Fortinet Document Library

Version:

Version:


Table of Contents

Anomali ThreatStream

Copy Link

About the connector

Anomali ThreatStream offers the most comprehensive Threat Intelligence Platform, allowing organizations to access all intelligence feeds and integrate it seamlessly with internal security and IT systems.

This document provides information about the Anomali ThreatStream connector, which facilitates automated interactions, with ThreatStream server using FortiSOAR™ playbooks. Add the Anomali ThreatStream connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting the reputation of an IP address, URL, File, Email, or Domain providing you the ability to investigate and contain a file-based incident in a fully automated manner.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 4.11.0-1161

Anomali ThreatStream API Version Tested on: v2

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

Following enhancements have been made to the Anomali ThreatStream Connector in version 1.1.0:

  • Added the following operations and playbooks:
    • Submit Observables
    • Get Submitted Observables Status by Import ID
  • Renamed the following playbooks:
    • Perform Whois lookup on given Domain renamed to Get Whois Domain Information
    • Perform Whois lookup on given IP renamed to Get Whois IP Information
    • Perform Advance ThreatStream Query renamed to Run Advance Search
    • Perform Filter Language Query renamed to Run Filter Language Query
  • Renamed the following operations:
    • Get Email Reputation renamed to Get Email ID Reputation
    • Run Advance Query renamed to Run Advanced Search

Installing the connector

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of ThreatStream server to which you will connect and perform the automated operations and the credentials to access that server.
  • You must have a registered username for the ThreatStream server and the API key for the ThreatStream API integration.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Anomali ThreatStream connector, and click Configure to configure the following parameters:

Parameter Description
Server URL IP address or the hostname URL of the ThreatStream server to which you will connect and perform the automated operations.
Registered User Name Registered username for ThreatStream.
User API Key API key configured for your account for using the ThreatStream API.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

 

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get Domain Reputation Retrieves the reputation of the specified domain based on the filter criteria that you have specified. domain_reputation
Investigation
Get IP Reputation Retrieves the reputation of the specified IP address based on the filter criteria that you have specified. ip_reputation
Investigation
Get URL Reputation Retrieves the reputation of the specified URL based on the filter criteria that you have specified. url_reputation
Investigation
Get Email ID Reputation Retrieves the reputation of the specified Email address based on the filter criteria that you have specified. email_reputation
Investigation
Get File Reputation Retrieves the reputation of the specified FileHash based on the filter criteria that you have specified. file_reputation
Investigation
Get Whois Domain Information Executes a WhoIs lookup on the specified domain name and retrieves a list of domains based on the domain name and filter criteria that you have specified. whois_domain
Investigation
Get Whois IP Information Executes a WhoIs lookup on the specified IP address and retrieves a list of IP addresses based on the IP and filter criteria that you have specified. whois_ip
Investigation
Run Filter Language Query Runs a search query using ThreatStream’s Filter Language Query grammar. search_query
Investigation
Run Advanced Search Runs an advanced search query using ThreatStream’s Query grammar. search_query
Investigation
Submit Observables Imports threat data (indicators) into ThreatStream and require the approval of the imported data through the ThreatStream UI. submit_sample
Investigation
Get Submitted Observables Status by Import ID Retrieves the status of a submitted observable from ThreatStream based on the import ID that was returned in the response of the Submit Observables operation. get_import_job_status
Investigation

operation: Get Domain Reputation

Input parameters

Parameter Description
Domain Name Name of the domain for which you want to retrieve reputation information.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, Domain Name in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Get IP Reputation

Input parameters

 

Parameter Description
IP Address IP address for which you want to retrieve reputation information.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, IP Address in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Get URL Reputation

Input parameters

Parameter Description
URL URL for which you want to retrieve reputation information.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, URL in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Get Email ID Reputation

Input parameters

Parameter Description
Email Address Email ID for which you want to retrieve reputation information.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, Email ID in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Get File Reputation

Input parameters

Parameter Description
File Hash FileHash for which you want to retrieve reputation information.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, FileHash in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Get Whois Domain Information

Input parameters

Parameter Description
Domain Name Name of the domain for which you want to retrieve information from Whois.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, Domain Name in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Get Whois IP Information

Input parameters

Parameter Description
IP Address IP address for which you want to retrieve information from Whois.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, IP Address in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Run Filter Language Query

Input parameters

Parameter Description
Query Valid query to be run on the ThreatStream server. The query must conform to ThreatStream’s Filter Language Query grammar.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Run Advanced Search

Input parameters

Parameter Description
Query Valid query to be run on the ThreatStream server. The query must conform to ThreatStream’s Query grammar.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Submit Observables

Input parameters

Parameter Description
File Name (Optional) Name of the file (including the file extension) from which you want to import observables into Threatstream. You can import observables from the following file types: CSV, HTML, IOC, JSON, PDF, or TXT.
File Reference (Optional) Type of file reference that you will be providing for the file from which you want to import observables into Threatstream.  
You can choose from the following options: Attachment IRI or File IRI.
Reference ID (Optional) Reference ID that is used to access the file directly from the FortiSOAR™ Attachments module. This should be the file from which you want to import observables into Threatstream.
In the playbook, this defaults to the `{{vars.attachment_id}}` if you have selected Attachment IRI as the file reference or the `{{vars.file_iri}}` value if you have selected File IRI as the file reference.
Observable data (Optional) Enter the observable data that you want to import into Threatstream.
Confidence Confidence value that you want to assign to the observables that you want to import into Threatstream. You can specify values between 0 to 100.
Source Confidence Weight (Optional) Specifies the ratio between the amount of the source confidence of each indicator and the ThreatStream confidence.
Severity Severity value that you want to assign to the observables that you want to import into Threatstream.
You can choose from the following options: Low, Medium, High, or Very High.
Classification Classification that you want to assign to the observables that you want to import into Threatstream.
You can choose from the following options: Private or Public.
Expiration Time Stamp Duration after which the observables will expire on Threatstream.
You can choose from the following options: 90 days, 60 days, 30 days, Never, or Custom.
By default, it set to 90 days from the current date.
Tags (Optional) Tags that you want to assign to the observables that you want to import into Threatstream.
IP Indicator Type Global setting that applies to any imported IP-type indicator, when you do not specify an explicit itype for the IP-type indicator.
Domain Indicator Type Global setting that applies to any imported domain-type indicator, when you do not specify an explicit itype for the domain-type indicator.
URL Indicator Type Global setting that applies to any imported URL-type indicator, when you do not specify an explicit itype for the URL-type indicator.
Email Indicator Type Global setting that applies to any imported email-type indicator, when you do not specify an explicit itype for the email-type indicator.
MD5 Indicator Type Global setting that applies to any imported MD5-type indicator, when you do not specify an explicit itype for the MD5-type indicator.
Trusted Circle IDs (Optional) IDs of the trusted circle.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "job_id": "",
     "import_session_id": ""
}

operation: Get Submitted Observables Status by Import ID

Input parameters

Parameter Description
Import Session ID ID of the import session for which you want to retrieve the submitted observable status from ThreatStream.
The import session ID is returned in the response of the Submit Observables operation.

Output

The output contains the following populated JSON schema:
{
     "trusted_circles": [],
     "approved_by_id": "",
     "name": "",
     "orginal_intelligence": "[]",
     "workgroups": [],
     "is_public": "",
     "jobID": null,
     "associations": {
         "actors": [],
         "incidents": [],
         "tip_reports": [],
         "ttps": [],
         "campaigns": []
     },
     "processed_ts": "",
     "resource_uri": "/",
     "confidence": "",
     "intelligence_source": "",
     "id": "",
     "sandbox_submit": "",
     "tags": [
         {
             "id": "",
             "org_id": "",
             "name": "",
             "tlp": ""
         }
     ],
     "visibleForReview": "",
     "date_modified": "",
     "date": "",
     "num_private": "",
     "source_confidence_weight": "",
     "numRejected": "",
     "user_id": "",
     "email": "",
     "default_comment": "",
     "fileName": "",
     "notes": "",
     "messages": "",
     "fileType": "",
     "numIndicators": "",
     "num_public": "",
     "organization": {
         "id": "",
         "name": "",
         "resource_uri": ""
     },
     "status": ""
}

Included playbooks

The Sample - Anomali ThreatStream - 1.1.0 playbook collection comes bundled with the Anomali ThreatStream connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Anomali ThreatStream connector.

  • Get Domain Reputation
  • Get Email ID Reputation
  • Get File Reputation
  • Get IP Reputation
  • Get Submitted Observables Status by Import ID
  • Get Whois Domain Information
  • Get Whois IP Information
  • Get URL Reputation
  • Run Advanced Search
  • Run Filter Language Query
  • Submit Observables

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

About the connector

Anomali ThreatStream offers the most comprehensive Threat Intelligence Platform, allowing organizations to access all intelligence feeds and integrate it seamlessly with internal security and IT systems.

This document provides information about the Anomali ThreatStream connector, which facilitates automated interactions, with ThreatStream server using FortiSOAR™ playbooks. Add the Anomali ThreatStream connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting the reputation of an IP address, URL, File, Email, or Domain providing you the ability to investigate and contain a file-based incident in a fully automated manner.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 4.11.0-1161

Anomali ThreatStream API Version Tested on: v2

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

Following enhancements have been made to the Anomali ThreatStream Connector in version 1.1.0:

Installing the connector

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Anomali ThreatStream connector, and click Configure to configure the following parameters:

Parameter Description
Server URL IP address or the hostname URL of the ThreatStream server to which you will connect and perform the automated operations.
Registered User Name Registered username for ThreatStream.
User API Key API key configured for your account for using the ThreatStream API.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

 

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get Domain Reputation Retrieves the reputation of the specified domain based on the filter criteria that you have specified. domain_reputation
Investigation
Get IP Reputation Retrieves the reputation of the specified IP address based on the filter criteria that you have specified. ip_reputation
Investigation
Get URL Reputation Retrieves the reputation of the specified URL based on the filter criteria that you have specified. url_reputation
Investigation
Get Email ID Reputation Retrieves the reputation of the specified Email address based on the filter criteria that you have specified. email_reputation
Investigation
Get File Reputation Retrieves the reputation of the specified FileHash based on the filter criteria that you have specified. file_reputation
Investigation
Get Whois Domain Information Executes a WhoIs lookup on the specified domain name and retrieves a list of domains based on the domain name and filter criteria that you have specified. whois_domain
Investigation
Get Whois IP Information Executes a WhoIs lookup on the specified IP address and retrieves a list of IP addresses based on the IP and filter criteria that you have specified. whois_ip
Investigation
Run Filter Language Query Runs a search query using ThreatStream’s Filter Language Query grammar. search_query
Investigation
Run Advanced Search Runs an advanced search query using ThreatStream’s Query grammar. search_query
Investigation
Submit Observables Imports threat data (indicators) into ThreatStream and require the approval of the imported data through the ThreatStream UI. submit_sample
Investigation
Get Submitted Observables Status by Import ID Retrieves the status of a submitted observable from ThreatStream based on the import ID that was returned in the response of the Submit Observables operation. get_import_job_status
Investigation

operation: Get Domain Reputation

Input parameters

Parameter Description
Domain Name Name of the domain for which you want to retrieve reputation information.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, Domain Name in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Get IP Reputation

Input parameters

 

Parameter Description
IP Address IP address for which you want to retrieve reputation information.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, IP Address in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Get URL Reputation

Input parameters

Parameter Description
URL URL for which you want to retrieve reputation information.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, URL in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Get Email ID Reputation

Input parameters

Parameter Description
Email Address Email ID for which you want to retrieve reputation information.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, Email ID in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Get File Reputation

Input parameters

Parameter Description
File Hash FileHash for which you want to retrieve reputation information.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, FileHash in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Get Whois Domain Information

Input parameters

Parameter Description
Domain Name Name of the domain for which you want to retrieve information from Whois.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, Domain Name in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Get Whois IP Information

Input parameters

Parameter Description
IP Address IP address for which you want to retrieve information from Whois.
Filter Options Filter options supported by ThreatStream.
Filter options supported by ThreatStream are exact, startswith, contains, regex, and regexp.
Validate Input Select this checkbox, if you want to validate the input you have provided, IP Address in this case.
Note: This option is effective only if you set the Filter Options to exact.
By default, this option is set as False.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Run Filter Language Query

Input parameters

Parameter Description
Query Valid query to be run on the ThreatStream server. The query must conform to ThreatStream’s Filter Language Query grammar.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Run Advanced Search

Input parameters

Parameter Description
Query Valid query to be run on the ThreatStream server. The query must conform to ThreatStream’s Query grammar.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "total_count": "",
     "result": [
         {
             "resource_uri": "",
             "is_public": "",
             "modified_ts": "",
             "feed_id": "",
             "itype": "",
             "owner_organization_id": "",
             "meta": {
                 "severity": "",
                 "maltype": "",
                 "media": "",
                 "detail2": "",
                 "media_type": "",
                 "detail": ""
             },
             "threat_type": "",
             "retina_confidence": "",
             "description": "",
             "confidence": "",
             "source": "",
             "id": "",
             "ip": "",
             "threatscore": "",
             "tags": "",
             "country": "",
             "org": "",
             "longitude": "",
             "type": "",
             "update_id": "",
             "expiration_ts": "",
             "import_session_id": "",
             "source_reported_confidence": "",
             "trusted_circle_ids": "",
             "latitude": "",
             "created_ts": "",
             "asn": "",
             "status": "",
             "value": "",
             "rdns": ""
         }
     ]
}

operation: Submit Observables

Input parameters

Parameter Description
File Name (Optional) Name of the file (including the file extension) from which you want to import observables into Threatstream. You can import observables from the following file types: CSV, HTML, IOC, JSON, PDF, or TXT.
File Reference (Optional) Type of file reference that you will be providing for the file from which you want to import observables into Threatstream.  
You can choose from the following options: Attachment IRI or File IRI.
Reference ID (Optional) Reference ID that is used to access the file directly from the FortiSOAR™ Attachments module. This should be the file from which you want to import observables into Threatstream.
In the playbook, this defaults to the `{{vars.attachment_id}}` if you have selected Attachment IRI as the file reference or the `{{vars.file_iri}}` value if you have selected File IRI as the file reference.
Observable data (Optional) Enter the observable data that you want to import into Threatstream.
Confidence Confidence value that you want to assign to the observables that you want to import into Threatstream. You can specify values between 0 to 100.
Source Confidence Weight (Optional) Specifies the ratio between the amount of the source confidence of each indicator and the ThreatStream confidence.
Severity Severity value that you want to assign to the observables that you want to import into Threatstream.
You can choose from the following options: Low, Medium, High, or Very High.
Classification Classification that you want to assign to the observables that you want to import into Threatstream.
You can choose from the following options: Private or Public.
Expiration Time Stamp Duration after which the observables will expire on Threatstream.
You can choose from the following options: 90 days, 60 days, 30 days, Never, or Custom.
By default, it set to 90 days from the current date.
Tags (Optional) Tags that you want to assign to the observables that you want to import into Threatstream.
IP Indicator Type Global setting that applies to any imported IP-type indicator, when you do not specify an explicit itype for the IP-type indicator.
Domain Indicator Type Global setting that applies to any imported domain-type indicator, when you do not specify an explicit itype for the domain-type indicator.
URL Indicator Type Global setting that applies to any imported URL-type indicator, when you do not specify an explicit itype for the URL-type indicator.
Email Indicator Type Global setting that applies to any imported email-type indicator, when you do not specify an explicit itype for the email-type indicator.
MD5 Indicator Type Global setting that applies to any imported MD5-type indicator, when you do not specify an explicit itype for the MD5-type indicator.
Trusted Circle IDs (Optional) IDs of the trusted circle.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "job_id": "",
     "import_session_id": ""
}

operation: Get Submitted Observables Status by Import ID

Input parameters

Parameter Description
Import Session ID ID of the import session for which you want to retrieve the submitted observable status from ThreatStream.
The import session ID is returned in the response of the Submit Observables operation.

Output

The output contains the following populated JSON schema:
{
     "trusted_circles": [],
     "approved_by_id": "",
     "name": "",
     "orginal_intelligence": "[]",
     "workgroups": [],
     "is_public": "",
     "jobID": null,
     "associations": {
         "actors": [],
         "incidents": [],
         "tip_reports": [],
         "ttps": [],
         "campaigns": []
     },
     "processed_ts": "",
     "resource_uri": "/",
     "confidence": "",
     "intelligence_source": "",
     "id": "",
     "sandbox_submit": "",
     "tags": [
         {
             "id": "",
             "org_id": "",
             "name": "",
             "tlp": ""
         }
     ],
     "visibleForReview": "",
     "date_modified": "",
     "date": "",
     "num_private": "",
     "source_confidence_weight": "",
     "numRejected": "",
     "user_id": "",
     "email": "",
     "default_comment": "",
     "fileName": "",
     "notes": "",
     "messages": "",
     "fileType": "",
     "numIndicators": "",
     "num_public": "",
     "organization": {
         "id": "",
         "name": "",
         "resource_uri": ""
     },
     "status": ""
}

Included playbooks

The Sample - Anomali ThreatStream - 1.1.0 playbook collection comes bundled with the Anomali ThreatStream connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Anomali ThreatStream connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.