Anomali ThreatStream

Integration version: 9.0

Configure Anomali ThreatStream integration in Google Security Operations SOAR

For detailed instructions about how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter name Type Default value Is mandatory Description
Web Root String https://siemplify.threatstream.com Yes

Web Root of the Anomali ThreatStream instance.

This parameter is used for creating report links across integration items.

API Root String https://api.threatstream.com Yes API Root of the Anomali ThreatStream instance.
Email Address String N/A Yes Email address of the Anomali ThreatStream account.
API Key Password N/A Yes API key of the Anomali ThreatStream account.
Verify SSL Checkbox Checked Yes If enabled, verifies that the SSL certificate for the connection to the Anomali ThreatStream server is valid.

Product use cases

Perform active actions - entity enrichment.

Actions

Add Tags To Entities

Description

Add tags to entities in Anomali ThreatStream.

Parameters

Parameter name Type Default value Is mandatory Description
Tags CSV N/A Yes Specify a comma-separated list of tags that need to be added to entities in Anomali ThreatStream.

Run On

This action runs on the following entities:

  • Hash
  • IP Address
  • URL
  • Email

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
N/A
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found (is_success=true): "Successfully added tags to the following entities in Anomali ThreatStream:\n{0}".format(entity.identifier list)

If not found specific entities (is_success=true): "The following entities were not found in Anomali ThreatStream\n: {0}".format([entity.identifier])

If not found all entities (is_success=false): "None of the provided entities were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Add Tags To Entities". Reason: {0}''.format(error.Stacktrace)

General

Enrich entities

Description

Retrieve information about IPs, URLs, hashes, email addresses from Anomali ThreatStream.

Parameters

Parameter name Type Default value Is mandatory Description
Severity Threshold DDL

Low

Possible values:

  • Very High
  • High
  • Medium
  • Low
Yes Specify what should be the severity threshold for the entity, in order to mark it as suspicious. If multiple records are found for the same entity, action will take the highest severity out of all available records.
Confidence Threshold Integer N/A Yes Specify what should be the confidence threshold for the entity, in order to mark it as suspicious. Note: Maximum is 100. If multiple records are found for the entity, action will take the average. Active records have priority.
Ignore False Positive Status Checkbox Unchecked No If enabled, action will ignore the false positive status and mark the entity as suspicious based on the Severity Threshold and Confidence Threshold. If disabled, action will never label false positive entities as suspicious, regardless, if they pass the Severity Threshold and "Confidence Threshold" conditions or not.
Add Threat Type To Case Checkbox Unchecked No If enabled, action will add threat types of the entity from all records as tags to the case. Example: apt
Only Suspicious Entity Insight Checkbox Unchecked Yes If enabled, action will create insight only for entities that exceeded the Severity Threshold and Confidence Threshold.
Create Insight Checkbox Unchecked Yes If enabled, action will add an insight per processed entity.

Run on

This action runs on the following entities:

  • Hash
  • IP Address
  • URL
  • Email

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
N/A
Entity enrichment
Enrichment field name Logic - When to apply
id When available in JSON
status When available in JSON
itype When available in JSON
expiration_time When available in JSON
ip When available in JSON
feed_id When available in JSON
confidence When available in JSON
uuid When available in JSON
retina_confidence When available in JSON
trusted_circle_ids When available in JSON
source When available in JSON
latitude When available in JSON
type When available in JSON
description When available in JSON
tags When available in JSON
threat_score When available in JSON
source_confidence When available in JSON
modification_time When available in JSON
org_name When available in JSON
asn When available in JSON
creation_time When available in JSON
tlp When available in JSON
country When available in JSON
longitude When available in JSON
severity When available in JSON
subtype When available in JSON
report When available in JSON
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities is enriched (is_success=true): "Successfully enriched the following entities using Anomali ThreatStream: \n {0}".format(entity.identifier list)

If failed to enrich specific entities (is_success=true): "Action was not able to enrich the following entities using Anomali ThreatStream\n: {0}".format([entity.identifier])

If failed to enrich all entities (is_success=false): "No entities were enriched."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."

General
Case Wall Table

Table Name: Related Analysis Links: {entity_identifier}

Table Columns:

  • Name
  • Link
General
Case Wall Table Keys based on the enrichment table Entity

Description

Retrieve entity related associations from Anomali ThreatStream.

Parameters

Parameter name Type Default value Is mandatory Description
Return Campaigns Checkbox Checked No If enabled, action will fetch related campaigns and details about them.
Return Threat Bulletins Checkbox Checked No If enabled, action will fetch related threat bulletins and details about them.
Return Actors Checkbox Checked No If enabled, action will fetch related actors and details about them.
Return Attack Patterns Checkbox Checked No If enabled, action will fetch related attack patterns and details about them.
Return Courses Of Action Checkbox Checked No If enabled, action will fetch related courses of action and details about them.
Return Identities Checkbox Checked No If enabled, action will fetch related identities and details about them.
Return Incidents Checkbox Checked No If enabled, action will fetch related incidents and details about them.
Return Infrastructure Checkbox Checked No If enabled, action will fetch related infrastructure and details about them.
Return Intrusion Sets Checkbox Checked No If enabled, action will fetch related intrusion sets and details about them.
Return Malware Checkbox Checked No If enabled, action will fetch related malware and details about them.
Return Signatures Checkbox Checked No If enabled, action will fetch related signatures and details about them.
Return Tools Checkbox Checked No If enabled, action will fetch related tools and details about them.
Return TTPs Checkbox Checked No If enabled, action will fetch related TTPs and details about them.
Return Vulnerabilities Checkbox Checked No If enabled, action will fetch related vulnerabilities and details about them.
Create Campaign Entity Checkbox Unchecked No If enabled, action will create an entity out of available Campaign associations.
Create Actors Entity Checkbox Unchecked No If enabled, action will create an entity out of available Actor associations.
Create Signature Entity Checkbox Unchecked No If enabled, action will create an entity out of available Signature associations.
Create Vulnerability Entity Checkbox Unchecked No If enabled, action will create an entity out of available Vulnerability associations.
Create Insight Checkbox Checked No If enabled, action will create an insight based on the results.
Create Case Tag Checkbox Unchecked No If enabled, action will create case tags based on the results.
Max Associations To Return Integer 5 No Specify how many associations to return per type. Default: 5
Max Statistics To Return Integer 3 No Specify how many top statistics results regarding IOCs to return. Note: The action will at max process 1000 IOCs related to the association. If you provide 0, action will not try to fetch statistics information.

Run on

This action runs on the following entities:

  • Hash
  • IP Address
  • URL
  • Email

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
{
    "campaign": [
        {
            "name": "Coronavirus",
            "id": 1
        },
        {
            "name": "Bad campaign",
            "id": 2
        }
    ],
    "actor": [
        {
            "name": "Actor 1",
            "id": 1
        },
        {
            "name": "Actor 2",
            "id": 2
        }
    ],
    "attackpattern": [
        {
            "name": "Pattern 1",
            "id": 1
        },
        {
            "name": "Pattern 2",
            "id": 2
        }
    ],
    "courseofaction": [
        {
            "name": "Course of Action 1",
            "id": 1
        },
        {
            "name": "Course Of Action 2",
            "id": 2
        }
    ],
    "identity": [
        {
            "name": "Identity 1",
            "id": 1
        },
        {
            "name": "Identity 2",
            "id": 2
        }
    ],
    "incident": [
        {
            "name": "Incident 1",
            "id": 1
        },
        {
            "name": "Incident 2",
            "id": 2
        }
    ],
    "infrastructure": [
        {
            "name": "Infrustructure 1",
            "id": 1
        },
        {
            "name": "Infrustructure 2",
            "id": 2
        }
    ],
    "intrusionset": [
        {
            "name": "Intrusion set 1",
            "id": 1
        },
        {
            "name": "Intrusion set 2",
            "id": 2
        }
    ],
    "malware": [
        {
            "name": "Malware 1",
            "id": 1
        },
        {
            "name": "Malware 2",
            "id": 2
        }
    ],
    "signature": [
        {
            "name": "Signature 1",
            "id": 1
        },
        {
            "name": "Signature 2",
            "id": 2
        }
    ],
    "tool": [
        {
            "name": "Tool 1",
            "id": 1
        },
        {
            "name": "Tool 2",
            "id": 2
        }
    ],
    "ttp": [
        {
            "name": "TTP 1",
            "id": 1
        },
        {
            "name": "TTP 2",
            "id": 2
        }
    ],
    "vulnerability": [
        {
            "name": "Vulnerability 1",
            "id": 1
        },
        {
            "name": "Vulnerability 2",
            "id": 2
        }
    ],
}
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one association across entities is found (is_success=true): "Successfully retrieved related associations from Anomali ThreatStream"

If no associations are found (is_success=false): "No related associations were found."

Async Message: "Waiting for all of the association details to be retrieved"

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Related Association". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table Name: "Related Associations"

Table Columns:

  • ID
  • Name
  • Type
  • Status

Description

Retrieve related entities based on the associations in Anomali ThreatStream.

Parameters

Parameter name Type Default value Is mandatory Description
Confidence Threshold Integer N/A Yes Specify what should be the confidence threshold. Maximum is 100.
Search Threat Bulletins Checkbox Checked No If enabled, action will search among threat bulletins.
Search Actors Checkbox Checked No If enabled, action will search among actors.
Search Attack Patterns Checkbox Checked No If enabled, action will search among attack patterns.
Search Campaigns Checkbox Checked No If enabled, action will search campaigns.
Search Courses Of Action Checkbox Checked No If enabled, action will search among courses of action.
Search Identities Checkbox Checked No If enabled, action will search among identities.
Search Incidents Checkbox Checked No If enabled, action will search among incidents.
Search Infrastructures Checkbox Checked No If enabled, action will search among infrastructures.
Search Intrusion Sets Checkbox Checked No If enabled, action will search among intrusion sets.
Search Malware Checkbox Checked No If enabled, action will search among malware.
Search Signatures Checkbox Checked No If enabled, action will search among signatures.
Search Tools Checkbox Checked No If enabled, action will search among tools.
Search TTPs Checkbox Checked No If enabled, action will search among ttps.
Search Vulnerabilities Checkbox Checked No If enabled, action will search among vulnerabilities.
Max Entities To Return Integer 50 No Specify how many entities to return per entity type.

Run on

This action runs on the following entities:

  • Hash
  • IP Address
  • URL
  • Email (user entity that matches email regex)
  • Threat Actor
  • CVE

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result

JSON results shouldn't be split between entities. Everything should be in one place.

{
"{}_hashes".format(subtype): [""],
"all_hashes": ["md5hash_1"],
"domains": [""]
"urls": []
"emails": []
"ips": []
}
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found (is_success=true): "Successfully retrieved related hashes from Anomali ThreatStream"

If no hashes are found (is_success=false): "No related hashes were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Related Hashes". Reason: {0}''.format(error.Stacktrace)

If the "Confidence Threshold" parameter is not in 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."

General

Ping

Description

Test connectivity to Anomali ThreatStream with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run on

This action doesn't run on entities, nor has mandatory input parameters.

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
N/A
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Anomali ThreatStream server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful:"Failed to connect to the Anomali ThreatStream server! Error is {0}".format(exception.stacktrace)

General

Remove Tags From Entities

Description

Remove tags from entities in Anomali ThreatStream. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).

Parameters

Parameter name Type Default value Is mandatory Description
Tags CSV N/A Yes Specify a comma-separated list of tags that need to be removed from entities in Anomali ThreatStream.

Run on

This action runs on the following entities:

  • Hash
  • IP Address
  • URL
  • Email

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
N/A
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one tag is removed from one entity (is_success=true): "Successfully removed the following tags from the "{entity.identifier}" entity in Anomali ThreatStream:\n{0}".format(tags)

If one tag is not found for one entity (is_success=true): "The following tags were already not a part of "{entity.identifier}" entity in Anomali ThreatStream:\n{0}".format(tags)

If all tags are not found for one entity (is_success=true): "None of the provided tags were part of "{entity.identifier}" entity in Anomali ThreatStream."

If one entity is not found (is_success=true): "The following entities were not found in Anomali ThreatStream\n: {0}".format([entity.identifier])

If all entities are not found (is_success=false): "None of the provided entities were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Remove Tags From Entities". Reason: {0}''.format(error.Stacktrace)

General

Report As False Positive

Description

Report entities in Anomali ThreatStream as false positive. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).

Parameters

Parameter name Type Default value Is mandatory Description
Reason String N/A Yes Specify the reason why you want to mark entities as false positives.
Comment String N/A Yes Specify additional information related to your decision regarding marking the entity as false positive.

Run on

This action runs on the following entities:

  • Hash
  • IP Address
  • URL
  • Email Address (user entity that matches email regex)

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
N/A
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found (is_success=true): "Successfully reported the following entities as false positive in Anomali ThreatStream:\n{0}".format(entity.identifier list)

If fail to mark specific entities (is_success=true): "Action was not able to report the following entities as false positive in Anomali ThreatStream\n: {0}".format([entity.identifier])

If fail to enrich all entities (is_success=false): "No entities were reported as false positive."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Report As False Positive". Reason: {0}''.format(error.Stacktrace)

General

Submit Observables

Description

Submit an observable to Anomali ThreatStream based on IP, URL, Hash, Email entities. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).

Where to find trusted circle IDs

To find the ID of a trusted circle, locate the trusted circle on Anomali ThreatStream, and click on its name. The URL displayed in the address bar shows the ID. For example: https://siemplify.threatstream.com/search?trustedcircles=13.

Parameters

Parameter name Type Default value Is mandatory Description
Classification DDL

Private

Possible values:

  • Public
  • Private
Yes Specify the classification of the observable.
Threat Type DDL

APT

Possible Values

  • APT
  • Adware
  • Anomalous
  • Anomyzation
  • Bot
  • Brute
  • C2
  • Compromised
  • Crypto
  • Data Leakage
  • DDOS
  • Dynamic DNS
  • Exfil
  • Exploit
  • Fraud
  • Hacking Tool
  • I2P
  • Informational
  • Malware
  • P2P
  • Parked
  • Phish
  • Scan
  • Sinkhole
  • Social
  • Spam
  • Suppress
  • Suspicious
  • TOR
  • VPS
Yes Specify the threat type for the observables.
Source String Siemplify No Specify the intelligence source for the observable.
Expiration Date Integer N/A No Specify the expiration date in days for the observable. If nothing is specified here, action will create an observable that will never expire.
Trusted Circle IDs CSV N/A No Specify the comma-separated list of trusted circle ids. Observables will be shared with those trusted circles.
TLP DDL

Select One

Possible Values:

  • Select One
  • Red
  • Green
  • Amber
  • White
No Specify the TLP for your observables.
Confidence Integer N/A No Specify what should be the confidence for the observable. Note: This parameter will only work, if you create observables in your organization and requires Override System Confidence to be enabled.
Override System Confidence Checkbox Unchecked No If enabled, created observables will have the confidence specified in the Confidence parameter. Note: You can't share observables in trusted circles and publicly, when this parameter is enabled.
Anonymous Submission Checkbox Unchecked No If enabled, action will make an anonymous submission.
Tags CSV N/A No Specify a comma-separated list of tags that you want to add to observable.

Run on

This action runs on the following entities:

  • Hash
  • IP Address
  • URL
  • Email

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
approved_jobs = [
    {
        "id" ,
        "entity": {entity.identifier}
    }
]
    jobs_with_excluded_entities = [
    {
        "id":,
        "entity": {entity.identifier}
    }
]
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found(is_success=true): "Successfully submitted and approved the following entities in Anomali ThreatStream:\n{0}".format(entity.identifier list)

If fails to enrich some entities (rejected entities) (is_success=true): "Action was not able to successfully submit and approve the following entities in Anomali ThreatStream\n: {0}".format([entity.identifier])

If fails to enrich for all entities (is_success=false): "No entities were successfully submitted to Anomali ThreatStream."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Submit Observables". Reason: {0}''.format(error.Stacktrace)

If the 400 status code is reported: "Error executing action "Submit Observables". Reason: {0}''.format(message)

General

Link:

https://siemplify.threatstream.com/import/review/{jobid}

Entity

Connectors

Anomali ThreatStream - Observables Connector

Description

Pull observables from Anomali ThreatStream.

Where to find trusted circle IDs

To find the ID of a trusted circle, locate the trusted circle on Anomali ThreatStream, and click on its name. The URL displayed in the address bar shows the ID. For example: https://siemplify.threatstream.com/search?trustedcircles=13.

Configure Anomali ThreatStream - Observables Connector in Google Security Operations SOAR

For detailed instructions about how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter name Type Default value Is mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String type Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 300 Yes Timeout limit for the python process running the current script.
API Root String https://api.threatstream.com Yes API root of the Anomali ThreatStream instance.
Email Address String N/A Yes Email address of the Anomali ThreatStream account.
API Key Password N/A Yes API Key of the Anomali ThreatStream account.
Lowest Severity To Fetch String High Yes

Lowest severity that will be used to fetch observables.

Possible values:

  • Low
  • Medium
  • High
  • Very-High
Lowest Confidence To Fetch Integer 50 Yes Lowest confidence that will be used to fetch observables. Maximum is 100.
Source Feed Filter CSV N/A No Comma-separated list of feed ids that should be used to ingest observables. Example: 515,4129
Observable Type Filter CSV url, domain, email, hash, ip, ipv6 No

Comma-separated list of observable types that should be ingested. Example: url, domain

Possible values: url, domain, email, hash, ip, ipv6

Observable Status Filter CSV active No

Comma-separated list of observable status that should be used to ingest new data. Example: active,inactive

Possible values: active,inactive,falsepos

Threat Type Filter CSV N/A No

Comma-separated list of threat types that should be used to ingest observables. Example: аdware,anomalous,anonymization,apt

Possible values: аdware,anomalous,anonymization,apt,bot,brute,c2,compromised,crypto,data_leakage,ddos,dyn_dns,exfil,exploit,fraud,hack_tool,i2p,informational,malware,p2p,parked,phish,scan,sinkhole,spam,suppress,suspicious,tor,vps

Trusted Circle Filter CSV N/A No

Comma-separated list of trusted circle ids that should be used to ingest observables.

Example: 146,147

Tag Name Filter CSV N/A No Comma-separated list of tag names associated with observables that should be used with ingestion. Example: Microsoft Credentials, Phishing
Source Feed Grouping Checkbox Unchecked No If enabled, the connector will group observables from the same source under the same Google Security Operations SOAR Alert.
Fetch Max Days Backwards Integer 1 No Amount of days from where to fetch observables.
Max Observables Per Alert Integer 100 No How many observables should be a part of one Google Security Operations SOAR alert. Maximum is 200.
Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, whitelist will be used as a blacklist.
Verify SSL Checkbox Unchecked Yes If enabled, verify the SSL certificate for the connection to the Anomali ThreatStream server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.

Connector rules

Proxy support

The connector supports Proxy.