Anomali ThreatStream offers the most comprehensive Threat Intelligence Platform, allowing organizations to access all intelligence feeds and integrate it seamlessly with internal security and IT systems.
This document provides information about the Anomali ThreatStream connector, which facilitates automated interactions with the ThreatStream server using FortiSOAR™ playbooks. Add the Anomali ThreatStream connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting the reputation of an IP address, URL, file, email address, or domain, giving you the ability to investigate and contain a file-based incident in a fully automated manner.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 5.0.0-866
Anomali ThreatStream API Version Tested on: v2
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Anomali ThreatStream connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-threatstream
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Anomali ThreatStream connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | IP address or the hostname URL of the ThreatStream server to which you will connect and perform the automated operations. |
Username | Registered username for ThreatStream. |
API Key | API key configured for your account for using the ThreatStream API. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Domain Reputation | Retrieves the reputation of the specified domain based on the filter criteria such as the domain name and other input parameters that you have specified. | domain_reputation Investigation |
Get IP Reputation | Retrieves the reputation of the specified IP address based on the filter criteria such as the IP address and other input parameters that you have specified. | ip_reputation Investigation |
Get URL Reputation | Retrieves the reputation of the specified URL based on the filter criteria such as the URL and other input parameters that you have specified. | url_reputation Investigation |
Get Email ID Reputation | Retrieves the reputation of the specified Email address based on the filter criteria such as the email address and other input parameters that you have specified. | email_reputation Investigation |
Get File Reputation | Retrieves the reputation of the specified FileHash based on the filter criteria such as the filehash and other input parameters that you have specified. | file_reputation Investigation |
Get Whois Domain Information | Executes a WhoIs lookup on the specified domain name and retrieves a list of domains based on the domain name that you have specified. | whois_domain Investigation |
Get Whois IP Information | Executes a WhoIs lookup on the specified IP address and retrieves a list of IP addresses based on the IP address that you have specified. | whois_ip Investigation |
Run Filter Language Query | Runs a search query using ThreatStream’s Filter Language Query grammar. | search_query Investigation |
Run Advanced Search | Runs an advanced search query using ThreatStream’s Query grammar. | search_query Investigation |
Submit Observables | Imports threat data (indicators) into ThreatStream and requires the approval of the imported data through the ThreatStream UI. | submit_sample Investigation |
Get Submitted Observables Status by Import ID | Retrieves the status of a submitted observable from ThreatStream based on the import ID that was returned in the response of the Submit Observables operation. | get_import_job_status Investigation |
Get Import Job Details | Retrieves the details of import jobs from ThreatStream based on search query that you have specified. | get_import_job Investigation |
Create Incident | Creates an incident in ThreatStream based on the name, tags, and other input parameters that you have specified. | create_incidents Investigation |
Get Incidents List | Retrieves a list of all incidents or specific incidents based on the filter criteria such as the intelligence value to filter and other input parameters that you have specified. | get_incident_list Investigation |
Get Incident | Collects and retrieves generated incidents from ThreatStream based on the incident ID that you have specified. | get_incidents Investigation |
Update Incident | Updates an incident in ThreatStream based on the incident ID and other input parameters that you have specified. | update_incidents Investigation |
Delete Incident | Deletes an incident from ThreatStream based on the incident ID that you have specified. | delet_incidents Investigation |
Input parameters for the Get Domain Reputation operation:
Parameter | Description |
---|---|
Domain Name | Name of the domain for which you want to retrieve reputation information. |
Filter Options | Filter option to apply. ThreatStream supports Exact, Startswith, Contains, Regex, and Regexp. If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the Domain Name in this case). By default, Validate Input is set to False. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
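How the Fetch All Records option and the output schema above fit together, as an added example that is not part of the connector's code: the block pages through reputation results by following `meta.next` and then reduces the matched records to the active, unexpired, sufficiently confident ones an analyst would act on. The sample pages, the `fetch_page` stand-in, the `/api/v2/intelligence/` paths and the `*_ts` timestamp format are constructed assumptions.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed sample pages shaped like the reputation output schema above
# (an "objects" list plus "meta" with total_count/limit/next/offset/previous).
# Only the fields the triage reads are filled in; every value is made up.
SAMPLE_PAGES: Dict[int, dict] = {
    0: {
        "objects": [
            {"value": "evil.example", "itype": "mal_domain", "status": "active",
             "confidence": 85, "threatscore": 70, "tlp": "amber",
             "expiration_ts": "2099-01-01T00:00:00.000Z", "source": "feed_a"},
            {"value": "evil.example", "itype": "c2_domain", "status": "inactive",
             "confidence": 90, "threatscore": 80, "tlp": "red",
             "expiration_ts": "2099-01-01T00:00:00.000Z", "source": "feed_b"},
        ],
        "meta": {"total_count": 4, "limit": 2, "offset": 0, "previous": None,
                 "next": "/api/v2/intelligence/?limit=2&offset=2"},
    },
    2: {
        "objects": [
            {"value": "evil.example", "itype": "phish_domain", "status": "active",
             "confidence": 60, "threatscore": 40, "tlp": "green",
             "expiration_ts": "2099-01-01T00:00:00.000Z", "source": "feed_c"},
            {"value": "evil.example", "itype": "apt_domain", "status": "active",
             "confidence": 95, "threatscore": 90, "tlp": "amber",
             "expiration_ts": "2020-01-01T00:00:00.000Z", "source": "feed_d"},
        ],
        "meta": {"total_count": 4, "limit": 2, "offset": 2, "next": None,
                 "previous": "/api/v2/intelligence/?limit=2&offset=0"},
    },
}


def fetch_page(offset: int, limit: int) -> dict:
    """Stand-in for the API call the connector makes; serves the constructed
    page stored under `offset` (only offsets 0 and 2 exist here)."""
    return SAMPLE_PAGES[offset]


def parse_ts(ts: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SS(.fff)Z' timestamp as UTC. The format is an
    assumption based on the *_ts field names in the schema."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def fetch_all_records(fetch: Callable[[int, int], dict], limit: int = 2,
                      max_pages: int = 1000) -> List[dict]:
    """'Fetch All Records' behaviour: follow meta.next until it is empty.
    max_pages and the advance check stop a server that always returns a next
    link (or never moves the offset) from turning this into an endless loop."""
    objects: List[dict] = []
    offset = 0
    for _ in range(max_pages):
        page = fetch(offset, limit)
        objects.extend(page.get("objects", []))
        meta = page.get("meta", {})
        if not meta.get("next"):
            return objects
        next_offset = int(meta.get("offset", offset)) + int(meta.get("limit", limit))
        if next_offset <= offset:
            return objects
        offset = next_offset
    raise RuntimeError("pagination did not terminate within max_pages")


def triage(objects: List[dict], now: datetime, min_confidence: int = 50) -> dict:
    """Reduce matched indicator records to the actionable ones: status active,
    not yet expired, and at or above the confidence threshold."""
    live = []
    for o in objects:
        if o.get("status") != "active":
            continue
        exp = o.get("expiration_ts")
        if exp and parse_ts(exp) <= now:
            continue
        if int(o.get("confidence") or 0) < min_confidence:
            continue
        live.append(o)
    return {
        "matched": len(objects),
        "actionable": len(live),
        "max_confidence": max((int(o["confidence"]) for o in live), default=0),
        "max_threatscore": max((int(o["threatscore"]) for o in live), default=0),
        "itypes": sorted({o["itype"] for o in live}),
        "sources": sorted({o["source"] for o in live}),
    }


def summarize_domain_reputation(now_iso: str = "2024-01-01T00:00:00.000Z") -> dict:
    """End to end: page through every record for the domain, then triage."""
    records = fetch_all_records(fetch_page, limit=2)
    return triage(records, parse_ts(now_iso))


if __name__ == "__main__":
    print(summarize_domain_reputation())
```

Of the four constructed records, one is inactive and one has already expired, so only two remain actionable even though the expired one carries the highest confidence.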
Input parameters for the Get IP Reputation operation:
Parameter | Description |
---|---|
IP Address | IP address for which you want to retrieve reputation information. |
Filter Options | Filter option to apply. ThreatStream supports Exact, Startswith, Contains, Regex, and Regexp. If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the IP Address in this case). By default, Validate Input is set to False. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
Input parameters for the Get URL Reputation operation:
Parameter | Description |
---|---|
URL | URL for which you want to retrieve reputation information. |
Filter Options | Filter option to apply. ThreatStream supports Exact, Startswith, Contains, Regex, and Regexp. If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the URL in this case). By default, Validate Input is set to False. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
Input parameters for the Get Email ID Reputation operation:
Parameter | Description |
---|---|
Email Address | Email address for which you want to retrieve reputation information. |
Filter Options | Filter option to apply. ThreatStream supports Exact, Startswith, Contains, Regex, and Regexp. If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the Email Address in this case). By default, Validate Input is set to False. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
Input parameters for the Get File Reputation operation:
Parameter | Description |
---|---|
File Hash | File hash for which you want to retrieve reputation information. |
Filter Options | Filter option to apply. ThreatStream supports Exact, Startswith, Contains, Regex, and Regexp. If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the File Hash in this case). By default, Validate Input is set to False. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
Input parameters for the Get Whois Domain Information operation:
Parameter | Description |
---|---|
Domain Name | Name of the domain for which you want to retrieve information from Whois. |
The output contains the following populated JSON schema:
{
"updated_date": [],
"status": [],
"contacts": {
"admin": "",
"billing": "",
"registrant": "",
"tech": ""
},
"creation_date": [],
"expiration_date": [],
"raw": [],
"registrar": [],
"nameservers": [],
"emails": []
}
Input parameters for the Get Whois IP Information operation:
Parameter | Description |
---|---|
IP Address | IP address for which you want to retrieve information from Whois. |
The output contains the following populated JSON schema:
{
"updated_date": [],
"status": [],
"contacts": {
"admin": "",
"billing": "",
"registrant": "",
"tech": ""
},
"creation_date": [],
"expiration_date": [],
"raw": [],
"registrar": [],
"nameservers": [],
"emails": []
}
Input parameters for the Run Filter Language Query operation:
Parameter | Description |
---|---|
Query | Valid query to be run on the ThreatStream server. The query must conform to ThreatStream’s Filter Language Query grammar. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
Input parameters for the Run Advanced Search operation:
Parameter | Description |
---|---|
Query | Valid query to be run on the ThreatStream server. The query must conform to ThreatStream’s Query grammar. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
Input parameters for the Submit Observables operation:
Parameter | Description |
---|---|
CyOPs Attachment IRI | (Optional) Attachment IRI that is used to access the file directly from the FortiSOAR™ Attachments module. This should be the file from which you want to import observables into Threatstream. You can import observables from the following file types: CSV, HTML, IOC, JSON, PDF, or TXT. |
Observable data | (Optional) Enter the observable data that you want to import into Threatstream. |
Confidence | Confidence value that you want to assign to the observables that you want to import into Threatstream. You can specify a value between 0 and 100. |
Source Confidence Weight | (Optional) Specifies the ratio between the amount of the source confidence of each indicator and the ThreatStream confidence. |
Severity | Severity value that you want to assign to the observables that you want to import into Threatstream. You can choose from the following options: Low, Medium, High, or Very High. |
Classification | Classification that you want to assign to the observables that you want to import into Threatstream. You can choose from the following options: Private or Public. |
Expiration Time Stamp | Duration after which the observables will expire on Threatstream. You can choose from the following options: 90 days, 60 days, 30 days, Never, or Custom. By default, it is set to 90 days from the current date. |
Tags | (Optional) Tags that you want to assign to the observables that you want to import into Threatstream. |
IP Indicator Type | Global setting that applies to any imported IP-type indicator, when you do not specify an explicit itype for the IP-type indicator. |
Domain Indicator Type | Global setting that applies to any imported domain-type indicator, when you do not specify an explicit itype for the domain-type indicator. |
URL Indicator Type | Global setting that applies to any imported URL-type indicator, when you do not specify an explicit itype for the URL-type indicator. |
Email Indicator Type | Global setting that applies to any imported email-type indicator, when you do not specify an explicit itype for the email-type indicator. |
MD5 Indicator Type | Global setting that applies to any imported MD5-type indicator, when you do not specify an explicit itype for the MD5-type indicator. |
Trusted Circle IDs | (Optional) IDs of the trusted circle. |
The output contains the following populated JSON schema:
{
"job_id": "",
"import_session_id": "",
"success": ""
}
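An added example, not the connector's own code, of the input handling the Submit Observables parameters imply: it validates Confidence, Severity, Classification and Expiration Time Stamp, splits free-text Observable data into typed indicators, and applies the per-family Indicator Type default wherever no explicit itype was given, so nothing reaches the import with an unknown type. The lower-cased option spellings, the sample observables, the itype names and the intermediate dict layout are assumptions; it does not build the real API payload.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Dropdown values lower-cased; the documented labels are Low/Medium/High/
# Very High and Private/Public. These spellings are an assumption.
SEVERITIES = ("low", "medium", "high", "very-high")
CLASSIFICATIONS = ("private", "public")
EXPIRATION_DAYS: Dict[str, Optional[int]] = {
    "90 days": 90, "60 days": 60, "30 days": 30, "never": None}

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify(observable: str) -> Optional[str]:
    """Map one observable to the indicator family the connector's
    'Indicator Type' defaults are keyed on: ip, domain, url, email or md5.
    Returns None for anything that is not a recognisable indicator."""
    v = observable.strip()
    if MD5_RE.match(v):
        return "md5"
    if EMAIL_RE.match(v):
        return "email"
    if v.lower().startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.ip_address(v)   # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def build_import_request(observable_data: str, confidence: int, severity: str,
                         classification: str, expiration: str,
                         default_itypes: Dict[str, str], tags: List[str] = (),
                         custom_expiration_ts: Optional[str] = None,
                         now_iso: str = "2024-01-01T00:00:00") -> dict:
    """Validate the Submit Observables inputs and turn free-text observable
    data into typed indicators with the per-family default itype applied.
    The returned dict is a constructed intermediate form, not the API payload."""
    if not 0 <= int(confidence) <= 100:
        raise ValueError("confidence must be between 0 and 100")
    sev = severity.lower().replace(" ", "-")
    if sev not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    cls = classification.lower()
    if cls not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification {classification!r}")
    if expiration == "custom":
        if not custom_expiration_ts:
            raise ValueError("custom expiration requires custom_expiration_ts")
        expiration_ts = custom_expiration_ts
    elif expiration in EXPIRATION_DAYS:
        now = datetime.strptime(now_iso[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        days = EXPIRATION_DAYS[expiration]
        expiration_ts = None if days is None else (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%S")
    else:
        raise ValueError(f"unknown expiration {expiration!r}")

    indicators, rejected = [], []
    # Observable data may be comma- or whitespace-separated, one or many per line.
    for token in observable_data.replace(",", " ").split():
        family = classify(token)
        if family is None:
            rejected.append(token)
            continue
        indicators.append({"value": token, "family": family,
                           "itype": default_itypes.get(family)})
    return {
        "confidence": int(confidence), "severity": sev, "classification": cls,
        "expiration_ts": expiration_ts, "tags": list(tags),
        "indicators": indicators, "rejected": rejected,
    }


# Constructed sample input: mixed separators, five valid observables, one junk token.
SAMPLE_OBSERVABLES = """198.51.100.7, evil.example
https://evil.example/login
phish@evil.example d41d8cd98f00b204e9800998ecf8427e not-an-indicator
"""

# Per-family defaults standing in for the connector's *Indicator Type settings.
DEFAULT_ITYPES = {"ip": "mal_ip", "domain": "mal_domain", "url": "mal_url",
                  "email": "mal_email", "md5": "mal_md5"}


def example() -> dict:
    return build_import_request(SAMPLE_OBSERVABLES, confidence=75, severity="Very High",
                                classification="Private", expiration="90 days",
                                default_itypes=DEFAULT_ITYPES, tags=["phishing"])


if __name__ == "__main__":
    import json
    print(json.dumps(example(), indent=2))
```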
Input parameters for the Get Submitted Observables Status by Import ID operation:
Parameter | Description |
---|---|
Import Session ID | ID of the import session for which you want to retrieve the submitted observable status from ThreatStream. The import session ID is returned in the response of the Submit Observables operation. |
The output contains the following populated JSON schema:
{
"num_private": "",
"workgroups": [],
"tags": [],
"id": "",
"notes": "",
"visibleForReview": "",
"date": "",
"jobID": "",
"organization": {
"name": "",
"id": "",
"resource_uri": ""
},
"default_comment": "",
"numIndicators": "",
"messages": "",
"approved_by": {
"must_change_password": "",
"avatar_s3_url": "",
"can_share_intelligence": "",
"id": "",
"nickname": "",
"name": "",
"email": "",
"is_active": "",
"resource_uri": "",
"organization": {
"name": "",
"id": "",
"resource_uri": ""
}
},
"trusted_circles": [],
"date_modified": "",
"numRejected": "",
"approved_by_id": "",
"resource_uri": "",
"intelligence_source": "",
"source_confidence_weight": "",
"num_public": "",
"status": "",
"fileName": "",
"is_public": "",
"sandbox_submit": "",
"orginal_intelligence": "",
"tlp": "",
"processed_ts": "",
"user_id": "",
"fileType": "",
"associations": {
"actors": [],
"ttps": [],
"incidents": [],
"tip_reports": [],
"campaigns": []
},
"is_anonymous": "",
"name": "",
"email": "",
"confidence": ""
}
Input parameters for the Get Import Job Details operation:
Parameter | Description |
---|---|
Search Query | Valid query to be run on the ThreatStream server, based on which you want to retrieve details of import jobs. |
Number of Records to Return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"meta": {
"offset": "",
"limit": "",
"total_count": "",
"next": "",
"previous": ""
},
"objects": [
{
"num_private": "",
"workgroups": [],
"tags": [
{
"name": "",
"id": "",
"tlp": "",
"org_id": ""
}
],
"id": "",
"notes": "",
"date": "",
"jobID": "",
"is_anonymous": "",
"organization": {
"name": "",
"resource_uri": "",
"id": ""
},
"is_public": "",
"sandbox_submit": "",
"approved_by": {
"must_change_password": "",
"avatar_s3_url": "",
"email": "",
"can_share_intelligence": "",
"nickname": "",
"name": "",
"id": "",
"is_active": "",
"resource_uri": "",
"organization": {
"name": "",
"resource_uri": "",
"id": ""
}
},
"trusted_circles": [],
"date_modified": "",
"numRejected": "",
"approved_by_id": "",
"messages": "",
"source_confidence_weight": "",
"num_public": "",
"status": "",
"fileName": "",
"resource_uri": "",
"numIndicators": "",
"orginal_intelligence": "",
"tlp": "",
"processed_ts": "",
"user_id": "",
"fileType": "",
"intelligence_source": "",
"default_comment": "",
"visibleForReview": "",
"name": "",
"email": "",
"confidence": ""
}
]
}
Input parameters for the Create Incident operation:
Parameter | Description |
---|---|
Name | Name of the incident that you want to create in ThreatStream. The incident name is associated with your organization. Therefore, the name that you specify must be unique within your organization. |
Is Incident Public or Private | Select whether the incident that you want to create in ThreatStream is Public or Private (including belonging to a trusted circle). Select this option, i.e., set it to True, if you want to create the incident as a Public incident. This is the default value. Clear this option, i.e., set it to False, if you want to create the incident as a Private incident or an incident that belongs to a Trusted Circle. |
Tags | (Optional) Tags assigned to the incident that you want to create in ThreatStream. A tag is a meaningful name or any other string value assigned to identify the information. For example, spear phishing, exploitation. |
Intelligence | (Optional) Indicators that are associated with the incident on the ThreatStream platform. You can add multiple intelligence IDs using the comma separator. |
TLP | (Optional) Traffic Light Protocol (TLP) designation for the incident that you want to create in ThreatStream. You can choose from the following options: Red, Amber, Green, or White. |
Fields to Include with The Incident | (Optional) Specify other fields that you want to include with the incident that you want to create in ThreatStream. |
The output contains the following populated JSON schema:
{
"logo_s3_url": "",
"is_public": "",
"tlp": "",
"modified_ts": "",
"watched_total_count": "",
"id": "",
"sandbox_reports": [],
"starred_by_me": "",
"external_references": [],
"votes": {
"total": "",
"me": ""
},
"organization": {
"name": "",
"id": "",
"resource_uri": ""
},
"parent": "",
"assignee_user": "",
"published_ts": "",
"organization_id": "",
"body_content_type": "",
"status": {
"display_name": "",
"id": "",
"resource_uri": ""
},
"name": "",
"end_date": "",
"status_desc": "",
"publication_status": "",
"intended_effects": [],
"start_date": "",
"resource_uri": "",
"created_ts": "",
"starred_total_count": "",
"circles": [],
"watched_by_me": "",
"description": "",
"activity_dates": [],
"is_cloneable": "",
"owner_user": {
"name": "",
"id": "",
"email": "",
"resource_uri": ""
},
"victims": [],
"is_anonymous": "",
"workgroups": [],
"feed_id": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Input parameters for the Get Incidents List operation:
Parameter | Description |
---|---|
Limit | Maximum number of results, per page, that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
Intelligence value to filter | Intelligence value based on which you want to filter incidents to be retrieved from ThreatStream. For example, google.com returns all incidents that are associated with google.com. |
The output contains the following populated JSON schema:
{
"meta": {
"offset": "",
"limit": "",
"total_count": "",
"next": "",
"previous": ""
},
"objects": [
{
"modified_ts": "",
"is_cloneable": "",
"tags": [],
"id": "",
"starred_by_me": "",
"workgroups": [],
"tags_v2": [
{
"name": "",
"id": ""
}
],
"is_public": "",
"published_ts": "",
"organization_id": "",
"votes": {
"total": "",
"me": ""
},
"watched_total_count": "",
"status": {
"display_name": "",
"resource_uri": "",
"id": ""
},
"end_date": "",
"publication_status": "",
"created_ts": "",
"start_date": "",
"resource_uri": "",
"tlp": "",
"starred_total_count": "",
"circles": [
{
"name": "",
"resource_uri": "",
"id": ""
}
],
"watched_by_me": "",
"is_anonymous": "",
"name": "",
"feed_id": ""
}
]
}
Input parameters for the Get Incident operation:
Parameter | Description |
---|---|
Incident ID | ID of the generated incident whose details you want to retrieve from ThreatStream. |
The output contains the following populated JSON schema:
{
"intelligence": [],
"watched_total_count": "",
"created_ts": "",
"sandbox_reports": [],
"external_references": [
{
"r_type": "",
"s3_url": "",
"filename": "",
"id": "",
"url": "",
"resource_uri": "",
"title": ""
}
],
"tags_v2": [
{
"name": "",
"id": ""
}
],
"organization": {
"name": "",
"id": "",
"resource_uri": ""
},
"parent": "",
"published_ts": "",
"description": "",
"starred_total_count": "",
"end_date": "",
"is_cloneable": "",
"status": {
"display_name": "",
"resource_uri": "",
"id": ""
},
"intended_effects": [],
"start_date": "",
"status_desc": "",
"tlp": "",
"circles": [
{
"name": "",
"resource_uri": "",
"id": ""
}
],
"watched_by_me": "",
"activity_dates": [],
"is_anonymous": "",
"feed_id": "",
"starred_by_me": "",
"tipreports": [],
"logo_s3_url": "",
"victims": [],
"modified_ts": "",
"tags": [
""
],
"id": "",
"ttps": [],
"workgroups": [],
"is_public": "",
"actors": [],
"organization_id": "",
"votes": {
"total": "",
"me": ""
},
"campaigns": [],
"resource_uri": "",
"publication_status": "",
"body_content_type": "",
"signatures": [],
"owner_user": {
"name": "",
"email": "",
"resource_uri": "",
"id": ""
},
"name": "",
"incidents": []
}
Input parameters for the Update Incident operation:
Parameter | Description |
---|---|
Incident ID | ID of the incident that you want to update on ThreatStream. |
Incident Name | Name of the incident that you want to update on ThreatStream. |
Status | (Optional) Select the status of the incident that you want to update on ThreatStream. You can choose from the following options: New, Open, Stalled, Containment Achieved, Restoration Achieved, Incident Reported, Closed, Rejected, or Deleted. Note: This parameter will make an API call named "get_status" to dynamically populate its dropdown selections. |
Status Description | (Optional) Description associated with the status of the incident that you want to update on ThreatStream. |
Intelligence | (Optional) Indicators associated with the Incident on the ThreatStream platform. Multiple intelligence IDs are comma separated. |
Fields to Update on Incident | (Optional) Specify other fields that you want to include with the incident that you want to update in ThreatStream. |
The output contains the following populated JSON schema:
{
"logo_s3_url": "",
"is_public": "",
"tlp": "",
"modified_ts": "",
"watched_total_count": "",
"id": "",
"sandbox_reports": [],
"starred_by_me": "",
"external_references": [],
"votes": {
"total": "",
"me": ""
},
"organization": {
"name": "",
"id": "",
"resource_uri": ""
},
"parent": "",
"assignee_user": "",
"published_ts": "",
"organization_id": "",
"body_content_type": "",
"status": {
"display_name": "",
"id": "",
"resource_uri": ""
},
"name": "",
"end_date": "",
"status_desc": "",
"publication_status": "",
"intended_effects": [],
"start_date": "",
"resource_uri": "",
"created_ts": "",
"starred_total_count": "",
"circles": [],
"watched_by_me": "",
"description": "",
"activity_dates": [],
"is_cloneable": "",
"owner_user": {
"name": "",
"id": "",
"email": "",
"resource_uri": ""
},
"victims": [],
"is_anonymous": "",
"workgroups": [],
"feed_id": ""
}
Input parameters for the Delete Incident operation:
Parameter | Description |
---|---|
Incident ID | ID of the incident that you want to delete from ThreatStream. |
The output contains the following populated JSON schema:
{
"result": ""
}
The Sample - Anomali ThreatStream - 2.0.0 playbook collection comes bundled with the Anomali ThreatStream connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Anomali ThreatStream connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Anomali ThreatStream offers the most comprehensive Threat Intelligence Platform, allowing organizations to access all intelligence feeds and integrate it seamlessly with internal security and IT systems.
This document provides information about the Anomali ThreatStream connector, which facilitates automated interactions, with ThreatStream server using FortiSOAR™ playbooks. Add the Anomali ThreatStream connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting the reputation of an IP address, URL, File, Email, or Domain providing you the ability to investigate and contain a file-based incident in a fully automated manner.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 5.0.0-866
Anomali ThreatStream API Version Tested on: v2
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Anomali ThreatStream
Connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-threatstream
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Anomali ThreatStream connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | IP address or the hostname URL of the ThreatStream server to which you will connect and perform the automated operations. |
Username | Registered username for ThreatStream. |
API Key | API key configured for your account for using the ThreatStream API. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Domain Reputation | Retrieves the reputation of the specified domain based on the filter criteria such as the domain name and other input parameters that you have specified. | domain_reputation Investigation |
Get IP Reputation | Retrieves the reputation of the specified IP address based on the filter criteria such as the IP address and other input parameters that you have specified. | ip_reputation Investigation |
Get URL Reputation | Retrieves the reputation of the specified URL based on the filter criteria such as the URL and other input parameters that you have specified. | url_reputation Investigation |
Get Email ID Reputation | Retrieves the reputation of the specified Email address based on the filter criteria such as the email address and other input parameters that you have specified. | email_reputation Investigation |
Get File Reputation | Retrieves the reputation of the specified FileHash based on the filter criteria such as the filehash and other input parameters that you have specified. | file_reputation Investigation |
Get Whois Domain Information | Executes a WhoIs lookup on the specified domain name and retrieves its registration record (registrar, name servers, contacts, and creation, update, and expiration dates). | whois_domain Investigation |
Get Whois IP Information | Executes a WhoIs lookup on the specified IP address and retrieves its registration record. | whois_ip Investigation |
Run Filter Language Query | Runs a search query using ThreatStream’s Filter Language Query grammar. | search_query Investigation |
Run Advanced Search | Runs an advanced search query using ThreatStream’s Query grammar. | search_query Investigation |
Submit Observables | Imports threat data (indicators) into ThreatStream. The imported data must then be approved in the ThreatStream UI; use Get Submitted Observables Status by Import ID to check whether that has happened. | submit_sample Investigation |
Get Submitted Observables Status by Import ID | Retrieves the status of a submitted observable from ThreatStream based on the import ID that was returned in the response of the Submit Observables operation. | get_import_job_status Investigation |
Get Import Job Details | Retrieves the details of import jobs from ThreatStream based on search query that you have specified. | get_import_job Investigation |
Create Incident | Creates an incident in ThreatStream based on the name, tags, and other input parameters that you have specified. | create_incidents Investigation |
Get Incidents List | Retrieves a list of all incidents or specific incidents based on the filter criteria such as the intelligence value to filter and other input parameters that you have specified. | get_incident_list Investigation |
Get Incident | Collects and retrieves generated incidents from ThreatStream based on the incident ID that you have specified. | get_incidents Investigation |
Update Incident | Updates an incident in ThreatStream based on the incident ID and other input parameters that you have specified. | update_incidents Investigation |
Delete Incident | Deletes an incident from ThreatStream based on the incident ID that you have specified. | delet_incidents Investigation |
Input parameters for the Get Domain Reputation operation:
Parameter | Description |
---|---|
Domain Name | Domain name for which you want to retrieve reputation information. |
Filter Options | How the domain name is matched against indicator values in ThreatStream: Exact, Startswith, Contains, Regex, or Regexp. If you select Exact, you can also select the Validate Input checkbox to have the domain name you entered checked for validity before the lookup; Validate Input is cleared (False) by default. Startswith, Contains, Regex, and Regexp return every indicator whose value matches the pattern, not only the domain you entered, so prefer Exact when the result drives an automated containment decision. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
Input parameters for the Get IP Reputation operation:
Parameter | Description |
---|---|
IP Address | IP address for which you want to retrieve reputation information. |
Filter Options | How the IP address is matched against indicator values in ThreatStream: Exact, Startswith, Contains, Regex, or Regexp. If you select Exact, you can also select the Validate Input checkbox to have the IP address you entered checked for validity before the lookup; Validate Input is cleared (False) by default. Startswith, Contains, Regex, and Regexp return every indicator whose value matches the pattern, not only the address you entered, so prefer Exact when the result drives an automated containment decision. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
Input parameters for the Get URL Reputation operation:
Parameter | Description |
---|---|
URL | URL for which you want to retrieve reputation information. |
Filter Options | How the URL is matched against indicator values in ThreatStream: Exact, Startswith, Contains, Regex, or Regexp. If you select Exact, you can also select the Validate Input checkbox to have the URL you entered checked for validity before the lookup; Validate Input is cleared (False) by default. Startswith, Contains, Regex, and Regexp return every indicator whose value matches the pattern, not only the URL you entered, so prefer Exact when the result drives an automated containment decision. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
Input parameters for the Get Email ID Reputation operation:
Parameter | Description |
---|---|
Email Address | Email address for which you want to retrieve reputation information. |
Filter Options | How the email address is matched against indicator values in ThreatStream: Exact, Startswith, Contains, Regex, or Regexp. If you select Exact, you can also select the Validate Input checkbox to have the email address you entered checked for validity before the lookup; Validate Input is cleared (False) by default. Startswith, Contains, Regex, and Regexp return every indicator whose value matches the pattern, not only the address you entered, so prefer Exact when the result drives an automated containment decision. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
Input parameters for the Get File Reputation operation:
Parameter | Description |
---|---|
File Hash | File hash for which you want to retrieve reputation information. |
Filter Options | How the file hash is matched against indicator values in ThreatStream: Exact, Startswith, Contains, Regex, or Regexp. If you select Exact, you can also select the Validate Input checkbox to have the hash you entered checked for validity before the lookup; Validate Input is cleared (False) by default. Startswith, Contains, Regex, and Regexp return every indicator whose value matches the pattern, not only the hash you entered, so prefer Exact when the result drives an automated containment decision. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
Input parameters for the Get Whois Domain Information operation:
Parameter | Description |
---|---|
Domain Name | Domain name for which you want to retrieve the WhoIs registration record. |
The output contains the following populated JSON schema:
{
"updated_date": [],
"status": [],
"contacts": {
"admin": "",
"billing": "",
"registrant": "",
"tech": ""
},
"creation_date": [],
"expiration_date": [],
"raw": [],
"registrar": [],
"nameservers": [],
"emails": []
}
Input parameters for the Get Whois IP Information operation:
Parameter | Description |
---|---|
IP Address | IP address for which you want to retrieve the WhoIs registration record. |
The output contains the following populated JSON schema:
{
"updated_date": [],
"status": [],
"contacts": {
"admin": "",
"billing": "",
"registrant": "",
"tech": ""
},
"creation_date": [],
"expiration_date": [],
"raw": [],
"registrar": [],
"nameservers": [],
"emails": []
}
Input parameters for the Run Filter Language Query operation:
Parameter | Description |
---|---|
Query | Query to run on the ThreatStream server. The query must conform to ThreatStream’s Filter Language Query grammar. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
Input parameters for the Run Advanced Search operation:
Parameter | Description |
---|---|
Query | Query to run on the ThreatStream server. The query must conform to ThreatStream’s Query grammar. |
Number of Records to return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"objects": [
{
"threat_type": "",
"longitude": "",
"uuid": "",
"modified_ts": "",
"tags": [
{
"name": "",
"id": ""
}
],
"id": "",
"rdns": "",
"is_anonymous": "",
"is_public": "",
"type": "",
"resource_uri": "",
"workgroups": [],
"description": "",
"itype": "",
"country": "",
"trusted_circle_ids": [],
"value": "",
"update_id": "",
"status": "",
"created_ts": "",
"is_editable": "",
"expiration_ts": "",
"asn": "",
"tlp": "",
"org": "",
"threatscore": "",
"confidence": "",
"retina_confidence": "",
"ip": "",
"import_session_id": "",
"meta": {
"detail2": "",
"media_type": "",
"media": "",
"severity": "",
"detail": "",
"maltype": ""
},
"owner_organization_id": "",
"latitude": "",
"feed_id": "",
"source_reported_confidence": "",
"source": ""
}
],
"meta": {
"total_count": "",
"limit": "",
"next": "",
"took": "",
"offset": "",
"previous": ""
}
}
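The five reputation operations above (Get Domain, IP, URL, Email ID and File Reputation) and the two query operations (Run Filter Language Query and Run Advanced Search) all return the same paged indicator schema, so one worked example covers them. The block below is an added example, not code from the connector or from Anomali: it builds the lookup from the Filter Options and Validate Input settings, pages through the results for Fetch Limited Records versus Fetch All Records, and reduces the matches to a verdict a playbook can branch on. It assumes (the page does not state any of this) that the v2 endpoint is `/api/v2/intelligence/`, that the five filter options map to the query parameters `value__exact`, `value__startswith`, `value__contains`, `value__regex` and `value__regexp`, that a Filter Language query is sent as the `q` parameter, that paging uses `limit`/`offset` with `meta.next` non-empty while more pages remain, and that indicator `status` values are `active`, `inactive` and `falsepos`. The HTTP call is injected as `transport(path, params)` and the sample pages are constructed, so it runs offline.

```python
# Added example, not the connector's or Anomali's own code; endpoint, query
# parameter names and status values are assumptions noted in the lead-in.
import ipaddress
import re
from urllib.parse import urlsplit

FILTER_OPS = {"Exact": "exact", "Startswith": "startswith", "Contains": "contains",
              "Regex": "regex", "Regexp": "regexp"}
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


# Validate Input checkbox: refuse a value that cannot be the indicator kind looked up.
VALIDATORS = {
    "domain": lambda v: bool(_DOMAIN_RE.match(v)),
    "ip": _is_ip,
    "url": lambda v: urlsplit(v).scheme in ("http", "https") and bool(urlsplit(v).netloc),
    "email": lambda v: bool(_EMAIL_RE.match(v)),
    "hash": lambda v: bool(_HASH_RE.match(v)),  # MD5, SHA-1 or SHA-256 hex digest
}


def validate_input(kind, value):
    return VALIDATORS[kind](value)


def build_lookup_params(kind, value, filter_option="Exact", validate=False, limit=100):
    """Query parameters for Get Domain/IP/URL/Email ID/File Reputation."""
    if filter_option not in FILTER_OPS:
        raise ValueError("unsupported filter option: %s" % filter_option)
    # Validate Input only applies to Exact; the other options carry a pattern, not a value.
    if validate and filter_option == "Exact" and not validate_input(kind, value):
        raise ValueError("%r is not a well-formed %s" % (value, kind))
    return {"value__" + FILTER_OPS[filter_option]: value, "limit": limit, "offset": 0}


def build_query_params(query, limit=100):
    """Query parameters for Run Filter Language Query / Run Advanced Search (q assumed)."""
    return {"q": query, "limit": limit, "offset": 0}


def fetch_intelligence(transport, params, fetch_all=False):
    """Return the matched indicator objects.

    fetch_all=False is Fetch Limited Records: one page of `limit` records from `offset`.
    fetch_all=True is Fetch All Records: keep paging while meta.next is set.
    """
    params = dict(params)
    objects = []
    while True:
        page = transport("/api/v2/intelligence/", params)
        batch = page.get("objects", [])
        objects.extend(batch)
        meta = page.get("meta", {})
        if not fetch_all or not meta.get("next") or not batch:
            return objects
        params["offset"] = int(meta.get("offset", params["offset"])) + len(batch)


def verdict(objects, min_confidence=50):
    """Reduce the matches to something a playbook can branch on.

    Only indicators with status "active" count; "falsepos" and "inactive" ones are
    ignored even when their confidence is high. Returns ("malicious", best) or
    ("unknown", None), where best is the active match with the highest threatscore.
    """
    active = [o for o in objects
              if o.get("status") == "active" and int(o.get("confidence") or 0) >= min_confidence]
    if not active:
        return "unknown", None
    best = max(active, key=lambda o: (int(o.get("threatscore") or 0), int(o.get("confidence") or 0)))
    return "malicious", best


# Constructed sample pages shaped like the output schema above (not real ThreatStream data).
_SAMPLE_PAGES = [
    {"objects": [{"value": "evil.example", "itype": "mal_domain", "status": "active",
                  "confidence": 85, "threatscore": 70, "source": "constructed"},
                 {"value": "evil.example", "itype": "mal_domain", "status": "falsepos",
                  "confidence": 95, "threatscore": 90, "source": "constructed"}],
     "meta": {"total_count": 3, "limit": 2, "offset": 0, "took": 3, "previous": None,
              "next": "/api/v2/intelligence/?limit=2&offset=2"}},
    {"objects": [{"value": "evil.example", "itype": "c2_domain", "status": "active",
                  "confidence": 60, "threatscore": 80, "source": "constructed"}],
     "meta": {"total_count": 3, "limit": 2, "offset": 2, "took": 2,
              "previous": "/api/v2/intelligence/?limit=2&offset=0", "next": None}},
]


def sample_transport(path, params):
    """Offline stand-in for the HTTP GET. A real transport prefixes the Server URL, sends
    the Username and API Key, and verifies the certificate when Verify SSL is True."""
    assert path == "/api/v2/intelligence/"
    index = int(params.get("offset", 0)) // int(params.get("limit", 1))
    return _SAMPLE_PAGES[min(index, len(_SAMPLE_PAGES) - 1)]


if __name__ == "__main__":
    params = build_lookup_params("domain", "evil.example", "Exact", validate=True, limit=2)
    print(verdict(fetch_intelligence(sample_transport, params, fetch_all=True)))
```

The verdict deliberately ignores the `falsepos` record even though it carries the highest confidence on the page; a playbook that keys on "any record returned" instead of on `status` will contain hosts on the strength of indicators ThreatStream has already retracted.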
Input parameters for the Submit Observables operation:
Parameter | Description |
---|---|
CyOPs Attachment IRI | (Optional) Attachment IRI used to read the file directly from the FortiSOAR™ Attachments module. This is the file from which the observables are imported into ThreatStream. Supported file types: CSV, HTML, IOC, JSON, PDF, and TXT. |
Observable data | (Optional) Observable data to import into ThreatStream, entered directly. |
Confidence | Confidence value, from 0 to 100, assigned to the imported observables. |
Source Confidence Weight | (Optional) Relative weight given to the source-reported confidence of each indicator versus the confidence that ThreatStream computes for it. |
Severity | Severity assigned to the imported observables: Low, Medium, High, or Very High. |
Classification | Classification assigned to the imported observables: Private or Public. |
Expiration Time Stamp | Time after which the imported observables expire in ThreatStream: 90 days, 60 days, 30 days, Never, or Custom. The default is 90 days from the current date. |
Tags | (Optional) Tags assigned to the imported observables. |
IP Indicator Type | Default itype applied to every imported IP indicator that does not carry an explicit itype of its own. |
Domain Indicator Type | Default itype applied to every imported domain indicator that does not carry an explicit itype of its own. |
URL Indicator Type | Default itype applied to every imported URL indicator that does not carry an explicit itype of its own. |
Email Indicator Type | Default itype applied to every imported email indicator that does not carry an explicit itype of its own. |
MD5 Indicator Type | Default itype applied to every imported MD5 indicator that does not carry an explicit itype of its own. |
Trusted Circle IDs | (Optional) IDs of the trusted circles with which the imported observables are shared. |
The output contains the following populated JSON schema:
{
"job_id": "",
"import_session_id": "",
"success": ""
}
Input parameters for the Get Submitted Observables Status by Import ID operation:
Parameter | Description |
---|---|
Import Session ID | ID of the import session whose status you want to retrieve from ThreatStream. The import session ID is returned in the response of the Submit Observables operation. |
The output contains the following populated JSON schema:
{
"num_private": "",
"workgroups": [],
"tags": [],
"id": "",
"notes": "",
"visibleForReview": "",
"date": "",
"jobID": "",
"organization": {
"name": "",
"id": "",
"resource_uri": ""
},
"default_comment": "",
"numIndicators": "",
"messages": "",
"approved_by": {
"must_change_password": "",
"avatar_s3_url": "",
"can_share_intelligence": "",
"id": "",
"nickname": "",
"name": "",
"email": "",
"is_active": "",
"resource_uri": "",
"organization": {
"name": "",
"id": "",
"resource_uri": ""
}
},
"trusted_circles": [],
"date_modified": "",
"numRejected": "",
"approved_by_id": "",
"resource_uri": "",
"intelligence_source": "",
"source_confidence_weight": "",
"num_public": "",
"status": "",
"fileName": "",
"is_public": "",
"sandbox_submit": "",
"orginal_intelligence": "",
"tlp": "",
"processed_ts": "",
"user_id": "",
"fileType": "",
"associations": {
"actors": [],
"ttps": [],
"incidents": [],
"tip_reports": [],
"campaigns": []
},
"is_anonymous": "",
"name": "",
"email": "",
"confidence": ""
}
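Submit Observables and Get Submitted Observables Status by Import ID are two halves of one procedure: submit, read the `import_session_id` from the response, then poll the session until the data has been approved in the ThreatStream UI. The block below is an added example, not code from the connector or from Anomali, that carries that procedure through. It assumes (none of this is on the page) that the import is a POST to `/api/v2/intelligence/import/` whose form fields are `datatext`, `confidence`, `severity`, `classification`, `expiration_ts`, `tags`, `trusted_circles`, `source_confidence_weight` and the `ip_mapping`/`domain_mapping`/`url_mapping`/`email_mapping`/`md5_mapping` itype defaults, that "Never" is expressed by omitting `expiration_ts`, that the status call is a GET of `/api/v2/importsession/<id>/`, and that a session counts as approved once its `approved_by_id` is set. The transport is injected and the responses are constructed, so it runs offline.

```python
# Added example, not the connector's or Anomali's own code; endpoint paths, form
# field names and the approval rule are assumptions noted in the lead-in.
from datetime import datetime, timedelta, timezone

SEVERITIES = {"Low": "low", "Medium": "medium", "High": "high", "Very High": "very-high"}
EXPIRY_DAYS = {"90 days": 90, "60 days": 60, "30 days": 30}


def build_import_request(observables, confidence, severity, classification,
                         expiration="90 days", tags=(), trusted_circle_ids=(),
                         source_confidence_weight=None, itype_defaults=None, now=None):
    """Form fields for one Submit Observables call.

    `observables` is the Observable data parameter, one indicator per line.
    `expiration` is an Expiration Time Stamp choice or, for Custom, a datetime.
    `itype_defaults` maps "ip"/"domain"/"url"/"email"/"md5" to the Indicator Type defaults.
    """
    lines = [ln.strip() for ln in observables.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("no observables to import")
    if not 0 <= int(confidence) <= 100:
        raise ValueError("confidence must be between 0 and 100")
    if severity not in SEVERITIES or classification not in ("Private", "Public"):
        raise ValueError("bad severity or classification")
    now = now or datetime.now(timezone.utc)
    body = {
        "datatext": "\n".join(dict.fromkeys(lines)),  # de-duplicated, order kept
        "confidence": int(confidence),
        "severity": SEVERITIES[severity],
        "classification": classification.lower(),
    }
    if isinstance(expiration, datetime):                    # Custom
        body["expiration_ts"] = expiration.strftime("%Y-%m-%dT%H:%M:%S")
    elif expiration in EXPIRY_DAYS:
        expires = now + timedelta(days=EXPIRY_DAYS[expiration])
        body["expiration_ts"] = expires.strftime("%Y-%m-%dT%H:%M:%S")
    elif expiration != "Never":                              # Never: no expiration_ts sent (assumed)
        raise ValueError("unknown expiration choice: %s" % expiration)
    if tags:
        body["tags"] = ",".join(tags)
    if trusted_circle_ids:
        body["trusted_circles"] = ",".join(str(i) for i in trusted_circle_ids)
    if source_confidence_weight is not None:
        body["source_confidence_weight"] = int(source_confidence_weight)
    for kind, itype in (itype_defaults or {}).items():
        body[kind + "_mapping"] = itype                      # e.g. domain_mapping=mal_domain (assumed)
    return body


def parse_submit_response(resp):
    """Pull the import session ID out of the Submit Observables output schema."""
    if not resp.get("success"):
        raise RuntimeError("import was not accepted: %r" % resp)
    return str(resp["import_session_id"])


def session_state(session):
    """Classify one Get Submitted Observables Status by Import ID response.

    Approval happens in the ThreatStream UI, so the session is "approved" only once
    approved_by_id is set (assumed); until then it is "awaiting review". The second
    value is the number of indicators that survived the import (numIndicators - numRejected).
    """
    accepted = int(session.get("numIndicators") or 0) - int(session.get("numRejected") or 0)
    if session.get("approved_by_id"):
        return "approved", accepted
    return "awaiting review", accepted


def wait_for_approval(transport, session_id, attempts=5, sleep=lambda seconds: None, interval=30):
    """Poll the import session until it is approved or the attempts run out."""
    state, accepted = "awaiting review", 0
    for _ in range(attempts):
        state, accepted = session_state(transport("/api/v2/importsession/%s/" % session_id))
        if state == "approved":
            break
        sleep(interval)
    return state, accepted


def make_sample_transport():
    """Offline stand-in for the GET: awaiting review on the first poll, approved on the second.
    Responses are constructed to match the output schema above, not real data."""
    polls = iter([
        {"id": 9001, "status": "done", "numIndicators": 3, "numRejected": 1, "approved_by_id": ""},
        {"id": 9001, "status": "done", "numIndicators": 3, "numRejected": 1, "approved_by_id": 42},
    ])
    return lambda path: next(polls)


def run_example():
    body = build_import_request("evil.example\n198.51.100.7\nevil.example", 80, "High", "Private",
                                tags=["constructed"], itype_defaults={"domain": "mal_domain", "ip": "c2_ip"},
                                now=datetime(2024, 1, 1, tzinfo=timezone.utc))
    session_id = parse_submit_response({"job_id": "7", "import_session_id": 9001, "success": True})
    return body, wait_for_approval(make_sample_transport(), session_id)
```

A playbook that treats `success: true` from Submit Observables as "indicators are live" will act too early; the polling step is what tells it the data has cleared review, and `numRejected` is what tells it how many of the submitted lines ThreatStream refused.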
Input parameters for the Get Import Job Details operation:
Parameter | Description |
---|---|
Search Query | Query to run on the ThreatStream server to select the import jobs whose details you want to retrieve. |
Number of Records to Return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, then you must also specify the following additional parameters: |
The output contains the following populated JSON schema:
{
"meta": {
"offset": "",
"limit": "",
"total_count": "",
"next": "",
"previous": ""
},
"objects": [
{
"num_private": "",
"workgroups": [],
"tags": [
{
"name": "",
"id": "",
"tlp": "",
"org_id": ""
}
],
"id": "",
"notes": "",
"date": "",
"jobID": "",
"is_anonymous": "",
"organization": {
"name": "",
"resource_uri": "",
"id": ""
},
"is_public": "",
"sandbox_submit": "",
"approved_by": {
"must_change_password": "",
"avatar_s3_url": "",
"email": "",
"can_share_intelligence": "",
"nickname": "",
"name": "",
"id": "",
"is_active": "",
"resource_uri": "",
"organization": {
"name": "",
"resource_uri": "",
"id": ""
}
},
"trusted_circles": [],
"date_modified": "",
"numRejected": "",
"approved_by_id": "",
"messages": "",
"source_confidence_weight": "",
"num_public": "",
"status": "",
"fileName": "",
"resource_uri": "",
"numIndicators": "",
"orginal_intelligence": "",
"tlp": "",
"processed_ts": "",
"user_id": "",
"fileType": "",
"intelligence_source": "",
"default_comment": "",
"visibleForReview": "",
"name": "",
"email": "",
"confidence": ""
}
]
}
Input parameters for the Create Incident operation:
Parameter | Description |
---|---|
Name | Name of the incident to create in ThreatStream. Incident names are scoped to your organization, so the name must be unique within it. |
Is Incident Public or Private | Whether the new incident is Public or Private (a private incident may belong to a trusted circle). Select this option (True) to create a Public incident; clear it (False) to create a Private incident or one that belongs to a Trusted Circle. The default is True, so clear this option when the incident contains data that must not be visible outside your organization. |
Tags | (Optional) Tags assigned to the new incident. A tag is a meaningful name or other string used to identify the information, for example spear phishing or exploitation. |
Intelligence | (Optional) Indicators to associate with the incident on the ThreatStream platform, given as intelligence IDs; separate multiple IDs with commas. |
TLP | (Optional) Traffic Light Protocol (TLP) designation for the new incident: Red, Amber, Green, or White. |
Fields to Include with The Incident | (Optional) Any other fields to include in the incident that is created in ThreatStream. |
The output contains the following populated JSON schema:
{
"logo_s3_url": "",
"is_public": "",
"tlp": "",
"modified_ts": "",
"watched_total_count": "",
"id": "",
"sandbox_reports": [],
"starred_by_me": "",
"external_references": [],
"votes": {
"total": "",
"me": ""
},
"organization": {
"name": "",
"id": "",
"resource_uri": ""
},
"parent": "",
"assignee_user": "",
"published_ts": "",
"organization_id": "",
"body_content_type": "",
"status": {
"display_name": "",
"id": "",
"resource_uri": ""
},
"name": "",
"end_date": "",
"status_desc": "",
"publication_status": "",
"intended_effects": [],
"start_date": "",
"resource_uri": "",
"created_ts": "",
"starred_total_count": "",
"circles": [],
"watched_by_me": "",
"description": "",
"activity_dates": [],
"is_cloneable": "",
"owner_user": {
"name": "",
"id": "",
"email": "",
"resource_uri": ""
},
"victims": [],
"is_anonymous": "",
"workgroups": [],
"feed_id": ""
}
Input parameters for the Get Incidents List operation:
Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criterion is applied and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit | Maximum number of results, per page, that this operation should return. |
Offset | Zero-based index of the page that this operation should return. |
Intelligence value to filter | Intelligence value by which to filter the incidents retrieved from ThreatStream. For example, google.com returns all incidents associated with google.com. |
The output contains the following populated JSON schema:
{
"meta": {
"offset": "",
"limit": "",
"total_count": "",
"next": "",
"previous": ""
},
"objects": [
{
"modified_ts": "",
"is_cloneable": "",
"tags": [],
"id": "",
"starred_by_me": "",
"workgroups": [],
"tags_v2": [
{
"name": "",
"id": ""
}
],
"is_public": "",
"published_ts": "",
"organization_id": "",
"votes": {
"total": "",
"me": ""
},
"watched_total_count": "",
"status": {
"display_name": "",
"resource_uri": "",
"id": ""
},
"end_date": "",
"publication_status": "",
"created_ts": "",
"start_date": "",
"resource_uri": "",
"tlp": "",
"starred_total_count": "",
"circles": [
{
"name": "",
"resource_uri": "",
"id": ""
}
],
"watched_by_me": "",
"is_anonymous": "",
"name": "",
"feed_id": ""
}
]
}
Input parameters for the Get Incident operation:
Parameter | Description |
---|---|
Incident ID | ID of the incident whose details you want to retrieve from ThreatStream. |
The output contains the following populated JSON schema:
{
"intelligence": [],
"watched_total_count": "",
"created_ts": "",
"sandbox_reports": [],
"external_references": [
{
"r_type": "",
"s3_url": "",
"filename": "",
"id": "",
"url": "",
"resource_uri": "",
"title": ""
}
],
"tags_v2": [
{
"name": "",
"id": ""
}
],
"organization": {
"name": "",
"id": "",
"resource_uri": ""
},
"parent": "",
"published_ts": "",
"description": "",
"starred_total_count": "",
"end_date": "",
"is_cloneable": "",
"status": {
"display_name": "",
"resource_uri": "",
"id": ""
},
"intended_effects": [],
"start_date": "",
"status_desc": "",
"tlp": "",
"circles": [
{
"name": "",
"resource_uri": "",
"id": ""
}
],
"watched_by_me": "",
"activity_dates": [],
"is_anonymous": "",
"feed_id": "",
"starred_by_me": "",
"tipreports": [],
"logo_s3_url": "",
"victims": [],
"modified_ts": "",
"tags": [
""
],
"id": "",
"ttps": [],
"workgroups": [],
"is_public": "",
"actors": [],
"organization_id": "",
"votes": {
"total": "",
"me": ""
},
"campaigns": [],
"resource_uri": "",
"publication_status": "",
"body_content_type": "",
"signatures": [],
"owner_user": {
"name": "",
"email": "",
"resource_uri": "",
"id": ""
},
"name": "",
"incidents": []
}
Input parameters for the Update Incident operation:
Parameter | Description |
---|---|
Incident ID | ID of the incident to update in ThreatStream. |
Incident Name | Name of the incident to update in ThreatStream. |
Status | (Optional) Status to set on the incident: New, Open, Stalled, Containment Achieved, Restoration Achieved, Incident Reported, Closed, Rejected, or Deleted. Note: This parameter makes an API call named "get_status" to populate its dropdown dynamically, so the list you see reflects the statuses defined on your ThreatStream server. |
Status Description | (Optional) Description associated with the status that you set on the incident. |
Intelligence | (Optional) Indicators to associate with the incident on the ThreatStream platform, given as intelligence IDs; separate multiple IDs with commas. |
Fields to Update on Incident | (Optional) Any other fields to update on the incident in ThreatStream. |
The output contains the following populated JSON schema:
{
"logo_s3_url": "",
"is_public": "",
"tlp": "",
"modified_ts": "",
"watched_total_count": "",
"id": "",
"sandbox_reports": [],
"starred_by_me": "",
"external_references": [],
"votes": {
"total": "",
"me": ""
},
"organization": {
"name": "",
"id": "",
"resource_uri": ""
},
"parent": "",
"assignee_user": "",
"published_ts": "",
"organization_id": "",
"body_content_type": "",
"status": {
"display_name": "",
"id": "",
"resource_uri": ""
},
"name": "",
"end_date": "",
"status_desc": "",
"publication_status": "",
"intended_effects": [],
"start_date": "",
"resource_uri": "",
"created_ts": "",
"starred_total_count": "",
"circles": [],
"watched_by_me": "",
"description": "",
"activity_dates": [],
"is_cloneable": "",
"owner_user": {
"name": "",
"id": "",
"email": "",
"resource_uri": ""
},
"victims": [],
"is_anonymous": "",
"workgroups": [],
"feed_id": ""
}
Input parameters for the Delete Incident operation:
Parameter | Description |
---|---|
Incident ID | ID of the incident to delete from ThreatStream. |
The output contains the following populated JSON schema:
{
"result": ""
}
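Create Incident, Update Incident and Delete Incident share the same request shape, and two of their parameters deserve a check before a playbook sends them: the comma-separated Intelligence list, and the free-form Fields to Include/Update, which a playbook variable could use to override an explicit setting such as Is Incident Public or Private. The block below is an added example, not code from the connector or from Anomali, that builds the three requests with those checks in place and runs them through an injected transport. It assumes (none of this is on the page) that incidents live at `/api/v2/incident/` (POST to create, PATCH `/api/v2/incident/<id>/` to update, DELETE to remove), that the `get_status` call behind the Status dropdown returns a list of `{id, display_name}` objects, that incident tags are sent as a list of `{name}` objects, and a list of reserved field names that the free-form fields may not touch. The transport and the status list are constructed, so it runs offline.

```python
# Added example, not the connector's or Anomali's own code; paths, the get_status
# shape, the tag shape and the RESERVED list are assumptions noted in the lead-in.
TLP_CHOICES = ("Red", "Amber", "Green", "White")
# Fields the free-form "Fields to Include/Update" parameter may not set (assumed list):
# they are either owned by the named parameters or by the server.
RESERVED = {"name", "is_public", "tlp", "tags", "intelligence", "status", "status_desc",
            "id", "organization_id", "owner_user", "resource_uri", "created_ts", "modified_ts"}
# Constructed stand-in for the get_status response (not real data).
SAMPLE_STATUSES = [{"id": 1, "display_name": "New"}, {"id": 2, "display_name": "Open"},
                   {"id": 4, "display_name": "Containment Achieved"}, {"id": 7, "display_name": "Closed"}]


def parse_intelligence_ids(text):
    """Intelligence parameter: comma-separated intelligence IDs -> list of ints."""
    ids = []
    for part in (text or "").split(","):
        part = part.strip()
        if part:
            if not part.isdigit():
                raise ValueError("intelligence ID is not numeric: %r" % part)
            ids.append(int(part))
    return ids


def merge_extra_fields(body, extra):
    """Add free-form fields without letting them override the explicit parameters.

    This is the check that stops a playbook variable from, say, flipping is_public
    on an incident that was deliberately created Private.
    """
    clash = RESERVED.intersection(extra or {})
    if clash:
        raise ValueError("extra fields would override %s" % sorted(clash))
    body.update(extra or {})
    return body


def create_incident_body(name, is_public=True, tags=(), intelligence="", tlp=None, extra=None):
    """Body for POST /api/v2/incident/ (path assumed)."""
    if not name or not name.strip():
        raise ValueError("incident name is required")
    if tlp is not None and tlp not in TLP_CHOICES:
        raise ValueError("TLP must be one of %s" % (TLP_CHOICES,))
    body = {"name": name.strip(), "is_public": bool(is_public)}
    if tags:
        body["tags"] = [{"name": t} for t in tags]          # tag shape assumed
    if intelligence:
        body["intelligence"] = parse_intelligence_ids(intelligence)
    if tlp:
        body["tlp"] = tlp.lower()
    return merge_extra_fields(body, extra)


def resolve_status_id(statuses, display_name):
    """Map a Status dropdown label to its id using the get_status list."""
    for s in statuses:
        if s.get("display_name", "").lower() == display_name.lower():
            return s["id"]
    raise ValueError("unknown incident status: %r" % display_name)


def update_incident_body(name, statuses, status=None, status_desc=None, intelligence="", extra=None):
    """Body for PATCH /api/v2/incident/<id>/ (path assumed); only the given fields change."""
    body = {"name": name}
    if status:
        body["status"] = resolve_status_id(statuses, status)
    if status_desc:
        body["status_desc"] = status_desc
    if intelligence:
        body["intelligence"] = parse_intelligence_ids(intelligence)
    return merge_extra_fields(body, extra)


def incident_lifecycle(transport, statuses):
    """Create, update and delete one incident through transport(method, path, body)."""
    created = transport("POST", "/api/v2/incident/", create_incident_body(
        "Constructed phishing wave", is_public=False, tags=["spear phishing"],
        intelligence="101, 102", tlp="Amber"))
    path = "/api/v2/incident/%s/" % created["id"]
    transport("PATCH", path, update_incident_body(
        created["name"], statuses, status="Containment Achieved", status_desc="blocked at proxy"))
    transport("DELETE", path, None)
    return created["id"]


def make_sample_transport(log):
    """Offline stand-in that records each call and echoes a created incident (constructed)."""
    def transport(method, path, body):
        log.append((method, path, body))
        if method == "POST":
            return {"id": 555, "name": body["name"], "is_public": body["is_public"]}
        return {"result": True}
    return transport
```

The RESERVED check is the part worth keeping even if the rest is replaced: the Fields to Include and Fields to Update parameters accept arbitrary keys, so without it any value that reaches the playbook from an incident record can rewrite the visibility or ownership of the ThreatStream incident.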
The Sample - Anomali ThreatStream - 2.0.0 playbook collection comes bundled with the Anomali ThreatStream connector. It contains playbooks whose steps exercise every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Anomali ThreatStream connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.