Fortinet Document Library


About the connector

Anomali STAXX provides you with an easy way to access any STIX/TAXII feed. The STAXX portal allows users to link from an Indicator of Compromise (IOC) to information that identifies threat Actors, Campaigns, and TTPs. Users can also access additional Anomali threat intelligence feeds, and preview features of Anomali’s Threat Intelligence Platform.

This document provides information about the Anomali STAXX Connector, which facilitates automated interactions with an Anomali STAXX Service server using FortiSOAR™ playbooks. Add the Anomali STAXX Connector as a step in FortiSOAR™ playbooks to perform automated operations such as importing indicators and getting indicators.

 

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later

Compatibility with Anomali STAXX server Version: 3.4 and later

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the Anomali STAXX server to which you will connect and perform the automated operations.
  • You must have the username and password with appropriate permissions to connect to the Anomali STAXX server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In CyOPs™, on the Connectors page, select the Anomali STAXX connector and click Configure to configure the following parameters:

 

  • Server URL: URL of the Anomali STAXX Service server to which you will connect and perform the automated operations.
  • Server Port: Port number used to connect to the Anomali STAXX server.
  • Username: Username used to access the Anomali STAXX Service server to which you will connect and perform the automated operations.
  • Password: Password used to access the Anomali STAXX Service server to which you will connect and perform the automated operations.
  • Verify SSL: Specifies whether the SSL certificate of the server is to be verified. By default, this option is set to True.

 

Actions supported by the connector

The following automated operations can be included in playbooks; from FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:

 

  • Import Indicators: Imports Indicators of Compromise (IOCs) into Anomali STAXX. Annotation: import_indicators; Category: Investigation
  • Get Indicators: Exports search results from Anomali STAXX based on the search query you have specified. Annotation: get_indicators; Category: Investigation

 

operation: Import Indicators

Input parameters

Important: You must specify observables using the File Details parameters, the Intelligence parameter, or both together. File Details consists of two parameters: File Name and Attachment IRI.

 

  • File Name: Name of the file that contains the observables to be imported into Anomali STAXX.
  • Attachment IRI: Attachment IRI used to access the file directly from the FortiSOAR™ Attachments module. This should be the file that you want to import into Anomali STAXX. In the playbook, this defaults to {{vars.attachment_id}}.
  • Intelligence: Comma-separated list of observables that you want to import into Anomali STAXX.
  • Threat Type: Type of threat to be assigned to the observables that you want to import into Anomali STAXX. You can choose from the following options: adware, anomalous, anonymization, apt, bot, brute, c2, compromised, data_leakage, ddos, dyn_dns, exfile, exploit, hack_tool, i2p, informational, malware, p2p, parked, phish, scan, sinkhole, spam, suppress, suspicious, tor, or vps.
  • Confidence: Confidence value to assign to the observables that you want to import into Anomali STAXX. You can specify a value from 0 to 100.
  • Severity: Severity value to assign to the observables that you want to import into Anomali STAXX. You can choose from the following options: Low, Medium, High, or Very High. By default, this is set to Low.
  • TLP: Traffic Light Protocol (TLP) value to assign to the observables that you want to import into Anomali STAXX. You can choose from the following options: White, Green, Amber, or Red. By default, this is set to White.
  • Tags: Comma-separated list of tags to assign to the observables that you want to import into Anomali STAXX, for example, suspicious-domain, victim-finance.
  • Auto Approve: Select this option to automatically approve the observables for import into Anomali STAXX. By default, this is set to false, i.e., manual approval through the user interface is required before the observables are imported into Anomali STAXX.

 

Output

The JSON output returns a Success message if the observables that you have specified are successfully imported into Anomali STAXX, and it also contains the import job ID.

The following image displays a sample output:

 

Sample output of the Import Indicators operation

 

operation: Get Indicators

Input parameters

 

  • Query: Query (or filter) that defines the search criteria for the results you want to retrieve from Anomali STAXX. You can specify a keyword or a field-based query. Examples of queries that you can specify:
    - confidence>50
    - confidence>50 AND severity=high
    - confidence>80 AND itype=c2_domain AND date_last>-14d
    - confidence>80 AND itype=c2_domain AND date_last>=2016-12-14T01:57:51 AND date_last<=2016-12-21T01:57:51
    - confidence>=50 and date_last >= '2016-11-22T00:21:01' and date_last <='2016-12-22T00:21:01' and (itype = 'apt_url' OR itype = 'phish_url' OR itype = 'c2_ip')
    - confidence>60 AND (itype contains apt OR itype contains domain) AND severity=very-high
  • File Type: File type in which to export the search results returned from Anomali STAXX. You can choose between csv and json.
  • Size (Optional): Maximum number of search results this operation should export.
  • Add as Attachment: Select this checkbox (set to true) to save the result of this operation as an attachment in the FortiSOAR™ Attachments module.
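The query examples above use a small filter grammar: field comparisons, relative dates such as -14d, a contains operator, and AND/OR with parentheses. The following Python evaluator is an added illustration, not part of the connector or of Anomali's code: it applies such a query locally to records shaped like the Get Indicators output (for example to re-filter an exported result set inside a playbook). The grammar it accepts is inferred from the listed examples, and the sample records and the AS_OF timestamp are constructed.

```python
import re
from datetime import datetime, timedelta

TOKEN = re.compile(r"\s*(\(|\)|>=|<=|>|<|=|'[^']*'|[^\s()<>=']+)")  # ( ) ops 'quoted' bare
OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "<": lambda a, b: a < b,
       "<=": lambda a, b: a <= b, "=": lambda a, b: a == b, "contains": lambda a, b: str(b) in str(a)}

def coerce(raw, now):  # query literal or record value -> int, datetime or lowercase str
    s = str(raw).strip("'")
    if re.fullmatch(r"-?\d+", s):
        return int(s)
    if re.fullmatch(r"-\d+d", s):  # relative date such as -14d
        return now - timedelta(days=int(s[1:-1]))
    try:
        return datetime.fromisoformat(s)
    except ValueError:
        return s.lower()

def compare(lhs, op, rhs, now):  # a missing field or mismatched types never match
    a, b = coerce(lhs, now), coerce(rhs, now)
    return lhs is not None and (op == "contains" or type(a) is type(b)) and OPS[op](a, b)

def parse(text, now):  # expr := term (OR term)*; term := factor (AND factor)*
    toks = TOKEN.findall(text) + [""]  # "" sentinel marks end of input
    def chain(sub, word, combine):  # sub (word sub)*, folded with any/all
        nodes = [sub()]
        while toks[0].upper() == word and toks.pop(0):  # pop consumes the keyword
            nodes.append(sub())
        return lambda rec: combine(n(rec) for n in nodes)
    def factor():  # either a parenthesised group or "field op value"
        if toks[0] != "(":
            field, op, raw = toks.pop(0), toks.pop(0).lower(), toks.pop(0)
            return lambda rec: compare(rec.get(field), op, raw, now)
        toks.pop(0)
        node, _ = expr(), toks.pop(0)  # parse the group, then drop the closing ')'
        return node
    term = lambda: chain(factor, "AND", all)
    expr = lambda: chain(term, "OR", any)  # OR binds loosest
    return expr()

def search(records, query, now=None):  # indicator values of the records matching query
    pred = parse(query, now or datetime.now())
    return [r["indicator"] for r in records if pred(r)]

AS_OF = datetime(2016, 12, 22)  # fixed "now" so the date_last>-14d example is reproducible
SAMPLE = [  # constructed records shaped like the Get Indicators JSON output
    {"indicator": "bad-c2.example", "itype": "c2_domain", "confidence": 90, "severity": "very-high", "date_last": "2016-12-20T10:00:00"},
    {"indicator": "198.51.100.7", "itype": "c2_ip", "confidence": 55, "severity": "high", "date_last": "2016-11-30T08:00:00"},
    {"indicator": "apt.example", "itype": "apt_domain", "confidence": 70, "severity": "very-high", "date_last": "2016-10-01T00:00:00"},
]
```

Keyword matching (AND/OR/contains) is case-insensitive and string values are compared lowercased, so severity=high and severity=High behave the same.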

 

Output

The JSON output contains the list of observables retrieved from Anomali STAXX based on the query you have specified, with details such as severity, confidence, indicator, classification, source, itype, and feed name.

The following image displays a sample output:

 

Sample output of the Get Indicators operation

 

Included playbooks

The Sample - Anomali-STAXX - 1.0.0 playbook collection comes bundled with the Anomali STAXX connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Anomali STAXX connector.

  • Get Indicators
  • Import Indicators

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
