Anomali ThreatStream

2.2.1

About the connector

Anomali ThreatStream offers the most comprehensive Threat Intelligence Platform, allowing organizations to access all intelligence feeds and integrate it seamlessly with internal security and IT systems.

This document provides information about the Anomali ThreatStream connector, which facilitates automated interactions with a ThreatStream server using FortiSOAR™ playbooks. Add the Anomali ThreatStream connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting the reputation of an IP address, URL, file, email, or domain, giving you the ability to investigate and contain a file-based incident in a fully automated manner.

Version information

Connector Version: 2.2.1

FortiSOAR™ Version Tested on: 6.4.1

Anomali ThreatStream API Version Tested on: v2

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.2.1

The following enhancements have been made to the Anomali ThreatStream connector in version 2.2.1:

  • Updated the Anomali ThreatStream data ingestion playbooks to make them compatible with version 6.0.0 of the Data Ingestion Wizard. Also, removed the > Anomali ThreatStream > Create playbook to accommodate this change.
  • Updated the tags associated with the playbooks

Important: The output schema for Anomali ThreatStream changed in version 2.0.0 and later of the connector. Therefore, to avoid backward compatibility issues, both the older version of the connector and the current version are retained. For example, if you had installed version 1.1.0 and then install version 2.2.0, both versions 1.1.0 and 2.2.0 are retained. However, if you had installed version 2.0.0 or 2.1.0 and upgrade to version 2.2.0, only version 2.2.0 of the connector is retained.

Data Ingestion support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Anomali ThreatStream. The Data Ingestion Wizard pulls "incidents" from Anomali ThreatStream and creates "alerts" in FortiSOAR™.

For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation. The following playbooks support data ingestion:

  • > Anomali ThreatStream > Fetch
  • >> Anomali ThreatStream > Handle Macros
  • Anomali ThreatStream > Ingest

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-threatstream

Prerequisites to configuring the connector

  • You must have the URL of the ThreatStream server to which you will connect and perform the automated operations.
  • You must have a registered username for the ThreatStream server and the API key for the ThreatStream API integration.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Anomali ThreatStream connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

  • Server URL: IP address or hostname URL of the ThreatStream server to which you will connect and perform the automated operations.
  • Username: Registered username for ThreatStream.
  • API Key: API key configured for your account for using the ThreatStream API.
  • Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards: 

  • Get Domain Reputation: Retrieves the reputation of the specified domain based on the filter criteria, such as the domain name and other input parameters, that you have specified. (Annotation: domain_reputation; Category: Investigation)
  • Get IP Reputation: Retrieves the reputation of the specified IP address based on the filter criteria, such as the IP address and other input parameters, that you have specified. (Annotation: ip_reputation; Category: Investigation)
  • Get URL Reputation: Retrieves the reputation of the specified URL based on the filter criteria, such as the URL and other input parameters, that you have specified. (Annotation: url_reputation; Category: Investigation)
  • Get Email ID Reputation: Retrieves the reputation of the specified email address based on the filter criteria, such as the email address and other input parameters, that you have specified. (Annotation: email_reputation; Category: Investigation)
  • Get File Reputation: Retrieves the reputation of the specified file hash based on the filter criteria, such as the file hash and other input parameters, that you have specified. (Annotation: file_reputation; Category: Investigation)
  • Get Whois Domain Information: Executes a WhoIs lookup on the specified domain name and retrieves a list of domains based on the domain name that you have specified. (Annotation: whois_domain; Category: Investigation)
  • Get Whois IP Information: Executes a WhoIs lookup on the specified IP address and retrieves a list of IP addresses based on the IP address that you have specified. (Annotation: whois_ip; Category: Investigation)
  • Run Filter Language Query: Runs a search query using ThreatStream’s Filter Language Query grammar. (Annotation: search_query; Category: Investigation)
  • Run Advanced Search: Runs an advanced search query using ThreatStream’s Query grammar. (Annotation: search_query; Category: Investigation)
  • Submit Observables: Imports threat data (indicators) into ThreatStream; the imported data then requires approval through the ThreatStream UI. (Annotation: submit_sample; Category: Investigation)
  • Get Submitted Observables Status by Import ID: Retrieves the status of a submitted observable from ThreatStream based on the import ID that was returned in the response of the Submit Observables operation. (Annotation: get_import_job_status; Category: Investigation)
  • Get Import Job Details: Retrieves the details of import jobs from ThreatStream based on the search query that you have specified. (Annotation: get_import_job; Category: Investigation)
  • Create Incident: Creates an incident in ThreatStream based on the name, tags, and other input parameters that you have specified. (Annotation: create_incidents; Category: Investigation)
  • Get Incident List: Retrieves a list of all incidents based on the search query and other input parameters that you have specified. (Annotation: get_incident_list; Category: Investigation)
  • Get Incident List By Indicator: Retrieves a list of incidents based on a specific intelligence value and other input parameters that you have specified. (Annotation: get_incident_list; Category: Investigation)
  • Get Incident: Collects and retrieves generated incidents from ThreatStream based on the incident ID that you have specified. (Annotation: get_incidents; Category: Investigation)
  • Update Incident: Updates an incident in ThreatStream based on the incident ID and other input parameters that you have specified. (Annotation: update_incidents; Category: Investigation)
  • Delete Incident: Deletes an incident from ThreatStream based on the incident ID that you have specified. (Annotation: delet_incidents; Category: Investigation)
  • Create Threat Bulletin: Creates a threat bulletin in ThreatStream based on the name, tags, and other input parameters that you have specified. (Annotation: create_threat_bulletin; Category: Investigation)
  • Update Threat Bulletin: Updates a threat bulletin in ThreatStream based on the incident ID and other input parameters that you have specified. (Annotation: update_threat_bulletin; Category: Investigation)
  • Get Threat Bulletin List: Retrieves a list of all threat bulletins or specific threat bulletins based on the search query and other input parameters that you have specified. (Annotation: get_threat_bulletin_list; Category: Investigation)
  • Get Threat Bulletin Entities: Retrieves a list of all threat model entities associated with a specific threat bulletin based on the threat bulletin ID and other input parameters that you have specified. (Annotation: get_threat_model; Category: Investigation)
  • Get Threat Bulletin Observables: Retrieves a list of all observables associated with a specific threat bulletin based on the threat bulletin ID and other input parameters that you have specified. (Annotation: get_observables_associated_threat_bulletin; Category: Investigation)
  • Submit URLs or Files to Sandbox: Submits files or URLs to a specific ThreatStream-hosted sandbox based on the sandbox name, URLs/files, tags, and other input parameters that you have specified. (Annotation: submit_sample; Category: Investigation)
  • Get Sandbox Status of Submitted URL/File: Retrieves the sandbox status of files or URLs that you have submitted to ThreatStream based on the report ID that you have specified. (Annotation: get_import_job_status; Category: Investigation)
  • Get Sandbox Report of Submitted URL/File: Retrieves the sandbox analysis report of files or URLs that you have submitted to ThreatStream based on the report ID that you have specified. (Annotation: get_report; Category: Investigation)
  • Get Intelligence Enrichments: Retrieves enrichment data for a specific observable using third-party Threat Intelligence (TI) tools, such as Recorded Future, RiskIQ, and others. (Annotation: get_intelligence_enrichments; Category: Investigation)

operation: Get Domain Reputation

Input parameters

  • Domain Name: Name of the domain for which you want to retrieve reputation information.
  • Filter Options: Filter option supported by ThreatStream. The supported options are Exact, Startswith, Contains, Regex, and Regexp. If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the Domain Name in this case). By default, this option is set to False.
  • Number of Records to return: Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, you must also specify the following parameters:
      • Limit: Maximum number of results, per page, that this operation should return.
      • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}

operation: Get IP Reputation

Input parameters

  • IP Address: IP address for which you want to retrieve reputation information.
  • Filter Options: Filter option supported by ThreatStream. The supported options are Exact, Startswith, Contains, Regex, and Regexp. If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the IP Address in this case). By default, this option is set to False.
  • Number of Records to return: Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, you must also specify the following parameters:
      • Limit: Maximum number of results, per page, that this operation should return.
      • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}

operation: Get URL Reputation

Input parameters

  • URL: URL for which you want to retrieve reputation information.
  • Filter Options: Filter option supported by ThreatStream. The supported options are Exact, Startswith, Contains, Regex, and Regexp. If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the URL in this case). By default, this option is set to False.
  • Number of Records to return: Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, you must also specify the following parameters:
      • Limit: Maximum number of results, per page, that this operation should return.
      • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}

operation: Get Email ID Reputation

Input parameters

  • Email ID: Email ID for which you want to retrieve reputation information.
  • Filter Options: Filter option supported by ThreatStream. The supported options are Exact, Startswith, Contains, Regex, and Regexp. If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the Email ID in this case). By default, this option is set to False.
  • Number of Records to return: Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, you must also specify the following parameters:
      • Limit: Maximum number of results, per page, that this operation should return.
      • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}

operation: Get File Reputation

Input parameters

  • Filehash: File hash for which you want to retrieve reputation information.
  • Filter Options: Filter option supported by ThreatStream. The supported options are Exact, Startswith, Contains, Regex, and Regexp. If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the file hash in this case). By default, this option is set to False.
  • Number of Records to return: Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, you must also specify the following parameters:
      • Limit: Maximum number of results, per page, that this operation should return.
      • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}
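The five reputation operations above (domain, IP address, URL, email ID and file hash) share one input shape: an observable, one of the Exact, Startswith, Contains, Regex or Regexp filter options, the optional Validate Input check, and Limit/Offset paging. The Python block below is an added example, not code from this page or from the Fortinet connector. It implements the Validate Input check for all five observable kinds, builds the lookup query parameters, and reduces the "objects" list of the output schema above to a single verdict record, so it generalizes across the five operations rather than showing one. The value__<suffix> query-parameter naming is an assumption about the ThreatStream v2 API, and the sample response is constructed to match the schema on this page.

```python
"""Added example: Validate Input, filter parameters and verdict summary for
the ThreatStream reputation operations. Not part of the Fortinet connector.
The value__<suffix> query parameter names are an assumption about the API."""
import ipaddress
import re
from urllib.parse import urlsplit

# Filter options listed on the page -> assumed lookup suffixes (not from the page).
FILTER_SUFFIX = {
    "Exact": "exact",
    "Startswith": "startswith",
    "Contains": "contains",
    "Regex": "regex",
    "Regexp": "regexp",
}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)+[a-z]{{2,63}}$", re.I)
_EMAIL_RE = re.compile(rf"^[^@\s]+@(?:{_LABEL}\.)+[a-z]{{2,63}}$", re.I)
_HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def validate_observable(kind, value):
    """Return True when value is well-formed for the given indicator kind
    (domain, ip, url, email, filehash). This is what Validate Input does
    before the value is sent to the server."""
    value = value.strip()
    if kind == "domain":
        return bool(_DOMAIN_RE.match(value))
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "url":
        parts = urlsplit(value)
        return parts.scheme in ("http", "https") and bool(parts.netloc)
    if kind == "email":
        return bool(_EMAIL_RE.match(value))
    if kind == "filehash":
        return len(value) in _HASH_LENGTHS and _HEX_RE.match(value) is not None
    raise ValueError(f"unknown indicator kind: {kind!r}")


def build_lookup_params(kind, value, filter_option="Exact", validate_input=False,
                        limit=None, page_index=0):
    """Build the query parameters for one reputation lookup. Validate Input
    only applies to the Exact filter, as the page describes; Limit/Offset are
    only sent for Fetch Limited Records (limit given)."""
    if filter_option not in FILTER_SUFFIX:
        raise ValueError(f"filter option must be one of {list(FILTER_SUFFIX)}")
    value = value.strip()
    if validate_input and filter_option == "Exact" and not validate_observable(kind, value):
        raise ValueError(f"{value!r} is not a valid {kind}")
    params = {f"value__{FILTER_SUFFIX[filter_option]}": value}
    if limit is not None:
        # The page defines Offset as a 0-based page index; the API-side record
        # offset is derived from it (assumption about the API's offset semantics).
        params["limit"] = int(limit)
        params["offset"] = int(page_index) * int(limit)
    return params


def summarise_reputation(response):
    """Reduce the objects list of a reputation response to one verdict record."""
    objs = response.get("objects", [])
    meta = response.get("meta", {})
    if not objs:
        return {"found": False, "total_count": 0}
    active = [o for o in objs if str(o.get("status", "")).lower() == "active"]
    return {
        "found": True,
        "total_count": int(meta.get("total_count") or len(objs)),
        "active": len(active),
        "max_confidence": max(int(o.get("confidence") or 0) for o in objs),
        "max_threatscore": max(int(o.get("threatscore") or 0) for o in objs),
        "itypes": sorted({o["itype"] for o in objs if o.get("itype")}),
        "tags": sorted({t["name"] for o in objs for t in (o.get("tags") or []) if t.get("name")}),
        "sources": sorted({o["source"] for o in objs if o.get("source")}),
    }


# Constructed sample shaped like the output schema above; not real ThreatStream data.
SAMPLE_RESPONSE = {
    "meta": {"offset": 0, "limit": 10, "total_count": 2, "next": None, "took": 5, "previous": None},
    "objects": [
        {"value": "evil.example", "type": "domain", "itype": "mal_domain", "status": "active",
         "confidence": 85, "threatscore": 70, "tlp": "amber", "source": "constructed",
         "tags": [{"name": "constructed-sample", "id": "1"}]},
        {"value": "evil.example", "type": "domain", "itype": "c2_domain", "status": "inactive",
         "confidence": 40, "threatscore": 30, "tlp": "green", "source": "constructed",
         "tags": []},
    ],
}

if __name__ == "__main__":
    print(build_lookup_params("domain", "evil.example", validate_input=True, limit=10))
    print(summarise_reputation(SAMPLE_RESPONSE))
```

A playbook step would normally gate on the summary rather than on the raw list: an observable with no active records, or one whose only hits are low-confidence, is treated differently from one with an active high-confidence hit.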

operation: Get Whois Domain Information

Input parameters

  • Domain Name: Name of the domain for which you want to retrieve Whois information.

Output

The output contains the following populated JSON schema:
{
     "contacts": {
         "billing": "",
         "tech": "",
         "registrant": "",
         "admin": ""
     },
     "registrar": [],
     "status": [],
     "updated_date": [],
     "creation_date": [],
     "nameservers": [],
     "emails": [],
     "raw": [],
     "expiration_date": []
}

operation: Get Whois IP Information

Input parameters

  • IP Address: IP address for which you want to retrieve Whois information.

Output

The output contains the following populated JSON schema:
{
     "contacts": {
         "billing": "",
         "tech": "",
         "registrant": "",
         "admin": ""
     },
     "registrar": [],
     "status": [],
     "updated_date": [],
     "creation_date": [],
     "nameservers": [],
     "emails": [],
     "raw": [],
     "expiration_date": []
}

operation: Run Filter Language Query

Input parameters

  • Filter Query: Valid query to be run on the ThreatStream server. The query must conform to ThreatStream’s Filter Language Query grammar.
  • Number of Records to return: Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, you must also specify the following parameters:
      • Limit: Maximum number of results, per page, that this operation should return.
      • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}

operation: Run Advanced Search

Input parameters

  • Advanced Query: Valid query to be run on the ThreatStream server. The query must conform to ThreatStream’s Query grammar.
  • Number of Records to return: Select whether you want this operation to Fetch Limited Records or Fetch All Records. If you select Fetch Limited Records, you must also specify the following parameters:
      • Limit: Maximum number of results, per page, that this operation should return.
      • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}
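The "Number of Records to return" parameter of the two query operations above (and of the reputation and import-job operations) selects between one page of results (Fetch Limited Records, with Limit and Offset) and walking every page (Fetch All Records). The response "meta" object carries the cursor for that walk: "offset", "limit", "total_count" and "next". The Python block below is an added example, not code from this page or from the Fortinet connector. It implements both modes against a fetch function, follows "meta.next" until the server reports no more pages, caps the walk so a misbehaving server cannot loop a playbook forever, and includes a fetcher that honours the connector's Server URL, Username, API Key and Verify SSL settings. The /api/v2/intelligence/ path and the username/api_key query-string authentication are assumptions about the ThreatStream v2 API; the in-memory fake server and its records are constructed.

```python
"""Added example: Fetch Limited Records / Fetch All Records paging for the
ThreatStream query operations. Not part of the Fortinet connector. The
endpoint path and the username/api_key query-string authentication are
assumptions about the ThreatStream v2 API."""
import json
import ssl
import urllib.parse
import urllib.request

INTELLIGENCE_PATH = "/api/v2/intelligence/"  # assumed endpoint


def make_http_fetcher(server_url, username, api_key, verify_ssl=True, timeout=30):
    """Return fetch(path, params) -> dict for a live server, built from the
    connector's Server URL / Username / API Key / Verify SSL settings."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        # Mirrors Verify SSL = false: the server certificate is not checked,
        # so the connection could be intercepted; keep True outside a lab.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    base = server_url.rstrip("/")
    if not base.startswith(("http://", "https://")):
        base = "https://" + base  # the page allows a bare IP address or hostname

    def fetch(path, params):
        query = dict(params, username=username, api_key=api_key)  # assumed auth scheme
        url = f"{base}{path}?{urllib.parse.urlencode(query)}"
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return json.load(resp)

    return fetch


def fetch_limited(fetch, path, params, limit, page_index=0):
    """Fetch Limited Records: return one page. The page defines Offset as a
    0-based page index, so it is converted to a record offset for the request."""
    if int(limit) < 1 or int(page_index) < 0:
        raise ValueError("limit must be >= 1 and page_index >= 0")
    page = fetch(path, dict(params, limit=int(limit), offset=int(page_index) * int(limit)))
    return page.get("objects", []), page.get("meta", {})


def fetch_all(fetch, path, params, page_size=100, max_pages=1000):
    """Fetch All Records: follow meta.next until the server has no more,
    with a hard cap so a server that never ends cannot hang the caller."""
    objects = []
    offset = 0
    for _ in range(max_pages):
        page = fetch(path, dict(params, limit=page_size, offset=offset))
        chunk = page.get("objects", [])
        objects.extend(chunk)
        nxt = page.get("meta", {}).get("next")
        if not nxt or not chunk:
            return objects
        # Use the offset the server encoded in "next"; fall back to counting.
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(nxt).query)
        offset = int(qs.get("offset", [offset + len(chunk)])[0])
    raise RuntimeError(f"pagination did not terminate within {max_pages} pages")


# Constructed stand-in for a ThreatStream server so the example runs offline.
SAMPLE_RECORDS = [{"id": i, "value": f"192.0.2.{i}", "type": "ip"} for i in range(7)]


def make_fake_fetcher(records=SAMPLE_RECORDS):
    """Serve `records` in limit/offset pages shaped like the output schema above."""
    def fetch(path, params):
        limit, offset = int(params["limit"]), int(params["offset"])
        chunk = records[offset:offset + limit]
        next_offset = offset + limit
        nxt = f"{path}?limit={limit}&offset={next_offset}" if next_offset < len(records) else None
        return {"meta": {"offset": offset, "limit": limit, "total_count": len(records),
                         "next": nxt, "previous": None, "took": 1},
                "objects": chunk}
    return fetch


if __name__ == "__main__":
    fake = make_fake_fetcher()
    objs, meta = fetch_limited(fake, INTELLIGENCE_PATH, {"value__exact": "192.0.2.3"}, limit=3, page_index=1)
    print(len(objs), meta["next"])
    print(len(fetch_all(fake, INTELLIGENCE_PATH, {}, page_size=3)))
```

Fetch All Records is the mode to be careful with in a playbook: a broad filter query can match a very large intelligence set, and the max_pages cap is the only thing bounding the run time and memory of that step.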

operation: Submit Observables

Input parameters

  • CyOPs Attachment IRI (Optional): Attachment IRI used to access the file directly from the FortiSOAR™ Attachments module. This should be the file from which you want to import observables into ThreatStream. You can import observables from the following file types: CSV, HTML, IOC, JSON, PDF, or TXT.
  • Observable data (Optional): The observable data that you want to import into ThreatStream.
  • Confidence: Confidence value to assign to the observables that you import into ThreatStream. You can specify a value between 0 and 100.
  • Source Confidence Weight (Optional): Specifies the ratio between the source confidence of each indicator and the ThreatStream confidence.
  • Severity: Severity value to assign to the observables that you import into ThreatStream. You can choose from the following options: Low, Medium, High, or Very High.
  • Classification: Classification to assign to the observables that you import into ThreatStream. You can choose from the following options: Private or Public.
  • Expiration Time Stamp: Duration after which the observables expire on ThreatStream. You can choose from the following options: 90 days, 60 days, 30 days, Never, or Custom. By default, it is set to 90 days from the current date.
  • Tags (Optional): Tags to assign to the observables that you import into ThreatStream.
  • IP Indicator Type: Global setting that applies to any imported IP-type indicator for which you do not specify an explicit itype.
  • Domain Indicator Type: Global setting that applies to any imported domain-type indicator for which you do not specify an explicit itype.
  • URL Indicator Type: Global setting that applies to any imported URL-type indicator for which you do not specify an explicit itype.
  • Email Indicator Type: Global setting that applies to any imported email-type indicator for which you do not specify an explicit itype.
  • MD5 Indicator Type: Global setting that applies to any imported MD5-type indicator for which you do not specify an explicit itype.
  • Trusted Circle IDs (Optional): IDs of the trusted circles.

Output

The output contains the following populated JSON schema:
{
     "job_id": "",
     "success": "",
     "import_session_id": ""
}

operation: Get Submitted Observables Status by Import ID

Input parameters

  • Import Session ID: ID of the import session for which you want to retrieve the submitted observable status from ThreatStream. The import session ID is returned in the response of the Submit Observables operation.

Output

The output contains the following populated JSON schema:
{
     "name": "",
     "messages": "",
     "user_id": "",
     "numRejected": "",
     "is_public": "",
     "associations": {
         "tip_reports": [],
         "actors": [],
         "incidents": [],
         "ttps": [],
         "campaigns": []
     },
     "id": "",
     "numIndicators": "",
     "fileType": "",
     "source_confidence_weight": "",
     "notes": "",
     "workgroups": [],
     "is_anonymous": "",
     "organization": {
         "name": "",
         "resource_uri": "",
         "id": ""
     },
     "status": "",
     "num_public": "",
     "email": "",
     "fileName": "",
     "num_private": "",
     "jobID": "",
     "default_comment": "",
     "resource_uri": "",
     "intelligence_source": "",
     "date_modified": "",
     "tags": [],
     "sandbox_submit": "",
     "approved_by_id": "",
     "processed_ts": "",
     "confidence": "",
     "orginal_intelligence": "",
     "date": "",
     "visibleForReview": "",
     "tlp": "",
     "trusted_circles": [],
     "approved_by": {
         "name": "",
         "must_change_password": "",
         "avatar_s3_url": "",
         "organization": {
             "name": "",
             "resource_uri": "",
             "id": ""
         },
         "is_active": "",
         "id": "",
         "email": "",
         "can_share_intelligence": "",
         "resource_uri": "",
         "nickname": ""
     }
}
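Submit Observables and Get Submitted Observables Status by Import ID form one procedure: validate the import inputs (confidence 0 to 100, the Severity and Classification choices, the Expiration Time Stamp choices, the per-kind default indicator types), submit them, then poll the returned import session until the data has been processed and approved in the ThreatStream UI. The Python block below is an added example, not code from this page or from the Fortinet connector. It turns the Submit Observables parameters into a validated request body and reads a status response into a decision record using the field names of the output schema above (status, numIndicators, numRejected, visibleForReview, approved_by_id, processed_ts). The request field names (datatext, expiration_ts, trustedcircles, <kind>_mapping) are assumptions about the ThreatStream import API, and the sample status object is constructed.

```python
"""Added example: input validation for Submit Observables and interpretation
of the Get Submitted Observables Status response. Not part of the Fortinet
connector. Request field names are assumptions about the ThreatStream import
API; the status field names come from the output schema on this page."""
from datetime import datetime, timedelta, timezone

SEVERITIES = {"low": "low", "medium": "medium", "high": "high", "very high": "very-high"}
CLASSIFICATIONS = ("private", "public")
EXPIRATION_DAYS = {"90 days": 90, "60 days": 60, "30 days": 30}
INDICATOR_KINDS = ("ip", "domain", "url", "email", "md5")  # the page's *_Indicator Type settings
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock for reproducible runs


def build_import_payload(observables, confidence, severity, classification,
                         expiration="90 days", custom_expiration=None, tags=None,
                         source_confidence_weight=None, trusted_circle_ids=None,
                         default_itypes=None, now=None):
    """Validate the operation's inputs and produce the import request body."""
    if not observables:
        raise ValueError("at least one observable is required")
    confidence = int(confidence)
    if not 0 <= confidence <= 100:
        raise ValueError("confidence must be between 0 and 100")
    sev = SEVERITIES.get(severity.strip().lower())
    if sev is None:
        raise ValueError("severity must be Low, Medium, High or Very High")
    cls = classification.strip().lower()
    if cls not in CLASSIFICATIONS:
        raise ValueError("classification must be Private or Public")
    now = now or datetime.now(timezone.utc)
    if expiration == "Never":
        expires = None
    elif expiration == "Custom":
        if custom_expiration is None or custom_expiration <= now:
            raise ValueError("Custom expiration needs a timestamp in the future")
        expires = custom_expiration
    elif expiration in EXPIRATION_DAYS:
        expires = now + timedelta(days=EXPIRATION_DAYS[expiration])
    else:
        raise ValueError("expiration must be 90 days, 60 days, 30 days, Never or Custom")

    payload = {
        "datatext": "\n".join(o.strip() for o in observables),  # assumed field name
        "confidence": confidence,
        "severity": sev,
        "classification": cls,
        "expiration_ts": expires.strftime("%Y-%m-%dT%H:%M:%S") if expires else None,
        "tags": list(tags or []),
    }
    if source_confidence_weight is not None:
        payload["source_confidence_weight"] = int(source_confidence_weight)
    if trusted_circle_ids:
        payload["trustedcircles"] = ",".join(str(i) for i in trusted_circle_ids)  # assumed
    for kind, itype in (default_itypes or {}).items():
        if kind not in INDICATOR_KINDS:
            raise ValueError(f"unknown indicator kind {kind!r}")
        payload[f"{kind}_mapping"] = itype  # assumed name for the per-kind default itype
    return payload


def summarise_import_status(status_obj):
    """Read a Get Submitted Observables Status response into a decision record.
    The page states that imported data needs approval through the ThreatStream
    UI, which is what needs_review reflects."""
    total = int(status_obj.get("numIndicators") or 0)
    rejected = int(status_obj.get("numRejected") or 0)
    approved = bool(status_obj.get("approved_by_id"))
    return {
        "import_session_id": status_obj.get("id"),
        "job_id": status_obj.get("jobID"),
        "status": str(status_obj.get("status") or "").lower(),
        "processed": bool(status_obj.get("processed_ts")),
        "needs_review": bool(status_obj.get("visibleForReview")) and not approved,
        "approved": approved,
        "accepted": max(total - rejected, 0),
        "rejected": rejected,
        "messages": status_obj.get("messages") or "",
    }


# Constructed sample shaped like the output schema above; not real ThreatStream data.
SAMPLE_STATUS = {
    "id": "1001", "jobID": "job-1", "status": "approved", "numIndicators": "5",
    "numRejected": "1", "visibleForReview": True, "approved_by_id": "42",
    "processed_ts": "2024-01-02T00:00:00", "messages": "", "is_public": False,
}

if __name__ == "__main__":
    print(build_import_payload(["192.0.2.7", "evil.example"], 80, "High", "Private",
                               expiration="30 days", tags=["constructed"], now=SAMPLE_NOW))
    print(summarise_import_status(SAMPLE_STATUS))
```

A playbook that loops on the status operation can stop on "processed" and "approved" (or on a non-empty "messages" field) and use "accepted" and "rejected" to report how much of the submission actually entered ThreatStream.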

operation: Get Import Job Details

Input parameters

Parameter Description
Search Query Valid query to be run on the ThreatStream server based on which you want to retrieve details of import jobs.
Number of Records to Return Select whether you want this operation to Fetch Limited Records or Fetch All Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results, per page, that this operation should return.
  • Offset: 0 based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "next": "",
         "total_count": "",
         "limit": "",
         "offset": "",
         "previous": ""
     },
     "objects": [
         {
             "name": "",
             "approved_by_id": "",
             "user_id": "",
             "visibleForReview": "",
             "is_public": "",
             "num_public": "",
             "numIndicators": "",
             "email": "",
             "fileType": "",
             "source_confidence_weight": "",
             "date": "",
             "workgroups": [],
             "is_anonymous": "",
             "organization": {
                 "name": "",
                 "resource_uri": "",
                 "id": ""
             },
             "status": "",
             "id": "",
             "numRejected": "",
             "fileName": "",
             "num_private": "",
             "jobID": "",
             "default_comment": "",
             "resource_uri": "",
             "intelligence_source": "",
             "date_modified": "",
             "tags": [
                 {
                     "name": "",
                     "org_id": "",
                     "tlp": "",
                     "id": ""
                 }
             ],
             "sandbox_submit": "",
             "processed_ts": "",
             "confidence": "",
             "orginal_intelligence": "",
             "messages": "",
             "notes": "",
             "tlp": "",
             "trusted_circles": [],
             "approved_by": {
                 "name": "",
                 "must_change_password": "",
                 "avatar_s3_url": "",
                 "organization": {
                     "name": "",
                     "resource_uri": "",
                     "id": ""
                 },
                 "nickname": "",
                 "id": "",
                 "email": "",
                 "can_share_intelligence": "",
                 "resource_uri": "",
                 "is_active": ""
             }
         }
     ]
}

operation: Create Incident

Input parameters

Parameter Description
Name Name of the incident that you want to create in ThreatStream.
The incident name is associated with your organization. Therefore, the name that you specify must be unique within your organization.
Is Incident Public or Private Select whether the incident that you want to create in ThreatStream is Public or Private (including belonging to a trusted circle).
Select this option, i.e., set it to True, if you want to create the incident as a Public incident. This is the default value.
Clear this option, i.e., set it to False, if you want to create the incident as a Private incident or an incident that belongs to a Trusted Circle.
Tags (Optional) Tags assigned to the incident that you want to create in ThreatStream.
A tag is a meaningful name or any other string value assigned to identify the information. For example, spear phishing, exploitation.
Intelligence (Optional) Indicators that are associated with the incident on the ThreatStream platform. You can add multiple intelligence IDs using the comma separator.
TLP (Optional) Traffic Light Protocol (TLP) designation for the incident that you want to create in ThreatStream. You can choose from the following options: Red, Amber, Green, or White.
Fields to Include with The Incident (Optional) Specify other fields that you want to include with the incident that you want to create in ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "name": "",
     "external_references": [],
     "is_public": "",
     "intended_effects": [],
     "logo_s3_url": "",
     "assignee_user": "",
     "publication_status": "",
     "end_date": "",
     "feed_id": "",
     "workgroups": [],
     "is_anonymous": "",
     "organization": {
         "name": "",
         "resource_uri": "",
         "id": ""
     },
     "status": {
         "display_name": "",
         "resource_uri": "",
         "id": ""
     },
     "id": "",
     "owner_user": {
         "name": "",
         "email": "",
         "resource_uri": "",
         "id": ""
     },
     "circles": [],
     "activity_dates": [],
     "resource_uri": "",
     "organization_id": "",
     "modified_ts": "",
     "parent": "",
     "watched_by_me": "",
     "starred_total_count": "",
     "tlp": "",
     "votes": {
         "total": "",
         "me": ""
     },
     "victims": [],
     "starred_by_me": "",
     "description": "",
     "body_content_type": "",
     "published_ts": "",
     "start_date": "",
     "is_cloneable": "",
     "sandbox_reports": [],
     "status_desc": "",
     "created_ts": "",
     "watched_total_count": ""
}

operation: Get Incidents List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Search Query Valid query to be run on the ThreatStream server based on which you want to retrieve the list of incidents. For example, google.com returns all incidents that are associated with google.com.
Limit Maximum number of results, per page, that this operation should return.
Offset 0 based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "next": "",
         "total_count": "",
         "limit": "",
         "offset": "",
         "previous": ""
     },
     "objects": [
         {
             "name": "",
             "is_public": "",
             "starred_by_me": "",
             "publication_status": "",
             "end_date": "",
             "feed_id": "",
             "workgroups": [],
             "is_anonymous": "",
             "is_cloneable": "",
             "status": {
                 "display_name": "",
                 "resource_uri": "",
                 "id": ""
             },
             "id": "",
             "start_date": "",
             "circles": [
                 {
                     "name": "",
                     "resource_uri": "",
                     "id": ""
                 }
             ],
             "resource_uri": "",
             "organization_id": "",
             "modified_ts": "",
             "watched_by_me": "",
             "tags": [],
             "tags_v2": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "starred_total_count": "",
             "published_ts": "",
             "votes": {
                 "total": "",
                 "me": ""
             },
             "tlp": "",
             "created_ts": "",
             "watched_total_count": ""
         }
     ]
}

operation: Get Incident List By Indicator

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Intelligence value to filter Intelligence value using which you want to filter incidents to be retrieved from ThreatStream. For example, google.com returns all Incidents that are associated with google.com.
Limit Maximum number of results that this operation should return.
Offset 0 based index of the page that this operation should return.
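The Get Import Job Details, Get Incidents List and Get Incident List By Indicator operations all page through results with Limit and Offset and return the meta/objects shape shown in their Output schemas. The following is an added example, not code from the Fortinet connector or from Anomali, of how a playbook-side script can implement the "Fetch All Records" behaviour over that shape; the fetch_page callable, the sample incidents and the TLP consistency check are constructed for the example.

```python
"""Added example (not the connector's own code): client-side "Fetch All Records"
over the paginated meta/objects response shape documented above.  The
fetch_page callable and the sample incidents are constructed stand-ins."""

from typing import Callable, Dict, Iterator, List

Page = Dict[str, object]


def iter_all_records(fetch_page: Callable[[int, int], Page], limit: int,
                     max_pages: int = 10_000) -> Iterator[dict]:
    """Yield every object across all pages.

    Follows the Limit/Offset contract from the parameter tables: Offset is the
    0-based index of the page, and meta.next is empty on the last page.
    Objects are de-duplicated by id so a record that shifts between pages while
    we paginate is not yielded twice; max_pages bounds a server that never
    clears meta.next.
    """
    seen_ids = set()
    offset = 0
    while offset < max_pages:
        page = fetch_page(limit, offset)
        meta = page.get("meta") or {}
        objects = page.get("objects") or []
        for obj in objects:
            if obj.get("id") in seen_ids:
                continue
            seen_ids.add(obj.get("id"))
            yield obj
        if not objects or not meta.get("next"):
            return
        offset += 1
    raise RuntimeError(f"pagination did not terminate within {max_pages} pages")


def fetch_all(fetch_page: Callable[[int, int], Page], limit: int) -> List[dict]:
    """Materialise every record, the equivalent of 'Fetch All Records'."""
    return list(iter_all_records(fetch_page, limit))


def public_with_restricted_tlp(records: List[dict]) -> List[int]:
    """IDs of incidents flagged is_public while carrying TLP red or amber,
    i.e. records whose sharing flag contradicts their TLP marking."""
    return [r["id"] for r in records
            if r.get("is_public") is True
            and str(r.get("tlp", "")).lower() in ("red", "amber")]


# --- constructed stand-in for the ThreatStream server's paginated endpoint ---
SAMPLE_INCIDENTS: List[dict] = [
    {"id": 101, "name": "Phishing wave A", "tlp": "amber", "is_public": False},
    {"id": 102, "name": "Credential dump B", "tlp": "red", "is_public": True},
    {"id": 103, "name": "Scanner cluster C", "tlp": "green", "is_public": True},
    {"id": 104, "name": "Watering hole D", "tlp": "white", "is_public": True},
    {"id": 105, "name": "Malspam E", "tlp": "amber", "is_public": False},
]


def make_fake_fetch_page(records: List[dict]) -> Callable[[int, int], Page]:
    """Serve `records` in pages shaped like the Output schema above."""
    def fetch_page(limit: int, offset: int) -> Page:
        start = offset * limit            # Offset is a page index per the doc
        chunk = records[start:start + limit]
        has_more = start + limit < len(records)
        return {
            "meta": {
                "limit": limit,
                "offset": offset,
                "total_count": len(records),
                "next": f"?limit={limit}&offset={offset + 1}" if has_more else None,
                "previous": f"?limit={limit}&offset={offset - 1}" if offset else None,
            },
            "objects": chunk,
        }
    return fetch_page


if __name__ == "__main__":
    incidents = fetch_all(make_fake_fetch_page(SAMPLE_INCIDENTS), limit=2)
    print(len(incidents), "incidents; public but TLP red/amber:",
          public_with_restricted_tlp(incidents))
```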

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "publication_status": "",
             "resource_uri": "",
             "tags": [],
             "is_anonymous": "",
             "published_ts": "",
             "created_ts": "",
             "watched_total_count": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "modified_ts": "",
             "name": "",
             "workgroups": [],
             "organization_id": "",
             "end_date": "",
             "is_public": "",
             "id": "",
             "is_cloneable": "",
             "status": {
                 "id": "",
                 "display_name": "",
                 "resource_uri": ""
             },
             "starred_by_me": "",
             "tlp": "",
             "start_date": ""
         }
     ]
}

operation: Get Incident

Input parameters

Parameter Description
Incident ID ID of the generated incident whose details you want to retrieve from ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "external_references": [
         {
             "title": "",
             "id": "",
             "filename": "",
             "r_type": "",
             "s3_url": "",
             "resource_uri": "",
             "url": ""
         }
     ],
     "logo_s3_url": "",
     "signatures": [],
     "publication_status": "",
     "end_date": "",
     "modified_ts": "",
     "is_cloneable": "",
     "status": {
         "display_name": "",
         "resource_uri": "",
         "id": ""
     },
     "activity_dates": [],
     "tipreports": [],
     "tlp": "",
     "watched_by_me": "",
     "tags": [
         ""
     ],
     "created_ts": "",
     "actors": [],
     "victims": [],
     "incidents": [],
     "body_content_type": "",
     "published_ts": "",
     "starred_total_count": "",
     "sandbox_reports": [],
     "description": "",
     "owner_user": {
         "name": "",
         "email": "",
         "resource_uri": "",
         "id": ""
     },
     "name": "",
     "is_public": "",
     "intended_effects": [],
     "feed_id": "",
     "workgroups": [],
     "is_anonymous": "",
     "organization": {
         "name": "",
         "resource_uri": "",
         "id": ""
     },
     "id": "",
     "circles": [
         {
             "name": "",
             "resource_uri": "",
             "id": ""
         }
     ],
     "resource_uri": "",
     "campaigns": [],
     "organization_id": "",
     "parent": "",
     "intelligence": [],
     "tags_v2": [
         {
             "name": "",
             "id": ""
         }
     ],
     "votes": {
         "total": "",
         "me": ""
     },
     "start_date": "",
     "ttps": [],
     "starred_by_me": "",
     "watched_total_count": "",
     "status_desc": ""
}

operation: Update Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to update on ThreatStream.
Incident Name Name of the incident that you want to update on ThreatStream.
Status (Optional) Select the status of the incident that you want to update on ThreatStream. You can choose from the following options: New, Open, Stalled, Containment Achieved, Restoration Achieved, Incident Reported, Closed, Rejected, or Deleted.
Note: This parameter will make an API call named "get_status" to dynamically populate its dropdown selections.
Status Description (Optional) Description associated with the status of the incident that you want to update on ThreatStream.
Intelligence (Optional) Indicators associated with the Incident on the ThreatStream platform. Multiple intelligence IDs are comma-separated.
Fields to Update on Incident (Optional) Specify other fields that you want to include with the incident that you want to update in ThreatStream.
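The Create Incident and Update Incident tables above describe the same input conventions: a required name, a TLP chosen from Red/Amber/Green/White, comma-separated intelligence IDs, a status from a fixed list, and a free-form "Fields to Include/Update" set. The following added example, not the connector's own code, validates those inputs and assembles a request body from them. It assumes that TLP is sent as a lower-case string, that intelligence IDs are integers, that tags are a comma-separated list of names, and that the free-form field set may not override a field that has its own parameter.

```python
"""Added example (not the connector's own code): input validation and body
assembly for Create Incident / Update Incident.  Lower-case TLP values,
integer intelligence IDs, comma-separated tag names and the protected-field
rule are assumptions of this example."""

from typing import Dict, List, Optional

TLP_OPTIONS = ("red", "amber", "green", "white")
INCIDENT_STATUSES = ("New", "Open", "Stalled", "Containment Achieved",
                     "Restoration Achieved", "Incident Reported", "Closed",
                     "Rejected", "Deleted")


def parse_csv_ids(value: Optional[str]) -> List[int]:
    """'12, 34,,12' -> [12, 34]; rejects non-numeric entries, drops repeats."""
    ids: List[int] = []
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        if not part.isdigit():
            raise ValueError(f"intelligence ID is not numeric: {part!r}")
        if int(part) not in ids:
            ids.append(int(part))
    return ids


def parse_csv_names(value: Optional[str]) -> List[str]:
    """'spear phishing, exploitation' -> ['spear phishing', 'exploitation']"""
    return [p.strip() for p in (value or "").split(",") if p.strip()]


def normalize_tlp(tlp: Optional[str]) -> Optional[str]:
    """Accept the documented options case-insensitively; None if not given."""
    if tlp is None or not tlp.strip():
        return None
    value = tlp.strip().lower()
    if value not in TLP_OPTIONS:
        raise ValueError(f"TLP must be one of {TLP_OPTIONS}, got {tlp!r}")
    return value


def merge_extra_fields(body: Dict[str, object],
                       extra: Optional[Dict[str, object]]) -> Dict[str, object]:
    """Add free-form fields, refusing to silently override a dedicated one
    (an extra 'is_public': True must not flip a private incident)."""
    for key, value in (extra or {}).items():
        if key in body:
            raise ValueError(f"{key!r} is set by its own parameter; not overriding")
        body[key] = value
    return body


def build_create_incident_body(name: str, is_public: bool = True,
                               tags: Optional[str] = None,
                               intelligence: Optional[str] = None,
                               tlp: Optional[str] = None,
                               extra_fields: Optional[Dict[str, object]] = None) -> Dict[str, object]:
    if not name or not name.strip():
        raise ValueError("Name is required")
    body: Dict[str, object] = {"name": name.strip(), "is_public": bool(is_public)}
    if tags:
        body["tags"] = parse_csv_names(tags)
    if intelligence:
        body["intelligence"] = parse_csv_ids(intelligence)
    tlp_value = normalize_tlp(tlp)
    if tlp_value:
        body["tlp"] = tlp_value
    return merge_extra_fields(body, extra_fields)


def build_update_incident_body(incident_id: int, name: str,
                               status: Optional[str] = None,
                               status_desc: Optional[str] = None,
                               intelligence: Optional[str] = None,
                               extra_fields: Optional[Dict[str, object]] = None) -> Dict[str, object]:
    if not isinstance(incident_id, int) or incident_id <= 0:
        raise ValueError("Incident ID must be a positive integer")
    if not name or not name.strip():
        raise ValueError("Incident Name is required")
    body: Dict[str, object] = {"id": incident_id, "name": name.strip()}
    if status:
        if status not in INCIDENT_STATUSES:   # mirrors the documented dropdown
            raise ValueError(f"unknown status {status!r}")
        body["status"] = status
    if status_desc:
        body["status_desc"] = status_desc
    if intelligence:
        body["intelligence"] = parse_csv_ids(intelligence)
    return merge_extra_fields(body, extra_fields)
```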

Output

The output contains the following populated JSON schema:
{
     "name": "",
     "external_references": [],
     "is_public": "",
     "intended_effects": [],
     "logo_s3_url": "",
     "assignee_user": "",
     "publication_status": "",
     "end_date": "",
     "feed_id": "",
     "workgroups": [],
     "is_anonymous": "",
     "organization": {
         "name": "",
         "resource_uri": "",
         "id": ""
     },
     "status": {
         "display_name": "",
         "resource_uri": "",
         "id": ""
     },
     "id": "",
     "owner_user": {
         "name": "",
         "email": "",
         "resource_uri": "",
         "id": ""
     },
     "circles": [],
     "activity_dates": [],
     "resource_uri": "",
     "organization_id": "",
     "modified_ts": "",
     "parent": "",
     "watched_by_me": "",
     "starred_total_count": "",
     "tlp": "",
     "votes": {
         "total": "",
         "me": ""
     },
     "victims": [],
     "starred_by_me": "",
     "description": "",
     "body_content_type": "",
     "published_ts": "",
     "start_date": "",
     "is_cloneable": "",
     "sandbox_reports": [],
     "status_desc": "",
     "created_ts": "",
     "watched_total_count": ""
}

operation: Delete Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to delete from ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Create Threat Bulletin

Input parameters

Parameter Description
Name Name of the threat bulletin that you want to create in ThreatStream.
Format Used for Description (Optional) Format that will be used for the body text of the threat bulletin. You can choose between Markdown (Default) or Richtext.
Description (Optional) Complete text of the threat bulletin that you want to create in ThreatStream.
Is Threat Bulletin Public or Private Select whether the threat bulletin that you want to create in ThreatStream is Public or Private (including belonging to a trusted circle).
Select this checkbox, if you want to create the threat bulletin as a Public Threat Bulletin.
Clear this checkbox, if you want to create the threat bulletin as a Private Threat Bulletin (including belonging to a trusted circle). By default, the threat bulletin is created as Private, i.e., this checkbox is cleared.
TLP (Optional) Traffic Light Protocol (TLP) that you want to designate to the threat bulletin that you want to create in ThreatStream. You can choose from the following options: Red, Amber, Green, or White.
Add an Attachment (Optional) IRI of the file from the FortiSOAR™ 'Attachment' module that you want to add as an attachment to the threat bulletin that you want to create in ThreatStream.
Fields to Include with the Threat Bulletin (Optional) Fields that you want to include with the threat bulletin that you want to create in ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "watched_by_me": "",
     "feed_id": "",
     "import_sessions": [],
     "assignee_user": "",
     "circles": [],
     "is_anonymous": "",
     "assignee_org_id": "",
     "original_source": "",
     "assignee_user_id": "",
     "parent": "",
     "history": [
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "can_share_intelligence": "",
                 "organization": {
                     "id": "",
                     "resource_uri": "",
                     "name": ""
                 },
                 "nickname": "",
                 "is_active": "",
                 "is_readonly": "",
                 "name": "",
                 "must_change_password": "",
                 "email": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         }
     ],
     "is_editable": "",
     "starred_total_count": "",
     "votes": {
         "me": "",
         "total": ""
     },
     "source": "",
     "all_circles_visible": "",
     "threat_actor": "",
     "name": "",
     "owner_org_name": "",
     "owner_user_id": "",
     "tlp": "",
     "campaign": "",
     "body": "",
     "status": "",
     "id": "",
     "private_status_id": "",
     "attachments": [],
     "embedded_content_url": "",
     "resource_uri": "",
     "original_source_id": "",
     "is_email": "",
     "body_content_type": "",
     "logo_s3_url": "",
     "created_ts": "",
     "owner_org": {
         "id": "",
         "resource_uri": "",
         "name": ""
     },
     "assignee_org": "",
     "watched_total_count": "",
     "owner_user_name": "",
     "starred_by_me": "",
     "assignee_org_name": "",
     "modified_ts": "",
     "workgroups": [],
     "is_cloneable": "",
     "owner_user": {
         "avatar_s3_url": "",
         "id": "",
         "resource_uri": "",
         "can_share_intelligence": "",
         "organization": {
             "id": "",
             "resource_uri": "",
             "name": ""
         },
         "nickname": "",
         "is_active": "",
         "is_readonly": "",
         "name": "",
         "must_change_password": "",
         "email": ""
     },
     "embedded_content_type": "",
     "is_public": "",
     "owner_org_id": "",
     "ttp": "",
     "published_ts": "",
     "comments": [],
     "sandbox_reports": [],
     "assignee_user_name": ""
}

operation: Update Threat Bulletin

Input parameters

Parameter Description
Threat Bulletin ID ID of the threat bulletin that you want to update on ThreatStream.
Threat Bulletin Name (Optional) Name of the threat bulletin that you want to update on ThreatStream.
Publication Status (Optional) Publication status that you want to set for the threat bulletin that you want to update on ThreatStream. You can choose from the following options: Published, Reviewed, Review Request, or Pending Review.
Add an Attachment (Optional) Path of the file that you want to add as an attachment to the threat bulletin that you want to update in ThreatStream.
Fields to Update on Threat Bulletin (Optional) Fields that you want to include with the threat bulletin that you want to update in ThreatStream.

Output

The output contains the following populated JSON schema:

Output schema if condition is: {{reference_id === ''}}
{
     "embedded_content_url": "",
     "feed_id": "",
     "import_sessions": [
           {
             "numIndicators": "",
             "trusted_circles": [],
             "tags": [],
             "notes": "",
             "is_anonymous": "",
             "fileType": "",
             "default_comment": "",
             "confidence": "",
             "visibleForReview": "",
             "processed_ts": "",
             "sandbox_submit": "",
             "jobID": "",
             "numRejected": "",
             "resource_uri": "",
             "orginal_intelligence": "[]",
             "date_modified": "",
             "num_private": "",
             "workgroups": [],
             "fileName": "",
             "tlp": "",
             "date": "",
             "messages": "",
             "intelligence_source": "",
             "organization": {
                 "id": "",
                 "name": "",
                 "resource_uri": ""
             },
             "is_public": "",
             "source_confidence_weight": "",
             "id": "",
             "num_public": "",
             "approved_by_id": "",
             "email": "",
             "status": "",
             "approved_by": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "name": "",
             "user_id": ""
         }
     ],
     "attachments": [
         {
             "s3_url": "",
             "tip_report": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": "",
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "modified_ts": "",
             "filename": "",
             "s3_thumbnail_url": "",
             "signed_thumbnail_url": "",
             "created_ts": "",
             "content_type": "",
             "signed_url": ""
         }
     ],
     "history": [
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         },
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                  "email": "",
                  "organization": {
                      "id": "",
                      "name": "",
                      "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         },
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         },
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         },
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         },
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         }
     ],
     "is_anonymous": "",
     "assignee_org_id": "",
     "original_source": "",
     "assignee_user_id": "",
     "parent": "",
     "circles": [],
     "is_editable": true,
     "starred_total_count": "",
     "votes": {
         "me": "",
         "total": ""
     },
     "source": "",
     "threat_actor": "",
     "name": "",
     "owner_org_name": "",
     "owner_user_id": "",
     "tlp": "",
     "original_source_id": "",
     "campaign": "",
     "body": "",
     "status": "",
     "id": "",
     "private_status_id": "",
     "assignee_user": {
         "can_share_intelligence": "",
         "avatar_s3_url": "",
         "id": "",
         "resource_uri": "",
         "email": "",
         "organization": {
             "id": "",
             "name": "",
             "resource_uri": ""
         },
         "nickname": "",
         "is_active": "",
         "is_readonly": "",
         "must_change_password": "",
         "name": ""
     },
     "ttp": "",
     "resource_uri": "",
     "sandbox_reports": [],
     "is_email": "",
     "body_content_type": "",
     "logo_s3_url": "",
     "created_ts": "",
     "owner_org": {
         "id": "",
         "name": "",
         "resource_uri": ""
     },
     "comments": [],
     "watched_total_count": "",
     "owner_user_name": "",
     "starred_by_me": "",
     "assignee_org_name": "",
     "modified_ts": "",
     "workgroups": [],
     "is_cloneable": "",
     "owner_user": {
         "can_share_intelligence": "",
         "avatar_s3_url": "",
         "id": "",
         "resource_uri": "",
         "email": "",
         "organization": {
             "id": "",
             "name": "",
             "resource_uri": ""
         },
         "nickname": "",
         "is_active": true,
         "is_readonly": "",
         "must_change_password": "",
         "name": ""
     },
     "embedded_content_type": "",
     "is_public": false,
     "watched_by_me": "",
     "owner_org_id": "",
     "published_ts": "",
     "assignee_org": "",
     "all_circles_visible": "",
     "assignee_user_name": ""
}

Output schema if an attachment is provided
{
     "attachment": {
         "tip_report": "",
         "s3_url": "",
         "content_type": "",
         "modified_ts": "",
         "user": {
             "can_share_intelligence": "",
             "is_active": "",
             "id": "",
             "name": "",
             "is_readonly": "",
             "email": "",
             "organization": {
                 "id": "",
                 "name": "",
                 "resource_uri": ""
             },
             "nickname": "",
             "avatar_s3_url": "",
             "must_change_password": "",
             "resource_uri": ""
         },
         "id": "",
         "filename": "",
         "s3_thumbnail_url": "",
         "signed_thumbnail_url": "",
         "created_ts": "",
         "signed_url": ""
     },
     "threat_bulletin": {
         "embedded_content_url": "",
         "feed_id": "",
         "import_sessions": [
             {
                 "numIndicators": "",
                 "trusted_circles": [],
                 "tags": [],
                 "notes": "",
                 "is_anonymous": "",
                 "fileType": "",
                 "default_comment": "",
                 "confidence": "",
                 "visibleForReview": "",
                 "processed_ts": "",
                 "sandbox_submit": "",
                 "jobID": "",
                 "numRejected": "",
                 "resource_uri": "",
                 "orginal_intelligence": "[]",
                 "date_modified": "",
                 "num_private": "",
                 "workgroups": [],
                 "fileName": "",
                 "tlp": "",
                 "date": "",
                 "messages": "",
                 "intelligence_source": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "is_public": "",
                 "source_confidence_weight": "",
                 "id": "",
                 "num_public": "",
                 "approved_by_id": "",
                 "email": "",
                 "status": "",
                 "approved_by": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "name": "",
                 "user_id": ""
             }
         ],
         "attachments": [
             {
                 "s3_url": "",
                 "tip_report": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": "",
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "modified_ts": "",
                 "filename": "",
                 "s3_thumbnail_url": "",
                 "signed_thumbnail_url": "",
                 "created_ts": "",
                 "content_type": "",
                 "signed_url": ""
             }
         ],
         "history": [
             {
                 "action": "",
                 "quantity": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "tip_report": "",
                 "detail": "",
                 "ts": ""
             },
             {
                 "action": "",
                 "quantity": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": " ",
                     "organization": {
                         "id": "",
                         "name": " ",
                         "resource_uri": " "
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "tip_report": "",
                 "detail": "",
                 "ts": ""
             },
             {
                 "action": "",
                 "quantity": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "tip_report": "",
                 "detail": "",
                 "ts": ""
             },
             {
                 "action": "",
                 "quantity": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "tip_report": "",
                 "detail": "",
                 "ts": ""
             },
             {
                 "action": "",
                 "quantity": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "tip_report": "",
                 "detail": "",
                 "ts": ""
             },
             {
                 "action": "",
                 "quantity": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "tip_report": "",
                 "detail": "",
                 "ts": ""
             }
         ],
         "is_anonymous": "",
         "assignee_org_id": "",
         "original_source": "",
         "assignee_user_id": "",
         "parent": "",
         "circles": [],
         "is_editable": true,
         "starred_total_count": "",
         "votes": {
             "me": "",
             "total": ""
         },
         "source": "",
         "threat_actor": "",
         "name": "",
         "owner_org_name": "",
         "owner_user_id": "",
         "tlp": "",
         "original_source_id": "",
         "campaign": "",
         "body": "",
         "status": "",
         "id": "",
         "private_status_id": "",
         "assignee_user": {
             "can_share_intelligence": "",
             "avatar_s3_url": "",
             "id": "",
             "resource_uri": "",
             "email": "",
             "organization": {
                 "id": "",
                 "name": "",
                 "resource_uri": ""
             },
             "nickname": "",
             "is_active": "",
             "is_readonly": "",
             "must_change_password": "",
             "name": ""
         },
         "ttp": "",
         "resource_uri": "",
         "sandbox_reports": [],
         "is_email": "",
         "body_content_type": "",
         "logo_s3_url": "",
         "created_ts": "",
         "owner_org": {
             "id": "",
             "name": "",
             "resource_uri": ""
         },
         "comments": [],
         "watched_total_count": "",
         "owner_user_name": "",
         "starred_by_me": "",
         "assignee_org_name": "",
         "modified_ts": "",
         "workgroups": [],
         "is_cloneable": "",
         "owner_user": {
             "can_share_intelligence": "",
             "avatar_s3_url": "",
             "id": "",
             "resource_uri": "",
             "email": "",
             "organization": {
                 "id": "",
                 "name": "",
                 "resource_uri": ""
             },
             "nickname": "",
             "is_active": true,
             "is_readonly": "",
             "must_change_password": "",
             "name": ""
         },
         "embedded_content_type": "",
         "is_public": false,
         "watched_by_me": "",
         "owner_org_id": "",
         "published_ts": "",
         "assignee_org": "",
         "all_circles_visible": "",
         "assignee_user_name": ""
     }
}

operation: Get Threat Bulletin List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Search Query Valid query to be run on the ThreatStream server based on which you want to retrieve the list of threat bulletins. For example, created_ts__gte=2014-10-02T20:44:35
Number of Records to Return This parameter determines if the operation will Fetch All Records or Fetch Limited Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "previous": "",
         "limit": "",
         "total_count": "",
         "offset": "",
         "next": ""
     },
     "objects": [
         {
             "ttp": "",
             "feed_id": "",
             "campaign": "",
             "assignee_user": "",
             "tags": [],
             "is_anonymous": "",
             "assignee_org_id": "",
             "is_editable": "",
             "assignee_user_id": "",
             "parent": "",
             "circles": [
                 {
                     "description": "",
                     "name": "",
                     "resource_uri": "",
                     "openinvite": "",
                     "member": "",
                     "can_edit": "",
                     "pending": "",
                     "num_members": "",
                     "public": "",
                     "is_freemium": "",
                     "can_invite": "",
                     "id": "",
                     "validate_subscriptions": "",
                     "can_override_confidence": "",
                     "anonymous_sharing": "",
                     "restricted_publishing": "",
                     "num_administrators": ""
                 }
             ],
             "original_source": "",
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "source": "",
             "name": "",
             "owner_org_name": "",
             "owner_user_id": "",
             "tlp": "",
             "original_source_id": "",
             "status": "",
             "owner_org_id": "",
             "watched_by_me": "",
             "resource_uri": "",
             "threat_actor": "",
             "body_content_type": "",
             "created_ts": "",
             "owner_org": {
                 "id": "",
                 "resource_uri": "",
                 "name": ""
             },
             "assignee_org": "",
             "is_email": "",
             "owner_user_name": "",
             "starred_by_me": "",
             "assignee_org_name": "",
             "modified_ts": "",
             "workgroups": [],
             "is_cloneable": "",
             "owner_user": {
                 "avatar_s3_url": "",
                 "email": "",
                 "is_active": "",
                 "id": "",
                 "resource_uri": "",
                 "can_share_intelligence": "",
                 "organization": {
                     "id": "",
                     "resource_uri": "",
                     "name": ""
                 },
                 "nickname": "",
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "is_public": "",
             "id": "",
             "published_ts": "",
             "all_circles_visible": "",
             "watched_total_count": "",
             "assignee_user_name": ""
         }
     ]
}

operation: Get Threat Bulletin Entities

Input parameters

Parameter Description
Threat Bulletin ID ID of the threat bulletin whose associated threat model entities you want to retrieve from ThreatStream.
Entity Type Type of the threat model entity, associated with the specified threat bulletin, that you want to retrieve from ThreatStream. You can choose from the following types: Actor, Campaign, Incident, Signature, Tipreport, TTP, or Vulnerability.
Number of Records to Return This parameter determines if the operation will Fetch All Records or Fetch Limited Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema, based on the entity type you have selected.

Output schema for the Actor entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "publication_status": "",
             "resource_uri": "",
             "assignee_user": "",
             "tags": [],
             "is_anonymous": "",
             "created_ts": "",
             "is_team": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "aliases": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "modified_ts": "",
             "name": "",
             "workgroups": [],
             "organization_id": "",
             "tlp": "",
             "is_public": "",
             "id": "",
             "is_cloneable": "",
             "published_ts": "",
             "starred_by_me": "",
             "watched_total_count": "",
             "start_date": ""
         }
     ]
}

Output schema for the Campaign entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "publication_status": "",
             "resource_uri": "",
             "assignee_user": "",
             "tags": [],
             "is_anonymous": "",
             "published_ts": "",
             "created_ts": "",
             "watched_total_count": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "modified_ts": "",
             "name": "",
             "workgroups": [],
             "organization_id": "",
             "end_date": "",
             "is_public": "",
             "id": "",
             "is_cloneable": "",
             "status": {
                 "id": "",
                 "display_name": "",
                 "resource_uri": ""
             },
             "starred_by_me": "",
             "tlp": "",
             "start_date": ""
         }
     ]
}

Output schema for the Incident entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "publication_status": "",
             "resource_uri": "",
             "tags": [],
             "is_anonymous": "",
             "published_ts": "",
             "created_ts": "",
             "watched_total_count": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "modified_ts": "",
             "name": "",
             "workgroups": [],
             "organization_id": "",
             "end_date": "",
             "is_public": "",
             "id": "",
             "is_cloneable": "",
             "status": {
                 "id": "",
                 "display_name": "",
                 "resource_uri": ""
             },
             "starred_by_me": "",
             "tlp": "",
             "start_date": ""
         }
     ]
}

Output schema for the Signature entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "publication_status": "",
             "resource_uri": "",
             "assignee_user": "",
             "tags": [],
             "is_anonymous": "",
             "created_ts": "",
             "watched_total_count": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "modified_ts": "",
             "name": "",
             "s_type": "",
             "organization_id": "",
             "tlp": "",
             "workgroups": [],
             "is_public": "",
             "id": "",
             "is_cloneable": "",
             "published_ts": "",
             "starred_by_me": ""
         }
     ]
}

Output schema for the Tipreport entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "campaign": "",
             "assignee_user": "",
             "tags": [],
             "is_anonymous": "",
             "assignee_org_id": "",
             "original_source": "",
             "assignee_user_id": "",
             "parent": "",
             "circles": [
                 {
                     "description": "",
                     "name": "",
                     "resource_uri": "",
                     "is_freemium": "",
                     "member": "",
                     "can_edit": "",
                     "pending": "",
                     "num_members": "",
                     "public": "",
                     "openinvite": "",
                     "can_invite": "",
                     "anonymous_sharing": "",
                     "validate_subscriptions": "",
                     "can_override_confidence": "",
                     "restricted_publishing": "",
                     "id": "",
                     "num_administrators": ""
                 }
             ],
             "is_editable": "",
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "source": "",
             "assignee_user_name": "",
             "name": "",
             "owner_org_name": "",
             "owner_user_id": "",
             "tlp": "",
             "original_source_id": "",
             "status": "",
             "owner_org_id": "",
             "ttp": "",
             "resource_uri": "",
             "threat_actor": "",
             "body_content_type": "",
             "created_ts": "",
             "owner_org": {
                 "id": "",
                 "name": "",
                 "resource_uri": ""
             },
             "assignee_org": "",
             "is_email": "",
             "owner_user_name": "",
             "starred_by_me": "",
             "all_circles_visible": "",
             "modified_ts": "",
             "workgroups": [],
             "is_cloneable": "",
             "owner_user": {
                 "can_share_intelligence": "",
                 "is_active": "",
                 "id": "",
                 "name": "",
                 "is_readonly": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "avatar_s3_url": "",
                 "must_change_password": "",
                 "resource_uri": ""
             },
             "is_public": "",
             "id": "",
             "published_ts": "",
             "assignee_org_name": "",
             "watched_total_count": ""
         }
     ]
}

Output schema for the TTP entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "publication_status": "",
             "resource_uri": "",
             "assignee_user": "",
             "tags": [],
             "is_anonymous": "",
             "created_ts": "",
             "is_category": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "modified_ts": "",
             "name": "",
             "workgroups": [],
             "organization_id": "",
             "tlp": "",
             "children": [],
             "is_public": "",
             "id": "",
             "is_cloneable": "",
             "published_ts": "",
             "starred_by_me": "",
             "watched_total_count": ""
         }
     ]
}

Output schema for the Vulnerability entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "organization_id": "",
             "feed_id": "",
             "publication_status": "",
             "modified_ts": "",
             "name": "",
             "workgroups": [],
             "is_cloneable": "",
             "assignee_user": "",
             "tags": [],
             "created_ts": "",
             "is_anonymous": "",
             "is_public": "",
             "id": "",
             "is_system": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "published_ts": "",
             "update_id": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "tlp": "",
             "source": "",
             "resource_uri": ""
         }
     ]
}

operation: Get Threat Bulletin Observables

Input parameters

Parameter Description
Threat Bulletin ID ID of the threat bulletin whose associated observables you want to retrieve from ThreatStream.
Number of Records to Return This parameter determines if the operation will Fetch All Records or Fetch Limited Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "previous": "",
         "limit": "",
         "total_count": "",
         "offset": "",
         "next": ""
     },
     "objects": [
         {
             "value": "",
             "meta": {
                 "detail2": "",
                 "detail": "",
                 "severity": ""
             },
             "feed_id": "",
             "asn": "",
             "resource_uri": "",
             "trusted_circle_ids": [],
             "source_reported_confidence": "",
             "longitude": "",
             "tags": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "is_anonymous": "",
             "trusted_circles_ids": [],
             "comments": [
                 {
                     "created_ts": "",
                     "id": "",
                     "user": {
                         "can_share_intelligence": "",
                         "is_active": "",
                         "id": "",
                         "name": "",
                         "is_readonly": "",
                         "email": "",
                         "organization": {
                             "id": "",
                             "name": "",
                             "resource_uri": ""
                         },
                         "nickname": "",
                         "avatar_s3_url": "",
                         "must_change_password": "",
                         "resource_uri": ""
                     },
                     "tlp": "",
                     "ip_address": "",
                     "comment": ""
                 }
             ],
             "created_ts": "",
             "confidence": "",
             "latitude": "",
             "threat_type": "",
             "type": "",
             "org": "",
             "source": "",
             "threatscore": "",
             "country": "",
             "ip": "",
             "modified_ts": "",
             "owner_organization_id": "",
             "workgroups": [],
             "expiration_ts": "",
             "uuid": "",
             "import_session_id": "",
             "is_public": "",
             "id": "",
             "retina_confidence": "",
             "status": "",
             "update_id": "",
             "rdns": "",
             "tlp": "",
             "itype": ""
         }
     ]
}
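
A triage filter for the observables returned by this operation, added here as an example (it is not part of the Fortinet connector). It keeps only observables that are active, sufficiently confident and unexpired, then groups them by `itype`; the sample response, the confidence threshold and the assumption that ThreatStream timestamps are UTC are all constructed for the example.

```python
"""Triage filter for "Get Threat Bulletin Observables" output (added example)."""
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


def parse_threatstream_ts(value: str) -> Optional[datetime]:
    """Parse timestamps like 2014-10-02T20:44:35 or 2014-10-02T20:44:35.123Z.

    The schema shows "" for unset timestamps; those (and unparsable text)
    return None so callers can treat the observable as never expiring."""
    if not value:
        return None
    text = value[:-1] if value.endswith("Z") else value
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        return None
    if parsed.tzinfo is None:
        # Assumption: ThreatStream emits UTC; attach it so comparisons work.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def select_actionable(objects: Iterable[dict], min_confidence: int = 75,
                      now: Optional[datetime] = None) -> List[dict]:
    """Keep observables with status "active", confidence >= min_confidence
    and an expiration_ts that is empty or still in the future.

    confidence is coerced with int() because the schema above shows it as a
    string while live responses carry a number."""
    now = now or datetime.now(timezone.utc)
    kept = []
    for obj in objects:
        if (obj.get("status") or "").lower() != "active":
            continue
        try:
            confidence = int(obj.get("confidence") or 0)
        except (TypeError, ValueError):
            continue  # malformed confidence: do not act on it
        if confidence < min_confidence:
            continue
        expires = parse_threatstream_ts(obj.get("expiration_ts") or "")
        if expires is not None and expires <= now:
            continue
        kept.append(obj)
    return kept


def group_by_itype(objects: Iterable[dict]) -> Dict[str, List[str]]:
    """Group observable values by their ThreatStream itype (e.g. mal_ip)."""
    groups: Dict[str, List[str]] = {}
    for obj in objects:
        groups.setdefault(obj.get("itype") or "unknown", []).append(obj.get("value"))
    return groups


# Constructed sample in the shape of the operation's output; every value is made up.
SAMPLE_OBJECTS = [
    {"id": 1, "value": "198.51.100.7", "itype": "mal_ip", "type": "ip",
     "confidence": 85, "status": "active", "tlp": "amber",
     "expiration_ts": "2099-01-01T00:00:00.000Z"},
    {"id": 2, "value": "low.example", "itype": "mal_domain", "type": "domain",
     "confidence": 40, "status": "active", "expiration_ts": ""},
    {"id": 3, "value": "203.0.113.9", "itype": "mal_ip", "type": "ip",
     "confidence": 95, "status": "inactive", "expiration_ts": ""},
    {"id": 4, "value": "http://old.example/x", "itype": "mal_url", "type": "url",
     "confidence": 90, "status": "active", "expiration_ts": "2020-01-01T00:00:00Z"},
    {"id": 5, "value": "bad.example", "itype": "mal_domain", "type": "domain",
     "confidence": "80", "status": "active", "expiration_ts": ""},
]

FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time

if __name__ == "__main__":
    actionable = select_actionable(SAMPLE_OBJECTS, now=FIXED_NOW)
    print(group_by_itype(actionable))
```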

operation: Submit URLs or Files to Sandbox

Input parameters

Parameter Description
Classification of the Sandbox Submission Classify the files or URLs that you are submitting to the ThreatStream Sandbox as Public or Private.
Sandbox Select the sandbox type and the respective platform on which you want to run the submitted URL or file. You can choose from the following sandbox options: ThreatStream Sandbox, ThreatStream Joe Sandbox, or Joe Sandbox via an individual subscription.
Supported Platforms Select the platform on which you want to run the submitted URL or file, from the list of platforms supported by the sandbox type you have chosen.
If you choose ThreatStream Sandbox, then you can choose from the following supported platforms: All, WindowsXP, or Windows7.
If you choose ThreatStream Joe Sandbox, then you can choose from the following supported platforms: MacOSX, Windows7, Windows7Office2010, or Windows10X64.
If you choose Joe Sandbox via an individual subscription, then you can choose from the following supported platforms: Android4.4, Android5.1, Android6.0, MacOSX, WindowsXP, WindowsXPNative, Windows7, Windows7Native, Windows7Office2010, Windows7Office2013, Windows10 or Windows10X64.
Sample type Type of sample that you want to submit to ThreatStream. You can choose between URL or File.
If you choose URL, then in the URL field specify the URL that you want to submit to ThreatStream.
If you choose File, then in the CyOPs Attachment IRI field specify the IRI of the file from the FortiSOAR™ 'Attachment' module that you want to submit to ThreatStream.
Tags Comma-separated list of tags that provide additional details of the indicator that you want to submit to ThreatStream.
Use Premium Sandbox Select this checkbox, i.e., set it to true, if you want to use a premium sandbox for the file that you are submitting to ThreatStream.
Trusted Circle IDs (Optional) ID of the trusted circle with which you want to associate the sandbox data. If you want to specify multiple trusted circles, enter a list of comma-separated Trusted Circle IDs.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "reports": {
         "WINDOWSXP": {
             "status": "",
             "id": "",
             "detail": ""
         },
         "WINDOWS7": {
             "status": "",
             "id": "",
             "detail": ""
         }
     }
}

operation: Get Sandbox Status of Submitted URL/File

Input parameters

Parameter Description
Report ID ID of the sandbox report whose status (for the submitted URL or file) you want to retrieve from ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "circles": [],
     "message": "",
     "virustotal": "",
     "resource_uri": "",
     "file": "",
     "notes": "",
     "starred_total_count": "",
     "sha1": "",
     "confidence": "",
     "watched_total_count": "",
     "misc_info": "",
     "platform_label": "",
     "starred_by_me": "",
     "platform": "",
     "priority": "",
     "votes": {
         "me": "",
         "total": ""
     },
     "pdf_generated": "",
     "import_indicators": "",
     "date_added": "",
     "verdict": "",
     "html_report": "",
     "watched_by_me": "",
     "user": {
         "username": "",
         "id": ""
     },
     "maec_report": "",
     "reportid": "",
     "sha256": "",
     "detail": "",
     "jobID": "",
     "id": "",
     "user_id": "",
     "yara": "",
     "status": "",
     "comments": [],
     "url": "",
     "classification": "",
     "md5": ""
}
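
A playbook-style follow-up for the two preceding operations, added here as an example (it is not the connector's own code): it validates the sandbox/platform choice against the parameter table, maps the per-platform report ids out of the submission output, and polls the status output until each report reaches a terminal state or an attempt budget is exhausted. The `status_lookup` callable, the canned responses and the terminal status vocabulary are assumptions; the page does not list ThreatStream's status values.

```python
"""Sandbox submission follow-up (added example, not part of the connector)."""
from typing import Any, Callable, Dict, FrozenSet, List

# Platform choices per sandbox type, transcribed from the parameter table above.
SUPPORTED_PLATFORMS: Dict[str, FrozenSet[str]] = {
    "ThreatStream Sandbox": frozenset({"All", "WindowsXP", "Windows7"}),
    "ThreatStream Joe Sandbox": frozenset(
        {"MacOSX", "Windows7", "Windows7Office2010", "Windows10X64"}),
    "Joe Sandbox via an individual subscription": frozenset(
        {"Android4.4", "Android5.1", "Android6.0", "MacOSX", "WindowsXP",
         "WindowsXPNative", "Windows7", "Windows7Native", "Windows7Office2010",
         "Windows7Office2013", "Windows10", "Windows10X64"}),
}

# Assumption: the page does not list status values, so this set is a guess to
# adjust once you see real responses. Anything else is treated as "still running".
DEFAULT_TERMINAL_STATUSES: FrozenSet[str] = frozenset({"success", "error", "failure"})


def validate_submission(sandbox: str, platform: str) -> None:
    """Raise ValueError for a sandbox/platform pair the table does not allow."""
    allowed = SUPPORTED_PLATFORMS.get(sandbox)
    if allowed is None:
        raise ValueError(f"unknown sandbox type: {sandbox!r}")
    if platform not in allowed:
        raise ValueError(f"{platform!r} is not supported by {sandbox!r}")


def report_ids_from_submission(submit_response: dict) -> Dict[str, Any]:
    """Map each platform in the submission's `reports` to its report id.

    Entries without an id (e.g. a platform the sandbox rejected) are skipped so
    the status step is never called with an empty Report ID."""
    if not submit_response.get("success"):
        return {}
    ids: Dict[str, Any] = {}
    for platform, entry in (submit_response.get("reports") or {}).items():
        rid = entry.get("id")
        if rid not in (None, ""):
            ids[platform] = rid
    return ids


def wait_for_verdicts(report_ids: Dict[str, Any],
                      status_lookup: Callable[[Any], dict],
                      max_attempts: int = 30,
                      terminal: FrozenSet[str] = DEFAULT_TERMINAL_STATUSES) -> Dict[str, dict]:
    """Poll the status output for each report id until its status is terminal.

    `status_lookup(report_id)` returns one "Get Sandbox Status" output. Each id
    is polled at most `max_attempts` times; ids still pending after that get
    status "timeout" so a playbook can branch instead of blocking forever."""
    results: Dict[str, dict] = {}
    for platform, rid in report_ids.items():
        outcome = {"status": "timeout", "verdict": "", "sha256": "", "md5": ""}
        for _ in range(max_attempts):
            status = status_lookup(rid)
            if status.get("status") in terminal:
                outcome = {k: status.get(k, "") for k in outcome}
                break
        results[platform] = outcome
    return results


def make_fake_status_lookup(sequences: Dict[Any, List[dict]]) -> Callable[[Any], dict]:
    """Stand-in for the status operation: replays canned responses per id,
    repeating the last one once a sequence is exhausted."""
    calls = {rid: 0 for rid in sequences}

    def lookup(rid: Any) -> dict:
        seq = sequences[rid]
        idx = min(calls[rid], len(seq) - 1)
        calls[rid] += 1
        return seq[idx]
    return lookup


# Constructed sample data in the documented shapes; nothing here is a real response.
SAMPLE_SUBMISSION = {
    "success": True,
    "reports": {
        "WINDOWSXP": {"status": "processing", "id": 101, "detail": ""},
        "WINDOWS7": {"status": "processing", "id": 102, "detail": ""},
    },
}
SAMPLE_STATUSES = {
    101: [{"status": "processing"}, {"status": "processing"},
          {"status": "success", "verdict": "malicious",
           "sha256": "constructed-sha256", "md5": "constructed-md5"}],
    102: [{"status": "processing"}],  # never finishes within the budget
}

if __name__ == "__main__":
    validate_submission("ThreatStream Sandbox", "All")
    ids = report_ids_from_submission(SAMPLE_SUBMISSION)
    print(wait_for_verdicts(ids, make_fake_status_lookup(SAMPLE_STATUSES), max_attempts=3))
```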

operation: Get Sandbox Report of Submitted URL/File

Input parameters

Parameter Description
Sandbox Report ID ID of the sandbox report (for the submitted URL or file) that you want to retrieve from ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "screenshots": [],
     "pcap": "",
     "success": true,
     "results": {
         "behavior": {
             "summary": {
                 "mutexes": [],
                 "files": [],
                 "keys": []
             },
             "anomaly": [],
             "processes": [
                 {
                     "first_seen": "",
                     "calls": [
                         {
                             "return": "",
                             "arguments": [
                                 {
                                     "value": "",
                                     "name": ""
                                 }
                             ],
                             "timestamp": "",
                             "id": "",
                             "status": "",
                             "api": "",
                             "category": "",
                             "thread_id": "",
                             "repeated": ""
                         }
                     ],
                     "parent_id": "",
                     "process_name": "",
                     "process_id": ""
                 }
             ],
             "processtree": [
                 {
                     "parent_id": "",
                     "children": [],
                     "pid": "",
                     "name": ""
                 }
             ],
             "enhanced": [
                 {
                     "data": {
                         "moduleaddress": "",
                         "file": "",
                         "pathtofile": ""
                     },
                     "event": "",
                     "timestamp": "",
                     "eid": "",
                     "object": ""
                 },
                 {
                     "data": {
                         "moduleaddress": "",
                         "file": "",
                         "pathtofile": ""
                     },
                     "event": "",
                     "timestamp": "",
                     "eid": "",
                     "object": ""
                 },
                 {
                     "data": {
                         "content": "",
                         "object": "",
                         "regkey": ""
                     },
                     "event": "",
                     "timestamp": "",
                     "eid": "",
                     "object": ""
                 },
                 {
                     "data": {
                         "moduleaddress": "",
                         "file": "",
                         "pathtofile": ""
                     },
                     "event": "",
                     "timestamp": "",
                     "eid": "",
                     "object": ""
                 }
             ]
         },
         "signatures": [],
         "procmemory": [],
         "debug": {
             "log": "",
             "errors": []
         },
         "network": {
             "udp": [
                 {
                     "dst": "",
                     "offset": "",
                     "time": "",
                     "dport": "",
                     "src": "",
                     "sport": ""
                 }
             ],
             "tcp": [],
             "domains": [],
             "sorted_pcap_sha256": "",
             "irc": [],
             "http": [],
             "smtp": [],
             "hosts": [],
             "dns": [],
             "icmp": [],
             "pcap_sha256": ""
         },
         "info": {
             "started": "",
             "ended": "",
             "duration": "",
             "package": "",
             "version": "",
             "machine": {
                 "manager": "",
                 "shutdown_on": "",
                 "id": "",
                 "name": "",
                 "label": "",
                 "started_on": ""
             },
             "category": "",
             "id": "",
             "custom": ""
         },
         "dropped": [],
         "static": {
             "pe_imports": [
                 {
                     "dll": "",
                     "imports": [
                         {
                             "address": "",
                             "name": ""
                         }
                     ]
                 },
                 {
                     "dll": "",
                     "imports": [
                         {
                             "address": "",
                             "name": ""
                         }
                     ]
                 }
             ],
             "pe_timestamp": "",
             "pe_sections": [
                 {
                     "virtual_size": "",
                     "virtual_address": "",
                     "name": "",
                     "entropy": "",
                     "size_of_data": ""
                 }
             ],
             "pe_imphash": "",
             "pe_exports": [],
             "pe_resources": [],
             "peid_signatures": "",
             "imported_dll_count": "",
             "pe_versioninfo": []
         },
         "target": {
             "file": {
                 "crc32": "",
                 "sha1": "",
                 "ssdeep": "",
                 "name": "",
                 "yara": [],
                 "type": "",
                 "sha512": "",
                 "path": "",
                 "sha256": "",
                 "size": "",
                 "md5": ""
             },
             "category": ""
         }
     }
}
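The report returned by this operation is large; the following added example (not part of the connector) condenses a report shaped like the schema above into the fields an analyst checks first. SAMPLE_REPORT is a constructed input; the helper names and the triage fields are the example's own.

```python
"""Triage summary for a ThreatStream sandbox report.

Added example, not part of the FortiSOAR connector. It condenses the JSON returned by
"Get Sandbox Report of Submitted URL/File" into target hashes, API calls per category,
network endpoints and PE imports. SAMPLE_REPORT is a constructed input shaped like the schema.
"""
from collections import Counter

# Constructed sample; every value is illustrative, addresses come from documentation ranges.
SAMPLE_REPORT = {
    "success": True,
    "pcap": "",
    "screenshots": [],
    "results": {
        "target": {
            "category": "file",
            "file": {"name": "sample.bin", "type": "PE32 executable", "size": "24576",
                     "md5": "0" * 32, "sha1": "1" * 40, "sha256": "2" * 64},
        },
        "behavior": {
            "processes": [
                {"process_name": "sample.bin", "process_id": "1200", "parent_id": "800",
                 "calls": [
                     {"api": "CreateFileW", "category": "filesystem", "status": "1"},
                     {"api": "WriteFile", "category": "filesystem", "status": "1"},
                     {"api": "RegSetValueExW", "category": "registry", "status": "1"},
                     {"api": "connect", "category": "network", "status": "0"},
                 ]},
            ],
        },
        "network": {
            "udp": [{"dst": "203.0.113.5", "dport": "53", "src": "192.0.2.10", "sport": "51000"}],
            "tcp": [], "dns": [], "http": [], "domains": [], "hosts": [],
        },
        "static": {
            "pe_imports": [
                {"dll": "KERNEL32.dll", "imports": [{"name": "CreateFileW", "address": ""},
                                                    {"name": "WriteFile", "address": ""}]},
                {"dll": "ADVAPI32.dll", "imports": [{"name": "RegSetValueExW", "address": ""}]},
            ],
            "pe_imphash": "", "pe_sections": [],
        },
        "signatures": [],
    },
}


def report_is_usable(report):
    """True only when the sandbox run succeeded and a target object is present."""
    results = report.get("results") or {}
    return bool(report.get("success")) and bool(results.get("target"))


def api_call_counts(report):
    """Count recorded API calls per category across every traced process."""
    counts = Counter()
    behavior = report.get("results", {}).get("behavior", {})
    for proc in behavior.get("processes", []):
        for call in proc.get("calls", []):
            counts[call.get("category") or "unknown"] += 1
    return counts


def network_endpoints(report):
    """Unique 'proto/dst:dport' strings from the udp and tcp flow lists."""
    net = report.get("results", {}).get("network", {})
    endpoints = set()
    for proto in ("udp", "tcp"):
        for flow in net.get(proto, []):
            if flow.get("dst"):
                endpoints.add("%s/%s:%s" % (proto, flow["dst"], flow.get("dport", "")))
    return sorted(endpoints)


def imported_apis(report):
    """Flatten static.pe_imports into 'DLL!function' names."""
    names = []
    static = report.get("results", {}).get("static", {})
    for entry in static.get("pe_imports", []):
        for imp in entry.get("imports", []):
            names.append("%s!%s" % (entry.get("dll", "?"), imp.get("name", "?")))
    return names


def triage_summary(report):
    """Compact dict a playbook could attach to an alert; flags unusable reports."""
    if not report_is_usable(report):
        return {"usable": False}
    results = report["results"]
    target_file = results["target"].get("file", {})
    return {
        "usable": True,
        "hashes": {k: target_file.get(k, "") for k in ("md5", "sha1", "sha256")},
        "calls_by_category": dict(api_call_counts(report)),
        "endpoints": network_endpoints(report),
        "imports": imported_apis(report),
        "has_pcap": bool(report.get("pcap")),
        "signature_count": len(results.get("signatures", [])),
    }
```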

operation: Get Intelligence Enrichments

Input parameters

Parameter Description
Third Party TI Third-party Threat Intelligence (TI) tool from which you want to retrieve enrichment data for the observable. You can choose from the following options: Recorded Future, Risk IQ, or Passive DNS.
  • If you choose Recorded Future, then you must specify the following parameters:
    • Observable Type: Select the type of observable for which you want to retrieve enrichment data from Recorded Future. You can choose from the following options: IP, Domain, or MD5.
      • If you choose IP, then in the IP Address field, specify the IP address for which you want to retrieve enrichment data from Recorded Future.
      • If you choose Domain, then in the Domain value field, specify the value of the domain for which you want to retrieve enrichment data from Recorded Future.
      • If you choose MD5, then in the Filehash field, specify the filehash for which you want to retrieve enrichment data from Recorded Future.
  • If you choose Risk IQ, then you must specify the following parameter:
    • IP Address: IP address for which you want to retrieve enrichment data from Risk IQ.
  • If you choose Passive DNS, then you must specify the following parameters:
    • Observable Type: Select the type of observable for which you want to retrieve enrichment data from Passive DNS. You can choose from the following options: IP or Domain.
      • If you choose IP, then in the IP Address field, specify the IP address for which you want to retrieve enrichment data from Passive DNS.
      • If you choose Domain, then in the Domain value field, specify the value of the domain for which you want to retrieve enrichment data from Passive DNS.
      • If you choose MD5, then in the Filehash field, specify the filehash for which you want to retrieve enrichment data from Recorded Future.

Output

The output contains the following populated JSON schema:

Output schema if 'Third Party TI' is 'Passive DNS'
{
     "cached": "",
     "results": [
         {
             "ip": "",
             "first_seen": "",
             "domain": "",
             "source": "",
             "rrtype": "",
             "last_seen": ""
         }
     ]
}

Output schema if 'Third Party TI' is 'Recorded Future'
{
     "cached": "",
     "results": [
         {
             "criticalityLable": "",
             "evidenceDetails": "",
             "relatedEntities": "",
             "hits": "",
             "recordedFutureUrl": "",
             "dateFirst": "",
             "riskScore": "",
             "dateLast": "",
             "sources": ""
         }
     ]
}

Output schema if 'Third Party TI' is 'Risk IQ'
{
     "results": [
         {
             "subject_country": "",
             "first_seen": "",
             "link": "",
             "subject_name": "",
             "issue_date": "",
             "source": "",
             "expiration_date": "",
             "issuer_org_name": "",
             "sha1": "",
             "last_seen": ""
         }
     ]
}

Included playbooks

The Sample - Anomali ThreatStream - 2.2.1 playbook collection comes bundled with the Anomali ThreatStream connector. This collection contains playbooks with steps for every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Anomali ThreatStream connector.

  • > Anomali ThreatStream > Fetch
  • >> Anomali ThreatStream > Handle Macros
  • Anomali ThreatStream > Ingest
  • Create Incident
  • Create Threat Bulletin
  • Delete Incident 
  • Get Domain Reputation
  • Get Email ID Reputation
  • Get File Reputation
  • Get Import Job Details
  • Get Incident
  • Get Incident List
  • Get Incident List By Indicator
  • Get Intelligence Enrichments
  • Get IP Reputation
  • Get Submitted Observables Status by Import ID
  • Get Submitted URL/File Report
  • Get Submitted URL/File Status
  • Get Threat Bulletin Entities
  • Get Threat Bulletin List
  • Get Threat Bulletin Observables 
  • Get URL Reputation
  • Get Whois Domain Information
  • Get Whois IP Information
  • Run Advanced Search
  • Run Filter Language Query
  • Submit Observables
  • Submit URLs or Files to Sandbox
  • Update Incident
  • Update Threat Bulletin

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Anomali ThreatStream. The Data Ingestion Wizard pulls "incidents" from Anomali ThreatStream and creates "alerts" in FortiSOAR™.

For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation. The following playbooks support data ingestion:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-threatstream

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Anomali ThreatStream connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL IP address or the hostname URL of the ThreatStream server to which you will connect and perform the automated operations.
Username Registered username for ThreatStream.
API Key API key configured for your account for using the ThreatStream API.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards: 

Function Description Annotation and Category
Get Domain Reputation Retrieves the reputation of the specified domain based on the filter criteria such as the domain name and other input parameters that you have specified. domain_reputation
Investigation
Get IP Reputation Retrieves the reputation of the specified IP address based on the filter criteria such as the IP address and other input parameters that you have specified. ip_reputation
Investigation
Get URL Reputation Retrieves the reputation of the specified URL based on the filter criteria such as the URL and other input parameters that you have specified. url_reputation
Investigation
Get Email ID Reputation Retrieves the reputation of the specified Email address based on the filter criteria such as the email address and other input parameters that you have specified. email_reputation
Investigation
Get File Reputation Retrieves the reputation of the specified FileHash based on the filter criteria such as the filehash and other input parameters that you have specified. file_reputation
Investigation
Get Whois Domain Information Executes a WhoIs lookup on the specified domain name and retrieves a list of domains based on the domain name that you have specified. whois_domain
Investigation
Get Whois IP Information Executes a WhoIs lookup on the specified IP address and retrieves a list of IP addresses based on the IP address that you have specified. whois_ip
Investigation
Run Filter Language Query Runs a search query using ThreatStream’s Filter Language Query grammar. search_query
Investigation
Run Advanced Search Runs an advanced search query using ThreatStream’s Query grammar. search_query
Investigation
Submit Observables Imports threat data (indicators) into ThreatStream and requires the approval of the imported data through the ThreatStream UI. submit_sample
Investigation
Get Submitted Observables Status by Import ID Retrieves the status of a submitted observable from ThreatStream based on the import ID that was returned in the response of the Submit Observables operation. get_import_job_status
Investigation
Get Import Job Details Retrieves the details of import jobs from ThreatStream based on the search query that you have specified.  get_import_job
Investigation
Create Incident Creates an incident in ThreatStream based on the name, tags, and other input parameters that you have specified. create_incidents
Investigation
Get Incident List Retrieves a list of all incidents based on the search query and other input parameters that you have specified. get_incident_list
Investigation
Get Incident List By Indicator Retrieves a list of incidents based on specific intelligence value and other input parameters that you have specified. get_incident_list
Investigation
Get Incident Collects and retrieves generated incidents from ThreatStream based on the incident ID that you have specified. get_incidents
Investigation
Update Incident Updates an incident in ThreatStream based on the incident ID and other input parameters that you have specified. update_incidents
Investigation
Delete Incident Deletes an incident from ThreatStream based on the incident ID that you have specified. delet_incidents
Investigation
Create Threat Bulletin Creates a threat bulletin in ThreatStream based on the name, tags, and other input parameters that you have specified. create_threat_bulletin
Investigation
Update Threat Bulletin Updates a threat bulletin in ThreatStream based on the incident ID and other input parameters that you have specified. update_threat_bulletin
Investigation
Get Threat Bulletin List Retrieves a list of all threat bulletins or specific threat bulletins based on the search query and other input parameters that you have specified. get_threat_bulletin_list
Investigation
Get Threat Bulletin Entities Retrieves a list of all threat model entities associated with a specific threat bulletin based on the threat bulletin ID and other input parameters that you have specified. get_threat_model
Investigation
Get Threat Bulletin Observables Retrieves a list of all observables associated with a specific threat bulletin based on the threat bulletin ID and other input parameters that you have specified. get_observables_associated_threat_bulletin
Investigation
Submit URLs or Files to Sandbox Submits files or URLs to a specific ThreatStream-hosted sandbox based on the sandbox name, URLs/files, tags, and other input parameters that you have specified. submit_sample
Investigation
Get Sandbox Status of Submitted URL/File Retrieves the sandbox status of files or URLs that you have submitted to ThreatStream based on the report ID that you have specified. get_import_job_status
Investigation
Get Sandbox Report of Submitted URL/File Retrieves the sandbox analysis report of files or URLs that you have submitted to ThreatStream based on the report ID that you have specified. get_report
Investigation
Get Intelligence Enrichments Retrieves the enrichment data using third-party Threat Intelligence (TI) tools, such as Recorded Future, Risk IQ, etc. for a specific observable. get_intelligence_enrichments
Investigation

operation: Get Domain Reputation

Input parameters

Parameter Description
Domain Name Name of the domain for which you want to retrieve reputation information.
Filter Options Filter option supported by ThreatStream. The supported filter options are Exact, Startswith, Contains, Regex, and Regexp.
If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the Domain Name in this case). By default, this option is set to False.
Number of Records to return Select whether you want this operation to Fetch Limited Records or Fetch All Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results, per page, that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}

operation: Get IP Reputation

Input parameters

Parameter Description
IP Address IP address for which you want to retrieve reputation information.
Filter Options Filter option supported by ThreatStream. The supported filter options are Exact, Startswith, Contains, Regex, and Regexp.
If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the IP Address in this case). By default, this option is set to False.
Number of Records to return Select whether you want this operation to Fetch Limited Records or Fetch All Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results, per page, that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}

operation: Get URL Reputation

Input parameters

Parameter Description
URL URL for which you want to retrieve reputation information.
Filter Options Filter option supported by ThreatStream. The supported filter options are Exact, Startswith, Contains, Regex, and Regexp.
If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the URL in this case). By default, this option is set to False.
Number of Records to return Select whether you want this operation to Fetch Limited Records or Fetch All Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results, per page, that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}

operation: Get Email ID Reputation

Input parameters

Parameter Description
Email ID Email ID for which you want to retrieve reputation information.
Filter Options Filter option supported by ThreatStream. The supported filter options are Exact, Startswith, Contains, Regex, and Regexp.
If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the Email ID in this case). By default, this option is set to False.
Number of Records to return Select whether you want this operation to Fetch Limited Records or Fetch All Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results, per page, that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}

operation: Get File Reputation

Input parameters

Parameter Description
Filehash FileHash for which you want to retrieve reputation information.
Filter Options Filter option supported by ThreatStream. The supported filter options are Exact, Startswith, Contains, Regex, and Regexp.
If you select Exact, you can also select the Validate Input checkbox to validate the input you have provided (the filehash in this case). By default, this option is set to False.
Number of Records to return Select whether you want this operation to Fetch Limited Records or Fetch All Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results, per page, that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}

operation: Get Whois Domain Information

Input parameters

Parameter Description
Domain Name Name of the domain for which you want to retrieve information from Whois.

Output

The output contains the following populated JSON schema:
{
     "contacts": {
         "billing": "",
         "tech": "",
         "registrant": "",
         "admin": ""
     },
     "registrar": [],
     "status": [],
     "updated_date": [],
     "creation_date": [],
     "nameservers": [],
     "emails": [],
     "raw": [],
     "expiration_date": []
}

operation: Get Whois IP Information

Input parameters

Parameter Description
IP Address IP address for which you want to retrieve information from Whois.

Output

The output contains the following populated JSON schema:
{
     "contacts": {
         "billing": "",
         "tech": "",
         "registrant": "",
         "admin": ""
     },
     "registrar": [],
     "status": [],
     "updated_date": [],
     "creation_date": [],
     "nameservers": [],
     "emails": [],
     "raw": [],
     "expiration_date": []
}

operation: Run Filter Language Query

Input parameters

Parameter Description
Filter Query Valid query to be run on the ThreatStream server. The query must conform to ThreatStream’s Filter Language Query grammar.
Number of Records to return Select whether you want this operation to Fetch Limited Records or Fetch All Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results, per page, that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}

operation: Run Advanced Search

Input parameters

Parameter Description
Advanced Query Valid query to be run on the ThreatStream server. The query must conform to ThreatStream’s Query grammar.
Number of Records to return Select whether you want this operation to Fetch Limited Records or Fetch All Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results, per page, that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "offset": "",
         "limit": "",
         "total_count": "",
         "next": "",
         "took": "",
         "previous": ""
     },
     "objects": [
         {
             "meta": {
                 "severity": "",
                 "media_type": "",
                 "detail2": "",
                 "media": "",
                 "detail": "",
                 "maltype": ""
             },
             "threat_type": "",
             "is_editable": "",
             "source": "",
             "is_public": "",
             "retina_confidence": "",
             "trusted_circle_ids": [],
             "longitude": "",
             "modified_ts": "",
             "workgroups": [],
             "is_anonymous": "",
             "ip": "",
             "status": "",
             "id": "",
             "source_reported_confidence": "",
             "uuid": "",
             "resource_uri": "",
             "threatscore": "",
             "feed_id": "",
             "country": "",
             "org": "",
             "tags": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "value": "",
             "asn": "",
             "rdns": "",
             "itype": "",
             "type": "",
             "confidence": "",
             "owner_organization_id": "",
             "update_id": "",
             "import_session_id": "",
             "description": "",
             "expiration_ts": "",
             "latitude": "",
             "tlp": "",
             "created_ts": ""
         }
     ]
}

operation: Submit Observables

Input parameters

Parameter Description
CyOPs Attachment IRI (Optional) Attachment IRI that is used to access the file directly from the FortiSOAR™ Attachments module. This should be the file from which you want to import observables into ThreatStream.
You can import observables from the following file types: CSV, HTML, IOC, JSON, PDF, or TXT.
Observable data (Optional) Enter the observable data that you want to import into ThreatStream.
Confidence Confidence value that you want to assign to the observables that you want to import into ThreatStream. You can specify values between 0 and 100.
Source Confidence Weight (Optional) Specifies the weight given to the source confidence of each indicator relative to the ThreatStream confidence.
Severity Severity value that you want to assign to the observables that you want to import into ThreatStream.
You can choose from the following options: Low, Medium, High, or Very High.
Classification Classification that you want to assign to the observables that you want to import into ThreatStream.
You can choose from the following options: Private or Public.
Expiration Time Stamp Duration after which the observables will expire on ThreatStream.
You can choose from the following options: 90 days, 60 days, 30 days, Never, or Custom.
By default, it is set to 90 days from the current date.
Tags (Optional) Tags that you want to assign to the observables that you want to import into ThreatStream.
IP Indicator Type Global setting that applies to any imported IP-type indicator when you do not specify an explicit itype for that indicator.
Domain Indicator Type Global setting that applies to any imported domain-type indicator when you do not specify an explicit itype for that indicator.
URL Indicator Type Global setting that applies to any imported URL-type indicator when you do not specify an explicit itype for that indicator.
Email Indicator Type Global setting that applies to any imported email-type indicator when you do not specify an explicit itype for that indicator.
MD5 Indicator Type Global setting that applies to any imported MD5-type indicator when you do not specify an explicit itype for that indicator.
Trusted Circle IDs (Optional) IDs of the trusted circles.

Output

The output contains the following populated JSON schema:
{
     "job_id": "",
     "success": "",
     "import_session_id": ""
}
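The parameter rules above (confidence 0 to 100, the fixed Severity and Classification choices, the Expiration Time Stamp options, and the per-type Indicator Type defaults that apply only when an observable carries no explicit itype) can be enforced before the operation is ever called. The following is an added example, not the connector's own code: the observable classification patterns, the `default_itypes` mapping that stands in for the five Indicator Type settings, and the request-body field names are this example's assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Choices exactly as the Submit Observables parameters list them.
SEVERITIES = ("Low", "Medium", "High", "Very High")
CLASSIFICATIONS = ("Private", "Public")
EXPIRATION_DAYS = {"90 days": 90, "60 days": 60, "30 days": 30}

# Assumed classification patterns for raw observables (this example's own, not ThreatStream's).
_MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def observable_kind(value):
    """Return ip / url / email / md5 / domain for a raw observable, or None if unrecognised."""
    v = value.strip()
    if _MD5_RE.match(v):
        return "md5"
    if v.lower().startswith(("http://", "https://")):
        return "url"
    if _EMAIL_RE.match(v):
        return "email"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if _DOMAIN_RE.match(v):
        return "domain"
    return None


def expiration_ts(option, custom=None, now=None):
    """Map the Expiration Time Stamp choice to an ISO-8601 UTC string (None means Never)."""
    now = now or datetime.now(timezone.utc)
    if option == "Never":
        return None
    if option == "Custom":
        if custom is None:
            raise ValueError("Custom expiration requires an explicit datetime")
        return custom.isoformat()
    if option not in EXPIRATION_DAYS:
        raise ValueError("unknown expiration option: %r" % option)
    return (now + timedelta(days=EXPIRATION_DAYS[option])).isoformat()


def build_submission(observables, confidence, severity, classification, default_itypes,
                     expiration="90 days", custom_expiration=None, tags=None, now=None):
    """Validate the inputs and assemble a request body (field names assumed).

    observables: iterable of (value, itype_or_None).
    default_itypes: mapping kind -> itype, standing in for the IP/Domain/URL/Email/MD5
    Indicator Type settings; applied only when an observable has no explicit itype.
    """
    if isinstance(confidence, bool) or not isinstance(confidence, int) or not 0 <= confidence <= 100:
        raise ValueError("confidence must be an integer between 0 and 100")
    if severity not in SEVERITIES:
        raise ValueError("severity must be one of: %s" % ", ".join(SEVERITIES))
    if classification not in CLASSIFICATIONS:
        raise ValueError("classification must be Private or Public")

    objects, rejected = [], []
    for value, itype in observables:
        kind = observable_kind(value)
        if kind is None:
            rejected.append(value)  # collect every bad line, report them together
            continue
        itype = itype or default_itypes.get(kind)
        if not itype:
            raise ValueError("no itype given or defaulted for %s %r" % (kind, value))
        objects.append({"value": value.strip(), "type": kind, "itype": itype})
    if rejected:
        raise ValueError("unrecognised observables: %s" % ", ".join(rejected))

    return {
        "confidence": confidence,
        "severity": severity,
        "classification": classification,
        "expiration_ts": expiration_ts(expiration, custom_expiration, now),
        "tags": list(tags or []),
        "objects": objects,
    }


# Constructed sample input with a fixed clock so the expiration is reproducible.
FIXED_NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)
SAMPLE_OBSERVABLES = [
    ("198.51.100.7", None),                          # IP, takes the IP default itype
    ("evil.example", "mal_domain"),                  # explicit itype wins
    ("d41d8cd98f00b204e9800998ecf8427e", None),      # MD5, takes the MD5 default itype
]


def sample_submission():
    """Build the body for the constructed sample with a 30-day expiration."""
    return build_submission(SAMPLE_OBSERVABLES, 70, "High", "Private",
                            {"ip": "mal_ip", "md5": "mal_md5"},
                            expiration="30 days", now=FIXED_NOW)
```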

operation: Get Submitted Observables Status by Import ID

Input parameters

Parameter Description
Import Session ID ID of the import session for which you want to retrieve the submitted observable status from ThreatStream.
The import session ID is returned in the response of the Submit Observables operation.

Output

The output contains the following populated JSON schema:
{
     "name": "",
     "messages": "",
     "user_id": "",
     "numRejected": "",
     "is_public": "",
     "associations": {
         "tip_reports": [],
         "actors": [],
         "incidents": [],
         "ttps": [],
         "campaigns": []
     },
     "id": "",
     "numIndicators": "",
     "fileType": "",
     "source_confidence_weight": "",
     "notes": "",
     "workgroups": [],
     "is_anonymous": "",
     "organization": {
         "name": "",
         "resource_uri": "",
         "id": ""
     },
     "status": "",
     "num_public": "",
     "email": "",
     "fileName": "",
     "num_private": "",
     "jobID": "",
     "default_comment": "",
     "resource_uri": "",
     "intelligence_source": "",
     "date_modified": "",
     "tags": [],
     "sandbox_submit": "",
     "approved_by_id": "",
     "processed_ts": "",
     "confidence": "",
     "orginal_intelligence": "",
     "date": "",
     "visibleForReview": "",
     "tlp": "",
     "trusted_circles": [],
     "approved_by": {
         "name": "",
         "must_change_password": "",
         "avatar_s3_url": "",
         "organization": {
             "name": "",
             "resource_uri": "",
             "id": ""
         },
         "is_active": "",
         "id": "",
         "email": "",
         "can_share_intelligence": "",
         "resource_uri": "",
         "nickname": ""
     }
}

operation: Get Import Job Details

Input parameters

Parameter Description
Search Query Valid query to be run on the ThreatStream server based on which you want to retrieve details of import jobs.
Number of Records to Return Select whether you want this operation to Fetch Limited Records or Fetch All Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results, per page, that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "next": "",
         "total_count": "",
         "limit": "",
         "offset": "",
         "previous": ""
     },
     "objects": [
         {
             "name": "",
             "approved_by_id": "",
             "user_id": "",
             "visibleForReview": "",
             "is_public": "",
             "num_public": "",
             "numIndicators": "",
             "email": "",
             "fileType": "",
             "source_confidence_weight": "",
             "date": "",
             "workgroups": [],
             "is_anonymous": "",
             "organization": {
                 "name": "",
                 "resource_uri": "",
                 "id": ""
             },
             "status": "",
             "id": "",
             "numRejected": "",
             "fileName": "",
             "num_private": "",
             "jobID": "",
             "default_comment": "",
             "resource_uri": "",
             "intelligence_source": "",
             "date_modified": "",
             "tags": [
                 {
                     "name": "",
                     "org_id": "",
                     "tlp": "",
                     "id": ""
                 }
             ],
             "sandbox_submit": "",
             "processed_ts": "",
             "confidence": "",
             "orginal_intelligence": "",
             "messages": "",
             "notes": "",
             "tlp": "",
             "trusted_circles": [],
             "approved_by": {
                 "name": "",
                 "must_change_password": "",
                 "avatar_s3_url": "",
                 "organization": {
                     "name": "",
                     "resource_uri": "",
                     "id": ""
                 },
                 "nickname": "",
                 "id": "",
                 "email": "",
                 "can_share_intelligence": "",
                 "resource_uri": "",
                 "is_active": ""
             }
         }
     ]
}
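Run Filter Language Query, Run Advanced Search and Get Import Job Details all return the same paged shape: a "meta" block (offset, limit, total_count, next, previous) and an "objects" list. Fetch All Records can be built from repeated Fetch Limited Records calls by walking pages until "next" is empty or total_count is reached. The following is an added example, not connector code: `fetch_page(page_index, limit)` stands in for one Fetch Limited Records call, and the in-memory server and its indicators are constructed data.

```python
def fetch_all(fetch_page, limit=50, max_pages=1000):
    """Drain a paged result set.

    Calls fetch_page(page_index, limit) from page 0, following the page's 0-based
    page index, until meta.next is empty, total_count is reached, or the page
    budget runs out. Objects are deduplicated by id, and a page that yields only
    already-seen objects is treated as a stalled server rather than looped on.
    """
    seen, objects = set(), []
    page = 0
    while page < max_pages:
        resp = fetch_page(page, limit)
        meta, batch = resp.get("meta", {}), resp.get("objects", [])
        fresh = []
        for obj in batch:
            key = obj.get("id")
            if key is not None and key in seen:
                continue  # duplicate from an overlapping page boundary
            if key is not None:
                seen.add(key)
            fresh.append(obj)
        objects.extend(fresh)

        total = meta.get("total_count")
        if not batch or not meta.get("next"):
            break  # last page
        if total not in (None, "") and len(objects) >= int(total):
            break  # everything the server said exists has been collected
        if not fresh:
            raise RuntimeError("pagination stalled at page %d" % page)
        page += 1
    else:
        raise RuntimeError("gave up after %d pages" % max_pages)
    return objects


# Constructed sample data: seven indicator objects using the page's field names.
SAMPLE_INDICATORS = [
    {"id": i, "value": "198.51.100.%d" % i, "itype": "mal_ip", "confidence": 60 + i}
    for i in range(1, 8)
]


def fake_fetch_page(page, limit):
    """Stand-in for one Fetch Limited Records call over SAMPLE_INDICATORS."""
    start = page * limit
    batch = SAMPLE_INDICATORS[start:start + limit]
    has_more = start + limit < len(SAMPLE_INDICATORS)
    return {
        "meta": {
            "offset": page,  # the page's 0-based page index
            "limit": limit,
            "total_count": len(SAMPLE_INDICATORS),
            "next": "/page/%d" % (page + 1) if has_more else "",  # assumed link format
            "previous": "/page/%d" % (page - 1) if page else "",
            "took": 1,
        },
        "objects": batch,
    }


def stalled_fetch_page(page, limit):
    """Misbehaving server that always serves page 0 while claiming more pages exist."""
    return fake_fetch_page(0, limit)
```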

operation: Create Incident

Input parameters

Parameter Description
Name Name of the incident that you want to create in ThreatStream.
The incident name is associated with your organization. Therefore, the name that you specify must be unique within your organization.
Is Incident Public or Private Select whether the incident that you want to create in ThreatStream is Public or Private (including belonging to a trusted circle).
Select this option, i.e., set it to True, if you want to create the incident as a Public incident. This is the default value.
Clear this option, i.e., set it to False, if you want to create the incident as a Private incident or an incident that belongs to a Trusted Circle.
Tags (Optional) Tags assigned to the incident that you want to create in ThreatStream.
A tag is a meaningful name or any other string value assigned to identify the information. For example, spear phishing, exploitation.
Intelligence (Optional) Indicators that are associated with the incident on the ThreatStream platform. You can add multiple intelligence IDs using the comma separator.
TLP (Optional) Traffic Light Protocol (TLP) designation for the incident that you want to create in ThreatStream. You can choose from the following options: Red, Amber, Green, or White.
Fields to Include with The Incident (Optional) Specify other fields that you want to include with the incident that you want to create in ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "name": "",
     "external_references": [],
     "is_public": "",
     "intended_effects": [],
     "logo_s3_url": "",
     "assignee_user": "",
     "publication_status": "",
     "end_date": "",
     "feed_id": "",
     "workgroups": [],
     "is_anonymous": "",
     "organization": {
         "name": "",
         "resource_uri": "",
         "id": ""
     },
     "status": {
         "display_name": "",
         "resource_uri": "",
         "id": ""
     },
     "id": "",
     "owner_user": {
         "name": "",
         "email": "",
         "resource_uri": "",
         "id": ""
     },
     "circles": [],
     "activity_dates": [],
     "resource_uri": "",
     "organization_id": "",
     "modified_ts": "",
     "parent": "",
     "watched_by_me": "",
     "starred_total_count": "",
     "tlp": "",
     "votes": {
         "total": "",
         "me": ""
     },
     "victims": [],
     "starred_by_me": "",
     "description": "",
     "body_content_type": "",
     "published_ts": "",
     "start_date": "",
     "is_cloneable": "",
     "sandbox_reports": [],
     "status_desc": "",
     "created_ts": "",
     "watched_total_count": ""
}

operation: Get Incidents List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.  

Parameter Description
Search Query Valid query to be run on the ThreatStream server based on which you want to retrieve the list of incidents. For example, google.com returns all incidents that are associated with google.com.
Limit Maximum number of results, per page, that this operation should return.
Offset 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "next": "",
         "total_count": "",
         "limit": "",
         "offset": "",
         "previous": ""
     },
     "objects": [
         {
             "name": "",
             "is_public": "",
             "starred_by_me": "",
             "publication_status": "",
             "end_date": "",
             "feed_id": "",
             "workgroups": [],
             "is_anonymous": "",
             "is_cloneable": "",
             "status": {
                 "display_name": "",
                 "resource_uri": "",
                 "id": ""
             },
             "id": "",
             "start_date": "",
             "circles": [
                 {
                     "name": "",
                     "resource_uri": "",
                     "id": ""
                 }
             ],
             "resource_uri": "",
             "organization_id": "",
             "modified_ts": "",
             "watched_by_me": "",
             "tags": [],
             "tags_v2": [
                 {
                     "name": "",
                     "id": ""
                 }
             ],
             "starred_total_count": "",
             "published_ts": "",
             "votes": {
                 "total": "",
                 "me": ""
             },
             "tlp": "",
             "created_ts": "",
             "watched_total_count": ""
         }
     ]
}

operation: Get Incident List By Indicator

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Intelligence value to filter Intelligence value by which you want to filter the incidents retrieved from ThreatStream. For example, google.com returns all incidents that are associated with google.com.
Limit Maximum number of results that this operation should return.
Offset 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "publication_status": "",
             "resource_uri": "",
             "tags": [],
             "is_anonymous": "",
             "published_ts": "",
             "created_ts": "",
             "watched_total_count": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "modified_ts": "",
             "name": "",
             "workgroups": [],
             "organization_id": "",
             "end_date": "",
             "is_public": "",
             "id": "",
             "is_cloneable": "",
             "status": {
                 "id": "",
                 "display_name": "",
                 "resource_uri": ""
             },
             "starred_by_me": "",
             "tlp": "",
             "start_date": ""
         }
     ]
}

operation: Get Incident

Input parameters

Parameter Description
Incident ID ID of the generated incident whose details you want to retrieve from ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "external_references": [
         {
             "title": "",
             "id": "",
             "filename": "",
             "r_type": "",
             "s3_url": "",
             "resource_uri": "",
             "url": ""
         }
     ],
     "logo_s3_url": "",
     "signatures": [],
     "publication_status": "",
     "end_date": "",
     "modified_ts": "",
     "is_cloneable": "",
     "status": {
         "display_name": "",
         "resource_uri": "",
         "id": ""
     },
     "activity_dates": [],
     "tipreports": [],
     "tlp": "",
     "watched_by_me": "",
     "tags": [
         ""
     ],
     "created_ts": "",
     "actors": [],
     "victims": [],
     "incidents": [],
     "body_content_type": "",
     "published_ts": "",
     "starred_total_count": "",
     "sandbox_reports": [],
     "description": "",
     "owner_user": {
         "name": "",
         "email": "",
         "resource_uri": "",
         "id": ""
     },
     "name": "",
     "is_public": "",
     "intended_effects": [],
     "feed_id": "",
     "workgroups": [],
     "is_anonymous": "",
     "organization": {
         "name": "",
         "resource_uri": "",
         "id": ""
     },
     "id": "",
     "circles": [
         {
             "name": "",
             "resource_uri": "",
             "id": ""
         }
     ],
     "resource_uri": "",
     "campaigns": [],
     "organization_id": "",
     "parent": "",
     "intelligence": [],
     "tags_v2": [
         {
             "name": "",
             "id": ""
         }
     ],
     "votes": {
         "total": "",
         "me": ""
     },
     "start_date": "",
     "ttps": [],
     "starred_by_me": "",
     "watched_total_count": "",
     "status_desc": ""
}

operation: Update Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to update on ThreatStream.
Incident Name Name of the incident that you want to update on ThreatStream.
Status (Optional) Select the status of the incident that you want to update on ThreatStream. You can choose from the following options: New, Open, Stalled, Containment Achieved, Restoration Achieved, Incident Reported, Closed, Rejected, or Deleted.
Note: This parameter will make an API call named "get_status" to dynamically populate its dropdown selections.
Status Description (Optional) Description associated with the status of the incident that you want to update on ThreatStream.
Intelligence (Optional) Indicators associated with the Incident on the ThreatStream platform. Multiple intelligence IDs are comma-separated.
Fields to Update on Incident (Optional) Specify other fields that you want to include with the incident that you want to update in ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "name": "",
     "external_references": [],
     "is_public": "",
     "intended_effects": [],
     "logo_s3_url": "",
     "assignee_user": "",
     "publication_status": "",
     "end_date": "",
     "feed_id": "",
     "workgroups": [],
     "is_anonymous": "",
     "organization": {
         "name": "",
         "resource_uri": "",
         "id": ""
     },
     "status": {
         "display_name": "",
         "resource_uri": "",
         "id": ""
     },
     "id": "",
     "owner_user": {
         "name": "",
         "email": "",
         "resource_uri": "",
         "id": ""
     },
     "circles": [],
     "activity_dates": [],
     "resource_uri": "",
     "organization_id": "",
     "modified_ts": "",
     "parent": "",
     "watched_by_me": "",
     "starred_total_count": "",
     "tlp": "",
     "votes": {
         "total": "",
         "me": ""
     },
     "victims": [],
     "starred_by_me": "",
     "description": "",
     "body_content_type": "",
     "published_ts": "",
     "start_date": "",
     "is_cloneable": "",
     "sandbox_reports": [],
     "status_desc": "",
     "created_ts": "",
     "watched_total_count": ""
}

operation: Delete Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to delete from ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Create Threat Bulletin

Input parameters

Parameter Description
Name Name of the threat bulletin that you want to create in ThreatStream.
Format Used for Description (Optional) Format that will be used for the body text of the threat bulletin. You can choose between Markdown (Default) or Richtext.
Description (Optional) Complete text of the threat bulletin that you want to create in ThreatStream.
Is Threat Bulletin Public or Private Select whether the threat bulletin that you want to create in ThreatStream is Public or Private (including belonging to a trusted circle).
Select this checkbox, if you want to create the threat bulletin as a Public Threat Bulletin.
Clear this checkbox, if you want to create the threat bulletin as a Private Threat Bulletin (including belonging to a trusted circle). By default, the threat bulletin is created as Private, i.e., this checkbox is cleared.
TLP (Optional) Traffic Light Protocol (TLP) that you want to designate to the threat bulletin that you want to create in ThreatStream. You can choose from the following options: Red, Amber, Green, or White.
Add an Attachment (Optional) IRI of the file from the FortiSOAR™ 'Attachment' module that you want to add as an attachment to the threat bulletin that you want to create in ThreatStream.
Fields to Include with the Threat Bulletin (Optional) Fields that you want to include with the threat bulletin that you want to create in ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "watched_by_me": "",
     "feed_id": "",
     "import_sessions": [],
     "assignee_user": "",
     "circles": [],
     "is_anonymous": "",
     "assignee_org_id": "",
     "original_source": "",
     "assignee_user_id": "",
     "parent": "",
     "history": [
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "can_share_intelligence": "",
                 "organization": {
                     "id": "",
                     "resource_uri": "",
                     "name": ""
                 },
                 "nickname": "",
                 "is_active": "",
                 "is_readonly": "",
                 "name": "",
                 "must_change_password": "",
                 "email": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         }
     ],
     "is_editable": "",
     "starred_total_count": "",
     "votes": {
         "me": "",
         "total": ""
     },
     "source": "",
     "all_circles_visible": "",
     "threat_actor": "",
     "name": "",
     "owner_org_name": "",
     "owner_user_id": "",
     "tlp": "",
     "campaign": "",
     "body": "",
     "status": "",
     "id": "",
     "private_status_id": "",
     "attachments": [],
     "embedded_content_url": "",
     "resource_uri": "",
     "original_source_id": "",
     "is_email": "",
     "body_content_type": "",
     "logo_s3_url": "",
     "created_ts": "",
     "owner_org": {
         "id": "",
         "resource_uri": "",
         "name": ""
     },
     "assignee_org": "",
     "watched_total_count": "",
     "owner_user_name": "",
     "starred_by_me": "",
     "assignee_org_name": "",
     "modified_ts": "",
     "workgroups": [],
     "is_cloneable": "",
     "owner_user": {
         "avatar_s3_url": "",
         "id": "",
         "resource_uri": "",
         "can_share_intelligence": "",
         "organization": {
             "id": "",
             "resource_uri": "",
             "name": ""
         },
         "nickname": "",
         "is_active": "",
         "is_readonly": "",
         "name": "",
         "must_change_password": "",
         "email": ""
     },
     "embedded_content_type": "",
     "is_public": "",
     "owner_org_id": "",
     "ttp": "",
     "published_ts": "",
     "comments": [],
     "sandbox_reports": [],
     "assignee_user_name": ""
}

operation: Update Threat Bulletin

Input parameters

Parameter Description
Threat Bulletin ID ID of the threat bulletin that you want to update on ThreatStream.
Threat Bulletin Name (Optional) Name of the threat bulletin that you want to update on ThreatStream.
Publication Status (Optional) Publication status that you want to set for the threat bulletin that you want to update on ThreatStream. You can choose from the following options: Published, Reviewed, Review Request, or Pending Review.
Add an Attachment (Optional) Path of the file that you want to add as an attachment to the threat bulletin that you want to update in ThreatStream.
Fields to Update on Threat Bulletin (Optional) Fields that you want to include with the threat bulletin that you want to update in ThreatStream.

Output

The output contains the following populated JSON schema:

Output schema if condition is: {{reference_id === ''}}
{
     "embedded_content_url": "",
     "feed_id": "",
     "import_sessions": [
           {
             "numIndicators": "",
             "trusted_circles": [],
             "tags": [],
             "notes": "",
             "is_anonymous": "",
             "fileType": "",
             "default_comment": "",
             "confidence": "",
             "visibleForReview": "",
             "processed_ts": "",
             "sandbox_submit": "",
             "jobID": "",
             "numRejected": "",
             "resource_uri": "",
             "orginal_intelligence": "[]",
             "date_modified": "",
             "num_private": "",
             "workgroups": [],
             "fileName": "",
             "tlp": "",
             "date": "",
             "messages": "",
             "intelligence_source": "",
             "organization": {
                 "id": "",
                 "name": "",
                 "resource_uri": ""
             },
             "is_public": "",
             "source_confidence_weight": "",
             "id": "",
             "num_public": "",
             "approved_by_id": "",
             "email": "",
             "status": "",
             "approved_by": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "name": "",
             "user_id": ""
         }
     ],
     "attachments": [
         {
             "s3_url": "",
             "tip_report": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": "",
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "modified_ts": "",
             "filename": "",
             "s3_thumbnail_url": "",
             "signed_thumbnail_url": "",
             "created_ts": "",
             "content_type": "",
             "signed_url": ""
         }
     ],
     "history": [
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         },
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                  "email": "",
                  "organization": {
                      "id": "",
                      "name": "",
                      "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         },
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         },
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         },
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         },
         {
             "action": "",
             "quantity": "",
             "id": "",
             "user": {
                 "can_share_intelligence": "",
                 "avatar_s3_url": "",
                 "id": "",
                 "resource_uri": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "is_active": true,
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "tip_report": "",
             "detail": "",
             "ts": ""
         }
     ],
     "is_anonymous": "",
     "assignee_org_id": "",
     "original_source": "",
     "assignee_user_id": "",
     "parent": "",
     "circles": [],
     "is_editable": true,
     "starred_total_count": "",
     "votes": {
         "me": "",
         "total": ""
     },
     "source": "",
     "threat_actor": "",
     "name": "",
     "owner_org_name": "",
     "owner_user_id": "",
     "tlp": "",
     "original_source_id": "",
     "campaign": "",
     "body": "",
     "status": "",
     "id": "",
     "private_status_id": "",
     "assignee_user": {
         "can_share_intelligence": "",
         "avatar_s3_url": "",
         "id": "",
         "resource_uri": "",
         "email": "",
         "organization": {
             "id": "",
             "name": "",
             "resource_uri": ""
         },
         "nickname": "",
         "is_active": "",
         "is_readonly": "",
         "must_change_password": "",
         "name": ""
     },
     "ttp": "",
     "resource_uri": "",
     "sandbox_reports": [],
     "is_email": "",
     "body_content_type": "",
     "logo_s3_url": "",
     "created_ts": "",
     "owner_org": {
         "id": "",
         "name": "",
         "resource_uri": ""
     },
     "comments": [],
     "watched_total_count": "",
     "owner_user_name": "",
     "starred_by_me": "",
     "assignee_org_name": "",
     "modified_ts": "",
     "workgroups": [],
     "is_cloneable": "",
     "owner_user": {
         "can_share_intelligence": "",
         "avatar_s3_url": "",
         "id": "",
         "resource_uri": "",
         "email": "",
         "organization": {
             "id": "",
             "name": "",
             "resource_uri": ""
         },
         "nickname": "",
         "is_active": true,
         "is_readonly": "",
         "must_change_password": "",
         "name": ""
     },
     "embedded_content_type": "",
     "is_public": false,
     "watched_by_me": "",
     "owner_org_id": "",
     "published_ts": "",
     "assignee_org": "",
     "all_circles_visible": "",
     "assignee_user_name": ""
}

Output schema if an attachment is provided
{
     "attachment": {
         "tip_report": "",
         "s3_url": "",
         "content_type": "",
         "modified_ts": "",
         "user": {
             "can_share_intelligence": "",
             "is_active": "",
             "id": "",
             "name": "",
             "is_readonly": "",
             "email": "",
             "organization": {
                 "id": "",
                 "name": "",
                 "resource_uri": ""
             },
             "nickname": "",
             "avatar_s3_url": "",
             "must_change_password": "",
             "resource_uri": ""
         },
         "id": "",
         "filename": "",
         "s3_thumbnail_url": "",
         "signed_thumbnail_url": "",
         "created_ts": "",
         "signed_url": ""
     },
     "threat_bulletin": {
         "embedded_content_url": "",
         "feed_id": "",
         "import_sessions": [
             {
                 "numIndicators": "",
                 "trusted_circles": [],
                 "tags": [],
                 "notes": "",
                 "is_anonymous": "",
                 "fileType": "",
                 "default_comment": "",
                 "confidence": "",
                 "visibleForReview": "",
                 "processed_ts": "",
                 "sandbox_submit": "",
                 "jobID": "",
                 "numRejected": "",
                 "resource_uri": "",
                 "orginal_intelligence": "[]",
                 "date_modified": "",
                 "num_private": "",
                 "workgroups": [],
                 "fileName": "",
                 "tlp": "",
                 "date": "",
                 "messages": "",
                 "intelligence_source": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "is_public": "",
                 "source_confidence_weight": "",
                 "id": "",
                 "num_public": "",
                 "approved_by_id": "",
                 "email": "",
                 "status": "",
                 "approved_by": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "name": "",
                 "user_id": ""
             }
         ],
         "attachments": [
             {
                 "s3_url": "",
                 "tip_report": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": "",
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "modified_ts": "",
                 "filename": "",
                 "s3_thumbnail_url": "",
                 "signed_thumbnail_url": "",
                 "created_ts": "",
                 "content_type": "",
                 "signed_url": ""
             }
         ],
         "history": [
             {
                 "action": "",
                 "quantity": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "tip_report": "",
                 "detail": "",
                 "ts": ""
             },
             {
                 "action": "",
                 "quantity": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": " ",
                     "organization": {
                         "id": "",
                         "name": " ",
                         "resource_uri": " "
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "tip_report": "",
                 "detail": "",
                 "ts": ""
             },
             {
                 "action": "",
                 "quantity": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "tip_report": "",
                 "detail": "",
                 "ts": ""
             },
             {
                 "action": "",
                 "quantity": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "tip_report": "",
                 "detail": "",
                 "ts": ""
             },
             {
                 "action": "",
                 "quantity": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "tip_report": "",
                 "detail": "",
                 "ts": ""
             },
             {
                 "action": "",
                 "quantity": "",
                 "id": "",
                 "user": {
                     "can_share_intelligence": "",
                     "avatar_s3_url": "",
                     "id": "",
                     "resource_uri": "",
                     "email": "",
                     "organization": {
                         "id": "",
                         "name": "",
                         "resource_uri": ""
                     },
                     "nickname": "",
                     "is_active": true,
                     "is_readonly": "",
                     "must_change_password": "",
                     "name": ""
                 },
                 "tip_report": "",
                 "detail": "",
                 "ts": ""
             }
         ],
         "is_anonymous": "",
         "assignee_org_id": "",
         "original_source": "",
         "assignee_user_id": "",
         "parent": "",
         "circles": [],
         "is_editable": true,
         "starred_total_count": "",
         "votes": {
             "me": "",
             "total": ""
         },
         "source": "",
         "threat_actor": "",
         "name": "",
         "owner_org_name": "",
         "owner_user_id": "",
         "tlp": "",
         "original_source_id": "",
         "campaign": "",
         "body": "",
         "status": "",
         "id": "",
         "private_status_id": "",
         "assignee_user": {
             "can_share_intelligence": "",
             "avatar_s3_url": "",
             "id": "",
             "resource_uri": "",
             "email": "",
             "organization": {
                 "id": "",
                 "name": "",
                 "resource_uri": ""
             },
             "nickname": "",
             "is_active": "",
             "is_readonly": "",
             "must_change_password": "",
             "name": ""
         },
         "ttp": "",
         "resource_uri": "",
         "sandbox_reports": [],
         "is_email": "",
         "body_content_type": "",
         "logo_s3_url": "",
         "created_ts": "",
         "owner_org": {
             "id": "",
             "name": "",
             "resource_uri": ""
         },
         "comments": [],
         "watched_total_count": "",
         "owner_user_name": "",
         "starred_by_me": "",
         "assignee_org_name": "",
         "modified_ts": "",
         "workgroups": [],
         "is_cloneable": "",
         "owner_user": {
             "can_share_intelligence": "",
             "avatar_s3_url": "",
             "id": "",
             "resource_uri": "",
             "email": "",
             "organization": {
                 "id": "",
                 "name": "",
                 "resource_uri": ""
             },
             "nickname": "",
             "is_active": true,
             "is_readonly": "",
             "must_change_password": "",
             "name": ""
         },
         "embedded_content_type": "",
         "is_public": false,
         "watched_by_me": "",
         "owner_org_id": "",
         "published_ts": "",
         "assignee_org": "",
         "all_circles_visible": "",
         "assignee_user_name": ""
     }
}

operation: Get Threat Bulletin List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Search Query Valid query to be run on the ThreatStream server based on which you want to retrieve the list of threat bulletins. For example, created_ts__gte=2014-10-02T20:44:35
Number of Records to Return This parameter determines whether the operation will Fetch All Records or Fetch Limited Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "previous": "",
         "limit": "",
         "total_count": "",
         "offset": "",
         "next": ""
     },
     "objects": [
         {
             "ttp": "",
             "feed_id": "",
             "campaign": "",
             "assignee_user": "",
             "tags": [],
             "is_anonymous": "",
             "assignee_org_id": "",
             "is_editable": "",
             "assignee_user_id": "",
             "parent": "",
             "circles": [
                 {
                     "description": "",
                     "name": "",
                     "resource_uri": "",
                     "openinvite": "",
                     "member": "",
                     "can_edit": "",
                     "pending": "",
                     "num_members": "",
                     "public": "",
                     "is_freemium": "",
                     "can_invite": "",
                     "id": "",
                     "validate_subscriptions": "",
                     "can_override_confidence": "",
                     "anonymous_sharing": "",
                     "restricted_publishing": "",
                     "num_administrators": ""
                 }
             ],
             "original_source": "",
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "source": "",
             "name": "",
             "owner_org_name": "",
             "owner_user_id": "",
             "tlp": "",
             "original_source_id": "",
             "status": "",
             "owner_org_id": "",
             "watched_by_me": "",
             "resource_uri": "",
             "threat_actor": "",
             "body_content_type": "",
             "created_ts": "",
             "owner_org": {
                 "id": "",
                 "resource_uri": "",
                 "name": ""
             },
             "assignee_org": "",
             "is_email": "",
             "owner_user_name": "",
             "starred_by_me": "",
             "assignee_org_name": "",
             "modified_ts": "",
             "workgroups": [],
             "is_cloneable": "",
             "owner_user": {
                 "avatar_s3_url": "",
                 "email": "",
                 "is_active": "",
                 "id": "",
                 "resource_uri": "",
                 "can_share_intelligence": "",
                 "organization": {
                     "id": "",
                     "resource_uri": "",
                     "name": ""
                 },
                 "nickname": "",
                 "is_readonly": "",
                 "must_change_password": "",
                 "name": ""
             },
             "is_public": "",
             "id": "",
             "published_ts": "",
             "all_circles_visible": "",
             "watched_total_count": "",
             "assignee_user_name": ""
         }
     ]
}
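
The paging and incremental-query behaviour described for this operation, as an added example that is not part of the connector or of the Anomali API: `fetch_page(query, limit, offset)` is a hypothetical callable standing in for the "Get Threat Bulletin List" call and returning a dict shaped like the schema above; the in-memory server and the bulletin records are constructed sample data. The example also shows why a stored `created_ts__gte` watermark is not enough on its own: the filter is inclusive, so the bulletin at the watermark is returned again and must be de-duplicated by id.

```python
from typing import Callable, Dict, Iterator, List, Optional, Set, Tuple

Page = Dict[str, object]
# Hypothetical signature: fetch_page(query, limit, offset) -> {"meta": ..., "objects": [...]}
FetchPage = Callable[[str, int, int], Page]


def build_query(last_seen: Optional[str]) -> str:
    """Incremental filter in the syntax the Search Query parameter takes,
    e.g. created_ts__gte=2014-10-02T20:44:35. Empty string means no filter."""
    return f"created_ts__gte={last_seen}" if last_seen else ""


def fetch_all(fetch_page: FetchPage, query: str, limit: int = 100) -> Iterator[Dict]:
    """Fetch All Records: walk limit/offset pages until meta.next is empty.
    Also stops on an empty page or once offset reaches total_count, so a server
    that keeps emitting a next link cannot keep the playbook looping."""
    offset = 0
    while True:
        page = fetch_page(query, limit, offset)
        objects = list(page.get("objects", []))
        yield from objects
        meta = page.get("meta", {})
        if not objects or not meta.get("next"):
            return
        offset += int(meta.get("limit") or limit)
        total = meta.get("total_count")
        if total not in ("", None) and offset >= int(total):
            return


def fetch_limited(fetch_page: FetchPage, query: str, limit: int, offset: int) -> List[Dict]:
    """Fetch Limited Records: one page of at most `limit` objects at a 0-based offset."""
    return list(fetch_page(query, limit, offset).get("objects", []))


def ingest(fetch_page: FetchPage, last_seen: Optional[str], known_ids: Set[int],
           limit: int = 100) -> Tuple[List[Dict], Optional[str]]:
    """Pull bulletins created since `last_seen`, skip ids already ingested
    (known_ids is persisted across runs), and return the new records plus the
    watermark to store for the next run (highest created_ts seen)."""
    records: List[Dict] = []
    watermark = last_seen
    for bulletin in fetch_all(fetch_page, build_query(last_seen), limit):
        if bulletin["id"] in known_ids:
            continue  # created_ts__gte is inclusive: the watermark record comes back
        known_ids.add(bulletin["id"])
        records.append(bulletin)
        # ISO timestamps of identical format compare correctly as strings
        if watermark is None or bulletin["created_ts"] > watermark:
            watermark = bulletin["created_ts"]
    return records, watermark


def make_fake_server(bulletins: List[Dict]) -> FetchPage:
    """Constructed stand-in for the ThreatStream side: honours created_ts__gte
    and serves limit/offset pages with a meta block like the schema above."""
    def fetch_page(query: str, limit: int, offset: int) -> Page:
        rows = sorted(bulletins, key=lambda b: b["created_ts"])
        if query.startswith("created_ts__gte="):
            since = query.split("=", 1)[1]
            rows = [b for b in rows if b["created_ts"] >= since]
        has_next = offset + limit < len(rows)
        return {
            "meta": {
                "limit": limit,
                "offset": offset,
                "total_count": len(rows),
                "next": f"?limit={limit}&offset={offset + limit}" if has_next else None,
                "previous": f"?limit={limit}&offset={offset - limit}" if offset else None,
            },
            "objects": rows[offset:offset + limit],
        }
    return fetch_page


# Constructed sample bulletins (only the fields the example uses), not real intelligence
SAMPLE_BULLETINS = [
    {"id": 1, "name": "Phishing wave A", "tlp": "amber", "created_ts": "2014-10-01T09:00:00"},
    {"id": 2, "name": "Campaign B", "tlp": "green", "created_ts": "2014-10-02T20:44:35"},
    {"id": 3, "name": "Actor C report", "tlp": "red", "created_ts": "2014-10-03T08:15:00"},
    {"id": 4, "name": "Malware D", "tlp": "white", "created_ts": "2014-10-04T11:30:00"},
    {"id": 5, "name": "Infra E", "tlp": "amber", "created_ts": "2014-10-05T12:00:00"},
]

if __name__ == "__main__":
    server = make_fake_server(SAMPLE_BULLETINS)
    known: Set[int] = set()
    first_run, mark = ingest(server, None, known, limit=2)
    print(len(first_run), mark)            # 5 2014-10-05T12:00:00
    second_run, mark = ingest(server, mark, known, limit=2)
    print(len(second_run), mark)           # 0 2014-10-05T12:00:00
```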

operation: Get Threat Bulletin Entities

Input parameters

Parameter Description
Threat Bulletin ID ID of the threat bulletin whose associated threat model entities you want to retrieve from ThreatStream.
Entity Type Type of the threat model entity, associated with the specified threat bulletin, that you want to retrieve from ThreatStream. You can choose from the following types: Actor, Campaign, Incident, Signature, Tipreport, TTP, or Vulnerability.
Number of Records to Return This parameter determines whether the operation will Fetch All Records or Fetch Limited Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema, based on the entity type you have selected.

Output schema for the Actor entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "publication_status": "",
             "resource_uri": "",
             "assignee_user": "",
             "tags": [],
             "is_anonymous": "",
             "created_ts": "",
             "is_team": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "aliases": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "modified_ts": "",
             "name": "",
             "workgroups": [],
             "organization_id": "",
             "tlp": "",
             "is_public": "",
             "id": "",
             "is_cloneable": "",
             "published_ts": "",
             "starred_by_me": "",
             "watched_total_count": "",
             "start_date": ""
         }
     ]
}

Output schema for the Campaign entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "publication_status": "",
             "resource_uri": "",
             "assignee_user": "",
             "tags": [],
             "is_anonymous": "",
             "published_ts": "",
             "created_ts": "",
             "watched_total_count": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "modified_ts": "",
             "name": "",
             "workgroups": [],
             "organization_id": "",
             "end_date": "",
             "is_public": "",
             "id": "",
             "is_cloneable": "",
             "status": {
                 "id": "",
                 "display_name": "",
                 "resource_uri": ""
             },
             "starred_by_me": "",
             "tlp": "",
             "start_date": ""
         }
     ]
}

Output schema for the Incident entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "publication_status": "",
             "resource_uri": "",
             "tags": [],
             "is_anonymous": "",
             "published_ts": "",
             "created_ts": "",
             "watched_total_count": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "modified_ts": "",
             "name": "",
             "workgroups": [],
             "organization_id": "",
             "end_date": "",
             "is_public": "",
             "id": "",
             "is_cloneable": "",
             "status": {
                 "id": "",
                 "display_name": "",
                 "resource_uri": ""
             },
             "starred_by_me": "",
             "tlp": "",
             "start_date": ""
         }
     ]
}

Output schema for the Signature entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "publication_status": "",
             "resource_uri": "",
             "assignee_user": "",
             "tags": [],
             "is_anonymous": "",
             "created_ts": "",
             "watched_total_count": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "modified_ts": "",
             "name": "",
             "s_type": "",
             "organization_id": "",
             "tlp": "",
             "workgroups": [],
             "is_public": "",
             "id": "",
             "is_cloneable": "",
             "published_ts": "",
             "starred_by_me": ""
         }
     ]
}

Output schema for the Tipreport entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "campaign": "",
             "assignee_user": "",
             "tags": [],
             "is_anonymous": "",
             "assignee_org_id": "",
             "original_source": "",
             "assignee_user_id": "",
             "parent": "",
             "circles": [
                 {
                     "description": "",
                     "name": "",
                     "resource_uri": "",
                     "is_freemium": "",
                     "member": "",
                     "can_edit": "",
                     "pending": "",
                     "num_members": "",
                     "public": "",
                     "openinvite": "",
                     "can_invite": "",
                     "anonymous_sharing": "",
                     "validate_subscriptions": "",
                     "can_override_confidence": "",
                     "restricted_publishing": "",
                     "id": "",
                     "num_administrators": ""
                 }
             ],
             "is_editable": "",
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "source": "",
             "assignee_user_name": "",
             "name": "",
             "owner_org_name": "",
             "owner_user_id": "",
             "tlp": "",
             "original_source_id": "",
             "status": "",
             "owner_org_id": "",
             "ttp": "",
             "resource_uri": "",
             "threat_actor": "",
             "body_content_type": "",
             "created_ts": "",
             "owner_org": {
                 "id": "",
                 "name": "",
                 "resource_uri": ""
             },
             "assignee_org": "",
             "is_email": "",
             "owner_user_name": "",
             "starred_by_me": "",
             "all_circles_visible": "",
             "modified_ts": "",
             "workgroups": [],
             "is_cloneable": "",
             "owner_user": {
                 "can_share_intelligence": "",
                 "is_active": "",
                 "id": "",
                 "name": "",
                 "is_readonly": "",
                 "email": "",
                 "organization": {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 },
                 "nickname": "",
                 "avatar_s3_url": "",
                 "must_change_password": "",
                 "resource_uri": ""
             },
             "is_public": "",
             "id": "",
             "published_ts": "",
             "assignee_org_name": "",
             "watched_total_count": ""
         }
     ]
}

Output schema for the TTP entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "watched_by_me": "",
             "feed_id": "",
             "publication_status": "",
             "resource_uri": "",
             "assignee_user": "",
             "tags": [],
             "is_anonymous": "",
             "created_ts": "",
             "is_category": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "starred_total_count": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "votes": {
                 "me": "",
                 "total": ""
             },
             "modified_ts": "",
             "name": "",
             "workgroups": [],
             "organization_id": "",
             "tlp": "",
             "children": [],
             "is_public": "",
             "id": "",
             "is_cloneable": "",
             "published_ts": "",
             "starred_by_me": "",
             "watched_total_count": ""
         }
     ]
}

Output schema for the Vulnerability entity type:
{
     "meta": {
         "previous": "",
         "next": "",
         "total_count": "",
         "offset": "",
         "limit": ""
     },
     "objects": [
         {
             "organization_id": "",
             "feed_id": "",
             "publication_status": "",
             "modified_ts": "",
             "name": "",
             "workgroups": [],
             "is_cloneable": "",
             "assignee_user": "",
             "tags": [],
             "created_ts": "",
             "is_anonymous": "",
             "is_public": "",
             "id": "",
             "is_system": "",
             "circles": [
                 {
                     "id": "",
                     "name": "",
                     "resource_uri": ""
                 }
             ],
             "published_ts": "",
             "update_id": "",
             "tags_v2": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "tlp": "",
             "source": "",
             "resource_uri": ""
         }
     ]
}

operation: Get Threat Bulletin Observables

Input parameters

Parameter Description
Threat Bulletin ID ID of the threat bulletin whose associated observables you want to retrieve from ThreatStream.
Number of Records to Return This parameter determines whether the operation will Fetch All Records or Fetch Limited Records.
If you select Fetch Limited Records, then you must specify the following additional parameters:
  • Limit: Maximum number of results that this operation should return.
  • Offset: 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "meta": {
         "previous": "",
         "limit": "",
         "total_count": "",
         "offset": "",
         "next": ""
     },
     "objects": [
         {
             "value": "",
             "meta": {
                 "detail2": "",
                 "detail": "",
                 "severity": ""
             },
             "feed_id": "",
             "asn": "",
             "resource_uri": "",
             "trusted_circle_ids": [],
             "source_reported_confidence": "",
             "longitude": "",
             "tags": [
                 {
                     "id": "",
                     "name": ""
                 }
             ],
             "is_anonymous": "",
             "trusted_circles_ids": [],
             "comments": [
                 {
                     "created_ts": "",
                     "id": "",
                     "user": {
                         "can_share_intelligence": "",
                         "is_active": "",
                         "id": "",
                         "name": "",
                         "is_readonly": "",
                         "email": "",
                         "organization": {
                             "id": "",
                             "name": "",
                             "resource_uri": ""
                         },
                         "nickname": "",
                         "avatar_s3_url": "",
                         "must_change_password": "",
                         "resource_uri": ""
                     },
                     "tlp": "",
                     "ip_address": "",
                     "comment": ""
                 }
             ],
             "created_ts": "",
             "confidence": "",
             "latitude": "",
             "threat_type": "",
             "type": "",
             "org": "",
             "source": "",
             "threatscore": "",
             "country": "",
             "ip": "",
             "modified_ts": "",
             "owner_organization_id": "",
             "workgroups": [],
             "expiration_ts": "",
             "uuid": "",
             "import_session_id": "",
             "is_public": "",
             "id": "",
             "retina_confidence": "",
             "status": "",
             "update_id": "",
             "rdns": "",
             "tlp": "",
             "itype": ""
         }
     ]
}
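As an added example (not connector code), the following Python walks the Fetch Limited Records pages of the Get Threat Bulletin Observables output using the meta fields above and keeps only active, unexpired observables, collapsing duplicates to the highest-confidence record. It assumes that offset counts records (as meta.offset suggests), that status is "active" for live observables, and that an empty expiration_ts means no expiry; the pages, ids and values are constructed.

```python
from datetime import datetime
from typing import Any, Callable, Dict, List, Tuple

# Constructed pages in the shape of the output above, as returned for
# Fetch Limited Records with Limit=2; ids, values and timestamps are made up.
SAMPLE_PAGES = {
    0: {"meta": {"offset": 0, "limit": 2, "total_count": 3, "next": "/api/v2/?offset=2"},
        "objects": [
            {"id": 1, "itype": "mal_ip", "value": "203.0.113.10", "confidence": 80,
             "status": "active", "expiration_ts": "2099-01-01T00:00:00"},
            {"id": 2, "itype": "mal_md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
             "confidence": 50, "status": "active", "expiration_ts": ""}]},
    2: {"meta": {"offset": 2, "limit": 2, "total_count": 3, "next": None},
        "objects": [
            {"id": 3, "itype": "mal_ip", "value": "203.0.113.10", "confidence": 95,
             "status": "inactive", "expiration_ts": "2000-01-01T00:00:00"}]},
}


def fetch_page(offset: int, limit: int) -> Dict[str, Any]:
    """Stand-in for one connector call with Fetch Limited Records / Limit / Offset."""
    return SAMPLE_PAGES[offset]


def fetch_all(page_fn: Callable[[int, int], Dict[str, Any]], limit: int = 2,
              max_pages: int = 1000) -> List[Dict[str, Any]]:
    """Walk meta.offset/limit/total_count until the last page; cap the loop so a
    server that keeps returning a 'next' link cannot spin the playbook forever."""
    objects, offset = [], 0
    for _ in range(max_pages):
        page = page_fn(offset, limit)
        objects.extend(page["objects"])
        meta = page["meta"]
        if not meta.get("next") or offset + limit >= int(meta["total_count"]):
            break
        offset += limit
    return objects


def active_observables(objects, now_iso: str) -> Dict[Tuple[str, str], Dict[str, Any]]:
    """Drop observables that are not active or already expired, then collapse
    duplicates of the same (itype, value), keeping the highest confidence.
    The 'active' status value and empty-expiration convention are assumptions."""
    now, best = datetime.fromisoformat(now_iso), {}
    for obj in objects:
        exp = obj.get("expiration_ts")
        if obj.get("status") != "active" or (exp and datetime.fromisoformat(exp) <= now):
            continue
        key = (obj["itype"], obj["value"])
        if key not in best or obj["confidence"] > best[key]["confidence"]:
            best[key] = obj
    return best
```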

operation: Submit URLs or Files to Sandbox

Input parameters

Parameter Description
Classification of the Sandbox Submission Classify the files or URLs that you are submitting to the ThreatStream Sandbox as Public or Private.
Sandbox Select the sandbox type and the respective platform on which you want to run the submitted URL or file. You can choose from the following sandbox options: ThreatStream Sandbox, ThreatStream Joe Sandbox, or Joe Sandbox via an individual subscription.
Supported Platforms Select the platform on which you want to run the submitted URL or file from the list of platforms supported by the sandbox type you have chosen.
If you choose ThreatStream Sandbox, then you can choose from the following supported platforms: All, WindowsXP, or Windows7.
If you choose ThreatStream Joe Sandbox, then you can choose from the following supported platforms: MacOSX, Windows7, Windows7Office2010, or Windows10X64.
If you choose Joe Sandbox via an individual subscription, then you can choose from the following supported platforms: Android4.4, Android5.1, Android6.0, MacOSX, WindowsXP, WindowsXPNative, Windows7, Windows7Native, Windows7Office2010, Windows7Office2013, Windows10 or Windows10X64.
Sample type Type of sample that you want to submit to ThreatStream. You can choose between URL or File.
If you choose URL, then in the URL field specify the URL that you want to submit to ThreatStream.
If you choose File, then in the CyOPs Attachment IRI field specify the IRI of the file from the FortiSOAR™ 'Attachment' module that you want to submit to ThreatStream.
Tags Comma-separated list of tags that provide additional details of the indicator that you want to submit to ThreatStream.
Use Premium Sandbox Select this checkbox (set it to true) if you want to use a premium sandbox for the file that you are submitting to ThreatStream.
Trusted Circle IDs (Optional) ID of the trusted circle with which you want to associate the sandbox data. If you want to specify multiple trusted circles, enter a list of comma-separated Trusted Circle IDs.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "reports": {
         "WINDOWSXP": {
             "status": "",
             "id": "",
             "detail": ""
         },
         "WINDOWS7": {
             "status": "",
             "id": "",
             "detail": ""
         }
     }
}

operation: Get Sandbox Status of Submitted URL/File

Input parameters

Parameter Description
Report ID ID of the sandbox report whose status for the submitted URL or file you want to retrieve from ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "circles": [],
     "message": "",
     "virustotal": "",
     "resource_uri": "",
     "file": "",
     "notes": "",
     "starred_total_count": "",
     "sha1": "",
     "confidence": "",
     "watched_total_count": "",
     "misc_info": "",
     "platform_label": "",
     "starred_by_me": "",
     "platform": "",
     "priority": "",
     "votes": {
         "me": "",
         "total": ""
     },
     "pdf_generated": "",
     "import_indicators": "",
     "date_added": "",
     "verdict": "",
     "html_report": "",
     "watched_by_me": "",
     "user": {
         "username": "",
         "id": ""
     },
     "maec_report": "",
     "reportid": "",
     "sha256": "",
     "detail": "",
     "jobID": "",
     "id": "",
     "user_id": "",
     "yara": "",
     "status": "",
     "comments": [],
     "url": "",
     "classification": "",
     "md5": ""
}

operation: Get Sandbox Report of Submitted URL/File

Input parameters

Parameter Description
Sandbox Report ID ID of the sandbox report for the submitted URL or file that you want to retrieve from ThreatStream.

Output

The output contains the following populated JSON schema:
{
     "screenshots": [],
     "pcap": "",
     "success": true,
     "results": {
         "behavior": {
             "summary": {
                 "mutexes": [],
                 "files": [],
                 "keys": []
             },
             "anomaly": [],
             "processes": [
                 {
                     "first_seen": "",
                     "calls": [
                         {
                             "return": "",
                             "arguments": [
                                 {
                                     "value": "",
                                     "name": ""
                                 }
                             ],
                             "timestamp": "",
                             "id": "",
                             "status": "",
                             "api": "",
                             "category": "",
                             "thread_id": "",
                             "repeated": ""
                         }
                     ],
                     "parent_id": "",
                     "process_name": "",
                     "process_id": ""
                 }
             ],
             "processtree": [
                 {
                     "parent_id": "",
                     "children": [],
                     "pid": "",
                     "name": ""
                 }
             ],
             "enhanced": [
                 {
                     "data": {
                         "moduleaddress": "",
                         "file": "",
                         "pathtofile": ""
                     },
                     "event": "",
                     "timestamp": "",
                     "eid": "",
                     "object": ""
                 },
                 {
                     "data": {
                         "moduleaddress": "",
                         "file": "",
                         "pathtofile": ""
                     },
                     "event": "",
                     "timestamp": "",
                     "eid": "",
                     "object": ""
                 },
                 {
                     "data": {
                         "content": "",
                         "object": "",
                         "regkey": ""
                     },
                     "event": "",
                     "timestamp": "",
                     "eid": "",
                     "object": ""
                 },
                 {
                     "data": {
                         "moduleaddress": "",
                         "file": "",
                         "pathtofile": ""
                     },
                     "event": "",
                     "timestamp": "",
                     "eid": "",
                     "object": ""
                 }
             ]
         },
         "signatures": [],
         "procmemory": [],
         "debug": {
             "log": "",
             "errors": []
         },
         "network": {
             "udp": [
                 {
                     "dst": "",
                     "offset": "",
                     "time": "",
                     "dport": "",
                     "src": "",
                     "sport": ""
                 }
             ],
             "tcp": [],
             "domains": [],
             "sorted_pcap_sha256": "",
             "irc": [],
             "http": [],
             "smtp": [],
             "hosts": [],
             "dns": [],
             "icmp": [],
             "pcap_sha256": ""
         },
         "info": {
             "started": "",
             "ended": "",
             "duration": "",
             "package": "",
             "version": "",
             "machine": {
                 "manager": "",
                 "shutdown_on": "",
                 "id": "",
                 "name": "",
                 "label": "",
                 "started_on": ""
             },
             "category": "",
             "id": "",
             "custom": ""
         },
         "dropped": [],
         "static": {
             "pe_imports": [
                 {
                     "dll": "",
                     "imports": [
                         {
                             "address": "",
                             "name": ""
                         }
                     ]
                 },
                 {
                     "dll": "",
                     "imports": [
                         {
                             "address": "",
                             "name": ""
                         }
                     ]
                 }
             ],
             "pe_timestamp": "",
             "pe_sections": [
                 {
                     "virtual_size": "",
                     "virtual_address": "",
                     "name": "",
                     "entropy": "",
                     "size_of_data": ""
                 }
             ],
             "pe_imphash": "",
             "pe_exports": [],
             "pe_resources": [],
             "peid_signatures": "",
             "imported_dll_count": "",
             "pe_versioninfo": []
         },
         "target": {
             "file": {
                 "crc32": "",
                 "sha1": "",
                 "ssdeep": "",
                 "name": "",
                 "yara": [],
                 "type": "",
                 "sha512": "",
                 "path": "",
                 "sha256": "",
                 "size": "",
                 "md5": ""
             },
             "category": ""
         }
     }
}
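As an added example (not connector code), a Python routine that reduces the Get Sandbox Report output above to indicators and triage flags a playbook step could act on: file hashes, contacted hosts and domains, registry keys written under a Run key, and high-entropy PE sections. Field paths follow the schema above; the element shapes of network.domains and network.hosts, the 7.0 entropy threshold, and all sample values are assumptions or constructed.

```python
from typing import Any, Dict

SAMPLE_REPORT = {  # constructed; hashes, IPs and paths are placeholders
    "success": True,
    "results": {
        "target": {"category": "file", "file": {
            "name": "sample.exe", "md5": "0" * 32, "sha1": "", "sha256": "1" * 64}},
        "network": {
            "udp": [{"src": "192.0.2.5", "sport": 49152, "dst": "198.51.100.7", "dport": 53}],
            "tcp": [{"src": "192.0.2.5", "sport": 49153, "dst": "203.0.113.9", "dport": 80}],
            "domains": [{"domain": "example.test", "ip": "198.51.100.7"}],  # assumed shape
            "hosts": ["198.51.100.7", "203.0.113.9"],                       # assumed shape
        },
        "behavior": {
            "summary": {"mutexes": ["Global\\ConstructedMutex"], "files": [], "keys": []},
            "enhanced": [{"event": "write", "object": "registry", "eid": 2, "timestamp": "",
                          "data": {"object": "registry", "content": "C:\\Users\\u\\x.tmp",
                                   "regkey": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"}}],
        },
        "static": {"pe_imphash": "2" * 32, "pe_sections": [
            {"name": ".text", "entropy": 6.1}, {"name": ".rsrc", "entropy": 7.4}]},
    },
}


def summarize_report(report: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a sandbox report to indicators and triage flags a playbook can act on."""
    if not report.get("success"):
        raise ValueError("sandbox report not ready or failed")
    r = report["results"]
    f = r.get("target", {}).get("file", {})
    net, beh, static = r.get("network", {}), r.get("behavior", {}), r.get("static", {})
    dsts = {c["dst"] for k in ("udp", "tcp") for c in net.get(k, []) if c.get("dst")}
    hosts = {h for h in net.get("hosts", []) if isinstance(h, str)}
    domains = {d["domain"] if isinstance(d, dict) else d for d in net.get("domains", [])}
    regkeys = [e["data"]["regkey"] for e in beh.get("enhanced", [])
               if "regkey" in (e.get("data") or {})]
    regkeys += beh.get("summary", {}).get("keys", [])
    # Run-key writes and high-entropy PE sections (>= 7.0 is a common packing
    # heuristic, not a value from the page) are cheap triage signals.
    persistence = [k for k in regkeys if "\\currentversion\\run" in k.lower()]
    packed = [s["name"] for s in static.get("pe_sections", [])
              if float(s.get("entropy") or 0) >= 7.0]
    return {
        "hashes": {h: f[h] for h in ("md5", "sha1", "sha256") if f.get(h)},  # skip empty
        "imphash": static.get("pe_imphash") or None,
        "network": sorted(dsts | hosts | domains),
        "mutexes": sorted(beh.get("summary", {}).get("mutexes", [])),
        "persistence_keys": persistence,
        "high_entropy_sections": packed,
    }
```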

operation: Get Intelligence Enrichments

Input parameters

Parameter Description
Third Party TI Third-party Threat Intelligence (TI) tool from which you want to retrieve enrichment data for the observable. You can choose from the following options: Recorded Future, Risk IQ, or Passive DNS.
  • If you choose Recorded Future, then you must specify the following parameters:
    • Observable Type: Select the type of observable for which you want to retrieve enrichment data from Recorded Future. You can choose from the following options: IP, Domain, or MD5.
      • If you choose IP, then in the IP Address field, specify the IP address for which you want to retrieve enrichment data from Recorded Future.
      • If you choose Domain, then in the Domain value field, specify the value of the domain for which you want to retrieve enrichment data from Recorded Future.
      • If you choose MD5, then in the Filehash field, specify the filehash for which you want to retrieve enrichment data from Recorded Future.
  • If you choose Risk IQ, then you must specify the following parameter:
    • IP Address: IP address for which you want to retrieve enrichment data from Risk IQ.
  • If you choose Passive DNS, then you must specify the following parameters:
    • Observable Type: Select the type of observable for which you want to retrieve enrichment data from Passive DNS. You can choose from the following options: IP or Domain.
      • If you choose IP, then in the IP Address field, specify the IP address for which you want to retrieve enrichment data from Passive DNS.
      • If you choose Domain, then in the Domain value field, specify the value of the domain for which you want to retrieve enrichment data from Passive DNS.

Output

The output contains the following populated JSON schema:

Output schema if 'Third Party TI' is 'Passive DNS'
{
     "cached": "",
     "results": [
         {
             "ip": "",
             "first_seen": "",
             "domain": "",
             "source": "",
             "rrtype": "",
             "last_seen": ""
         }
     ]
}

Output schema if 'Third Party TI' is 'Recorded Future'
{
     "cached": "",
     "results": [
         {
             "criticalityLable": "",
             "evidenceDetails": "",
             "relatedEntities": "",
             "hits": "",
             "recordedFutureUrl": "",
             "dateFirst": "",
             "riskScore": "",
             "dateLast": "",
             "sources": ""
         }
     ]
}

Output schema if 'Third Party TI' is 'Risk IQ'
{
     "results": [
         {
             "subject_country": "",
             "first_seen": "",
             "link": "",
             "subject_name": "",
             "issue_date": "",
             "source": "",
             "expiration_date": "",
             "issuer_org_name": "",
             "sha1": "",
             "last_seen": ""
         }
     ]
}

Included playbooks

The Sample - Anomali ThreatStream - 2.2.1 playbook collection comes bundled with the Anomali ThreatStream connector. This playbook collection contains steps that show how to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Anomali ThreatStream connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.