfiltration. | `itype="apt_domain"` |
| apt_email | APT Email | email | High | Email address used by a known advanced persistent threat (APT) actor for sending targeted, spear-phishing emails. | `itype="apt_email"` |
| apt_email_subject_line | APT Email Subject Line | string | High | Subject from an email associated with an advanced persistent threat (APT) actor. | `itype="apt_email_subject_line"` |
| apt_file_name | APT File Name | string | Very High | Name of a file used by a known advanced persistent threat (APT) actor. | `itype="apt_file_name"` |
| apt_file_path | APT File Path | string | Very High | File path used by a known advanced persistent threat (APT) actor. | `itype="apt_file_path"` |
| apt_ip | APT IP | ip | Very High | IP address associated with a known advanced persistent threat (APT) actor for command and control, data exfiltration, or targeted exploitation. | `itype="apt_ip"` |
| apt_ipv6 | APT IPv6 | ip | Very High | IPv6 address associated with a known advanced persistent threat (APT) actor for command and control, data exfiltration, or targeted exploitation. | `itype="apt_ipv6"` |
| apt_md5 | APT File Hash | hash | Very High | MD5 or SHA hash of a malware sample used by a known advanced persistent threat (APT) actor. | `itype="apt_md5"` |
| apt_mta | APT Mail Transfer Agent | string | Very High | Mail transfer agent used by a known advanced persistent threat (APT) actor. | `itype="apt_mta"` |
| apt_mutex | APT Mutex | string | Very High | Mutex used by a known advanced persistent threat (APT) actor. | `itype="apt_mutex"` |
| apt_registry_key | APT Registry | string | Very High | Registry key used by a known advanced persistent threat (APT) actor. | `itype="apt_registry_key"` |
| apt_service_description | APT Service Description | string | Very High | Description used by a known advanced persistent threat (APT) actor. | `itype="apt_service_description"` |
| apt_service_displayname | APT Service Display Name | string | Very High | Service display name used by a known advanced persistent threat (APT) actor. | `itype="apt_service_displayname"` |
| apt_service_name | APT Service Name | string | Very High | Service name used by a known advanced persistent threat (APT) actor. | `itype="apt_service_name"` |
| apt_ssdeep | APT ssdeep Hash | string | Very High | ssdeep hash used by a known advanced persistent threat (APT) actor. | `itype="apt_ssdeep"` |
| apt_subject | APT Subject Line | string | High | Email subject line used by a known advanced persistent threat (APT) actor. | `itype="apt_subject"` |
| apt_ua | APT User Agent | string | High | User agent string used by a known advanced persistent threat (APT) actor. | `itype="apt_ua"` |
| apt_url | APT URL | url | Very High | URL used by a known advanced persistent threat (APT) actor for command and control, launching web-based exploits, or data exfiltration. | `itype="apt_url"` |
| bot_ip | Infected Bot IP | ip | Low | IP address of an infected machine acting as an autonomous bot. | `itype="bot_ip"` |
| bot_ipv6 | Infected Bot IPv6 | ip | Low | IPv6 address of an infected machine acting as an autonomous bot. | `itype="bot_ipv6"` |
| brute_ip | Brute Force IP | ip | Low | IP address associated with password brute-force activity. | `itype="brute_ip"` |
| brute_ipv6 | Brute Force IPv6 | ip | Low | IPv6 address associated with password brute-force activity. | `itype="brute_ipv6"` |
| c2_domain | Malware C&C Domain Name | domain | High | Domain name used by malware for command and control communication. | `itype="c2_domain"` |
| c2_ip | Malware C&C IP Address | ip | High | IP address used by malware for command and control communication. | `itype="c2_ip"` |
| c2_ipv6 | Malware C&C IPv6 Address | ip | High | IPv6 address used by malware for command and control communication. | `itype="c2_ipv6"` |
| c2_url | Malware C&C URL | url | High | URL used by malware for command and control communication. | `itype="c2_url"` |
| comm_proxy_domain | Commercial Webproxy Domain | domain | Low | Domain of the system on which commercial proxy software is hosted. | `itype="comm_proxy_domain"` |
| comm_proxy_ip | Commercial Webproxy IP | ip | Low | IP address of the system on which commercial proxy software is hosted. | `itype="comm_proxy_ip"` |
| compromised_domain | Compromised Domain | domain | Low | Domain name of a website or server that has been compromised. | `itype="compromised_domain"` |
| compromised_email | Compromised Account Email | email | Low | Email address that has been compromised and/or taken over by a threat actor. | `itype="compromised_email"` |
| compromised_email_subject | Compromised Email Subject | string | Low | Email subject from a known compromised email address. | `itype="compromised_email_subject"` |
| compromised_ip | Compromised IP | ip | Low | IP address of a website or server that has been compromised. | `itype="compromised_ip"` |
| compromised_ipv6 | Compromised IPv6 | ip | Low | IPv6 address of a website or server that has been compromised. | `itype="compromised_ipv6"` |
| compromised_serv_account | Compromised Service Account | string | Low | Account information associated with a service account that has been compromised and/or taken over by a threat actor. | `itype="compromised_serv_account"` |
| compromised_url | Compromised URL | url | Medium | URL of the website or server that has been compromised. | `itype="compromised_url"` |
| crypto_hash | Cryptocurrency Mining Software | hash | High | File hash for cryptocurrency mining software. | `itype="crypto_hash"` |
| crypto_ip | Cryptocurrency IP | ip | High | IP address associated with cryptocurrency mining software. | `itype="crypto_ip"` |
| crypto_pool | Cryptocurrency Pool Domain | domain | High | Domain for a cryptocurrency pool. | `itype="crypto_pool"` |
| crypto_url | Cryptocurrency URL | url | High | URL where cryptocurrency mining software is hosted. | `itype="crypto_url"` |
| crypto_wallet | Cryptocurrency Wallet Address | string | Very High | Public or private cryptocurrency wallet key. | `itype="crypto_wallet"` |
| ddos_ip | DDoS IP | ip | Low | IP address associated with distributed denial of service (DDoS) attacks. | `itype="ddos_ip"` |
| ddos_ipv6 | DDoS IPv6 | ip | Low | IPv6 address associated with distributed denial of service (DDoS) attacks. | `itype="ddos_ipv6"` |
| disposable_email_domain | Disposable Email Domain | domain | Low | Domain associated with disposable email activity. | `itype="disposable_email_domain"` |
| dyn_dns | Dynamic DNS | domain | Low | Domain name used for hosting dynamic DNS services. | `itype="dyn_dns"` |
| email_attachment_subject | Email Attachment Subject | string | Low | Email subject from a known compromised email attachment. | `itype="email_attachment_subject"` |
| exfil_domain | Data Exfiltration Domain | domain | High | Domain name associated with the infrastructure used for data exfiltration. | `itype="exfil_domain"` |
| exfil_ip | Data Exfiltration IP | ip | High | IP address used for data exfiltration. | `itype="exfil_ip"` |
| exfil_ipv6 | Data Exfiltration IP | ip | High | IPv6 address used for data exfiltration. | `itype="exfil_ipv6"` |
| exfil_url | Data Exfiltration URL | url | High | URL used for data exfiltration. | `itype="exfil_url"` |
| exploit_domain | Exploit Kit Domain | domain | Very High | Domain name associated with the web server hosting an exploit kit or launching web-based exploits. | `itype="exploit_domain"` |
| exploit_ip | Exploit Kit IP | ip | High | IP address associated with the web server hosting an exploit kit or launching web-based exploits. | `itype="exploit_ip"` |
| exploit_ipv6 | Exploit Kit IPv6 | ip | High | IPv6 address associated with the web server hosting an exploit kit or launching web-based exploits. | `itype="exploit_ipv6"` |
| exploit_url | Exploit Kit URL | url | Very High | URL used for launching web-based exploits. | `itype="exploit_url"` |
| fraud_domain | Fraud Hash | domain | High | Domain associated with fraudulent activity. | `itype="fraud_domain"` |
| fraud_email | Fraud Email | email | Low | Email address associated with fraudulent activity. | `itype="fraud_email"` |
| fraud_email_subject | Fraud Email Subject | string | Medium | Subject from an email associated with fraud activity. | `itype="fraud_email_subject"` |
| fraud_ip | Fraud IP Address | ip | High | IP address associated with fraudulent activity. | `itype="fraud_ip"` |
| fraud_md5 | Fraud Hash | hash | Very High | Hash associated with fraudulent activity. | `itype="fraud_md5"` |
| fraud_url | Fraud URL | url | Medium | URL associated with fraudulent activity. | `itype="fraud_url"` |
| free_email_domain | Free Email Domain | domain | Low | Domain associated with free email service activity. | `itype="free_email_domain"` |
| geolocation_url | IP Geolocation URL | url | Low | URL that can be used to provide IP geolocation services. | `itype="geolocation_url"` |
| hack_tool | Hacking Tool | string | High | Name of general hacking software tools used by threat actors. | `itype="hack_tool"` |
| hack_tool_md5 | Hack Tool File Hash | hash | Very High | MD5 or SHA hash of general hacking software tools used by threat actors. | `itype="hack_tool_md5"` |
| i2p_ip | I2P IP Address | ip | Low | IP address observed to be connecting to the I2P (Invisible Internet Project) network. | `itype="i2p_ip"` |
| i2p_ipv6 | I2P IPv6 Address | ip | Low | IPv6 address observed to be connecting to the I2P (Invisible Internet Project) network. | `itype="i2p_ipv6"` |
| ipcheck_url | IP Check URL | url | Low | URL that can be used to provide IP checking services, such as echoing the internet-facing IP address of the client. | `itype="ipcheck_url"` |
| mal_domain | Malware Domain | domain | Very High | Domain contacted by a malware sample; could be for command and control commands, or to check if the client is online. | `itype="mal_domain"` |
| mal_email | Malware Email | email | Low | Email address used to send malware through malicious links or attachments. | `itype="mal_email"` |
| mal_email_subject | Malware Email Subject | string | Medium | Subject from an email associated with malware activity. | `itype="mal_email_subject"` |
| mal_file_name | Malware File Name | string | Very High | File name of a malware sample. | `itype="mal_file_name"` |
| mal_file_path | Malware File Path | string | Very High | File path of a malware sample. | `itype="mal_file_path"` |
| mal_ip | Malware C&C IP | ip | Very High | IP address contacted by a malware sample; could be for command and control commands, or to check if the client is online. | `itype="mal_ip"` |
| mal_ipv6 | Malware C&C IPv6 | ip | Very High | IPv6 address contacted by a malware sample for command and control commands, or to check if the client is online. | `itype="mal_ipv6"` |
| mal_md5 | Malware File Hash | hash | Very High | MD5 or SHA hash of a malware sample. | `itype="mal_md5"` |
| mal_mutex | Malware Mutex | string | Very High | Mutex of a malware sample. | `itype="mal_mutex"` |
| mal_registry_key | Malware Registry Key | string | High | Registry key of a malware sample. | `itype="mal_registry_key"` |
| mal_service_description | Malware Service Description | string | Very High | Service description associated with the malware sample. | `itype="mal_service_description"` |
| mal_service_displayname | Malware Service Display Name | string | Very High | Service display name associated with the malware sample. | `itype="mal_service_displayname"` |
| mal_service_name | Malware Service Name | string | Very High | Service name associated with the malware sample. | `itype="mal_service_name"` |
| mal_ssdeep | Malware ssdeep Hash | string | Very High | ssdeep hash associated with the malware sample. | `itype="mal_ssdeep"` |
| mal_sslcert_sh1 | SSL Certificate Hash | hash | High | MD5 or SHA hash of an SSL certificate associated with malware or botnet activities. | `itype="mal_sslcert_sh1"` |
| mal_ua | Malware User Agent | string | Low | User agent string used by a malware sample when communicating via HTTP. | `itype="mal_ua"` |
| mal_url | Malware URL | url | Very High | URL contacted by a malware sample when run on an infected host. | `itype="mal_url"` |
| p2pcnc | Peer-to-Peer C&C IP Address | ip | Medium | IP address associated with a peer-to-peer command and control infrastructure. | `itype="p2pcnc"` |
| p2pcnc_ipv6 | Peer-to-Peer C&C IPv6 Address | ip | Medium | IPv6 address associated with a peer-to-peer command and control infrastructure. | `itype="p2pcnc_ipv6"` |
| parked_domain | Parked Domain | domain | Low | A domain name of a website which is currently parked. | `itype="parked_domain"` |
| parked_ip | Domain Parking IP | ip | Low | An IP address used for parking newly registered or inactive domain names. | `itype="parked_ip"` |
| parked_ipv6 | Domain Parking IPv6 | ip | Low | An IPv6 address used for parking newly registered or inactive domain names. | `itype="parked_ipv6"` |
| parked_url | Parked URL | url | Low | A URL of a website that is currently parked. | `itype="parked_url"` |
| pastesite_url | Paste Site URL | url | Low | A URL that can be used for sharing pastes or text content anonymously. | `itype="pastesite_url"` |
| phish_domain | Phishing Domain | domain | Very High | A domain used to perform phishing or spear-phishing attacks, or contained in a phishing email. | `itype="phish_domain"` |
| phish_email | Phishing Email Address | email | Very High | An email address associated with sending phishing or spear-phishing emails to victims. | `itype="phish_email"` |
| phish_email_subject | Phishing Email Subject | string | High | Subject from an email associated with phishing activity. | `itype="phish_email_subject"` |
| phish_ip | Phishing IP Address | ip | Very High | IP address that has been used to perform phishing or spear phishing, or is contained in a phishing email. | `itype="phish_ip"` |
| phish_ipv6 | Phishing IPv6 Address | ip | Very High | IPv6 address that has been used to perform phishing or spear phishing, or is contained in a phishing email. | `itype="phish_ipv6"` |
| phish_md5 | Phishing File Hash | hash | Very High | Hash related to a file used to perform phishing or spear-phishing attacks, or contained in a phishing email. | `itype="phish_md5"` |
| phish_url | Phishing URL | url | Very High | A URL used to perform phishing or spear-phishing attacks, or contained in a phishing email. | `itype="phish_url"` |
| proxy_ip | Open Proxy IP | ip | Low | IP address hosting open or anonymous proxy software; allows users to hide their IP address from the target. | `itype="proxy_ip"` |
| proxy_ipv6 | Open Proxy IPv6 | ip | Low | IPv6 address hosting open or anonymous proxy software; allows users to hide their IP address from the target. | `itype="proxy_ipv6"` |
| scan_ip | Scanning IP | ip | Medium | IP address observed to perform port scanning and vulnerability scanning activities. | `itype="scan_ip"` |
| scan_ipv6 | Scanning IPv6 | ip | Medium | IPv6 address observed to perform port scanning and vulnerability scanning activities. | `itype="scan_ipv6"` |
| sinkhole_domain | Sinkhole Domain | domain | Low | A domain name that researchers or security companies typically sinkhole. | `itype="sinkhole_domain"` |
| sinkhole_ip | Sinkhole IP | ip | Low | An IP address that is known to be used to sinkhole malicious domain names. | `itype="sinkhole_ip"` |
| sinkhole_ipv6 | Sinkhole IPv6 | ip | Low | An IPv6 address that is known to be used to sinkhole malicious domain names. | `itype="sinkhole_ipv6"` |
| social_media_url | Social Media URL | url | Medium | URL related to social media activity. This indicator type is provided by select feeds and cannot be imported through the ThreatStream user interface. | `itype="social_media_url"` |
| spam_domain | Spam Domain | domain | Low | A malicious domain name contained in spam email messages. | `itype="spam_domain"` |
| spam_email | Spammer Email Address | email | Low | Email address that has been observed sending spam emails. | `itype="spam_email"` |
| spam_email_subject | Spam Email Subject | string | Low | Subject from an email associated with spam activity. | `itype="spam_email_subject"` |
| spam_ip | Spammer IP | ip | Low | An IP address that is known to send spam emails. | `itype="spam_ip"` |
| spam_ipv6 | Spammer IPv6 | ip | Low | An IPv6 address that is known to send spam emails. | `itype="spam_ipv6"` |
| spam_mta | Spam Mail Transfer Agent | string | Low | Mail transfer agent known to be associated with spam emails. | `itype="spam_mta"` |
| spam_url | Spam URL | url | Low | A malicious URL contained in spam email messages. | `itype="spam_url"` |
| speedtest_url | Speed Test URL | url | Low | A URL that can be used to run internet speed tests or bandwidth measurements of the client's network connection. | `itype="speedtest_url"` |
| ssh_ip | SSH Brute Force IP | ip | Low | IP addresses associated with SSH brute-force attempts. | `itype="ssh_ip"` |
| ssh_ipv6 | SSH Brute Force IPv6 | ip | Low | IPv6 addresses associated with SSH brute-force attempts. | `itype="ssh_ipv6"` |
| ssl_cert_serial_number | SSL Certificate Serial Number | string | Low | Serial number unique to the TLS certificate issuer that identifies the entity being signed. | `itype="ssl_cert_serial_number"` |
| suppress | Suppress | n/a | n/a | Not a true indicator type; used by ArcSight for suppressing false positives. Default severity: n/a. | `itype="suppress"` |
| suspicious_domain | Suspicious Domain | domain | Medium | A domain name that appears to be registered for suspect reasons, but may not be associated with known malicious activity yet. | `itype="suspicious_domain"` |
| suspicious_email | Suspicious Email | email | Low | An email address that appears to be used for suspect reasons, but may not be associated with known malicious activity yet. | `itype="suspicious_email"` |
| suspicious_email_subject | Suspicious Email Subject | string | Low | Email subject from a suspicious email address. | |
| suspicious_ip | Suspicious IP | ip | Medium | An IP address that appears to be registered for suspect reasons, but may not be associated with known malicious activity yet. | `itype="suspicious_ip"` |
| suspicious_reg_email | Suspicious Registrant Email | email | Low | A registrant email address that appears to be used for suspect reasons, but may not be associated with known malicious activity yet. | `itype="suspicious_reg_email"` |
| suspicious_url | Suspicious URL | url | Medium | A URL that appears to be registered for suspect reasons, but may not be associated with known malicious activity yet. | `itype="suspicious_url"` |
| tor_ip | TOR Node IP | ip | Low | An IP address operating as part of The Onion Router (TOR) network, also known as a TOR exit node. | `itype="tor_ip"` |
| tor_ipv6 | TOR Node IPv6 | ip | Low | An IPv6 address operating as part of The Onion Router (TOR) network, also known as a TOR exit node. | `itype="tor_ipv6"` |
| torrent_tracker_url | Torrent Tracker URL | url | Low | A URL used for tracking BitTorrent file transfer activity. | `itype="torrent_tracker_url"` |
| vpn_domain | Anonymous VPN Domain | domain | Low | A domain name associated with commercial or free virtual private networks (VPN). | `itype="vpn_domain"` |
| vps_ip | Cloud Server IP | ip | Low | An IP address that is used for hosting virtual private servers (VPS) or other server rentals. | `itype="vps_ip"` |
| vps_ipv6 | Cloud Server IPv6 | ip | Low | An IPv6 address that is used for hosting virtual private servers (VPS) or other server rentals. | `itype="vps_ipv6"` |
| whois_bulk_reg_email | WHOIS Bulk Registrant Email | email | Low | A registrant email address associated with a privacy domain purchased from WHOIS. | `itype="whois_bulk_reg_email"` |
| whois_privacy_domain | WHOIS Privacy Email Domain | domain | Low | Privacy domain purchased from WHOIS. | `itype="whois_privacy_domain"` |
| whois_privacy_email | WHOIS Privacy Email | email | Low | Email address associated with a privacy domain purchased from WHOIS. | `itype="whois_privacy_email"` |

## Threat Types

During the import process, ThreatStream uses machine learning to assign indicator types to imported observables based on the threat type you select. The following table lists all available threat types in ThreatStream, together with the indicator types with which they are associated.

| Threat type | Name | Example | Associated indicator types |
| --- | --- | --- | --- |
| adware | Adware | `threat_type="adware"` | adware_domain |
| anomalous | Anomalous | `threat_type="anomalous"` | geolocation_url, ipcheck_url, speedtest_url |
| anonymization | Anonymization | `threat_type="anonymization"` | anon_proxy, anon_proxy_ipv6, anon_vpn, anon_vpn_ipv6, proxy_ip, proxy_ipv6, vpn_domain |
| apt | APT | `threat_type="apt"` | apt_domain, apt_email, apt_email_subject, apt_file_name, apt_file_path, apt_ip, apt_ipv6, apt_md5, apt_mta, apt_mutex, apt_registry_key, apt_service_description, apt_service_displayname, apt_service_name, apt_ssdeep, apt_subject, apt_ua, apt_url |
| bot | Bot | `threat_type="bot"` | bot_ip, bot_ipv6 |
| brute | Brute | `threat_type="brute"` | brute_ip, brute_ipv6, ssh_ip, ssh_ipv6 |
| c2 | C2 | `threat_type="c2"` | c2_domain, c2_ip, c2_ipv6, c2_url |
| compromised | Compromised | `threat_type="compromised"` | compromised_domain, compromised_email, compromised_email_subject, compromised_ip, compromised_ipv6, compromised_url |
| crypto | Crypto | `threat_type="crypto"` | crypto_hash, crypto_ip, crypto_pool, crypto_url, crypto_wallet |
| data_leakage | Data Leakage | `threat_type="data_leakage"` | pastesite_url |
| ddos | DDoS | `threat_type="ddos"` | ddos_ip, ddos_ipv6 |
| dyn_dns | Dynamic DNS | `threat_type="dyn_dns"` | dyn_dns |
| exfil | Exfil | `threat_type="exfil"` | exfil_domain, exfil_ip, exfil_ipv6, exfil_url |
| exploit | Exploit | `threat_type="exploit"` | exploit_domain, exploit_ip, exploit_ipv6, exploit_url |
| fraud | Fraud | `threat_type="fraud"` | fraud_domain, fraud_email, fraud_email_subject, fraud_ip, fraud_md5, fraud_url |
| hack_tool | Hacking Tool | `threat_type="hack_tool"` | hack_tool |
| i2p | I2P | `threat_type="i2p"` | i2p_ip, i2p_ipv6 |
| informational | Informational | `threat_type="informational"` | comm_proxy_domain, comm_proxy_ip, disposable_email_domain, free_email_domain, passphrase, ssl_cert_serial_number, whois_bulk_reg_email, whois_privacy_domain, whois_privacy_email |
| malware | Malware | `threat_type="malware"` | mal_domain, mal_email, mal_email_subject, email_attachment_subject, mal_file_name, mal_file_path, mal_ip, mal_ipv6, mal_md5, mal_mutex, mal_registry_key, mal_service_description, mal_service_displayname, mal_service_name, mal_ssdeep, mal_sslcert_sha1, mal_ua, mal_url |
| p2p | P2P | `threat_type="p2p"` | actor_ip, actor_ipv6, actor_subject, p2pcnc, p2pcnc_ipv6, torrent_tracker_url |
| parked | Parked | `threat_type="parked"` | parked_domain, parked_ip, parked_ipv6, parked_url |
| phish | Phish | `threat_type="phish"` | phish_domain, phish_email, phish_email_subject, phish_ip, phish_ipv6, phish_url |
| scan | Scan | `threat_type="scan"` | scan_ip, scan_ipv6 |
| sinkhole | Sinkhole | `threat_type="sinkhole"` | sinkhole_domain, sinkhole_ip, sinkhole_ipv6 |
| spam | Spam | `threat_type="spam"` | adware_registry_key, spam_domain, spam_email, spam_email_subject, spam_ip, spam_ipv6, spam_mta, spam_url |
| suppress | Suppress | `threat_type="suppress"` | suppress |
| suspicious | Suspicious | `threat_type="suspicious"` | suspicious_domain, suspicious_email, suspicious_email_subject, suspicious_ip, suspicious_reg_email, suspicious_url |
| tor | TOR | `threat_type="tor"` | tor_ip, tor_ipv6 |
| vps | VPS | `threat_type="vps"` | vps_ip, vps_ipv6 |

## Configurations

### Anomali ThreatStream API key authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| x_apikey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |
| api_user | API user used for authentication | string | required |

## Actions

### Get Email Reputation

Retrieves the highest-confidence indicator for an email's reputation from Anomali ThreatStream; requires a specific `value` parameter.

Endpoint URL: `/api/v2/intelligence`
Method: `GET`

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.value | string | required | The email address to check. |
| parameters.threshold | string | optional | If the confidence is greater than the threshold, the email address is considered malicious; otherwise it is considered good. This argument overrides the default email threshold defined as a parameter. |
| parameters.include_inactive | boolean | optional | Whether to include results with an inactive status. Possible values: `true`, `false`. |
| parameters.status | string | optional | Parameters for the Get Email Reputation action. |
| parameters.limit | number | optional | Parameters for the Get Email Reputation action. |

Input example:

```json
{
  "parameters": {
    "value": "example@gmail.com",
    "threshold": "None",
    "include_inactive": true,
    "status": "status",
    "limit": 0
  }
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| DBotScore | object | Score value |
| DBotScore.Indicator | string | Output field DBotScore.Indicator |
| DBotScore.Reliability | string | Output field DBotScore.Reliability |
| DBotScore.Score | number | Score value |
| DBotScore.Type | string | Type of the resource |
| DBotScore.Vendor | string | Output field DBotScore.Vendor |
| Email | object | Output field Email |
| Email.Address | string | Output field Email.Address |
| ThreatStream | object | Output field ThreatStream |
| ThreatStream.EmailReputation | object | Output field ThreatStream.EmailReputation |
| ThreatStream.EmailReputation.Confidence | number | Unique identifier |
| ThreatStream.EmailReputation.Email | string | Output field ThreatStream.EmailReputation.Email |
| ThreatStream.EmailReputation.Modified | string | Output field ThreatStream.EmailReputation.Modified |
| ThreatStream.EmailReputation.Severity | string | Output field ThreatStream.EmailReputation.Severity |
| ThreatStream.EmailReputation.Source | string | Output field ThreatStream.EmailReputation.Source |
| ThreatStream.EmailReputation.Status | string | Status value |
| ThreatStream.EmailReputation.Tags | array | Output field ThreatStream.EmailReputation.Tags |
| ThreatStream.EmailReputation.Type | string | Type of the resource |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 19 Dec 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "DBotScore": {
      "Indicator": "egov@ac.in",
      "Reliability": "B - Usually reliable",
      "Score": 3,
      "Type": "email",
      "Vendor": "Anomali ThreatStream v3"
    },
    "Email": {"Address": "egov@ac.in"},
    "ThreatStream": {"EmailReputation": {}}
  }
}
```

### Import Observable

Imports observables into Anomali ThreatStream with a specified JSON body, structuring the data for effective threat analysis.

Endpoint URL: `/api/v1/intelligence`
Method: `PATCH`

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| meta | object | optional | Parameter for Import Observable |
| meta.allow_unresolved | boolean | optional | Parameter for Import Observable |
| objects | object | optional | Parameter for Import Observable |
| objects.classification | string | optional | Parameter for Import Observable |
| objects.confidence | number | optional | Unique identifier |
| objects.source_confidence_weight | number | optional | Unique identifier |
| objects.expiration_ts | string | optional | Parameter for Import Observable |
| objects.severity | string | optional | Parameter for Import Observable |
| objects.tags | array | optional | Parameter for Import Observable |
| objects.trustedcircles | array | optional | Parameter for Import Observable |
| objects.srcip | string | optional | Parameter for Import Observable |
| objects.itype | string | required | Type of the resource |
| objects.domain | string | optional | Parameter for Import Observable |
| objects.url | string | optional | URL endpoint for the request |
| objects.email | string | optional | Parameter for Import Observable |
| objects.md5 | string | optional | Parameter for Import Observable |

Input example:

```json
{
  "json_body": {
    "meta": {"allow_unresolved": true},
    "objects": {
      "classification": "private",
      "confidence": 60,
      "source_confidence_weight": 100,
      "expiration_ts": "2023-07-30 22:00:00",
      "severity": "medium",
      "tags": ["malware", "windows xp", "dsl"],
      "trustedcircles": [13],
      "srcip": "1.2.3.4",
      "itype": "bot_ip",
      "domain": "idfsdszqylwjzq.biz",
      "url": "http://malicious.pl/wp-content/themes/credenza-wp/cr-mss3.exe",
      "email": "email@domain.com",
      "md5": "1d37556b8aeb5cb5fbf08cd5b4790075"
    }
  }
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Search Observable

Retrieves threat intelligence data on observables from Anomali ThreatStream to enhance security analysis.

Endpoint URL: `/api/v2/intelligence`
Method: `GET`

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Parameters for the Search Observable action. |
| parameters.asn | string | optional | Autonomous system (AS) number associated with the indicator. |
| parameters.asn__exact | string | optional | As for `asn`. |
| parameters.asn__startswith | string | optional | As for `asn`. |
| parameters.asn__contains | string | optional | As for `asn`. |
| parameters.confidence | number | optional | Level of certainty that an observable is of the reported indicator type. Confidence scores range from 0 to 100, in increasing order of confidence, and are assigned by ThreatStream based on several factors. |
| parameters.confidence__exact | number | optional | As for `confidence`. |
| parameters.confidence__lt | number | optional | As for `confidence`. |
| parameters.confidence__gt | number | optional | As for `confidence`. |
| parameters.confidence__lte | number | optional | As for `confidence`. |
| parameters.confidence__gte | number | optional | As for `confidence`. |
| parameters.country | string | optional | Country associated with the indicator. |
| parameters.country__exact | string | optional | As for `country`. |
| parameters.country__startswith | string | optional | As for `country`. |
| parameters.country__contains | string | optional | As for `country`. |
| parameters.created_ts | string | optional | When the indicator was first seen on the ThreatStream cloud platform. The date must be specified in the format `YYYY-MM-DDTHH:MM:SS`, where `T` denotes the start of the time value, in UTC; for example, `2014-10-02T20:44:35`. |
| parameters.created_ts__exact | string | optional | As for `created_ts`. |
| parameters.created_ts__lt | string | optional | As for `created_ts`. |
| parameters.created_ts__lte | string | optional | As for `created_ts`. |
| parameters.created_ts__gte | string | optional | As for `created_ts`. |
| parameters.created_ts__gt | string | optional | As for `created_ts`. |
| parameters.expiration_ts | string | optional | Timestamp of when the intelligence will expire on ThreatStream, in UTC. |
| parameters.expiration_ts__exact | string | optional | As for `expiration_ts`. |
| parameters.expiration_ts__lt | string | optional | As for `expiration_ts`. |
| parameters.expiration_ts__lte | string | optional | As for `expiration_ts`. |

Input example:

```json
{
  "parameters": {
    "limit": 123,
    "asn": "string",
    "asn__exact": "string",
    "asn__startswith": "string",
    "asn__contains": "string",
    "confidence": 123,
    "confidence__exact": 123,
    "confidence__lt": 123,
    "confidence__gt": 123,
    "confidence__lte": 123,
    "confidence__gte": 123,
    "country": "string",
    "country__exact": "string",
    "country__startswith": "string",
    "country__contains": "string",
    "created_ts": "string",
    "created_ts__exact": "string",
    "created_ts__lt": "string",
    "created_ts__lte": "string",
    "created_ts__gte": "string",
    "created_ts__gt": "string",
    "expiration_ts": "string",
    "expiration_ts__exact": "string",
    "expiration_ts__lt": "string",
    "expiration_ts__lte": "string",
    "expiration_ts__gte": "string",
    "expiration_ts__gt": "string",
    "feed_id": 123,
    "feed_id__exact": 123,
    "id": "12345678-1234-1234-1234-123456789abc",
    "import_session_id": 123,
    "import_session_id__exact": 123,
    "ip": "string",
    "ip__exact": "string",
    "ip__startswith": "string",
    "ip__contains": "string",
    "is_anonymous": true,
    "is_anonymous__exact": true,
    "is_public": true,
    "is_public__exact": true,
    "itype": "string",
    "itype__exact": "string",
    "itype__startswith": "string",
    "itype__contains": "string",
    "latitude": 123,
    "latitude__exact": 123,
    "latitude__lt": 123,
    "latitude__lte": 123,
    "latitude__gte": 123,
    "latitude__gt": 123
  }
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| objects | array | Output field objects |
| objects.target_industry | array | Output field objects.target_industry |
| objects.source | string | Output field objects.source |
| objects.threatscore | number | Score value |
| objects.threat_type | string | Type of the resource |
| objects.trusted_circle_ids | array | Unique identifier |
| objects.description | object | Output field objects.description |
| objects.workgroups | array | Output field objects.workgroups |
| objects.sort | array | Output field objects.sort |
| objects.resource_uri | string | Output field objects.resource_uri |
| objects.update_id | number | Unique identifier |
| objects.country | string | Output field objects.country |
| objects.type | string | Type of the resource |
| objects.uuid | string | Unique identifier |
| objects.feed_id | number | Unique identifier |
| objects.created_ts | string | Output field objects.created_ts |
| objects.id | number | Unique identifier |
| objects.longitude | number | Output field objects.longitude |
| objects.ip | string | Output field objects.ip |
| objects.expiration_ts | string | Output field objects.expiration_ts |
| objects.owner_organization_id | number | Unique identifier |
| objects.meta | object | Output field objects.meta |
| objects.meta.severity | string | Output field objects.meta.severity |

Output example (truncated on the page): `{"objects": [{"target`
industry" \[],"source" "string","threatscore" 123,"threat type" "string","trusted circle ids" \[],"description" {},"workgroups" \[],"sort" \[],"resource uri" "string","update id" 123,"country" "string","type" "string","uuid" "12345678 1234 1234 1234 123456789abc","feed id" 123,"created ts" "string"}],"meta" {"offset" 123,"limit" 123,"total count" 123,"next" {},"took" 123}} response headers header description example content length the length of the response body in bytes 140 content type the media type of the resource application/json date the date and time at which the message was originated tue, 19 dec 2023 20 37 23 gmt
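The Search Observable action above takes `field__suffix` filters, a `limit` that bounds run time, confidence values in the documented 0 to 100 range and timestamps in the `YYYYMMDDThhmmss` form, and returns `objects` plus a `meta` block with `offset`, `limit`, `total_count` and `next`. The following Python is an added example (not code from the Swimlane connector or from Anomali) that builds a validated query string for `/api/v2/intelligence`, walks the pages, and then discards indicators whose `expiration_ts` has already passed before ranking the rest by `meta.severity` and `threatscore`. It assumes that `meta.next` carries the path of the following page or is empty when the result set is exhausted, that severity labels are `low`, `medium`, `high` and `very-high`, and that a caller supplies the HTTP transport (credentials and the endpoint URL from the prerequisites are left to the connector). The two response pages are constructed sample data in the shape of the output example.

```python
"""Query builder, pager and triage for the Search Observable action.

Added example, not part of the Swimlane or Anomali documentation.
Lines marked ASSUMPTION are not stated on the page.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any, Callable
from urllib.parse import urlencode

ENDPOINT = "/api/v2/intelligence"
# ASSUMPTION: severity labels and their ordering; the page only shows "medium".
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "very-high": 3}


def ts_param(dt: datetime) -> str:
    """Render a datetime in UTC as YYYY-MM-DDThh:mm:ss, e.g. 2014-10-02T20:44:35."""
    if dt.tzinfo is not None:
        dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S")


def build_search_params(limit: int, **filters: Any) -> dict[str, str]:
    """Validate filters and return the query dict for the search request.

    Filter names use the page's field__suffix form (confidence__gte,
    created_ts__gt, itype__contains, ...). Datetimes are formatted, booleans
    become "true"/"false", and confidence values must be integers in 0..100.
    """
    if limit < 1:
        raise ValueError("limit must be positive; it bounds the search run time")
    params: dict[str, str] = {"limit": str(limit)}
    for key, value in filters.items():
        field = key.split("__", 1)[0]
        if field == "confidence":
            if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 100:
                raise ValueError(f"{key}: confidence is an integer from 0 to 100")
        if isinstance(value, datetime):
            value = ts_param(value)
        elif isinstance(value, bool):
            value = "true" if value else "false"
        params[key] = str(value)
    return params


def search_all(fetch: Callable[[str], dict[str, Any]], params: dict[str, str],
               max_pages: int = 10) -> list[dict[str, Any]]:
    """Collect objects across pages. fetch(path_with_query) returns the parsed body.

    ASSUMPTION: meta.next is the path of the next page, or empty at the end.
    max_pages caps the walk so a broad filter cannot run unbounded.
    """
    path = f"{ENDPOINT}?{urlencode(params)}"
    objects: list[dict[str, Any]] = []
    for _ in range(max_pages):
        body = fetch(path)
        objects.extend(body.get("objects", []))
        nxt = body.get("meta", {}).get("next")
        if not nxt:
            break
        path = nxt
    return objects


def parse_ts(value: str) -> datetime:
    """Parse a ThreatStream timestamp (UTC, YYYY-MM-DDThh:mm:ss)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def triage(objects: list[dict[str, Any]], now: datetime,
           min_severity: str = "medium") -> list[dict[str, Any]]:
    """Drop expired indicators and those below min_severity; rank the rest."""
    def severity(obj: dict[str, Any]) -> int:
        return SEVERITY_RANK.get(obj.get("meta", {}).get("severity", "low"), 0)

    keep = []
    for obj in objects:
        exp = obj.get("expiration_ts")
        if exp and parse_ts(exp) <= now:
            continue  # stale intelligence: expiration_ts already passed
        if severity(obj) < SEVERITY_RANK[min_severity]:
            continue
        keep.append(obj)
    keep.sort(key=lambda o: (severity(o), o.get("threatscore", 0)), reverse=True)
    return keep


# Constructed sample responses (two pages) in the shape of the page's output example.
SAMPLE_PAGES: dict[str, dict[str, Any]] = {
    f"{ENDPOINT}?limit=2&confidence__gte=70&created_ts__gt=2014-10-02T20%3A44%3A35": {
        "objects": [
            {"id": 1, "type": "ip", "ip": "198.51.100.7", "threatscore": 80,
             "expiration_ts": "2030-01-01T00:00:00", "meta": {"severity": "high"}},
            {"id": 2, "type": "domain", "threatscore": 40,
             "expiration_ts": "2020-01-01T00:00:00", "meta": {"severity": "high"}},
        ],
        "meta": {"offset": 0, "limit": 2, "total_count": 3,
                 "next": f"{ENDPOINT}?limit=2&offset=2"},
    },
    f"{ENDPOINT}?limit=2&offset=2": {
        "objects": [
            {"id": 3, "type": "ip", "ip": "203.0.113.9", "threatscore": 95,
             "expiration_ts": "2030-01-01T00:00:00", "meta": {"severity": "very-high"}},
        ],
        "meta": {"offset": 2, "limit": 2, "total_count": 3, "next": None},
    },
}


def example_params() -> dict[str, str]:
    """Query for indicators with confidence >= 70 created after the page's sample date."""
    return build_search_params(limit=2, confidence__gte=70,
                               created_ts__gt=datetime(2014, 10, 2, 20, 44, 35))


def confidence_rejected(value: Any) -> bool:
    """True when build_search_params refuses an out-of-range confidence."""
    try:
        build_search_params(limit=1, confidence__lte=value)
        return False
    except ValueError:
        return True


def example_triage_ids() -> list[int]:
    """Page through the constructed sample and return surviving indicator ids, ranked."""
    objects = search_all(lambda path: SAMPLE_PAGES[path], example_params())
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    return [o["id"] for o in triage(objects, now)]


if __name__ == "__main__":
    print(example_params())
    print(example_triage_ids())
```

Indicator 2 in the sample is dropped because its `expiration_ts` is in the past relative to the chosen "now"; acting on expired intelligence is a common false-positive source in automated blocking, so the check belongs in the playbook rather than downstream.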