ThreatQuotient is a threat intelligence platform that centrally manages and correlates an unlimited number of external sources. This connector facilitates automated operations such as collecting and interpreting intelligence data from open sources and managing indicators.
This document provides information about the ThreatQ Connector, which facilitates automated interactions with a ThreatQ server using FortiSOAR™ playbooks. Add the ThreatQ Connector as a step in FortiSOAR™ playbooks and perform automated operations with ThreatQ.
Connector Version: 2.1.0
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the ThreatQ Connector in version 2.1.0:
These parameters have now been modified to fetch the IDs dynamically through a REST API call.
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:

```shell
yum install cyops-connector-threatq
```

For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the ThreatQ connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Hostname | Specify the IP address or hostname of the ThreatQ server from which the connector gets notifications and to which you will connect and perform automated operations. |
| Username | Specify the username to access the ThreatQ server to which you will connect and perform automated operations. |
| Password | Specify the password to access the ThreatQ server to which you will connect and perform automated operations. |
| ThreatQ Client ID | Specify the client ID using which you can access the ThreatQ server to which you will connect and perform automated operations. You can find the client ID on the OAuth Management page in ThreatQ. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Create Event | Creates a new event in ThreatQ based on the event type and event source that you specify. | create_event Investigation |
| Create Adversary | Creates a new adversary in ThreatQ based on the adversary name and source that you specify. | create_adversary Investigation |
| Create IOC | Creates a new IOC in ThreatQ based on the indicator name, source, type, and status that you specify. | create_ioc Investigation |
| Get Indicator Types | Retrieves a list containing all available indicator types from ThreatQ. | get_indicator_types Investigation |
| Get Indicator Statuses | Retrieves a list containing all available indicator statuses and their ID values from ThreatQ. You can use these IDs to create new indicators. | get_indicator_status Investigation |
| Get Reputation | Retrieves the reputation for the indicator from ThreatQ, based on the indicator name and type that you specify. | get_reputation Investigation |
| Search Indicator | Queries ThreatQ for the indicator whose name you specify and retrieves the details of that indicator. | search_indicator Investigation |
| Get IP Reputation | Retrieves the reputation for an IP from ThreatQ, based on the IP address that you specify. | get_ip_reputation Investigation |
| Get Domain Reputation | Retrieves the reputation for a domain from ThreatQ, based on the domain name that you specify. | get_domain_reputation Investigation |
| Get URL Reputation | Retrieves the reputation for a URL from ThreatQ, based on the URL type (either URL or URL path) and URL value that you specify. | get_url_reputation Investigation |
| Get File Reputation | Retrieves the reputation of a specific file from ThreatQ based on the filehash type and filehash value that you specify. | get_file_reputation Investigation |
| Get List of Indicators | Retrieves a list of available indicators from ThreatQ, based on the parameters that you have specified. | get_iocs Investigation |
| Get Related IOCs | Retrieves details for IOCs related to an indicator from ThreatQ, based on the name of the indicator that you specify. | get_iocs Investigation |
| Get Event Types | Retrieves a list containing all available event types from ThreatQ. | get_event_types Investigation |
| Search Event | Queries ThreatQ for the event whose name you specify and retrieves the details of that event. | search_event Investigation |
| Get List of Events | Retrieves a list containing all the events from ThreatQ. | get_event Investigation |
| Update Indicator | Updates the status of the indicator, in ThreatQ, based on the name of the indicator that you specify. | update_ioc Investigation |
| Link IOCs | Links two IOCs in ThreatQ, based on the names of the indicators that you specify. | link_ioc Investigation |
| Get List of Adversaries | Retrieves a list containing all the adversaries or specific adversaries from ThreatQ based on the input parameters you have specified. | get_list_of_adversaries Investigation |
| Get Saved Searches | Retrieves a list of all saved search filter queries, or of specific saved search filter queries, from ThreatQ based on the input parameters you have specified. | get_saved_searches Investigation |
| Run Search Query | Executes a saved search query in ThreatQ based on the object type, query, and input parameters you have specified. | run_search_query Investigation |
| Add Attribute | Adds a specific attribute to a specific object in ThreatQ based on the object type and ID, and the attribute name and value you have specified. | add_attribute Investigation |
| Remove Attribute | Removes a specific attribute from a specific object in ThreatQ based on the object type and ID, and the attribute ID you have specified. | remove_attribute Investigation |
| Add Source | Adds a source to a specific object in ThreatQ based on the object type and ID, and the source value you have specified. | add_source Investigation |
| Remove Source | Removes a specific source from a specific object in ThreatQ based on the object type and ID, and the source ID you have specified. | remove_attribute Investigation |
| Get Related Objects | Retrieves details for objects related to a specific object from ThreatQ based on the object type and ID, and the related object type you have specified. | get_related_objects Investigation |
| Link Two Objects | Links two specific objects in ThreatQ based on the object type and object ID you have specified. | link_two_objects Investigation |
| Unlink Two Objects | Unlinks two specific objects in ThreatQ based on the object type and object ID you have specified. | unlink_two_objects Investigation |
| Parameter | Description |
|---|---|
| Event Type | Specify the type of the event that you want to create in ThreatQ. Event types are defined in ThreatQ and you can choose from the following: Spearphish, Watering Hole, SQL Injection Attack, DoS Attack, Malware, Watchlist, Command and Control, Anonymization Exfiltration, Host Characteristics, Compromised PKI Certificate, Login Compromise, and Incident. You can fetch the event types using the Get Event Types operation. |
| Title | Specify the name to be given to the newly created event in ThreatQ. |
| Source | Specify the name of the source from where you are creating this event. |
| Description | (Optional) Specify the description to be added to the newly created event in ThreatQ. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "id": "",
    "description": "",
    "created_at": "",
    "sources": [],
    "type_id": "",
    "title": "",
    "happened_at": "",
    "hash": ""
  }
}
```
| Parameter | Description |
|---|---|
| Adversary Name | Specify the name to be given to the newly created adversary in ThreatQ. |
| Source | Specify the name of the source from where you are creating this adversary. |
| Description | (Optional) Specify the description to be added to the newly created adversary in ThreatQ. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "id": "",
    "name": "",
    "sources": [],
    "created_at": "",
    "updated_at": "",
    "description": ""
  }
}
```
| Parameter | Description |
|---|---|
| Indicator Value | Specify the name of the indicator to be created in ThreatQ. |
| Indicator Type | Specify the type of the indicator that you want to create in ThreatQ. Indicator types are defined in ThreatQ and you can choose from the following: Email Address, Email Attachment, Email Subject, X-Mailer, FQDN, IP Address, Mutex, Username, Password, File Path, Filename, MD5, SHA-1, SHA-256, SHA-384, SHA-512, String, Fuzzy Hash, GOST Hash, URL, URL Path, User-agent, Registry Key, CVE, and CIDR Block. You can fetch the indicator types using the Get Indicator Types operation. |
| Indicator Status | Select the status of the indicator that you want to create in ThreatQ. Indicator statuses are defined in ThreatQ and you can choose from the statuses available on your ThreatQ server. You can fetch the indicator statuses using the Get Indicator Statuses operation. |
| Source | Specify the name of the source from where you are creating this IOC. |
The JSON output retrieves the details of the newly created indicator from ThreatQ.
The output contains the following populated JSON schema:
```json
{
  "total": "",
  "data": [
    {
      "expires_at": "",
      "expires_calculated_at": "",
      "last_detected_at": "",
      "type_id": "",
      "created_at": "",
      "sources": [
        {
          "name": "",
          "type": "",
          "expire_days": "",
          "id": "",
          "created_at": "",
          "score": "",
          "updated_at": ""
        }
      ],
      "value": "",
      "existing": "",
      "updated_at": "",
      "type": {
        "name": "",
        "id": "",
        "created_at": "",
        "score": "",
        "wildcard_matching": "",
        "updated_at": "",
        "class": ""
      },
      "hash": "",
      "id": "",
      "touched_at": "",
      "status_id": "",
      "expired_at": "",
      "description": "",
      "class": ""
    }
  ]
}
```
None. You do not need to provide any input parameters for this operation.
The JSON retrieves a list of all available indicator types from ThreatQ.
The output contains the following populated JSON schema:
```json
{
  "total": "",
  "data": [
    {
      "id": "",
      "name": "",
      "wildcard_matching": "",
      "score": "",
      "created_at": "",
      "updated_at": "",
      "class": ""
    }
  ]
}
```
None. You do not need to provide any input parameters for this operation. Include this operation in the ThreatQ playbook and you will get a list containing all available indicator statuses and their ID values. You can use these IDs to create new indicators.
The JSON output retrieves a list of all available indicator statuses and their ID values from ThreatQ.
The output contains the following populated JSON schema:
```json
{
  "total": "",
  "data": [
    {
      "id": "",
      "name": "",
      "user_editable": "",
      "description": "",
      "visible": "",
      "include_in_export": "",
      "protected": "",
      "created_at": "",
      "updated_at": ""
    }
  ]
}
```
| Parameter | Description |
|---|---|
| Indicator Type | Select the type of the indicator for which you want to retrieve reputation from ThreatQ. Indicator types are defined in ThreatQ and you can choose from the types available on your ThreatQ server. You can fetch the indicator types using the Get Indicator Types operation. |
| Indicator | Specify the name of the indicator for which you want to retrieve reputation from ThreatQ. |
The JSON output retrieves the reputation for the indicator from ThreatQ, based on the indicator name and type that you have specified.
The output contains the following populated JSON schema:
```json
{
  "indicator_id": "",
  "indicator_type": "",
  "class": "",
  "score": {
    "indicator_id": "",
    "score_config_hash": "",
    "created_at": "",
    "updated_at": "",
    "manual_score": "",
    "generated_score": ""
  },
  "created_at": "",
  "related_adversaries": {
    "count": "",
    "details": []
  },
  "indicator_value": "",
  "indicator_status": "",
  "tq_link": "",
  "related_indicators": {
    "count": "",
    "details": []
  },
  "attributes": {
    "count": "",
    "details": []
  },
  "sources": "",
  "related_attachments": "",
  "related_signatures": "",
  "related_events": "",
  "description": "",
  "hash": ""
}
```
| Parameter | Description |
|---|---|
| Indicator | Specify the name of the indicator that you want to search for in ThreatQ and whose details you want to retrieve. |
The JSON output retrieves the details for the indicator from ThreatQ, based on the indicator name that you have specified.
The output contains the following populated JSON schema:
```json
{
  "score": {},
  "indicator_id": "",
  "indicator_type": "",
  "created_at": "",
  "related_adversaries": {
    "count": "",
    "details": []
  },
  "indicator_value": "",
  "indicator_status": "",
  "tq_link": "",
  "related_indicators": {
    "count": "",
    "details": []
  },
  "attributes": {
    "count": "",
    "details": []
  },
  "sources": "",
  "related_attachments": "",
  "related_signatures": "",
  "related_events": "",
  "description": ""
}
```
| Parameter | Description |
|---|---|
| IP Address | Specify the IP address for which you want to retrieve the reputation from ThreatQ. |
The JSON output retrieves the reputation for the IP from ThreatQ, based on the IP address you have specified.
The output contains the following populated JSON schema:
```json
{
  "indicator_id": "",
  "indicator_type": "",
  "class": "",
  "score": {
    "indicator_id": "",
    "score_config_hash": "",
    "created_at": "",
    "updated_at": "",
    "manual_score": "",
    "generated_score": ""
  },
  "created_at": "",
  "related_adversaries": {
    "count": "",
    "details": []
  },
  "indicator_value": "",
  "indicator_status": "",
  "tq_link": "",
  "related_indicators": {
    "count": "",
    "details": []
  },
  "attributes": {
    "count": "",
    "details": []
  },
  "sources": "",
  "related_attachments": "",
  "related_signatures": "",
  "related_events": "",
  "description": "",
  "hash": ""
}
```
| Parameter | Description |
|---|---|
| Domain | Specify the name of the domain for which you want to retrieve reputation from ThreatQ. |
The JSON output retrieves the reputation for the domain from ThreatQ, based on the domain name you have specified.
The output contains the following populated JSON schema:
```json
{
  "indicator_id": "",
  "indicator_type": "",
  "class": "",
  "score": {
    "indicator_id": "",
    "score_config_hash": "",
    "created_at": "",
    "updated_at": "",
    "manual_score": "",
    "generated_score": ""
  },
  "created_at": "",
  "related_adversaries": {
    "count": "",
    "details": []
  },
  "indicator_value": "",
  "indicator_status": "",
  "tq_link": "",
  "related_indicators": {
    "count": "",
    "details": []
  },
  "attributes": {
    "count": "",
    "details": []
  },
  "sources": "",
  "related_attachments": "",
  "related_signatures": "",
  "related_events": "",
  "description": "",
  "hash": ""
}
```
| Parameter | Description |
|---|---|
| Indicator Type | Select the type of indicator (URL in this case) for which you want to retrieve reputation from ThreatQ. Indicator types are defined in ThreatQ and for this operation you can choose either URL or URL Path. You can fetch the indicator types using the Get Indicator Types operation. |
| Indicator Value | Specify the value of the URL for which you want to retrieve reputation from ThreatQ. |
The JSON output retrieves the reputation for the URL from ThreatQ, based on the URL type and value you have specified.
The output contains the following populated JSON schema:
```json
{
  "indicator_id": "",
  "indicator_type": "",
  "class": "",
  "score": {
    "indicator_id": "",
    "score_config_hash": "",
    "created_at": "",
    "updated_at": "",
    "manual_score": "",
    "generated_score": ""
  },
  "created_at": "",
  "related_adversaries": {
    "count": "",
    "details": []
  },
  "indicator_value": "",
  "indicator_status": "",
  "tq_link": "",
  "related_indicators": {
    "count": "",
    "details": []
  },
  "attributes": {
    "count": "",
    "details": []
  },
  "sources": "",
  "related_attachments": "",
  "related_signatures": "",
  "related_events": "",
  "description": "",
  "hash": ""
}
```
| Parameter | Description |
|---|---|
| Indicator Type | Select the type of indicator (a file hash type in this case) for which you want to retrieve reputation from ThreatQ. Indicator types are defined in ThreatQ and you can choose from the file hash types available on your ThreatQ server. You can fetch the indicator types using the Get Indicator Types operation. |
| Indicator Value | Specify the file hash value for which you want to retrieve reputation from ThreatQ. |
The JSON output retrieves the reputation for the file from ThreatQ, based on the file hash type and value you have specified.
The output contains the following populated JSON schema:
```json
{
  "indicator_id": "",
  "indicator_type": "",
  "class": "",
  "score": {
    "indicator_id": "",
    "score_config_hash": "",
    "created_at": "",
    "updated_at": "",
    "manual_score": "",
    "generated_score": ""
  },
  "created_at": "",
  "related_adversaries": {
    "count": "",
    "details": []
  },
  "indicator_value": "",
  "indicator_status": "",
  "tq_link": "",
  "related_indicators": {
    "count": "",
    "details": []
  },
  "attributes": {
    "count": "",
    "details": []
  },
  "sources": "",
  "related_attachments": "",
  "related_signatures": "",
  "related_events": "",
  "description": "",
  "hash": ""
}
```
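The Get Reputation, Get IP Reputation, Get Domain Reputation, Get URL Reputation and Get File Reputation operations all return the schema shown above. The following added example (not part of the connector) turns one such response into a verdict a playbook decision step can branch on; the verdict labels, the threshold, and the rule that a manual score takes precedence over the generated score are assumptions made for the example.

```python
"""Turn a ThreatQ reputation response into a playbook verdict.

Added example, not code from the FortiSOAR ThreatQ connector. It reads the
output schema shared by Get Reputation and the Get IP/Domain/URL/File
Reputation operations. Verdict labels, threshold and the "manual score wins"
rule are assumptions chosen for illustration.
"""
from typing import Any, Dict, Optional

# Constructed sample shaped like the reputation output schema above.
SAMPLE_REPUTATION: Dict[str, Any] = {
    "indicator_id": 4711,
    "indicator_type": "IP Address",
    "class": "network",
    "score": {
        "indicator_id": 4711,
        "score_config_hash": "constructed",
        "created_at": "2023-01-01 00:00:00",
        "updated_at": "2023-01-02 00:00:00",
        "manual_score": "",
        "generated_score": "7",
    },
    "created_at": "2023-01-01 00:00:00",
    "related_adversaries": {"count": 1, "details": [{"id": 3, "name": "Example Group"}]},
    "indicator_value": "203.0.113.10",  # RFC 5737 documentation address
    "indicator_status": "Active",
    "tq_link": "https://threatq.example/indicators/4711/details",
    "related_indicators": {"count": 2, "details": []},
    "attributes": {"count": 0, "details": []},
    "sources": "",
    "related_attachments": "",
    "related_signatures": "",
    "related_events": "",
    "description": "",
    "hash": "constructed",
}


def to_number(raw: Any) -> Optional[float]:
    """Scores arrive as numbers, numeric strings or ''/None; normalise to float or None."""
    if raw is None or raw == "":
        return None
    try:
        return float(raw)
    except (TypeError, ValueError):
        return None


def effective_score(rep: Dict[str, Any]) -> Optional[float]:
    """Assumption: an analyst-set manual_score overrides generated_score when present."""
    score = rep.get("score") or {}
    manual = to_number(score.get("manual_score"))
    return manual if manual is not None else to_number(score.get("generated_score"))


def related_count(rep: Dict[str, Any], key: str) -> int:
    """Read related_*.count, falling back to the length of details if count is blank."""
    block = rep.get(key) or {}
    if isinstance(block, dict):
        n = to_number(block.get("count"))
        return int(n) if n is not None else len(block.get("details") or [])
    return 0


def verdict(rep: Dict[str, Any], escalate_at: float = 7.0) -> Dict[str, Any]:
    """Classify an indicator for a playbook decision step.

    allow    : explicitly white-listed in ThreatQ
    ignore   : expired, or no score and nothing related to it
    escalate : score at or above the threshold, or linked to a known adversary
    review   : everything else (let an analyst look)
    """
    status = str(rep.get("indicator_status") or "")
    score = effective_score(rep)
    adversaries = related_count(rep, "related_adversaries")
    if status == "White Listed":
        label = "allow"
    elif status == "Expired":
        label = "ignore"
    elif (score is not None and score >= escalate_at) or adversaries > 0:
        label = "escalate"
    elif score is None and adversaries == 0 and related_count(rep, "related_indicators") == 0:
        label = "ignore"
    else:
        label = "review"
    return {
        "value": rep.get("indicator_value"),
        "type": rep.get("indicator_type"),
        "status": status,
        "score": score,
        "related_adversaries": adversaries,
        "verdict": label,
        "link": rep.get("tq_link"),
    }


if __name__ == "__main__":
    print(verdict(SAMPLE_REPUTATION))
```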
| Parameter | Description |
|---|---|
| Record Count | (Optional) Specify the maximum number of indicators that the operation should return. By default, this is set to 100. |
| Sort By | (Optional) Select the sorting criterion: sort the indicators either by the indicator create date or by the indicator update date. |
| Indicator Class | (Optional) Specify the class of indicator for which you want to retrieve the list of indicators. Indicator classes are defined in ThreatQ and you can choose from the following: Network or Host. |
The JSON retrieves a list of available indicators from ThreatQ, based on the parameters that you have specified.
The output contains the following populated JSON schema:
```json
{
  "total": "",
  "data": [
    {
      "created_at": "",
      "value": "",
      "touched_at": "",
      "updated_at": "",
      "last_detected_at": "",
      "sources": [
        {
          "id": "",
          "type": "",
          "published_at": "",
          "updated_at": "",
          "tlp_id": "",
          "created_at": "",
          "name": "",
          "pivot": {
            "id": "",
            "indicator_id": "",
            "source_id": "",
            "creator_source_id": ""
          }
        }
      ],
      "id": "",
      "expires_at": "",
      "hash": "",
      "status": {
        "id": "",
        "name": "",
        "user_editable": "",
        "description": "",
        "visible": "",
        "include_in_export": "",
        "protected": "",
        "created_at": "",
        "updated_at": ""
      },
      "status_id": "",
      "type": {
        "id": "",
        "name": "",
        "wildcard_matching": "",
        "score": "",
        "created_at": "",
        "updated_at": "",
        "class": ""
      },
      "score": {
        "indicator_id": "",
        "created_at": "",
        "score_config_hash": "",
        "manual_score": "",
        "generated_score": "",
        "updated_at": ""
      },
      "expires_calculated_at": "",
      "type_id": "",
      "expired_at": "",
      "class": "",
      "description": ""
    }
  ]
}
```
| Parameter | Description |
|---|---|
| Indicator | Specify the name of the indicator for which you want to fetch the related IOCs. |
The JSON output retrieves the details for the related indicator(s) from ThreatQ, based on the indicator name you have specified.
The output contains the following populated JSON schema:
```json
{
  "related_indicators": {
    "count": "",
    "details": [
      {
        "id": "",
        "value": "",
        "class": "",
        "hash": ""
      }
    ]
  }
}
```
You do not need to provide any input parameters for this operation. Include this operation in the ThreatQ playbook and you will get a list containing all available event types and their ID values.
The JSON retrieves a list of all available event types from ThreatQ.
The output contains the following populated JSON schema:
```json
{
  "total": "",
  "data": [
    {
      "id": "",
      "updated_at": "",
      "name": "",
      "user_editable": "",
      "created_at": ""
    }
  ]
}
```
| Parameter | Description |
|---|---|
| Event Name | Specify the name of the event that you want to search for in ThreatQ and whose details you want to retrieve. |
The JSON output retrieves the details for the specified event from ThreatQ, based on the event name you have specified. If the event that you have specified is not found, an error message is displayed.
The output contains the following populated JSON schema:
```json
{
  "data": {
    "title": "",
    "created_at": "",
    "watchlist": [],
    "sources": [],
    "signatures": [],
    "id": "",
    "updated_at": "",
    "attachments": [],
    "description": "",
    "adversaries": [],
    "recipients": [],
    "type": {},
    "hash": "",
    "comments": [],
    "events": [],
    "type_id": "",
    "attributes": [],
    "happened_at": "",
    "spearphish": ""
  }
}
```
| Parameter | Description |
|---|---|
| Offset | (Optional) Specify the index of the first item to return. By default, this is set to 0. |
| Record Count | (Optional) The maximum number of events that the operation should return. By default, this is set to 10. |
| Event Type | (Optional) Select the type of event for which you want to retrieve the list of events from ThreatQ. Event types are defined in ThreatQ and you can choose from the event types available on your ThreatQ server. You can fetch the event types using the Get Event Types operation. |
| Event Sources | (Optional) Specify the name of the event sources for which you want to retrieve the list of events from ThreatQ. |
The JSON retrieves a list of all available events from ThreatQ that match the parameters that you have specified.
The output contains the following populated JSON schema:
```json
{
  "total": "",
  "data": [
    {
      "id": "",
      "hash": "",
      "description": "",
      "happened_at": "",
      "title": "",
      "created_at": "",
      "updated_at": "",
      "touched_at": "",
      "type_id": "",
      "sources": [
        {
          "id": "",
          "name": ""
        }
      ],
      "total_indicators": ""
    }
  ]
}
```
| Parameter | Description |
|---|---|
| Indicator | Specify the name of the indicator whose status you want to update. |
| Indicator Status | Select the status of the indicator that you want to update in ThreatQ. Indicator statuses are defined in ThreatQ and you can choose from the following: Active, Expired, Indirect, Review, White Listed, and Black Listed. You can fetch the indicator statuses using the Get Indicator Statuses operation. |
| Indicator Class | (Optional) Specify the class of indicator that contains the indicator you want to update. Indicator classes are defined in ThreatQ and you can choose from the following: Network or Host. |
The JSON output retrieves the details for the indicator from ThreatQ whose status you want to update.
The output contains the following populated JSON schema:
```json
{
  "data": {
    "status_id": "",
    "class": "",
    "type_id": "",
    "value": "",
    "expires_at": "",
    "id": "",
    "description": "",
    "created_at": "",
    "hash": ""
  }
}
```
| Parameter | Description |
|---|---|
| Indicator | Specify the name of the indicator that you want to relate to another indicator in ThreatQ. |
| Link Indicator | Specify the name of the indicator which you want to relate to the first indicator in ThreatQ. |
The JSON output retrieves the details of the first indicator from ThreatQ, to which the second indicator has been linked.
The output contains the following populated JSON schema:
```json
{
  "total": "",
  "data": [
    {
      "created_at": "",
      "value": "",
      "touched_at": "",
      "updated_at": "",
      "last_detected_at": "",
      "id": "",
      "expires_at": "",
      "hash": "",
      "status_id": "",
      "expires_calculated_at": "",
      "pivot": {
        "id": "",
        "created_at": "",
        "updated_at": ""
      },
      "type_id": "",
      "expired_at": "",
      "class": "",
      "description": ""
    }
  ]
}
```
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list of all ThreatQ adversaries is returned.
| Parameter | Description |
|---|---|
| Offset | Specify the index of the first item to return. By default, this is set to 0. |
| Record Count | Specify the maximum number of adversaries that the operation should return. By default, this is set to 500. |
The output contains the following populated JSON schema:
```json
{
  "total": "",
  "data": [
    {
      "id": "",
      "hash": "",
      "description": "",
      "happened_at": "",
      "title": "",
      "created_at": "",
      "updated_at": "",
      "touched_at": "",
      "type_id": "",
      "sources": [
        {
          "id": "",
          "name": ""
        }
      ],
      "total_indicators": ""
    }
  ]
}
```
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list of all saved search filter queries is returned.
| Parameter | Description |
|---|---|
| Limit | Specify the maximum number of records that the operation should return. By default, this is set to 10. |
| Offset | Specify the index of the first item to return. By default, this is set to 0. |
| Sort By | Specify the name of the fields, in a list of comma-separated values, using which you want to sort the result retrieved from ThreatQ. You can prepend each field with a minus sign (-) to reverse the sorting order. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "name": "",
  "hash": "",
  "json": {
    "ui_query": {
      "columns": [],
      "criteria": {
        "matchType": [],
        "items": []
      },
      "filters": {
        "sources": {
          "matchType": [],
          "filterRange": {
            "set-0": ""
          },
          "values": [
            {
              "source_name": "",
              "set_id": ""
            }
          ]
        }
      },
      "objects": {
        "current": "",
        "selected": []
      },
      "filter_sets": [
        {
          "id": "",
          "operator": "",
          "isNegated": "",
          "expanded": ""
        }
      ]
    },
    "api_query": {
      "criteria": [],
      "filters": {
        "+and": [
          {
            "+or": [
              {
                "source_name": {
                  "name": ""
                }
              }
            ]
          }
        ]
      }
    }
  },
  "created_at": "",
  "updated_at": ""
}
```
| Parameter | Description |
|---|---|
| Object Type | Select the object type for which you want to execute the search query in ThreatQ. You can choose between Adversaries, Attachments, Events, Incident, or Indicators. |
| Query | Specify the api_query which you can retrieve from the response of the 'Get Saved Searches' action. |
| Limit | (Optional) Specify the maximum number of records that the operation should return. By default, this is set to 10. |
| Offset | (Optional) Specify the index of the first item to return. By default, this is set to 0. |
| Sort By | (Optional) Specify the name of the fields, in a list of comma-separated values, using which you want to sort the result retrieved from ThreatQ. You can prepend each field with a minus sign (-) to reverse the sorting order. |
The output contains the following populated JSON schema:
```json
{
  "total": "",
  "data": [
    {
      "class": "",
      "score": "",
      "value": "",
      "touched_at": "",
      "id": "",
      "updated_at": "",
      "published_at": "",
      "created_at": "",
      "status_id": "",
      "hash": "",
      "type_id": "",
      "adversaries": [],
      "type": {
        "name": "",
        "id": "",
        "class": ""
      },
      "status": {
        "name": "",
        "id": "",
        "description": ""
      },
      "sources": [
        {
          "indicator_id": "",
          "indicator_status_id": "",
          "published_at": "",
          "source_id": "",
          "id": "",
          "created_at": "",
          "source_type": "",
          "creator_source_id": "",
          "indicator_type_id": "",
          "reference_id": "",
          "updated_at": "",
          "name": ""
        }
      ]
    }
  ],
  "offset": "",
  "limit": ""
}
```
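The Get Saved Searches record supplies the api_query that Run Search Query expects, and the Run Search Query output reports total, offset and limit so a playbook can page through large results. The following added example (not part of the connector) takes a saved-search record, validates the Object Type against the values listed in the parameter table, parses the Sort By syntax with its minus-sign prefix, and walks every page; the fetch callable is a hypothetical stand-in for the playbook step.

```python
"""Run a saved ThreatQ search and page through the result.

Added example, not code from the FortiSOAR ThreatQ connector. It uses the
Get Saved Searches output schema (for json.api_query) and the Run Search
Query inputs and output (limit/offset/total) documented above. The fetch
callable is hypothetical and stands in for the playbook step.
"""
from typing import Any, Callable, Dict, Iterator, List, Tuple

# Object types the Run Search Query operation accepts (from its parameter table).
OBJECT_TYPES = {"Adversaries", "Attachments", "Events", "Incident", "Indicators"}

# Constructed sample shaped like one Get Saved Searches record.
SAMPLE_SAVED_SEARCH: Dict[str, Any] = {
    "id": 12,
    "name": "Indicators from Example Feed",
    "hash": "constructed",
    "json": {
        "ui_query": {"columns": [], "criteria": {"matchType": [], "items": []}},
        "api_query": {
            "criteria": [],
            "filters": {"+and": [{"+or": [{"source_name": {"name": "Example Feed"}}]}]},
        },
    },
    "created_at": "2023-01-01 00:00:00",
    "updated_at": "2023-01-01 00:00:00",
}


def extract_api_query(saved_search: Dict[str, Any]) -> Dict[str, Any]:
    """Return json.api_query from a saved search; that is the Query input of Run Search Query."""
    try:
        query = saved_search["json"]["api_query"]
    except (KeyError, TypeError):
        raise ValueError("saved search record has no json.api_query") from None
    if not isinstance(query, dict):
        raise ValueError("api_query must be a JSON object")
    return query


def parse_sort_by(sort_by: str) -> List[Tuple[str, bool]]:
    """Parse the comma-separated Sort By value; a leading '-' reverses that field's order."""
    fields: List[Tuple[str, bool]] = []
    for raw in sort_by.split(","):
        name = raw.strip()
        if name:
            fields.append((name.lstrip("-"), name.startswith("-")))
    return fields


def build_inputs(object_type: str, saved_search: Dict[str, Any],
                 limit: int = 10, offset: int = 0, sort_by: str = "") -> Dict[str, Any]:
    """Assemble the Run Search Query inputs, rejecting values the operation does not accept."""
    if object_type not in OBJECT_TYPES:
        raise ValueError(f"unsupported object type: {object_type!r}")
    if limit <= 0 or offset < 0:
        raise ValueError("limit must be positive and offset non-negative")
    parse_sort_by(sort_by)  # fail early on a malformed value
    return {"object_type": object_type, "query": extract_api_query(saved_search),
            "limit": limit, "offset": offset, "sort_by": sort_by}


def iterate_results(fetch: Callable[[Dict[str, Any]], Dict[str, Any]],
                    inputs: Dict[str, Any], max_pages: int = 1000) -> Iterator[Dict[str, Any]]:
    """Yield every record by re-running the query with an advancing offset until total is reached."""
    offset = inputs["offset"]
    for _ in range(max_pages):
        page = fetch({**inputs, "offset": offset})
        data = page.get("data") or []
        yield from data
        offset += len(data)
        if not data or offset >= int(page.get("total") or 0):
            return
    raise RuntimeError("pagination did not terminate")


def make_fake_fetch(total: int) -> Callable[[Dict[str, Any]], Dict[str, Any]]:
    """Constructed stand-in for the playbook step, serving `total` indicator records."""
    def fetch(inputs: Dict[str, Any]) -> Dict[str, Any]:
        start, limit = inputs["offset"], inputs["limit"]
        ids = range(start, min(start + limit, total))
        return {"total": total, "offset": start, "limit": limit,
                "data": [{"id": i, "value": f"indicator-{i}", "class": "network"} for i in ids]}
    return fetch


def collect_all(object_type: str, saved_search: Dict[str, Any], total: int) -> List[Dict[str, Any]]:
    """Run the saved search against the fake fetch and return all records across pages."""
    inputs = build_inputs(object_type, saved_search, limit=10, sort_by="-created_at,value")
    return list(iterate_results(make_fake_fetch(total), inputs))


if __name__ == "__main__":
    print(len(collect_all("Indicators", SAMPLE_SAVED_SEARCH, 25)), "records")
```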
| Parameter | Description |
|---|---|
| Object Type | Select the type of object to which you want to add the specified attribute. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the object to which you want to add the specified attribute. |
| Attribute Name | Specify the name of the attribute you want to add to the specified object in ThreatQ. |
| Attribute Value | Specify the value of the attribute you want to add to the specified object in ThreatQ. |
The output contains the following populated JSON schema:
```json
{
  "total": "",
  "data": {
    "status": "",
    "result": ""
  }
}
```
| Parameter | Description |
|---|---|
| Object Type | Select the type of object from which you want to remove the specified attribute. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the object from which you want to remove the specified attribute. |
| ID | Specify the ID of the attribute you want to remove from the specified object in ThreatQ. |
The output contains the following populated JSON schema:
```json
{
  "result": "",
  "status": ""
}
```
| Parameter | Description |
|---|---|
| Object Type | Select the type of object to which you want to add the specified source. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the object to which you want to add the specified source. |
| Source Value | Specify the value of the source you want to add to the specified object in ThreatQ. |
The output contains the following populated JSON schema:
```json
{
  "status": "",
  "result": ""
}
```
| Parameter | Description |
|---|---|
| Object Type | Select the type of object from which you want to remove the specified source. You can choose between Adversaries, Attachments, Events, or Indicators. NOTE: Currently, this operation works on Adversaries and Indicators only. Therefore, you must not select Attachments or Events. |
| Object ID | Specify the ID of the object from which you want to remove the specified source. |
| Source ID | Specify the ID of the source you want to remove from the specified object in ThreatQ. |
The output contains the following populated JSON schema:
```json
{
  "result": "",
  "status": ""
}
```
| Parameter | Description |
|---|---|
| Object Type | Select the type of object for which you want to retrieve relationships from ThreatQ. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the object for which you want to retrieve relationships from ThreatQ. |
| Related Object Type | Select the type of related object whose relationship details you want to retrieve from ThreatQ. You can choose between Adversaries, Attachments, Events, or Indicators. |
The output contains the following populated JSON schema:
```json
{
  "data": [
    {
      "id": "",
      "hash": "",
      "class": "",
      "pivot": {
        "id": "",
        "src_type": "",
        "dest_type": "",
        "created_at": "",
        "updated_at": "",
        "src_object_id": "",
        "dest_object_id": ""
      },
      "score": "",
      "value": "",
      "sources": [
        {
          "name": ""
        }
      ],
      "type_id": "",
      "status_id": "",
      "sync_hash": "",
      "created_at": "",
      "deleted_at": "",
      "expired_at": "",
      "expires_at": "",
      "touched_at": "",
      "updated_at": "",
      "description": "",
      "last_detected_at": "",
      "expires_needs_calc": "",
      "expires_calculated_at": ""
    }
  ],
  "limit": "",
  "total": "",
  "offset": ""
}
```
| Parameter | Description |
|---|---|
| Object Type | Select the type of the first object that you want to link in ThreatQ. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the first object that you want to link in ThreatQ. |
| Object Type | Select the type of the second object that you want to link in ThreatQ. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the second object that you want to link in ThreatQ. |
The output contains the following populated JSON schema:
```json
{
  "data": [
    {
      "id": "",
      "name": "",
      "pivot": {
        "id": "",
        "created_at": "",
        "updated_at": ""
      },
      "created_at": "",
      "touched_at": "",
      "updated_at": ""
    }
  ],
  "total": ""
}
```
| Parameter | Description |
|---|---|
| Object Type | Select the type of the first object that you want to unlink from ThreatQ. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the first object that you want to unlink from ThreatQ. |
| Object Type | Select the type of the second object that you want to unlink from ThreatQ. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the second object that you want to unlink from ThreatQ. |
The output contains the following populated JSON schema:
```json
{
  "result": "",
  "status": ""
}
```
The Sample - ThreatQ - 2.1.0 playbook collection comes bundled with the ThreatQ connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ThreatQ connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
| Get Indicator Statuses | Retrieves a list containing all available indicator statuses and their id values from ThreatQ. You can use these IDs to create new indicators. |
get_indicator_status Investigation |
| Get Reputation | Retrieves the reputation for the indicator from ThreatQ, based on the indicator name and type that you specify. | get_reputation Investigation |
| Search Indicator | Queries ThreatQ for an indicator that you specify using the name of the indicator and this operation retrieves details for the specified indicator. | search_indicator Investigation |
| Get IP Reputation | Retrieves the reputation for an IP from ThreatQ, based on the IP address that you specify. | get_ip_reputation Investigation |
| Get Domain Reputation | Retrieves the reputation for a domain from ThreatQ, based on the domain name that you specify. | get_domain_reputation Investigation |
| Get URL Reputation | Retrieves the reputation for a URL from ThreatQ, based on the URL type (either URL or URL path) and URL value that you specify. | get_url_reputation Investigation |
| Get File Reputation | Retrieves the reputation of a specific file from ThreatQ based on the filehash type and filehash value that you specify. | get_file_reputation Investigation |
| Get List of Indicators | Retrieves a list of available indicators from ThreatQ, based on the parameters that you have specified. | get_iocs Investigation |
| Get Related IOCs | Retrieves details for IOCs related to an indicator from ThreatQ, based on the name of the indicator that you specify. | get_iocs Investigation |
| Get Event Types | Retrieves a list containing all available event types from ThreatQ. | get_event_types Investigation |
| Search Event | Queries ThreatQ for an event that you specify using the name of the indicator and this operation retrieves details for the specified event. | search_event Investigation |
| Get List of Events | Retrieves a list containing all the events from ThreatQ. | get_event Investigation |
| Update Indicator | Updates the status of the indicator, in ThreatQ, based on the name of the indicator that you specify. | update_ioc Investigation |
| Link IOCs | Links two IOCs in ThreatQ, based on the names of the indicators that you specify. | link_ioc Investigation |
| Get List of Adversaries | Retrieves a list containing all the adversaries or specific adversaries from ThreatQ based on the input parameters you have specified. | get_list_of_adversaries Investigation |
| Get Saved Searches | Retrieves a list containing a list of all saved searches filter queries or specific saved searches filter queries from ThreatQ based on the input parameters you have specified. | get_saved_searches Investigation |
| Run Search Query | Executes a saved search query in ThreatQ based on the object type, query, and input parameters you have specified. | run_search_query Investigation |
| Add Attribute | Adds a specific attribute to a specific object in ThreatQ based on the object type and ID, and the attribute name and value you have specified. | add_attribute Investigation |
| Remove Attribute | Removes a specific attribute from a specific object in ThreatQ based on the object type and ID, and the attribute ID you have specified. | remove_attribute Investigation |
| Add Source | Adds a source to a specific object in ThreatQ based on the object type and ID, and the attribute ID you have specified. | add_source Investigation |
| Remove Source | Removes a specific source from a specific object in ThreatQ based on the object type and ID, and the attribute ID you have specified. | remove_attribute Investigation |
| Get Related Objects | Retrieves details for objects related to a specific object from ThreatQ based on the object type and ID, and the related object type you have specified. | get_related_objects Investigation |
| Link Two Objects | Links two specific objects in ThreatQ based on the object type and object ID you have specified. | link_two_objects Investigation |
| Unlink Two Objects | Unlinks two specific objects in ThreatQ based on the object type and object ID you have specified. | unlink_two_objects Investigation |
| Parameter | Description |
|---|---|
| Event Type | Specify the type of the event that you want to create in ThreatQ. Event types are defined in ThreatQ and you can choose from the following: Spearphish, Watering Hole, SQL Injection Attack, DoS Attack, Malware, Watchlist, Command and Control, Anonymization Exfiltration, Host Characteristics, Compromised PKI Certificate, Login Compromise, and Incident. You can fetch the event types using the Get Event Types operation. |
| Title | Specify the name to be given to the newly created event in ThreatQ. |
| Source | Specify the name of the source from where you are creating this event. |
| Description | (Optional) Specify the description to be added to the newly created event in ThreatQ. |
The output contains the following populated JSON schema:
{
"data": {
"id": "",
"description": "",
"created_at": "",
"sources": [],
"type_id": "",
"title": "",
"happened_at": "",
"hash": ""
}
}
| Parameter | Description |
|---|---|
| Adversary Name | Specify the name to be given to the newly created adversary in ThreatQ. |
| Source | Specify the name of the source from where you are creating this adversary. |
| Description | (Optional) Specify the description to be added to the newly created adversary in ThreatQ. |
The output contains the following populated JSON schema:
{
"data": {
"id": "",
"name": "",
"sources": [],
"created_at": "",
"updated_at": "",
"description": ""
}
}
| Parameter | Description |
|---|---|
| Indicator Value | Specify the name of the indicator to be created in ThreatQ. |
| Indicator Type | Specify the type of the indicator that you want to create in ThreatQ. Indicator types are defined in ThreatQ and you can choose from the following: Email Address, Email Attachment, Email Subject, X-Mailer, FQDN, IP Address, Mutex, Username, Password, File Path, Filename, MD5, SHA-1, SHA-256, SHA-384, SHA-512, String, Fuzzy Hash, GOST Hash, URL, URL Path, User-agent, Registry Key, CVE, and CIDR Block. You can fetch the indicator types using the Get Indicator Types operation. |
| Indicator Status | Select the status of the indicator that you want to create in ThreatQ. Indicator statuses are defined in ThreatQ and you can choose from the following:
Get Indicator Statuses operation. |
| Source | Specify the name of the source from where you are creating this IOC. |
The JSON output retrieves the details of the newly created indicator from ThreatQ.
The output contains the following populated JSON schema:
{
"total": "",
"data": [
{
"expires_at": "",
"expires_calculated_at": "",
"last_detected_at": "",
"type_id": "",
"created_at": "",
"sources": [
{
"name": "",
"type": "",
"expire_days": "",
"id": "",
"created_at": "",
"score": "",
"updated_at": ""
}
],
"value": "",
"existing": "",
"updated_at": "",
"type": {
"name": "",
"id": "",
"created_at": "",
"score": "",
"wildcard_matching": "",
"updated_at": "",
"class": ""
},
"hash": "",
"id": "",
"touched_at": "",
"status_id": "",
"expired_at": "",
"description": "",
"class": ""
}
]
}
None.
The JSON retrieves a list of all available indicator types from ThreatQ.
The output contains the following populated JSON schema:
{
"total": "",
"data": [
{
"id": "",
"name": "",
"wildcard_matching": "",
"score": "",
"created_at": "",
"updated_at": "",
"class": ""
}
]
}
None. Include this operation in the ThreatQ playbook and you will get a list containing all available indicator statuses and their id values. You can use these IDs to create new indicators.
The JSON retrieves a list of all available indicator statuses and their id values from ThreatQ.
The output contains the following populated JSON schema:
{
"total": "",
"data": [
{
"id": "",
"name": "",
"user_editable": "",
"description": "",
"visible": "",
"include_in_export": "",
"protected": "",
"created_at": "",
"updated_at": ""
}
]
}
| Parameter | Description |
|---|---|
| Indicator Type | Select the type of the indicator for which you want to retrieve reputation from ThreatQ. Indicator types are defined in ThreatQ and you can choose from the following:
Get Indicator Types operation. |
| Indicator | Specify the name of the indicator for which you want to retrieve reputation from ThreatQ. |
The JSON output retrieves the reputation for the indicator from ThreatQ, based on the indicator name and type that you have specified.
The output contains the following populated JSON schema:
{
"indicator_id": "",
"indicator_type": "",
"class": "",
"score": {
"indicator_id": "",
"score_config_hash": "",
"created_at": "",
"updated_at": "",
"manual_score": "",
"generated_score": ""
},
"created_at": "",
"related_adversaries": {
"count": "",
"details": []
},
"indicator_value": "",
"indicator_status": "",
"tq_link": "",
"related_indicators": {
"count": "",
"details": []
},
"attributes": {
"count": "",
"details": []
},
"sources": "",
"related_attachments": "",
"related_signatures": "",
"related_events": "",
"description": "",
"hash": ""
}
| Parameter | Description |
|---|---|
| Indicator | Specify the name of the indicator that which you want to search for in ThreatQ and whose details you want to retrieve from ThreatQ. |
The JSON output retrieves the details for the indicator from ThreatQ, based on the indicator name that you have specified.
The output contains the following populated JSON schema:
{
"score": {},
"indicator_id": "",
"indicator_type": "",
"created_at": "",
"related_adversaries": {
"count": "",
"details": []
},
"indicator_value": "",
"indicator_status": "",
"tq_link": "",
"related_indicators": {
"count": "",
"details": []
},
"attributes": {
"count": "",
"details": []
},
"sources": "",
"related_attachments": "",
"related_signatures": "",
"related_events": "",
"description": ""
}
| Parameter | Description |
|---|---|
| IP Address | Specify the IP address for which you want to retrieve the reputation from ThreatQ. |
The JSON output retrieves the reputation for the IP from ThreatQ, based on the IP address you have specified.
The output contains the following populated JSON schema:
{
"indicator_id": "",
"indicator_type": "",
"class": "",
"score": {
"indicator_id": "",
"score_config_hash": "",
"created_at": "",
"updated_at": "",
"manual_score": "",
"generated_score": ""
},
"created_at": "",
"related_adversaries": {
"count": "",
"details": []
},
"indicator_value": "",
"indicator_status": "",
"tq_link": "",
"related_indicators": {
"count": "",
"details": []
},
"attributes": {
"count": "",
"details": []
},
"sources": "",
"related_attachments": "",
"related_signatures": "",
"related_events": "",
"description": "",
"hash": ""
}
| Parameter | Description |
|---|---|
| Domain | Specify the name of the domain for which you want to retrieve reputation from ThreatQ. |
The JSON output retrieves the reputation for the domain from ThreatQ, based on the domain name you have specified.
The output contains the following populated JSON schema:
{
"indicator_id": "",
"indicator_type": "",
"class": "",
"score": {
"indicator_id": "",
"score_config_hash": "",
"created_at": "",
"updated_at": "",
"manual_score": "",
"generated_score": ""
},
"created_at": "",
"related_adversaries": {
"count": "",
"details": []
},
"indicator_value": "",
"indicator_status": "",
"tq_link": "",
"related_indicators": {
"count": "",
"details": []
},
"attributes": {
"count": "",
"details": []
},
"sources": "",
"related_attachments": "",
"related_signatures": "",
"related_events": "",
"description": "",
"hash": ""
}
| Parameter | Description |
|---|---|
| Indicator Type | Select the type of indicator (URL in this case) for which you want to retrieve reputation from ThreatQ. Indicator types are defined in ThreatQ and you can choose from the following:
Get Indicator Types operation. |
| Indicator Value | Specify the value of the URL for which you want to retrieve reputation from ThreatQ. |
The JSON output retrieves the reputation for the URL from ThreatQ, based on the URL type and value you have specified.
The output contains the following populated JSON schema:
{
"indicator_id": "",
"indicator_type": "",
"class": "",
"score": {
"indicator_id": "",
"score_config_hash": "",
"created_at": "",
"updated_at": "",
"manual_score": "",
"generated_score": ""
},
"created_at": "",
"related_adversaries": {
"count": "",
"details": []
},
"indicator_value": "",
"indicator_status": "",
"tq_link": "",
"related_indicators": {
"count": "",
"details": []
},
"attributes": {
"count": "",
"details": []
},
"sources": "",
"related_attachments": "",
"related_signatures": "",
"related_events": "",
"description": "",
"hash": ""
}
| Parameter | Description |
|---|---|
| Indicator Type | Select the type of indicator (File in this case) for which you want to retrieve reputation from ThreatQ. Indicator types are defined in ThreatQ and you can choose from the following:
Get Indicator Types operation. |
| Indicator Value | Specify the value of the file for which you want to retrieve reputation from ThreatQ. |
The JSON output retrieves the reputation for the file from ThreatQ, based on the file type and value you have specified.
The output contains the following populated JSON schema:
{
"indicator_id": "",
"indicator_type": "",
"class": "",
"score": {
"indicator_id": "",
"score_config_hash": "",
"created_at": "",
"updated_at": "",
"manual_score": "",
"generated_score": ""
},
"created_at": "",
"related_adversaries": {
"count": "",
"details": []
},
"indicator_value": "",
"indicator_status": "",
"tq_link": "",
"related_indicators": {
"count": "",
"details": []
},
"attributes": {
"count": "",
"details": []
},
"sources": "",
"related_attachments": "",
"related_signatures": "",
"related_events": "",
"description": "",
"hash": ""
}
| Parameter | Description |
|---|---|
| Record Count | (Optional) Specify the maximum number of indicators that the operation should return. By default, this is set to 100. |
| Sort By | (Optional) Select the sorting criteria to sort the indicators either by the indicator create date or the indicator update date. You can choose from the following options:
|
| Indicator Class | (Optional) Specify the class of indicator for which you want to retrieve the list of indicators. Indicator classes are defined in ThreatQ and you can choose from the following: Network or Host. |
The JSON retrieves a list of available indicators from ThreatQ, based on the parameters that you have specified.
The output contains the following populated JSON schema:
{
"total": "",
"data": [
{
"created_at": "",
"value": "",
"touched_at": "",
"updated_at": "",
"last_detected_at": "",
"sources": [
{
"id": "",
"type": "",
"published_at": "",
"updated_at": "",
"tlp_id": "",
"created_at": "",
"name": "",
"pivot": {
"id": "",
"indicator_id": "",
"source_id": "",
"creator_source_id": ""
}
}
],
"id": "",
"expires_at": "",
"hash": "",
"status": {
"id": "",
"name": "",
"user_editable": "",
"description": "",
"visible": "",
"include_in_export": "",
"protected": "",
"created_at": "",
"updated_at": ""
},
"status_id": "",
"type": {
"id": "",
"name": "",
"wildcard_matching": "",
"score": "",
"created_at": "",
"updated_at": "",
"class": ""
},
"score": {
"indicator_id": "",
"created_at": "",
"score_config_hash": "",
"manual_score": "",
"generated_score": "",
"updated_at": ""
},
"expires_calculated_at": "",
"type_id": "",
"expired_at": "",
"class": "",
"description": ""
}
]
}
| Parameter | Description |
|---|---|
| Indicator | Specify the name of the indicator for which you want to fetch the related IOCs. |
The JSON output retrieves the details for the related indicator(s) from ThreatQ, based on the indicator name you have specified.
The output contains the following populated JSON schema:
{
"related_indicators": {
"count": "",
"details": [
{
"id": "",
"value": "",
"class": "",
"hash": ""
}
]
}
}
You do not need to provide any input parameters for this operation. Include this operation in the ThreatQ playbook and you will get a list containing all available event types and their ID values.
The JSON retrieves a list of all available event types from ThreatQ.
The output contains the following populated JSON schema:
{
"total": "",
"data": [
{
"id": "",
"updated_at": "",
"name": "",
"user_editable": "",
"created_at": ""
}
]
}
| Parameter | Description |
|---|---|
| Event Name | Specify the name of the event that which you want to search for in ThreatQ and whose details you want to retrieve from ThreatQ. |
The JSON output retrieves the details for the specified event from ThreatQ, based on the event name you have specified. If the event that you have specified is not found, an error message is displayed.
The output contains the following populated JSON schema:
{
"data": {
"title": "",
"created_at": "",
"watchlist": [],
"sources": [],
"signatures": [],
"id": "",
"updated_at": "",
"attachments": [],
"description": "",
"adversaries": [],
"recipients": [],
"type": {},
"hash": "",
"comments": [],
"events": [],
"type_id": "",
"attributes": [],
"happened_at": "",
"spearphish": ""
}
}
| Parameter | Description |
|---|---|
| Offset | (Optional) Specify the index of the first item to return. By default, this is set to 0. |
| Record Count | (Optional) The maximum number of events that the operation should return. By default, this is set to 10. |
| Event Type | (Optional) Select the type of event for which you want to retrieve the list of events from ThreatQ. Event types are defined in ThreatQ and you can choose from the following:
Get Event Types operation. |
| Event Sources | (Optional) Specify the name of the event sources for which you want to retrieve the list of events from ThreatQ. |
The JSON retrieves a list of all available events from ThreatQ that match the parameters that you have specified.
The output contains the following populated JSON schema:
{
"total": "",
"data": [
{
"id": "",
"hash": "",
"description": "",
"happened_at": "",
"title": "",
"created_at": "",
"updated_at": "",
"touched_at": "",
"type_id": "",
"sources": [
{
"id": "",
"name": ""
}
],
"total_indicators": ""
}
]
}
| Parameter | Description |
|---|---|
| Indicator | Specify the name of the indicator whose status you want to update. |
| Indicator Status | Select the status of the indicator that you want to update in ThreatQ. Indicator statuses are defined in ThreatQ and you can choose from the following: Active, Expired, Indirect, Review, White Listed, and Black Listed. You can fetch the indicator statuses using the Get Indicator Statuses operation. |
| Indicator Class | (Optional) Specify the class of indicator that contains the indicator you want to update. Indicator classes are defined in ThreatQ and you can choose from the following: Network or Host. |
The JSON output retrieves the details for the indicator from ThreatQ whose status you want to update.
The output contains the following populated JSON schema:
{
"data": {
"status_id": "",
"class": "",
"type_id": "",
"value": "",
"expires_at": "",
"id": "",
"description": "",
"created_at": "",
"hash": ""
}
}
| Parameter | Description |
|---|---|
| Indicator | Specify the name of the indicator that you want to relate to another indicator in ThreatQ. |
| Link Indicator | Specify the name of the indicator which you want to relate to the first indicator in ThreatQ. |
The JSON output retrieves the details for the indicator (first) from ThreatQ to which you want to create a link containing the second indicator.
The output contains the following populated JSON schema:
{
"total": "",
"data": [
{
"created_at": "",
"value": "",
"touched_at": "",
"updated_at": "",
"last_detected_at": "",
"id": "",
"expires_at": "",
"hash": "",
"status_id": "",
"expires_calculated_at": "",
"pivot": {
"id": "",
"created_at": "",
"updated_at": ""
},
"type_id": "",
"expired_at": "",
"class": "",
"description": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list of all ThreatQ adversaries is returned.
| Parameter | Description |
|---|---|
| Offset | Specify the index of the first item to return. By default, this is set to 0. |
| Record Count | Specify the maximum number of adversaries that the operation should return. By default, this is set to 500. |
The output contains the following populated JSON schema:
{
"total": "",
"data": [
{
"id": "",
"hash": "",
"description": "",
"happened_at": "",
"title": "",
"created_at": "",
"updated_at": "",
"touched_at": "",
"type_id": "",
"sources": [
{
"id": "",
"name": ""
}
],
"total_indicators": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list of all saved searches filter queries is returned.
| Parameter | Description |
|---|---|
| Limit | Specify the maximum number of records that the operation should return. By default, this is set to 10. |
| Offset | Specify the index of the first item to return. By default, this is set to 0. |
| Sort By | Specify the name of the fields, in a list of comma-separated values, using which you want to sort the result retrieved from ThreatQ. You can prepend each field with a minus sign (-) to reverse the sorting order. |
The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"hash": "",
"json": {
"ui_query": {
"columns": [],
"criteria": {
"matchType": [],
"items": []
},
"filters": {
"sources": {
"matchType": [],
"filterRange": {
"set-0": ""
},
"values": [
{
"source_name": "",
"set_id": ""
}
]
}
},
"objects": {
"current": "",
"selected": []
},
"filter_sets": [
{
"id": "",
"operator": "",
"isNegated": "",
"expanded": ""
}
]
},
"api_query": {
"criteria": [],
"filters": {
"+and": [
{
"+or": [
{
"source_name": {
"name": ""
}
}
]
}
]
}
}
},
"created_at": "",
"updated_at": ""
}
| Parameter | Description |
|---|---|
| Object Type | Select the object type for which you want to execute the search query in ThreatQ. You can choose between Adversaries, Attachments, Events, Incident, or Indicators. |
| Query | Specify the api_query which you can retrieve from the response of the 'Get Saved Searches' action. |
| Limit | (Optional) Specify the maximum number of records that the operation should return. By default, this is set to 10. |
| Offset | (Optional) Specify the index of the first item to return. By default, this is set to 0. |
| Sort By | (Optional) Specify the name of the fields, in a list of comma-separated values, using which you want to sort the result retrieved from ThreatQ. You can prepend each field with a minus sign (-) to reverse the sorting order |
The output contains the following populated JSON schema:
{
"total": "",
"data": [
{
"class": "",
"score": "",
"value": "",
"touched_at": "",
"id": "",
"updated_at": "",
"published_at": "",
"created_at": "",
"status_id": "",
"hash": "",
"type_id": "",
"adversaries": [],
"type": {
"name": "",
"id": "",
"class": ""
},
"status": {
"name": "",
"id": "",
"description": ""
},
"sources": [
{
"indicator_id": "",
"indicator_status_id": "",
"published_at": "",
"source_id": "",
"id": "",
"created_at": "",
"source_type": "",
"creator_source_id": "",
"indicator_type_id": "",
"reference_id": "",
"updated_at": "",
"name": ""
}
]
}
],
"offset": "",
"limit": ""
}
| Parameter | Description |
|---|---|
| Object Type | Select the type of object to which you want to add the specified attribute. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the object to which you want to add the specified attribute. |
| Attribute Name | Specify the name of the attribute you want to add to the specified object in ThreatQ. |
| Attribute Value | Specify the value of the attribute you want to add to the specified object in ThreatQ. |
The output contains the following populated JSON schema:
{
"total": "",
"data": {
"status": "",
"result": ""
}
}
| Parameter | Description |
|---|---|
| Object Type | Select the type of object from which you want to remove the specified attribute. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the object from which you want to remove the specified attribute. |
| ID | Specify the ID of the attribute you want to remove from the specified object in ThreatQ. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Object Type | Select the type of object to which you want to add the specified source. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the object to which you want to add the specified source. |
| Source Value | Specify the value of the source you want to add to the specified object in ThreatQ. |
The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}
| Parameter | Description |
|---|---|
| Object Type | Select the type of object from which you want to remove the specified source. You can choose between Adversaries, Attachments, Events, or Indicators. NOTE: Currently, this operation works on Adversaries and Indicators only. Therefore, you must not select Attachments or Events. |
| Object ID | Specify the ID of the object from which you want to remove the specified source. |
| Source ID | Specify the ID of the source you want to remove from the specified object in ThreatQ. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Object Type | Select the type of object for which you want to retrieve relationships from ThreatQ. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the object for which you want to retrieve relationships from ThreatQ. |
| Related Object Type | Select the type of related object whose relationship details you want to retrieve from ThreatQ. You can choose between Adversaries, Attachments, Events, or Indicators. |
The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"hash": "",
"class": "",
"pivot": {
"id": "",
"src_type": "",
"dest_type": "",
"created_at": "",
"updated_at": "",
"src_object_id": "",
"dest_object_id": ""
},
"score": "",
"value": "",
"sources": [
{
"name": ""
}
],
"type_id": "",
"status_id": "",
"sync_hash": "",
"created_at": "",
"deleted_at": "",
"expired_at": "",
"expires_at": "",
"touched_at": "",
"updated_at": "",
"description": "",
"last_detected_at": "",
"expires_needs_calc": "",
"expires_calculated_at": ""
}
],
"limit": "",
"total": "",
"offset": ""
}
| Parameter | Description |
|---|---|
| Object Type | Select the type of the first object that you want to link in ThreatQ. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the first object that you want to link in ThreatQ. |
| Object Type | Select the type of the second object that you want to link in ThreatQ. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the second object that you want to link in ThreatQ. |
The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"name": "",
"pivot": {
"id": "",
"created_at": "",
"updated_at": ""
},
"created_at": "",
"touched_at": "",
"updated_at": ""
}
],
"total": ""
}
| Parameter | Description |
|---|---|
| Object Type | Select the type of the first object that you want to unlink from ThreatQ. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the first object that you want to unlink from ThreatQ. |
| Object Type | Select the type of the second object that you want to unlink from ThreatQ. You can choose between Adversaries, Attachments, Events, or Indicators. |
| Object ID | Specify the ID of the second object that you want to unlink from ThreatQ. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
The Sample - ThreatQ - 2.1.0 playbook collection comes bundled with the ThreatQ connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ThreatQ connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.