Anomali ThreatStream is a Threat Intelligence Platform that lets organizations consume intelligence feeds and integrate them with internal security and IT systems.
This document describes the Anomali ThreatStream connector, which automates interactions with a ThreatStream server from FortiSOAR™ playbooks. Add the Anomali ThreatStream connector as a step in FortiSOAR™ playbooks to perform automated operations, such as retrieving the reputation of an IP address, URL, file hash, email address, or domain, so that you can investigate and contain a file-based incident in a fully automated manner.
Connector Version: 1.0.1
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Anomali ThreatStream API Version: v2
The following enhancement has been made to the Anomali ThreatStream connector in version 1.0.1: a Validate Input parameter has been added to all operations, except the Run Filter Language Query and Run Advance Query operations.
For the procedure to install a connector, see the FortiSOAR™ connectors documentation.
For the procedure to configure a connector, see the FortiSOAR™ connectors documentation.
In FortiSOAR™, on the Connectors page, select the Anomali ThreatStream connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | URL (IP address or host name) of the ThreatStream server to which you will connect and perform the automated operations. |
Registered User Name | Registered username for ThreatStream. |
User API Key | API key configured for your account for using the ThreatStream API. Treat it as a credential: it authenticates every request the connector sends. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. Leave it enabled outside lab testing: with verification disabled, anyone who can impersonate the server can capture the username and API key sent with each request. |
The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Get Domain Reputation | Retrieves the reputation of the specified domain based on the filter criteria that you have specified. | domain_reputation Investigation |
Get IP Reputation | Retrieves the reputation of the specified IP address based on the filter criteria that you have specified. | ip_reputation Investigation |
Get URL Reputation | Retrieves the reputation of the specified URL based on the filter criteria that you have specified. | url_reputation Investigation |
Get Email Reputation | Retrieves the reputation of the specified Email address based on the filter criteria that you have specified. | email_reputation Investigation |
Get File Reputation | Retrieves the reputation of the specified FileHash based on the filter criteria that you have specified. | file_reputation Investigation |
Get Whois Domain Information | Executes a WhoIs lookup on the specified domain name and retrieves a list of domains based on the domain name and filter criteria that you have specified. | whois_domain Investigation |
Get Whois IP Information | Executes a WhoIs lookup on the specified IP address and retrieves a list of IP addresses based on the IP and filter criteria that you have specified. | whois_ip Investigation |
Run Filter Language Query | Runs a search query using ThreatStream’s Filter Language Query grammar. | search_query Investigation |
Run Advance Query | Runs an advanced search query using ThreatStream’s Query grammar. | search_query Investigation |
Input parameters for the Get Domain Reputation operation:
Parameter | Description |
---|---|
Domain Name | Name of the domain for which you want to retrieve reputation information. |
Filter Options | Filter option supported by ThreatStream for matching the value: exact, startswith, contains, regex, or regexp. |
Validate Input | Select this checkbox if you want to validate the input you have provided, the Domain Name in this case. Note: This option is effective only if you set Filter Options to exact, because the other options take a pattern rather than a complete domain name. By default, this option is set to False. |
The JSON output contains the list of domains matching the filter option, with information for each such as threatscore, country, type, feed id, IP, modified timestamp, and created timestamp. The output also includes a message with the execution status of the operation, for example, message: Executed Successfully, and the total number of results returned in the result item, for example, result [7], as shown in the following image, which displays a sample output:
Input parameters for the Get IP Reputation operation:
Parameter | Description |
---|---|
IP Address | IP address for which you want to retrieve reputation information. |
Filter Options | Filter option supported by ThreatStream for matching the value: exact, startswith, contains, regex, or regexp. |
Validate Input | Select this checkbox if you want to validate the input you have provided, the IP Address in this case. Note: This option is effective only if you set Filter Options to exact, because the other options take a pattern rather than a complete IP address. By default, this option is set to False. |
The JSON output contains the list of IP addresses matching the filter option, with information for each such as threatscore, country, type, feed id, IP, modified timestamp, and created timestamp. The output also includes a message with the execution status of the operation, for example, message: Executed Successfully, and the total number of results returned in the result item, for example, result [1], as shown in the following image, which displays a sample output:
Input parameters for the Get URL Reputation operation:
Parameter | Description |
---|---|
URL | URL for which you want to retrieve reputation information. |
Filter Options | Filter option supported by ThreatStream for matching the value: exact, startswith, contains, regex, or regexp. |
Validate Input | Select this checkbox if you want to validate the input you have provided, the URL in this case. Note: This option is effective only if you set Filter Options to exact, because the other options take a pattern rather than a complete URL. By default, this option is set to False. |
The JSON output contains the list of URLs matching the filter option, with information for each such as threatscore, country, type, feed id, IP, modified timestamp, and created timestamp. The output also includes a message with the execution status of the operation, for example, message: Executed Successfully, and the total number of results returned in the result item, for example, result [1], as shown in the following image, which displays a sample output:
Input parameters for the Get Email Reputation operation:
Parameter | Description |
---|---|
Email Address | Email address for which you want to retrieve reputation information. |
Filter Options | Filter option supported by ThreatStream for matching the value: exact, startswith, contains, regex, or regexp. |
Validate Input | Select this checkbox if you want to validate the input you have provided, the Email Address in this case. Note: This option is effective only if you set Filter Options to exact, because the other options take a pattern rather than a complete email address. By default, this option is set to False. |
The JSON output contains the list of email addresses matching the filter option, with information for each such as threatscore, country, type, feed id, IP, modified timestamp, and created timestamp. The output also includes a message with the execution status of the operation, for example, message: Executed Successfully, and the total number of results returned in the result item, for example, result [1], as shown in the following image, which displays a sample output:
Input parameters for the Get File Reputation operation:
Parameter | Description |
---|---|
File Hash | File hash for which you want to retrieve reputation information. |
Filter Options | Filter option supported by ThreatStream for matching the value: exact, startswith, contains, regex, or regexp. |
Validate Input | Select this checkbox if you want to validate the input you have provided, the File Hash in this case. Note: This option is effective only if you set Filter Options to exact, because the other options take a pattern rather than a complete hash. By default, this option is set to False. |
The JSON output contains the list of file hashes matching the filter option, with information for each such as threatscore, country, type, feed id, IP, modified timestamp, and created timestamp. The output also includes a message with the execution status of the operation, for example, message: Executed Successfully, and the total number of results returned in the result item, for example, result [328], as shown in the following image, which displays a sample output:
Input parameters for the Get Whois Domain Information operation:
Parameter | Description |
---|---|
Domain Name | Name of the domain for which you want to retrieve Whois information. |
Filter Options | Filter option supported by ThreatStream for matching the value: exact, startswith, contains, regex, or regexp. |
Validate Input | Select this checkbox if you want to validate the input you have provided, the Domain Name in this case. Note: This option is effective only if you set Filter Options to exact, because the other options take a pattern rather than a complete domain name. By default, this option is set to False. |
The JSON output contains the list of domains matching the filter option, with Whois information for each such as threatscore, country, type, feed id, IP, modified timestamp, and created timestamp. The output also includes a message with the execution status of the operation, for example, message: Executed Successfully, and the total number of results returned in the result item, for example, result [1], as shown in the following image, which displays a sample output:
Input parameters for the Get Whois IP Information operation:
Parameter | Description |
---|---|
IP Address | IP address for which you want to retrieve Whois information. |
Filter Options | Filter option supported by ThreatStream for matching the value: exact, startswith, contains, regex, or regexp. |
Validate Input | Select this checkbox if you want to validate the input you have provided, the IP Address in this case. Note: This option is effective only if you set Filter Options to exact, because the other options take a pattern rather than a complete IP address. By default, this option is set to False. |
The JSON output contains the list of IP addresses matching the filter option, with Whois information for each such as threatscore, country, type, feed id, IP, modified timestamp, and created timestamp. The output also includes a message with the execution status of the operation, for example, message: Executed Successfully, and the total number of results returned in the result item, for example, result [6], as shown in the following image, which displays a sample output:
Input parameters for the Run Filter Language Query operation:
Parameter | Description |
---|---|
Query | Valid query to be run on the ThreatStream server. The query must conform to ThreatStream’s Filter Language Query grammar. This operation has no Validate Input option, so if the query embeds values taken from an alert or from user input, quote and escape them so they cannot change the structure of the query. |
The JSON output depends on the query that you run on the ThreatStream server. The output also includes a message with the execution status of the operation, for example, message: Executed Successfully, and the total number of results returned in the result item, for example, result [4], as shown in the following image, which displays a sample output:
Input parameters for the Run Advance Query operation:
Parameter | Description |
---|---|
Query | Valid query to be run on the ThreatStream server. The query must conform to ThreatStream’s Query grammar. This operation has no Validate Input option, so if the query embeds values taken from an alert or from user input, quote and escape them so they cannot change the structure of the query. |
The JSON output depends on the query that you run on the ThreatStream server. The output also includes a message with the execution status of the operation, for example, message: Executed Successfully, and the total number of results returned in the result item, for example, result [18], as shown in the following image, which displays a sample output:
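The following Python block is an added example written for this page; it is not code from the FortiSOAR connector or from Anomali. It shows, for the reputation operations above, how an indicator lifted from an alert is validated before it is placed in a request, why the documented Validate Input rule (validation only with the exact filter option) is the right one, and, for the two query operations, how a value is escaped so that it cannot alter the structure of a filter-language query; finally it reduces a reply to the fields a containment decision needs. Everything about the wire format is an assumption, not taken from this page: the `/api/v2/intelligence/` path, `username` and `api_key` query-string authentication, Django-style `value__<lookup>` filters, the type names in `TYPE_PARAM`, the `field="value" AND ...` query grammar, and the `{"meta": ..., "objects": [...]}` reply shape. `SAMPLE_RESPONSE` is hand-constructed; its field names follow the fields this page lists.

```python
"""Added example, not FortiSOAR connector or ThreatStream code.

ASSUMED (not from this page): the /api/v2/intelligence/ path, username and
api_key query-string auth, value__<lookup> filters, the TYPE_PARAM names,
the field="value" AND ... query grammar, and the {"meta","objects"} reply.
"""
import ipaddress
import json
import re
from urllib.parse import urlencode, urlsplit

FILTER_OPTIONS = ("exact", "startswith", "contains", "regex", "regexp")
# Assumed ThreatStream type names for the five reputation operations.
TYPE_PARAM = {"ip": "ip", "domain": "domain", "url": "url", "email": "email", "hash": "md5"}

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256


def validate_indicator(kind, value):
    """True if value is a syntactically well-formed indicator of the given kind."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "domain":
        return bool(_DOMAIN_RE.match(value))
    if kind == "email":
        local, at, domain = value.rpartition("@")
        return bool(at and local and " " not in local and _DOMAIN_RE.match(domain))
    if kind == "url":
        parts = urlsplit(value)
        return parts.scheme in ("http", "https") and bool(parts.netloc)
    if kind == "hash":
        return bool(_HASH_RE.match(value))
    raise ValueError(f"unknown indicator kind: {kind}")


def build_lookup_params(kind, value, filter_option="exact", validate_input=False,
                        username="analyst", api_key="REDACTED"):
    """Return the request path and query string for one reputation lookup.

    Validate Input is honoured only with the exact filter: a startswith,
    contains or regex argument is a search pattern, not an indicator, so
    there is nothing well-formed to check. Indicators taken from alerts are
    untrusted input; malformed ones are rejected before they reach the API.
    """
    if filter_option not in FILTER_OPTIONS:
        raise ValueError(f"unsupported filter option: {filter_option}")
    if validate_input and filter_option == "exact" and not validate_indicator(kind, value):
        raise ValueError(f"{value!r} is not a well-formed {kind}")
    params = {"username": username, "api_key": api_key, "type": TYPE_PARAM[kind],
              f"value__{filter_option}": value, "limit": 100}
    return "/api/v2/intelligence/?" + urlencode(params)


def build_filter_language_query(terms):
    """AND together (field, value) pairs as a q= filter-language expression.

    Values are double-quoted with embedded quotes and backslashes escaped, so
    an attacker-chosen indicator cannot break out of its string literal and
    widen the query. Field names are restricted to plain identifiers.
    """
    clauses = []
    for field, value in terms:
        if not re.fullmatch(r"[a-z_]+", field):
            raise ValueError(f"bad field name: {field!r}")
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        clauses.append(f'{field}="{escaped}"')
    return "(" + " AND ".join(clauses) + ")"


# Hand-constructed reply; field names follow the fields listed on this page.
SAMPLE_RESPONSE = json.dumps({
    "meta": {"total_count": 2, "limit": 100, "offset": 0, "next": None},
    "objects": [
        {"value": "example.invalid", "type": "domain", "itype": "mal_domain",
         "threatscore": 85, "confidence": 90, "country": "US", "feed_id": 42,
         "ip": "198.51.100.7", "status": "active",
         "created_ts": "2020-01-01T00:00:00", "modified_ts": "2020-01-02T00:00:00"},
        {"value": "example.invalid", "type": "domain", "itype": "phish_domain",
         "threatscore": 40, "confidence": 55, "country": "DE", "feed_id": 7,
         "ip": "203.0.113.9", "status": "inactive",
         "created_ts": "2019-06-01T00:00:00", "modified_ts": "2019-06-03T00:00:00"},
    ],
})


def summarise(response_text, min_confidence=0):
    """Reduce a reply to what a containment decision needs.

    Only active indicators at or above min_confidence count towards the
    verdict; an expired or low-confidence feed entry should not block a host.
    """
    data = json.loads(response_text)
    hits = [o for o in data.get("objects", [])
            if o.get("status") == "active" and o.get("confidence", 0) >= min_confidence]
    return {
        "message": "Executed Successfully",
        "total": data["meta"]["total_count"],  # every match, as in result [N]
        "active_hits": len(hits),
        "max_threatscore": max((o["threatscore"] for o in hits), default=0),
        "feeds": sorted({o["feed_id"] for o in hits}),
    }


if __name__ == "__main__":
    print(build_lookup_params("domain", "example.invalid", "exact", validate_input=True))
    print(build_filter_language_query([("type", "domain"), ("value", "example.invalid")]))
    print(summarise(SAMPLE_RESPONSE, min_confidence=60))
```

In a playbook, the equivalent of `summarise` is the step that reads the connector's result: branch on active, sufficiently confident hits rather than on `result [N]` alone, since the total counts every matching record, including ones the feed has since retired.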
The Sample-ThreatStream-1.0.1 playbook collection comes bundled with the Anomali ThreatStream connector. Its playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Anomali ThreatStream connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.